Step-by-Step Guide to Building an End-to-End GitOps Pipeline on OpenShift with Tekton and ArgoCD
This tutorial walks through creating a complete GitOps CI/CD pipeline on OpenShift using Tekton for builds and ArgoCD for declarative continuous delivery, covering installation, secret management, pipeline definition, webhook configuration, and verification of automated deployments.
This article provides a step‑by‑step guide for creating an end‑to‑end GitOps pipeline on OpenShift using Tekton and ArgoCD.
Tekton is a Kubernetes‑native, declarative, and extensible CI/CD framework that defines tasks, pipelines, resources, and workspaces via custom resource definitions (CRDs), offering scalability, portability, and repeatability for cloud‑native workflows.
Key Tekton concepts include:
Task – the basic building block representing a single unit of work such as building code, running tests, or deploying an application.
Pipeline – orchestrates tasks in a specific order, supporting multiple stages, parallel execution, and conditional branching.
Resources – define inputs and outputs for tasks, such as source repositories, container images, or other artifacts.
Workspace – enables sharing of files between tasks across pipeline stages.
ArgoCD is a declarative continuous‑delivery tool for Kubernetes that follows the GitOps model: the desired state of applications is stored in a Git repository, and ArgoCD continuously reconciles the actual cluster state with this desired state, supporting multi‑cluster deployments, automated sync, rollbacks, and versioned history.
The complete pipeline consists of two Git repositories: one containing the .NET Core application code and Tekton resources, and a second GitOps repository holding all ArgoCD manifests (Deployments, Services, etc.). When code changes are pushed, a GitHub webhook triggers Tekton to clone the repo, build the Docker image, push it to Quay.io, and update the GitOps repo; ArgoCD then automatically synchronizes the cluster to reflect the new image.
Installation steps:
Install OpenShift GitOps (ArgoCD) and OpenShift Pipelines (Tekton) via OperatorHub.
Create a Quay.io account, generate a repository (e.g., dotnetcore), and create a Docker registry secret:
    oc create secret docker-registry quay-secret --docker-server=quay.io --docker-username=<QUAY_USERNAME> --docker-password=<ENCRYPTED_PASSWORD>
Create a GitHub personal‑access‑token secret for Tekton to push changes:
    apiVersion: v1
    kind: Secret
    metadata:
      name: git-user-pass
      annotations:
        tekton.dev/git-0: https://github.com
    type: kubernetes.io/basic-auth
    stringData:
      username: <github_user>
      password: <github_personal_access_token>
Link the secrets to the Tekton service account:
    oc secret link pipeline quay-secret
    oc secret link pipeline git-user-pass
Apply Tekton resources (pipeline.yaml, tasks, triggers, etc.) using oc apply -f <file> commands.
Expose the webhook URL via an OpenShift route and configure the webhook in the GitHub repository settings.
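The webhook route from the last step accepts requests from any client that can reach it, so each delivery should be authenticated before it starts a pipeline run. The following Python example is added here and is not code from the original article or from Tekton: it checks GitHub's X-Hub-Signature-256 header (HMAC-SHA256 of the raw body under the webhook secret) and then filters on event type and branch. The secret, the payload and the refs/heads/main branch are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values: not a real secret or a captured delivery.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"ref": "refs/heads/main", "after": "0000000"}'


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub places in X-Hub-Signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def accept_delivery(secret, headers, body, allowed_ref="refs/heads/main"):
    """Return (accepted, reason) for one webhook delivery."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    received = hdrs.get("x-hub-signature-256", "")
    if not received.startswith("sha256="):
        return False, "missing or malformed signature"
    # Compare in constant time, over the raw bytes, before parsing anything.
    expected = sign(secret, body).encode()
    if not hmac.compare_digest(received.encode("utf-8", "replace"), expected):
        return False, "signature mismatch"
    if hdrs.get("x-github-event") != "push":
        return False, "event type not allowed"
    try:
        ref = json.loads(body).get("ref")
    except (ValueError, AttributeError):
        return False, "unparseable payload"
    if ref != allowed_ref:  # assumption: only this branch should trigger builds
        return False, "ref not allowed"
    return True, "ok"


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign(SAMPLE_SECRET, SAMPLE_BODY),
            "X-GitHub-Event": "push"}
    print(accept_delivery(SAMPLE_SECRET, good, SAMPLE_BODY))
    print(accept_delivery(SAMPLE_SECRET, good, SAMPLE_BODY + b" "))
    print(accept_delivery(SAMPLE_SECRET, {"X-GitHub-Event": "push"}, SAMPLE_BODY))
```

In Tekton Triggers, the GitHub interceptor performs the signature and event-type checks when it is configured with the webhook secret.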
After committing new code changes (git commit -am "new changes" && git push), Tekton automatically runs the CI pipeline, pushes the updated image tag to the GitOps repository, and ArgoCD synchronizes the deployment within a few minutes. The ArgoCD UI can be used to verify the application state and manually trigger sync or rollbacks if needed.
By following these steps, you obtain a fully automated, cloud‑native GitOps CI/CD workflow on OpenShift using Tekton and ArgoCD.
DevOps Cloud Academy