Transforming Private ROSA Deployments with Automated Tekton CI/CD

Sudeep Srivastava
Director & Co-Founder
November 04, 2025

In today’s cloud-native world, application teams seek automation, security, and scalability without trade-offs. Red Hat OpenShift Service on AWS (ROSA) delivers a managed Kubernetes experience with enterprise-grade features. But when clusters run in private subnets for security, this creates a common challenge: how do you enable CI/CD pipelines that rely on external triggers, like GitHub webhooks, without exposing your cluster to the internet?

In this blog, we highlight a real-world success story where we built an end-to-end CI/CD pipeline on a private ROSA cluster using Tekton pipelines, GitHub webhooks, and a Bastion reverse proxy. This design delivered security, speed, and automation, enabling seamless code-to-deployment workflows in production.

Customer Problem Statement

The customer was running workloads on ROSA to power business-critical applications. For security, the clusters were deployed entirely in private subnets. While this eliminated public exposure, it introduced an immediate bottleneck:

  • Webhook Delivery Blocked: GitHub could not send push/PR events to the Tekton EventListener service inside the private cluster.
  • Manual Deployments: Developers were forced to run manual oc or kubectl commands after each change.
  • Slow Feedback Loops: Without automation, builds and deployments lagged behind commits.
  • Scalability Issues: Each new application required manual setup, slowing delivery and increasing operational overhead.

In short, the organization had robust infrastructure but lacked a secure bridge between GitHub → Tekton → ROSA deployments.

Solution Implemented

Our team designed and implemented a production-ready DevOps pipeline, powered by CI/CD automation and tailored for private ROSA clusters. The solution combined Tekton, GitHub, and a Bastion + Nginx reverse proxy for secure webhook handling.

1. Foundation Setup

  • Deployed a ROSA cluster in private subnets.
  • Installed Tekton Pipelines & Triggers via OpenShift OperatorHub.
  • Configured a Node.js application in GitHub as the source repo.

2. Pipeline Design

The Tekton pipeline was designed as a repeatable, modular flow:

  • Code Fetch → Tekton git-clone task pulls the repo.
  • Image Build → Kaniko builds a container image securely (no privileged access).
  • Push to ECR → Images tagged with the commit SHA are pushed to Amazon ECR.
  • Deploy → OpenShift Deployment is automatically updated with the new image.

Think of it as a conveyor belt: GitHub → Tekton → ECR → ROSA Deployment.

3. Secure Webhook Integration

To bridge GitHub with the private ROSA cluster:

  • A Bastion EC2 instance was launched in a public subnet.
  • Nginx reverse proxy was configured on the Bastion to receive GitHub webhooks.
  • Nginx securely forwarded requests to the Tekton EventListener service inside ROSA.

Result: GitHub push events could now trigger Tekton pipelines securely without exposing the cluster.
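Because the Bastion makes the EventListener reachable from GitHub, every forwarded delivery should be authenticated before it can start a pipeline. The following is an added Python example, not code from the original post, that mirrors the signature validation the Tekton Triggers GitHub interceptor performs when given the webhook secret, then extracts the clone URL, commit SHA and branch that the git-clone and image-tag steps consume; the secret and the push payload are constructed, hypothetical values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret (hypothetical): set on the GitHub webhook and on the validator.
WEBHOOK_SECRET = b"example-webhook-secret"

def sign_body(body: bytes, secret: bytes) -> str:
    """Return the X-Hub-Signature-256 value GitHub computes for a delivery."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_github_signature(body: bytes, header: Optional[str], secret: bytes) -> bool:
    """HMAC-SHA256 over the raw body must match the header. The Bastion's Nginx
    must pass the body through unmodified, otherwise the check fails (as it
    should: a tampered or forged delivery never reaches a pipeline)."""
    if not header or not header.startswith("sha256="):
        return False
    # Constant-time comparison so a wrong guess leaks no timing information.
    return hmac.compare_digest(sign_body(body, secret), header)

def extract_pipeline_params(body: bytes) -> dict:
    """From a push event, take what the pipeline consumes: the clone URL for
    git-clone, the commit SHA used as the ECR image tag, and the branch."""
    event = json.loads(body)
    ref = event["ref"]
    branch = ref[len("refs/heads/"):] if ref.startswith("refs/heads/") else ref
    return {
        "git_url": event["repository"]["clone_url"],
        "git_revision": event["after"],
        "branch": branch,
    }

def handle_delivery(body: bytes, headers: dict) -> tuple:
    """Gate a forwarded webhook: reject unsigned or mis-signed deliveries,
    ignore non-push events, and only then produce parameters for a pipeline run."""
    if not verify_github_signature(body, headers.get("X-Hub-Signature-256"), WEBHOOK_SECRET):
        return ("rejected", None)
    if headers.get("X-GitHub-Event") != "push":
        return ("ignored", None)
    return ("accepted", extract_pipeline_params(body))

# Constructed push payload with the fields a GitHub push event carries.
SAMPLE_PUSH = json.dumps({
    "ref": "refs/heads/main",
    "after": "0123456789abcdef0123456789abcdef01234567",
    "repository": {"clone_url": "https://github.com/example-org/node-app.git"},
}).encode()
```

The same gate applies at the Nginx layer in spirit: the proxy should forward only the EventListener path and leave the request body untouched, since any rewrite breaks the HMAC.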


Business Value Achieved

Within weeks of deploying this CI/CD solution, we realized immediate benefits:

  • 100% Automation: Code changes triggered pipelines instantly, eliminating manual steps.
  • Faster Delivery: Build → Push → Deploy cycles completed in minutes.
  • Security Maintained: The ROSA cluster stayed private with no direct exposure to the internet.
  • Scalability: Adding new apps only required defining new pipelines, not re-engineering networking.
  • Developer Productivity Boost: Engineers focused on writing code, not running deployment scripts.

Key Learnings

  • Separation of Concerns: Tekton handled CI/CD, OpenShift handled deployments.
  • Networking Creativity: Bastion + Nginx proved to be a simple and secure bridge for private clusters.
  • Scalability: Multiple apps can use the same pattern with minimal changes.
  • Automation Confidence: Even in a private environment, pipelines can run reliably.

Conclusion

Through this, we demonstrated that it is possible to build end-to-end CI/CD pipelines on ROSA with private networking, using Tekton, GitHub, and a secure Bastion + Nginx setup.

This approach shows that security and automation can coexist, even in private clusters. If you are exploring ROSA for production workloads, this pattern provides a strong foundation for secure, automated, and scalable CI/CD pipelines.

THE AUTHOR
Sudeep Srivastava
Director & Co-Founder

With over 15 years of experience at the forefront of digital transformation, Sudeep Srivastava is the Co-founder and Director of Appinventiv. His expertise spans AI, Cloud, DevOps, Data Science, and Business Intelligence, where he blends strategic vision with deep technical knowledge to architect scalable and secure software solutions. A trusted advisor to the C-suite, Sudeep guides industry leaders on using IT consulting and custom software development to navigate market evolution and achieve their business goals.
