In today’s cloud-native world, application teams want automation, security, and scalability without trade-offs. Red Hat OpenShift Service on AWS (ROSA) delivers a managed Kubernetes experience with enterprise-grade features. But when clusters run in private subnets for security, a common challenge appears: how do you let CI/CD pipelines react to external triggers, such as GitHub webhooks, without exposing the cluster to the internet?
In this blog, we highlight a real-world success story where we built an end-to-end CI/CD pipeline on a private ROSA cluster using Tekton pipelines, GitHub webhooks, and a Bastion reverse proxy. This design delivered security, speed, and automation, enabling seamless code-to-deployment workflows in production.
Customer Problem Statement
The customer was running workloads on ROSA to power business-critical applications. For security, the clusters were deployed entirely in private subnets. While this eliminated public exposure, it introduced an immediate bottleneck:
- Webhook Delivery Blocked: GitHub could not send push/PR events to the Tekton EventListener service inside the private cluster.
- Manual Deployments: Developers were forced to run manual oc or kubectl commands after each change.
- Slow Feedback Loops: Without automation, builds and deployments lagged behind commits.
- Scalability Issues: Each new application required manual setup, slowing delivery and increasing operational overhead.
In short, the organization had robust infrastructure but lacked a secure bridge between GitHub → Tekton → ROSA deployments.
Solution Implemented
Our team designed and implemented a production-ready DevOps pipeline, powered by CI/CD automation and tailored for private ROSA clusters. The solution combined Tekton, GitHub, and a Bastion + Nginx reverse proxy for secure webhook handling.
1. Foundation Setup
- Deployed a ROSA cluster in private subnets.
- Installed the Red Hat OpenShift Pipelines operator (which bundles Tekton Pipelines and Tekton Triggers) from OpenShift OperatorHub.
- Configured a Node.js application in GitHub as the source repo.
2. Pipeline Design
The Tekton pipeline was designed as a repeatable, modular flow:
- Code Fetch -> Tekton git-clone task pulls the repo.
- Image Build -> Kaniko builds the container image without a Docker daemon or a privileged container (note that the Kaniko executor still runs as root inside its own container, so the pipeline service account needs an SCC that permits that).
- Push to ECR -> Images tagged with the commit SHA are pushed to Amazon ECR.
- Deploy -> OpenShift Deployment is automatically updated with the new image.
Think of it as a conveyor belt: GitHub → Tekton → ECR → ROSA Deployment.
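The four stages above, written out as an added Tekton Pipeline example (this is not the customer's manifest). It assumes the `git-clone`, `kaniko` and `openshift-client` tasks from Tekton Hub are installed in the namespace, that a Docker-config Secret for ECR is bound to the `registry-creds` workspace at run time, and that the target Deployment's container is named `app`; the pipeline name, ECR repository and Deployment name are placeholders. Two details matter for supply-chain hygiene: the image is tagged with the exact commit the clone task checked out, and the deploy step pins the Deployment to the digest Kaniko reports rather than to the mutable tag.

```yaml
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: node-app-build-deploy        # assumed name
spec:
  params:
    - name: git-url
      description: Clone URL of the application repository
    - name: git-revision
      description: Branch, tag or commit to build
      default: main
    - name: ecr-repo
      description: ECR repository, e.g. 123456789012.dkr.ecr.us-east-1.amazonaws.com/node-app (placeholder)
    - name: deployment
      description: Name of the OpenShift Deployment to update
      default: node-app              # assumed name
  workspaces:
    - name: shared-source            # cloned repo, shared between tasks
    - name: registry-creds           # Docker config.json with ECR credentials
  tasks:
    # Stage 1: fetch the source at the requested revision.
    - name: fetch-source
      taskRef:
        name: git-clone
      workspaces:
        - name: output
          workspace: shared-source
      params:
        - name: url
          value: $(params.git-url)
        - name: revision
          value: $(params.git-revision)
    # Stages 2 and 3: build with Kaniko and push to ECR. The tag is the commit
    # SHA that git-clone actually checked out, not the branch name.
    - name: build-push
      runAfter: [fetch-source]
      taskRef:
        name: kaniko
      workspaces:
        - name: source
          workspace: shared-source
        - name: dockerconfig
          workspace: registry-creds
      params:
        - name: IMAGE
          value: $(params.ecr-repo):$(tasks.fetch-source.results.commit)
        - name: EXTRA_ARGS
          value:
            - --reproducible           # strip timestamps so the same source gives the same digest
    # Stage 4: roll the Deployment to the new image, pinned by digest so a later
    # re-tag in the registry cannot change what runs.
    - name: deploy
      runAfter: [build-push]
      taskRef:
        name: openshift-client
      params:
        - name: SCRIPT
          value: |
            oc set image deployment/$(params.deployment) \
              app=$(params.ecr-repo)@$(tasks.build-push.results.IMAGE_DIGEST)
            oc rollout status deployment/$(params.deployment) --timeout=300s
```

ECR authorization tokens expire after 12 hours, so a static Docker-config Secret has to be refreshed on a schedule or replaced by pod-identity (IRSA) credentials that Kaniko's built-in ECR credential helper can use. If the build step fails with permission errors on OpenShift, the cause is usually the restricted SCC blocking Kaniko's root user; grant the pipeline service account a suitable SCC or switch the build step to a rootless tool such as the shipped `buildah` ClusterTask.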
3. Secure Webhook Integration
To bridge GitHub with the private ROSA cluster:
- A Bastion EC2 instance was launched in a public subnet.
- Nginx reverse proxy was configured on the Bastion to receive GitHub webhooks.
- Nginx forwarded the webhook requests over the VPC to the Tekton EventListener inside ROSA, so the cluster itself never needed a public endpoint.
Result: GitHub push events could now trigger Tekton pipelines without exposing the cluster. The Bastion is the only internet-facing component in this design, so two checks matter: Nginx should accept nothing but the webhook path, over TLS, and the EventListener should reject any payload whose signature does not match the GitHub webhook secret.
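The cluster-side half of the webhook bridge, as an added example (not the customer's manifests): a Secret holding the webhook secret that is also entered in the GitHub webhook settings, a TriggerBinding and TriggerTemplate that start the pipeline, and an EventListener whose `github` interceptor rejects any request whose `X-Hub-Signature-256` does not match the secret or that is not a `push` event, followed by a `cel` filter that limits runs to the main branch of one repository. The repository name, branch, pipeline name, Secret names and the `pipeline` service account (which must carry the Tekton Triggers RBAC roles) are assumptions.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: github-webhook-secret
type: Opaque
stringData:
  # Same value entered in the GitHub webhook "Secret" field; use a long random string.
  secretToken: REPLACE-WITH-LONG-RANDOM-VALUE
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: github-push-binding
spec:
  params:
    # Taken from the GitHub push payload after the interceptors have accepted it.
    - name: git-url
      value: $(body.repository.clone_url)
    - name: git-revision
      value: $(body.after)            # commit SHA at the head of the push
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: node-app-template
spec:
  params:
    - name: git-url
    - name: git-revision
  resourcetemplates:
    - apiVersion: tekton.dev/v1
      kind: PipelineRun
      metadata:
        generateName: node-app-run-
      spec:
        pipelineRef:
          name: node-app-build-deploy # assumed pipeline name
        params:
          - name: git-url
            value: $(tt.params.git-url)
          - name: git-revision
            value: $(tt.params.git-revision)
        workspaces:
          - name: shared-source
            volumeClaimTemplate:
              spec:
                accessModes: [ReadWriteOnce]
                resources:
                  requests:
                    storage: 1Gi
          - name: registry-creds
            secret:
              secretName: ecr-docker-config   # assumed Secret with ECR config.json
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: github-listener             # creates Service el-github-listener
spec:
  serviceAccountName: pipeline      # assumed; needs the Triggers RBAC roles
  triggers:
    - name: github-push
      interceptors:
        # 1. Verify the HMAC in X-Hub-Signature-256 against the shared secret
        #    and drop anything that is not a push event.
        - ref:
            name: github
          params:
            - name: secretRef
              value:
                secretName: github-webhook-secret
                secretKey: secretToken
            - name: eventTypes
              value: ["push"]
        # 2. Only the main branch of the expected repository may start a run.
        - ref:
            name: cel
          params:
            - name: filter
              value: "body.ref == 'refs/heads/main' && body.repository.full_name == 'example-org/node-app'"
      bindings:
        - ref: github-push-binding
      template:
        ref: node-app-template
```

The EventListener only gets a ClusterIP Service (`el-github-listener`), so to reach it from the Bastion expose it with an OpenShift Route; on a private ROSA cluster the default router sits behind an internal load balancer, so the Route resolves inside the VPC but not from the internet. On the Bastion, Nginx should terminate TLS with a real certificate, proxy a single `location` (for example `/hooks/github`) to that Route, pass the request headers through unchanged (the interceptor needs `X-Hub-Signature-256` and `X-GitHub-Event`), and be reachable only from GitHub's published `hooks` address ranges (the `hooks` list at https://api.github.com/meta) via the security group or `allow` directives. Because the interceptor checks the HMAC, a request that slips past those filters still cannot start a PipelineRun without the secret.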
Exploring ROSA for your next deployment? Our DevOps specialists can design a secure Tekton pipeline tailored for private clusters, no public exposure needed.
Business Value Achieved
Within weeks of deploying this CI/CD solution, the team saw concrete benefits:
- 100% Automation: Code changes triggered pipelines instantly, eliminating manual steps.
- Faster Delivery: Build → Push → Deploy cycles completed in minutes.
- Security Maintained: The ROSA cluster stayed private with no direct exposure to the internet.
- Scalability: Adding new apps only required defining new pipelines, not re-engineering networking.
- Developer Productivity Boost: Engineers focused on writing code, not running deployment scripts.
Key Learnings
- Separation of Concerns: Tekton handled the build and release steps; OpenShift handled the rollout of the updated Deployment.
- Networking Creativity: Bastion + Nginx proved to be a simple and secure bridge for private clusters, provided the Bastion itself is locked down (TLS, a single proxied path, and webhook signature validation on the cluster side).
- Scalability: Multiple apps can use the same pattern with minimal changes.
- Automation Confidence: Even in a private environment, pipelines can run reliably.
Conclusion
Through this, we demonstrated that it is possible to build end-to-end CI/CD pipelines on ROSA with private networking, using Tekton, GitHub, and a secure Bastion + Nginx setup.
This approach shows that security and automation can coexist, even in private clusters. If you are exploring ROSA for production workloads, this pattern provides a strong foundation for secure, automated, and scalable CI/CD pipelines.