Tekton 认证配置
Tenton 支持Secret 类型
Git | Docker |
---|---|
kubernetes.io/basic-auth kubernetes.io/ssh-auth |
kubernetes.io/basic-auth kubernetes.io/dockercfg kubernetes.io/dockerconfigjson |
配置 Git 身份验证
Tenton Secrets 存储路径
~/.gitconfig 文件或 ~/.ssh 目录。
配置basic-auth类型身份验证
secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: basic-user-pass
annotations:
tekton.dev/git-0: https://github.com # Described below
type: kubernetes.io/basic-auth
stringData:
username: <cleartext username>
password: <cleartext password>
serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-bot
secrets:
- name: basic-user-pass
绑定 PipelineRun
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
name: demo-pipeline
namespace: default
spec:
serviceAccountName: build-bot
pipelineRef:
name: demo-pipeline
Tekton 生成认证内容
=== ~/.gitconfig ===
[credential]
helper = store
[credential "https://url1.com"]
username = "user1"
[credential "https://url2.com"]
username = "user2"
...
=== ~/.git-credentials ===
https://user1:pass1@url1.com
https://user2:pass2@url2.com
...
配置ssh-auth类型身份验证
secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: ssh-key
annotations:
tekton.dev/git-0: github.com # Described below
type: kubernetes.io/ssh-auth
stringData:
ssh-privatekey: <private-key>
# This is non-standard, but its use is encouraged to make this more secure.
# If it is not provided then the git server's public key will be requested
# when the repo is first fetched.
known_hosts: <known-hosts>
serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-bot
secrets:
- name: ssh-key
绑定 PipelineRun
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
name: demo-pipeline
namespace: default
spec:
serviceAccountName: build-bot
pipelineRef:
name: demo-pipeline
使用自定义端口进行 SSH 身份验证
apiVersion: v1
kind: Secret
metadata:
name: ssh-key-custom-port
annotations:
tekton.dev/git-0: example.com:2222
type: kubernetes.io/ssh-auth
stringData:
ssh-privatekey: <private-key>
known_hosts: <known-hosts>
Tekton 生成认证内容
=== ~/.ssh/id_key1 ===
{contents of key1}
=== ~/.ssh/id_key2 ===
{contents of key2}
...
=== ~/.ssh/config ===
Host url1.com
HostName url1.com
IdentityFile ~/.ssh/id_key1
Host url2.com
HostName url2.com
IdentityFile ~/.ssh/id_key2
...
=== ~/.ssh/known_hosts ===
{contents of known_hosts1}
{contents of known_hosts2}
...
配置Docker身份验证
配置basic-auth类型身份验证
secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: basic-user-pass
annotations:
tekton.dev/docker-0: https://gcr.io # Described below
type: kubernetes.io/basic-auth
stringData:
username: <cleartext username>
password: <cleartext password>
serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-bot
secrets:
- name: basic-user-pass
绑定 PipelineRun
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
name: demo-pipeline
namespace: default
spec:
serviceAccountName: build-bot
pipelineRef:
name: demo-pipeline
Tekton 生成认证内容
=== ~/.docker/config.json ===
{
"auths": {
"https://url1.com": {
"auth": "$(echo -n user1:pass1 | base64)",
"email": "not@val.id",
},
"https://url2.com": {
"auth": "$(echo -n user2:pass2 | base64)",
"email": "not@val.id",
},
...
}
}
配置 config.json 身份认证
用~/.docker/config.json生成secret
Secret
kubectl create secret generic regcred --from-file=.dockerconfigjson=<path/to/.docker/config.json> --type=kubernetes.io/dockerconfigjson
serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-bot
secrets:
- name: regcred
绑定 PipelineRun
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
name: demo-pipeline
namespace: default
spec:
serviceAccountName: build-bot
pipelineRef:
name: demo-pipeline
禁用 Tekton 内置认证
# kubectl edit cm feature-flags -n tekton-pipelines
disable-creds-init: "true"
Tekton 认证示例
apiVersion: v1
kind: Secret
type: kubernetes.io/ssh-auth
metadata:
name: ssh-key-for-git
annotations:
tekton.dev/git-0: localhost
data:
# This key was generated for this test and isn't used for anything else.
ssh-privatekey: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFZRUF5T1g3ZG5OWlFBZVk4cHNMOXlaUnp3NXNDVG1yWGh6Zld1YTZuZ2VDQ0VRRTY4YjVUSThTCkNlbEhlNG9oTUtBdXZ0ZTE4YXJMK2EvVldpeFN6a2tBMmFIZVhkdUJ1bStkS2R2TlVVSUhNc1dOUythcENQYmE4R3ZGaHYKdG81Tkx0bWpxT2M0WjJkK1RPS3AvakMrS3pvUDFHQWdRL25QMitMTldabzlvTTc4TzQ3Z1dSem9FNlFKeGJqbFlPMHRMbwp4YXUxdTNrbUtsNSthbUxsNHpGN25wdmV1dGlSWDhmY2hGam5Ka2dqK3BVeFJvTGF4SDdDN0NTcDExWUkyMEhKRVFXeEk3CllaekNTYml5KzZ1a2l0Tk1MZ29qMnpSTGl2ZTVvZm9nenpYbkdWUUpZdUIzOFhQM0ZIQWMvOXhzUXdzd3dQS2hkQ3g4T0QKbjErYXpLOHp5SGhXK0dxckJhS1R4cDlrcVRpKzZSMWk4ZjVxOEt6NXpGVTZmd05qQXZ3STFBZ3IwS2FzU1JxWTVMcGxnTgpZcW1DY01JODZKUnRGWHRWWVQrT05tdWFhYUQ1QUErbnpkNW81R0haZTlFSlNqUThZMHZwbjhmNjNjeEw2RTdzVmxpMnpzCnNhN1RST2JMK3YyVnFuSlpEY2pIZXMzS1M5Mld0V3RJbXdXOG81VkRBQUFGaU04K0NUL1BQZ2svQUFBQUIzTnphQzF5YzIKRUFBQUdCQU1qbCszWnpXVUFIbVBLYkMvY21VYzhPYkFrNXExNGMzMXJtdXA0SGdnaEVCT3ZHK1V5UEVnbnBSM3VLSVRDZwpMcjdYdGZHcXkvbXYxVm9zVXM1SkFObWgzbDNiZ2Jwdm5TbmJ6VkZDQnpMRmpVdm1xUWoyMnZCcnhZYjdhT1RTN1pvNmpuCk9HZG5ma3ppcWY0d3ZpczZEOVJnSUVQNXo5dml6Vm1hUGFETy9EdU80RmtjNkJPa0NjVzQ1V0R0TFM2TVdydGJ0NUppcGUKZm1waTVlTXhlNTZiM3JyWWtWL0gzSVJZNXlaSUkvcVZNVWFDMnNSK3d1d2txZGRXQ050QnlSRUZzU08yR2N3a200c3Z1cgpwSXJUVEM0S0k5czBTNHIzdWFINklNODE1eGxVQ1dMZ2QvRno5eFJ3SFAvY2JFTUxNTUR5b1hRc2ZEZzU5Zm1zeXZNOGg0ClZ2aHFxd1dpazhhZlpLazR2dWtkWXZIK2F2Q3MrY3hWT244RFl3TDhDTlFJSzlDbXJFa2FtT1M2WllEV0twZ25EQ1BPaVUKYlJWN1ZXRS9qalpybW1tZytRQVBwODNlYU9SaDJYdlJDVW8wUEdOTDZaL0grdDNNUytoTzdGWll0czdMR3UwMFRteS9yOQpsYXB5V1EzSXgzck55a3ZkbHJWclNKc0Z2S09WUXdBQUFBTUJBQUVBQUFHQUNQSGtmbU9vWjZkdThlNWhYQUhDeHJ0WHFCCmwvUGROL1JtYmJqRW05U216czR5cWEwd1BUdzhrMU81VHM0V05nY1hMZFVRTlB6YkE4aWFWTGtvL0JqKzhiSFlhMmdmeVMKUE5qaWpXbXBOR09EWlF2Q0h2b095WUdpNjkycHovWnNTZCt0bEFzNm54LzY1ZjcwZHdVREJub0FjZnFLY28wQnVMRlNBKworamY5RnhISGYzQkFEUS9TdDVFQjlZelo1Q2F2cTRQcjZvS2w3R3RpbnRIbTZIbUlwTUlubWVEMnV3cjl2ZGZ1RGJhVDdYClVOSm10elVGck1uOUhlOWd1WkoyTXd3a015S09ScnRhVFA3VjFZK3FOM3ZncStmRkNtU0VkekxBU3BWTHMyL1hQTCtwTnAKTTVZUVRRMFJSZWdKTEdtTHZ0ZmpkK1RRMFQ0bjBucnBJVGRXRTRsL05sTG9taTVhUndzQXFtY2hZSGxhN0g3YlNyS2lKawpyWTg1RTliZm8wSXJqUDNQNzFYNmxjcTB0VDhDTklUQUNleWJQT3kwcDVDc3JwZTdhZEJBOXF4MTZjR2tkZ0NPWk9GMnRpCktoWWJHeTc4ei9YNEh2OEptVmhaSHF3RlFQQzVleWljbE1PTFJXNDJOcUJhNEVFc3RHT3l4MHZwa0lVS3VhRlJuQkFBQUEKd1FESytXYzU1WHVpWjgySXM5NnN2bWIrR0Y5c2pBRWVaWHpHSWpDL1NHVEhIWTZSQmc1TnlQOUdZNmtoWnBjd0cyTU52dQpZUjhuN0psRWlVanU2cjY2Smh0WGtvdTR4WlU1dDkvMlJvdHRmeWpKODJmYm8yTHZmNERUOVNvSURxZnk5VmlMSjhSWUNkCkt6NnpYSHFTZ1RBRU1vaUhjbFpIZzRqTitrOW1ma2tPMDBQbEJJaE1YU0ZMLzUrZUhGdStQTmxaU1g5NUlMRjJvZ0Y1RG0KWTFuaTRUOGJjdzY2dmFzamthcjFZekptM1VidEVnSzQ2VVllNGJac2NXbWt4dngwMEFBQURCQVA4UysyTmtheWkvb3NzVApTQXpJMi9QU2tJMDVEY1lTYnNOQjZ4a3pobzdKaDlHeUNvbW5xZ1IxR2ZBOTBqV3AxVks0TG43TmtYYWJaVmJPc0xoT21DCkdBbVRZTHRjaTB0bkhhYk5HTEZ3ZmdiUitqRzZNQ2p4cEh5anM5MDlKSHhtYmswbElpczdPN1N3VThERGcrSEVxc0EvNUoKQ1VMTWU3em9mNERhUnZXdFhTRks2ZW5LNnpGaHBINjVQY29TN0o0NjJhNzdUMDVGQXhMemNaRkc5VWZ5WUdMa1ZmdHRTTApNVDhudW9LaW5XTGNLSlVQeis1MjJlM3lIcis4c3pVUUFBQU1FQXlhQ28xSnRBcjRpczY0YTBuZTFUV0o0dXcyT3FDdUlDCm9acG1QN2UyRnh3bVRCSWMrbzZkSEVNVHo2c2ZZSkFxU2l4ZzYydXYzWlRTc25STWljaDZ0b1k0SVI4cWFMa1prLzU5cmEKQWFONFlvTkdpQTZxY0Jzc3NLMmZuM2YxRFJhckxPbWZHTnpTMU41S1RvSFVlUkVGWDExdHVNM1pqOGxTelFBOWZSakk1OQpFWmFnOWJaOXRJOEg5dmEvTGRMK3U3dTZZWkVRSEJCS1MxMW1tOVVXd1pDMkdUV3ZnNzRlTnRmemtZeDQxdlhIeTZBbW9ECmxuOHo2N3lvWEZzbEpUQUFBQURuTmpiM1IwUUcxbFkyZ3ViR0Z1QVFJREJBPT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==
# Note: we intentionally omit a known_hosts entry here. You should include
# one in your own Secrets as a security measure, otherwise the Git PipelineResource
# and git-clone Tasks will blindly accept any public key returned by a repository.
#
# We're able to omit known_hosts here because the file is generated by the
# git server sidecar. The benefit of omitting it here is that it exercises
# a codepath in Tekton that used to fail. In prior versions Tekton would
# run ssh-keyscan if known_hosts was omitted, which would fail for this example
# because the git server sidecar is not up and running at the time the scan
# would have happened.
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ssh-key-service-account
secrets:
- name: ssh-key-for-git
---
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
name: authenticating-git-commands
spec:
serviceAccountName: ssh-key-service-account
taskSpec:
volumes:
- name: messages
emptyDir: {}
sidecars:
- name: server
image: alpine/git:v2.26.2
securityContext:
runAsUser: 0
volumeMounts:
- name: messages
mountPath: /messages
script: |
#!/usr/bin/env ash
# Generate a private host key and give the Steps access to its public
# key for their known_hosts file.
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
chmod 0600 /etc/ssh/ssh_host_rsa_key*
HOST_PUBLIC_KEY=$(cat /etc/ssh/ssh_host_rsa_key.pub | awk '{ print $2 }')
echo "localhost ssh-rsa $HOST_PUBLIC_KEY" > /messages/known_hosts
# Wait for a Step to supply the server a public key generated from creds-init
# credentials.
while [ ! -f /messages/authorized_keys ] ; do
sleep 1
done
# Allow Steps to SSH login as root to this server.
mkdir /root/.ssh
cp /messages/authorized_keys /root/.ssh/
# "Unlock" the root account, allowing SSH login to succeed.
sed -i s/root:!/"root:*"/g /etc/shadow
# Create the git repo we're going to test against.
cd /root/
mkdir repo
cd repo
git init . --bare
# Start the sshd server.
/usr/sbin/sshd -E /var/log/sshd
touch /messages/sshd-ready
tail -f /var/log/sshd
steps:
- name: setup
# This Step is only necessary as part of the test, it's not something you'll
# ever need in a real-world scenario involving an external git repo.
image: alpine/git:v2.26.2
securityContext:
runAsUser: 0
volumeMounts:
- name: messages
mountPath: /messages
script: |
#!/usr/bin/env ash
# Generate authorized_keys file from the creds-init private key and give
# it to the sidecar server so that Steps can successfully SSH login
# using creds-init credentials.
ssh-keygen -y -f $(credentials.path)/.ssh/id_ssh-key-for-git > /messages/authorized_keys
# Wait for sshd to start on the git server.
while [ ! -f /messages/sshd-ready ] ; do
sleep 1
done
- name: git-clone-and-push
image: alpine/git:v2.26.2
securityContext:
runAsUser: 0
workingDir: /root
volumeMounts:
- name: messages
mountPath: /messages
script: |
#!/usr/bin/env ash
set -xe
if [ -d /tekton/home/.ssh ] ; then
# When disable-home-env-overwrite is "false", creds-init credentials
# will be copied to /tekton/home/.ssh by the entrypoint. But we need
# them in /root/.ssh.
# Overwrite the creds-init known_hosts file with that of our test
# git server. You wouldn't need to do this in any kind of real-world
# scenario involving an external git repo.
cp /messages/known_hosts $(credentials.path)/.ssh/
# Symlink /tekton/creds/.ssh to /root/.ssh because this script issues
# vanilla git commands of its own. Git PipelineResources and the git-clone
# catalog task handle this for you.
ln -s $(credentials.path)/.ssh /root/.ssh
else
# When disable-home-env-overwrite is "true", creds-init credentials
# will be copied to /root/.ssh by the entrypoint. We just need to
# overwrite the known_hosts file with that of our test git server.
cp /messages/known_hosts /root/.ssh/known_hosts
fi
git clone root@localhost:/root/repo ./repo
cd repo
git config user.email "example@example.com"
git config user.name "Example"
echo "Hello, world!" > README
git add README
git commit -m "Test commit!"
git push origin master
- name: git-clone-and-check
image: gcr.io/tekton-releases/dogfooding/alpine-git-nonroot:latest
# Because this Step runs with a non-root security context, the creds-init
# credentials will fail to copy into /tekton/home. This happens because
# our previous step _already_ wrote to /tekton/home and ran as a root
# user. So there will be warning messages reporting "unsuccessful cred
# copy". These can be safely ignored and instead this Step will copy
# the credentials out of /tekton/creds to nonroot's HOME directory.
securityContext:
runAsUser: 1000
workingDir: /home/nonroot
volumeMounts:
- name: messages
mountPath: /messages
script: |
#!/usr/bin/env ash
set -xe
if [ -d /tekton/home/.ssh ] ; then
# When disable-home-env-overwrite is "false", creds-init credentials
# will be copied to /tekton/home/.ssh by the entrypoint. But we need
# them in /home/nonroot/.ssh.
# Overwrite the creds-init known_hosts file with that of our test
# git server. You wouldn't need to do this in any kind of real-world
# scenario involving an external git repo.
cp /messages/known_hosts $(credentials.path)/.ssh/
# Symlink /tekton/creds/.ssh to /home/nonroot/.ssh because this script issues
# vanilla git commands of its own and we're running as a non-root user.
# Git PipelineResources and the git-clone catalog task handle this for you.
ln -s $(credentials.path)/.ssh /home/nonroot/.ssh
else
# When disable-home-env-overwrite is "true", creds-init credentials
# will be copied to /home/nonroot/.ssh by the entrypoint. We just need to
# overwrite the known_hosts file with that of our test git server.
cp /messages/known_hosts /home/nonroot/.ssh/known_hosts
fi
git clone root@localhost:/root/repo ./repo
cd repo
cat README | grep "Hello, world!"
参考文档
https://tekton.dev/docs/pipelines/auth/