Tekton Authentication Configuration

Secret types supported by Tekton

Git                         Docker
kubernetes.io/basic-auth    kubernetes.io/basic-auth
kubernetes.io/ssh-auth      kubernetes.io/dockercfg
                            kubernetes.io/dockerconfigjson

Configuring Git authentication

Where Tekton writes the Secrets

Tekton materializes Git credentials into the ~/.gitconfig file or the ~/.ssh directory of the Step's home directory.

Configuring basic-auth authentication

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/git-0: https://github.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext username>
  password: <cleartext password>

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

Binding to the PipelineRun

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

Credential files generated by Tekton

=== ~/.gitconfig ===
[credential]
    helper = store
[credential "https://url1.com"]
    username = "user1"
[credential "https://url2.com"]
    username = "user2"
...
=== ~/.git-credentials ===
https://user1:pass1@url1.com
https://user2:pass2@url2.com
...

Configuring ssh-auth authentication

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.com # Described below
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: <private-key>
  # This is non-standard, but its use is encouraged to make this more secure.
  # If it is not provided then the git server's public key will be requested
  # when the repo is first fetched.
  known_hosts: <known-hosts>

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: ssh-key

Binding to the PipelineRun

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

SSH authentication on a custom port

apiVersion: v1
kind: Secret
metadata:
  name: ssh-key-custom-port
  annotations:
    tekton.dev/git-0: example.com:2222
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: <private-key>
  known_hosts: <known-hosts>

Credential files generated by Tekton

=== ~/.ssh/id_key1 ===
{contents of key1}
=== ~/.ssh/id_key2 ===
{contents of key2}
...
=== ~/.ssh/config ===
Host url1.com
    HostName url1.com
    IdentityFile ~/.ssh/id_key1
Host url2.com
    HostName url2.com
    IdentityFile ~/.ssh/id_key2
...
=== ~/.ssh/known_hosts ===
{contents of known_hosts1}
{contents of known_hosts2}
...
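The ssh-auth Secret above marks known_hosts as optional but encouraged: without it, Tekton has to learn the Git server's host key at first fetch and will accept whatever key is presented. The script below is an added example, not Tekton's own code. It builds the ssh-auth Secret manifest (including the custom-port form, where the annotation value example.com:2222 corresponds to the known_hosts host field [example.com]:2222) only when known_hosts really carries an entry for the annotated host, and it reports the pinned SHA256 fingerprint so it can be compared with the provider's published list before the Secret is applied. The function names, the placeholder private key and the known_hosts entries are constructed for this example and are not real key material.

```python
"""Build a kubernetes.io/ssh-auth Secret for Tekton that pins the Git
server's host key instead of trusting whatever key the server presents.

Added example for this page, not Tekton's own code. The manifest shape
(type, tekton.dev/git-N annotation, ssh-privatekey and known_hosts keys)
follows the page; function names, the placeholder private key and the
known_hosts entries are constructed here and are not real key material."""
import base64
import hashlib
import json


def _fake_pubkey_b64(fill: int) -> str:
    """Constructed ssh-ed25519 public key blob in OpenSSH wire format
    (uint32 length + key type, uint32 length + 32 key bytes)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(blob).decode()


# Constructed sample inputs; replace with your own key and a known_hosts
# file whose fingerprints you checked against the provider's published list.
PRIVATE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
               "<placeholder, not a real key>\n"
               "-----END OPENSSH PRIVATE KEY-----\n")
KNOWN_HOSTS = "\n".join([
    "# constructed entries, not real host keys",
    f"github.com ssh-ed25519 {_fake_pubkey_b64(1)}",
    f"[example.com]:2222 ssh-ed25519 {_fake_pubkey_b64(2)}",  # custom port
]) + "\n"


def ssh_fingerprint(pubkey_b64: str) -> str:
    """SHA256 fingerprint in the format that ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_name(annotated: str) -> str:
    """Map a tekton.dev/git-N value to the host field OpenSSH writes in
    known_hosts: 'host' stays as is, 'host:port' becomes '[host]:port'."""
    host, sep, port = annotated.rpartition(":")
    if sep and port.isdigit():
        return f"[{host}]:{port}"
    return annotated


def parse_known_hosts(text: str) -> list:
    """Return (hosts, key_type, key_b64) per entry. Rejects entries whose
    key blob does not carry the declared key type (corrupted or hand-edited
    lines). Hashed '|1|' host entries cannot be matched here and are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        hosts, key_type, key_b64 = parts[0].split(","), parts[1], parts[2]
        blob = base64.b64decode(key_b64, validate=True)
        type_len = int.from_bytes(blob[:4], "big")
        if blob[4:4 + type_len] != key_type.encode():
            raise ValueError(f"key blob does not match declared type {key_type}")
        entries.append((hosts, key_type, key_b64))
    return entries


def known_hosts_pins(known_hosts: str, git_host: str) -> list:
    """Fingerprints of every known_hosts key that applies to git_host."""
    wanted = known_hosts_name(git_host)
    return [ssh_fingerprint(k) for hosts, _, k in parse_known_hosts(known_hosts)
            if wanted in hosts]


def build_ssh_auth_secret(name, git_host, private_key, known_hosts,
                          expected_fingerprint=None, index=0) -> dict:
    """Return the Secret manifest as a dict (JSON is valid input for
    kubectl apply -f). Raises ValueError rather than producing a Secret
    that would leave Tekton to accept any host key for git_host."""
    if not private_key.strip():
        raise ValueError("ssh-privatekey is empty")
    pins = known_hosts_pins(known_hosts, git_host)
    if not pins:
        raise ValueError(f"known_hosts has no entry for {known_hosts_name(git_host)}")
    if expected_fingerprint is not None and expected_fingerprint not in pins:
        raise ValueError(f"host key for {git_host} is {pins}, expected {expected_fingerprint}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/ssh-auth",
        "metadata": {"name": name,
                     "annotations": {f"tekton.dev/git-{index}": git_host}},
        "stringData": {"ssh-privatekey": private_key, "known_hosts": known_hosts},
    }


if __name__ == "__main__":
    manifest = build_ssh_auth_secret("ssh-key-custom-port", "example.com:2222",
                                     PRIVATE_KEY, KNOWN_HOSTS)
    print("pinned:", known_hosts_pins(KNOWN_HOSTS, "example.com:2222"))
    print(json.dumps(manifest, indent=2))
```

The printed manifest is JSON, which kubectl accepts as YAML, so it can be piped straight into kubectl apply -f -. The fingerprint check is deliberately a hard failure: a Secret without a matching known_hosts entry is the exact configuration the page warns about, where Tekton ends up trusting the first key a server returns.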

Configuring Docker authentication

Configuring basic-auth authentication

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://gcr.io # Described below
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext username>
  password: <cleartext password>

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

Binding to the PipelineRun

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

Credential files generated by Tekton

=== ~/.docker/config.json ===
{
  "auths": {
    "https://url1.com": {
      "auth": "$(echo -n user1:pass1 | base64)",
      "email": "not@val.id",
    },
    "https://url2.com": {
      "auth": "$(echo -n user2:pass2 | base64)",
      "email": "not@val.id",
    },
    ...
  }
}
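To make the mapping from annotations to generated files concrete for both the Git basic-auth listing (~/.gitconfig and ~/.git-credentials) and the Docker listing (~/.docker/config.json), here is an added Python example, not Tekton's own code, that renders those files from basic-auth Secret manifests. The two Secrets it uses are constructed; percent-encoding the username and password inside the credential URL is this example's choice, and whether Tekton's own writer does the same is not stated on this page. The decode_auth helper shows that the config.json auth value is plain base64 and is recoverable by anyone who can read the file, which is the reason these files deserve the same handling as the Secret itself.

```python
"""Render what Tekton's creds-init writes into a Step's home directory from
kubernetes.io/basic-auth Secrets: ~/.gitconfig and ~/.git-credentials for
tekton.dev/git-N annotations, ~/.docker/config.json for tekton.dev/docker-N.

Added example for this page, not Tekton's own code. The file layouts follow
the page's generated-content listings; the Secrets below are constructed,
and percent-encoding the credential URL is this example's choice."""
import base64
import json
import re
from urllib.parse import quote

ANNOTATION = re.compile(r"^tekton\.dev/(git|docker)-(\d+)$")

# Constructed Secrets. The first stores base64 'data' as kubectl would,
# the second uses 'stringData' like the page's secret.yaml.
SECRETS = [
    {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/basic-auth",
     "metadata": {"name": "github-creds",
                  "annotations": {"tekton.dev/git-0": "https://github.com"}},
     "data": {"username": base64.b64encode(b"user1").decode(),
              "password": base64.b64encode(b"pass1").decode()}},
    {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/basic-auth",
     "metadata": {"name": "internal-creds",
                  "annotations": {"tekton.dev/git-0": "https://gitlab.example.com",
                                  "tekton.dev/docker-0": "https://gcr.io"}},
     "stringData": {"username": "user2", "password": "p@ss:word"}},
]


def annotated_targets(secret: dict, kind: str) -> list:
    """URLs the Secret is bound to for kind 'git' or 'docker', ordered by N."""
    found = []
    for key, url in secret["metadata"].get("annotations", {}).items():
        m = ANNOTATION.match(key)
        if m and m.group(1) == kind:
            found.append((int(m.group(2)), url))
    return [url for _, url in sorted(found)]


def basic_auth(secret: dict) -> tuple:
    """(username, password) from stringData or from base64-encoded data."""
    if secret.get("type") != "kubernetes.io/basic-auth":
        raise ValueError(f"{secret['metadata']['name']}: not a basic-auth Secret")
    data = secret.get("stringData")
    if data is None:
        data = {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}
    return data["username"], data["password"]


def render_git(secrets: list) -> tuple:
    """Return (~/.gitconfig, ~/.git-credentials) contents. The second file
    holds every password in cleartext inside the Step container."""
    gitconfig = ["[credential]", "    helper = store"]
    credentials = []
    for secret in secrets:
        user, password = basic_auth(secret)
        for url in annotated_targets(secret, "git"):
            scheme, sep, host = url.partition("://")
            if not sep:
                raise ValueError(f"git annotation needs a scheme: {url}")
            gitconfig += [f'[credential "{url}"]', f'    username = "{user}"']
            # Encode so that ':' or '@' in a credential cannot split the URL.
            credentials.append(
                f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}@{host}")
    return "\n".join(gitconfig) + "\n", "\n".join(credentials) + "\n"


def render_docker(secrets: list) -> dict:
    """Return the ~/.docker/config.json structure; 'auth' is only
    base64(user:password), not encryption."""
    auths = {}
    for secret in secrets:
        user, password = basic_auth(secret)
        for url in annotated_targets(secret, "docker"):
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            auths[url] = {"auth": token, "email": "not@val.id"}
    return {"auths": auths}


def decode_auth(token: str) -> tuple:
    """Reverse a config.json 'auth' value, showing it is trivially recoverable."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    gitconfig, git_credentials = render_git(SECRETS)
    print("=== ~/.gitconfig ===\n" + gitconfig)
    print("=== ~/.git-credentials ===\n" + git_credentials)
    print("=== ~/.docker/config.json ===\n" + json.dumps(render_docker(SECRETS), indent=2))
```

Running it prints the three files in the same layout as the listings on this page, with one [credential] section and one credential line per git annotation and one auths entry per docker annotation. A Secret can carry both kinds of annotation at once, as the second constructed Secret does.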

Configuring config.json authentication

Generate the Secret from ~/.docker/config.json

Secret

kubectl create secret generic regcred --from-file=.dockerconfigjson=<path/to/.docker/config.json> --type=kubernetes.io/dockerconfigjson

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: regcred

Binding to the PipelineRun

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

Disabling Tekton's built-in credential initialization

# kubectl edit cm feature-flags -n tekton-pipelines
disable-creds-init: "true"

Tekton authentication example

apiVersion: v1
kind: Secret
type: kubernetes.io/ssh-auth
metadata:
  name: ssh-key-for-git
  annotations:
    tekton.dev/git-0: localhost
data:
  # This key was generated for this test and isn't used for anything else.
  ssh-privatekey: <base64-encoded private key, omitted here>
  # Note: we intentionally omit a known_hosts entry here. You should include
  # one in your own Secrets as a security measure, otherwise the Git PipelineResource
  # and git-clone Tasks will blindly accept any public key returned by a repository.
  #
  # We're able to omit known_hosts here because the file is generated by the
  # git server sidecar. The benefit of omitting it here is that it exercises
  # a codepath in Tekton that used to fail. In prior versions Tekton would
  # run ssh-keyscan if known_hosts was omitted, which would fail for this example
  # because the git server sidecar is not up and running at the time the scan
  # would have happened.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ssh-key-service-account
secrets:
- name: ssh-key-for-git
---
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  name: authenticating-git-commands
spec:
  serviceAccountName: ssh-key-service-account
  taskSpec:
    volumes:
    - name: messages
      emptyDir: {}
    sidecars:
    - name: server
      image: alpine/git:v2.26.2
      securityContext:
        runAsUser: 0
      volumeMounts:
      - name: messages
        mountPath: /messages
      script: |
        #!/usr/bin/env ash

        # Generate a private host key and give the Steps access to its public
        # key for their known_hosts file.
        ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
        chmod 0600 /etc/ssh/ssh_host_rsa_key*
        HOST_PUBLIC_KEY=$(cat /etc/ssh/ssh_host_rsa_key.pub | awk '{ print $2 }')
        echo "localhost ssh-rsa $HOST_PUBLIC_KEY" > /messages/known_hosts

        # Wait for a Step to supply the server a public key generated from creds-init
        # credentials.
        while [ ! -f /messages/authorized_keys ] ; do
          sleep 1
        done

        # Allow Steps to SSH login as root to this server.
        mkdir /root/.ssh
        cp /messages/authorized_keys /root/.ssh/

        # "Unlock" the root account, allowing SSH login to succeed.
        sed -i s/root:!/"root:*"/g /etc/shadow

        # Create the git repo we're going to test against.
        cd /root/
        mkdir repo
        cd repo
        git init . --bare

        # Start the sshd server.
        /usr/sbin/sshd -E /var/log/sshd
        touch /messages/sshd-ready
        tail -f /var/log/sshd
    steps:
    - name: setup
      # This Step is only necessary as part of the test, it's not something you'll
      # ever need in a real-world scenario involving an external git repo.
      image: alpine/git:v2.26.2
      securityContext:
        runAsUser: 0
      volumeMounts:
      - name: messages
        mountPath: /messages
      script: |
        #!/usr/bin/env ash

        # Generate authorized_keys file from the creds-init private key and give
        # it to the sidecar server so that Steps can successfully SSH login
        # using creds-init credentials.
        ssh-keygen -y -f $(credentials.path)/.ssh/id_ssh-key-for-git > /messages/authorized_keys

        # Wait for sshd to start on the git server.
        while [ ! -f /messages/sshd-ready ] ; do
          sleep 1
        done
    - name: git-clone-and-push
      image: alpine/git:v2.26.2
      securityContext:
        runAsUser: 0
      workingDir: /root
      volumeMounts:
      - name: messages
        mountPath: /messages
      script: |
        #!/usr/bin/env ash
        set -xe

        if [ -d /tekton/home/.ssh ] ; then
          # When disable-home-env-overwrite is "false", creds-init credentials
          # will be copied to /tekton/home/.ssh by the entrypoint. But we need
          # them in /root/.ssh.

          # Overwrite the creds-init known_hosts file with that of our test
          # git server. You wouldn't need to do this in any kind of real-world
          # scenario involving an external git repo.
          cp /messages/known_hosts $(credentials.path)/.ssh/

          # Symlink /tekton/creds/.ssh to /root/.ssh because this script issues
          # vanilla git commands of its own. Git PipelineResources and the git-clone
          # catalog task handle this for you.
          ln -s $(credentials.path)/.ssh /root/.ssh
        else
          # When disable-home-env-overwrite is "true", creds-init credentials
          # will be copied to /root/.ssh by the entrypoint. We just need to
          # overwrite the known_hosts file with that of our test git server.
          cp /messages/known_hosts /root/.ssh/known_hosts
        fi

        git clone root@localhost:/root/repo ./repo
        cd repo
        git config user.email "example@example.com"
        git config user.name "Example"
        echo "Hello, world!" > README
        git add README
        git commit -m "Test commit!"
        git push origin master
    - name: git-clone-and-check
      image: gcr.io/tekton-releases/dogfooding/alpine-git-nonroot:latest
      # Because this Step runs with a non-root security context, the creds-init
      # credentials will fail to copy into /tekton/home. This happens because
      # our previous step _already_ wrote to /tekton/home and ran as a root
      # user. So there will be warning messages reporting "unsuccessful cred
      # copy". These can be safely ignored and instead this Step will copy
      # the credentials out of /tekton/creds to nonroot's HOME directory.
      securityContext:
        runAsUser: 1000
      workingDir: /home/nonroot
      volumeMounts:
      - name: messages
        mountPath: /messages
      script: |
        #!/usr/bin/env ash
        set -xe

        if [ -d /tekton/home/.ssh ] ; then
          # When disable-home-env-overwrite is "false", creds-init credentials
          # will be copied to /tekton/home/.ssh by the entrypoint. But we need
          # them in /home/nonroot/.ssh.

          # Overwrite the creds-init known_hosts file with that of our test
          # git server. You wouldn't need to do this in any kind of real-world
          # scenario involving an external git repo.
          cp /messages/known_hosts $(credentials.path)/.ssh/

          # Symlink /tekton/creds/.ssh to /home/nonroot/.ssh because this script issues
          # vanilla git commands of its own and we're running as a non-root user.
          # Git PipelineResources and the git-clone catalog task handle this for you.
          ln -s $(credentials.path)/.ssh /home/nonroot/.ssh
        else
          # When disable-home-env-overwrite is "true", creds-init credentials
          # will be copied to /home/nonroot/.ssh by the entrypoint. We just need to
          # overwrite the known_hosts file with that of our test git server.
          cp /messages/known_hosts /home/nonroot/.ssh/known_hosts
        fi

        git clone root@localhost:/root/repo ./repo
        cd repo
        cat README | grep "Hello, world!"

References

https://tekton.dev/docs/pipelines/auth/

posted @ 2023-12-04 17:14 小吉猫