Chapter 4. Authenticating pipelines using git secret
A Git secret consists of credentials to securely interact with a Git repository, and is often used to automate authentication. In Red Hat OpenShift Pipelines, you can use Git secrets to authenticate pipeline runs and task runs that interact with a Git repository during execution.
A pipeline run or a task run gains access to the secrets through the associated service account. OpenShift Pipelines support the use of Git secrets as annotations (key-value pairs) for basic authentication and SSH-based authentication.
4.1. Credential selection Copy linkLink copied to clipboard!
A pipeline run or task run might require multiple authentications to access different Git repositories. Annotate each secret with the domains where OpenShift Pipelines can use its credentials.
A credential annotation key for Git secrets must begin with tekton.dev/git-
, and its value is the URL of the host for which you want OpenShift Pipelines to use that credential.
In the following example, OpenShift Pipelines uses a basic-auth
secret, which relies on a username and password, to access repositories at github.com
and gitlab.com
.
Example: Multiple credentials for basic authentication
You can also use an ssh-auth
secret (private key) to access a Git repository.
Example: Private key for SSH based authentication
- 1
- The content of the SSH private key file.
4.2. Configuring basic authentication for Git Copy linkLink copied to clipboard!
For a pipeline to retrieve resources from password-protected repositories, you must configure the basic authentication for that pipeline.
To configure basic authentication for a pipeline, update the secret.yaml
, serviceaccount.yaml
, and run.yaml
files with the credentials from the Git secret for the specified repository. When you complete this process, OpenShift Pipelines can use that information to retrieve the specified pipeline resources.
For GitHub, authentication using plain password is deprecated. Instead, use a personal access token.
Procedure
In the
secret.yaml
file, specify the username and password or GitHub personal access token to access the target Git repository.Copy to Clipboard Copied! Toggle word wrap Toggle overflow In the
serviceaccount.yaml
file, associate the secret with the appropriate service account.Copy to Clipboard Copied! Toggle word wrap Toggle overflow In the
run.yaml
file, associate the service account with a task run or a pipeline run.Associate the service account with a task run:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Associate the service account with a
PipelineRun
resource:Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Apply the changes.
oc apply --filename secret.yaml,serviceaccount.yaml,run.yaml
$ oc apply --filename secret.yaml,serviceaccount.yaml,run.yaml
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
4.3. Configuring SSH authentication for Git Copy linkLink copied to clipboard!
For a pipeline to retrieve resources from repositories configured with SSH keys, you must configure the SSH-based authentication for that pipeline.
To configure SSH-based authentication for a pipeline, update the secret.yaml
, serviceaccount.yaml
, and run.yaml
files with the credentials from the SSH private key for the specified repository. When you complete this process, OpenShift Pipelines can use that information to retrieve the specified pipeline resources.
Consider using SSH-based authentication rather than basic authentication.
Procedure
-
Generate an SSH private key, or copy an existing private key, which is usually available in the
~/.ssh/id_rsa
file. In the
secret.yaml
file, set the value ofssh-privatekey
to the content of the SSH private key file, and set the value ofknown_hosts
to the content of the known hosts file.Copy to Clipboard Copied! Toggle word wrap Toggle overflow ImportantIf you omit the private key, OpenShift Pipelines accepts the public key of any server.
-
Optional: To specify a custom SSH port, add
:<port number>
to the end of theannotation
value. For example,tekton.dev/git-0: github.com:2222
. In the
serviceaccount.yaml
file, associate thessh-key
secret with thebuild-bot
service account.Copy to Clipboard Copied! Toggle word wrap Toggle overflow In the
run.yaml
file, associate the service account with a task run or a pipeline run.Associate the service account with a task run:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Associate the service account with a pipeline run:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Apply the changes.
oc apply --filename secret.yaml,serviceaccount.yaml,run.yaml
$ oc apply --filename secret.yaml,serviceaccount.yaml,run.yaml
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
4.4. Using SSH authentication in git type tasks Copy linkLink copied to clipboard!
When invoking Git commands, you can use SSH authentication directly in the steps of a task. SSH authentication ignores the $HOME
variable and only uses the user’s home directory specified in the /etc/passwd
file. So each step in a task must symlink the /tekton/home/.ssh
directory to the home directory of the associated user.
However, explicit symlinks are not necessary when you use a pipeline resource of the git
type, or the git-clone
task available in the Tekton catalog.
As an example of using SSH authentication in git
type tasks, refer to authenticating-git-commands.yaml.
4.5. Using secrets as a non-root user Copy linkLink copied to clipboard!
You might need to use secrets as a non-root user in certain scenarios, such as:
- The users and groups that the containers use to execute runs are randomized by the platform.
- The steps in a task define a non-root security context.
- A task specifies a global non-root security context, which applies to all steps in a task.
In such scenarios, consider the following aspects of executing task runs and pipeline runs as a non-root user:
-
SSH authentication for Git requires the user to have a valid home directory configured in the
/etc/passwd
directory. Specifying a UID that has no valid home directory results in authentication failure. -
SSH authentication ignores the
$HOME
environment variable. So you must or symlink the appropriate secret files from the$HOME
directory defined by OpenShift Pipelines (/tekton/home
), to the non-root user’s valid home directory.
In addition, to configure SSH authentication in a non-root security context, refer to the example for authenticating git commands.
4.6. Limiting secret access to specific steps Copy linkLink copied to clipboard!
By default, the secrets for OpenShift Pipelines are stored in the $HOME/tekton/home
directory, and are available for all the steps in a task.
To limit a secret to specific steps, use the secret definition to specify a volume, and mount the volume in specific steps.