Red Hat Summitこのコンテンツは選択した言語では利用できません。
Chapter 1. Understanding authentication at runtime
Developers building images may need to configure authentication and use secrets to handle sensitive data safely within the build process. Access to build resources is governed by role-based access control (RBAC), defined by cluster administrators to ensure only authorized users can act securely.
1.1. Build secret annotation
Add an annotation to a build secret to ensure the build controller reconciles on create, update, or delete events for the referenced build secret.
The following example shows the usage of an annotation with a secret:
where:
<pull_secret>- Specifies the Base64-encoded pull secret used by the build.
build.shipwright.io/referenced.secret-
Specifies the value of the
build.shipwright.io/referenced.secretannotation.
This annotation ensures the controller ignores secret events unless the secret is explicitly referenced by a build. For example, if a secret does not include this annotation, the build controller will not reconcile when that secret changes, even if an event is triggered. Reconciling on relevant events allows the build controller to re-run build configuration validations, helping detect missing or misconfigured dependencies early.
1.2. Authentication to Git repositories
You can define the following types of authentication for a Git repository:
- Basic authentication
- Secure Shell (SSH) authentication
You can configure a Git secret with these authentication methods.
1.2.1. Basic authentication
Configure basic authentication credentials for a Git repository by creating a Kubernetes secret with a username and password. The following example shows a Git basic-auth secret referenced by a build:
where:
type-
Specifies the Kubernetes secret type.
kubernetes.io/basic-authindicates that the secret contains credentials for basic authentication. stringData- Specifies the username and password used for basic authentication to the Git repository referenced by the build.
1.2.2. SSH authentication
With Secure Shell (SSH) authentication, configure Tekton annotations to specify the hostname of the Git repository provider. For example, use github.com for GitHub or gitlab.com for GitLab.
The following example shows a Kubernetes secret configured for SSH authentication to a Git repository:
where:
type-
Specifies the Kubernetes secret type.
kubernetes.io/ssh-authindicates that the secret contains SSH credentials. ssh-privatekey-
Specifies the Base64-encoded SSH private key used to authenticate to the Git repository. You can generate this value by running
base64 ~/.ssh/id_rsa, where~/.ssh/id_rsais the default location of the SSH private key commonly used for Git authentication.
1.2.3. Usage of Git secret
After creating a secret in the relevant namespace, you can reference it in your Build custom resource (CR). You can configure the Git secret to use either basic authentication or Secure Shell (SSH) authentication.
The following example shows the usage of a Git secret with SSH authentication type:
The following example shows the usage of a Git secret with basic authentication type:
1.3. Authentication to container registries
To push images to a private container registry, you must create a secret in the relevant namespace and then reference it in your Build custom resource (CR).
Prerequisites
- You have installed the Builds for Red Hat OpenShift Operator on the OpenShift Container Platform cluster.
-
You have installed the
ocCLI.
Procedure
Run the following command to generate a
secretobject:oc --namespace <namespace> create secret docker-registry <container_registry_secret_name> \ --docker-server=<registry_host> \ --docker-username=<username> \ --docker-password=<password> \ --docker-email=<email_address>
$ oc --namespace <namespace> create secret docker-registry <container_registry_secret_name> \ --docker-server=<registry_host> \ --docker-username=<username> \ --docker-password=<password> \ --docker-email=<email_address>Copy to Clipboard Copied! Toggle word wrap Toggle overflow where:
<namespace>- Specifies the namespace where you want to create the secret.
<container_registry_secret_name>-
Specifies the name of the
Secretresource that stores the container registry credentials. <registry_host>-
Specifies the registry URL in the format
https://<registry_server>/<registry_host>. <username>- Specifies the registry username.
<password>- Specifies the password or an access token for the container registry.
<email_address>- Specifies the email address associated with the container registry credentials.
Run the following command to annotate the secret:
oc --namespace <namespace> annotate secrets <container_registry_secret_name> build.shipwright.io/referenced.secret='true'
$ oc --namespace <namespace> annotate secrets <container_registry_secret_name> build.shipwright.io/referenced.secret='true'Copy to Clipboard Copied! Toggle word wrap Toggle overflow where:
<namespace>- Specifies the namespace in which you want to create the secret.
<container_registry_secret_name>-
Specifies the name of the
Secretresource that stores the container registry credentials.
Set the value of the
spec.output.pushSecretfield to the secret name in yourBuildCR:Copy to Clipboard Copied! Toggle word wrap Toggle overflow where
<path_to_image>- Specifies the location of the output image.
<container_registry_secret_name>-
Specifies the name of the
Secretresource that stores the container registry credentials.
-
Run a build using the
BuildCR. The container registry credentials are verified during the image push. If authentication fails, the build does not push the image.
1.4. Role-based access control
By default, builds for Red Hat OpenShift installation includes the following two cluster-wide roles for using Builds objects:
-
shpwright-build-aggregate-view: Grants read access to the Builds resources, such asBuildStrategy,ClusterBuildStrategy,Build, andBuildRun. This role is aggregated into the Kubernetesviewrole. -
shipwright-build-aggregate-edit: Grants write access to the Builds resources that are configured at namespace level. The build resources includeBuildStrategy,Build, andBuildRun. Read access is granted to allClusterBuildStrategyresources. This role is aggregated into the Kuberneteseditandadminroles.
Only cluster administrators have write access to the ClusterBuildStrategy resources by default. You can change this setting by creating a separate Kubernetes ClusterRole with the desired permissions and binding it to the appropriate users.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}