RHDEVDOCS-4233| Documented guidance on authentication strategies for pipelines #57140
🤖 Updated build preview is available at: Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/13649 |
cicd/pipelines/authenticating-pipelines-and-tasks-using-secrets.adoc
…(git, image registry)
851bff9 to 29e04b7
@ppitonak @VeereshAradhya This PR is ready for QE review. |
- I would reorder the sections so that all those related to git follow each other and the section about docker is either first or last
- The doc talks about binding a secret to a workspace but it doesn't show how.
|
||
. Create a Task called `git-clone` that clones a git repository using SSH authentication. | ||
|
||
. Define workspaces, describe the process to create a secret, and bind it to the workspace. For example: |
- I don't understand this part: "describe the process to create a secret"
- I split this point into two - one would only talk about how to create a secret, another one would talk about workspace declaration in task and binding.
Noted,
Resolved
+ | ||
[NOTE] | ||
==== | ||
To create the above secret, run `$ kubectl create secret generic my-github-ssh-credentials \ |
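Review bot: In the NOTE, the command is set inline with a `$` prompt and a trailing `\`, so it will not render as a copyable multi-line command; move it into a terminal source block after the sentence. If the Secret holds the SSH private key, show it loaded with `--from-file` rather than typed as a literal value, so the key does not end up in shell history.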
We usually use `oc` instead of `kubectl`
resolved
|
||
== git-clone Task | ||
|
||
This approach involves creating a task called `git-clone`, which clones a git repository using SSH authentication. The following are the steps to use Secrets and Workspace in Tekton Pipelines: |
We already ship `git-clone` clustertask, can't we just show how it looks like and describe how to use secrets with it?
Hello @vdemeester, can we use the already existing `git-clone` clustertask in this case?
@ppitonak, according to the Tekton documentation, clustertasks are deprecated. As Red Hat, are we still shipping them downstream? (CC @mramendi)
Yes, we still ship them
--param url=git@github.com:<username>/buildkit-tekton \ | ||
--workspace name=output,emptyDir="" \ | ||
--workspace name=ssh-directory,secret=my-github-ssh-credentials \ | ||
--use-param-defaults --showlog` |
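Review bot: The `--workspace name=ssh-directory,secret=my-github-ssh-credentials` line binds the Secret to the `ssh-directory` workspace, but nothing in the visible lines says the Secret must carry a `known_hosts` entry alongside the private key. State that requirement where the Secret is created, so that the SSH clone of `git@github.com:<username>/buildkit-tekton` can verify the server's host key.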
This command is rendered on a single line, in that case backslashes are not necessary
Noted,
Addressed
|
||
Following are the steps involved in using a Docker configuration file inside a Tekton pipeline task. | ||
|
||
. Define a Tekton Task in your Kubernetes cluster with a reference to Skopeo image that copies a docker image to a specified repository. |
Kubernetes cluster -> OpenShift cluster
addressed.
mountPath: /optional-workspace | ||
---- | ||
|
||
.Example: A modified git clone task to incorporate the optional Workspace feature. |
Why do we have 2 examples here? 🤔
cp "$(workspaces.basic_auth.path)/.gitconfig" "${HOME}/.gitconfig" | ||
chmod 400 "${HOME}/.git-credentials" | ||
chmod 400 "${HOME}/.gitconfig" | ||
fi |
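Review bot: The script at `cp "$(workspaces.basic_auth.path)/.gitconfig"` appears to assume that the Secret bound to the `basic_auth` workspace has keys named `.gitconfig` and `.git-credentials`, and nothing in the visible lines says so. Add the Secret manifest or a sentence naming those keys before this block, and explain that the `chmod 400` calls keep the copied credentials readable only by the step's user. The workspace is also spelled `basic_auth` here while the SSH example uses the hyphenated `ssh-directory`; pick one naming style.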
This is basically code from our own task, but I miss the context here.
|
||
* kubernetes.io/basic-auth : basic authentications | ||
|
||
* kubernetes.io/dockercfg : serialized ~/.dockercfg file kubernetes.io/dockerconfigjson : serialized ~/.docker/config.json file |
kubernetes.io/dockerconfigjson should be a new bullet point
---- | ||
# For a TaskRun | ||
|
||
apiVersion: tekton.dev/v1beta1 |
update to v1
metadata: | ||
name: build-with-basic-auth | ||
spec: | ||
serviceAccountName: build-bot |
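Review bot: `serviceAccountName: build-bot` is the only visible link between the `build-with-basic-auth` run and its credentials, so the text around this example should name the Secret attached to `build-bot` and show how the two are linked. It is also worth stating that every run using `build-bot` receives the same credentials, so the service account should be dedicated to the pipelines that need them.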
v1 API uses different syntax https://tekton.dev/docs/pipelines/migrating-v1beta1-to-v1/#changes-to-fields
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
/remove-lifecycle stale |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR is now being tracked with this PR-66069 |
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
/remove-lifecycle rotten |
@gtrivedi88 I mistakenly removed the rotten lifecycle. Could you please close this PR? The up-to-date PR on this issue is #70384
@mramendi As you suggested. I've closed this PR. |
enterprise-4.10, enterprise-4.11, enterprise-4.12, and enterprise-4.13