Spurious warning from git-clone with SSH credentials

Open jimmyjones2 opened this issue 3 years ago • 7 comments

Expected Behavior

When using the git-clone task with SSH credentials, no spurious warnings are emitted on successful clone

Actual Behavior

The warning "appears to need SSH authentication but no SSH credentials have been provided"

This comes from the following code: https://github.com/tektoncd/pipeline/blob/34274fb039971f310c84f77b609f6589a6763eb8/pkg/git/git.go#L271 which seems to expect creds in /tekton/creds (legacy) whereas it'll be in ~/.ssh https://github.com/tektoncd/pipeline/blob/34274fb039971f310c84f77b609f6589a6763eb8/pkg/apis/pipeline/paths.go#L28

Steps to Reproduce the Problem

  1. Create git-clone TaskRun with SSH credentials

Additional Info

  • Kubernetes version:

    Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:14:10Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.6+k3s1", GitCommit:"418c3fa858b69b12b9cefbcff0526f666a6236b9", GitTreeState:"clean", BuildDate:"2022-04-28T22:16:18Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"linux/amd64"}
  • Tekton Pipeline version:

v0.37.0

Related issue #5242

jimmyjones2 avatar Nov 05 '22 21:11 jimmyjones2

@jimmyjones2 Hi, the warning message is only emitted if no credentials are provided and it is an SSH repository, or if it is not an SSH repository but credentials are provided. When using the git-clone task with SSH credentials, maybe no spurious warnings are expected.

Using the git-clone task with SSH credentials, log:

Defaulted container "step-git-source-gitssh-xswn7" out of: step-git-source-gitssh-xswn7, step-config, prepare (init), place-scripts (init)
{"level":"info","ts":1667921371.8161123,"caller":"git/git.go:176","msg":"Successfully cloned [email protected]:chengjoey/xxx.git @ 7aaa7c2f15a5ac1e1eed34420cfc17e91fa09cc3 (grafted, HEAD, origin/master) in path /workspace/gitssh"}
{"level":"info","ts":1667921371.8346016,"caller":"git/git.go:215","msg":"Successfully initialized and updated submodules in path /workspace/gitssh"}

chengjoey avatar Nov 08 '22 15:11 chengjoey

@chengjoey The git-clone Task copies SSH creds into /home/git/.ssh by default (which git automatically uses) here https://github.com/tektoncd/catalog/blob/1de628290778ad5063450a2a9edffda690c119e3/task/git-clone/0.9/git-clone.yaml#L184

I'm successfully cloning SSH git repos but getting the warning, I presume because the Task is not putting them into /tekton/creds where git-init expects it? How would creds ever get there?

jimmyjones2 avatar Nov 09 '22 17:11 jimmyjones2

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Feb 07 '23 18:02 tekton-robot

/remove-lifecycle stale Still an issue

jimmyjones2 avatar Feb 07 '23 21:02 jimmyjones2

/remove-lifecycle stale

jerop avatar Feb 07 '23 22:02 jerop

@jimmyjones2 Which version of Tekton Pipelines are you using? I had the same issue as you, even worse because the pipeline was failing; it wasn't only a warning sign. I was trying to run the task with the following image version gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2, which is only compatible with Tekton Pipelines versions 0.29.0 and greater; see https://github.com/tektoncd/catalog/tree/main/task/git-clone/0.9. I then changed the image to version gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.29.0 and the task runs fine and I don't have any warning message.

I hope it will help you.

edubois10 avatar Feb 13 '23 15:02 edubois10

Thanks @edubois10. I get this error on v0.37.0. I've just switched over to using annotated secrets for authentication https://github.com/tektoncd/pipeline/blob/main/docs/auth.md which removes the spurious warning. The issue is only present when using the buildah Task supplied with a ssh-directory workspace.

jimmyjones2 avatar Feb 14 '23 08:02 jimmyjones2

+1 same issue with everything updated to the latest version today

W1zzardTPU avatar Apr 20 '23 10:04 W1zzardTPU

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Jul 19 '23 11:07 tekton-robot

> @chengjoey The git-clone Task copies SSH creds into /home/git/.ssh by default (which git automatically uses) here https://github.com/tektoncd/catalog/blob/1de628290778ad5063450a2a9edffda690c119e3/task/git-clone/0.9/git-clone.yaml#L184
>
> I'm successfully cloning SSH git repos but getting the warning, I presume because the Task is not putting them into /tekton/creds where git-init expects it? How would creds ever get there?

I have this same situation as described here. It works, but I still get a warning.

{"level":"warn","ts":1691749946.356301,"caller":"git/git.go:271","msg":"URL(\"ssh://[email protected]:443/my/repo.git\") appears to need SSH authentication but no SSH credentials have been provided"}
{"level":"info","ts":1691750019.4559164,"caller":"git/git.go:176","msg":"Successfully cloned ssh://[email protected]:443/my/repo.git @ 2a41c53c75b0dc32717ed1ddc94a3d7a6961076e (grafted, HEAD) in path /workspace/output/"}
{"level":"info","ts":1691750019.483891,"caller":"git/git.go:215","msg":"Successfully initialized and updated submodules in path /workspace/output/"}

Versions:

  • gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2
  • git-clone task version 0.9

Analysis

  • As mentioned in the initial post, the git-init image expects a fixed directory tekton/creds
  • but the git-clone task puts the SSH files in the .ssh of the home dir /home/git.

kad-dirc avatar Aug 11 '23 11:08 kad-dirc
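
The mismatch analysed in the comment above, as an added Go sketch (not Tekton's code and not written by any participant in this thread): a check that consults only a credentials directory reports missing SSH credentials even though an `.ssh` directory exists in the step's home directory. The function names, the `.ssh` subdirectory under the credentials directory, the URL heuristic and the sample URL are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// scpLike matches scp-style remotes such as user@host:path (no scheme).
var scpLike = regexp.MustCompile(`^[^/@:]+@[^/:]+:.+$`)

// looksLikeSSH reports whether a remote URL would use the SSH transport.
func looksLikeSSH(url string) bool {
	return strings.HasPrefix(url, "ssh://") || scpLike.MatchString(url)
}

// hasSSHDir reports whether dir contains a .ssh directory.
func hasSSHDir(dir string) bool {
	fi, err := os.Stat(filepath.Join(dir, ".ssh"))
	return err == nil && fi.IsDir()
}

// authWarning models a check that only looks in credsDir (a hypothetical
// simplification of the behaviour described in the thread).
func authWarning(credsDir, url string) string {
	if looksLikeSSH(url) && !hasSSHDir(credsDir) {
		return fmt.Sprintf("URL(%q) appears to need SSH authentication but no SSH credentials have been provided", url)
	}
	return ""
}

// keyDirPresent reports whether an .ssh directory exists in either location.
func keyDirPresent(credsDir, homeDir string) bool { return hasSSHDir(credsDir) || hasSSHDir(homeDir) }

func main() {
	creds, _ := os.MkdirTemp("", "creds") // stands in for /tekton/creds
	home, _ := os.MkdirTemp("", "home")   // stands in for the step's home directory
	defer os.RemoveAll(creds)
	defer os.RemoveAll(home)
	os.Mkdir(filepath.Join(home, ".ssh"), 0o700)        // what the Task's copy step produces
	url := "ssh://git@git.example.test:443/my/repo.git" // constructed sample URL
	fmt.Println("warning:", authWarning(creds, url) != "", "key dir present:", keyDirPresent(creds, home))
}
```
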

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten with a justification. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

tekton-robot avatar Sep 10 '23 13:09 tekton-robot

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen with a justification. Mark the issue as fresh with /remove-lifecycle rotten with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

tekton-robot avatar Oct 10 '23 13:10 tekton-robot

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen with a justification. Mark the issue as fresh with /remove-lifecycle rotten with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.


tekton-robot avatar Oct 10 '23 13:10 tekton-robot

This issue still exists and the pipeline is failing. Pipeline version: v0.56.1 git-clone task version: 0.9

IndranilNandy avatar May 30 '24 07:05 IndranilNandy

Hi I'm experiencing exactly the same issue using version: Pipeline version: v0.61.0 git-clone task version 0.6 to 0.9

I've used the version 0.6 to 0.9 with no success. Any help would be most helpful: https://api.hub.tekton.dev/v1/resource/tekton/task/git-clone/0.6/raw

Here is the output from the container:


STEP-CLONE

+ '[' false '=' true ]
+ '[' true '=' true ]
+ cp -R /workspace/ssh-directory /tekton/home/.ssh
+ chmod 700 /tekton/home/.ssh
+ chmod -R 400 /tekton/home/.ssh/ssh-privatekey
+ '[' false '=' true ]
+ CHECKOUT_DIR=/workspace/output/
+ '[' true '=' true ]
+ cleandir
+ '[' -d /workspace/output/ ]
+ rm -rf /workspace/output//lost+found
+ rm -rf '/workspace/output//.[!.]*'
+ rm -rf '/workspace/output//..?*'
+ test -z 
+ test -z 
+ test -z 
+ /ko-app/git-init '-url=ssh://*****@*********/volume1/repo/project/cybackend/backend' '-revision=' '-refspec=' '-path=/workspace/output/' '-sslVerify=true' '-submodules=true' '-depth=1' '-sparseCheckoutDirectories='
{"level":"warn","ts":1721738282.5375512,"caller":"git/git.go:277","msg":"URL(\"ssh://*****@***************/volume1/repo/project/cybackend/backend\") appears to need SSH authentication but no SSH credentials have been provided"}
{"level":"error","ts":1721738299.8092742,"caller":"git/git.go:54","msg":"Error running git [fetch --recurse-submodules=yes --depth=1 origin --update-head-ok --force HEAD]: exit status 128\nWarning: Permanently added '****************,<someIP>' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.\r\nPermission denied, please try again.\r\n********@**************: Permission denied (publickey,password).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:54\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:149\nmain.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:53\nruntime.main\n\truntime/proc.go:204"}
{"level":"fatal","ts":1721738299.809353,"caller":"git-init/main.go:54","msg":"Error fetching git repository: failed to fetch [HEAD]: exit status 128","stacktrace":"main.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:54\nruntime.main\n\truntime/proc.go:204"}

TIA Glenn

glennodickson avatar Jul 23 '24 12:07 glennodickson
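
The thread shows the same warning in two different situations: followed by a successful clone, and followed by a `Permission denied` fetch error. As an added Go example (not Tekton's code and not from any participant), the triage below separates them from the step's JSON log lines; the sample logs are constructed, with a placeholder host and commit id, and the category names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample logs (placeholder host and commit id), shaped like the thread's.
const spuriousLog = `{"level":"warn","msg":"URL(\"ssh://git@git.example.test/my/repo.git\") appears to need SSH authentication but no SSH credentials have been provided"}
{"level":"info","msg":"Successfully cloned ssh://git@git.example.test/my/repo.git @ 0000000 (grafted, HEAD) in path /workspace/output/"}`
const deniedLog = `+ cp -R /workspace/ssh-directory /tekton/home/.ssh
{"level":"warn","msg":"URL(\"ssh://git@git.example.test/my/repo.git\") appears to need SSH authentication but no SSH credentials have been provided"}
{"level":"error","msg":"Error running git [fetch origin HEAD]: exit status 128\ngit@git.example.test: Permission denied (publickey,password).\r\nfatal: Could not read from remote repository."}
{"level":"fatal","msg":"Error fetching git repository: failed to fetch [HEAD]: exit status 128"}`

type entry struct {
	Level string `json:"level"`
	Msg   string `json:"msg"`
}

// triage returns "auth-denied", "other-failure", "spurious-warning", "clean" or "unknown".
func triage(log string) string {
	var warned, cloned, failed, denied bool
	for _, line := range strings.Split(log, "\n") {
		var e entry
		if json.Unmarshal([]byte(line), &e) != nil {
			continue // shell trace lines such as "+ cp -R ..." are not JSON
		}
		warned = warned || (e.Level == "warn" && strings.Contains(e.Msg, "no SSH credentials have been provided"))
		cloned = cloned || (e.Level == "info" && strings.HasPrefix(e.Msg, "Successfully cloned"))
		failed = failed || e.Level == "error" || e.Level == "fatal"
		denied = denied || strings.Contains(e.Msg, "Permission denied")
	}
	switch {
	case denied:
		return "auth-denied"
	case failed:
		return "other-failure"
	case cloned && warned:
		return "spurious-warning"
	case cloned:
		return "clean"
	}
	return "unknown"
}

func main() {
	fmt.Println(triage(spuriousLog), triage(deniedLog))
}
```
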