
Examples of Tekton CI/CD pipelines with "skopeo copy" task.

Open · lebrisg opened this issue · 0 comments

Feature request

This is a request for improving the current documentation on how to write Tekton pipelines when using the Tekton operator.

Use case

I just want to create a simple Tekton pipeline on OpenShift using the Tekton operator. My pipeline consists of the following operations:

  • fetch a given git repository,
  • build a nodejs application with the s2i-nodejs Tekton task,
  • store the resulting image into an external registry.

Implementing the first two steps poses no problem; implementing the third one is incredibly complicated without expert guidance.

When you want to store an image from the OpenShift internal registry into an external one, you need credentials. The OpenShift internal registry requires a pullImageSecret. You can't reuse the default pipeline service account and patch it to provide the requested pullImageSecret.

The OpenShift documentation is very clear (https://docs.openshift.com/container-platform/4.11/cicd/pipelines/using-tekton-chains-for-openshift-pipelines-supply-chain-security.html): "If you patch the default pipeline service account that Red Hat OpenShift Pipelines assigns to all task runs, the Red Hat OpenShift Pipelines Operator will override the service account." I don't know why you don't mention the same information in your documentation.

As you can't reuse the default pipeline service account, you can create another one and replace the default pipeline with the new one. However, you don't know what exactly the RBAC configuration of the default pipeline service account is. Some details are available at https://hub.tekton.dev/tekton/task/s2i. Also, it requires cluster-admin rights, which shouldn't normally be available to application developers. In addition, some configuration seems to be missing (there is a pipeline-scc not mentioned anywhere). I don't know why you don't specify the full default pipeline configuration in your documentation. This is useful information.

If we can't reuse the default pipeline service account, can't replace it with a similar service account because we don't know the full configuration, and don't have cluster admin rights: what do we do?

I found a solution (maybe there is still a better one): we can add a new "skopeo copy" Tekton task using a new service account with the adequate credentials and everything is fine! When thinking about it, I thought it was easy: one week later I still haven't succeeded! Using "skopeo copy" to copy an image from the OpenShift internal registry to an external one is a nightmare. You have to deal with so much complexity that it's terrible (at least for a newcomer): various formats of supported authfiles, XDG_RUNTIME_DIR set or not set, very difficult debugging, etc. Podman, Buildah and Skopeo, all very powerful tools, don't behave the same way! (https://github.com/containers/skopeo/issues/823). Could you provide an example describing a very simple Tekton pipeline/pipelinerun with the use of the "skopeo copy" command in your documentation (if possible in an OpenShift environment)?

lebrisg, Oct 11 '22 15:10
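The setup the issue asks for, as an added example that is not part of the issue and not code from the Tekton or OpenShift Pipelines projects: a dedicated ServiceAccount used only by the "skopeo copy" task (the other tasks keep the Operator-managed `pipeline` ServiceAccount, which is selected per task with `taskRunSpecs`), a Task that authenticates to the internal registry with the task's own ServiceAccount token and to the external registry with a `kubernetes.io/dockerconfigjson` secret mounted as a workspace, and a Pipeline/PipelineRun pair that wires them together. All names (`skopeo-copier`, `external-registry-auth`, `myproject/myapp`, `quay.io/myorg/myapp`), the `v1beta1` API version and the registry hostnames are assumptions; so is the assumption that the source image lives in the same namespace as the run (OpenShift grants that namespace's ServiceAccounts pull access by default) and that the internal registry accepts the ServiceAccount token with any username.

```yaml
# Added example (not from the issue or the Tekton project). Names and image
# references are placeholders. Create the destination credentials first:
#   oc create secret docker-registry external-registry-auth \
#     --docker-server=quay.io --docker-username=<user> --docker-password=<token>
apiVersion: v1
kind: ServiceAccount
metadata:
  name: skopeo-copier          # assumed name; used only by the copy task
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: skopeo-copy-to-external
spec:
  params:
    - name: srcImageURL
      type: string
    - name: destImageURL
      type: string
    - name: srcTLSverify
      type: string
      default: "true"        # set "false" if the internal registry CA is not trusted in the image
  workspaces:
    - name: registry-auth
      description: kubernetes.io/dockerconfigjson secret for the destination registry
  steps:
    - name: copy
      image: quay.io/skopeo/stable:latest
      env:
        - name: XDG_RUNTIME_DIR   # skopeo's default auth.json location; point it somewhere writable
          value: /tmp
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        # Source: the task's own ServiceAccount token (assumption: the internal
        # registry ignores the username and validates only the token).
        SA_TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
        # Destination: the mounted dockerconfigjson; skopeo reads the "auths"
        # map of a docker config.json directly, so no format conversion is needed.
        skopeo copy \
          --src-tls-verify="$(params.srcTLSverify)" \
          --src-creds "serviceaccount:${SA_TOKEN}" \
          --dest-authfile "$(workspaces.registry-auth.path)/.dockerconfigjson" \
          "docker://$(params.srcImageURL)" \
          "docker://$(params.destImageURL)"
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: push-to-external-registry
spec:
  params:
    - name: internal-image
    - name: external-image
  workspaces:
    - name: registry-auth
  tasks:
    # git-clone and s2i-nodejs would precede this task (with runAfter);
    # they are omitted here to keep the example focused on the copy step.
    - name: skopeo-copy
      taskRef:
        name: skopeo-copy-to-external
      params:
        - name: srcImageURL
          value: $(params.internal-image)
        - name: destImageURL
          value: $(params.external-image)
      workspaces:
        - name: registry-auth
          workspace: registry-auth
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: push-to-external-registry-
spec:
  pipelineRef:
    name: push-to-external-registry
  params:
    - name: internal-image
      value: image-registry.openshift-image-registry.svc:5000/myproject/myapp:latest
    - name: external-image
      value: quay.io/myorg/myapp:latest
  workspaces:
    - name: registry-auth
      secret:
        secretName: external-registry-auth
  # Only the copy task runs as the dedicated ServiceAccount; every other task
  # keeps the default "pipeline" ServiceAccount, so nothing the Operator
  # manages is patched.
  taskRunSpecs:
    - pipelineTaskName: skopeo-copy
      taskServiceAccountName: skopeo-copier
```

Apply the manifests with `oc apply -f` and start the run with `oc create -f` on the PipelineRun. Because the credentials are passed explicitly (`--src-creds` and `--dest-authfile`), the step does not depend on Tekton's credential initialisation or on where skopeo looks for `auth.json` by default, which removes the XDG_RUNTIME_DIR and authfile-format ambiguity the issue describes; the only secret the new ServiceAccount can reach is the one mounted into this task.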