
Make it easier to set up SSH authentication for Git

Open jlpettersson opened this issue 5 years ago • 10 comments

Feature request

The authentication page in the documentation looks a bit overwhelming at first visit. Unfortunately, setting up authentication is one of the first things a new user needs to do to use Tekton for Continuous Integration. It would be good if the steps (and instructions) on how to set up SSH authentication for Git were easier to understand and easier to do. If this part is too overwhelming, it might serve as a barrier to start using Tekton.

Suggestions

Prepare a known_hosts file

Example using github.com

  1. Create file with known_hosts (you may also want to verify this further)

    ssh-keyscan github.com > ssh_known_hosts
    
  2. Create secret from file

    kubectl create configmap github-known-hosts --from-file=ssh_known_hosts
    

Generate and distribute SSH key pair

Generate a separate SSH key pair for Tekton. (The current auth doc describes a process for uploading the user's private key from its home dir, which might not be a good idea from a security standpoint.)

  1. Generate keypair to local file

    ssh-keygen -t rsa -b 4096 -f id_rsa -q -N ""
    
  2. Create a secret from the private key

    kubectl create secret generic github-private-key --from-file=id_rsa
    
  3. Upload the public key id_rsa.pub to GitHub

    Start by copying the content of the public key (this example is for macOS):

    pbcopy < id_rsa.pub
    

    And follow "Adding a new SSH key to your GitHub account" or, alternatively, "Managing Deploy Keys" for an organization.

Usage

The ConfigMap and Secret created above can be exposed to a Task with a Projected Volume:

      volumes:
      - name: ssh-auth                  # name of volume - matching name in Task
        projected:
          defaultMode: 0400
          sources:
          - configMap:
              name: github-known-hosts  # name of ConfigMap from Auth setup
          - secret:
              name: github-private-key  # name of Secret from Auth setup

Summary

The above commands for secret, configmap and SSH key generation can be used by copy-pasting, which makes the process a bit easier to do and helps to avoid mistakes.

Use case

To configure a Git-clone Task so that the user can start to use Tekton Pipelines together with a Tekton Trigger connected to a git repository, e.g. GitHub.

jlpettersson avatar Dec 11 '20 17:12 jlpettersson
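Step 1 of the known_hosts suggestion above notes that the `ssh-keyscan` output should be verified further; the following is an added example (not part of the issue or of Tekton) that checks each scanned line against SHA256 fingerprints pinned from the Git host's published list before the file goes into the ConfigMap. The function names, the constructed key blobs and the `PINNED` set are assumptions made for illustration; real fingerprints must come from the provider over a separate channel.

```python
import base64
import hashlib
import struct

def make_blob(key_type, payload):
    """Build a constructed public-key blob in SSH wire format (base64)."""
    t = key_type.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode()

def fingerprint(b64_blob):
    """SHA256 fingerprint as `ssh-keygen -l` prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(b64_blob):
    """Read the key type string embedded at the start of the blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii", "replace")

def check_known_hosts(text, host, pinned):
    """Split scanned lines into (accepted, problems) against pinned fingerprints."""
    accepted, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or ssh-keyscan banner comment
        if len(fields) < 3 or host not in fields[0].split(","):
            problems.append((no, "malformed line or unexpected host"))
            continue
        key_type, blob = fields[1], fields[2]
        try:
            if blob_key_type(blob) != key_type:
                problems.append((no, "declared key type does not match blob"))
            elif fingerprint(blob) not in pinned:
                problems.append((no, "fingerprint not pinned: " + fingerprint(blob)))
            else:
                accepted.append(line.strip())
        except (ValueError, struct.error):
            problems.append((no, "key blob is not valid base64 / wire format"))
    return accepted, problems

# Constructed sample data: fake key material, not real host keys.
GOOD = make_blob("ssh-ed25519", bytes(range(32)))
ROGUE = make_blob("ssh-ed25519", bytes(32))
PINNED = {fingerprint(GOOD)}  # assumption: copied from the provider's published list
SCAN = (f"# github.com:22 SSH-2.0-constructed\ngithub.com ssh-ed25519 {GOOD}\n"
        f"github.com ssh-ed25519 {ROGUE}\ngithub.com ssh-rsa {GOOD}\n")
ACCEPTED, PROBLEMS = check_known_hosts(SCAN, "github.com", PINNED)
```

Only the lines in `ACCEPTED` should be written to `ssh_known_hosts`; anything in `PROBLEMS` means the scan did not match what the provider publishes.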

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Mar 11 '21 17:03 tekton-robot

/remove-lifecycle stale

jlpettersson avatar Mar 11 '21 19:03 jlpettersson

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tekton-robot avatar Jun 09 '21 19:06 tekton-robot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten with a justification. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

tekton-robot avatar Jul 09 '21 19:07 tekton-robot

/help

/good-first-issue

ghost avatar Nov 30 '21 18:11 ghost

@sbwsg: This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-good-first-issue command.

In response to this:

/help

/good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Nov 30 '21 18:11 tekton-robot

Do you have an example using the same in a git-clone pipeline?

arnav3000 avatar Jun 10 '22 12:06 arnav3000

@arnav3000 I'm working on a how-to doc that uses git-clone from the Catalog. To be merged soon https://github.com/tektoncd/website/pull/387

I'm going to check this issue more carefully and maybe add a few more things. We may want to link to other vendors, not only GitHub, so we don't give the impression that Tekton is a GitHub-first tool.

geriom avatar Jun 14 '22 16:06 geriom

I would like to work on this issue under hacktoberfest. How can I get started?

rahulsurwade08 avatar Oct 09 '22 18:10 rahulsurwade08

Is there anything to set up GPG keys in Tekton for GitHub?

arslaanmalik avatar Feb 04 '23 17:02 arslaanmalik