tektoncd / pipeline

A cloud-native Pipeline resource.
https://tekton.dev
Apache License 2.0

Make it easier to setup SSH authentication for Git #3631

Open jlpettersson opened 3 years ago

jlpettersson commented 3 years ago

Feature request

The authentication page in the documentation looks a bit overwhelming at first visit. Unfortunately, setting up authentication is one of the first things a new user needs to do to use Tekton for Continuous Integration. It would be good if the steps (and instructions) on how to set up SSH authentication for Git were easier to understand and easier to do. If this part is too overwhelming, it might serve as a barrier to starting to use Tekton.

Suggestions

Prepare a known_hosts file

Example using github.com

  1. Create file with known_hosts (you may also want to verify this further)

    ssh-keyscan github.com > ssh_known_hosts

  2. Create secret from file

    kubectl create configmap github-known-hosts --from-file=ssh_known_hosts

Generate and distribute SSH key pair

Generate a separate SSH key pair for Tekton. (The current auth doc describes a process for uploading the user's private key from their home dir, which might not be a good idea from a security standpoint.)

  1. Generate keypair to local file

    ssh-keygen -t rsa -b 4096 -f id_rsa -q -N ""

  2. Create a secret from the private key

    kubectl create secret generic github-private-key --from-file=id_rsa

  3. Upload the public key id_rsa.pub to GitHub

    Start by copying the content of the public key (this example is for macOS):

    pbcopy < id_rsa.pub

    And follow "Adding a new SSH key to your GitHub account" or, alternatively, "Managing Deploy Keys" for an organization.

Usage

The ConfigMap and Secret created above can be exposed to a Task with a Projected Volume:

      volumes:
      - name: ssh-auth                  # name of volume - matching name in Task
        projected:
          defaultMode: 0400
          sources:
          - configMap:
              name: github-known-hosts  # name of ConfigMap from Auth setup
          - secret:
              name: github-private-key  # name of Secret from Auth setup

Summary

The above commands for secret, configmap and SSH key generation can be used by copy-pasting, which makes the process a bit easier to do and helps to avoid mistakes.

Use case

To configure a Git-clone Task so that the user can start to use Tekton Pipelines together with a Tekton Trigger connected to a git repository, e.g. GitHub.
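
On the "verify this further" remark in the known_hosts step: `ssh-keyscan` records whatever key answers on the network, so the file is worth checking before it goes into the ConfigMap. The sketch below is an added example, not part of the original issue or of Tekton's code. It compares the SHA256 fingerprint of each scanned key with a value obtained out of band (for example from the Git host's documentation); the function names, the sample keys and the pin are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_scan(text):
    """Yield (host, keytype, key_b64) for each entry in ssh-keyscan output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank and comment lines are legal
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        yield fields[0], fields[1], fields[2]

def check_pins(text, pins):
    """Return a list of problems; an empty list means every key matched its pin."""
    problems, count = [], 0
    for host, keytype, key_b64 in parse_scan(text):
        count += 1
        got, want = fingerprint(key_b64), pins.get(keytype)
        if want is None:
            problems.append("%s %s: no pinned fingerprint" % (host, keytype))
        elif got != want:
            problems.append("%s %s: got %s, pinned %s" % (host, keytype, got, want))
    if count == 0:
        problems.append("no host keys found in scan output")  # fail closed
    return problems

# Constructed sample data: structurally valid ssh-ed25519 blobs with dummy key bytes.
HEADER = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
SAMPLE_KEY = base64.b64encode(HEADER + bytes(range(32))).decode()
OTHER_KEY = base64.b64encode(HEADER + bytes(32)).decode()
GOOD_SCAN = "# constructed scan output\ngithub.com ssh-ed25519 %s\n" % SAMPLE_KEY
BAD_SCAN = "github.com ssh-ed25519 %s\n" % OTHER_KEY
# Stand-in for the fingerprint copied from the Git host's documentation.
PINS = {"ssh-ed25519": fingerprint(SAMPLE_KEY)}

if __name__ == "__main__":
    for name, scan in (("good", GOOD_SCAN), ("bad", BAD_SCAN)):
        problems = check_pins(scan, PINS)
        print(name, "OK" if not problems else problems)
```

In real use, pass the contents of `ssh_known_hosts` as `text` and create the ConfigMap only when the returned list is empty.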

tekton-robot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

jlpettersson commented 3 years ago

/remove-lifecycle stale

tekton-robot commented 3 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten with a justification. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

ghost commented 2 years ago

/help

/good-first-issue

tekton-robot commented 2 years ago

@sbwsg: This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-good-first-issue command.

In response to [this](https://github.com/tektoncd/pipeline/issues/3631):

> /help
>
> /good-first-issue

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

arnav3000 commented 2 years ago

Do you have an example using the same in a git-clone pipeline?

geriom commented 2 years ago

@arnav3000 I'm working on a how-to doc that uses git-clone from the Catalog. To be merged soon https://github.com/tektoncd/website/pull/387

I'm going to check this issue more carefully and maybe add a few more things. We may want to link to other vendors, not only GitHub, so we don't give the impression that Tekton is a GitHub-first tool.

rahulsurwade08 commented 2 years ago

I would like to work on this issue under Hacktoberfest. How can I get started?

arslaanmalik commented 1 year ago

Is there anything to set up GPG keys in Tekton for GitHub?