首页 > 其他分享 >Tekton 认证配置

Tekton 认证配置

时间:2023-12-04 17:26:17浏览次数:30  
标签:git name tekton 配置 认证 Tekton ssh known root

Tenton 支持Secret 类型

Git Docker
kubernetes.io/basic-auth
kubernetes.io/ssh-auth
kubernetes.io/basic-auth
kubernetes.io/dockercfg
kubernetes.io/dockerconfigjson

配置 Git 身份验证

Tenton Secrets 存储路径

~/.gitconfig 文件或 ~/.ssh 目录。

配置basic-auth类型身份验证

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/git-0: https://github.com # Described below
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext username>
  password: <cleartext password>

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

绑定 PipelineRun

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

Tekton 生成认证内容

=== ~/.gitconfig ===
[credential]
    helper = store
[credential "https://url1.com"]
    username = "user1"
[credential "https://url2.com"]
    username = "user2"
...
=== ~/.git-credentials ===
https://user1:[email protected]
https://user2:[email protected]
...

配置ssh-auth类型身份验证

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.com # Described below
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: <private-key>
  # This is non-standard, but its use is encouraged to make this more secure.
  # If it is not provided then the git server's public key will be requested
  # when the repo is first fetched.
  known_hosts: <known-hosts>

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: ssh-key

绑定 PipelineRun

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

使用自定义端口进行 SSH 身份验证

apiVersion: v1
kind: Secret
metadata:
  name: ssh-key-custom-port
  annotations:
    tekton.dev/git-0: example.com:2222
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: <private-key>
  known_hosts: <known-hosts>

Tekton 生成认证内容

=== ~/.ssh/id_key1 ===
{contents of key1}
=== ~/.ssh/id_key2 ===
{contents of key2}
...
=== ~/.ssh/config ===
Host url1.com
    HostName url1.com
    IdentityFile ~/.ssh/id_key1
Host url2.com
    HostName url2.com
    IdentityFile ~/.ssh/id_key2
...
=== ~/.ssh/known_hosts ===
{contents of known_hosts1}
{contents of known_hosts2}
...

配置Docker身份验证

配置basic-auth类型身份验证

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://gcr.io # Described below
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext username>
  password: <cleartext password>

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

绑定 PipelineRun

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

Tekton 生成认证内容

=== ~/.docker/config.json ===
{
  "auths": {
    "https://url1.com": {
      "auth": "$(echo -n user1:pass1 | base64)",
      "email": "[email protected]",
    },
    "https://url2.com": {
      "auth": "$(echo -n user2:pass2 | base64)",
      "email": "[email protected]",
    },
    ...
  }
}

配置 config.json 身份认证 

用~/.docker/config.json生成secret

Secret

kubectl create secret generic regcred  --from-file=.dockerconfigjson=<path/to/.docker/config.json>  --type=kubernetes.io/dockerconfigjson

serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: regcred

绑定 PipelineRun

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

禁用 Tekton 内置认证

# kubectl edit cm feature-flags -n tekton-pipelines
disable-creds-init: "true"

Tekton 认证示例

apiVersion: v1
kind: Secret
type: kubernetes.io/ssh-auth
metadata:
  name: ssh-key-for-git
  annotations:
    tekton.dev/git-0: localhost
data:
  # This key was generated for this test and isn't used for anything else.
  ssh-privatekey: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFZRUF5T1g3ZG5OWlFBZVk4cHNMOXlaUnp3NXNDVG1yWGh6Zld1YTZuZ2VDQ0VRRTY4YjVUSThTCkNlbEhlNG9oTUtBdXZ0ZTE4YXJMK2EvVldpeFN6a2tBMmFIZVhkdUJ1bStkS2R2TlVVSUhNc1dOUythcENQYmE4R3ZGaHYKdG81Tkx0bWpxT2M0WjJkK1RPS3AvakMrS3pvUDFHQWdRL25QMitMTldabzlvTTc4TzQ3Z1dSem9FNlFKeGJqbFlPMHRMbwp4YXUxdTNrbUtsNSthbUxsNHpGN25wdmV1dGlSWDhmY2hGam5Ka2dqK3BVeFJvTGF4SDdDN0NTcDExWUkyMEhKRVFXeEk3CllaekNTYml5KzZ1a2l0Tk1MZ29qMnpSTGl2ZTVvZm9nenpYbkdWUUpZdUIzOFhQM0ZIQWMvOXhzUXdzd3dQS2hkQ3g4T0QKbjErYXpLOHp5SGhXK0dxckJhS1R4cDlrcVRpKzZSMWk4ZjVxOEt6NXpGVTZmd05qQXZ3STFBZ3IwS2FzU1JxWTVMcGxnTgpZcW1DY01JODZKUnRGWHRWWVQrT05tdWFhYUQ1QUErbnpkNW81R0haZTlFSlNqUThZMHZwbjhmNjNjeEw2RTdzVmxpMnpzCnNhN1RST2JMK3YyVnFuSlpEY2pIZXMzS1M5Mld0V3RJbXdXOG81VkRBQUFGaU04K0NUL1BQZ2svQUFBQUIzTnphQzF5YzIKRUFBQUdCQU1qbCszWnpXVUFIbVBLYkMvY21VYzhPYkFrNXExNGMzMXJtdXA0SGdnaEVCT3ZHK1V5UEVnbnBSM3VLSVRDZwpMcjdYdGZHcXkvbXYxVm9zVXM1SkFObWgzbDNiZ2Jwdm5TbmJ6VkZDQnpMRmpVdm1xUWoyMnZCcnhZYjdhT1RTN1pvNmpuCk9HZG5ma3ppcWY0d3ZpczZEOVJnSUVQNXo5dml6Vm1hUGFETy9EdU80RmtjNkJPa0NjVzQ1V0R0TFM2TVdydGJ0NUppcGUKZm1waTVlTXhlNTZiM3JyWWtWL0gzSVJZNXlaSUkvcVZNVWFDMnNSK3d1d2txZGRXQ050QnlSRUZzU08yR2N3a200c3Z1cgpwSXJUVEM0S0k5czBTNHIzdWFINklNODE1eGxVQ1dMZ2QvRno5eFJ3SFAvY2JFTUxNTUR5b1hRc2ZEZzU5Zm1zeXZNOGg0ClZ2aHFxd1dpazhhZlpLazR2dWtkWXZIK2F2Q3MrY3hWT244RFl3TDhDTlFJSzlDbXJFa2FtT1M2WllEV0twZ25EQ1BPaVUKYlJWN1ZXRS9qalpybW1tZytRQVBwODNlYU9SaDJYdlJDVW8wUEdOTDZaL0grdDNNUytoTzdGWll0czdMR3UwMFRteS9yOQpsYXB5V1EzSXgzck55a3ZkbHJWclNKc0Z2S09WUXdBQUFBTUJBQUVBQUFHQUNQSGtmbU9vWjZkdThlNWhYQUhDeHJ0WHFCCmwvUGROL1JtYmJqRW05U216czR5cWEwd1BUdzhrMU81VHM0V05nY1hMZFVRTlB6YkE4aWFWTGtvL0JqKzhiSFlhMmdmeVMKUE5qaWpXbXBOR09EWlF2Q0h2b095WUdpNjkycHovWnNTZCt0bEFzNm54LzY1ZjcwZHdVREJub0FjZnFLY28wQnVMRlNBKworamY5RnhISGYzQkFEUS9TdDVFQjlZelo1Q2F2cTRQcjZvS2w3R3RpbnRIbTZIbUlwTUlubWVEMnV3cjl2ZGZ1RGJhVDdYClVOSm10elVGck1uOUhlOWd1WkoyTXd3a015S09ScnRhVFA3VjFZK3FOM3ZncStmRkNtU0VkekxBU3BWTHMyL1hQTCtwTnAKTTVZUVRRMFJSZWdKTEdtTHZ0ZmpkK1RRMFQ0bjBucnBJVGRXRTRsL05sTG9taTVhUndzQXFtY2hZSGxhN0g3YlNyS2lKawpyWTg1RTliZm8wSXJqUDNQNzFYNmxjcTB0VDhDTklUQUNleWJQT3kwcDVDc3JwZTdhZEJBOXF4MTZjR2tkZ0NPWk9GMnRpCktoWWJHeTc4ei9YNEh2OEptVmhaSHF3RlFQQzVleWljbE1PTFJXNDJOcUJhNEVFc3RHT3l4MHZwa0lVS3VhRlJuQkFBQUEKd1FESytXYzU1WHVpWjgySXM5NnN2bWIrR0Y5c2pBRWVaWHpHSWpDL1NHVEhIWTZSQmc1TnlQOUdZNmtoWnBjd0cyTU52dQpZUjhuN0psRWlVanU2cjY2Smh0WGtvdTR4WlU1dDkvMlJvdHRmeWpKODJmYm8yTHZmNERUOVNvSURxZnk5VmlMSjhSWUNkCkt6NnpYSHFTZ1RBRU1vaUhjbFpIZzRqTitrOW1ma2tPMDBQbEJJaE1YU0ZMLzUrZUhGdStQTmxaU1g5NUlMRjJvZ0Y1RG0KWTFuaTRUOGJjdzY2dmFzamthcjFZekptM1VidEVnSzQ2VVllNGJac2NXbWt4dngwMEFBQURCQVA4UysyTmtheWkvb3NzVApTQXpJMi9QU2tJMDVEY1lTYnNOQjZ4a3pobzdKaDlHeUNvbW5xZ1IxR2ZBOTBqV3AxVks0TG43TmtYYWJaVmJPc0xoT21DCkdBbVRZTHRjaTB0bkhhYk5HTEZ3ZmdiUitqRzZNQ2p4cEh5anM5MDlKSHhtYmswbElpczdPN1N3VThERGcrSEVxc0EvNUoKQ1VMTWU3em9mNERhUnZXdFhTRks2ZW5LNnpGaHBINjVQY29TN0o0NjJhNzdUMDVGQXhMemNaRkc5VWZ5WUdMa1ZmdHRTTApNVDhudW9LaW5XTGNLSlVQeis1MjJlM3lIcis4c3pVUUFBQU1FQXlhQ28xSnRBcjRpczY0YTBuZTFUV0o0dXcyT3FDdUlDCm9acG1QN2UyRnh3bVRCSWMrbzZkSEVNVHo2c2ZZSkFxU2l4ZzYydXYzWlRTc25STWljaDZ0b1k0SVI4cWFMa1prLzU5cmEKQWFONFlvTkdpQTZxY0Jzc3NLMmZuM2YxRFJhckxPbWZHTnpTMU41S1RvSFVlUkVGWDExdHVNM1pqOGxTelFBOWZSakk1OQpFWmFnOWJaOXRJOEg5dmEvTGRMK3U3dTZZWkVRSEJCS1MxMW1tOVVXd1pDMkdUV3ZnNzRlTnRmemtZeDQxdlhIeTZBbW9ECmxuOHo2N3lvWEZzbEpUQUFBQURuTmpiM1IwUUcxbFkyZ3ViR0Z1QVFJREJBPT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==
  # Note: we intentionally omit a known_hosts entry here. You should include
  # one in your own Secrets as a security measure, otherwise the Git PipelineResource
  # and git-clone Tasks will blindly accept any public key returned by a repository.
  #
  # We're able to omit known_hosts here because the file is generated by the
  # git server sidecar. The benefit of omitting it here is that it exercises
  # a codepath in Tekton that used to fail. In prior versions Tekton would
  # run ssh-keyscan if known_hosts was omitted, which would fail for this example
  # because the git server sidecar is not up and running at the time the scan
  # would have happened.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ssh-key-service-account
secrets:
- name: ssh-key-for-git
---
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  name: authenticating-git-commands
spec:
  serviceAccountName: ssh-key-service-account
  taskSpec:
    volumes:
    - name: messages
      emptyDir: {}
    sidecars:
    - name: server
      image: alpine/git:v2.26.2
      securityContext:
        runAsUser: 0
      volumeMounts:
      - name: messages
        mountPath: /messages
      script: |
        #!/usr/bin/env ash

        # Generate a private host key and give the Steps access to its public
        # key for their known_hosts file.
        ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
        chmod 0600 /etc/ssh/ssh_host_rsa_key*
        HOST_PUBLIC_KEY=$(cat /etc/ssh/ssh_host_rsa_key.pub | awk '{ print $2 }')
        echo "localhost ssh-rsa $HOST_PUBLIC_KEY" > /messages/known_hosts

        # Wait for a Step to supply the server a public key generated from creds-init
        # credentials.
        while [ ! -f /messages/authorized_keys ] ; do
          sleep 1
        done

        # Allow Steps to SSH login as root to this server.
        mkdir /root/.ssh
        cp /messages/authorized_keys /root/.ssh/

        # "Unlock" the root account, allowing SSH login to succeed.
        sed -i s/root:!/"root:*"/g /etc/shadow

        # Create the git repo we're going to test against.
        cd /root/
        mkdir repo
        cd repo
        git init . --bare

        # Start the sshd server.
        /usr/sbin/sshd -E /var/log/sshd
        touch /messages/sshd-ready
        tail -f /var/log/sshd
    steps:
    - name: setup
      # This Step is only necessary as part of the test, it's not something you'll
      # ever need in a real-world scenario involving an external git repo.
      image: alpine/git:v2.26.2
      securityContext:
        runAsUser: 0
      volumeMounts:
      - name: messages
        mountPath: /messages
      script: |
        #!/usr/bin/env ash

        # Generate authorized_keys file from the creds-init private key and give
        # it to the sidecar server so that Steps can successfully SSH login
        # using creds-init credentials.
        ssh-keygen -y -f $(credentials.path)/.ssh/id_ssh-key-for-git > /messages/authorized_keys

        # Wait for sshd to start on the git server.
        while [ ! -f /messages/sshd-ready ] ; do
          sleep 1
        done
    - name: git-clone-and-push
      image: alpine/git:v2.26.2
      securityContext:
        runAsUser: 0
      workingDir: /root
      volumeMounts:
      - name: messages
        mountPath: /messages
      script: |
        #!/usr/bin/env ash
        set -xe

        if [ -d /tekton/home/.ssh ] ; then
          # When disable-home-env-overwrite is "false", creds-init credentials
          # will be copied to /tekton/home/.ssh by the entrypoint. But we need
          # them in /root/.ssh.

          # Overwrite the creds-init known_hosts file with that of our test
          # git server. You wouldn't need to do this in any kind of real-world
          # scenario involving an external git repo.
          cp /messages/known_hosts $(credentials.path)/.ssh/

          # Symlink /tekton/creds/.ssh to /root/.ssh because this script issues
          # vanilla git commands of its own. Git PipelineResources and the git-clone
          # catalog task handle this for you.
          ln -s $(credentials.path)/.ssh /root/.ssh
        else
          # When disable-home-env-overwrite is "true", creds-init credentials
          # will be copied to /root/.ssh by the entrypoint. We just need to
          # overwrite the known_hosts file with that of our test git server.
          cp /messages/known_hosts /root/.ssh/known_hosts
        fi

        git clone root@localhost:/root/repo ./repo
        cd repo
        git config user.email "[email protected]"
        git config user.name "Example"
        echo "Hello, world!" > README
        git add README
        git commit -m "Test commit!"
        git push origin master
    - name: git-clone-and-check
      image: gcr.io/tekton-releases/dogfooding/alpine-git-nonroot:latest
      # Because this Step runs with a non-root security context, the creds-init
      # credentials will fail to copy into /tekton/home. This happens because
      # our previous step _already_ wrote to /tekton/home and ran as a root
      # user. So there will be warning messages reporting "unsuccessful cred
      # copy". These can be safely ignored and instead this Step will copy
      # the credentials out of /tekton/creds to nonroot's HOME directory.
      securityContext:
        runAsUser: 1000
      workingDir: /home/nonroot
      volumeMounts:
      - name: messages
        mountPath: /messages
      script: |
        #!/usr/bin/env ash
        set -xe

        if [ -d /tekton/home/.ssh ] ; then
          # When disable-home-env-overwrite is "false", creds-init credentials
          # will be copied to /tekton/home/.ssh by the entrypoint. But we need
          # them in /home/nonroot/.ssh.

          # Overwrite the creds-init known_hosts file with that of our test
          # git server. You wouldn't need to do this in any kind of real-world
          # scenario involving an external git repo.
          cp /messages/known_hosts $(credentials.path)/.ssh/

          # Symlink /tekton/creds/.ssh to /home/nonroot/.ssh because this script issues
          # vanilla git commands of its own and we're running as a non-root user.
          # Git PipelineResources and the git-clone catalog task handle this for you.
          ln -s $(credentials.path)/.ssh /home/nonroot/.ssh
        else
          # When disable-home-env-overwrite is "true", creds-init credentials
          # will be copied to /home/nonroot/.ssh by the entrypoint. We just need to
          # overwrite the known_hosts file with that of our test git server.
          cp /messages/known_hosts /home/nonroot/.ssh/known_hosts
        fi

        git clone root@localhost:/root/repo ./repo
        cd repo
        cat README | grep "Hello, world!"

参考文档

https://tekton.dev/docs/pipelines/auth/

标签:git,name,tekton,配置,认证,Tekton,ssh,known,root
From: https://www.cnblogs.com/wangguishe/p/17875344.html

相关文章

  • Nginx 流量管理配置
    1.介绍Nginx通过网络速率、连接和带宽限制控制流量。2.常用方式1)限制连接数:可以构成共享区保存连接指标,并使用limit_conn限制打开的连接数。limit_conn_zone$binary_remote_addrzone=perip:10m;#通过设置每个ip的共享空间limit_conn_zone$server_namezone=perserver:10......
  • Tekton pipelineruns 基础
    pipelineruns概述PipelineRun允许你在集群上实例化和执行Pipeline。一个Pipeline指定一个或多个Tasks,按照期望的执行顺序执行。PipelineRun按照指定的顺序执行Pipeline中的Tasks,直到所有Tasks都成功执行或失败。PipelineRun会自动为Pipeline中的每个Task创建相应的taskrun。pi......
  • Tekton Pipelines 基础
    Pipelines概述Pipeline是Tasks的集合,作为持续集成流的一部分,您可以定义并按照特定的执行顺序排列这些Tasks。Pipeline中的每个Tasks在Kubernetes集群上作为Pod执行。您可以配置各种执行条件来满足您的业务需求。Pipeline使用When表达式when表达式input:被评估的内容,支持使用......
  • Tekton 基础
    Tekton概述Tekton是用于构建CI/CD系统的云原生解决方案。它由TektonPipelines(提供构建块)和支持组件(例如TektonCLI和TektonCatalog)组成,使Tekton成为一个完整的生态系统。Tekton是Linux基金会项目CD基金会的一部分。Tekton作为Kubernetes集群上的扩展安装和运......
  • UDS之29服务:认证服务
    1、服务概述  汽车工业的很多领域都有严格的国际标准,其中针对车载诊断的ISO14229规定了车载诊断服务的通用需求(UDS),UDS主要应用于OSI模型的应用层,UDS协议根据功能的不同定义了26种诊断服务。 为了应对网联汽车日益增加的安全风险,在ISO14229-1的2020版本增加了29服务。29......
  • 安装算量软件用什么配置的电脑好?
    我们学习使用安装算量软件,需要一台电脑,一般内存大于4G就可以的,根据个人的情况来使用,不同的人经济情况好的话,可以买更高级的配置!将从处理器、内存、硬盘。显卡等几种情况仅供参考!安装算量软件对电脑的配置有一定要求,一般来说,配置越高,运行越流畅。以下是一些建议的配置要求:处理器(CPU):......
  • Tekton TaskRun 基础
    TaskRun概述TaskRun允许您在集群上实例化和执行Task。任务指定执行容器映像的一个或多个Steps,每个容器映像执行特定的构建工作。TaskRun按照指定的顺序执行任务中的Steps,直到所有Steps执行成功或失败。TaskRun配置清单apiVersion:tekton.dev/v1#指定API版本。kind:T......
  • daemon.json完整配置
    2023-12-04ubuntu安装好docker后,Docker配置文件默认在/etc/docker/daemon.json修改配置文件/etc/docker/daemon.json,进入/etc/docker目录。查看是否有daemon.json文件,没有则执行如下命令创建。touchdaemon.json刚开始文件是空的,添加文件内容配置如下:{"registry-mirrors......
  • 掌握这些,轻松管理BusyBox:inittab文件的配置和作用解析
    BusyBox是一个轻量级的开源工具箱,其中包含了许多标准的Unix工具,例如 sh、ls、cp、sed、awk、grep 等,同时它也支持大多数关键的系统功能,例如自启动、进程管理、启动脚本等等。而 inittab 文件则是BusyBox中的一个重要文件,掌握了 inittab 文件的作用及如何配置有助于更好......
  • 上海MBN/MB行星锥盘无极变速机型号_配置
    上海MBN/MB行星锥盘无极变速机型号_配置_生产厂家赛尼行星锥盘无级变速机,经多年来在实践使用中,证明在众多的无级变速机家族中,由于该系列产品设计结构合操作方便、传动稳定等特点。其中MB变速机调速精度高,调速精度在0.5-1转。MBN/MB行星锥盘无极变速机广泛用于食品机械、印刷、造......