Cloud-native CI/CD: tekton/pipeline, the authentication chapter

Since tekton/pipeline is a CI/CD system, it necessarily has to pull code from git repositories, and those repositories may be private. Let's look at how tekton/pipeline supports this.

tekton/pipeline supports two authentication methods, both supplied as Kubernetes Secrets:

  • kubernetes.io/basic-auth
  • kubernetes.io/ssh-auth

Below is a brief introduction to both methods, followed by examples of running them.

SSH authentication (Git)

When cloning a GitHub project over an SSH URL, you normally register your machine's SSH key on GitHub. An SSH key lets you pull private repositories without exposing a username and password. Tekton supports this; below is a Secret that carries the SSH key:

apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.com # the host this secret authenticates to
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 encoded> # obtain with: cat ~/.ssh/id_rsa | base64 -w 0
  known_hosts: <base64 encoded> # cat ~/.ssh/known_hosts | base64 -w 0

To pull code with an SSH key in Tekton, you also need a ServiceAccount that references the Secret:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: ssh-key

So how do you use this ServiceAccount when running tasks with a TaskRun?

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-push-task-run-2
spec:
  serviceAccountName: build-bot # here
  taskRef:
    name: build-push

And if you use it in a PipelineRun:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot # here
  pipelineRef:
    name: demo-pipeline

Once the Secret, ServiceAccount, Task and TaskRun are applied, a ~/.ssh/config containing the key configured in the Secret is generated in the pod, and that key is then used for authentication whenever PipelineResources are retrieved.

Basic authentication (Git)

You can also put a GitHub username and password directly into a Secret:

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/git-0: https://github.com # the address to authenticate to
type: kubernetes.io/basic-auth
stringData:
  username: <username>
  password: <password>

Configure a ServiceAccount that uses the Secret:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

Use the Secret in a TaskRun:

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-push-task-run-2
spec:
  serviceAccountName: build-bot
  taskRef:
    name: build-push

Use the ServiceAccount in a PipelineRun:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

Once the Secret, ServiceAccount, Task and TaskRun are applied, a ~/.gitconfig containing the credentials from the Secret is generated before the steps run, and those credentials are then used for authentication when PipelineResources are retrieved.

Docker authentication

Basic authentication can also be used for registries such as Docker Hub, for example when you need to pull a private image.

The Secret holds the username and password used to authenticate to the Docker registry:

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://gcr.io
type: kubernetes.io/basic-auth
stringData:
  username: <username>
  password: <password>

Create a ServiceAccount for the Secret:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

Use it in a TaskRun:

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-push-task-run-2
spec:
  serviceAccountName: build-bot
  taskRef:
    name: build-push

Use it in a PipelineRun:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

Before the step runs, a ~/.docker/config.json file is generated and used to authenticate to the Docker registry.

Multiple credentials in one run

A single TaskRun may need several credentials: it may have to fetch from several private git repositories and several private Docker registries. Annotations tell Tekton which source each Secret's credential applies to.
The username and password below authenticate to GitHub, GitLab and GCR:

apiVersion: v1
kind: Secret
metadata:
  annotations:
    tekton.dev/git-0: https://github.com # the annotations are the key
    tekton.dev/git-1: https://gitlab.com
    tekton.dev/docker-0: https://gcr.io
type: kubernetes.io/basic-auth
stringData:
  username: <cleartext non-encoded>
  password: <cleartext non-encoded>

The SSH key below can only authenticate to github.com:

apiVersion: v1
kind: Secret
metadata:
  annotations:
    tekton.dev/git-0: github.com # the annotation is the key
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64 encoded>
  # This is non-standard, but its use is encouraged to make this more secure.
  # Omitting this results in the use of ssh-keyscan (see below).
  known_hosts: <base64 encoded>

Annotation keys on the Secret must start with tekton.dev/docker- or tekton.dev/git-, and the annotation value must be the URL of the host to authenticate to.
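The following is an added example, not code from the post or from Tekton: it applies the annotation rule above to Secret manifests (the multi-credential basic-auth Secret and an ssh-auth Secret written as Python dicts with placeholder credentials), lists which hosts each Secret serves, flags an ssh-auth Secret that omits known_hosts (Tekton then falls back to ssh-keyscan), and renders the standard docker config.json auths entries that the Docker section describes. The rendering is this example's own; Tekton's creds-init may lay the file out differently.

```python
import base64

PREFIXES = ("tekton.dev/git-", "tekton.dev/docker-")

# Constructed sample: the basic-auth Secret from the multi-credential section,
# with placeholder credentials (not real ones).
BASIC_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/basic-auth",
    "metadata": {"name": "basic-user-pass", "annotations": {
        "tekton.dev/git-0": "https://github.com",
        "tekton.dev/git-1": "https://gitlab.com",
        "tekton.dev/docker-0": "https://gcr.io"}},
    "stringData": {"username": "build-bot", "password": "example-token"},
}
# Constructed sample: an ssh-auth Secret whose author forgot known_hosts.
SSH_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/ssh-auth",
    "metadata": {"name": "ssh-key", "annotations": {"tekton.dev/git-0": "github.com"}},
    "data": {"ssh-privatekey": base64.b64encode(b"PLACEHOLDER-PRIVATE-KEY").decode()},
}

def credential_targets(secret):
    """Map the tekton.dev annotations to the hosts they authenticate: {'git': [...], 'docker': [...]}."""
    targets = {"git": [], "docker": []}
    for key, host in secret["metadata"].get("annotations", {}).items():
        if not key.startswith("tekton.dev/"):
            continue                        # unrelated annotation, ignored
        if not key.startswith(PREFIXES):    # only git-N / docker-N keys are honoured
            raise ValueError(f"unsupported annotation {key}")
        targets["git" if key.startswith(PREFIXES[0]) else "docker"].append(host)
    return targets

def lint_secret(secret):
    """Review findings to raise before applying the Secret to the cluster."""
    findings, targets = [], credential_targets(secret)
    if secret["type"] == "kubernetes.io/ssh-auth":
        if "known_hosts" not in secret.get("data", {}):
            findings.append("no known_hosts: Tekton falls back to ssh-keyscan, so the host key is trusted on first use")
        if targets["docker"]:
            findings.append("ssh-auth secrets only serve tekton.dev/git-* annotations")
    elif secret["type"] == "kubernetes.io/basic-auth" and not (targets["git"] or targets["docker"]):
        findings.append("basic-auth secret has no tekton.dev/git-* or docker-* annotation, so it is never used")
    return findings

def docker_config(secret):
    """Render docker config.json content with one auths entry per tekton.dev/docker-* host."""
    creds = secret.get("stringData") or {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}
    token = base64.b64encode(f"{creds['username']}:{creds['password']}".encode()).decode()
    return {"auths": {h: {"auth": token} for h in credential_targets(secret)["docker"]}}
```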

Examples

SSH key demo

This is the official Tekton example; to use it yourself, just change the values inside:

apiVersion: v1
kind: Secret
metadata:
  name: git-ssh
  annotations:
    tekton.dev/git-0: github.com  # the host to authenticate to
type: kubernetes.io/ssh-auth
data:
  # Generated by:
  # cat id_rsa | base64 -w 0
  # This deploy key has read-only permissions on github.com/knative/build
  ssh-privatekey: <base64 encoded>
  # Generated by:
  # ssh-keyscan github.com | base64 -w 0
  known_hosts: <base64 encoded>
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: robot-git-ssh
secrets:
- name: git-ssh
---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: git-ssh-creds
spec:
  serviceAccountName: robot-git-ssh # the ServiceAccount to use
  inputs: # input resource definition
    resources:
    - name: gitssh
      resourceSpec:
        type: git
        params:
        - name: revision
          value: master # branch
        - name: url
          value: git@github.com:tektoncd/pipeline.git # repository address, change to your own
  taskSpec:
    inputs: # declare the input source
      resources:
      - name: gitssh
        type: git
    steps:
    - name: config
      image: ubuntu
      script: |
        #!/usr/bin/env bash
        cat /workspace/gitssh/README.md

Docker Hub authentication demo

Here is an official Tekton example:

apiVersion: v1
kind: Secret
metadata:
  name: docker-basic
  annotations: # the registry addresses to authenticate to
    tekton.dev/docker-0: https://us.gcr.io
    tekton.dev/docker-1: https://eu.gcr.io
    tekton.dev/docker-2: https://asia.gcr.io
    tekton.dev/docker-3: https://gcr.io
    tekton.dev/docker-4: https://reduce-chance-of-selecting-gcr.io
type: kubernetes.io/basic-auth
data:
  # Generated by:
  # echo -n _json_key | base64
  username: X2pzb25fa2V5
  # Generated by:
  #   cat /tmp/key.json | base64 -w 0
  # This service account is JUST a storage reader on gcr.io/build-crd-testing
  # (it is the same as test/serviceaccount/secret.yaml)
  password: <base64 encoded>
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: robot-docker-basic
secrets:
- name: docker-basic # the Secret to use
imagePullSecrets:
- name: docker-basic # credentials used to pull images
---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: docker-creds
spec:
  serviceAccountName: robot-docker-basic
  taskSpec:
    steps:
    - name: test
      image: quay.io/rhpipeline/skopeo:alpine
      # Test pulling a private builder container.
      script: skopeo copy docker://gcr.io/build-crd-testing/secret-sauce dir:///tmp/

Summary

The above covered Tekton's support for authentication in cloud-native CI. Tekton also supports triggers, which I'll cover later. Configuring authentication through Kubernetes Secrets is very convenient. In my view, pulling private GitHub code with an SSH key is safer; a username and password raises security issues. In private cloud projects, which mostly use private repositories such as GitLab, I think a username and password is not a big problem either. At the moment I use an SSH key to pull GitHub code.

If you are interested in cloud native, you are welcome to follow the WeChat account "南君手記" (Nanjun's Notes).
