云原生CI/CD:tekton/pipeline之认证篇

云原生CI/CD:tekton/pipeline之认证篇

既然说tekton/pipeline是CI/CD,必然需要用到拉取git仓库代码,仓库代码可能是私有的,看下tekton/pipeline在这边的支持。

tekton/pipeline支持两种身份验证方式,将以k8s中secret的形式呈现:

  • kubernetes.io/basic-auth
  • kubernetes.io/ssh-auth
    下面将简单价绍两种认证方式,以及相关例子的运行。

SSH authentication (Git)

我们在拉取github代码时,使用ssh url方式克隆项目,一般会把自己电脑的ssh key存储到github上。一般使用ssh key的话,可以支持拉取私有仓库,避免用户名和密码的暴露。tekton对这种方式是支持的,下面是包含ssh key的secret配置:

apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.com # 代表该secret所认证的web地址
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey:  
  # 通过这个命令获取主机私钥cat ~/.ssh/id_rsa | base64
  known_hosts:  # cat ~/.ssh/known_hosts | base64

要在tekton中使用ssh key的方式拉取代码的话,你还要配置一个serviceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: ssh-key

那比如说使用taskrun运行一些任务时该如何使用这个serviceAccount呢?

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-push-task-run-2
spec:
  serviceAccountName: build-bot # 这里
  taskRef:
    name: build-push

当然你在pipelineRun中使用的话:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot  #这里
  pipelineRef:
    name: demo-pipeline

执行secret,serviceAcoount、task和taskRun后,将在pod中生成〜/ .ssh / config,其中包含在Secret中配置的密钥。然后,在检索任何PipelineResources时,将使用此密钥进行身份验证。

Basic authentication (Git)

你也可以直接在secret中配置github的用户名和密码:

apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/git-0: https://github.com # 指定认证的地址
type: kubernetes.io/basic-auth
stringData:
  username: 
  password: 

配置serviceAccount使用该secret:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

在taskrun中使用secret:

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-push-task-run-2
spec:
  serviceAccountName: build-bot
  taskRef:
    name: build-push

在pipelineRun中使用serviceAccount:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

执行secret,serviceAcoount、task和taskRun后,将在steps执行之前生成一个〜/ .gitconfig,其中包含在Secret中配置的凭据,然后在检索PipelineResources时将使用这些凭据进行身份验证。

用于docker认证

这个basic认证还可以用于dockerhub等认证,比如你要拉取dockerhub的私有镜像。

secret中包含用户名和密码用于认证docker registry

 apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
  annotations:
    tekton.dev/docker-0: https://gcr.io 
type: kubernetes.io/basic-auth
stringData:
  username: 
  password: 

为secret创建serviceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: basic-user-pass

taskRun中使用:

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-push-task-run-2
spec:
  serviceAccountName: build-bot
  taskRef:
    name: build-push

pipelineRun中使用:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: demo-pipeline
  namespace: default
spec:
  serviceAccountName: build-bot
  pipelineRef:
    name: demo-pipeline

在step执行前会生成~/.docker/config.json文件,用于docker registry的认证

run中跑多个认证

1个taskrun可能需要多个认证方式,需要获取多个不同的git私有仓库,和多个docker私有仓库,你可以使用注解来帮助secret在面对不同源时使用哪个认证。
下面的用户名和密码用于认证github,gitlab,gcr

apiVersion: v1
kind: Secret
metadata:
  annotations:
    tekton.dev/git-0: https://github.com # 注解是关键,
    tekton.dev/git-1: https://gitlab.com
    tekton.dev/docker-0: https://gcr.io
type: kubernetes.io/basic-auth
stringData:
  username: 
  password: 

下面ssh key只能用于认证github.com

apiVersion: v1
kind: Secret
metadata:
  annotations:
    tekton.dev/git-0: github.com # 注解是关键
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: 
  # This is non-standard, but its use is encouraged to make this more secure.
  # Omitting this results in the use of ssh-keyscan (see below).
  known_hosts: 

secret中的注解只能以tekton.dev/docker- or tekton.dev/git- 开头,注解的值必须是要认证主机的url。

举例

ssh key 演示

tekton官方的例子,你自己想用就把里面的信息改下就行:

apiVersion: v1
kind: Secret
metadata:
  name: git-ssh
  annotations:
    tekton.dev/git-0: github.com  # 指定认证的地址
type: kubernetes.io/ssh-auth
data:
  # Generated by:
  # cat id_rsa | base64 -w 0
  # This deploy key has read-only permissions on github.com/knative/build
  ssh-privatekey: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKSndJQkFBS0NBZ0VBc0YrY3ZIdUlKRjBwNWZNVDBUUVZhMWpTZVBNVlhtUWhGa1F0andsamJFSXVKaVh5CmVrU1I0WUtDbFZIZVo0M2VOa2p5SzFwTDVmVnZnY3J2bkVUMXE5dmFmOThtNzdHWjZUdnJGY0RyZjViZDFIZGUKTU1MTFZRRU8vN1lkcEJFeVJ1UjA4RXRzbWp0RUVaNERVZnBUWGQ5RnAyTU5UWTYwVzFpa0p0Mm53dGhWVlF0OApubFcxTTRvc1d0SHE1OVFDbnhqUkVmNzNhdHdtUTZ6enlXcCtJM3ZBRFRJUmZpTWcvSjc0UDJHOWlwL0U1U0YrCnNuRmRnU2x0cjhyd0tmTE5jTDVYandOSE53aHErQ2NJRHBUZGhuVTBUaEFZNlRsa25KWFJudXRicGNRajA4MjAKMyt1aXRxaXhJcnIwQmkrU2NDQ21GNERxZGdRUXIwRzdieXRKemJkdjJOL3dGbGFpWmVOTWtXSVd5TzRpdnU4TQoxbGUyajVHeDZFaVQ0TG5sNitoRHd3aXozUGR4Y1I0S0VxZzVqRmQ3QjNDcHQ0cUswRDFHVVhnMmx1ZHRsMU40CjVoNUJaNEZZcWF0VU1LQkVjeHd4ekZVVE1iNFZmdFhuMEJOSHkyVXlxUkx6VnBMZWgyRHRYcmtaZnRnTlFCeFAKNkNKc2FnYkpuRmZ1Mk1IaTh5VkE3UFZnUXExS3hPWnF0c0JKb3RvSzJXb0lONldpbnl0d0lwUFhsblJrZ3duYgo4dVBZdmhoZDB0ZVllZ2pYNW85azcwaDhFOEFpZGtqaFpKRkwzakRjc0NFdGJQSWtBMHp3bCs0UFN5aWV2UXpVCldFTkFTSzhXc1NxSk40bUtNSEJMbDU2WWZpTnBJNXVEUGx6eC9hS3hnQis2RExYL25GRzB0Y2ZTYlJFQ0F3RUEKQVFLQ0FnQnRjQlpZR2FxakxhK213RXFHbi9PK2RSRzcvTkZBalk2K096V3RzRnlodXZyWnJ1Z2pGOU1SQTZNMQpOZVJ6aXVMYitpMVIyeWlIR3VEQ3Y0SW9DOTRJY2xYRXpGbGpsMmJ5QXJ6ZTlhTHF1MWtQMGJWL09nOWl3bEpsCk5zSnpvRHY3SXh5d1VZeWtzcXVNNXVnV2dPWWp0RHVMSG5vTnFzT2Nmb2IwbXNyU3F0dGY5czJ2ald6dSt3aUUKbmdaTkxROG5Xd1czVGVhRnh1NXpSYWpMVEtuU0tLSkZUZER1M0t0R05QbkNra3BDN3RvRWR1RWZwaG9uMytYdwprMUtzSkwxMi9KUmw1OW5UZXdTc3o4TS9FUDNYeFhmY0RENzQwQ1R1eUVPV2dXR1BuUUhDRmJ6cXlGSmhWcEQ3CkJOZ1Awb3JoeWxCayt4Z0FmSXRCdzk2aW4xQ2VMZHZKek9TdDNXSUVrY0w3ZVB0bkpzWVpBa1J4eFU1NWF6ajEKbFJHNWRWN010ZzgwWXJTcDdoYXIxamhTQ0JjVzZMUHdueTdXK1psWEd6VG9Gb1o2clIwdytJdGRjNGpPSEhtTgpRVk9tWFd3SFJuZm5rQWZlNXdDQkZQbXpMT2tYbnloWjdaNWxmVlJQaE9lT0hlV09NeHJvWFZoRmJPcTFxemo1Cm85a1dMVGxwTk42YXhrOW41R1N6NlZDVDRHSW1iOUsyWmpQUklOMktQZ3Vxd0RRSFVmd0ViZ0NnTkVUOG5wc2UKelYxRnRpRUJaeVJPa2RwdDhDd2NrbGxHc0Nab0dIa3Z1OXlRSytMUldvV2xJS041WGJXYVljaW01VVhIZlIzUgp4ZGx2QmgxNDl2MW02Y3haMWpzNUFJM09Xb0lpaXlaWjdKUGUxbUIycDE2dUlsUGhsUUtDQVFFQTRNZmNPRVluCkdrQVEzaEdKMm5ia0ZzZ1hJemJrQkQvanIrY1JHd1pjeitBZ2x0cXFZRnQ2Rzh3eElBMGd2V1BLNDFhR1UzU1AKdHVjUEF6VjVEYlR3WklFdjVpY3kycHJlbHJ1ZTB4RkV4WWRZNFFCVGRiVFM4TE9ZWncxTEZpTGRXb1VKVlhiWApTaE4rSktpSDVpM3J1K2dwTHArT0ZHUSthWFdQSFp0TjdjTUZidEpUUkNQUlZqUkVHb25qejY3c2NNcWxZNjAyCkYxaFlURGRkTGNnNnhiN0M3ZmdXc25pdEh4ZWY5UHZFUlZSUWdyRW9RT3lOcFczL0VOU1RQN1IzTzhnNnNHTXYKUXI4SDd1a3RGUlAxUVRqSGNvdmtrdm9aaERHOHRGREd4T0FhbFMxK2phQVpBMmNVdEI4VU5ueHpqMFJFNE43VAp3OHZST3NHbjJ2aG9vd0tDQVFFQXlONmV1d0FFdllpanVlV21pYWNJTUQ0bExaL3JjLzF6T0RUQ3grWm05SHBCCjZyUGMvMG8yR3lGV2Y2aVN3UjhOWlVyM2dvREh6ck8vTHdZUTNyUEhhZFpkRGRFVWh5UXBHeDFuOG9ONXhSU0sKVkVkdnVESkF4SnhHdXRWYk9sNzlDUitadjBqa3hGY2xaOTBaSGdhVEl5TnBlK1dIcTI3Mm1oaENaOXNmK0RTMgppM2V2MEkrQ0t6eXppV2NUdzJKL0ROSlpIN0ZnUlc0U1M3OXBLcDFPOXk0a2hQMk0xQU9nVUp4eFBta0xMc05oCk45dlB0QmpXMENZZmxiei9zWjBYZEVtL1hEUE9xNWVXc0tsZm5XcnpzR3ZZVHRvZkxpN1pVekJhMjRyc1AzT3UKT0JqeFVQWDBhTnQ2bVlOSWVSQkNkVk9BZlFsbGFqSW1hVENNNXZQcXV3S0NBUUF1RXFrZjI3aytGeTJkNXVoagpvQVRtYW9MYmsrK3VzMDIvQzFTbFBtdWRyQ25oNGRZVVJBdkdVTmNzNDZQM1RkSVRRUFB0ZlRITDRwWmdLUUN6Ci80ZGFnbVJILzNiYitleHY1dXNLQmpzYlpiK2c5c2tra2ppK1g0RjRkZkFUREhoa2ltbzhXMHlMZ1cxVXBEcWUKd29EVUZpVUN5bTk3M0lReVo0YzdJVThhMGVOMk1LUWlqbGpsRzNkdUhSOVZ2VnYzVG9JUjZUbnlGUWljTHFqcApybVhsakZFMko2aTNVaWJoL1p5cXdVUWNsY2llMFNNWUU2U0E2UWZqOGo1d1MxUTVLN1JqM1NDZHhMd2lpeWJUCmNERFArb3hlL1MrUHRMV3dNK1dpNi8raDhQRmg3RjVKTnl5SlZ3S1dYTnh1d3BtSkh3d2pMMmttYzh0aUNMbVkKRjF5VEFvSUJBRWpJdWRWaW5WVWNKTTlnVW1jQWVpd1k2Sm5PbjU5bzBBNG11QWw5Q0FOQUpaQm8yZ1E3SEwzWgo1NkRjTVVqKytuaWdvR3pPUXhnMzgyZVRtQnRLSTFETFZ1NkJ1eUY0emRoQVlJRDBlUFFiakVBYm5uU3M2T0VWCkMxLzVuVlBhUlcrLzNwTDhVOEI5SDFXeVBMNnZmVE0zU3FxVk1nTEJjMlBFdEpNelNETkV6bnhjd3YwY2N2czkKeElSZU1FQVUrWnBvd2RpRkNqQStRU3puVDdFY1RSZXR4WmZXMCtlaTVMMHc0cXZObmpxMG13NkZmSTV5amF2ZwpsSU5LZDVBaEx2VjVIM2pHWVBXMk9Pa01obFBoQkNvQitlQWdrem5GeWdPbHV0WmdVVmh3ajBsT2FHcUFwSzQyCkVRZDlGWTZnZ0tSSXZIOFNINGhLWWJhdDIvQjNvNjhDZ2dFQVNnUGZubVdZcXpQTlpwYXh4VFZ3NXl0cXovMGcKUHlhcW41elhDSHFsdDluNkZFYWdRVjE4bjl0bUZzTWtnOFd4MHp1TjY5ajNvcXVDaWVDSkVRTTFDR05GUWg2MQpEV0xrd210R1FPNXZxc0VhcXpLZk9yWktnYTJ5L3BuejY2SkNlUW83UlJEdVVZVHpPY3NpQmtxNmNUNHFLQjY0ClBCVlVhQTROQkVCZlRoc1o5dDhpWHFDQWhUQnVlTDdhQ3pHV0ZjR1k5dndrZkJHNjNacURXbVlqZkZwRGlqSWIKL21ySnJVTTB0a09HcUhESk5aUWhpZXc1VHF6NWp3VElyTDY3YUdZNFpuNEVyODFlb3JOZnpEeDVnak1NYnoweQoyTGZoN1c0MFlWMDA4ZmZJTk5BbXA4VjNqay9qcWFUSFlWYlFQNGxhdTRIWkc5Q2g1Q1VpSmFvN2xBPT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
  # Generated by:
  # ssh-keyscan github.com | base64 -w 0
  known_hosts: Z2l0aHViLmNvbSBzc2gtcnNhIEFBQUFCM056YUMxeWMyRUFBQUFCSXdBQUFRRUFxMkE3aFJHbWRubTl0VURiTzlJRFN3Qks2VGJRYStQWFlQQ1B5NnJiVHJUdHc3UEhrY2NLcnBwMHlWaHA1SGRFSWNLcjZwTGxWREJmT0xYOVFVc3lDT1Ywd3pmaklKTmxHRVlzZGxMSml6SGhibjJtVWp2U0FIUXFaRVRZUDgxZUZ6TFFOblBIdDRFVlZVaDdWZkRFU1U4NEtlem1ENVFsV3BYTG12VTMxL3lNZitTZTh4aEhUdktTQ1pJRkltV3dvRzZtYlVvV2Y5bnpwSW9hU2pCK3dlcXFVVW1wYWFhc1hWYWw3MkorVVgyQisyUlBXM1JjVDBlT3pRZ3FsSkwzUktyVEp2ZHNqRTNKRUF2R3EzbEdIU1pYeTI4RzNza3VhMlNtVmkvdzR5Q0U2Z2JPRHFuVFdsZzcrd0M2MDR5ZEdYQThWSmlTNWFwNDNKWGlVRkZBYVE9PQo=
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: robot-git-ssh
secrets:
- name: git-ssh
---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: git-ssh-creds
spec:
  serviceAccountName: robot-git-ssh #使用的ServiceAccount
  inputs: #输入资源定义
    resources:
    - name: gitssh
      resourceSpec:
        type: git
        params:
        - name: revision
          value: master # 分支
        - name: url
          value: [email protected]:tektoncd/pipeline.git # 仓库地址,可以改成你的
  taskSpec:
    inputs: #指定输入源
      resources:
      - name: gitssh
        type: git
    steps:
    - name: config
      image: ubuntu
      script: |
        #!/usr/bin/env bash
        cat /workspace/gitssh/README.md

dockerhub 认证 演示

看一个tekton官方的例子:

apiVersion: v1
kind: Secret
metadata:
  name: docker-basic
  annotations: # 要认证的镜像网址
    tekton.dev/docker-0: https://us.gcr.io
    tekton.dev/docker-1: https://eu.gcr.io
    tekton.dev/docker-2: https://asia.gcr.io
    tekton.dev/docker-3: https://gcr.io
    tekton.dev/docker-4: https://reduce-chance-of-selecting-gcr.io
type: kubernetes.io/basic-auth
data:
  # Generated by:
  # echo -n _json_key | base64
  username: X2pzb25fa2V5
  # Generated by:
  #   cat /tmp/key.json | base64 -w 0
  # This service account is JUST a storage reader on gcr.io/build-crd-testing
  # (it is the same as test/serviceaccount/secret.yaml)
  password: ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAiYnVpbGQtY3JkLXRlc3RpbmciLAogICJwcml2YXRlX2tleV9pZCI6ICIwNTAyYTQxYTgxMmZiNjRjZTU2YTY4ZWM1ODMyYWIwYmExMWMxMWU2IiwKICAicHJpdmF0ZV9rZXkiOiAiLS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tXG5NSUlFdlFJQkFEQU5CZ2txaGtpRzl3MEJBUUVGQUFTQ0JLY3dnZ1NqQWdFQUFvSUJBUUM5WDRFWU9BUmJ4UU04XG5EMnhYY2FaVGsrZ1k4ZWp1OTh0THFDUXFUckdNVzlSZVQyeE9ZNUF5Z2FsUFArcDd5WEVja3dCRC9IaE0wZ2xJXG43TVRMZGVlS1dyK3JBMUx3SFp5V0ZXN0gwT25mN3duWUhFSExXVW1jM0JDT1JFRHRIUlo3WnJQQmYxSFRBQS8zXG5Nblc1bFpIU045b2p6U1NGdzZBVnU2ajZheGJCSUlKNzU0THJnS2VBWXVyd2ZJUTJSTFR1MjAxazJJcUxZYmhiXG4zbVNWRzVSK3RiS3oxQ3ZNNTNuSENiN0NmdVZlV3NyQThrazd4SHJyTFFLTW1JOXYyc2dSdWd5TUF6d3ovNnpOXG5oNS9pTXh4Z2VxNVc4eGtWeDNKMm5ZOEpKZEhhZi9UNkFHc09ORW80M3B4ZWlRVmpuUmYvS24xMFRDYzJFc0lZXG5TNDlVc1o3QkFnTUJBQUVDZ2dFQUF1cGxkdWtDUVF1RDVVL2dhbUh0N0dnVzNBTVYxOGVxbkhuQ2EyamxhaCtTXG5BZVVHbmhnSmpOdkUrcE1GbFN2NXVmMnAySzRlZC9veEQ2K0NwOVpYRFJqZ3ZmdEl5cWpsemJ3dkZjZ3p3TnVEXG55Z1VrdXA3SGVjRHNEOFR0ZUFvYlQvVnB3cTZ6S01yQndDdk5rdnk2YlZsb0VqNXgzYlhzYXhlOTVETy95cHU2XG53MFc5N3p4d3dESlk2S1FjSVdNamhyR3h2d1g3bmlVQ2VNNGxlV0JEeUd0dzF6ZUpuNGhFYzZOM2FqUWFjWEtjXG4rNFFseGNpYW1ZcVFXYlBudHhXUWhoUXpjSFdMaTJsOWNGYlpENyt1SkxGNGlONnk4bVZOVTNLM0sxYlJZclNEXG5SVXAzYVVWQlhtRmcrWi8ycHVWTCttVTNqM0xMV1l5Qk9rZXZ1T21kZ1FLQmdRRGUzR0lRa3lXSVMxNFRkTU9TXG5CaUtCQ0R5OGg5NmVoTDBIa0RieU9rU3RQS2RGOXB1RXhaeGh5N29qSENJTTVGVnJwUk4yNXA0c0V6d0ZhYyt2XG5KSUZnRXZxN21YZm1YaVhJTmllUG9FUWFDbm54RHhXZ21yMEhVS0VtUzlvTWRnTGNHVStrQ1ZHTnN6N0FPdW0wXG5LcVkzczIyUTlsUTY3Rk95cWl1OFdGUTdRUUtCZ1FEWmlGaFRFWmtQRWNxWmpud0pwVEI1NlpXUDlLVHNsWlA3XG53VTRiemk2eSttZXlmM01KKzRMMlN5SGMzY3BTTWJqdE5PWkN0NDdiOTA4RlVtTFhVR05oY3d1WmpFUXhGZXkwXG5tNDFjUzVlNFA0OWI5bjZ5TEJqQnJCb3FzMldCYWwyZWdkaE5KU3NDV29pWlA4L1pUOGVnWHZoN2I5MWp6b0syXG5xMlBVbUE0RGdRS0JnQVdMMklqdkVJME95eDJTMTFjbi9lM1dKYVRQZ05QVEc5MDNVcGErcW56aE9JeCtNYXFoXG5QRjRXc3VBeTBBb2dHSndnTkpiTjhIdktVc0VUdkE1d3l5TjM5WE43dzBjaGFyRkwzN29zVStXT0F6RGpuamNzXG5BcTVPN0dQR21YdWI2RUJRQlBKaEpQMXd5NHYvSzFmSGcvRjQ3cTRmNDBMQUpPa2FZUkpENUh6QkFvR0JBTlVoXG5uSUJQSnFxNElNdlE2Y0M5ZzhCKzF4WURlYTkvWWsxdytTbVBHdndyRVh5M0dLeDRLN2xLcGJQejdtNFgzM3N4XG5zRVUvK1kyVlFtd1JhMXhRbS81M3JLN1YybDVKZi9ENDAwalJtNlpmU0FPdmdEVHJ0Wm5VR0pNcno5RTd1Tnc3XG5sZ1VIM0pyaXZ5Ri9meE1JOHFzelFid1hQMCt4bnlxQXhFQWdkdUtCQW9HQUlNK1BTTllXQ1pYeERwU0hJMThkXG5qS2tvQWJ3Mk1veXdRSWxrZXVBbjFkWEZhZDF6c1hRR2RUcm1YeXY3TlBQKzhHWEJrbkJMaTNjdnhUaWxKSVN5XG51Y05yQ01pcU5BU24vZHE3Y1dERlVBQmdqWDE2SkgyRE5GWi9sL1VWRjNOREFKalhDczFYN3lJSnlYQjZveC96XG5hU2xxbElNVjM1REJEN3F4Unl1S3Nnaz1cbi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS1cbiIsCiAgImNsaWVudF9lbWFpbCI6ICJwdWxsLXNlY3JldC10ZXN0aW5nQGJ1aWxkLWNyZC10ZXN0aW5nLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwKICAiY2xpZW50X2lkIjogIjEwNzkzNTg2MjAzMzAyNTI1MTM1MiIsCiAgImF1dGhfdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi9hdXRoIiwKICAidG9rZW5fdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsCiAgImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAogICJjbGllbnRfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9yb2JvdC92MS9tZXRhZGF0YS94NTA5L3B1bGwtc2VjcmV0LXRlc3RpbmclNDBidWlsZC1jcmQtdGVzdGluZy5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIKfQo=
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: robot-docker-basic
secrets:
- name: docker-basic # 使用Secret
imagePullSecrets:
- name: docker-basic # 拉取镜像使用的认证信息
---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: docker-creds
spec:
  serviceAccountName: robot-docker-basic
  taskSpec:
    steps:
    - name: test
      image: quay.io/rhpipeline/skopeo:alpine
      # Test pulling a private builder container. 
      script: skopeo copy docker://gcr.io/build-crd-testing/secret-sauce dir:///tmp/

总结

以上讲解了tekton在云原生CI认证方面的支持,Tekton也是支持触发器的,这个之后讲解吧。使用k8s secret配置认证,用着很舒服。我觉得对于拉取github的私有代码,用ssh key比较安全,用用户名和密码就有安全问题了。在私有云项目中,多是用gitlab等私有仓库的,我觉得用用户名和密码问题也不大。目前,我在使用时用的ssh key拉取github代码。

对云原生感兴趣的朋友欢迎关注公众号“南君手记”
云原生CI/CD:tekton/pipeline之认证篇_第1张图片

你可能感兴趣的:(云原生CI/CD:tekton/pipeline之认证篇)