Chapter 9. Securing Authentication


Не тестировалось из-за лени.


Authenticating into a Git repository


$ vi ~/tmp/task.yaml


apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: read-file
spec:
  params:
    - name: private-repo
      type: string
  steps:
    - name: clone
      image: alpine/git
      script: |
        mkdir /temp && cd /temp
        git clone $(params.private-repo) .
        cat README.md


$ kubectl create -f ~/tmp/task.yaml


Basic authentication

Вроде уже отключили такую возможность!

GitHub won’t let you authenticate using your username and password directly. Instead, you will need to create a token that can then be used as your password. This token can be easily revoked if you accidentally publish it somewhere.


$ cat << 'EOF' | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: git-basic-auth
  annotations:
    tekton.dev/git-0: https://github.com
type: kubernetes.io/basic-auth
stringData:
  username: joellord
  password: ghp_token
EOF


$ cat << 'EOF' | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: git-auth-sa
secrets:
  - name: git-basic-auth
EOF


$ cat << 'EOF' | kubectl apply -f -
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  generateName: git-auth-
spec:
  serviceAccountName: git-auth-sa
  params:
    - name: private-repo
      value: https://github.com/joellord/secret-repo.git
  taskRef:
    name: read-file
EOF


$ tkn taskrun logs git-auth-kgp9l


SSH authentication


$ cat ~/.ssh/id_rsa
$ cat ~/.ssh/known_hosts | grep github.com


$ cat << 'EOF' | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-auth
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC...
    NhAAAA...
    -----END OPENSSH PRIVATE KEY-----
  known_hosts: github.com,140.82.112.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF


$ cat << 'EOF' | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: git-auth-sa
secrets:
  - name: git-ssh-auth
EOF


$ cat << 'EOF' | kubectl apply -f -
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: read-file
spec:
  params:
    - name: private-repo
      type: string
  steps:
    - name: clone
      image: alpine/git
      script: |
        cd /root && mkdir .ssh && cd .ssh
        cp ~/.ssh/* .
        mkdir /temp && cd /temp
        git clone $(params.private-repo) .
        cat README.md
EOF


$ cat << 'EOF' | kubectl apply -f -
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  generateName: git-auth-
spec:
  serviceAccountName: git-auth-sa
  params:
    - name: private-repo
      value: [email protected]:joellord/secret-repo
  taskRef:
    name: read-file
EOF


$ tkn taskrun logs -f git-auth-grzw4


Authenticating in a container registry

$ kubectl create secret docker-registry registry-creds \
  --docker-server=<server> \
  --docker-username=<username> \
  --docker-password=<password> \
  --docker-email=<email>


$ cat << 'EOF' | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: authenticated
secrets:
  - name: registry-creds
imagePullSecrets:
  - name: registry-creds
EOF


$ cat << 'EOF' | kubectl apply -f -
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: private
spec:
  steps:
    - image: joellord/private
      command:
        - /bin/sh
        - -c
        - echo hello
EOF


$ tkn task start private --showlog -s authenticated