
Enabling git clone of a private GitHub repository in Tekton


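Overview

Cloning from a private GitHub repository in Tekton and then doing something with the result is one of the things you will inevitably want to do.
This article runs a task that simply cats README.md to check that the clone worked.

Preparation

Install Tekton Pipelines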

kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

Create the git-clone Task

kubectl apply -f \
https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml

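Steps

  1. Create secret.yaml

Set the private key and known_hosts.
Incidentally, a key in id_rsa format is also fine. In that case, change the key name to id_rsa as well.

apiVersion: v1
kind: Secret
metadata:
  name: git-credentials
data:
  # Paste the output of: cat ~/.ssh/id_ed25519 | base64 -w 0
  id_ed25519:
  # Paste the output of: ssh-keyscan github.com 2>/dev/null | base64 -w 0
  # ssh-keyscan trusts whatever host answers, so compare the result with
  # the SSH key fingerprints GitHub publishes before using it.
  known_hosts:

  2. Create show-readme.yaml
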
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: show-readme
spec:
  description: Read and display README file.
  workspaces:
  - name: source
  steps:
  - name: read
    image: alpine:latest
    script: | 
      #!/usr/bin/env sh
      cat $(workspaces.source.path)/README.md
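
  3. Create pipeline.yaml

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: test-pipeline
spec:
  params:
  # Declared here so the repo-url value passed by the PipelineRun is accepted.
  - name: repo-url
    type: string
    description: The git repo URL to clone from.
  workspaces:
  - name: shared-data
    description: |
      This workspace contains the cloned repo files, so they can be read by the
      next task.
  - name: git-credentials
    description: My ssh credentials
  tasks:
  - name: fetch-source
    taskRef:
      name: git-clone
    workspaces:
    - name: output
      workspace: shared-data
    # Mounted by git-clone and copied to ~/.ssh before the clone.
    - name: ssh-directory
      workspace: git-credentials
    params:
    - name: url
      value: $(params.repo-url)
  # Runs after the clone and reads README.md from the shared workspace.
  - name: show-readme
    runAfter: ["fetch-source"]
    taskRef:
      name: show-readme
    workspaces:
    - name: source
      workspace: shared-data

  4. Create pipelinerun.yaml
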
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: test-pipelinerun
  namespace: default
spec:
  pipelineRef:
    name: test-pipeline
  podTemplate:
    securityContext:
      fsGroup: 65532
  workspaces:
  - name: shared-data
    volumeClaimTemplate:
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
  - name: git-credentials
    secret:
      secretName: git-credentials
  params:
  - name: repo-url
    value: git@github.com:vampire-yuta/openstack-kindle.git # specify the private repository (SSH-style git URL)

  5. Apply the manifests

kubectl create -f secret.yaml
kubectl create -f show-readme.yaml
kubectl create -f pipeline.yaml
kubectl create -f pipelinerun.yaml

  6. Check the logs after applying

tkn pipelinerun logs clone-read-run-4kgjr -f

At the end of the log the README contents are read, which confirms that the clone worked.

❯ tkn pr logs clone-read-run-9mdrn -f
[fetch-source : clone] + '[' false '=' true ]
[fetch-source : clone] + '[' true '=' true ]
[fetch-source : clone] + cp -R /workspace/ssh-directory /tekton/home/.ssh
[fetch-source : clone] + chmod 700 /tekton/home/.ssh
[fetch-source : clone] + chmod -R 400 /tekton/home/.ssh/id_ed25519 /tekton/home/.ssh/known_hosts
[fetch-source : clone] + '[' false '=' true ]
[fetch-source : clone] + CHECKOUT_DIR=/workspace/output/
[fetch-source : clone] + '[' true '=' true ]
[fetch-source : clone] + cleandir
[fetch-source : clone] + '[' -d /workspace/output/ ]
[fetch-source : clone] + rm -rf '/workspace/output//*'
[fetch-source : clone] + rm -rf '/workspace/output//.[!.]*'
[fetch-source : clone] + rm -rf '/workspace/output//..?*'
[fetch-source : clone] + test -z
[fetch-source : clone] + test -z
[fetch-source : clone] + test -z
[fetch-source : clone] + /ko-app/git-init '-url=git@github.com:vampire-yuta/openstack-kindle.git' '-revision=' '-refspec=' '-path=/workspace/output/' '-sslVerify=true' '-submodules=true' '-depth=1' '-sparseCheckoutDirectories='
[fetch-source : clone] {"level":"warn","ts":1739277394.7910533,"caller":"git/git.go:278","msg":"URL(\"git@github.com:vampire-yuta/openstack-kindle.git\") appears to need SSH authentication but no SSH credentials have been provided"}
[fetch-source : clone] {"level":"info","ts":1739277460.453175,"caller":"git/git.go:170","msg":"Successfully cloned git@github.com:vampire-yuta/openstack-kindle.git @ 90ceddfad3d46a6680e21d49c5b3787479f6c2ac (grafted, HEAD) in path /workspace/output/"}
[fetch-source : clone] {"level":"info","ts":1739277460.475869,"caller":"git/git.go:208","msg":"Successfully initialized and updated submodules in path /workspace/output/"}
[fetch-source : clone] + cd /workspace/output/
[fetch-source : clone] + git rev-parse HEAD
[fetch-source : clone] + RESULT_SHA=90ceddfad3d46a6680e21d49c5b3787479f6c2ac
[fetch-source : clone] + EXIT_CODE=0
[fetch-source : clone] + '[' 0 '!=' 0 ]
[fetch-source : clone] + printf '%s' 90ceddfad3d46a6680e21d49c5b3787479f6c2ac
[fetch-source : clone] + printf '%s' git@github.com:vampire-yuta/openstack-kindle.git

[show-readme : read] # openstack-kindle
[show-readme : read]
[show-readme : read] aaa
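
The checks behind step 1, as an added example that is not part of the original article: a shell function that builds the git-credentials Secret from a key file and a known_hosts file and refuses inputs that would not work once copied to ~/.ssh. The function name make_git_secret and its argument order are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original article. make_git_secret and its
# arguments are hypothetical names chosen for this sketch.
# Usage: make_git_secret KEY_FILE KNOWN_HOSTS [HOST] [SECRET_NAME] | kubectl apply -f -

b64() { base64 < "$1" | tr -d '\n'; }   # portable stand-in for `base64 -w 0`

make_git_secret() {
  key_file=$1 known_hosts=$2 host=${3:-github.com} name=${4:-git-credentials}
  key_name=$(basename "$key_file")

  # The Secret's data key becomes a file name under ~/.ssh, so it must be
  # one of the identity file names ssh tries by default.
  case $key_name in
    id_ed25519|id_rsa|id_ecdsa) ;;
    *) echo "error: '$key_name' is not a default ssh identity name" >&2
       return 1 ;;
  esac

  # Reject public keys and other files that are not a private key.
  head -n 1 "$key_file" | grep -q -e '-----BEGIN .*PRIVATE KEY-----' || {
    echo "error: $key_file does not look like a private key" >&2
    return 1
  }

  # Require an unhashed entry for the host (what ssh-keyscan prints without
  # -H), so ssh has a pinned key to verify the server against.
  awk -v h="$host" '
    { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) ok = 1 }
    END { exit !ok }' "$known_hosts" || {
    echo "error: no known_hosts entry for $host" >&2
    return 1
  }

  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  $key_name: $(b64 "$key_file")
  known_hosts: $(b64 "$known_hosts")
EOF
}
```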

References

https://tekton.dev/docs/how-to-guides/clone-repository/#git-authentication
https://inorio.hatenablog.com/entry/2024/02/14/180000
https://zenn.dev/ysmtegsr/articles/f537c9144f1cd103a05b
