Tags: github, ssh, tekton, tekton-pipelines

Tekton task - update Git config repo file (for ArgoCD)


How can I make a Tekton task that updates a Git config (public) repo file?

The resulting git update will trigger e.g. ArgoCD for syncing the runtime environment.

Of course I will add proper security to the Tekton task environment. For now I would like to take a first basic step.

My first try was using Git/https:

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: deploy
spec:
  params:
    - name: environment
    - name: argo-app-name
    - name: configGitUrl
    - name: appImage
    - name: buildRevision
  workspaces:
    - name: config-source
  steps:
    - name: git-update
      image: alpine/git:v2.26.2
      workingDir: "$(workspaces.config-source.path)"
      script: |
        #!/usr/bin/env sh
        set -x
        
        whoami
        eval $(ssh-agent)
        git config --global core.sshCommand 'ssh -o StrictHostKeyChecking=accept-new'
        
        git init
        git remote add origin $(params.configGitUrl)
        git fetch --depth 1 origin master
        git clone git@github.com:myuser/argocd-demo.git
        git checkout master
        
        echo "updating $(inputs.params.environment) image to $(inputs.params.appImage):$(inputs.params.buildRevision)"
        sed -i "s#$(inputs.params.appImage):[a-zA-Z0-9]\\+#$(inputs.params.appImage):$(inputs.params.buildRevision)#" demo/sb2demo-deployment.yaml
                
        git config --global user.email "tekton@tekton.dev"
        git config --global user.name "Tekton Pipeline"
        git add .
        git commit --allow-empty -m "[tekton] updating $(inputs.params.environment) image to $(inputs.params.buildRevision)"
        git push origin master

This gives the error at the last push:

+ git push origin master
fatal: could not read Username for 'https://github.com': No such device or address

My second try using ssh:

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: deploy
spec:
  params:
    - name: environment
    - name: argo-app-name
    - name: configGitUrl
    - name: appImage
    - name: buildRevision
  workspaces:
    - name: config-source
  steps:
    - name: git-update
      image: alpine/git:v2.26.2
      workingDir: "$(workspaces.config-source.path)"
      script: |
        #!/usr/bin/env sh
        set -x
        
        whoami
        eval $(ssh-agent)
        mkdir /ssh-stuff
        mkdir /ssh-stuff/.ssh
        ssh-keygen -t rsa -q -b 4096 -C "tekton@tekton.dev" -f /ssh-stuff/.ssh/id_rsa 
        ssh-add /ssh-stuff/.ssh/id_rsa
        git config --global core.sshCommand 'ssh -o StrictHostKeyChecking=accept-new'
        
        git init
        git remote add origin $(params.configGitUrl)
        git fetch --depth 1 origin master
        git clone git@github.com:myuser/argocd-demo.git
        git checkout master
        
        echo "updating $(inputs.params.environment) image to $(inputs.params.appImage):$(inputs.params.buildRevision)"
        sed -i "s#$(inputs.params.appImage):[a-zA-Z0-9]\\+#$(inputs.params.appImage):$(inputs.params.buildRevision)#" demo/sb2demo-deployment.yaml
                
        git config --global user.email "tekton@tekton.dev"
        git config --global user.name "Tekton Pipeline"
        git add .
        git commit --allow-empty -m "[tekton] updating $(inputs.params.environment) image to $(inputs.params.buildRevision)"
        git push origin master

This script is run with the 'root' user. It gives the error:

+ git clone git@github.com:myuser/argocd-demo.git
Cloning into 'argocd-demo'...
Warning: Permanently added 'github.com,140.82.121.3' (ECDSA) to the list of known hosts.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Solution

  • The issue was that the ~/.ssh folder did not exist for the 'root' user.

    So, the solution was simple:

    eval $(ssh-agent)
    ssh-add /tekton/creds/.ssh/id_*
    git config --global core.sshCommand 'ssh -o StrictHostKeyChecking=accept-new'
    

    After a lot of experimenting I saw that the format of the public key in the file '/tekton/creds/.ssh/id_*' was not valid. So, I added the ssh-add line with THAT id file.

    Keep in mind that you need to use the git variant and not the https variant of the URL for accessing the git repo.
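The following is an added example, not code from the question or the answer above. It rewrites the git-update step around the answer's fix: it uses the private key that Tekton's credential initializer places under /tekton/creds/.ssh and a git@ remote URL, pins the GitHub host key with StrictHostKeyChecking=yes instead of accept-new, and replaces the image tag with a pattern that also accepts tags such as 1.4.2-rc1 or sha-0a1b2c (the original regex stops at the first dot or dash). The key file name (id_<secret name>), the known_hosts path, the manifest contents and the demo() rehearsal against a local bare repository are assumptions made for the example.

```shell
#!/usr/bin/env sh
# Added example, not code from the original question or answer. Assumed paths:
# the key Tekton mounts as /tekton/creds/.ssh/id_<secret name> and a pinned
# known_hosts file shipped with the same Secret. The manifest in demo() is
# constructed sample data.
set -eu

# Commit identity through the environment instead of `git config --global`, so
# the step works whatever HOME is (root in alpine/git) and touches no shared file.
setup_git_identity() {
    export GIT_AUTHOR_NAME="Tekton Pipeline"    GIT_COMMITTER_NAME="Tekton Pipeline"
    export GIT_AUTHOR_EMAIL="tekton@tekton.dev"  GIT_COMMITTER_EMAIL="tekton@tekton.dev"
}

# Point git at the mounted private key and at a known_hosts file we control
# (assumed paths). With StrictHostKeyChecking=yes a host key that does not match
# the pinned one fails the step instead of being accepted on first contact.
setup_git_ssh() {
    key="${1:-/tekton/creds/.ssh/id_github}"
    known_hosts="${2:-/tekton/creds/.ssh/known_hosts}"
    export GIT_SSH_COMMAND="ssh -i $key -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$known_hosts"
}

# Replace the tag of IMAGE in FILE. The image name is matched literally ('.' is
# the only BRE metacharacter a valid image reference can contain) and the tag
# pattern follows the OCI tag grammar: [A-Za-z0-9_][A-Za-z0-9_.-]*.
# Digest references (image@sha256:...) are deliberately left untouched.
bump_image() {
    file="$1"; image="$2"; tag="$3"
    esc=$(printf '%s' "$image" | sed 's/\./\\./g')
    sed -i "s#$esc:[A-Za-z0-9_][A-Za-z0-9_.-]*#$image:$tag#g" "$file"
    # Fail the step if the manifest does not now carry the new tag.
    grep -qF "$image:$tag" "$file"
}

# Stage, commit and push. No --allow-empty: a run that changed nothing should
# not write a commit that claims to have changed something.
commit_and_push() {
    msg="$1"; branch="${2:-master}"
    git add -A
    if git diff --cached --quiet; then
        echo "nothing to commit" >&2
        return 0
    fi
    git commit -q -m "$msg"
    git push -q origin "HEAD:$branch"
}

# What the Tekton step itself runs; URL must be the git@github.com:... form.
# run_step git@github.com:myuser/argocd-demo.git demo/sb2demo-deployment.yaml myuser/sb2demo "$REV"
run_step() {
    url="$1"; file="$2"; image="$3"; tag="$4"
    setup_git_identity
    setup_git_ssh
    git clone -q --depth 1 --branch master "$url" .
    bump_image "$file" "$image" "$tag"
    commit_and_push "[tekton] updating image $image to $tag"
}

# Offline rehearsal: a local bare repository stands in for the GitHub config
# repo, so the clone / edit / commit / push path runs without network or SSH.
# Prints the image line that ends up on origin's master branch.
demo() {
    work=$(mktemp -d)
    setup_git_identity
    git init -q --bare "$work/origin.git"
    seed="$work/seed"
    git init -q "$seed"
    git -C "$seed" symbolic-ref HEAD refs/heads/master
    mkdir -p "$seed/demo"
    cat > "$seed/demo/sb2demo-deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sb2demo
spec:
  template:
    spec:
      containers:
        - name: sb2demo
          image: myuser/sb2demo:1.0.0
EOF
    git -C "$seed" add -A
    git -C "$seed" commit -q -m "initial manifest"
    git -C "$seed" push -q "$work/origin.git" master
    clone="$work/config-source"
    git clone -q --depth 1 --branch master "file://$work/origin.git" "$clone"
    (
        cd "$clone"
        bump_image demo/sb2demo-deployment.yaml myuser/sb2demo 1.0.1-rc2
        commit_and_push "[tekton] updating dev image to 1.0.1-rc2"
    )
    git -C "$work/origin.git" show master:demo/sb2demo-deployment.yaml \
        | grep 'image:' | sed 's/^ *//'
    rm -rf "$work"
}
```

In the Task, the script body reduces to `run_step "$(params.configGitUrl)" demo/sb2demo-deployment.yaml "$(params.appImage)" "$(params.buildRevision)"` with the step's workingDir set to the workspace. The key reaches /tekton/creds/.ssh when the TaskRun's ServiceAccount references a Secret of type kubernetes.io/ssh-auth annotated with `tekton.dev/git-0: github.com`; putting GitHub's host key in that Secret's `known_hosts` field is what makes the StrictHostKeyChecking=yes setting above work without accept-new.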