How can I make a Tekton task that updates a Git config (public) repo file?
The resulting git update will trigger e.g. ArgoCD for syncing the runtime environment.
Of course I will add proper security to the Tekton task environment. For now I would like to do a first basic step.
My first try was using Git/https:
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: deploy
spec:
  params:
    - name: environment
    - name: argo-app-name
    - name: configGitUrl
    - name: appImage
    - name: buildRevision
  workspaces:
    - name: config-source
  steps:
    - name: git-update
      image: alpine/git:v2.26.2
      workingDir: "$(workspaces.config-source.path)"
      script: |
        #!/usr/bin/env sh
        set -x
        whoami
        eval $(ssh-agent)
        git config --global core.sshCommand 'ssh -o StrictHostKeyChecking=accept-new'
        git init
        git remote add origin $(params.configGitUrl)
        git fetch --depth 1 origin master
        git clone git@github.com:myuser/argocd-demo.git
        git checkout master
        echo "updating $(inputs.params.environment) image to $(inputs.params.appImage):$(inputs.params.buildRevision)"
        sed -i "s#$(inputs.params.appImage):[a-zA-Z0-9]\\+#$(inputs.params.appImage):$(inputs.params.buildRevision)#" demo/sb2demo-deployment.yaml
        git config --global user.email "tekton@tekton.dev"
        git config --global user.name "Tekton Pipeline"
        git add .
        git commit --allow-empty -m "[tekton] updating $(inputs.params.environment) image to $(inputs.params.buildRevision)"
        git push origin master
```
This gives the error at the last push:

```
git push origin master
fatal: could not read Username for 'https://github.com': No such device or address
```

My second try, using SSH:
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: deploy
spec:
  params:
    - name: environment
    - name: argo-app-name
    - name: configGitUrl
    - name: appImage
    - name: buildRevision
  workspaces:
    - name: config-source
  steps:
    - name: git-update
      image: alpine/git:v2.26.2
      workingDir: "$(workspaces.config-source.path)"
      script: |
        #!/usr/bin/env sh
        set -x
        whoami
        eval $(ssh-agent)
        mkdir /ssh-stuff
        mkdir /ssh-stuff/.ssh
        ssh-keygen -t rsa -q -b 4096 -C "tekton@tekton.dev" -f /ssh-stuff/.ssh/id_rsa
        ssh-add /ssh-stuff/.ssh/id_rsa
        git config --global core.sshCommand 'ssh -o StrictHostKeyChecking=accept-new'
        git init
        git remote add origin $(params.configGitUrl)
        git fetch --depth 1 origin master
        git clone git@github.com:myuser/argocd-demo.git
        git checkout master
        echo "updating $(inputs.params.environment) image to $(inputs.params.appImage):$(inputs.params.buildRevision)"
        sed -i "s#$(inputs.params.appImage):[a-zA-Z0-9]\\+#$(inputs.params.appImage):$(inputs.params.buildRevision)#" demo/sb2demo-deployment.yaml
        git config --global user.email "tekton@tekton.dev"
        git config --global user.name "Tekton Pipeline"
        git add .
        git commit --allow-empty -m "[tekton] updating $(inputs.params.environment) image to $(inputs.params.buildRevision)"
        git push origin master
```
This script is run as the 'root' user. It gives the error:

```
+ git clone git@github.com:myuser/argocd-demo.git
Cloning into 'argocd-demo'...
Warning: Permanently added 'github.com,140.82.121.3' (ECDSA) to the list of known hosts.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
```
The issue was that the ~/.ssh folder did not exist for the 'root' user.
So, the solution was simple:

```sh
eval $(ssh-agent)
ssh-add /tekton/creds/.ssh/id_*
git config --global core.sshCommand 'ssh -o StrictHostKeyChecking=accept-new'
```

After a lot of experimenting I saw that the public key format from the file '/tekton/creds/.ssh/id_*' was not valid. So, I added the ssh-add line with THAT id file.
Keep in mind to use the git variant and not the https variant for accessing the git repo.
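The answer's approach (reusing the key that Tekton's creds-init mounts under /tekton/creds/.ssh) as an added shell example; this is not code from the question or the answer. It pins a known_hosts file instead of accepting new host keys, widens the tag pattern so tags containing dots or dashes are rewritten too, and the repository URL, key path, manifest path and image name are assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the question or answer. Assumes the private key
# that Tekton's creds-init writes under /tekton/creds/.ssh (as in the answer)
# and a known_hosts file beside it; repo URL, file name and image are placeholders.
set -eu

# ssh command for git: only the mounted key and a pinned known_hosts, so an
# unexpected host key fails the step instead of being accepted on first use.
git_ssh_command() {
  printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' "$1" "$2"
}

# Escape a literal (e.g. an image name with dots) for use in a sed BRE.
bre_escape() { printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'; }

# Print the tag currently set for image $2 in manifest $1 (empty if absent).
image_tag_of() {
  esc=$(bre_escape "$2")
  sed -n "s#.*${esc}:\([A-Za-z0-9_.-]\{1,\}\).*#\1#p" "$1" | head -n 1
}

# Rewrite the tag of image $2 in manifest $1 to $3. The tag class covers
# dots and dashes (v1.2.3, 2024-01-01), which [a-zA-Z0-9]\+ does not.
update_image_tag() {
  pattern="$(bre_escape "$2"):[A-Za-z0-9_.-]\{1,\}"
  sed -i.bak "s#${pattern}#$2:$3#g" "$1" && rm -f "$1.bak"
}

# Clone the config repo over ssh, rewrite the tag, commit and push.
# Args: repo url, branch, manifest path in repo, image, new tag, key, known_hosts.
push_image_update() {
  GIT_SSH_COMMAND=$(git_ssh_command "$6" "$7"); export GIT_SSH_COMMAND
  dir=$(mktemp -d)
  git clone --depth 1 --branch "$2" "$1" "$dir"
  update_image_tag "$dir/$3" "$4" "$5"
  if git -C "$dir" diff --quiet; then echo "tag already $5, nothing to push"; return 0; fi
  git -C "$dir" -c user.name='Tekton Pipeline' -c user.email='tekton@tekton.dev' \
    commit -am "[tekton] update $4 to $5"
  git -C "$dir" push origin "HEAD:$2"
}

# Constructed sample manifest for trying the rewrite offline; prints its path.
make_sample_manifest() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
spec:
  containers:
    - name: sb2demo
      image: ghcr.io/myuser/sb2demo:v1.2.3
EOF
  printf '%s\n' "$f"
}
```

Inside the Task step, push_image_update would be called with the repo URL from the configGitUrl parameter and the key and known_hosts paths under /tekton/creds/.ssh.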