heidloff.net - Building is my Passion
Post
Cancel

Accessing GitHub in Tekton Tasks on OpenShift

This article explains how to access GitHub repositories from Tekton tasks on behalf of specific users via ssh.

In my application modernization example I use Tekton pipelines to deploy the modernized cloud-native application. In order to access GitHub, you need to follow these four steps:

  1. Key Creation
  2. GitHub Configuration
  3. Kubernetes Secret Creation
  4. Usage in Tasks

Key Creation

First you need to create the public and private ssh keys.

1
$ ssh-keygen -t rsa -b 4096 -C "tekton@tekton.dev"

Enter the file name, for example ‘/Users/niklasheidloff/.ssh/tekton’ and define no password.

GitHub Configuration

The public key needs to be defined in your GitHub settings.

Get the public key via a command like this and copy the key to the clipboard:

1
$ cat /Users/niklasheidloff/.ssh/tekton.pub 

Open your GitHub settings https://github.com/settings/keys, create a new SSH key and paste it. Call the entry ‘tekton’.

Kubernetes Secret Creation

The private key needs to be put in a Kubernetes secret.

1
2
$ cat /Users/niklasheidloff/.ssh/tekton \| base64
$ export GITHUB_SSH_KEY_PRIVATE=your_private_key

This is a template yaml file for the secret:

1
2
3
4
5
6
7
8
9
10
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-key
  namespace: app-mod-argocd-pipelines
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <base64data>

Next the resource in the yaml file needs to be applied.

1
2
$ sed "s/<base64data>/${GITHUB_SSH_KEY_PRIVATE}/g" ${ROOT_FOLDER}/scripts-openshift-argocd/argocd-config/tekton-git-ssh-secret.yaml.template > ${ROOT_FOLDER}/scripts-openshift-argocd/argocd-config/tekton-git-ssh-secret.yaml
$ oc apply -f ${ROOT_FOLDER}/scripts-openshift-argocd/argocd-config/tekton-git-ssh-secret.yaml

Usage in Tasks

Check out the sample tasks:

The following snippet shows how to write changes to GitHub. The trick is to use the two lines ‘eval …’ and ‘ssh-add …’ which refer to the private key in the secret. Read the Tekton documentation for more details.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
steps:
- name: commit-push-changes-gitops
    image: alpine/git:v2.30.2
    workingDir: "$(workspaces.config-source.path)"
    script: |
      #!/usr/bin/env sh
      set -e

      eval $(ssh-agent)
      ssh-add ~/.ssh/id_*

      git config --global user.email "tekton@tekton.dev"
      git config --global user.name "Tekton Pipeline"
      git add .
      git commit --allow-empty -m "[Tekton] updating $(params.environment)"
      git push origin main

Note: The working directory needs to be the root path, for example “$(workspaces.config-source.path)”. Other directories cause some weird behaviour and access issues.

Next Steps

To learn more about Tekton, ArgoCD and application modernization, check out my repo.

Featured Blog Posts
Disclaimer
The postings on this site are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Trending Tags