Commit

Add 0.2 git-cli task after git-clone 0.4 example
Remove trailing spaces

Improve README

Add SSH creds docs
GijsvanDulmen authored and tekton-robot committed Jul 1, 2021
1 parent 1887c0b commit e88a331
Showing 3 changed files with 306 additions and 0 deletions.
150 changes: 150 additions & 0 deletions task/git-cli/0.2/README.md
@@ -0,0 +1,150 @@
# Git Task

This `Task` is Git task to work with repositories used by other tasks
in your Pipeline.

## `git-cli`

This [task](../0.2/git-cli.yaml) can be used to perform `git operations`.
All git commands can be found [here](https://git-scm.com/docs).

Command that needs to be run can be passed as a script to the task.

### Workspaces

* **source**: A workspace that contains the fetched git repository.
* **input**: A workspace that contains file that needs to be added to git.
* **ssh-directory**: An optional workspace to provide SSH credentials. At
minimum this should include a private key but can also include other common
files from `.ssh` including `config` and `known_hosts`. It is **strongly**
recommended that this workspace be bound to a Kubernetes `Secret`.
For details on the correct format of the files in this Workspace
see [Using SSH credentials](#using-ssh-credentials) below.

* **basic-auth**: An optional workspace containing `.gitconfig` and
`.git-credentials` files. This allows username/password/access token to be
provided for basic auth.

It is **strongly** recommended that this workspace be bound to a Kubernetes
`Secret`. For details on the correct format of the files in this Workspace
see [Using basic-auth Credentials](#using-basic-auth-credentials) below.

### Parameters

* **BASE_IMAGE**: The base image for the task.
(_default_: `alpine/git:latest`)
* **GIT_USER_NAME**: Git user name for performing git operation.
* **GIT_USER_EMAIL**: Git user email for performing git operation.
* **GIT_SCRIPT**: The git script to run. (_required_)
* **VERBOSE**: Log the commands that are executed during `git-cli`'s operation. (_default_: true)
* **USER_HOME**: The user's home directory. Set this explicitly if you are running the image as a non-root user. (_default_: "/tekton/home")

### Results

* **commit**: The precise commit SHA after git operation is performed.

### Usage

This task needs authentication to git in order to push after the git operation.

After creating the task, you should now be able to execute `git` commands by
specifying the command you would like to run as the `GIT_SCRIPT` param.

`Example`:

```yaml
params:
- name: GIT_SCRIPT
value: |
git init
git remote add origin https://github.com/kelseyhightower/nocode
git pull origin master
```
## Using SSH credentials
This Task supports fetching private repositories using SSH credentials.
1. Bind an `ssh-directory` workspace to this Task.
The workspace should contain private keys (e.g. `id_rsa`), `config`
and `known_hosts` files - anything you need to interact with your git remote
via SSH. It's **strongly** recommended that you use Kubernetes `Secrets` to
hold your credentials and bind to this workspace.

In a TaskRun that would look something like this:

```yaml
kind: TaskRun
spec:
workspaces:
- name: ssh-directory
secret:
secretName: my-ssh-credentials
```

And in a Pipeline and PipelineRun it would look like this:

```yaml
kind: Pipeline
spec:
workspaces:
- name: ssh-creds
# ...
tasks:
- name: use-git-cli
taskRef:
name: git-cli
workspaces:
- name: ssh-directory
workspace: ssh-creds
# ...
---
kind: PipelineRun
spec:
workspaces:
- name: ssh-creds
secret:
secretName: my-ssh-credentials
# ...
```

The `Secret` would appear the same in both cases - structured like a `.ssh`
directory:

```yaml
kind: Secret
apiVersion: v1
metadata:
name: my-ssh-credentials
data:
id_rsa: # ... base64-encoded private key ...
known_hosts: # ... base64-encoded known_hosts file ...
config: # ... base64-encoded ssh config file ...
```

Including `known_hosts` is optional but strongly recommended. Without it
the `git-cli` Task will blindly accept the remote server's identity.

## Using basic-auth Credentials

**Note**: It is strongly advised that you use `ssh` credentials when the
option is available to you before using basic auth.

To support basic-auth this Task exposes an optional `basic-auth` Workspace.
The bound Workspace must contain a `.gitconfig` and `.git-credentials` file.
Any other files on this Workspace are ignored. A typical `Secret` containing
these credentials looks as follows:

```yaml
kind: Secret
apiVersion: v1
metadata:
name: my-basic-auth-secret
type: Opaque
stringData:
.gitconfig: |
[credential "https://<hostname>"]
helper = store
.git-credentials: |
https://<user>:<pass>@<hostname>
```
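
Review bot: The Parameters section gives the `BASE_IMAGE` default as `alpine/git:latest`, but git-cli.yaml in this same commit defaults to a digest-pinned `docker.io/alpine/git:v2.26.2` reference; update the README to show the pinned default so a reader who copies the documented value does not lose the pinning. Under "Using SSH credentials", the sentence that without `known_hosts` the Task "will blindly accept the remote server's identity" is not backed by anything in the step script added here, which only copies the workspace to `.ssh` and sets permissions; describe the behaviour the script actually has or drop the sentence. The numbered list in that section also has a single step `1.`, so it can be plain prose.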
137 changes: 137 additions & 0 deletions task/git-cli/0.2/git-cli.yaml
@@ -0,0 +1,137 @@
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: git-cli
labels:
app.kubernetes.io/version: "0.2"
annotations:
tekton.dev/pipelines.minVersion: "0.21.0"
tekton.dev/tags: git
tekton.dev/displayName: "git cli"
spec:
description: >-
This task can be used to perform git operations.
Git command that needs to be run can be passed as a script to
the task. This task needs authentication to git in order to push
after the git operation.
workspaces:
- name: source
description: A workspace that contains the fetched git repository.

- name: input
description: A workspace that contains file that needs to be added to git.

- name: ssh-directory
optional: true
description: |
A .ssh directory with private key, known_hosts, config, etc. Copied to
the user's home before git commands are executed. Used to authenticate
with the git remote when performing the clone. Binding a Secret to this
Workspace is strongly recommended over other volume types.
- name: basic-auth
optional: true
description: |
A Workspace containing a .gitconfig and .git-credentials file. These
will be copied to the user's home before any git commands are run. Any
other files in this Workspace are ignored. It is strongly recommended
to use ssh-directory over basic-auth whenever possible and to bind a
Secret to this Workspace over other volume types.
params:
- name: BASE_IMAGE
description: |
The base image for the task.
type: string
default: docker.io/alpine/git:v2.26.2@sha256:23618034b0be9205d9cc0846eb711b12ba4c9b468efdd8a59aac1d7b1a23363f #tag: v2.26.2

- name: GIT_USER_NAME
type: string
description: |
Git user name for performing git operation.
default: ""

- name: GIT_USER_EMAIL
type: string
description: |
Git user email for performing git operation.
default: ""

- name: GIT_SCRIPT
description: The git script to run.
type: string
default: |
git help
- name: USER_HOME
description: |
Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden
the gitInitImage param with an image containing custom user configuration.
type: string
default: "/tekton/home"

- name: VERBOSE
description: Log the commands that are executed during `git-clone`'s operation.
type: string
default: "true"

results:
- name: commit
description: The precise commit SHA after the git operation.

steps:
- name: git
image: $(params.BASE_IMAGE)
workingDir: $(workspaces.source.path)
env:
- name: PARAM_VERBOSE
value: $(params.VERBOSE)
- name: PARAM_USER_HOME
value: $(params.USER_HOME)
- name: WORKSPACE_OUTPUT_PATH
value: $(workspaces.output.path)
- name: WORKSPACE_SSH_DIRECTORY_BOUND
value: $(workspaces.ssh-directory.bound)
- name: WORKSPACE_SSH_DIRECTORY_PATH
value: $(workspaces.ssh-directory.path)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
value: $(workspaces.basic-auth.bound)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
value: $(workspaces.basic-auth.path)
script: |
#!/usr/bin/env sh
set -eu
if [ "${PARAM_VERBOSE}" = "true" ] ; then
set -x
fi
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
chmod 400 "${PARAM_USER_HOME}/.git-credentials"
chmod 400 "${PARAM_USER_HOME}/.gitconfig"
fi
if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
chmod 700 "${PARAM_USER_HOME}"/.ssh
chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
fi
# Setting up the config for the git.
git config --global user.email "$(params.GIT_USER_EMAIL)"
git config --global user.name "$(params.GIT_USER_NAME)"
$(params.GIT_SCRIPT)
RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')"
EXIT_CODE="$?"
if [ "$EXIT_CODE" != 0 ]
then
exit $EXIT_CODE
fi
# Make sure we don't add a trailing newline to the result!
echo -n "$RESULT_SHA" > $(results.commit.path)
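
Review bot: At the two `git config --global` lines, `$(params.GIT_USER_EMAIL)` and `$(params.GIT_USER_NAME)` are substituted into the script text before the shell runs, so a value containing a double quote or a command substitution is parsed as script rather than as data. Pass both through `env` entries, the way `PARAM_VERBOSE` and `PARAM_USER_HOME` already are, and reference the quoted variables instead. Two further points in the same step: `WORKSPACE_OUTPUT_PATH` is set from `$(workspaces.output.path)`, but the Task declares no `output` workspace and the script never reads the variable, so the entry should be removed; and `EXIT_CODE="$?"` after `RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')"` captures the status of the pipeline, which is that of `tr`, so the check that follows does not catch a failed `git rev-parse`. The `VERBOSE` and `USER_HOME` descriptions still mention `git-clone` and a `gitInitImage` param that this Task does not have.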
19 changes: 19 additions & 0 deletions task/git-cli/0.2/tests/run.yaml
@@ -0,0 +1,19 @@
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-cli-run
spec:
taskRef:
name: git-cli
workspaces:
- name: source
emptyDir: {}
- name: input
emptyDir: {}
params:
- name: GIT_SCRIPT
value: |
git init
git remote add origin https://github.com/kelseyhightower/nocode
git pull origin master
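
Review bot: Neither the `ssh-directory` nor the `basic-auth` branch of the step script is exercised by this run, because the `workspaces` list binds only `source` and `input`; the credential copy and `chmod` steps that this version documents therefore go untested. Add a second TaskRun that binds a Secret with constructed test credentials to one of those workspaces and checks the files land under `USER_HOME` with the expected modes. The run also does not check the `commit` result, and `git pull origin master` from github.com makes the test depend on external network access and on that branch name.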

1 comment on commit e88a331

@EarthlingDavey

Hi, I think the default USER_HOME should be /root because, unlike git-clone, the alpine/git image is used.

Something like: https://github.com/EarthlingDavey/catalog/commit/1201872424b538ea789d1e28aa59d5c026f34f69
