I am using the Tekton Hub catalog git-clone task to clone a private Bitbucket repository. I keep getting the error `no SSH credentials have been provided`.
I have created a new namespace because of the security context issue pods "xxxx" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "prepare", "place-scripts",
Tekton pipeline is installed in the tekton-pipeline namespace.
The secret, pipeline and pipeline-run below are created in the fetebird-tekton namespace.
Kubernetes-secret
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-key-secret
  namespace: fetebird-tekton
  annotations:
    tekton.dev/git-0: bitbucket.org # Described below
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    .........
    -----END OPENSSH PRIVATE KEY-----
  known_hosts: |
    bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
    bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=
    bitbucket.org ssh-rsa .........
```
pipeline.yaml
```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: ft-common
  namespace: fetebird-tekton
spec:
  params:
    - name: repo-url
      type: string
      description: The git repository URL to clone from.
  workspaces:
    - name: shared-data
      description: |
        cloned git repo.
    - name: git-credentials
      description: |
        This workspace contains SSH key.
  tasks:
    - name: fetch-repo
      taskRef:
        name: git-clone
      workspaces:
        - name: output
          workspace: shared-data
        - name: ssh-directory
          workspace: git-credentials
      params:
        - name: url
          value: "$(params.repo-url)"
```
pipeline-run.yaml
```yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: ft-common-run
  namespace: fetebird-tekton
spec:
  pipelineRef:
    name: ft-common
  podTemplate:
    securityContext:
      fsGroup: 65532
  workspaces:
    - name: shared-data
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
    - name: git-credentials
      secret:
        secretName: git-ssh-key-secret
  params:
    - name: repo-url
      value: git@bitbucket.org:anandjaisy/common.git
```
Error in Tekton Dashboard
```
2023-07-22T04:22:38.350474002Z + '[' false '=' true ]
2023-07-22T04:22:38.350605085Z + '[' true '=' true ]
2023-07-22T04:22:38.350614877Z + cp -R /workspace/ssh-directory /home/git/.ssh
2023-07-22T04:22:38.353488627Z + chmod 700 /home/git/.ssh
2023-07-22T04:22:38.355256585Z + chmod -R 400 /home/git/.ssh/known_hosts /home/git/.ssh/ssh-privatekey
2023-07-22T04:22:38.357084710Z + '[' false '=' true ]
2023-07-22T04:22:38.357117169Z + CHECKOUT_DIR=/workspace/output/
2023-07-22T04:22:38.357124877Z + '[' true '=' true ]
2023-07-22T04:22:38.357130419Z + cleandir
2023-07-22T04:22:38.357135127Z + '[' -d /workspace/output/ ]
2023-07-22T04:22:38.357589919Z + rm -rf '/workspace/output//*'
2023-07-22T04:22:38.359449752Z + rm -rf /workspace/output//.git
2023-07-22T04:22:38.362385919Z + rm -rf '/workspace/output//..?*'
2023-07-22T04:22:38.363630044Z + test -z
2023-07-22T04:22:38.363649377Z + test -z
2023-07-22T04:22:38.363655377Z + test -z
2023-07-22T04:22:38.363702419Z + git config --global --add safe.directory /workspace/output
2023-07-22T04:22:38.369294044Z + /ko-app/git-init '-url=git@bitbucket.org:anandjaisy/common.git' '-revision=' '-refspec=' '-path=/workspace/output/' '-sslVerify=true' '-submodules=true' '-depth=1' '-sparseCheckoutDirectories='
2023-07-22T04:22:38.383720460Z {"level":"warn","ts":1689999758.383478,"caller":"git/git.go:271","msg":"URL(\"git@bitbucket.org:anandjaisy/common.git\") appears to need SSH authentication but no SSH credentials have been provided"}
2023-07-22T04:22:39.859510128Z {"level":"error","ts":1689999759.8580627,"caller":"git/git.go:53","msg":"Error running git [fetch --recurse-submodules=yes --depth=1 origin --update-head-ok --force ]: exit status 128\ngit@bitbucket.org: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:53\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:156\nmain.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:53\nruntime.main\n\truntime/proc.go:250"}
```
In the pipeline run, `secret: secretName: git-ssh-key-secret` is passed, but I still face the same SSH issue.

1 Answer
I had to use a service account instead of the secret directory in the pipeline run.
https://github.com/tektoncd/pipeline/blob/main/docs/auth.md#configuring-ssh-auth-authentication-for-git
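
The approach this answer describes, written out as an added example (not code from the original post or from the Tekton project): the question's `git-ssh-key-secret` is attached to a ServiceAccount, and the PipelineRun names that account instead of binding the secret to the `ssh-directory` workspace. The names `ft-git-sa`, `ft-common-sa` and `ft-common-sa-run` are hypothetical, and the Secret is assumed to exist unchanged.

```yaml
# Added example; ft-git-sa, ft-common-sa and ft-common-sa-run are hypothetical names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ft-git-sa
  namespace: fetebird-tekton
secrets:
  - name: git-ssh-key-secret   # annotated tekton.dev/git-0: bitbucket.org in the question
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: ft-common-sa
  namespace: fetebird-tekton
spec:
  params:
    - name: repo-url
      type: string
  workspaces:
    - name: shared-data        # the git-credentials workspace is no longer declared
  tasks:
    - name: fetch-repo
      taskRef: {name: git-clone}
      workspaces:
        - name: output         # ssh-directory is left unbound
          workspace: shared-data
      params:
        - name: url
          value: "$(params.repo-url)"
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: ft-common-sa-run
  namespace: fetebird-tekton
spec:
  serviceAccountName: ft-git-sa   # SSH credentials now come from the ServiceAccount
  pipelineRef: {name: ft-common-sa}
  podTemplate:
    securityContext: {fsGroup: 65532}
  workspaces:
    - name: shared-data
      volumeClaimTemplate:
        spec:
          accessModes: [ReadWriteOnce]
          resources: {requests: {storage: 1Gi}}
  params:
    - name: repo-url
      value: git@bitbucket.org:anandjaisy/common.git
```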