Sub-pipeline with GitHub deploy keys
- In the Radix application repository create a folder tekton. This folder needs to be in the configuration branch and in the same folder where the radixconfig.yaml file is located (by default, the root of the repository).
- The sub-pipeline in this example runs one task with two steps.
- Create a file test-github.yaml for the task test-github. This task has two steps: "git-clone" and "list-contents".
Tip: Mount the volume named $(radix.git-deploy-key) where you need your SSH credentials.
File test-github.yaml
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: test-github
spec:
  stepTemplate:
    image: alpine/git
    volumeMounts:
      - name: source-volume
        mountPath: /var/source
    securityContext:
      runAsUser: 65534 # nobody
  steps:
    - name: git-clone
      volumeMounts:
        - name: $(radix.git-deploy-key) # <-- This volume is created by Radix and available where you mount it.
          mountPath: /.ssh
      command:
        - git
        - clone
        - git@github.com:Equinor-Playground/rihag-edc23-radix-1.git
        - /var/source/branch
    - name: list-contents
      script: |
        #!/usr/bin/env sh
        ls -la /var/source/branch
  volumes:
    - name: source-volume
      emptyDir: { }
- Create a file pipeline.yaml. Add a task in the tasks list: give it a name (it can be any name, unique within this sub-pipeline), and in the property taskRef ("reference to a task") put the value from the property metadata.name of the task created above:
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: test-pipeline
spec:
  tasks:
    - name: test-github
      taskRef:
        name: test-github
- File structure can be like this:
/
├── tekton/
│   ├── pipeline.yaml
│   └── test-github.yaml
└── radixconfig.yaml
Details:
- The user ID 65534 is mapped to the user nobody in the image alpine/git, with the home folder set to /
- The volume referenced by $(radix.git-deploy-key) is mounted read-only and both files, id_rsa and known_hosts, have permission level 444, owned by root:root. Note that the permissions listed are wrong, and the underlying data have limited permissions.
total 4
drwxrwxrwt 3 root root 120 Nov 16 09:06 .
drwxr-sr-x 1 git git 4096 Nov 16 09:06 ..
drwxr-xr-x 2 root root 80 Nov 16 09:06 ..2023_11_16_09_06_55.2062090024
lrwxrwxrwx 1 root root 32 Nov 16 09:06 ..data -> ..2023_11_16_09_06_55.2062090024
lrwxrwxrwx 1 root root 13 Nov 16 09:06 id_rsa -> ..data/id_rsa
lrwxrwxrwx 1 root root 18 Nov 16 09:06 known_hosts -> ..data/known_hosts
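
The listing above shows the mode of the symlinks, not of the key files they point to. The following is an added example, not part of the Radix documentation: a preflight check that a step could run before git clone, which follows the links to inspect the real files. The function names are hypothetical, the sample layout is constructed from the listing, and it assumes known_hosts carries an unhashed github.com entry.

```shell
#!/usr/bin/env sh
# Added example. Function names and the sample layout are constructed.

# Mode string of the file a path resolves to. -L follows the ..data symlinks,
# so this reports the key file itself rather than the lrwxrwxrwx link.
real_mode() {
    ls -ldL "$1" 2>/dev/null | cut -c1-10
}

# Return 0 only if DIR holds a readable id_rsa and known_hosts, neither is
# writable by anyone, and known_hosts has a plain (unhashed) github.com entry.
check_deploy_key_dir() {
    dir=$1
    for f in id_rsa known_hosts; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; return 1; }
        case $(real_mode "$dir/$f") in
            -?-??-??-?) ;;  # regular file, no write bit for user, group or other
            *) echo "unexpected mode on $dir/$f: $(real_mode "$dir/$f")" >&2; return 1 ;;
        esac
    done
    grep -Eq '^github\.com[ ,]' "$dir/known_hosts" || {
        echo "no github.com entry in $dir/known_hosts" >&2; return 1; }
}

# Build a constructed replica of the mount layout from the listing
# (timestamped data dir, ..data link, per-file links); prints its path.
make_sample_mount() {
    d=$(mktemp -d) || return 1
    mkdir "$d/..2023_11_16_09_06_55.2062090024"
    ln -s ..2023_11_16_09_06_55.2062090024 "$d/..data"
    printf 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n' > "$d/..data/id_rsa"
    printf 'github.com ssh-ed25519 CONSTRUCTED-PLACEHOLDER\n' > "$d/..data/known_hosts"
    chmod 444 "$d/..data/id_rsa" "$d/..data/known_hosts"
    ln -s ..data/id_rsa "$d/id_rsa"
    ln -s ..data/known_hosts "$d/known_hosts"
    echo "$d"
}

# In the git-clone step this would be: check_deploy_key_dir /.ssh || exit 1
sample=$(make_sample_mount)
check_deploy_key_dir "$sample" && echo "deploy key mount OK: $(real_mode "$sample/id_rsa")"
rm -rf "$sample"
```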