mirror of https://github.com/tektoncd/catalog.git synced 2025-01-04 10:08:37 +00:00

Change git-clone default userHome

- Bumping git-clone version
- Change git-clone default userHome to fix clone error as non-root
`error: could not lock config file /home/git/.gitconfig: No such file or directory`

Signed-off-by: Nati Fridman <nafridma@redhat.com>
This commit is contained in:
Nati Fridman 2023-07-23 10:59:24 +03:00
parent e381c2c03c
commit 24e05a9327
8 changed files with 1160 additions and 0 deletions

View File

@ -0,0 +1,279 @@
# `git-clone`
**Note: this Task is only compatible with Tekton Pipelines versions 0.29.0 and greater!**
**Note: this Task is not backwards compatible with the previous versions as it is now run as a non-root user!**
This `Task` has two required inputs:
1. The URL of a git repo to clone provided with the `url` param.
2. A Workspace called `output`.
The `git-clone` `Task` will clone a repo from the provided `url` into the
`output` Workspace. By default the repo will be cloned into the root of
your Workspace. You can clone into a subdirectory by setting this `Task`'s
`subdirectory` param. If the directory where the repo will be cloned is
already populated then by default the contents will be deleted before the
clone takes place. This behaviour can be disabled by setting the
`deleteExisting` param to `"false"`.
**Note**: The `git-clone` Task is run as nonroot. The files cloned on to the `output`
workspace will end up owned by user 65532.
## Workspaces
**Note**: This task is run as a non-root user with UID 65532 and GID 65532.
Generally, the default permissions for storage volumes are configured for the
root user. To make the volumes accessible by the non-root user, you will need
to either configure the permissions manually or set the `fsGroup` field under
`PodSecurityContext` in your TaskRun or PipelineRun.
An example PipelineRun will look like:
```yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: git-clone-
spec:
pipelineRef:
name: git-clone-pipeline
podTemplate:
securityContext:
fsGroup: 65532
...
...
```
An example TaskRun will look like:
```yaml
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: taskrun
spec:
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
...
...
```
* **output**: A workspace for this Task to fetch the git repository in to.
* **ssh-directory**: An optional workspace to provide SSH credentials. At
minimum this should include a private key but can also include other common
files from `.ssh` including `config` and `known_hosts`. It is **strongly**
recommended that this workspace be bound to a Kubernetes `Secret`.
* **ssl-ca-directory**: An optional workspace to provide custom CA certificates.
Like the /etc/ssl/certs path this directory can have any pem or cert files,
this uses libcurl ssl capath directive. See this SO answer here
https://stackoverflow.com/a/9880236 on how it works.
* **basic-auth**: An optional workspace containing `.gitconfig` and
`.git-credentials` files. This allows username/password/access token to be
provided for basic auth.
It is **strongly** recommended that this workspace be bound to a Kubernetes
`Secret`. For details on the correct format of the files in this Workspace
see [Using basic-auth Credentials](#using-basic-auth-credentials) below.
**Note**: Settings provided as part of a `.gitconfig` file can affect the
execution of `git` in ways that conflict with the parameters of this Task.
For example, specifying proxy settings in `.gitconfig` could conflict with
the `httpProxy` and `httpsProxy` parameters this Task provides. Nothing
prevents you setting these parameters but it is not advised.
## Parameters
* **url**: Repository URL to clone from. (_required_)
* **revision**: Revision to checkout. (branch, tag, sha, ref, etc...) (_default_: "")
* **refspec**: Refspec to fetch before checking out revision. (_default_:"")
* **submodules**: Initialize and fetch git submodules. (_default_: true)
* **depth**: Perform a shallow clone, fetching only the most recent N commits. (_default_: 1)
* **sslVerify**: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. (_default_: true)
* **crtFileName**: If `sslVerify` is **true** and `ssl-ca-directory` workspace is given then set `crtFileName` if mounted file name is different than `ca-bundle.crt`. (_default_: "ca-bundle.crt")
* **subdirectory**: Subdirectory inside the `output` workspace to clone the repo into. (_default:_ "")
* **deleteExisting**: Clean out the contents of the destination directory if it already exists before cloning. (_default_: true)
* **httpProxy**: HTTP proxy server for non-SSL requests. (_default_: "")
* **httpsProxy**: HTTPS proxy server for SSL requests. (_default_: "")
* **noProxy**: Opt out of proxying HTTP/HTTPS requests. (_default_: "")
* **verbose**: Log the commands that are executed during `git-clone`'s operation. (_default_: true)
* **sparseCheckoutDirectories**: Which directories to match or exclude when performing a sparse checkout (_default_: "")
* **gitInitImage**: The image providing the git-init binary that this Task runs. (_default_: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:TODO")
* **userHome**: The user's home directory. (_default_: "/workspace/nonroot")
## Results
* **commit**: The precise commit SHA that was fetched by this Task
* **url**: The precise URL that was fetched by this Task
* **committer-date**: The epoch timestamp of the commit that was fetched by this Task
## Platforms
The Task can be run on `linux/amd64`, `linux/s390x`, `linux/arm64`, and `linux/ppc64le` platforms.
## Usage
If the `revision` is not provided in the param of the taskrun
then it will auto-detect the branch as specified by the `default`
in the respective git repository.
The following pipelines demonstrate usage of the git-clone Task:
- [Cloning a branch](./samples/git-clone-checking-out-a-branch.yaml)
- [Checking out a specific git commit](./samples/git-clone-checking-out-a-commit.yaml)
- [Checking out a git tag and using the "commit" Task Result](./samples/using-git-clone-result.yaml)
## Cloning Private Repositories
This Task supports fetching private repositories. There are three ways to
authenticate:
1. The simplest approach is to bind an `ssh-directory` workspace to this
Task. The workspace should contain private keys (e.g. `id_rsa`), `config`
and `known_hosts` files - anything you need to interact with your git remote
via SSH. It's **strongly** recommended that you use Kubernetes `Secrets` to
hold your credentials and bind to this workspace.
In a TaskRun that would look something like this:
```yaml
kind: TaskRun
spec:
workspaces:
- name: ssh-directory
secret:
secretName: my-ssh-credentials
```
And in a Pipeline and PipelineRun it would look like this:
```yaml
kind: Pipeline
spec:
workspaces:
- name: ssh-creds
# ...
tasks:
- name: fetch-source
taskRef:
name: git-clone
workspaces:
- name: ssh-directory
workspace: ssh-creds
# ...
---
kind: PipelineRun
spec:
workspaces:
- name: ssh-creds
secret:
secretName: my-ssh-credentials
# ...
```
The `Secret` would appear the same in both cases - structured like a `.ssh`
directory:
```yaml
kind: Secret
apiVersion: v1
metadata:
name: my-ssh-credentials
data:
id_rsa: # ... base64-encoded private key ...
known_hosts: # ... base64-encoded known_hosts file ...
config: # ... base64-encoded ssh config file ...
```
Including `known_hosts` is optional but strongly recommended. Without it
the `git-clone` Task will blindly accept the remote server's identity.
2. Use Tekton Pipelines' built-in credentials support as [documented in
Pipelines' auth.md](https://github.com/tektoncd/pipeline/blob/master/docs/auth.md).
3. Another approach is to bind an `ssl-ca-directory` workspace to this
Task. The workspace should contain crt keys (e.g. `ca-bundle.crt`)files - anything you need to interact with your git remote
via custom CA . It's **strongly** recommended that you use Kubernetes `Secrets` to
hold your credentials and bind to this workspace.
In a TaskRun that would look something like this:
```yaml
kind: TaskRun
spec:
workspaces:
- name: ssl-ca-directory
secret:
secretName: my-ssl-credentials
```
And in a Pipeline and PipelineRun it would look like this:
```yaml
kind: Pipeline
spec:
workspaces:
- name: ssl-creds
# ...
tasks:
- name: fetch-source
taskRef:
name: git-clone
workspaces:
- name: ssl-ca-directory
workspace: ssl-creds
# ...
---
kind: PipelineRun
spec:
workspaces:
- name: ssl-creds
secret:
secretName: my-ssl-credentials
# ...
```
The `Secret` would appear like below:
```yaml
kind: Secret
apiVersion: v1
metadata:
name: my-ssl-credentials
data:
ca-bundle.crt: # ... base64-encoded crt ... # If key/filename is other than ca-bundle.crt then set crtFileName param as explained under Parameters section
```
## Using basic-auth Credentials
**Note**: It is strongly advised that you use `ssh` credentials when the option
is available to you before using basic auth. You can generate a short
lived token from WebVCS platforms (Github, Gitlab, Bitbucket etc..) to be used
as a password and generally be able to use `git` as the username.
On bitbucket server the token may have a / into it so you would need
to urlquote them before in the `Secret`, see this stackoverflow answer :
https://stackoverflow.com/a/24719496
To support basic-auth this Task exposes an optional `basic-auth` Workspace.
The bound Workspace must contain a `.gitconfig` and `.git-credentials` file.
Any other files on this Workspace are ignored. A typical `Secret` containing
these credentials looks as follows:
```yaml
kind: Secret
apiVersion: v1
metadata:
name: my-basic-auth-secret
type: Opaque
stringData:
.gitconfig: |
[credential "https://<hostname>"]
helper = store
.git-credentials: |
https://<user>:<pass>@<hostname>
```
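Review bot: the `gitInitImage` entry in the Parameters list still shows the default as `.../cmd/git-init:TODO`, while the Task YAML in this same commit pins `git-init:v0.40.2`; the README should state the pinned tag so readers know which image runs by default. Two smaller mismatches in the same hunk: the compatibility note says Pipelines 0.29.0 and greater, but the Task annotates `tekton.dev/pipelines.minVersion: "0.38.0"`, and the `ssl-ca-directory` item under Cloning Private Repositories has a missing space in `(e.g. `ca-bundle.crt`)files` and a stray space before the period in `custom CA .`. Since this bump changes the default `userHome` to `/workspace/nonroot`, the Parameters entry would also benefit from saying that the contents of the `ssh-directory` and `basic-auth` workspaces are copied under that path before `git` runs, as the Task's workspace descriptions state.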

View File

@ -0,0 +1,242 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: git-clone
labels:
app.kubernetes.io/version: "0.10"
annotations:
tekton.dev/pipelines.minVersion: "0.38.0"
tekton.dev/categories: Git
tekton.dev/tags: git
tekton.dev/displayName: "git clone"
tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
spec:
description: >-
These Tasks are Git tasks to work with repositories used by other tasks
in your Pipeline.
The git-clone Task will clone a repo from the provided url into the
output Workspace. By default the repo will be cloned into the root of
your Workspace. You can clone into a subdirectory by setting this Task's
subdirectory param. This Task also supports sparse checkouts. To perform
a sparse checkout, pass a list of comma separated directory patterns to
this Task's sparseCheckoutDirectories param.
workspaces:
- name: output
description: The git repo will be cloned onto the volume backing this Workspace.
- name: ssh-directory
optional: true
description: |
A .ssh directory with private key, known_hosts, config, etc. Copied to
the user's home before git commands are executed. Used to authenticate
with the git remote when performing the clone. Binding a Secret to this
Workspace is strongly recommended over other volume types.
- name: basic-auth
optional: true
description: |
A Workspace containing a .gitconfig and .git-credentials file. These
will be copied to the user's home before any git commands are run. Any
other files in this Workspace are ignored. It is strongly recommended
to use ssh-directory over basic-auth whenever possible and to bind a
Secret to this Workspace over other volume types.
- name: ssl-ca-directory
optional: true
description: |
A workspace containing CA certificates, this will be used by Git to
verify the peer with when fetching or pushing over HTTPS.
params:
- name: url
description: Repository URL to clone from.
type: string
- name: revision
description: Revision to checkout. (branch, tag, sha, ref, etc...)
type: string
default: ""
- name: refspec
description: Refspec to fetch before checking out revision.
default: ""
- name: submodules
description: Initialize and fetch git submodules.
type: string
default: "true"
- name: depth
description: Perform a shallow clone, fetching only the most recent N commits.
type: string
default: "1"
- name: sslVerify
description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.
type: string
default: "true"
- name: crtFileName
description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt.
type: string
default: "ca-bundle.crt"
- name: subdirectory
description: Subdirectory inside the `output` Workspace to clone the repo into.
type: string
default: ""
- name: sparseCheckoutDirectories
description: Define the directory patterns to match or exclude when performing a sparse checkout.
type: string
default: ""
- name: deleteExisting
description: Clean out the contents of the destination directory if it already exists before cloning.
type: string
default: "true"
- name: httpProxy
description: HTTP proxy server for non-SSL requests.
type: string
default: ""
- name: httpsProxy
description: HTTPS proxy server for SSL requests.
type: string
default: ""
- name: noProxy
description: Opt out of proxying HTTP/HTTPS requests.
type: string
default: ""
- name: verbose
description: Log the commands that are executed during `git-clone`'s operation.
type: string
default: "true"
- name: gitInitImage
description: The image providing the git-init binary that this Task runs.
type: string
default: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2"
- name: userHome
description: |
Absolute path to the user's home directory.
type: string
default: "/workspace/nonroot"
results:
- name: commit
description: The precise commit SHA that was fetched by this Task.
- name: url
description: The precise URL that was fetched by this Task.
- name: committer-date
description: The epoch timestamp of the commit that was fetched by this Task.
steps:
- name: clone
image: "$(params.gitInitImage)"
env:
- name: HOME
value: "$(params.userHome)"
- name: PARAM_URL
value: $(params.url)
- name: PARAM_REVISION
value: $(params.revision)
- name: PARAM_REFSPEC
value: $(params.refspec)
- name: PARAM_SUBMODULES
value: $(params.submodules)
- name: PARAM_DEPTH
value: $(params.depth)
- name: PARAM_SSL_VERIFY
value: $(params.sslVerify)
- name: PARAM_CRT_FILENAME
value: $(params.crtFileName)
- name: PARAM_SUBDIRECTORY
value: $(params.subdirectory)
- name: PARAM_DELETE_EXISTING
value: $(params.deleteExisting)
- name: PARAM_HTTP_PROXY
value: $(params.httpProxy)
- name: PARAM_HTTPS_PROXY
value: $(params.httpsProxy)
- name: PARAM_NO_PROXY
value: $(params.noProxy)
- name: PARAM_VERBOSE
value: $(params.verbose)
- name: PARAM_SPARSE_CHECKOUT_DIRECTORIES
value: $(params.sparseCheckoutDirectories)
- name: PARAM_USER_HOME
value: $(params.userHome)
- name: WORKSPACE_OUTPUT_PATH
value: $(workspaces.output.path)
- name: WORKSPACE_SSH_DIRECTORY_BOUND
value: $(workspaces.ssh-directory.bound)
- name: WORKSPACE_SSH_DIRECTORY_PATH
value: $(workspaces.ssh-directory.path)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
value: $(workspaces.basic-auth.bound)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
value: $(workspaces.basic-auth.path)
- name: WORKSPACE_SSL_CA_DIRECTORY_BOUND
value: $(workspaces.ssl-ca-directory.bound)
- name: WORKSPACE_SSL_CA_DIRECTORY_PATH
value: $(workspaces.ssl-ca-directory.path)
securityContext:
runAsNonRoot: true
runAsUser: 65532
script: |
#!/usr/bin/env sh
set -eu
if [ "${PARAM_VERBOSE}" = "true" ] ; then
set -x
fi
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
chmod 400 "${PARAM_USER_HOME}/.git-credentials"
chmod 400 "${PARAM_USER_HOME}/.gitconfig"
fi
if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
chmod 700 "${PARAM_USER_HOME}"/.ssh
chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
fi
if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then
export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}"
if [ "${PARAM_CRT_FILENAME}" != "" ] ; then
export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}"
fi
fi
CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
cleandir() {
# Delete any existing contents of the repo directory if it exists.
#
# We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
# or the root of a mounted volume.
if [ -d "${CHECKOUT_DIR}" ] ; then
# Delete non-hidden files and directories
rm -rf "${CHECKOUT_DIR:?}"/*
# Delete files and directories starting with . but excluding ..
rm -rf "${CHECKOUT_DIR}"/.[!.]*
# Delete files and directories starting with .. plus any other character
rm -rf "${CHECKOUT_DIR}"/..?*
fi
}
if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
cleandir || true
fi
test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}"
test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}"
git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}"
/ko-app/git-init \
-url="${PARAM_URL}" \
-revision="${PARAM_REVISION}" \
-refspec="${PARAM_REFSPEC}" \
-path="${CHECKOUT_DIR}" \
-sslVerify="${PARAM_SSL_VERIFY}" \
-submodules="${PARAM_SUBMODULES}" \
-depth="${PARAM_DEPTH}" \
-sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}"
cd "${CHECKOUT_DIR}"
RESULT_SHA="$(git rev-parse HEAD)"
EXIT_CODE="$?"
if [ "${EXIT_CODE}" != 0 ] ; then
exit "${EXIT_CODE}"
fi
RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)"
printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)"
printf "%s" "${RESULT_SHA}" > "$(results.commit.path)"
printf "%s" "${PARAM_URL}" > "$(results.url.path)"
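Review bot: nothing in the `clone` step creates `${PARAM_USER_HOME}` before it is used, so with the new default `/workspace/nonroot` the `cp` of `.git-credentials`/`.gitconfig`, the `cp -R` of the `.ssh` workspace and `git config --global --add safe.directory` (which writes `$HOME/.gitconfig`) all depend on that directory already existing in the `gitInitImage`; if it does not, the script reproduces the same "could not lock config file ... No such file or directory" failure the commit message is fixing, only at a different path. Suggest adding `mkdir -p "${PARAM_USER_HOME}"` right after `set -eu` so the Task does not rely on the image layout, and keeping the `chmod 400`/`chmod 700` lines as they are, since that directory now holds the copied credentials. Separately, the `EXIT_CODE="$?"` check after `RESULT_SHA="$(git rev-parse HEAD)"` is dead code under `set -eu`: a failing `git rev-parse` already aborts the script, so `EXIT_CODE` is always 0 at that point.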

View File

@ -0,0 +1,78 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: cat-branch-readme
spec:
description: |
cat-branch-readme takes a git repository and a branch name and
prints the README.md file from that branch. This is an example
Pipeline demonstrating the following:
- Using the git-clone catalog Task to clone a branch
- Passing a cloned repo to subsequent Tasks using a Workspace.
- Ordering Tasks in a Pipeline using "runAfter" so that
git-clone completes before we try to read from the Workspace.
- Using a volumeClaimTemplate Volume as a Workspace.
- Avoiding hard-coded paths by using a Workspace's path
variable instead.
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: branch-name
type: string
description: The git branch to clone.
workspaces:
- name: shared-data
description: |
This workspace will receive the cloned git repo and be passed
to the next Task for the repo's README.md file to be read.
tasks:
- name: fetch-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.branch-name)
- name: cat-readme
runAfter: ["fetch-repo"] # Wait until the clone is done before reading the readme.
workspaces:
- name: source
workspace: shared-data
taskSpec:
workspaces:
- name: source
steps:
- image: zshusers/zsh:4.3.15
script: |
#!/usr/bin/env zsh
cat $(workspaces.source.path)/README.md
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: git-clone-checking-out-a-branch
spec:
pipelineRef:
name: cat-branch-readme
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: https://github.com/tektoncd/pipeline.git
- name: branch-name
value: release-v0.12.x
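Review bot: the `cat-readme` step pulls `zshusers/zsh:4.3.15`, a 2011-era zsh release referenced by a mutable tag; for a catalog sample that users copy verbatim, pinning the image by digest (or using a maintained minimal shell image) is preferable, and the same applies to the other samples in this commit that use the same image. The `cat $(workspaces.source.path)/README.md` path is unquoted; Tekton substitutes the variable before the script runs, so quoting it is a style point only.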

View File

@ -0,0 +1,124 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: checking-out-a-revision
spec:
description: |
checking-out-a-revision takes a git repository and a commit SHA
and validates that cloning the revision succeeds. This is an example
Pipeline demonstrating the following:
- Using the git-clone catalog Task to clone a specific commit
- Passing a cloned repo to subsequent Tasks using a Workspace.
- Ordering Tasks in a Pipeline using "runAfter" so that
git-clone completes before we try to read from the Workspace.
- Using a volumeClaimTemplate Volume as a Workspace.
- Avoiding hard-coded paths by using a Workspace's path
variable instead.
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: commit
type: string
description: The git commit to fetch.
- name: user-home
type: string
description: The home directory of the user performing the git clone.
default: "/tekton/home"
- name: user-uid
type: string
description: The UID of the user performing the git clone.
default: "0"
workspaces:
- name: shared-data
description: |
This workspace will receive the cloned git repo and be passed
to the next Task for the commit to be checked.
tasks:
- name: fetch-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.commit)
- name: gitInitImage
value: localhost:5000/git-init-4874978a9786b6625dd8b6ef2a21aa70:latest
- name: userHome
value: $(params.user-home)
- name: check-expectations
runAfter: ["fetch-repo"] # Wait until the clone is done before reading the readme.
params:
- name: expected-commit
value: $(params.commit)
- name: expected-readme-uid
value: $(params.user-uid)
workspaces:
- name: source
workspace: shared-data
taskSpec:
params:
- name: expected-commit
- name: expected-readme-uid
workspaces:
- name: source
steps:
- image: alpine/git:v2.24.3
script: |
#!/usr/bin/env sh
cd "$(workspaces.source.path)"
receivedCommit="$(git rev-parse HEAD)"
if [ "$receivedCommit" != "$(params.expected-commit)" ]; then
echo "Expected commit $(params.expected-commit) but received $receivedCommit."
exit 1
else
echo "Received commit $receivedCommit as expected."
fi
detectedUID="$(ls -l ./README.md | awk '{ print $3 }')"
if [ "$detectedUID" != "$(params.expected-readme-uid)" ]; then
echo "Expected README UID of $(params.expected-readme-uid) but received $detectedUID."
exit 2
else
echo "Saw README with owner of $detectedUID as expected."
fi
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: git-clone-checking-out-a-commit-
spec:
pipelineRef:
name: checking-out-a-revision
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Mi
taskRunSpecs:
- pipelineTaskName: fetch-repo
taskPodTemplate:
securityContext:
runAsNonRoot: true
runAsUser: 65532 # nonroot user in git-init container
params:
- name: repo-url
value: https://github.com/tektoncd/pipeline.git
- name: commit
value: 301b41380e95382a18b391c2165fa3a6a3de93b0 # Tekton Pipeline's first ever commit!
- name: user-home
value: "/home/nonroot"
- name: user-uid
value: "65532"
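Review bot: `fetch-repo` overrides `gitInitImage` with `localhost:5000/git-init-4874978a9786b6625dd8b6ef2a21aa70:latest`, a local-registry image with a mutable `:latest` tag that only exists in the test harness; a sample that users copy should drop this override (the Task already pins `git-init:v0.40.2`) or mark it clearly as test-only. The Pipeline's `user-home` and `user-uid` defaults are `/tekton/home` and `0`, while the Task enforces `runAsNonRoot: true` / `runAsUser: 65532` and defaults `userHome` to `/workspace/nonroot`, so the defaults describe a configuration the Task will refuse to run with; the PipelineRun then overrides them to `/home/nonroot` and `65532`, and its `taskRunSpecs` `runAsUser: 65532` duplicates the step `securityContext` the Task already sets. Also, `ls -l ./README.md | awk '{ print $3 }'` prints the owner name whenever the UID resolves in the container's passwd file, so the comparison against `expected-readme-uid` only works because `alpine/git` has no entry for 65532; `stat -c '%u' README.md` returns the numeric UID unconditionally (busybox `stat` supports `-c`). The `runAfter` comment "before reading the readme" was copied from the branch sample; this Task checks the commit and file owner.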

View File

@ -0,0 +1,87 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: cat-readme
spec:
description: |
cat-readme takes a git repository and
prints the README.md file from main branch. This is an example
Pipeline demonstrating the following:
- Using the git-clone catalog Task to clone a main branch for the repo which uses custom CAs for HTTPS
- Passing a cloned repo to subsequent Tasks using a Workspace.
- Ordering Tasks in a Pipeline using "runAfter" so that
git-clone completes before we try to read from the Workspace.
- Using a volumeClaimTemplate Volume as a Workspace.
- Avoiding hard-coded paths by using a Workspace's path
variable instead.
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
workspaces:
- name: shared-data
description: |
This workspace will receive the cloned git repo and be passed
to the next Task for the repo's README.md file to be read.
- name: ssl-ca-dir
description: |
This workspace contains CA certificates, this will be used by Git to
verify the peer with when fetching or pushing over HTTPS.
tasks:
- name: fetch-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
- name: ssl-ca-directory
workspace: ssl-ca-dir
params:
- name: url
value: $(params.repo-url)
- name: cat-readme
runAfter: ["fetch-repo"] # Wait until the clone is done before reading the readme.
workspaces:
- name: source
workspace: shared-data
taskSpec:
workspaces:
- name: source
steps:
- image: zshusers/zsh:4.3.15
script: |
#!/usr/bin/env zsh
cat $(workspaces.source.path)/README.md
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: git-clone-checking-out-a-branch
spec:
pipelineRef:
name: cat-branch-readme
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- name: ssl-ca-dir
secret:
secretName: my-ssl-credentials
params:
- name: repo-url
value: https://github.com/tektoncd/pipeline.git
---
kind: Secret
apiVersion: v1
metadata:
name: my-ssl-credentials
data:
ca-bundle.crt: jdsfjshfj122w # base64-encoded crt ... If key/filename is other than ca-bundle.crt then set crtFileName param as explained under Parameters section.
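Review bot: the PipelineRun references `pipelineRef.name: cat-branch-readme`, but the Pipeline defined in this file is `cat-readme`, so applying this sample on its own fails, and applying it next to the branch sample runs that Pipeline instead, which never binds `ssl-ca-dir`; the PipelineRun is also named `git-clone-checking-out-a-branch`, colliding with the branch sample's PipelineRun. The Secret's `data` value `jdsfjshfj122w` is not valid base64 (13 characters, not a multiple of 4), so the API server rejects the object; use a well-formed placeholder, or `stringData:` with a PEM placeholder as the basic-auth example in the README does. The trailing comment on the `ca-bundle.crt` line is better placed on its own line above the key.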

View File

@ -0,0 +1,79 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: sparse-checkout-list-dir
spec:
description: |
sparse-checkout-list-dir takes a git repository and a list of
directory patterns to match and lists all cloned files and directories.
This is an example pipeline demonstrating the following:
- Using the git-clone catalog Task to clone a specific set of
files based on directory patterns.
- Passing a cloned repo to subsequent Tasks using a Workspace.
- Ordering Tasks in a Pipeline using "runAfter" so that
git-clone completes before we try to read from the Workspace.
- Using a volumeClaimTemplate Volume as a Workspace.
- Avoiding hard-coded paths by using a Workspace's path
variable instead.
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: sparseCheckoutDirectories
type: string
description: directory patterns to clone
workspaces:
- name: shared-data
description: |
This workspace will receive the cloned git repo and be passed
to the next Task to list all cloned files and directories.
tasks:
- name: fetch-repo
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: sparseCheckoutDirectories
value: $(params.sparseCheckoutDirectories)
- name: list-dirs
runAfter: ["fetch-repo"] # Wait until the clone is done before listing all files and directories cloned
workspaces:
- name: source
workspace: shared-data
taskSpec:
workspaces:
- name: source
steps:
- image: zshusers/zsh:4.3.15
script: |
#!/usr/bin/env zsh
ls -R $(workspaces.source.path)/
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: git-clone-sparse-checkout
spec:
pipelineRef:
name: sparse-checkout-list-dir
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
params:
- name: repo-url
value: https://github.com/tektoncd/pipeline.git
- name: sparseCheckoutDirectories
value: /*,!/*/,/docs/,/cmd/

View File

@ -0,0 +1,81 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: validate-tag-sha
spec:
description: |
validate-tag-sha takes a git repository, tag name, and a commit SHA and
checks whether the given tag resolves to that commit. This example
Pipeline demonstrates the following:
- How to use the git-clone catalog Task
- How to use the git-clone Task's "commit" Task Result from another Task.
- How to discard the contents of the git repo when it isn't needed by
passing an `emptyDir` Volume as its "output" workspace.
params:
- name: repo-url
type: string
description: The git repository URL to clone from.
- name: tag-name
type: string
description: The git tag to clone.
- name: expected-sha
type: string
description: The expected SHA to be received for the supplied revision.
workspaces:
- name: output
tasks:
- name: fetch-repository
taskRef:
name: git-clone
workspaces:
- name: output
workspace: output
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.tag-name)
- name: validate-revision-sha
params:
- name: revision-name
value: $(params.tag-name)
- name: expected-sha
value: $(params.expected-sha)
- name: received-sha
value: $(tasks.fetch-repository.results.commit)
taskSpec:
params:
- name: revision-name
- name: expected-sha
- name: received-sha
steps:
- image: zshusers/zsh:4.3.15
script: |
#!/usr/bin/env zsh
if [ "$(params.expected-sha)" != "$(params.received-sha)" ]; then
echo "Expected revision $(params.revision-name) to have SHA $(params.expected-sha)."
exit 1
else
echo "Revision $(params.revision-name) has expected SHA $(params.expected-sha)."
fi
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: using-git-clone-result-
spec:
pipelineRef:
name: validate-tag-sha
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: output
emptyDir: {} # We don't care about the repo contents in this example, just the "commit" result
params:
- name: repo-url
value: https://github.com/tektoncd/pipeline.git
- name: tag-name
value: v0.12.1
- name: expected-sha
value: a54dd3984affab47f3018852e61a1a6f9946ecfa

View File

@ -0,0 +1,190 @@
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-noargs
spec:
workspaces:
- name: output
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/kelseyhightower/nocode
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-tag
spec:
workspaces:
- name: output
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: revision
value: 1.0.0
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-no-submodules
spec:
workspaces:
- name: output
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/githubtraining/example-dependency
- name: submodules
value: "false"
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-no-depth-2
spec:
workspaces:
- name: output
emptyDir: {}
podTemplate:
securityContext:
fsGroup: 65532
taskRef:
name: git-clone
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: depth
value: "2"
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-sslverify-none
spec:
workspaces:
- name: output
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: sslVerify
value: "false"
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-ssl-cadirectory-empty
spec:
workspaces:
- name: output
emptyDir: {}
- name: ssl-ca-directory
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: crtFileName
value: ""
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-subdirectory
spec:
workspaces:
- name: output
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: subdirectory
value: "hellomoto"
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-delete-existing
spec:
workspaces:
- name: output
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: deleteExisting
value: "true"
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-run-without-verbose
spec:
workspaces:
- name: output
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: verbose
value: "false"
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: git-clone-sparse
spec:
workspaces:
- name: output
emptyDir: {}
taskRef:
name: git-clone
podTemplate:
securityContext:
fsGroup: 65532
params:
- name: url
value: https://github.com/kelseyhightower/nocode
- name: sparseCheckoutDirectories
value: "CONTRIBUTING.md,STYLE.md"
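Review bot: `git-clone-run-no-depth-2` sets `depth: "2"`, so the name reads backwards; `git-clone-run-depth-2` matches the other test names. `git-clone-run-delete-existing` sets `deleteExisting: "true"`, which is the Task default, and runs against an empty `emptyDir`, so it exercises the same path as `git-clone-run-noargs`; to cover `cleandir` the output workspace would need to be pre-populated. `git-clone-run-ssl-cadirectory-empty` only passes because `crtFileName` is set to `""`: with the default `ca-bundle.crt` the script would export `GIT_SSL_CAINFO` pointing at a file that is not in the empty workspace. A comment in the TaskRun would keep that interaction from being lost, and it is worth stating that this case only shows an empty CA directory does not break the clone with `sslVerify` left at `true`, not that a bound CA is actually used for verification.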