Story
Resolution: Done
When the webhook comes from a private repository, we are fine for API operations and for the initial check of whether there is a `.tekton/` directory, since we have a token generated from the private key.
But when the PipelineRun does a git-clone, the user needs a token or an SSH key to be able to check out the repository from the PipelineRun.
To make this easier, so that the user does not need to install a new Secret and can use the short-lived token generated from the GitHub App, we could automatically create a new secret in the target namespace:
pac-git-basic-auth-${OWNER}-${REPOSITORY}
We include OWNER and REPOSITORY in the name so there is no mix-up when different GitHub users target the same namespace but don't have the same rights (which is an edge case).
We then need to document that the user has to modify her Pipeline/PipelineRun to add the optional basic-auth volume to the git-clone task, like for example:
The modification would look like this:
diff --git a/.tekton/pipeline.yaml b/.tekton/pipeline.yaml index 99922bd..c8e10f4 100644 --- a/.tekton/pipeline.yaml +++ b/.tekton/pipeline.yaml @@ -6,6 +6,7 @@ metadata: spec: workspaces: - name: source + - name: basic-auth params: - name: repo_url - name: revision @@ -44,3 +45,5 @@ spec: workspaces: - name: output workspace: source + - name: basic-auth + workspace: basic-auth diff --git a/.tekton/run.yaml b/.tekton/run.yaml index c09df69..ee2518d 100644 --- a/.tekton/run.yaml +++ b/.tekton/run.yaml @@ -26,3 +26,6 @@ spec: resources: requests: storage: 1Gi + - name: basic-auth + secret: + secretName: pac-git-basic-auth-openshift-pipelines-pac-test
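Review bot: In the first hunk of `.tekton/pipeline.yaml`, the new `- name: basic-auth` entry under `spec.workspaces` is declared without `optional: true`, although the description calls this an optional volume. As written, every PipelineRun that references this Pipeline has to bind `basic-auth`, so runs against public repositories that have no generated secret would fail. Suggest marking the workspace `optional: true` in the Pipeline, or documenting that the binding is mandatory once this change is applied.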
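Review bot: In the `.tekton/run.yaml` hunk, `secretName: pac-git-basic-auth-openshift-pipelines-pac-test` hard-codes the owner and repository, and joining the two parts with `-` is ambiguous: owner `openshift-pipelines` with repo `pac-test` yields the same name as owner `openshift` with repo `pipelines-pac-test`. Since the name is meant to keep users with different rights in one namespace apart, the scheme should use a separator or suffix that cannot collide, and the value here should come from the `repo_owner` and `repo_name` template variables listed in the TODO rather than being typed by hand.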
The git-clone task would automatically pick this up, as documented in:
TODO:
- [ ] Add repo_owner repo_name as template variable
- [ ] Generate secret pac-git-basic-auth-${REPO_OWNER}-${REPO_NAME}
- [ ] Document it in README
- [ ] Add E2E test on GHE
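
A sketch of the secret generation item above, as an added example that is not Pipelines as Code's own implementation. The function names are hypothetical; the `.gitconfig` / `.git-credentials` key names (the layout the Tekton catalog git-clone task reads from its basic-auth workspace) and the `x-access-token` user name (GitHub's convention for installation tokens) are assumptions not stated in this ticket.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Anything outside this set is not safe in a Kubernetes object name segment.
var invalid = regexp.MustCompile(`[^a-z0-9-]+`)

// SecretName returns pac-git-basic-auth-<owner>-<repo>, lowercased and with
// characters GitHub allows but Kubernetes names do not ("_", ".", capitals)
// mapped to "-".
func SecretName(owner, repo string) string {
	clean := func(s string) string {
		return strings.Trim(invalid.ReplaceAllString(strings.ToLower(s), "-"), "-")
	}
	return "pac-git-basic-auth-" + clean(owner) + "-" + clean(repo)
}

// BasicAuthData renders the two files stored in the Secret (assumed layout,
// see the lead-in). The credential is scoped to the host of the clone URL so
// git never offers the token to any other server.
func BasicAuthData(repoURL, token string) (map[string]string, error) {
	u, err := url.Parse(repoURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		// Never store a credential that git would send over plain HTTP.
		return nil, fmt.Errorf("refusing non-HTTPS clone URL %q", repoURL)
	}
	base := url.URL{Scheme: "https", Host: u.Host}
	cred := base
	cred.User = url.UserPassword("x-access-token", token)
	return map[string]string{
		".gitconfig":       fmt.Sprintf("[credential %q]\n\thelper = store\n", base.String()),
		".git-credentials": cred.String() + "\n",
	}, nil
}

func main() {
	// Constructed sample values; the token is a placeholder.
	data, err := BasicAuthData("https://github.com/openshift-pipelines/pac-test", "ghs_PLACEHOLDER")
	if err != nil {
		panic(err)
	}
	fmt.Println(SecretName("openshift-pipelines", "pac-test"))
	fmt.Print(data[".gitconfig"]) // the token itself is deliberately not printed
}
```

Because the token is short-lived, the Secret has to be regenerated for each run.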
- clones SRVKP-1551 PipelineRun Cleanup (Closed)