Skip to content

SSH Auth docs improvement #8512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+20 −13
Open

SSH Auth docs improvement #8512

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b3a20af
Update auth.md
k0dard Jan 21, 2025
ebd6d6a
Update auth.md
k0dard Jan 22, 2025
be409f9
Update auth.md
k0dard Jan 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 20 additions & 13 deletions docs/auth.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -236,7 +236,11 @@ This section describes how to configure an `ssh-auth` type `Secret` for use with
before executing any `Steps` in the `Run`, Tekton creates a `~/.ssh/config` file containing the SSH key
specified in the `Secret`.

1. In `secret.yaml`, define a `Secret` that specifies your SSH private key:
1. Generate a new SSH key with `ssh-keygen` command (optionally specify the file path in which the key will be saved, default is `~/.ssh/<key-name>`)

2. View public key with `cat ~/.ssh/<key-name>.pub` and add it to GitHub (under Settings > SSH and GPG Keys > New SSH key)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an optional step though (one could use something else than GitHub)


3. In `secret.yaml`, define a `Secret` containing your SSH private key:

```yaml
apiVersion: v1
Expand All @@ -247,23 +251,26 @@ specified in the `Secret`.
tekton.dev/git-0: github.com # Described below
type: kubernetes.io/ssh-auth
stringData:
ssh-privatekey: <private-key>
# This is non-standard, but its use is encouraged to make this more secure.
ssh-privatekey: |
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAA...
...
-----END OPENSSH PRIVATE KEY-----
# known-hosts is not mandatory, but its use is strongly encouraged for security reasons.
# If it is not provided then the git server's public key will be requested
# when the repo is first fetched.
known_hosts: <known-hosts>
known_hosts: |
github.com ssh-rsa AAAAB3NzaC1yc2EA...
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNh...
github.com ssh-ed25519 AAAAC3NzaC1l...
```

In the above example, the value for `tekton.dev/git-0` specifies the URL for which Tekton will use this `Secret`,
as described in [Understanding credential selection](#understanding-credential-selection).

You can view your private key with `cat ~/.ssh/<key-name>` and get GitHub's public key with `ssh-keyscan github.com`

1. Generate the `ssh-privatekey` value. For example:

`cat ~/.ssh/id_rsa`

1. Set the value of the `known_hosts` field to the generated `ssh-privatekey` value from the previous step.

1. In `serviceaccount.yaml`, associate the `Secret` with the desired `ServiceAccount`:
5. In `serviceaccount.yaml`, associate the `Secret` with the desired `ServiceAccount`:

```yaml
apiVersion: v1
Expand All @@ -274,7 +281,7 @@ specified in the `Secret`.
- name: ssh-key
```

1. In `run.yaml`, associate the `ServiceAccount` with your `Run` by doing one of the following:
6. In `run.yaml`, associate the `ServiceAccount` with your `Run` by doing one of the following:

- Associate the `ServiceAccount` with your `TaskRun`:

Expand Down Expand Up @@ -303,7 +310,7 @@ specified in the `Secret`.
name: demo-pipeline
```

1. Execute the `Run`:
7. Execute the `Run`:

```shell
kubectl apply --filename secret.yaml,serviceaccount.yaml,run.yaml
Expand Down