Enterprise Git clone fails in tekton taskrun

[soumochak83]

Issue: The enterprise git (github.xxx.com) clone step fails when running the taskrun in tekton.
Platform: OpenShift: 3.11
Tekton Pipeline version: v0.12.1

Step name: step-git-source-clone
Error log:
{"level":"error","ts":1590679054.7200413,"caller":"git/git.go:41","msg":"Error running git [fetch --recurse-submodules=yes --depth=1 origin --update-head-ok --force master]: exit status 128\nfatal: could not read Username for 'https://github.xxx.com': No such device or address\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:41\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:116\nmain.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:53\nruntime.main\n\truntime/proc.go:203"}

I'm not sure why this step is trying to look for a username when the enterprise git authentication should happen via ssh. Please find the config of the secrets and serviceaccount. Note that the ssh keys are in base64 encoded format.

apiVersion: v1
kind: Secret
type: kubernetes.io/ssh-auth
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.xxx.com
data:
  ssh-privatekey: "xxxxx\
xxxxx\
xxxxxxx"
known_hosts: "xxxxx\
xxxxx\
xxxxx"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: ssh-key
  - name: regcred

Note - The secret is added to service account for taskrun. Reference link for configuring ssh git: https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#ssh-authentication-git

Any help to fix this issue?

--

(edited by sbwsg to restore the indentation to the YAML snippets)

[ghost]

Could you post a sanitized copy of the Pod YAML that ran for this TaskRun? You can get the Pod's name by checking the podName field on the TaskRun and then run

kubectl get -o yaml pod <name of pod>

I'm interested to take a look at the args that were passed to the creds-init initContainer and the volumes that were provided to it.

Also, just to confirm: your ssh-privatekey appears to span multiple lines - is the base64 string split like this? I wonder if that could be a factor.

[soumochak83]

@sbwsg : I have generated a base64 encoded output of the ssh-privatekey and known_hosts, have aligned them in a single line but that also failed with similar error as mentioned in my original post. Then I tried to put them in separate line for UI convenience as the string is too long.
pod.txt

The sanitized copy of pod yaml is attached.
Please help!

[ghost]

Ah, it looks like maybe you're passing an https URL in your git PipelineResource? I think it should be a git@ ssh-style URL instead (e.g. git@github.com:tektoncd/pipeline.git)?

[soumochak83]

@sbwsg : The following example says to use the URL - https://github.com/tektoncd/pipeline/blob/master/docs/tutorial.md#specifying-task-inputs-and-outputs

However let me try with the one you suggesting and let you know

[soumochak83]

@sbwsg : I replaced the URL to git@ ssh-style URL and it worked like a charm. Thanks a ton! (I had spent almost 2 days in this issue and finally now fixed)

Note: I have a separate issue now with image push to OCP registry, do I open a separate issue or continue in this issue thread?

[ghost]

Note: I have a separate issue now with image push to OCP registry, do I open a separate issue or continue in this issue thread?

Sure, a new issue would be great, thanks!