pipeline: git auth with multiple keys for the same provider fail

Expected Behavior

Multiple ssh keys to the same host/provider (eg. github) are working.

Actual Behavior

Only first ssh key for github is working, rest is failing.

Steps to Reproduce the Problem

Two different secrets with two different ssh keys for two different github repos:

---
apiVersion: v1
kind: Secret
metadata:
  name: ssh-key-repo1
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <key>

---
apiVersion: v1
kind: Secret
metadata:
  name: ssh-key-repo2
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <key>

ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: fetch-repo
secrets:
- name: ssh-key-repo1
- name: ssh-key-repo2

It produces .ssh/config like this:

Host github.com
    HostName github.com
    Port 22
    IdentityFile /tekton/home/.ssh/id_ssh-key-repo1
    IdentityFile /tekton/home/.ssh/id_ssh-key-repo2

For ssh this config is fine but git for some reason respect only first IdentityFile clause and ignores rest. So in this case you can only authenticate to repo1. Authentication to repo2 will fail - github will complain that the repository doesn’t match.

So in order to authenticate properly with git and multiple ssh keys, .ssh/config file should look similar to this:

Host github.com-ssh-key-repo1
    HostName github.com
    Port 22
    IdentityFile /tekton/home/.ssh/id_ssh-key-repo1

Host github.com-ssh-key-repo2
    HostName github.com
    Port 22
    IdentityFile /tekton/home/.ssh/id_ssh-key-repo2

Unfortunately git client then should also use those fake hosts:

git clone git@github.com-ssh-key-repo1:example/repo1.git

and

git clone git@github.com-ssh-key-repo2:example/repo2.git

For this reason, above workaround seems not quite reasonable since you can have git repo url dynamically fetched from git push webhook and then it would be in a form: git@github.com:example/repo1.git or git@github.com:example/repo2.git

Additional Info

This is particularly painful with github because it doesn’t allow to use the same deploy key for different repos so you need to use different keys. And this it how you hit this issue.

  • Kubernetes version:

    Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T23:41:24Z", GoVersion:"go1.14", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
  • Tekton Pipeline version:
Client version: 0.8.0
Pipeline version: v0.11.1

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 20 (2 by maintainers)

Most upvoted comments

then both of these should have just a single and same github deployment key for both repos in github repo settings?

Are you using these PipelineResources with a single Task? If so then yes you will unfortunately need to use the same deploy key.

If you use them as part of separate Tasks of a Pipeline you can assign each Task its own ServiceAccount + Secret. So the deploy keys can be different.

The more robust approach is to build a Pipeline that uses git-clone Tasks from the catalog. Each can be provided a different service account w/ deploy key. There’s more coordination involved (with workspaces, etc) but the result is much more flexibility in the ways you can orchestrate.

+3
ghost on Feb 10, 2021
Read more comments on GitHub
← pipeline: fork/exec /busybox/mkdir: exec format error
pipeline: Github and GCR Authentication Failed. →