pipeline: Github and GCR Authentication Failed.
Expected Behavior
The TaskRun can fetch code from a private GitHub repository, make a Docker image from it, and push the image to Google Container Registry.
Actual Behavior
Failed to authenticate to GitHub and Google Container Registry.
Steps to Reproduce the Problem
Follow the steps explained in the Tekton pipeline tutorial, either with basic authentication or with SSH authentication for GitHub, and with .dockerconfigjson authentication for GCR, as explained in Tekton pipeline Authentication.
Additional Info
I was using Tekton 0.8.0, installed as instructed in Installing Tekton Pipeline in Private GKE Cluster. The master Kubernetes version was v1.13.12-gke.8.
Error Snippet (using github basic authentication)
{"level":"warn","ts":1574408427.519396,"logger":"fallback-logger","caller":"logging/config.go:69","msg":"Fetch GitHub commit ID from kodata failed: open /var/run/ko/HEAD: no such file or directory"}
{"level":"error","ts":1574408428.030245,"logger":"fallback-logger","caller":"git/git.go:40","msg":"Error running git [fetch --depth=1 --recurse-submodules=yes origin master]: exit status 128\nremote: Invalid username or password.\nfatal: Authentication failed for 'https://github.com/husnurrsyafni/hello-world-js/'\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:40\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:91\nmain.main\n\t/workspace/go/src/github.com/tektoncd/pipeline/cmd/git-init/main.go:39\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:200"}
Error Snippet (using github ssh authentication)
{"level":"warn","ts":1574408906.5944016,"logger":"fallback-logger","caller":"logging/config.go:69","msg":"Fetch GitHub commit ID from kodata failed: open /var/run/ko/HEAD: no such file or directory"}
{"level":"error","ts":1574408906.9839404,"logger":"fallback-logger","caller":"git/git.go:40","msg":"Error running git [fetch --depth=1 --recurse-submodules=yes origin master]: exit status 128\nfatal: could not read Username for 'https://github.com': No such device or address\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:40\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:91\nmain.main\n\t/workspace/go/src/github.com/tektoncd/pipeline/cmd/git-init/main.go:39\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:200"}
[git-source-hello-world-git-l6rw8] {"level":"error","ts":1574408907.1080332,"logger":"fallback-logger","caller":"git/git.go:40","msg":"Error running git [pull --recurse-submodules=yes origin]: exit status 1\nfatal: could not read Username for 'https://github.com': No such device or address\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:40\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\t/workspace/go/src/github.com/tektoncd/pipeline/pkg/git/git.go:94\nmain.main\n\t/workspace/go/src/github.com/tektoncd/pipeline/cmd/git-init/main.go:39\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:200"}
Error Snippet (Google Container Registry)
[build-and-push] error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "gcr.io/projectkirin/hello-world:latest": creating push check transport for gcr.io failed: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
Yaml Files
secret/docker-config.yaml
apiVersion: v1
data:
  .dockerconfigjson: <cat ~/.docker/config.json | base64 -w 0>
kind: Secret
metadata:
  name: docker-config
  namespace: default
type: kubernetes.io/dockerconfigjson
secret/github-basic-user-pass.yaml
apiVersion: v1
kind: Secret
metadata:
  name: github-basic-user-pass
  annotations:
    tekton.dev/git-0: https://github.com
type: kubernetes.io/basic-auth
stringData:
  username: husnurrsyafni
  password: <github password>
secret/github-ssh-auth.yaml
apiVersion: v1
kind: Secret
metadata:
  name: github-ssh-auth
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: <cat ~/.ssh/id_rsa | base64 -w 0>
  known_hosts: <ssh-keyscan github.com | base64 -w 0>
serviceaccount/sa-docker.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-docker
secrets:
  - name: docker-config
  - name: github-ssh-auth # or github-basic-user-pass
pipelineresource/hello-world-git.yaml
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: hello-world-git
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/husnurrsyafni/hello-world-js
pipelineresource/hello-world-image.yaml
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: hello-world-image
spec:
  type: image
  params:
    - name: url
      value: gcr.io/projectkirin/hello-world
task/hello-world-task.yaml
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  inputs:
    resources:
      - name: docker-source
        type: git
    params:
      - name: pathToDockerFile
        type: string
        description: The path to the dockerfile to build
        default: /workspace/docker-source/Dockerfile
      - name: pathToContext
        type: string
        description:
          The build context used by Kaniko
          (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
        default: /workspace/docker-source
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:v0.14.0
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/builder/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(inputs.params.pathToDockerFile)
        - --destination=$(outputs.resources.builtImage.url)
        - --context=$(inputs.params.pathToContext)
taskrun/hello-world-taskrun.yaml
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  serviceAccountName: sa-docker
  taskRef:
    name: build-docker-image-from-git-source
  inputs:
    resources:
      - name: docker-source
        resourceRef:
          name: hello-world-git
    params:
      - name: pathToDockerFile
        value: Dockerfile
      - name: pathToContext
        value: /workspace/docker-source #configure: may change according to your source
  outputs:
    resources:
      - name: builtImage
        resourceRef:
          name: hello-world-image
About this issue
- State: closed
- Created 5 years ago
- Comments: 19 (4 by maintainers)
@husnurrsyafni I’ve been able to solve my problem.
You need to have the GOOGLE_APPLICATION_CREDENTIALS environment variable set for the Kaniko container. In addition, you need to create kaniko-secret based on the kaniko-secret.json file that you download for your GSA service account. Your next steps might be:
Instead of a docker-config secret, put kaniko-secret in there
Mount kaniko-secret properly for the Kaniko build container (replace your build-and-push steps):
Hope this helps. Cheers.
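
An added example (not the commenter's snippet, which is missing from this page, and not Tekton project code) of the issue's Task with a Google service-account key mounted into the Kaniko step, as the comment above describes. The mount path `/secret` and the key file name inside the secret are assumptions; the Task name, image, params and args are copied from the issue's Task.

```yaml
# Added example, not from the original thread.
# Assumes the secret was created from the downloaded key file, e.g.:
#   kubectl create secret generic kaniko-secret --from-file=kaniko-secret.json
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  inputs:
    resources:
      - name: docker-source
        type: git
    params:
      - name: pathToDockerFile
        type: string
        default: /workspace/docker-source/Dockerfile
      - name: pathToContext
        type: string
        default: /workspace/docker-source
  outputs:
    resources:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:v0.14.0
      env:
        # Kaniko's registry client reads the service-account key file named here.
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /secret/kaniko-secret.json # assumed mount path and key file name
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(inputs.params.pathToDockerFile)
        - --destination=$(outputs.resources.builtImage.url)
        - --context=$(inputs.params.pathToContext)
      volumeMounts:
        - name: kaniko-secret
          mountPath: /secret
          readOnly: true
  # Pod-level volume backed by the Kubernetes secret holding the key file.
  volumes:
    - name: kaniko-secret
      secret:
        secretName: kaniko-secret
```

The service account behind the key also needs write access to the Cloud Storage bucket that backs gcr.io for the project; a valid key without that access produces the same UNAUTHORIZED error. The key is a long-lived credential, so scope that account to the registry bucket only and keep the secret in the namespace where the TaskRun runs.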