
.ssh configs etc are not available when running manual git commands in other steps. #1990

Closed
bitsofinfo opened this issue Jan 31, 2020 · 20 comments
Labels
kind/documentation Categorizes issue or PR as related to documentation. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@bitsofinfo

I have a PipelineResource of type git

When properly configured this yields all the required ssh components under /tekton/home/.ssh and my git repo is cloned under /workspace

I then proceeded to add a step in my Task such as

- name: pre-build-and-push
  image: ubuntu
  command:
  - /bin/bash
  args:
  - -c
  - |
    cd /workspace/my-git-source
    git pull

This led me down hours of looking into why I kept getting Host key verification failed. errors despite the current user root yielding /home/tekton when having the shell state that ~ is indeed /tekton/home... that contains a legit .ssh dir with all the proper configs/known_hosts etc.

My git pull only worked finally after copying /tekton/home/.ssh to /root/.ssh....

Additional Info

#1836 (comment)

https://tektoncd.slack.com/archives/CJ62C1555/p1580479063149600

@ghost ghost mentioned this issue Jan 31, 2020
@afrittoli
Member

Thank you for your bug report.

One thing that we need to do for sure is to update the documentation in https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#ssh-authentication-git where it talks about ~/.ssh/config - it should say /tekton/home/.ssh instead.

Apart from that, I'm not sure there's much more we can do. The location where the ssh config is expected to be depends very much on the docker image (and thus on the OS user) that is used in the step - the only thing we can do is to ensure the configuration is available somewhere that can be consumed by steps.

We could also add an example in the docs of how to point git to the correct configuration without the need of an extra step, I believe something like this should work:

steps:
- image: ubuntu
  name: some-git-script
  workingDir: $(outputs.resources.<git-resource-name>.path)
  env:
  # env is a list of name/value entries
  - name: GIT_SSH_COMMAND
    # point ssh at the config under /tekton/home/.ssh, the location named above
    value: "/usr/bin/ssh -F /tekton/home/.ssh/config"
  script: |
    #!/usr/bin/env sh
    # Access a private git repo
    git pull

@afrittoli
Member

/kind documentation

@tekton-robot tekton-robot added the kind/documentation Categorizes issue or PR as related to documentation. label Feb 4, 2020
@bitsofinfo
Author

If I have a docker image that runs as root and expects root's $HOME to be in /root and subsequently its ssh confs in /root/.ssh, the image should be able to run as a step in Tekton without jumping through a bunch of hoops.

@bitsofinfo
Author

#2013

@tekton-robot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Aug 13, 2020
@tekton-robot
Collaborator

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@bitsofinfo
Author

/reopen
/remove-lifecycle rotten

@tekton-robot
Collaborator

@bitsofinfo: Reopened this issue.

In response to this:

/reopen
/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot reopened this Aug 14, 2020
@tekton-robot tekton-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Aug 14, 2020
@ghost

ghost commented Aug 14, 2020

/remove-lifecycle stale

@tekton-robot tekton-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 14, 2020
@tekton-robot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 12, 2020
@tekton-robot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 12, 2020
@tekton-robot
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Collaborator

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@bitsofinfo
Author

/reopen

@tekton-robot tekton-robot reopened this May 7, 2021
@tekton-robot
Collaborator

@bitsofinfo: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ghost

ghost commented May 7, 2021

Starting in 0.24 the HOME directory will no longer be automatically set to /tekton/home. This means creds-init credentials will be placed in /tekton/creds and tasks that use git will need to copy them into the user's home directory. The git-clone catalog task and Git PipelineResource both do this for the user automatically.

Generally I am trying to get Tekton away from the "creds-init" mechanism and promote Workspaces as a way to explicitly accept credentials in tasks. The creds-init mechanism is kinda bad for a bunch of reasons (sprays creds into every Step container, fails really ambiguously and is hard to debug, only supports docker & git, etc etc). However we still need to support it for backwards compatibility reasons.
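
Added example, not part of the thread or of Tekton's code: a step-side helper for the copy described in the comment above. OpenSSH takes the home directory from the passwd entry of the running UID rather than from `$HOME`, which is why root looked in /root/.ssh in the original report. The function names and the /tekton/creds/.ssh source path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; sample paths are assumptions.

# Print the home directory OpenSSH will use for the current user:
# the passwd entry for this UID, falling back to $HOME when the UID
# has no passwd entry (containers started with an arbitrary UID).
ssh_home() {
    home=$(getent passwd "$(id -u)" 2>/dev/null | cut -d: -f6)
    printf '%s\n' "${home:-$HOME}"
}

# Copy the .ssh directory SRC into DEST/.ssh with modes OpenSSH accepts.
# Returns 1 if SRC is missing, 2 if it carries no known_hosts file.
stage_ssh_creds() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "no credentials at $src" >&2; return 1; }
    # Fail here rather than letting the step hit
    # "Host key verification failed." later with no context.
    [ -s "$src/known_hosts" ] || { echo "missing known_hosts in $src" >&2; return 2; }
    mkdir -p "$dest/.ssh"
    # -L dereferences symlinks so the strict modes land on real files.
    cp -RL "$src/." "$dest/.ssh/"
    chmod 700 "$dest/.ssh"
    find "$dest/.ssh" -type f -exec chmod 600 {} +
}

# Usage inside a step script (source path assumed from the comment above):
#   stage_ssh_creds /tekton/creds/.ssh "$(ssh_home)" && git pull
```

Staging into one step's home keeps the key out of steps that never call the helper, and the explicit known_hosts check keeps host key verification on instead of working around it.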

@tekton-robot
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Collaborator

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
