I am new to Tekton and I want to clone a public GitHub repo. I created the service account and PV/PVC. However, when I try to run the PipelineRun I get a permission denied error.
{"level":"error","ts":1702565666.2863512,"caller":"git/git.go:53","msg":"Error running git [init /workspace/output/]: exit status 1\n/workspace/output/.git: Permission denied\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:53\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:88\nmain.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:53\nruntime.main\n\truntime/proc.go:250"}
It is fixed when I edit the git-clone task and run as the root user. However, I don't want to run it as root. How can I run it as a non-root user?
I also tried to follow the Tekton doc about cloning: link
To install git-clone task for tekton (ref to doc):
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml
or
tkn hub install task git-clone
Here is the pipeline I want to run (you can use my git repo if you want, it is public):
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipeline-account
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pipeline-role
rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipeline-account-pipeline-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipeline-role
subjects:
  - kind: ServiceAccount
    name: pipeline-account
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: blabla
spec:
  params:
    - name: APP_REPO
      type: string
    - name: APP_REVISION
      type: string
  tasks:
    - name: git-clone
      params:
        - name: url
          value: $(params.APP_REPO)
        - name: revision
          value: $(params.APP_REVISION)
        - name: refspec
          value: ''
        - name: submodules
          value: 'true'
        - name: depth
          value: '1'
        - name: sslVerify
          value: 'true'
        - name: crtFileName
          value: ca-bundle.crt
        - name: subdirectory
          value: ''
        - name: sparseCheckoutDirectories
          value: ''
        - name: deleteExisting
          value: 'true'
        - name: httpProxy
          value: ''
        - name: httpsProxy
          value: ''
        - name: noProxy
          value: ''
        - name: verbose
          value: 'true'
        - name: gitInitImage
          value: >-
            gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
        - name: userHome
          value: /home/git
      taskRef:
        kind: Task
        name: git-clone
      workspaces:
        - name: output
          workspace: shared-workspace
  workspaces:
    - name: shared-workspace
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: clone-test-blabla
spec:
  podTemplate:
    securityContext:
      fsGroup: 65532
  params:
    - name: APP_REPO
      value: 'https://github.com/kaanatesel/tektontest.git'
    - name: APP_REVISION
      value: main
  pipelineRef:
    name: blabla
  serviceAccountName: pipeline-account
  timeouts:
    pipeline: 1h0m0s
  workspaces:
    - name: shared-workspace
      persistentVolumeClaim:
        claimName: shared-ws-test
Here is my PV/PVC:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: shared-ws
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  hostPath:
    path: /mnt/gitclone
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: shared-ws-test
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
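
A check for the host directory behind this workspace, as an added example that is not part of the original post: Kubernetes does not re-own hostPath volumes to the pod's fsGroup, so /mnt/gitclone keeps whatever owner and mode it has on the node. The function names, the UID 65532 in the usage line (assumed to match the fsGroup above) and the use of GNU/BusyBox stat are assumptions.

```shell
#!/bin/sh
# Added example: run on the node that backs the hostPath PV.
# Assumes GNU or BusyBox stat (the -c format option).

# dir_writable_by DIR UID GID
# Returns 0 when DIR's mode bits let a process with that UID, holding GID as
# a primary or supplementary group (which is what fsGroup grants), create
# entries in DIR. ACLs, SELinux labels and read-only mounts are not considered.
dir_writable_by() {
    dir=$1; uid=$2; gid=$3
    [ -d "$dir" ] || return 2
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    owner=$1; group=$2; perm=$((0$3))    # %a is octal, e.g. 755 or 2775
    [ "$uid" -eq 0 ] && return 0         # root bypasses the mode bits
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (perm >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( (perm >> 3) & 7 ))
    else
        bits=$(( perm & 7 ))
    fi
    # Creating .git inside DIR needs both write (2) and search (1).
    [ $(( bits & 3 )) -eq 3 ]
}

# check_workspace DIR UID FSGROUP
# Prints a verdict and a host-side change that keeps the task non-root.
check_workspace() {
    if dir_writable_by "$1" "$2" "$3"; then
        echo "OK: uid $2 / gid $3 can write to $1"
    else
        echo "DENIED: uid $2 / gid $3 cannot write to $1"
        echo "on the node: chgrp $3 $1 && chmod 2775 $1"
        return 1
    fi
}

# Usage on the node, with the path and fsGroup from the manifests above:
#   check_workspace /mnt/gitclone 65532 65532
```

The setgid bit in mode 2775 makes files created in the directory inherit the group, so later tasks sharing the workspace under the same fsGroup can still read them.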