fix(tekton/v1): request publisher with auth #4568
Conversation
ti-chi-bot commented Apr 30, 2026
- ci(tekton): add optional publisher-auth workspace to pipelines and task
- feat(tekton): add publisher-auth secret to build component templates
- feat(tekton): make publisher auth secret name configurable
Add a `publisher-auth-secret-name` parameter to build component templates and bindings, allowing different secrets to be used per environment.
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: wuhuizuo. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Code Review
This pull request introduces basic authentication for the publisher service across several Tekton pipelines and tasks by adding a publisher-auth workspace and updating the delivery logic. Feedback highlights a critical issue where PipelineRun creation will fail if the publisher-auth-secret-name parameter is empty, as Kubernetes does not permit empty secret names in volume sources. Additionally, the shell script in the delivery task should be refactored to use bash arrays for safe command-line argument handling and to use hardcoded workspace paths for consistency.
| - name: publisher-auth | ||
| secret: | ||
| secretName: $(tt.params.publisher-auth-secret-name) |
This mapping will cause the PipelineRun creation to fail when $(tt.params.publisher-auth-secret-name) is an empty string (as seen in several TriggerBinding files like gcp-internal-build-params.yaml). Kubernetes does not allow an empty secretName in a Secret volume source. Since the publisher-auth workspace is optional in the Pipeline, it should ideally be omitted from the PipelineRun when no authentication is required. However, since TriggerTemplate does not support conditional workspace blocks, you might need to use a different approach for optional secrets, such as passing the secret name as a parameter to the Pipeline and using secretKeyRef with optional: true in the Task's environment variables instead of a workspace.
| - name: publisher-auth | ||
| secret: | ||
| secretName: $(tt.params.publisher-auth-secret-name) |
| - name: publisher-auth | ||
| secret: | ||
| secretName: $(tt.params.publisher-auth-secret-name) |
| - name: publisher-auth | ||
| secret: | ||
| secretName: $(tt.params.publisher-auth-secret-name) |
| - name: publisher-auth | ||
| secret: | ||
| secretName: $(tt.params.publisher-auth-secret-name) |
| auth_opt="" | ||
|
|
||
| # If publisher-auth workspace is provided, use basic auth | ||
| if [ -f "$(workspaces.publisher-auth.path)/username" ] && \ | ||
| [ -f "$(workspaces.publisher-auth.path)/password" ]; then | ||
| user="$(cat $(workspaces.publisher-auth.path)/username)" | ||
| pass="$(cat $(workspaces.publisher-auth.path)/password)" | ||
| auth_opt="-u '${user}:${pass}'" | ||
| fi | ||
|
|
||
| deliver() { | ||
| local artifact_url="$1" | ||
| echo "Delivering artifact_url: $artifact_url" | ||
| # shellcheck disable=SC2086 | ||
| response=$(curl -s -X POST "$publisher_url" \ | ||
| $auth_opt \ | ||
| -H "Content-Type: application/json" \ | ||
| -d "{\"artifact_url\":\"$artifact_url\"}") | ||
| echo "Response: $response" |
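Review bot: `curl -s -X POST "$publisher_url" $auth_opt` hands the credential to curl as a `-u user:pass` argument, so the username and password are visible in the process's argument list (`/proc/<pid>/cmdline`) for the duration of the request, and any `set -x` tracing or log line that echoes the command prints them verbatim. Consider passing the credential through a curl config file (`--config`, containing a `user = "..."` line written with mode 0600) or `--netrc-file`, so that only a path appears in argv. Also, `curl -s` without `--fail` (or `--fail-with-body`) exits 0 on a 401 or 500, so `deliver` records the response but never fails the task when authentication is rejected; checking curl's exit status after the request would surface a bad or missing credential instead of silently continuing.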
Using a string variable to store optional command-line arguments like -u '${user}:${pass}' is fragile. When expanded unquoted in the curl command, the literal single quotes will be passed as part of the credentials to curl, which will cause authentication to fail. Additionally, unquoted expansion ($auth_opt) will break if the username or password contains spaces. Using a bash array is the standard and safe way to handle optional arguments in scripts. Furthermore, use the hardcoded path /workspace/publisher-auth instead of the $(workspaces.publisher-auth.path) variable for consistency with repository standards.
```bash
auth_args=()

# If publisher-auth workspace is provided, use basic auth
if [ -f "/workspace/publisher-auth/username" ] && \
   [ -f "/workspace/publisher-auth/password" ]; then
  user="$(cat "/workspace/publisher-auth/username")"
  pass="$(cat "/workspace/publisher-auth/password")"
  auth_args=("-u" "${user}:${pass}")
fi

deliver() {
  local artifact_url="$1"
  echo "Delivering artifact_url: $artifact_url"
  response=$(curl -s -X POST "$publisher_url" \
    "${auth_args[@]}" \
    -H "Content-Type: application/json" \
    -d "{\"artifact_url\":\"$artifact_url\"}")
  echo "Response: $response"
}
```

References
- In Tekton pipelines, use the hardcoded path /workspace/... to refer to shared directories within the source workspace for consistency, rather than using the $(workspaces.source.path) variable.
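Added example, not part of the PR or of the repository: a standalone bash script that makes the quoting problem described in the review observable by substituting an argument-counting function for curl, so both expansion styles can be compared on the same credentials. The temporary workspace directory, the username `builder` and the password `pa ss` (chosen to contain a space) are constructed sample data; `count_args`, `fragile_args`, `safe_args` and `setup_sample_workspace` are names chosen here.

```bash
#!/usr/bin/env bash
# Added example (not code from the PR): contrasts the string-variable pattern in the
# original hunk with the bash-array pattern recommended in the review.
set -euo pipefail

# Stand-in for curl: report how many arguments arrived and print each one bracketed,
# so word splitting and stray quote characters become visible.
count_args() {
  printf '%s\n' "$#"
  printf '[%s]\n' "$@"
}

# Constructed sample workspace mirroring the publisher-auth Secret mount:
# one file per key, password deliberately containing a space.
setup_sample_workspace() {
  local dir
  dir="$(mktemp -d)"
  printf 'builder' > "$dir/username"
  printf 'pa ss' > "$dir/password"
  printf '%s' "$dir"
}

# Original pattern: optional arguments kept in a plain string and expanded unquoted.
# The shell splits the string on whitespace and keeps the single quotes as literal
# characters, so curl would receive three arguments, two of them mangled.
fragile_args() {
  local ws="$1" auth_opt=""
  if [ -f "$ws/username" ] && [ -f "$ws/password" ]; then
    local user pass
    user="$(cat "$ws/username")"
    pass="$(cat "$ws/password")"
    auth_opt="-u '${user}:${pass}'"
  fi
  # shellcheck disable=SC2086  (unquoted on purpose: this is the bug being shown)
  count_args $auth_opt
}

# Recommended pattern: optional arguments kept in an array and expanded element-wise.
# An empty array expands to no arguments at all, a populated one to exactly "-u" and
# the untouched "user:pass" string, spaces included.
safe_args() {
  local ws="$1"
  local -a auth_args=()
  if [ -f "$ws/username" ] && [ -f "$ws/password" ]; then
    local user pass
    user="$(cat "$ws/username")"
    pass="$(cat "$ws/password")"
    auth_args=("-u" "${user}:${pass}")
  fi
  # The ${arr[@]+"${arr[@]}"} form keeps `set -u` happy on bash older than 4.4
  # when the array is empty.
  count_args ${auth_args[@]+"${auth_args[@]}"}
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  ws="$(setup_sample_workspace)"
  echo "--- string variable, expanded unquoted ---"; fragile_args "$ws"
  echo "--- bash array ---";                         safe_args "$ws"
  echo "--- bash array, no credentials mounted ---"; safe_args "$(mktemp -d)"
fi
```

Running the script shows the string form delivering `-u`, `'builder:pa` and `ss'` as three separate arguments, while the array form delivers `-u` and `builder:pa ss`, and nothing at all when the workspace is absent. Either way, `-u` still places the credential in curl's argument list; keeping it there is a separate concern from the quoting bug, and a curl config file or `--netrc-file` avoids it.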
/hold