6 changes: 6 additions & 0 deletions tekton/v1/pipelines/pingcap-build-package-darwin.yaml
Expand Up @@ -73,6 +73,9 @@ spec:
description: The workspace where the git repo will be cloned.
- name: mac-ssh-credentials
description: secret contains ssh private key in `id_rsa` key for login mac
- name: publisher-auth
description: Optional. Credentials for publisher basic auth.
optional: true
tasks:
- name: checkout
retries: 2
Expand Down Expand Up @@ -191,6 +194,9 @@ spec:
value: $(tasks.build-binaries.results.pushed)
- name: publisher-url
value: "$(params.publisher-url)"
workspaces:
- name: publisher-auth
workspace: publisher-auth
- name: deliver-images
when:
- input: "$(params.push)"
6 changes: 6 additions & 0 deletions tekton/v1/pipelines/pingcap-build-package-linux.yaml
Expand Up @@ -76,6 +76,9 @@ spec:
- name: cypress-cache
description: cache for cypress installation files when building frontend projects.
optional: true
- name: publisher-auth
description: Optional. Credentials for publisher basic auth.
optional: true
tasks:
- name: checkout
retries: 2
Expand Down Expand Up @@ -218,6 +221,9 @@ spec:
value: $(tasks.build-binaries.results.pushed)
- name: publisher-url
value: "$(params.publisher-url)"
workspaces:
- name: publisher-auth
workspace: publisher-auth
- name: deliver-images
retries: 2
when:
19 changes: 18 additions & 1 deletion tekton/v1/tasks/delivery/pingcap-deliver-binaries.yaml
Expand Up @@ -4,7 +4,7 @@ kind: Task
metadata:
name: pingcap-deliver-binaries
labels:
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/version: "0.2.0"
annotations:
tekton.dev/pipelines.minVersion: "1.0.0"
tekton.dev/categories: delivery
Expand All @@ -26,6 +26,12 @@ spec:
- name: notify-webhook-url
description: URL of the webhook for notification
default: "http://el-harbor:8080"
workspaces:
- name: publisher-auth
description: |
Optional. Kubernetes Secret with keys 'username' and 'password'.
If provided, the task will use basic auth when calling the publisher.
optional: true
stepTemplate:
image: ghcr.io/pingcap-qe/cd/utils/release:v2025.10.26-7-geb77a69
computeResources:
Expand All @@ -45,11 +51,22 @@ spec:
targetsInfo="/workspace/delivery-targets.yaml"
oci_src="$(params.src)"
publisher_url="$(params.publisher-url)/tiup/delivery-by-rules"
auth_opt=""

# If publisher-auth workspace is provided, use basic auth
if [ -f "$(workspaces.publisher-auth.path)/username" ] && \
[ -f "$(workspaces.publisher-auth.path)/password" ]; then
user="$(cat $(workspaces.publisher-auth.path)/username)"
pass="$(cat $(workspaces.publisher-auth.path)/password)"
auth_opt="-u '${user}:${pass}'"
fi

deliver() {
local artifact_url="$1"
echo "Delivering artifact_url: $artifact_url"
# shellcheck disable=SC2086
response=$(curl -s -X POST "$publisher_url" \
$auth_opt \
-H "Content-Type: application/json" \
-d "{\"artifact_url\":\"$artifact_url\"}")
echo "Response: $response"
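Review bot: the request on the `response=$(curl -s -X POST "$publisher_url" \` line has no `-f`/`--fail` and its exit status is never checked, so a 401 or 403 from the publisher, which is exactly the new failure mode this change introduces, ends with `echo "Response: $response"` and a zero exit code, and the TaskRun is reported as successful. Add `--fail` (or capture `-w '%{http_code}'` and compare it) and exit non-zero on a non-2xx status so a credential problem surfaces in the run. Separately, `-u "${user}:${pass}"` places the password in curl's argv, which is readable from `/proc/<pid>/cmdline` by any other process in the pod for the lifetime of the request; this applies equally to the array form proposed in the review comment on this hunk. Writing the two mounted keys into a mode-0600 netrc file and passing `--netrc-file`, or using `-K` with a config file, keeps the secret out of the process list.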
Comment on lines +54 to 72
high

Using a string variable to store optional command-line arguments like -u '${user}:${pass}' is fragile. When expanded unquoted in the curl command, the literal single quotes will be passed as part of the credentials to curl, which will cause authentication to fail. Additionally, unquoted expansion ($auth_opt) will break if the username or password contains spaces. Using a bash array is the standard and safe way to handle optional arguments in scripts. Furthermore, use the hardcoded path /workspace/publisher-auth instead of the $(workspaces.publisher-auth.path) variable for consistency with repository standards.

auth_args=()

# If publisher-auth workspace is provided, use basic auth
if [ -f "/workspace/publisher-auth/username" ] && \
   [ -f "/workspace/publisher-auth/password" ]; then
  user="$(cat "/workspace/publisher-auth/username")"
  pass="$(cat "/workspace/publisher-auth/password")"
  auth_args=("-u" "${user}:${pass}")
fi

deliver() {
  local artifact_url="$1"
  echo "Delivering artifact_url: $artifact_url"
  response=$(curl -s -X POST "$publisher_url" \
    "${auth_args[@]}" \
    -H "Content-Type: application/json" \
    -d "{\"artifact_url\":\"$artifact_url\"}")
  echo "Response: $response"
}
References
  1. In Tekton pipelines, use the hardcoded path /workspace/... to refer to shared directories within the source workspace for consistency, rather than using the $(workspaces.source.path) variable.

2 changes: 2 additions & 0 deletions tekton/v1/triggers/bindings/gcp-classic-build-params.yaml
Expand Up @@ -6,5 +6,7 @@ spec:
params:
- name: registry
value: us-docker.pkg.dev/pingcap-testing-account/hub
- name: publisher-auth-secret-name
value: publisher-auth
- name: publisher-url
value: "https://do2.pingcap.net/publisher"
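Review bot: `- name: publisher-auth-secret-name` / `value: publisher-auth` repeats the default already declared in the TriggerTemplates (`default: publisher-auth`), so this binding line, and the identical ones in the other gcp-* bindings below, only matters if the name is expected to differ per environment; if it is not, dropping them leaves one place to change. Either way, nothing in this change creates the Secret or documents where it must exist, and the deliver Task expects it to carry the keys `username` and `password`; the trigger docs for these environments should state that, because a reference to a Secret that is absent from the namespace stops the deliver pod from starting.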
2 changes: 2 additions & 0 deletions tekton/v1/triggers/bindings/gcp-internal-build-params.yaml
Expand Up @@ -6,5 +6,7 @@ spec:
params:
- name: registry
value: us-docker.pkg.dev/pingcap-testing-account/internal
- name: publisher-auth-secret-name
value: publisher-auth
- name: publisher-url
value: "https://do2.pingcap.net/publisher"
1 change: 1 addition & 0 deletions tekton/v1/triggers/bindings/gcp-ng-build-params.yaml
Expand Up @@ -6,6 +6,7 @@ spec:
params:
- { name: builder-resources-cpu, value: $(extensions.resource-config.cpu) }
- { name: builder-resources-memory, value: $(extensions.resource-config.memory) }
- { name: publisher-auth-secret-name, value: publisher-auth }
- { name: publisher-url, value: "https://do2.pingcap.net/publisher" }
- { name: registry, value: us-docker.pkg.dev/pingcap-testing-account/tidbx }
- { name: source-ws-size, value: $(extensions.resource-config.sourceWsSize) }
6 changes: 4 additions & 2 deletions tekton/v1/triggers/bindings/ksy-classic-build-params.yaml
Expand Up @@ -8,9 +8,11 @@ spec:
value: us-docker.pkg.dev/pingcap-testing-account/hub
- name: boskos-server-url
value: http://boskos.ee-cd.svc
- name: publisher-auth-secret-name
value: publisher-auth
- name: publisher-url
value: https://publisher.pingcap.net
- name: git-instead-of
value: >-
https://github.com/ => http://git-cdn.cache.svc:8000/,
git@github.com: => http://git-cdn.cache.svc:8000/
https://github.com/ => http://git-cdn.cache.svc:8000/, git@github.com:
=> http://git-cdn.cache.svc:8000/
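Review bot: the last four lines of this hunk re-wrap the `git-instead-of` folded scalar without changing its value; under `>-` both the old two-line layout and the new one fold to the same single-line string `https://github.com/ => http://git-cdn.cache.svc:8000/, git@github.com: => http://git-cdn.cache.svc:8000/`. This is formatter noise unrelated to adding `publisher-auth-secret-name` and is best reverted or landed on its own so the diff shows only the intended change.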
27 changes: 14 additions & 13 deletions tekton/v1/triggers/bindings/ksy-dev-build-params.yaml
Expand Up @@ -4,18 +4,19 @@ metadata:
name: ksy-dev-build-params # only use in KSY clusters for dev-builds
spec:
params:
- { name: boskos-server-url, value: http://boskos.ee-cd.svc }
- { name: builder-resources-cpu, value: $(extensions.resource-config.cpu) }
- { name: builder-resources-memory, value: $(extensions.resource-config.memory) }
- { name: ce-context, value: $(extensions.ce-context) }
- { name: component, value: $(extensions.component) }
- { name: force-builder-image, value: $(extensions.custom-params.builder-image) }
- { name: profile, value: $(extensions.custom-params.profile) }
- { name: publisher-url, value: "" } # no need publish in dev-builds
- { name: registry, value: $(extensions.registry) }
- { name: source-ws-size, value: $(extensions.resource-config.sourceWsSize) }
- { name: timeout, value: $(extensions.resource-config.timeout) }
- {name: boskos-server-url, value: http://boskos.ee-cd.svc}
- {name: builder-resources-cpu, value: $(extensions.resource-config.cpu)}
- {name: builder-resources-memory, value: $(extensions.resource-config.memory)}
- {name: ce-context, value: $(extensions.ce-context)}
- {name: component, value: $(extensions.component)}
- {name: force-builder-image, value: $(extensions.custom-params.builder-image)}
- {name: profile, value: $(extensions.custom-params.profile)}
- {name: publisher-auth-secret-name, value: publisher-auth}
- {name: publisher-url, value: ""} # no need publish in dev-builds
- {name: registry, value: $(extensions.registry)}
- {name: source-ws-size, value: $(extensions.resource-config.sourceWsSize)}
- {name: timeout, value: $(extensions.resource-config.timeout)}
- name: git-instead-of
value: >-
https://github.com/ => http://git-cdn.cache.svc:8000/,
git@github.com: => http://git-cdn.cache.svc:8000/
https://github.com/ => http://git-cdn.cache.svc:8000/, git@github.com:
=> http://git-cdn.cache.svc:8000/
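Review bot: only `- {name: publisher-auth-secret-name, value: publisher-auth}` is a functional change in this hunk; the other thirteen changed lines are brace-spacing and folded-scalar reflow that leave every value identical, which hides the one real edit in the history. On that real edit: this binding sets `publisher-url` to `""` with the comment `no need publish in dev-builds`, yet it still names a `publisher-auth` Secret, and the TriggerTemplates below bind that Secret as a workspace in every PipelineRun they create. The Secret therefore has to exist in the KSY dev-build namespace even though nothing is published from there, or the pods that mount it will not start; either seed a placeholder Secret there or document the requirement next to this comment.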
15 changes: 15 additions & 0 deletions tekton/v1/triggers/templates/_/build-component-all-platforms.yaml
Expand Up @@ -36,6 +36,9 @@ spec:
default: ""
- name: boskos-server-url
default: "http://boskos"
- name: publisher-auth-secret-name
description: Name of the Secret containing publisher basic auth credentials.
default: publisher-auth
- name: publisher-url
default: "https://publisher.pingcap.net"
- name: git-instead-of
Expand Down Expand Up @@ -125,6 +128,9 @@ spec:
# - name: cypress-cache
# persistentVolumeClaim:
# claimName: cypress-cache
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
Comment on lines +131 to +133
critical

This mapping will cause the PipelineRun creation to fail when $(tt.params.publisher-auth-secret-name) is an empty string (as seen in several TriggerBinding files like gcp-internal-build-params.yaml). Kubernetes does not allow an empty secretName in a Secret volume source. Since the publisher-auth workspace is optional in the Pipeline, it should ideally be omitted from the PipelineRun when no authentication is required. However, since TriggerTemplate does not support conditional workspace blocks, you might need to use a different approach for optional secrets, such as passing the secret name as a parameter to the Pipeline and using secretKeyRef with optional: true in the Task's environment variables instead of a workspace.

- apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
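Review bot: the `secret:` binding under `- name: publisher-auth` carries no `optional: true`, so when the Secret named by `$(tt.params.publisher-auth-secret-name)` is missing from the namespace the deliver pod never starts (it sits in ContainerCreating with a mount error), even though the workspace is declared `optional: true` in both the Pipeline and the Task. A Tekton workspace `secret:` binding is a Kubernetes SecretVolumeSource and accepts `optional: true`; with it, a missing Secret yields an empty mount, the Task's `[ -f .../username ]` check then falls back to an unauthenticated call, and the optional semantics the Task advertises actually hold. This does not cure the empty-`secretName` case raised above, which still needs a non-empty name. The same three-line block is duplicated in all four PipelineRuns of this template and again in the other templates, so whichever fix is chosen has to be applied in each copy.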
Expand Down Expand Up @@ -205,6 +211,9 @@ spec:
# - name: cypress-cache
# persistentVolumeClaim:
# claimName: cypress-cache
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
- apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
Expand Down Expand Up @@ -267,6 +276,9 @@ spec:
- name: mac-ssh-credentials
secret:
secretName: mac-ssh-credentials
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
- apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
Expand Down Expand Up @@ -329,3 +341,6 @@ spec:
- name: mac-ssh-credentials
secret:
secretName: mac-ssh-credentials
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
9 changes: 9 additions & 0 deletions tekton/v1/triggers/templates/_/build-component-darwin.yaml
Expand Up @@ -35,6 +35,9 @@ spec:
default: ""
- name: boskos-server-url
default: "http://boskos"
- name: publisher-auth-secret-name
description: Name of the Secret containing publisher basic auth credentials.
default: publisher-auth
- name: publisher-url
default: "https://publisher.pingcap.net"
- name: git-instead-of
Expand Down Expand Up @@ -110,6 +113,9 @@ spec:
- name: mac-ssh-credentials
secret:
secretName: mac-ssh-credentials
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
Comment on lines +116 to +118
critical

This mapping will cause the PipelineRun creation to fail when $(tt.params.publisher-auth-secret-name) is an empty string. Kubernetes does not allow an empty secretName in a Secret volume source.

- apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
Expand Down Expand Up @@ -176,3 +182,6 @@ spec:
- name: mac-ssh-credentials
secret:
secretName: mac-ssh-credentials
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
9 changes: 9 additions & 0 deletions tekton/v1/triggers/templates/_/build-component-linux.yaml
Expand Up @@ -37,6 +37,9 @@ spec:
- name: force-builder-image
description: force use the builder image to prepare container to build binaries.
default: ""
- name: publisher-auth-secret-name
description: Name of the Secret containing publisher basic auth credentials.
default: publisher-auth
- name: publisher-url
default: "https://publisher.pingcap.net"
- name: git-instead-of
Expand Down Expand Up @@ -126,6 +129,9 @@ spec:
# - name: cypress-cache
# persistentVolumeClaim:
# claimName: cypress-cache
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
Comment on lines +132 to +134
critical

This mapping will cause the PipelineRun creation to fail when $(tt.params.publisher-auth-secret-name) is an empty string. Kubernetes does not allow an empty secretName in a Secret volume source.

- apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
Expand Down Expand Up @@ -206,3 +212,6 @@ spec:
# - name: cypress-cache
# persistentVolumeClaim:
# claimName: cypress-cache
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ spec:
default: ""
- name: boskos-server-url
default: "http://boskos"
- name: publisher-auth-secret-name
description: Name of the Secret containing publisher basic auth credentials.
default: publisher-auth
- name: publisher-url
default: "https://publisher.pingcap.net"
- name: git-instead-of
Expand Down Expand Up @@ -134,3 +137,6 @@ spec:
- name: mac-ssh-credentials # for darwin platforms
secret:
secretName: mac-ssh-credentials
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
Comment on lines +140 to +142
critical

This mapping will cause the PipelineRun creation to fail when $(tt.params.publisher-auth-secret-name) is an empty string. Kubernetes does not allow an empty secretName in a Secret volume source.

Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,9 @@ spec:
default: "{}"
- name: force-builder-image
default: ""
- name: publisher-auth-secret-name
description: Name of the Secret containing publisher basic auth credentials.
default: publisher-auth
- name: publisher-url
default: "https://publisher.pingcap.net"
resourcetemplates:
Expand Down Expand Up @@ -108,3 +111,6 @@ spec:
resources:
requests:
storage: $(tt.params.source-ws-size)
- name: publisher-auth
secret:
secretName: $(tt.params.publisher-auth-secret-name)
Comment on lines +114 to +116
critical

This mapping will cause the PipelineRun creation to fail when $(tt.params.publisher-auth-secret-name) is an empty string. Kubernetes does not allow an empty secretName in a Secret volume source.