Enhance documentation for the Build authentication methods (#370)

qu1queee · web-flow · commit 27349bb9d6e2 · 2020-09-09T10:31:14.000-04:00
* For #353 Add documentation on the Build authentication methods that can happen during runtime * add copyright headers
diff --git a/HACK.md b/HACK.md
@@ -144,7 +144,9 @@ End-to-end tests can also be executed with the context of private Git repositori
 | `TEST_PRIVATE_GITLAB` | `spec.source.url`              | Private URL, like `git@gitlab.com`    |
 | `TEST_SOURCE_SECRET`  | `spec.source.credentials.name` | Private repository credentials        |
 
-On using `TEST_SOURCE_SECRET`, the environment variable must contain the name of the Kubernetes Secret containing SSH private key, for given private Git repository. See [ssh-authentication](https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#ssh-authentication-git). The secret definition must define the following annotations:
+On using `TEST_SOURCE_SECRET`, the environment variable must contain the name of the Kubernetes Secret containing SSH private key, for given private Git repository. See the [docs](/docs/development/authentication.md) for more information about authentication methods in the Build.
+
+The secret definition must define the following annotations:
 - `tekton.dev/git-0: github.com`
 - `tekton.dev/git-1: gitlab.com`
 
diff --git a/docs/development/authentication.md b/docs/development/authentication.md
@@ -0,0 +1,145 @@
+<!--
+Copyright The Shipwright Contributors
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# Understanding authentication at runtime
+
+The following document provides an introduction around the different authentication methods that can take place during an image build when using the Build operator.
+
+- [Overview](#overview)
+- [Authentication for Git](#authentication-for-git)
+  - [Basic authentication](#basic-authentication)
+  - [SSH authentication](#ssh-authentication)
+  - [Usage of git secret](#usage-of-git-secret)
+- [Authentication to container registries](#authentication-to-container-registries)
+  - [Docker Hub](#docker-hub)
+  - [Usage of registry secret](#usage-of-registry-secret)
+- [References](#references)
+
+## Overview
+
+There are two places where users might need to define authentication when building images. Authentication to a container registry is the most common one, but also users might have the need to define authentications for pulling source-code from Git.
+
+## Authentication for Git
+
+There are two ways for authenticating into Git (_applies to both GitLab or GitHub_). Also, see more information in the official Tekton [docs](https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#configuring-ssh-auth-authentication-for-git).
+
+### SSH authentication
+
+For the SSH authentication you must use the tekton annotations to specify the hostname(s) of the git repository providers that you use. This is github.com for GitHub, or gitlab.com for GitLab.
+
+As seen in the following example, there are three things to notice:
+
+- The Kubernetes secret should be of the type `kubernetes.io/ssh-auth`
+- The annotations include a value to support both github and gitlab
+- The `data.ssh-privatekey` can be generated by following the command example `base64 <~/.ssh/id_rsa`, where `~/.ssh/id_rsa` is the key used to authenticate into Git.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-git-ssh-auth
+  annotations:
+    tekton.dev/git-0: github.com
+    tekton.dev/git-1: gitlab.com
+type: kubernetes.io/ssh-auth
+data:
+  ssh-privatekey: <base64 <~/.ssh/id_rsa>
+```
+
+### Basic authentication
+
+The Basic authentication is very similar to the ssh one, but with the following differences:
+
+- The Kubernetes secret should be of the type `kubernetes.io/basic-auth`
+- The `stringData` should host your user and password in clear text.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-git-basic-auth
+  annotations:
+    tekton.dev/git-0: https://github.com
+    tekton.dev/git-1: https://gitlab.com
+type: kubernetes.io/basic-auth
+stringData:
+  username: <cleartext username>
+  password: <cleartext password>
+```
+
+### Usage of git secret
+
+With the right secret in place(_note: Ensure creation of secret in the proper Kubernetes namespace_), users should reference it on their Build YAML definitions.
+
+Depending on the secret type, there are two ways of doing this:
+
+When using ssh auth, users should follow:
+
+```yaml
+apiVersion: build.dev/v1alpha1
+kind: Build
+metadata:
+  name: buildah-golang-build
+spec:
+  source:
+    url: git@gitlab.com:eduardooli/newtaxi.git
+    credentials:
+      name: secret-git-ssh-auth
+```
+
+When using basic auth, users should follow:
+
+```yaml
+apiVersion: build.dev/v1alpha1
+kind: Build
+metadata:
+  name: buildah-golang-build
+spec:
+  source:
+    url: https://gitlab.com/eduardooli/newtaxi.git
+    credentials:
+      name: secret-git-basic-auth
+```
+
+## Authentication to container registries
+
+For pushing images to private registries, users require to define a secret in their respective namespace.
+
+### Docker Hub
+
+Follow the following command to generate your secret:
+
+```sh
+kubectl --namespace <YOUR_NAMESPACE> create secret docker-registry <CONTAINER_REGISTRY_SECRET_NAME> \
+  --docker-server=<REGISTRY_HOST> \
+  --docker-username=<USERNAME> \
+  --docker-password=<PASSWORD> \
+  --docker-email=me@here.com
+```
+
+_Notes:_ When generating a secret to access docker hub, the `REGISTRY_HOST` value should be `https://index.docker.io/v1/`, the username is the Docker ID.
+_Notes:_ The value of `PASSWORD` can be your user docker hub password, or an access token. A docker access token can be created via _Account Settings_, then _Security_ in the sidebar, and the _New Access Token_ button.
+
+### Usage of registry secret
+
+With the right secret in place (_note: Ensure creation of secret in the proper Kubernetes namespace_), users should reference it on their Build YAML definitions.
+For container registries, the secret should be placed under the `spec.output.credentials` path.
+
+```yaml
+apiVersion: build.dev/v1alpha1
+kind: Build
+metadata:
+  name: buildah-golang-build
+  ...
+  output:
+    image: docker.io/foobar/sample:latest
+    credentials:
+      name: <CONTAINER_REGISTRY_SECRET_NAME>
+```
+
+## References
+
+See more information in the official Tekton [documentation](https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#configuring-ssh-auth-authentication-for-git) for authentication.
diff --git a/docs/development/deploying.md b/docs/development/deploying.md
@@ -16,6 +16,7 @@ The following set of steps highlight how to deploy a Build operator pod into an
    docker push eeeoo/build-operator:master
    popd
    ```
+
    Just to illustrate the above, you can find the image in [dockerhub](https://hub.docker.com/repository/docker/eeeoo/build-operator)
 
 2. Reference the generated image name in the [operator.yaml](../../deploy/operator.yaml). The `spec.template.containers[0].image` value should be modified.
