Openshift Pipelines Read Permissions Error When Using Git-Clone Task #2143
Description
Description
Bug when using openshift pipelines operator version 1.18, a nfs volume claim template, and the git-clone task, the git-clone task will fail saying that git does not have read access to the tmp file made from the git clone command.
Yaml for the pipeline
kind: Pipeline
metadata:
name: git-clone
namespace: acmeair-project
spec:
tasks:
- name: clone
params:
- name: URL
value: <url>
- name: REVISION
value: <branch>
- name: DELETE_EXISTING
value: 'true'
taskRef:
params:
- name: kind
value: task
- name: name
value: git-clone
- name: namespace
value: openshift-pipelines
resolver: cluster
workspaces:
- name: output
workspace: shared-ws
workspaces:
- name: shared-ws
Error
---> Phase: Cloning '<url>'...
+ exec git-init -url=<url> -revision=<branch> -refspec= -path=/workspace/output/ -sslVerify=true -submodules=true -depth=1 -sparseCheckoutDirectories=
{"level":"error","ts":1750257518.6948926,"caller":"git/git.go:53","msg":"Error running git [remote get-url origin]: exit status 2\nerror: No such remote 'origin'\n","stacktrace":"github.com/tektoncd-catalog/git-clone/git-init/git.run\n\t/go/src/github.com/tektoncd-catalog/git-clone/image/git-init/git/git.go:53\ngithub.com/tektoncd-catalog/git-clone/git-init/git.Fetch\n\t/go/src/github.com/tektoncd-catalog/git-clone/image/git-init/git/git.go:109\nmain.main\n\t/go/src/github.com/tektoncd-catalog/git-clone/image/git-init/main.go:52\nruntime.main\n\t/usr/lib/golang/src/runtime/proc.go:272"}
{"level":"error","ts":1750257543.5860465,"caller":"git/git.go:53","msg":"Error running git [fetch --recurse-submodules=yes --depth=1 origin --update-head-ok --force <branch>]: exit status 128\nfatal: could not open '.git/objects/pack/tmp_pack_NEZzSg' for reading: Permission denied\nfatal: fetch-pack: invalid index-pack output\n","stacktrace":"github.com/tektoncd-catalog/git-clone/git-init/git.run\n\t/go/src/github.com/tektoncd-catalog/git-clone/image/git-init/git/git.go:53\ngithub.com/tektoncd-catalog/git-clone/git-init/git.Fetch\n\t/go/src/github.com/tektoncd-catalog/git-clone/image/git-init/git/git.go:166\nmain.main\n\t/go/src/github.com/tektoncd-catalog/git-clone/image/git-init/main.go:52\nruntime.main\n\t/usr/lib/golang/src/runtime/proc.go:272"}
{"level":"fatal","ts":1750257543.5861356,"caller":"git-init/main.go:53","msg":"Error fetching git repository: failed to fetch [<branch>]: exit status 128","stacktrace":"main.main\n\t/go/src/github.com/tektoncd-catalog/git-clone/image/git-init/main.go:53\nruntime.main\n\t/usr/lib/golang/src/runtime/
When I oc debug <pod name> and I go to the file path that is provided in the error, the temp file made from the git clone has read permissions. I also added different security context to the git run using taskRunTemplate and podTemplate, this produced the same error as above. I then switched to a cephfs for the volume claim template. This produced a successful pipeline run. I am wondering why this same git clone pipeline is not working with the other volume claim template.
Notes
This was tested with openshift pipeline version 1.17.1, 1.18.0, and 1.18.1 on openshift version 4.15, 4.16, and 4.18.