Using NPM Connector in Tekton Task

Using NPM Connector in Tekton Tasks enables centralized management of npm registry access and secretless package operations during task execution.

This document shows how to use the multi-connector capability in one TaskRun to:

  • pull dependencies from a mirror registry
  • publish packages to a target registry

Requirements for Tekton Task

Not all Tekton Tasks can use NPM Connector.

NPM Connector injects temporary registry configuration through the Connectors CSI Driver. It provides npmrc and yarnrc configurations that generate .npmrc, .yarnrc.yml, and ca.crt.

Therefore, Tekton Tasks must meet the following requirements:

  • support mounting an .npmrc file via Workspace
  • support mounting a CA certificate via Workspace (required for HTTPS repositories in forward-proxy MITM mode)

The catalog nodejs task (0.1) already supports these workspaces:

  • npm-config: package manager configuration workspace
  • ca-bundle: custom CA workspace

Multi-Connector Scenario

To install dependencies from one registry and publish to another registry in the same TaskRun, prepare two NPM connectors:

  • npm-mirror-connector: set spec.params.registryType=mirror
  • npm-publish-connector: set spec.params.registryType=publish

When both connectors are mounted through volumeAttributes.connectors, NPM configuration is rendered with this behavior:

  • dependency downloads prefer the connector with registryType=mirror
  • for nodejs:0.1, the publish endpoint is controlled by publishRepository; use the address of the registryType=publish connector as the publishRepository value

INFO

Before mounting multiple connectors in one CSI volume, set enable-multi-connector to "true" in the connectors-config ConfigMap:

kubectl -n <connectors-namespace> patch configmap connectors-config \
  --type merge \
  -p '{"metadata":{"annotations":{"skip-sync":"true"}},"data":{"enable-multi-connector":"true"}}'

Prepare Connectors

Example connector pair:

apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: npm-mirror-connector
spec:
  connectorClassName: npm
  address: https://nexus.example.com/repository/npm-proxy
  auth:
    name: basicAuth
    secretRef:
      name: npm-secret
  params:
  - name: strict-ssl
    value: "false"
  - name: registryType
    value: "mirror"
---
apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: npm-publish-connector
spec:
  connectorClassName: npm
  address: https://nexus.example.com/repository/npm-hosted
  auth:
    name: basicAuth
    secretRef:
      name: npm-secret
  params:
  - name: strict-ssl
    value: "false"
  - name: registryType
    value: "publish"

TaskRun Example with nodejs:0.1

After both connectors are ready, reference the built-in nodejs task directly.

apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  name: nodejs-npm-multi-connector-demo
spec:
  taskRef:
    name: nodejs
  params:
  - name: command
    value: npm ci && npm run build
  - name: publishRepository
    value: https://nexus.example.com/repository/npm-hosted
  - name: caFileName
    value: ca.crt
  workspaces:
  - name: source
    persistentVolumeClaim:
      claimName: nodejs-source-pvc
  - name: npm-config
    csi:
      driver: connectors-csi
      readOnly: true
      volumeAttributes:
        connectors: "npm-mirror-connector,npm-publish-connector"
        configuration.names: "npmrc,yarnrc"
  - name: ca-bundle
    csi:
      driver: connectors-csi
      readOnly: true
      volumeAttributes:
        connectors: "npm-mirror-connector,npm-publish-connector"
        configuration.names: "npmrc"

In this example:

  • npm ci resolves dependencies using rendered registry settings from the mirror connector
  • publishRepository triggers npm publish --registry ... in the nodejs task
  • caFileName: ca.crt tells nodejs:0.1 to load the certificate generated by NPM connector from the ca-bundle workspace

CA Bundle Example

In forward-proxy MITM mode, all HTTPS npm repository traffic goes through connectors-proxy and must trust the proxy CA. Therefore, when your dependency or publish repository uses https://, always mount ca-bundle and set caFileName to ca.crt.

spec:
  params:
  - name: caFileName
    value: ca.crt
  workspaces:
  - name: ca-bundle
    csi:
      driver: connectors-csi
      readOnly: true
      volumeAttributes:
        connectors: "npm-mirror-connector,npm-publish-connector"
        configuration.names: "npmrc"

In this setup, ca.crt is rendered by NPM connector and consumed by nodejs:0.1 through the ca-bundle workspace, so both dependency download and package publish can access HTTPS repositories successfully.
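
A pre-flight check for the mounted workspaces, covering the mirror-registry rendering described under Multi-Connector Scenario and the CA requirement described here. This is an added example, not code from the nodejs task or the connector project. The function names and sample file contents are constructed, and it assumes the rendered .npmrc uses npm's standard registry, strict-ssl and credential keys.

```shell
#!/bin/sh
# Added example: audit npm settings mounted in the npm-config / ca-bundle workspaces.
# Assumption: the rendered .npmrc uses npm's standard keys (registry, strict-ssl, _authToken).

# Print the last value assigned to <key> in <file>.
npmrc_get() {
  sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1 | tr -d '"\r'
}

# audit_npmrc <npmrc> <expected-mirror-url> <ca-file>; returns 0 when clean, 1 otherwise.
audit_npmrc() {
  file=$1; expected=$2; ca=$3; rc=0
  [ -r "$file" ] || { echo "MISSING: $file"; return 1; }

  # Dependency downloads should resolve against the registryType=mirror connector.
  registry=$(npmrc_get "$file" registry)
  if [ "${registry%/}" != "${expected%/}" ]; then
    echo "REGISTRY: got '$registry', expected '$expected'"; rc=1
  fi

  # npm's strict-ssl=false skips certificate validation, so a mounted CA adds no protection.
  if [ "$(npmrc_get "$file" strict-ssl)" = "false" ]; then
    echo "TLS: strict-ssl=false"; rc=1
  fi

  # An https:// registry behind the proxy needs a CA file containing a PEM certificate.
  case $registry in
    https://*)
      if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
        echo "CA: no PEM certificate in '$ca'"; rc=1
      fi ;;
  esac

  # Assumed meaning of "secretless": no registry credential keys stored in the file.
  if grep -Eq '(^|:)(_authToken|_auth|_password)[[:space:]]*=' "$file"; then
    echo "SECRET: credential key present"; rc=1
  fi
  return "$rc"
}

# Constructed sample (not real connector output): a clean workspace layout.
demo=$(mktemp -d)
printf 'registry=https://nexus.example.com/repository/npm-proxy/\nstrict-ssl=true\n' > "$demo/.npmrc"
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed)' '-----END CERTIFICATE-----' > "$demo/ca.crt"
audit_npmrc "$demo/.npmrc" https://nexus.example.com/repository/npm-proxy "$demo/ca.crt" \
  && echo "workspace config OK"
rm -rf "$demo"
```

Run it as an early step with the real workspace paths. If the strict-ssl "false" parameter from the example connector pair is carried into .npmrc, it is reported under TLS.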

Using ResourceInterface in Pipeline Integration

If you integrate connectors from Pipeline UI instead of hand-writing CSI fields, use the NPMRepository ResourceInterface.

Typical usage flow:

  1. In Pipeline Integration, select interface category NPMRepository.
  2. Select a primary connector with spec.params.registryType=publish, then add other connectors (for example a registryType=mirror connector) to the same integration item. This keeps connector selection consistent with later publishRepository parameter selection in the task.
  3. Bind integration workspaces to the task's npm-config and ca-bundle workspaces.

At runtime, ResourceInterface renders connector workspace bindings for you:

  • npm-config mounts merged config from selected connectors (multi-connector)
  • ca-bundle mounts certificate configuration for TLS trust

This means users can keep using nodejs:0.1 directly while delegating connector selection and workspace rendering to Pipeline Integration.

For details, see ResourceInterface and Pipeline Integration.
