Comment cloner un référentiel git privé dans un pod kubernetes en utilisant des clés ssh dans les secrets?

Question

J'essaie de cloner un référentiel git privé (gitLab) dans un pod kubernetes, en utilisant des clés SSH pour l'authentification. J'ai stocké mes clés dans un secret. Voici le fichier yaml pour le travail qui effectue la tâche souhaitée.

Voici la même question, mais ne donne pas la solution exacte:

Cloner un dépôt git sécurisé dans le pod Kubernetes

Journaux du conteneur init après exécution:

fetch http://dl-cdn.alpinelinux.org/Alpine/v3.7/main/x86_64/APKINDEX.tar.gz fetch http://dl-cdn.alpinelinux.org/Alpine/v3.7/community/x86_64/APKINDEX.tar.gz v3.7.1-66-gfc22ab4fd3 [http://dl-cdn.alpinelinux.org/Alpine/v3.7/main] v3.7.1-55-g7d5f104fa7 [http://dl-cdn.alpinelinux.org/Alpine/v3.7/community] OK: 9064 distinct packages available OK: 23 MiB in 23 packages Cloning into '/tmp'... Host key verification failed. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.

Le fichier yaml qui fonctionne parfaitement pour le dépôt public:

apiVersion: batch/v1 kind: Job metadata: name: nest-build-kaniko labels: app: nest-kaniko-example spec: template: spec: containers: - image: 'gcr.io/kaniko-project/executor:latest' name: kaniko args: ["--dockerfile=/workspace/Dockerfile", "--context=/workspace/", "--destination=aws.dest.cred"] volumeMounts: - mountPath: /workspace name: source - name: aws-secret mountPath: /root/.aws/ - name: docker-config mountPath: /kaniko/.docker/ initContainers: - name: download image: Alpine:3.7 command: ["/bin/sh","-c"] args: ['apk add --no-cache git && git clone https://github.com/username/repo.git /tmp/'] volumeMounts: - mountPath: /tmp name: source restartPolicy: Never volumes: - emptyDir: {} name: source - name: aws-secret secret: secretName: aws-secret - name: docker-config configMap: name: docker-config

Le fichier yaml après avoir utilisé git-sync pour cloner le référentiel privé:

apiVersion: batch/v1 kind: Job metadata: name: nest-build-kaniko labels: app: nest-kaniko-example spec: template: spec: containers: - image: 'gcr.io/kaniko-project/executor:latest' name: kaniko args: ["--dockerfile=/workspace/Dockerfile", "--context=/workspace/", "--destination=aws.dest.cred"] volumeMounts: - mountPath: /workspace name: source - name: aws-secret mountPath: /root/.aws/ - name: docker-config mountPath: /kaniko/.docker/ initContainers: - name: git-sync image: gcr.io/google_containers/git-sync-AMD64:v2.0.4 volumeMounts: - mountPath: /git/tmp name: source - name: git-secret mountPath: "/etc/git-secret" env: - name: GIT_SYNC_REPO value: "git@gitlab.com:username/repo.git" - name: GIT_SYNC_SSH value: "true" - name: GIT_SYNC_DEST value: "/tmp" - name: GIT_SYNC_ONE_TIME value: "true" securityContext: runAsUser: 0 restartPolicy: Never volumes: - emptyDir: {} name: source - name: aws-secret secret: secretName: aws-secret - name: git-secret secret: secretName: git-creds defaultMode: 256 - name: docker-config configMap: name: docker-config

Abu Hanifa · Accepted Answer

Vous pouvez utiliser git-sync

apiVersion: apps/v1 kind: StatefulSet metadata: name: git-sync-test spec: selector: matchLabels: app: git-sync-test serviceName: "git-sync-test" replicas: 1 template: metadata: labels: app: git-sync-test spec: containers: - name: git-sync-test image: <your-main-image> volumeMounts: - name: service mountPath: /var/magic initContainers: - name: git-sync image: k8s.gcr.io/git-sync-AMD64:v2.0.6 imagePullPolicy: Always volumeMounts: - name: service mountPath: /magic - name: git-secret mountPath: /etc/git-secret env: - name: GIT_SYNC_REPO value: <repo-path-you-want-to-clone> - name: GIT_SYNC_BRANCH value: <repo-branch> - name: GIT_SYNC_ROOT value: /magic - name: GIT_SYNC_DEST value: <path-where-you-want-to-clone> - name: GIT_SYNC_PERMISSIONS value: "0777" - name: GIT_SYNC_ONE_TIME value: "true" - name: GIT_SYNC_SSH value: "true" securityContext: runAsUser: 0 volumes: - name: service emptyDir: {} - name: git-secret secret: defaultMode: 256 secretName: git-creds # your-ssh-key

Pour plus de détails, consultez le lien this .

Abu Hanifa · Answer

 initContainers: - name: git-sync image: gcr.io/google_containers/git-sync-AMD64:v2.0.4 volumeMounts: - mountPath: /workspace name: source - name: git-secret mountPath: "/etc/git-secret" env: - name: GIT_SYNC_REPO value: "git@gitlab.com:username/repo.git" - name: GIT_SYNC_SSH value: "true" - name: GIT_SYNC_ROOT value: /workspace - name: GIT_SYNC_DEST value: "tmp" - name: GIT_SYNC_ONE_TIME value: "true"

REMARQUE: définissez GIT_SYNC_ROOT env sur/workspace

Il clone dans /workspace/tmp dans votre répertoire rép_vide source.