
How to clone a private git repository into a kubernetes pod using ssh keys in secrets?

December 8, 2018

I am trying to clone a private git repository (GitLab) into a Kubernetes pod, using SSH keys for authentication. I have stored my keys in a secret. Here is the yaml file for the job that does the desired task.

Here's the same question, but it doesn't give the exact solution:

https://stackoverflow.com/questions/41067668/clone-a-secure-git-repo-in-kubernetes-pod

Logs of the init container after execution:

fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
v3.7.1-66-gfc22ab4fd3 [http://dl-cdn.alpinelinux.org/alpine/v3.7/main]
v3.7.1-55-g7d5f104fa7 [http://dl-cdn.alpinelinux.org/alpine/v3.7/community]
OK: 9064 distinct packages available
OK: 23 MiB in 23 packages
Cloning into '/tmp'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The yaml file which works perfectly for public repo:

apiVersion: batch/v1
kind: Job
metadata:
  name: nest-build-kaniko
  labels:
    app: nest-kaniko-example
spec:
  template:
    spec:
      containers:
        - image: 'gcr.io/kaniko-project/executor:latest'
          name: kaniko
          args: ["--dockerfile=/workspace/Dockerfile",
                 "--context=/workspace/",
                 "--destination=aws.dest.cred"]
          volumeMounts:
            - mountPath: /workspace
              name: source
            - name: aws-secret
              mountPath: /root/.aws/
            - name: docker-config
              mountPath: /kaniko/.docker/
      initContainers:
        - name: download
          image: alpine:3.7
          command: ["/bin/sh","-c"]
          args: ['apk add --no-cache git && git clone https://github.com/username/repo.git /tmp/']
          volumeMounts:
            - mountPath: /tmp
              name: source
      restartPolicy: Never
      volumes:
        - emptyDir: {}
          name: source
        - name: aws-secret
          secret:
            secretName: aws-secret
        - name: docker-config
          configMap:
            name: docker-config

The yaml file after using git-sync for cloning private repository:

apiVersion: batch/v1
kind: Job
metadata:
  name: nest-build-kaniko
  labels:
    app: nest-kaniko-example
spec:
  template:
    spec:
      containers:
        - image: 'gcr.io/kaniko-project/executor:latest'
          name: kaniko
          args: ["--dockerfile=/workspace/Dockerfile",
                 "--context=/workspace/",
                 "--destination=aws.dest.cred"]
          volumeMounts:
            - mountPath: /workspace
              name: source
            - name: aws-secret
              mountPath: /root/.aws/
            - name: docker-config
              mountPath: /kaniko/.docker/
      initContainers:
        - name: git-sync
          image: gcr.io/google_containers/git-sync-amd64:v2.0.4
          volumeMounts:
            - mountPath: /git/tmp
              name: source
            - name: git-secret
              mountPath: "/etc/git-secret"
          env:
            - name: GIT_SYNC_REPO
              value: "git@gitlab.com:username/repo.git"
            - name: GIT_SYNC_SSH
              value: "true"
            - name: GIT_SYNC_DEST
              value: "/tmp"
            - name: GIT_SYNC_ONE_TIME
              value: "true"
          securityContext:
            runAsUser: 0
      restartPolicy: Never
      volumes:
        - emptyDir: {}
          name: source
        - name: aws-secret
          secret:
            secretName: aws-secret
        - name: git-secret
          secret:
            secretName: git-creds
            defaultMode: 256
        - name: docker-config
          configMap:
            name: docker-config
-- rohanmehto2
docker
ssh
kubernetes
gitlab
git-clone

2 Answers

December 9, 2018

You can use git-sync:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: git-sync-test
spec:
  selector:
    matchLabels:
      app: git-sync-test
  serviceName: "git-sync-test"
  replicas: 1
  template:
    metadata:
      labels:
        app: git-sync-test
    spec:
      containers:
      - name: git-sync-test
        image: <your-main-image>
        volumeMounts:
        - name: service
          mountPath: /var/magic
      initContainers:
      - name: git-sync
        image: k8s.gcr.io/git-sync-amd64:v2.0.6
        imagePullPolicy: Always
        volumeMounts:
        - name: service
          mountPath: /magic
        - name: git-secret
          mountPath: /etc/git-secret
        env:
        - name: GIT_SYNC_REPO
          value: <repo-path-you-want-to-clone>
        - name: GIT_SYNC_BRANCH
          value: <repo-branch>
        - name: GIT_SYNC_ROOT
          value: /magic
        - name: GIT_SYNC_DEST
          value: <path-where-you-want-to-clone>
        - name: GIT_SYNC_PERMISSIONS
          value: "0777"
        - name: GIT_SYNC_ONE_TIME
          value: "true"
        - name: GIT_SYNC_SSH
          value: "true"
        securityContext:
          runAsUser: 0
      volumes:
      - name: service
        emptyDir: {}
      - name: git-secret
        secret:
          defaultMode: 256
          secretName: git-creds # your-ssh-key

For more details check this link.

-- Abu Hanifa
Source: StackOverflow
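The "Host key verification failed." line in the question's init-container log is SSH refusing a server key it has never seen; the durable fix is to pin the Git host's key in the secret rather than switch checking off. The script below is an added example, not the asker's, the answerer's or git-sync's own code: it builds the git-creds Secret that the answer mounts at /etc/git-secret, storing the private key under the `ssh` key and a pinned known_hosts file under the `known_hosts` key (the layout git-sync's documentation describes; treat the key names as an assumption and confirm them for the git-sync version you run), and refuses to emit the manifest when known_hosts has no entry for the repository host.

```shell
#!/bin/sh
# Added example (not from the question, the answers or git-sync itself):
# build the "git-creds" Secret that git-sync mounts at /etc/git-secret.
# Key names "ssh" (private key) and "known_hosts" (pinned server keys)
# follow git-sync's documented layout; verify them for your git-sync version.
set -eu

# Host part of an scp-style URL such as git@gitlab.com:username/repo.git
repo_host() {
  h=${1#*@}                 # strip "user@"
  printf '%s' "${h%%:*}"    # strip ":path"
}

# Succeed only if known_hosts ($2) has an unhashed entry for the repo ($1)
# host, so the init container can keep strict host-key checking enabled
# instead of the usual StrictHostKeyChecking=no workaround.
check_known_hosts() {
  host=$(repo_host "$1")
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')   # literal dots in the regex
  grep -q "^$esc[ ,]" "$2"
}

b64() { base64 < "$1" | tr -d '\n'; }   # single-line base64 for the manifest

# Print a Secret manifest: $1 repo URL, $2 private key file, $3 known_hosts
# file, $4 secret name. Mount it with defaultMode: 256 (0400) as in the answers.
make_git_creds_secret() {
  if ! check_known_hosts "$1" "$3"; then
    echo "refusing: no host key for $(repo_host "$1") in $3" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $4
type: Opaque
data:
  ssh: $(b64 "$2")
  known_hosts: $(b64 "$3")
EOF
}

# Usage: ./make-git-creds.sh git@gitlab.com:username/repo.git ~/.ssh/id_ed25519 known_hosts git-creds
if [ "$#" -ge 4 ]; then
  make_git_creds_secret "$@"
fi
```

Create the known_hosts file beforehand with ssh-keyscan and compare its fingerprints against the ones your Git host publishes before applying the manifest.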

December 10, 2018

  initContainers:
    - name: git-sync
      image: gcr.io/google_containers/git-sync-amd64:v2.0.4
      volumeMounts:
        - mountPath: /workspace
          name: source
        - name: git-secret
          mountPath: "/etc/git-secret"
      env:
        - name: GIT_SYNC_REPO
          value: "git@gitlab.com:username/repo.git"
        - name: GIT_SYNC_SSH
          value: "true"
        - name: GIT_SYNC_ROOT
          value: /workspace
        - name: GIT_SYNC_DEST
          value: "tmp"
        - name: GIT_SYNC_ONE_TIME
          value: "true"

NOTE: set the GIT_SYNC_ROOT env to /workspace

It'll clone into the /workspace/tmp directory in your emptyDir source volume.

-- Abu Hanifa
Source: StackOverflow