(Query) How can I clone GitLab private repository to my k8s container safely (ssh or https no matter)? #126

Closed
luckymagic7 opened this issue Jan 14, 2019 · 13 comments

Comments

@luckymagic7

luckymagic7 commented Jan 14, 2019

I want to clone a git repository into my k8s container.

I can get success with a GitHub repository. The yaml file looks like below:

apiVersion: v1
kind: Pod
metadata:
  name: syncrepo-volume-pod-test
spec:
  containers:
  - image: k8s.gcr.io/git-sync:v3.0.1
    name: test-server
    volumeMounts:
    - name: git-source
      mountPath: /tmp/git
    env:
    - name: GIT_SYNC_REPO
      value: https://github.com/myrepo.git  ##Changing value
    - name: GIT_SYNC_DEST
      value: git-sync
  volumes:
  - name: git-source
    emptyDir: {}

But when I change GIT_SYNC_REPO to a GitLab repository, an error comes out:

apiVersion: v1
kind: Pod
metadata:
  name: syncrepo-volume-pod-test
spec:
  containers:
  - image: k8s.gcr.io/git-sync:v3.0.1
    name: test-server
    volumeMounts:
    - name: git-source
      mountPath: /tmp/git
    env:
    - name: GIT_SYNC_REPO
      value: https://gitlab.privatedomain.com/myrepo.git  ##Changing value
    - name: GIT_SYNC_DEST
      value: git-sync
  volumes:
  - name: git-source
    emptyDir: {}

kubectl logs syncrepo-volume-pod-test says:

I0114 13:05:33.800696       1 main.go:179] starting up: ["/git-sync"]
E0114 13:05:33.841060       1 main.go:186] error syncing repo: error running command: exit status 128: "Cloning into '/tmp/git'...\nfatal: could not read Username for 'https://gitlab.privatedomain.com': No such device or address\n"

I can pass my gitlab account and gitlab password like below, but I think it's very insecure:

apiVersion: v1
kind: Pod
metadata:
  name: syncrepo-volume-pod-test
spec:
  containers:
  - image: k8s.gcr.io/git-sync:v3.0.1
    name: test-server
    volumeMounts:
    - name: git-source
      mountPath: /tmp/git
    env:
    - name: GIT_SYNC_REPO
      value: https://GIT_ID:GIT_PASS@gitlab.privatedomain.com/myrepo.git  ##Changing value
    - name: GIT_SYNC_DEST
      value: git-sync
  volumes:
  - name: git-source
    emptyDir: {}

I can see my account and password information in the pod description:
kubectl describe pod syncrepo-volume-pod-test

Name:         syncrepo-volume-pod-test
Namespace:    default
.
.
.

Restart Count:  0
    Requests:
      cpu:  100m
    Environment:
      GIT_SYNC_REPO:  https://realID:realPASSWORD@gitlab.privatedomain.com/myrepo.git  ##Not Good
      GIT_SYNC_DEST:  git-sync
    Mounts:
      /tmp/git from git-source (rw)

.
.
.

I read the docs about ssh https://github.com/kubernetes/git-sync/blob/master/docs/ssh.md
but it didn't work...

I also tried https, but I don't know what the gitcookie is...

Sorry, my English is bad.

Can you please give me some hints or help?

Thanks!
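The leak shown in the `kubectl describe pod` output above can be checked for across a cluster. This is an added example, not code from the thread or from git-sync: it scans data in the shape of `kubectl get pods -A -o json` for env values that carry a password in a URL or inline a secret-looking variable; the suffix list, the helper names and the sample pods are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

SENSITIVE_SUFFIXES = ("PASSWORD", "TOKEN", "SECRET")  # assumed naming convention

def redact(url):
    """Mask the userinfo part so the finding itself does not leak the secret."""
    parts = urlsplit(url)
    return parts._replace(netloc="***@" + parts.netloc.rpartition("@")[2]).geturl()

def has_url_password(value):
    """True if value parses as a URL with a password in its userinfo."""
    try:
        return "://" in value and bool(urlsplit(value).password)
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False

def scan_pods(pod_list):
    """Return (namespace, pod, container, env name, reason, safe value) tuples."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        where = (meta.get("namespace", "default"), meta["name"])
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                value = env.get("value")
                if not value:  # valueFrom (e.g. secretKeyRef) is not inlined
                    continue
                if has_url_password(value):
                    hit = ("credentials in URL", redact(value))
                elif env["name"].upper().endswith(SENSITIVE_SUFFIXES):
                    hit = ("literal secret value", "***")
                else:
                    continue
                findings.append(where + (c["name"], env["name"]) + hit)
    return findings

def _pod(name, env):  # builds a constructed sample pod
    return {"metadata": {"name": name, "namespace": "default"},
            "spec": {"containers": [{"name": "test-server", "env": env}]}}

# Constructed sample: one pod with inline credentials, one using secretKeyRef.
SAMPLE = {"items": [
    _pod("inline-creds", [{"name": "GIT_SYNC_REPO",
                           "value": "https://GIT_ID:GIT_PASS@gitlab.privatedomain.com/myrepo.git"}]),
    _pod("secret-ref", [{"name": "GIT_SYNC_REPO", "value": "https://gitlab.privatedomain.com/myrepo.git"},
                        {"name": "GIT_SYNC_PASSWORD",
                         "valueFrom": {"secretKeyRef": {"name": "git-creds", "key": "password"}}}]),
]}

if __name__ == "__main__":
    print(*scan_pods(SAMPLE), sep="\n")
```
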

@thockin
Member

thockin commented Jan 14, 2019 via email

@luckymagic7
Author

luckymagic7 commented Jan 15, 2019

@thockin
I made a k8s secret.

First, I scanned known_hosts from my GitLab server:
ssh-keyscan gitlab.privatedomain.com > /tmp/known_hosts

Second, I made a k8s secret:
kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa --from-file=known_hosts=/tmp/known_hosts

Write a yaml file:

apiVersion: v1
kind: Pod
metadata:
  name: syncrepo-volume-pod-test
spec:
  containers:
  - image: k8s.gcr.io/git-sync:v3.0.1
    name: test-server
    volumeMounts:
    - name: git-source
      mountPath: /tmp/git
    - name: git-secret
      mountPath: /etc/git-secret
    env:
    - name: GIT_SYNC_REPO
      value: https://gitlab.privatedomain.com/myrepo.git  ##Changing value
    - name: GIT_SYNC_DEST
      value: git-sync
    - name: GIT_SYNC_SSH
      value: "true"
  volumes:
  - name: git-secret
    secret:
      secretName: git-creds
      defaultMode: 256
  - name: git-source
    emptyDir: {}

make a pod: kubectl apply -f gitlab.yaml

describing pod:

Name:         syncrepo-volume-pod-test
Namespace:    default
.
.
.

Image:          k8s.gcr.io/git-sync:v3.0.1
    Image ID:       docker-pullable://k8s.gcr.io/git-sync@sha256:fc4152d373e79ca680704713f7b748dd25f63f87b4a17c4edfd7bb7bc5a11be0
    Port:           <none>
    Host Port:      <none>
    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Tue, 15 Jan 2019 11:26:18 +0900
      Finished:     Tue, 15 Jan 2019 11:26:18 +0900
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Tue, 15 Jan 2019 11:26:17 +0900
      Finished:     Tue, 15 Jan 2019 11:26:17 +0900
    Ready:          False
    Restart Count:  1
    Requests:
      cpu:  100m
    Environment:
      GIT_SYNC_REPO:  https://gitlab.privatedomain.com/myrepo.git
      GIT_SYNC_DEST:  git-sync
      GIT_SYNC_SSH:   true
    Mounts:
      /etc/git-secret from git-secret (rw)
      /tmp/git from git-source (rw)

.
.
.

Events:
  Type     Reason                 Age              From                                                      Message
  ----     ------                 ----             ----                                                      -------
  Normal   Scheduled              8s               default-scheduler                                         Successfully assigned syncrepo-volume-pod-test

.
.
.

 Normal   Pulled                 2s               kubelet, myclusterIP Container image "k8s.gcr.io/git-sync:v3.0.1" already present on machine
  Warning  BackOff                1s               kubelet, myclusterIP Back-off restarting failed container

logging pod:

I0115 02:26:18.619676       1 main.go:179] starting up: ["/git-sync"]
E0115 02:26:18.666985       1 main.go:186] error syncing repo: error running command: exit status 128: "Cloning into '/tmp/git'...\nfatal: could not read Username for 'https://gitlab.privatedomain.com': No such device or address\n"

How can I debug more?
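`ssh-keyscan` records whatever host key the network returns, so the `known_hosts` file that goes into the secret is worth comparing against a fingerprint read on the GitLab server itself. This added example (not from the thread or the git-sync project) computes OpenSSH-style SHA256 fingerprints from `ssh-keyscan` output and lists entries that are not in a trusted set; the key blob in the sample is constructed and is not a real host key.

```python
import base64
import hashlib

def fingerprints(known_hosts_text):
    """Map (host, key type) -> OpenSSH-style SHA256 fingerprint."""
    result = {}
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # ssh-keyscan banner comments
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, key_type, blob_b64 = fields[:3]
        try:
            blob = base64.b64decode(blob_b64, validate=True)
        except ValueError:  # not a base64 key blob: skip the line
            continue
        digest = hashlib.sha256(blob).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        for host in hosts.split(","):
            result[(host, key_type)] = fp
    return result

def unverified(known_hosts_text, trusted):
    """Return (host, key type) entries whose fingerprint is not in `trusted`."""
    scanned = fingerprints(known_hosts_text)
    return sorted(key for key, fp in scanned.items() if fp not in trusted)

# Constructed sample in ssh-keyscan's output format (placeholder key bytes).
_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE = ("# gitlab.privatedomain.com:22 SSH-2.0-OpenSSH\n"
          f"gitlab.privatedomain.com ssh-ed25519 {_BLOB}\n")

if __name__ == "__main__":
    for (host, key_type), fp in fingerprints(SAMPLE).items():
        print(host, key_type, fp)
```

The trusted set would come from running `ssh-keygen -lf` on the server's host public key files.
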

@luckymagic7
Author

luckymagic7 commented Jan 15, 2019

My GitLab server runs on Docker. I think that could be the cause of the problem.

And then, how can I ssh-keyscan my GitLab server on Docker? Too confusing...

@stp-ip
Member

stp-ip commented Jan 15, 2019

Don't use the https url. Use git/ssh instead: git@gitlab.privatedomain.com/myrepo.git

@luckymagic7
Author

My mistake... I’ll try using the ssh URL and follow up on the issue.

@luckymagic7
Author

After I changed my yaml to use the ssh address:

apiVersion: v1
kind: Pod
metadata:
  name: syncrepo-volume-pod-test
spec:
  containers:
  - image: k8s.gcr.io/git-sync:v3.0.1
    name: test-server
    volumeMounts:
    - name: git-source
      mountPath: /tmp/git
    - name: git-secret
      mountPath: /etc/git-secret
    env:
    - name: GIT_SYNC_REPO
      value: git@gitlab.privatedomain.com/myrepo.git
    - name: GIT_SYNC_DEST
      value: git-sync
    - name: GIT_SYNC_SSH
      value: "true"
  volumes:
  - name: git-secret
    secret:
      secretName: git-creds
      defaultMode: 256
  - name: git-source
    emptyDir: {}

the pod runs normally...

But I can't see my git repo contents in the pod.
kubectl exec -it syncrepo-volume-pod-test ls /tmp/git

Nothing comes out... 😢

@stp-ip
Member

stp-ip commented Jan 15, 2019

What do your logs (kubectl logs syncrepo-volume-pod-test) say?

@luckymagic7
Author

I0115 12:26:23.354464       1 main.go:179] starting up: ["/git-sync"]
E0115 12:28:30.714449       1 main.go:186] error syncing repo: error running command: exit status 128: "Cloning into '/tmp/git'...\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"

@luckymagic7
Author

Oh, and the pod died again...
syncrepo-volume-pod-test 0/1 CrashLoopBackOff 9 43m

@stp-ip
Member

stp-ip commented Jan 15, 2019

Can't reproduce this last failure. Seems to work with my test setup.
Hard to pinpoint the issue without reproduction.
What does your known_hosts file look like?
Can you git clone via ssh in an alpine container in the same cluster?
kubectl run -it alpine --image=alpine -- sh
# apk add --no-cache git openssh-client

@luckymagic7
Author

luckymagic7 commented Jan 15, 2019

No, I can't clone my repo in Alpine Linux...

kubectl run -it alpine --image=alpine -- sh
# apk add --no-cache git openssh-client
# ssh-keygen

I added the id_rsa.pub key to my GitLab account, and:

# git clone git@gitlab.privatedomain.com/myrepo.git
Cloning into 'myrepo'...

ssh: connect to host gitlab.privatedomain.com port 22: Operation timed out
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I think my git repo has a problem... In my company, we set up the GitLab server with Docker.
Below is the docker ps output:

CONTAINER ID        IMAGE                         COMMAND                  CREATED             STATUS                 PORTS                                                          NAMES
277461d7be33        gitlab/gitlab-ce              "/assets/wrapper"        7 months ago        Up 6 weeks (healthy)   0.0.0.0:22->22/tcp, 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   company_gitlab_1

@luckymagic7
Author

@thockin @stp-ip
I'll close the issue. I heard that our GitLab repository's port 22 is blocked because of a security issue.

I think I can use https by @thockin

Thanks again guys!!

@luckymagic7
Author

apiVersion: v1
kind: Pod
metadata:
  name: syncrepo-volume-pod-test
spec:
  containers:
  - image: k8s.gcr.io/git-sync:v3.0.1
    name: test-server
    volumeMounts:
    - name: git-source
      mountPath: /tmp/git
    env:
    - name: GIT_SYNC_REPO
      value: https://gitlab.privatedomain.com/myrepo.git  ##Changing value
    - name: GIT_SYNC_BRANCH
      value: production
    - name: GIT_SYNC_DEPTH
      value: "1"
    - name: GIT_SYNC_DEST
      value: git-sync
    - name: GIT_SYNC_USERNAME
      valueFrom:
        secretKeyRef:
          name: git-creds
          key: username
    - name: GIT_SYNC_PASSWORD
      valueFrom:
        secretKeyRef:
          name: git-creds
          key: password
  volumes:
  - name: git-source
    emptyDir: {}
