如何使用秘密中的ssh密钥将私有git存储库克隆到kubernetes容器中? | 使用秘密中的ssh密钥将私有git存储库克隆到kubernete

本文介绍了如何使用秘密中的ssh密钥将私有git存储库克隆到kubernetes容器中?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我正在尝试使用SSH密钥将私有git仓库(gitLab)克隆到kubernetes pod中.我将密钥存储在一个秘密中.这是执行所需任务的作业的yaml文件.

I am trying to clone a private git repository(gitLab) into a kubernetes pod, using SSH keys for authentication. I have stored my keys in a secret. Here is the yaml file for the job that does the desired task.

这里有相同的问题，但没有给出确切的解决方案:

Heres the same question, but doesnt give the exact solution :

在Kubernetes容器中克隆安全的git仓库

执行后初始化容器的日志:

Logs of the init container after execution:

fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
v3.7.1-66-gfc22ab4fd3 [http://dl-cdn.alpinelinux.org/alpine/v3.7/main]
v3.7.1-55-g7d5f104fa7 [http://dl-cdn.alpinelinux.org/alpine/v3.7/community]
OK: 9064 distinct packages available
OK: 23 MiB in 23 packages
Cloning into '/tmp'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

非常适合公共回购的yaml文件:

The yaml file which works perfectly for public repo:

apiVersion: batch/v1
kind: Job
metadata:
  name: nest-build-kaniko
  labels:
    app: nest-kaniko-example
spec:
  template:
    spec:
      containers:
        -
          image: 'gcr.io/kaniko-project/executor:latest'
          name: kaniko
          args: ["--dockerfile=/workspace/Dockerfile",
                "--context=/workspace/",
                "--destination=aws.dest.cred"]
          volumeMounts:
            -
              mountPath: /workspace
              name: source
            -
              name: aws-secret
              mountPath: /root/.aws/
            -
              name: docker-config
              mountPath: /kaniko/.docker/
      initContainers:
        -
          name: download
          image: alpine:3.7
          command: ["/bin/sh","-c"]
          args: ['apk add --no-cache git && git clone https://github.com/username/repo.git /tmp/']
          volumeMounts:
            -
              mountPath: /tmp
              name: source
      restartPolicy: Never
      volumes:
        -
          emptyDir: {}
          name: source
        -
          name: aws-secret
          secret:
            secretName: aws-secret
        -
          name: docker-config
          configMap:
            name: docker-config

使用git-sync克隆私有存储库后的yaml文件:

The yaml file after using git-sync for cloning private repository:

apiVersion: batch/v1
kind: Job
metadata:
  name: nest-build-kaniko
  labels:
    app: nest-kaniko-example
spec:
  template:
    spec:
      containers:
        -
          image: 'gcr.io/kaniko-project/executor:latest'
          name: kaniko
          args: ["--dockerfile=/workspace/Dockerfile",
                "--context=/workspace/",
                "--destination=aws.dest.cred"]
          volumeMounts:
            -
              mountPath: /workspace
              name: source
            -
              name: aws-secret
              mountPath: /root/.aws/
            -
              name: docker-config
              mountPath: /kaniko/.docker/
      initContainers:
        -
          name: git-sync
          image: gcr.io/google_containers/git-sync-amd64:v2.0.4
          volumeMounts:
            -
              mountPath: /git/tmp
              name: source
            -
              name: git-secret
              mountPath: "/etc/git-secret"
          env:
            - name: GIT_SYNC_REPO
              value: "[email protected]:username/repo.git"
            - name: GIT_SYNC_SSH
              value: "true"
            - name: GIT_SYNC_DEST
              value: "/tmp"
            - name: GIT_SYNC_ONE_TIME
              value: "true"
          securityContext:
            runAsUser: 0
      restartPolicy: Never
      volumes:
        -
          emptyDir: {}
          name: source
        -
          name: aws-secret
          secret:
            secretName: aws-secret
        -
          name: git-secret
          secret:
            secretName: git-creds
            defaultMode: 256
        -
          name: docker-config
          configMap:
            name: docker-config

推荐答案

您可以使用 git-sync

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: git-sync-test
spec:
  selector:
    matchLabels:
      app: git-sync-test
  serviceName: "git-sync-test"
  replicas: 1
  template:
    metadata:
      labels:
        app: git-sync-test
    spec:
      containers:
      - name: git-sync-test
        image: <your-main-image>
        volumeMounts:
        - name: service
          mountPath: /var/magic
      initContainers:
      - name: git-sync
        image: k8s.gcr.io/git-sync-amd64:v2.0.6
        imagePullPolicy: Always
        volumeMounts:
        - name: service
          mountPath: /magic
        - name: git-secret
          mountPath: /etc/git-secret
        env:
        - name: GIT_SYNC_REPO
          value: <repo-path-you-want-to-clone>
        - name: GIT_SYNC_BRANCH
          value: <repo-branch>
        - name: GIT_SYNC_ROOT
          value: /magic
        - name: GIT_SYNC_DEST
          value: <path-where-you-want-to-clone>
        - name: GIT_SYNC_PERMISSIONS
          value: "0777"
        - name: GIT_SYNC_ONE_TIME
          value: "true"
        - name: GIT_SYNC_SSH
          value: "true"
        securityContext:
          runAsUser: 0
      volumes:
      - name: service
        emptyDir: {}
      - name: git-secret
        secret:
          defaultMode: 256
          secretName: git-creds # your-ssh-key

有关更多详细信息，请单击此链接.

For more details check this link.

这篇关于如何使用秘密中的ssh密钥将私有git存储库克隆到kubernetes容器中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！