How to clone private GitHub repository inside a Pod in Kubernetes using Secrets #3

Open
rushabh31 opened this issue Jul 20, 2020 · 0 comments

This is a step-by-step guide to help you clone a private GitHub repository inside a Pod in a Kubernetes Argo workflow.

Table of Contents

- Create a secret with .ssh keys using kubectl
- Use the secret inside a YAML file

Prerequisites

- minikube or Kubernetes and Argo workflow up and running (refer to the previous blog for installation).
- Basic understanding of Kubernetes.

What are Secrets in Kubernetes:

Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible than putting it verbatim in a Pod specification or in a container image.

A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image.

To use a secret, a pod needs to reference the secret. A secret can be used with a Pod in three ways:

- As files in a volume mounted on one or more of its containers.
- As a container environment variable.
- By the kubelet when pulling images for the Pod.

Steps to create a Secret for .ssh keys.

We want to use the .ssh keys inside a Pod to clone a private repository. To share the .ssh keys with the Pod, we need to create a secret using the command below.

**Note:** Replace the paths below with the actual paths to your .ssh keys.

1. Create a secret:

```bash
kubectl create secret generic --namespace nsname ssh-key-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub
```

Once you create the secret using the above command, you will see the message below.

```
secret "ssh-key-secret" created
```

2. Describe a secret:

```bash
kubectl describe secret ssh-key-secret
# if the secret is in a particular namespace (as created above), use this:
kubectl describe secret --namespace nsname ssh-key-secret
```

3. Get a list of all secrets available:

To get a list of all defined secrets, you can use the command below.

```bash
kubectl get secret
# if you want to list all secrets in a particular namespace then use this:
kubectl get secret -n nsname
```

Use secrets inside YAML:

Now you can create a Pod which references the secret with the ssh key and consumes it in a volume.

**Note:** I am using the Argo Workflow template.

1. Create a YAML file with the appropriate parameters to access the secret inside the Pod:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: dag-ssh-test
spec:
  entrypoint: ssh-test
  # Volume backed by the secret created above
  volumes:
  - name: my-secret-vol
    secret:
      secretName: ssh-key-secret

  templates:
  - name: ssh-test
    dag:
      tasks:
      - name: p1
        template: p1

  - name: p1
    container:
      image: python:3.7.4-buster
      # Each key of the secret appears as a file under /.ssh/
      volumeMounts:
      - name: my-secret-vol
        mountPath: "/.ssh/"
      command:
        - "bash"
        - "-c"
        - >
          apt-get update;
          apt-get install jq -y;
```

2. Run the YAML file using the Argo CLI command below:

```bash
argo submit -n argo job.yaml
```

When the container's command runs, the pieces of the secret key will be available in:

```
/.ssh/ssh-publickey
/.ssh/ssh-privatekey
```

The container is then free to use the secret data to establish an ssh connection.

Using the above secret to clone a private GitHub repository.

1. The YAML below uses the ssh secret to clone a private GitHub repository:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: dag-ssh-test
spec:
  entrypoint: ssh-test
  volumes:
  - name: my-secret-vol
    secret:
      secretName: ssh-key-secret

  templates:
  - name: ssh-test
    dag:
      tasks:
      - name: p1
        template: p1

  - name: p1
    container:
      image: python:3.7.4-buster
      volumeMounts:
      - name: my-secret-vol
        mountPath: "/.ssh/"
      # The private key is mounted as /.ssh/ssh-privatekey (the key name used
      # when the secret was created). It is copied to /root/.ssh/id_rsa, where
      # ssh looks for it by default.
      # Replace OWNER/repo_name with your repository (OWNER is a placeholder).
      command:
        - "bash"
        - "-c"
        - >
          apt-get update;
          apt-get install jq -y;
          SSH_PRIVATE_KEY=$(</.ssh/ssh-privatekey);
          mkdir -p /root/.ssh;
          echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa;
          touch /root/.ssh/known_hosts;
          ssh-keyscan github.com >> /root/.ssh/known_hosts;
          chmod 400 /root/.ssh/id_rsa;
          git clone git@github.com:OWNER/repo_name.git /opt/app;
```

**Note:** You can access your GitHub repository at the /opt/app path.
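A hardened variant of the clone workflow above, as an added example that is not part of the original post: it projects only the private key and a pre-verified known_hosts file from the Secret, mounts them read-only with mode 0400, and points git at them through GIT_SSH_COMMAND, so the key is not copied through a shell variable and the host key is pinned rather than accepted from ssh-keyscan at run time. The `known_hosts` key in the Secret, the `/etc/git-ssh` mount path, the workflow name and `OWNER` are assumptions.

```yaml
# Added example, not from the original post.
# Assumption: ssh-key-secret also carries a "known_hosts" key holding GitHub's
# host key, checked beforehand against GitHub's published fingerprints, e.g.
#   kubectl create secret generic -n nsname ssh-key-secret \
#     --from-file=ssh-privatekey=/path/to/.ssh/id_rsa \
#     --from-file=known_hosts=/path/to/verified_known_hosts
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: dag-ssh-clone            # hypothetical name
spec:
  entrypoint: clone
  volumes:
  - name: my-secret-vol
    secret:
      secretName: ssh-key-secret
      defaultMode: 0400          # owner read-only; ssh rejects keys readable by others
      items:                     # project only the files the clone needs
      - key: ssh-privatekey
        path: id_rsa
      - key: known_hosts
        path: known_hosts
  templates:
  - name: clone
    container:
      image: python:3.7.4-buster
      volumeMounts:
      - name: my-secret-vol
        mountPath: /etc/git-ssh  # hypothetical mount path
        readOnly: true
      env:
      - name: GIT_SSH_COMMAND    # git runs this instead of plain "ssh"
        value: >-
          ssh -i /etc/git-ssh/id_rsa
          -o IdentitiesOnly=yes
          -o UserKnownHostsFile=/etc/git-ssh/known_hosts
          -o StrictHostKeyChecking=yes
      command:
      - git
      - clone
      - "git@github.com:OWNER/repo_name.git"   # OWNER is a placeholder
      - /opt/app
```

With `StrictHostKeyChecking=yes`, the clone fails if the server's host key does not match the pinned entry, instead of silently trusting whatever key is presented.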
