Description
This is a step-by-step guide to cloning a private GitHub repository inside a Pod in a Kubernetes Argo workflow.
Table of Contents
- Create a secret with .ssh keys using kubectl
- Using the secret inside a YAML file to access the secret.
Prerequisites
- minikube or Kubernetes and Argo workflow up and running (refer to the previous blog for installation).
- Basic understanding of Kubernetes.
What are Secrets in Kubernetes:
Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible.
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image.
To use a secret, a pod needs to reference the secret. A secret can be used with a Pod in three ways:
- As files in a volume mounted on one or more of its containers.
- As a container environment variable.
- By the kubelet when pulling images for the Pod.
Steps to create a Secret for .ssh keys.
We want to use the .ssh keys inside a Pod to clone a private repository. To share the .ssh keys with the Pod, we need to create a secret using the command below.
Note: Replace the paths below with the actual paths to your .ssh keys.
- Create a secret:
kubectl create secret generic --namespace nsname ssh-key-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub
Once you create a secret using the above command, you will see the message below.
secret "ssh-key-secret" created
- Describe a secret:
kubectl describe secret ssh-key-secret
kubectl describe secret --namespace nsname ssh-key-secret
- Get a list of all secrets available:
To get a list of all defined secrets, you can use the command below.
kubectl get secret
# if you want to list all secrets in a particular namespace then use this:
kubectl get secret -n nsname
Use secrets inside YAML:
Now you can create a Pod which references the secret with the ssh key and consumes it in a volume.
Note: I am using the Argo Workflow template.
- Create a YAML file with the appropriate parameters to access the secret inside the Pod:
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: dag-ssh-test
spec:
  entrypoint: ssh-test
  volumes:
    - name: my-secret-vol
      secret:
        secretName: ssh-key-secret
  templates:
    - name: ssh-test
      dag:
        tasks:
          - name: p1
            template: p1
    - name: p1
      container:
        image: python:3.7.4-buster
        volumeMounts:
          - name: my-secret-vol
            mountPath: "/.ssh/"
        command:
          - "bash"
          - "-c"
          - >
            apt-get update;
            apt-get install jq -y;
- Run the YAML file using the Argo CLI command below (the secret must exist in the same namespace the workflow is submitted to):
argo submit -n argo job.yaml
When the container's command runs, the pieces of the secret key will be available in:
/.ssh/ssh-publickey
/.ssh/ssh-privatekey
The container is then free to use the secret data to establish an ssh connection.
Using the above secret to clone a private GitHub repository.
- The YAML below uses the ssh secret to clone a private GitHub repository:
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: dag-ssh-test
spec:
  entrypoint: ssh-test
  volumes:
    - name: my-secret-vol
      secret:
        secretName: ssh-key-secret
  templates:
    - name: ssh-test
      dag:
        tasks:
          - name: p1
            template: p1
    - name: p1
      container:
        image: python:3.7.4-buster
        volumeMounts:
          - name: my-secret-vol
            mountPath: "/.ssh/"
        command:
          - "bash"
          - "-c"
          # The private key is read from the mounted secret file /.ssh/ssh-privatekey.
          # OWNER/repo_name is a placeholder: replace it with your repository.
          - >
            apt-get update;
            apt-get install jq -y;
            SSH_PRIVATE_KEY=$(</.ssh/ssh-privatekey);
            mkdir -p /root/.ssh;
            echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa;
            touch /root/.ssh/known_hosts;
            ssh-keyscan github.com >> /root/.ssh/known_hosts;
            chmod 400 /root/.ssh/id_rsa;
            git clone git@github.com:OWNER/repo_name.git /opt/app;
Note: You can access your GitHub repository at the /opt/app path.
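A hardened variant of the workflow above, added here as an example and not taken from the original post: it mounts only the private key, read-only with mode 0400, instead of copying it into /root/.ssh, and compares the host key returned by ssh-keyscan against a pinned fingerprint before cloning. The names `clone-private-repo-`, `ssh-key`, `/etc/ssh-key`, `EXPECTED_FP` and `OWNER/repo_name` are assumptions; `EXPECTED_FP` is a placeholder to be replaced with the ED25519 fingerprint GitHub publishes in its documentation.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: clone-private-repo-      # hypothetical name
spec:
  entrypoint: clone
  volumes:
    - name: ssh-key
      secret:
        secretName: ssh-key-secret       # the secret created earlier on this page
        defaultMode: 0400                # owner read-only, so ssh accepts the key file as-is
        items:
          - key: ssh-privatekey          # project only the private key; the public key is not needed
            path: id_rsa
  templates:
    - name: clone
      container:
        image: python:3.7.4-buster
        volumeMounts:
          - name: ssh-key
            mountPath: /etc/ssh-key      # hypothetical mount point
            readOnly: true
        env:
          - name: EXPECTED_FP            # placeholder, not a real fingerprint
            value: "SHA256:REPLACE_WITH_GITHUB_PUBLISHED_ED25519_FINGERPRINT"
          - name: GIT_SSH_COMMAND        # git uses this ssh invocation for the clone
            value: >-
              ssh -i /etc/ssh-key/id_rsa -o IdentitiesOnly=yes
              -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/tmp/known_hosts
        command: ["bash", "-c"]
        args:
          - |
            set -euo pipefail
            # Fetch the host key, then refuse to continue unless it matches the pin.
            ssh-keyscan -t ed25519 github.com > /tmp/known_hosts
            got=$(ssh-keygen -lf /tmp/known_hosts | awk '{print $2}')
            if [ "$got" != "$EXPECTED_FP" ]; then
              echo "github.com host key fingerprint mismatch: $got" >&2
              exit 1
            fi
            # OWNER/repo_name is a placeholder for your repository.
            git clone git@github.com:OWNER/repo_name.git /opt/app
```

Because the workflow uses `generateName`, submit it with `argo submit` as before; the private key never leaves the read-only secret volume and is never written to the container filesystem.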