kubernetes
/
git-sync
mirror of https://github.com/kubernetes/git-sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use secure defaults (check hostkeys)

This commit is contained in:
Pieter Lange 2017-04-21 15:09:37 +02:00
parent 1e31f00426
commit 3b8bf0308c
2 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/git-sync/main.go
View File

@ -472,6 +472,7 @@ func setupGitSSH() error {
log.V(1).Infof("setting up git SSH credentials")
var pathToSSHSecret = "/etc/git-secret/ssh"
var pathToSSHKnownHosts = "/etc/git-secret/known_hosts"
fileInfo, err := os.Stat(pathToSSHSecret)
if err != nil {
@ -483,7 +484,7 @@ func setupGitSSH() error {
}
//set env variable GIT_SSH_COMMAND to force git use customized ssh command
err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret))
err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=%s -i %s", pathToSSHKnownHosts, pathToSSHSecret))
if err != nil {
return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err)
}

13
docs/ssh.md
View File

@ -6,15 +6,21 @@ Git-sync supports using the SSH protocol for pulling git content.
Create a Secret to store your SSH private key, with the Secret keyed as "ssh". This can be done one of two ways:
***Method 1:***
Obtain the host keys for your git server:
```
ssh-keyscan $YOUR_GIT_HOST > /tmp/known_hosts
```
Use the ``kubectl create secret`` command and point to the file on your filesystem that stores the key. Ensure that the file is mapped to "ssh" as shown (the file can be located anywhere).
```
kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa
kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa --from-file=known_hosts=/tmp/known_hosts
```
***Method 2:***
Write a config file for a Secret that holds your SSH private key, with the key (pasted as plaintext) mapped to the "ssh" field.
Write a config file for a Secret that holds your SSH private key, with the key (pasted in base64 encoded plaintext) mapped to the "ssh" field.
```
{
"kind": "Secret",
@ -23,7 +29,8 @@ Write a config file for a Secret that holds your SSH private key, with the key (
"name": "git-creds"
},
"data": {
"ssh": <private-key>
"ssh": <base64 encoded private-key>
"known_hosts": <base64 encoded known_hosts>
}
```