Merge pull request #58 from pieterlange/fix/check-hostkeys

Use secure defaults (check hostkeys)
Tim Hockin 2017-04-24 17:51:18 -07:00 committed by GitHub
commit 433fe7a28c
2 changed files with 28 additions and 6 deletions


@ -66,6 +66,8 @@ var flPassword = flag.String("password", envString("GIT_SYNC_PASSWORD", ""),
var flSSH = flag.Bool("ssh", envBool("GIT_SYNC_SSH", false), var flSSH = flag.Bool("ssh", envBool("GIT_SYNC_SSH", false),
"use SSH for git operations") "use SSH for git operations")
var flSSHKnownHosts = flag.Bool("ssh-known-hosts", envBool("GIT_KNOWN_HOSTS", false),
"enable SSH known_hosts verification")
var log = newLoggerOrDie() var log = newLoggerOrDie()
@ -152,7 +154,7 @@ func main() {
} }
if *flSSH { if *flSSH {
if err := setupGitSSH(); err != nil { if err := setupGitSSH(*flSSHKnownHosts); err != nil {
fmt.Fprintf(os.Stderr, "ERROR: can't configure SSH: %v\n", err) fmt.Fprintf(os.Stderr, "ERROR: can't configure SSH: %v\n", err)
os.Exit(1) os.Exit(1)
} }
@ -468,10 +470,11 @@ func setupGitAuth(username, password, gitURL string) error {
return nil return nil
} }
func setupGitSSH() error { func setupGitSSH(setupKnownHosts bool) error {
log.V(1).Infof("setting up git SSH credentials") log.V(1).Infof("setting up git SSH credentials")
var pathToSSHSecret = "/etc/git-secret/ssh" var pathToSSHSecret = "/etc/git-secret/ssh"
var pathToSSHKnownHosts = "/etc/git-secret/known_hosts"
fileInfo, err := os.Stat(pathToSSHSecret) fileInfo, err := os.Stat(pathToSSHSecret)
if err != nil { if err != nil {
@ -482,8 +485,18 @@ func setupGitSSH() error {
return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode()) return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
} }
if setupKnownHosts {
_, err := os.Stat(pathToSSHKnownHosts)
if err != nil {
return fmt.Errorf("error: could not find SSH known_hosts file: %v", err)
}
err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=%s -i %s", pathToSSHKnownHosts, pathToSSHSecret))
} else {
err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret))
}
//set env variable GIT_SSH_COMMAND to force git use customized ssh command //set env variable GIT_SSH_COMMAND to force git use customized ssh command
err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret))
if err != nil { if err != nil {
return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err) return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err)
} }
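Review bot: In the new `if setupKnownHosts` branch, `_, err := os.Stat(pathToSSHKnownHosts)` declares a fresh `err` scoped to that block, so the following `err = os.Setenv("GIT_SSH_COMMAND", ...)` writes to the shadowed variable and the `if err != nil` check after the block only sees the outer `err`, which the earlier `os.Stat(pathToSSHSecret)` left nil; a Setenv failure in the known_hosts path is therefore silently dropped. Folding the stat into the condition, `if _, err := os.Stat(pathToSSHKnownHosts); err != nil {`, removes the shadow so the later assignment reaches the outer `err` and the existing check fires. The known_hosts ssh command also leaves `StrictHostKeyChecking` at ssh's default, which in a non-interactive container presumably fails rather than prompts for an unknown host, but appending `-o StrictHostKeyChecking=yes` to that Sprintf makes the verification intent explicit instead of relying on that behaviour. The new `GIT_KNOWN_HOSTS` environment name in the first hunk also breaks the `GIT_SYNC_` prefix used by the neighbouring `GIT_SYNC_SSH` and `GIT_SYNC_PASSWORD` flags. setupGitSSH continues past the end of this hunk.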


@ -6,15 +6,21 @@ Git-sync supports using the SSH protocol for pulling git content.
Create a Secret to store your SSH private key, with the Secret keyed as "ssh". This can be done one of two ways: Create a Secret to store your SSH private key, with the Secret keyed as "ssh". This can be done one of two ways:
***Method 1:*** ***Method 1:***
Obtain the host keys for your git server:
```
ssh-keyscan $YOUR_GIT_HOST > /tmp/known_hosts
```
Use the ``kubectl create secret`` command and point to the file on your filesystem that stores the key. Ensure that the file is mapped to "ssh" as shown (the file can be located anywhere). Use the ``kubectl create secret`` command and point to the file on your filesystem that stores the key. Ensure that the file is mapped to "ssh" as shown (the file can be located anywhere).
``` ```
kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa kubectl create secret generic git-creds --from-file=ssh=~/.ssh/id_rsa --from-file=known_hosts=/tmp/known_hosts
``` ```
***Method 2:*** ***Method 2:***
Write a config file for a Secret that holds your SSH private key, with the key (pasted as plaintext) mapped to the "ssh" field. Write a config file for a Secret that holds your SSH private key, with the key (pasted in base64 encoded plaintext) mapped to the "ssh" field.
``` ```
{ {
"kind": "Secret", "kind": "Secret",
@ -23,7 +29,8 @@ Write a config file for a Secret that holds your SSH private key, with the key (
"name": "git-creds" "name": "git-creds"
}, },
"data": { "data": {
"ssh": <private-key> "ssh": <base64 encoded private-key>
"known_hosts": <base64 encoded known_hosts>
} }
``` ```
@ -32,6 +39,8 @@ Create the Secret using ``kubectl create -f``.
kubectl create -f /path/to/secret-config.json kubectl create -f /path/to/secret-config.json
``` ```
Invoke the `git-sync` binary with the `-ssh-known-hosts` parameter to enforce `known_hosts` checking. This will be enabled by default in a future release.
## Step 2: Configure Pod/Deployment Volume ## Step 2: Configure Pod/Deployment Volume
In your Pod or Deployment configuration, specify a Volume for mounting the Secret. Ensure that secretName matches the name you used when creating the Secret (e.g. "git-creds" used in both above examples). In your Pod or Deployment configuration, specify a Volume for mounting the Secret. Ensure that secretName matches the name you used when creating the Secret (e.g. "git-creds" used in both above examples).