kubernetes
/
git-sync
mirror of https://github.com/kubernetes/git-sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add feature flag to enable ssh host key verification.

This commit is contained in:
Pieter Lange 2017-04-24 10:11:44 +02:00
parent 3b8bf0308c
commit 899cf5974e
2 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
cmd/git-sync/main.go
View File

@ -66,6 +66,8 @@ var flPassword = flag.String("password", envString("GIT_SYNC_PASSWORD", ""),
var flSSH = flag.Bool("ssh", envBool("GIT_SYNC_SSH", false), var flSSH = flag.Bool("ssh", envBool("GIT_SYNC_SSH", false),
"use SSH for git operations") "use SSH for git operations")
var flSSHKnownHosts = flag.Bool("ssh-known-hosts", envBool("GIT_KNOWN_HOSTS", false),
"enable SSH known_hosts verification")
var log = newLoggerOrDie() var log = newLoggerOrDie()
@ -152,7 +154,7 @@ func main() {
} }
if *flSSH { if *flSSH {
if err := setupGitSSH(); err != nil { if err := setupGitSSH(*flSSHKnownHosts); err != nil {
fmt.Fprintf(os.Stderr, "ERROR: can't configure SSH: %v\n", err) fmt.Fprintf(os.Stderr, "ERROR: can't configure SSH: %v\n", err)
os.Exit(1) os.Exit(1)
} }
@ -468,7 +470,7 @@ func setupGitAuth(username, password, gitURL string) error {
return nil return nil
} }
func setupGitSSH() error { func setupGitSSH(setupKnownHosts bool) error {
log.V(1).Infof("setting up git SSH credentials") log.V(1).Infof("setting up git SSH credentials")
var pathToSSHSecret = "/etc/git-secret/ssh" var pathToSSHSecret = "/etc/git-secret/ssh"
@ -483,8 +485,18 @@ func setupGitSSH() error {
return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode()) return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
} }
//set env variable GIT_SSH_COMMAND to force git use customized ssh command if setupKnownHosts {
_, err := os.Stat(pathToSSHKnownHosts)
if err != nil {
return fmt.Errorf("error: could not find SSH known_hosts file: %v", err)
}
err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=%s -i %s", pathToSSHKnownHosts, pathToSSHSecret)) err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=%s -i %s", pathToSSHKnownHosts, pathToSSHSecret))
} else {
err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret))
}
//set env variable GIT_SSH_COMMAND to force git use customized ssh command
if err != nil { if err != nil {
return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err) return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err)
} }

2
docs/ssh.md
View File

@ -39,6 +39,8 @@ Create the Secret using ``kubectl create -f``.
kubectl create -f /path/to/secret-config.json kubectl create -f /path/to/secret-config.json
``` ```
Invoke the `git-sync` binary with the `-ssh-known-hosts` parameter to enforce `known_hosts` checking. This will be enabled by default in a future release.
## Step 2: Configure Pod/Deployment Volume ## Step 2: Configure Pod/Deployment Volume
In your Pod or Deployment configuration, specify a Volume for mounting the Secret. Ensure that secretName matches the name you used when creating the Secret (e.g. "git-creds" used in both above examples). In your Pod or Deployment configuration, specify a Volume for mounting the Secret. Ensure that secretName matches the name you used when creating the Secret (e.g. "git-creds" used in both above examples).