diff --git a/Dockerfile.in b/Dockerfile.in
index 5a26983..e023562 100644
--- a/Dockerfile.in
+++ b/Dockerfile.in
@@ -19,15 +19,11 @@ MAINTAINER Tim Hockin
 ADD bin/ARG_ARCH/ARG_BIN /ARG_BIN
 ENV GIT_SYNC_DEST /git
-# Move the existing SSH binary, then replace it with the wrapper script
 RUN apk update --no-cache && apk add \
     ca-certificates \
     coreutils \
     git \
     openssh-client
-RUN mv /usr/bin/ssh /usr/bin/ssh-binary
-ADD ssh-wrapper.sh /usr/bin/ssh
-RUN chmod 755 /usr/bin/ssh
 USER nobody:nobody
 ENTRYPOINT ["/ARG_BIN"]
diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
index 70c46c6..7832b00 100644
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@@ -471,7 +471,9 @@ func setupGitAuth(username, password, gitURL string) error {
 func setupGitSSH() error {
 	log.V(1).Infof("setting up git SSH credentials")
-	fileInfo, err := os.Stat("/etc/git-secret/ssh")
+	var pathToSSHSecret = "/etc/git-secret/ssh"
+
+	fileInfo, err := os.Stat(pathToSSHSecret)
 	if err != nil {
 		return fmt.Errorf("error: could not find SSH key Secret: %v", err)
 	}
@@ -480,5 +482,11 @@ func setupGitSSH() error {
 		return fmt.Errorf("Permissions %s for SSH key are too open. It is recommended to mount secret volume with `defaultMode: 256` (decimal number for octal 0400).", fileInfo.Mode())
 	}
 
+	//set env variable GIT_SSH_COMMAND to force git use customized ssh command
+	err = os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i %s", pathToSSHSecret))
+	if err != nil {
+		return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err)
+	}
+
 	return nil
 }
diff --git a/ssh-wrapper.sh b/ssh-wrapper.sh
deleted file mode 100644
index d5408b4..0000000
--- a/ssh-wrapper.sh
+++ /dev/null
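Review bot: `pathToSSHSecret` on the added `var` line is never reassigned anywhere in the function, so `const pathToSSHSecret = "/etc/git-secret/ssh"` states the intent more precisely and lets the compiler reject an accidental write later on. The `var x = literal` form at function scope also reads as an unidiomatic substitute for `x := literal`, which is a second reason to prefer the constant. setupGitSSH continues in the next hunk.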
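Review bot: The `GIT_SSH_COMMAND` built on the added `os.Setenv` line passes `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, which disables host-key verification entirely, so anyone able to redirect the connection (DNS, a compromised hop, a rogue in-cluster service) can impersonate the git server and have the sidecar sync attacker-controlled repository content; the commit inherits these flags from the deleted ssh-wrapper.sh rather than introducing them, but porting them into Go is the natural point to close the gap. A cheap improvement is to honour a known_hosts file mounted next to the key (a `/etc/git-secret/known_hosts` path is one choice — confirm against the manifests this image ships with) and fall back to the unverified options, with a logged warning, only when it is absent; the rewritten lines are below. Separately, `pathToSSHSecret` is interpolated into a string the shell will word-split, which is safe today only because it is a fixed literal, so a comment such as `// pathToSSHSecret is a fixed literal; if it ever becomes configurable it must be shell-quoted before being placed in GIT_SSH_COMMAND` would keep that invariant visible. setupGitSSH begins in the previous hunk.
```go
	// … unchanged: stat and permission check on pathToSSHSecret …

	// Verify the remote's host key when a known_hosts file is mounted next to
	// the key; only fall back to the unverified mode when none is present.
	hostKeyOpts := "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
	knownHostsPath := "/etc/git-secret/known_hosts"
	if _, statErr := os.Stat(knownHostsPath); statErr == nil {
		hostKeyOpts = fmt.Sprintf("-o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes", knownHostsPath)
	} else {
		log.V(1).Infof("no known_hosts file at %s; SSH host key verification is disabled", knownHostsPath)
	}
	// pathToSSHSecret is a fixed literal; quote it before use if it ever becomes configurable.
	if err := os.Setenv("GIT_SSH_COMMAND", fmt.Sprintf("ssh -q %s -i %s", hostKeyOpts, pathToSSHSecret)); err != nil {
		return fmt.Errorf("Failed to set the GIT_SSH_COMMAND env var: %v", err)
	}
```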
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-# Copyright 2016 The Kubernetes Authors All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This script wraps the standard SSH binary so that the mounted SSH key can be used without user confirmation.
-# In the Dockerfile, the original SSH binary is moved to /usr/bin/ssh-binary (and is then used as the base command here).
-# This script is moved to /usr/bin/ssh so that Git uses it by default.
-
-# The "UserKnownHostsFile" and "StrictHostKeyChecking" options avoid the user confirmation check.
-# The -i flag specifies where the SSH key is located.
-
-secret_path=/etc/git-secret/ssh
-ssh-binary -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i $secret_path "$@"