diff --git a/docs/askpass-url.md b/docs/askpass-url.md
index f226dda..841cc47 100644
--- a/docs/askpass-url.md
+++ b/docs/askpass-url.md
@@ -2,9 +2,9 @@
 ## Step 1: Create a GIT_ASKPASS HTTP Service
-The GIT ASKPASS Service expose via HTTP and provide the answer to GIT_ASKPASS.
+The GIT ASKPASS Service is exposed via HTTP and provide the answer to GIT_ASKPASS.
-Example of the servcie's output, see more at
+Example of the service's output, see more at
 ```json
 username=xxx@example.com
@@ -18,23 +18,19 @@ In your git-sync container configuration, specify the GIT_ASKPASS_URL The credentials will pass in plain text, make sure the connection between git-sync and GIT ASKPASS Service are secure.
-The recommended way is the ASKPASS Service running within the same pod as git-sync.
+The recommended situation are:
-See as a full example which use GCE Node Service Account credential to access Google Cloud Source Repo.
+* ASKPASS Service running within the same pod as git-sync.
+* ASKPASS Service rely on [GCE metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata) to get service account's credential to access Google Cloud Source Repo.
-```json
-{
- name: "git-sync",
- ...
- env: [
- {
- name: "GIT_SYNC_REPO",
- value: "https://source.developers.google.com/p/[GCP PROJECT ID]/r/[REPO NAME]"
- }, {
- name: "GIT_ASKPASS_URL",
- value: "http://localhost:9102/git_askpass",
- },
- ...
- ]
-}
+See as a full example.
+
+```yaml
+name: "git-sync"
+...
+env:
+ - name: "GIT_SYNC_REPO",
+ value: "https://source.developers.google.com/p/[GCP PROJECT ID]/r/[REPO NAME]"
+ - name: "GIT_ASKPASS_URL",
+ value: "http://localhost:9102/git_askpass",
 ```
diff --git a/docs/cookie-file.md b/docs/cookie-file.md
index 894cae3..8bbaeb2 100644
--- a/docs/cookie-file.md
+++ b/docs/cookie-file.md
@@ -22,16 +22,12 @@ In your Pod or Deployment configuration, specify a Volume for mounting the cookie-file Secret. Make sure to set `secretName` to the same name you used to create the secret (`git-cookie-file` in the example above).
-```json
-volumes: [
- {
- "name": "git-secret",
- "secret": {
- "secretName": "git-cookie-file",
- }
- },
- ...
-],
+```yaml
+volumes:
+ - name: git-secret
+ secret:
+ secretName: git-cookie-file
+ defaultMode: 0440
 ```
 ## Step 3: Configure git-sync container
@@ -42,26 +38,16 @@ environment variable `GIT_COOKIE_FILE` to "true", and to use a git repo (`--repo` flag or `GIT_SYNC_REPO` env) is set to use a URL with the HTTP protocol.
-```json
-{
- name: "git-sync",
- ...
- env: [
- {
- name: "GIT_SYNC_REPO",
- value: "https://github.com/kubernetes/kubernetes.git"
- }, {
- name: "GIT_COOKIE_FILE",
- value: "true",
- },
- ...
- ]
- volumeMounts: [
- {
- "name": "git-secret",
- "mountPath": "/etc/git-secret"
- },
- ...
- ],
-}
+```yaml
+name: "git-sync"
+...
+env:
+ - name: GIT_SYNC_REPO
+ value: https://github.com/kubernetes/kubernetes.git
+ - name: GIT_COOKIE_FILE
+ value: true
+volumeMounts:
+ - name: git-secret
+ mountPath: /etc/git-secret
+ readOnly: true
 ```
diff --git a/docs/ssh.md b/docs/ssh.md
index 5208696..8f7519a 100644
--- a/docs/ssh.md
+++ b/docs/ssh.md
@@ -130,7 +130,7 @@ spec:
 - name: git-secret
 secret:
 secretName: git-creds
- defaultMode: 288 # = mode 0440
+ defaultMode: 0440
 containers:
 - name: git-sync
 image: k8s.gcr.io/git-sync:v3.1.1
@@ -145,6 +145,7 @@ spec:
 volumeMounts:
 - name: git-secret
 mountPath: /etc/git-secret
+ readOnly: true
 securityContext:
 fsGroup: 65533 # to make SSH key readable
 ```