[git-sync] a simple sidecar that automatically pulls a git repository into a container on Kubernetes

Posted on November 12, 2021 (updated April 18, 2022) by nim

Sometimes we need to copy code or data from GitHub into a workload on Kubernetes without redeploying that workload.
There are several ways to do it; my way is git-sync: a sidecar container that keeps a clone of a git repository in a volume shared with the main container.

Contents

  • 1) Overview git-sync
  • 2) Practice
    • 2.1) Authenticate with git by username/password/token
      • 2.1.1) Declaring environment variables
    • 2.2) Authenticate with git by SSH key
    • 2.3) Result

1) Overview git-sync

This is the main GitHub repository of git-sync:
https://github.com/kubernetes/git-sync

Note the two columns I marked in the screenshot of the README: the command-line flag and the matching environment variable for each option.
Those are the settings you declare in k8s so git-sync knows which repo to clone and where to put it.

Read about using Secrets as environment variables; we will use that shortly:
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables

I am running this lab against GitHub.

2) Practice

2.1) Authenticate with git by username/password/token

2.1.1) Declaring environment variables

I think this is the simplest way, and it is the one I use most often.

Reference material from a Korean author:
https://ddii.dev/kubernetes/git-sync/#

I adapted the manifest below from that page:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: git-sync-demo
  name: git-sync-demo
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: git-sync-demo
  template:
    metadata:
      labels:
        app: git-sync-demo
    spec:
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        ports:
        - containerPort: 80
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx   # nginx serves /usr/share/nginx/html, the symlink git-sync maintains
      - name: git-sync
        image: k8s.gcr.io/git-sync:v3.1.1
        imagePullPolicy: Always
        env:
          - name: "GIT_SYNC_REPO"
            value: "https://github.com/mrnim94/git-sync-demo.git"
          - name: "GIT_SYNC_ROOT"
            value: "/usr/share/nginx"   # must equal this container's mountPath below
          - name: "GIT_SYNC_DEST"
            value: "html"               # git-sync points /usr/share/nginx/html at the latest checkout
          - name: GIT_SYNC_BRANCH
            value: master
          # Credentials come from a Secret, never as literal values in the manifest.
          # For GitHub the "password" has to be a personal access token.
          - name: "GIT_SYNC_USERNAME"
            valueFrom:
              secretKeyRef:
                name: "secret-git-sync"
                key: "GIT_SYNC_USERNAME"
          - name: "GIT_SYNC_PASSWORD"
            valueFrom:
              secretKeyRef:
                name: "secret-git-sync"
                key: "GIT_SYNC_PASSWORD"
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
      volumes:
      - name: git-sync-volume
        emptyDir: {}
---
kind: Service
apiVersion: v1
metadata:
  name: git-sync-demo
spec:
  type: NodePort
  selector:
    app: git-sync-demo
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

You can see in the YAML that nginx and git-sync both mount the volume git-sync-volume.
git-sync clones the repo into that volume, and nginx sees the same files because it mounts the same volume. git-sync checks each revision out into its own directory under the root and atomically repoints the html symlink at it, so nginx never serves a half-written tree. This HTTPS variant needs no SSH key volume and no fsGroup; those only matter for the SSH key method in 2.2.

Now create the Secret on k8s: a generic Secret named secret-git-sync in the same namespace, with the keys GIT_SYNC_USERNAME and GIT_SYNC_PASSWORD that the manifest references.
Two caveats. GitHub stopped accepting account passwords for git over HTTPS in August 2021, so GIT_SYNC_PASSWORD has to be a personal access token. And because the token lands in the sidecar's environment, anyone who can exec into the pod or read its /proc can recover it, so use a token scoped to read-only access on this one repository and rotate it.

Deploy it.

You can see that our pod has two containers.

2.2) Authenticate with git by SSH key

First we add the SSH public key to GitHub:

After filling it in, submit.
This is where I took the id_rsa.pub file from.

Now test the login to GitHub (I use the key /root/.ssh/id_rsa_k0s):

ssh -T git@github.com -i /root/.ssh/id_rsa_k0s
root@k8s-master:~# ssh -T git@github.com -i /root/.ssh/id_rsa_k0s 
The authenticity of host 'github.com (20.205.243.166)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ýe
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added 'github.com,20.205.243.166' (ECDSA) to the list of known hosts.
Hi mrnim94! You've successfully authenticated, but GitHub does not provide shell access.

The fingerprint ssh shows on first contact is the only thing standing between you and a server impersonating github.com, so compare it with GitHub's published host key fingerprints (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints) before answering yes. The SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM value above is GitHub's ECDSA fingerprint.

Login succeeded.

Add the key to the ssh client config so git picks it up for github.com:

vi ~/.ssh/config

Host github.com
      PreferredAuthentications publickey
      IdentityFile /root/.ssh/id_rsa_k0s

git clone git@github.com:mrnim94/git-sync-demo.git
Cloning into 'git-sync-demo'...
remote: Enumerating objects: 7, done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 7
Receiving objects: 100% (7/7), done.
Resolving deltas: 100% (1/1), done.

So the SSH key works fine.

Now the next step.
Get the host keys of your git server.
This step is quite important; many people skip it and then hit errors, because with host-key checking on, git-sync (like any ssh client) refuses a host whose key is not in known_hosts:

YOUR_GIT_HOST=github.com
ssh-keyscan $YOUR_GIT_HOST > /tmp/known_hosts

ssh-keyscan records whatever answers on port 22, so check the keys it captured (ssh-keygen -lf /tmp/known_hosts prints their fingerprints) against GitHub's published fingerprints before you put them in a Secret.

Now create the Secret on k8s.

Method 1:

kubectl create secret generic git-creds \
    --from-file=ssh=$HOME/.ssh/id_rsa_k0s \
    --from-file=known_hosts=/tmp/known_hosts

Reading the Secret back with kubectl (get secret git-creds -o yaml) shows the two keys. The values are placeholders here; the ssh value is the base64 of your private key and must never be published, and a key that has been pasted anywhere public should be rotated.

apiVersion: v1
data:
  known_hosts: <base64 of /tmp/known_hosts>
  ssh: <base64 of the private key>
kind: Secret
metadata:
  creationTimestamp: "2022-04-18T14:45:43Z"
  name: git-creds
  namespace: default
  resourceVersion: "12473109"
  uid: a05369a3-3504-4793-be6c-0bef49b1a9fe
type: Opaque

Note:
Do not copy the private key by hand and paste it into Rancher; it comes out wrong, because the pasted value cannot reproduce the newline at the end of the file exactly.

How to base64-encode a string or a file (I tested this on macOS):

echo -n "STRING" | base64

base64 < /root/.ssh/id_rsa_k0s

-n keeps echo from appending a newline to the string. Do not carry that idea over to the file: cat -n numbers the lines and would corrupt the key, and the key file must keep its trailing newline anyway, because ssh rejects an OpenSSH-format private key without one. Encode the file's bytes exactly as they are; on Linux add -w0 (base64 -w0 FILE) so the output is a single line, which macOS base64 already produces. Creating the Secret with kubectl --from-file, as above, avoids the manual encoding entirely.
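The script below is an added example; it is not code from the original post or from the git-sync project. It does by hand the two things this section needs done carefully: it checks the ssh-keyscan output against GitHub's published host key fingerprint (the ECDSA value is the one the ssh -T session above printed) and drops any key that does not match, then renders the git-creds Secret from the exact file bytes so the key's trailing newline survives and the base64 has no line wraps. The sample key and keyscan output are constructed; the bogus ssh-ed25519 entry stands in for a key a man-in-the-middle could inject. The same build_secret helper renders the secret-git-sync Secret for the username/token method in 2.1.

```python
"""Build the git-creds (or secret-git-sync) Secret for the git-sync sidecar.

Added example; not code from the original post or from the git-sync project.
Assumption: GitHub's published ECDSA host key below is the trust anchor. The
sample key file and sample ssh-keyscan output are constructed for the demo.
"""
import base64
import hashlib
import json
import sys

# Trust anchor: fingerprints GitHub publishes for its host keys. The ECDSA one
# is the value the ssh -T session on this page printed. Add the RSA and ed25519
# values from GitHub's docs page if you keep those key types in known_hosts.
TRUSTED_FINGERPRINTS = {
    ("github.com", "ecdsa-sha2-nistp256"): "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM",
}


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, formatted as ssh-keygen -lf prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host, key_type, key_b64) for each key line of ssh-keyscan output, skipping comments."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def verify_known_hosts(text: str, trusted=TRUSTED_FINGERPRINTS) -> dict:
    """Map (host, key_type) -> True only when the scanned key matches the trusted fingerprint."""
    return {(h, t): fingerprint(b) == trusted.get((h, t)) for h, t, b in parse_known_hosts(text)}


def trusted_lines(text: str, trusted=TRUSTED_FINGERPRINTS) -> bytes:
    """known_hosts content holding only verified keys; refuses to produce an empty file."""
    keep = [f"{h} {t} {b}" for h, t, b in parse_known_hosts(text)
            if fingerprint(b) == trusted.get((h, t))]
    if not keep:
        raise ValueError("no scanned host key matched a trusted fingerprint")
    return ("\n".join(keep) + "\n").encode()


def build_secret(name: str, data: dict, namespace: str = "default") -> str:
    """Render an Opaque Secret as JSON (kubectl apply -f accepts JSON); values are the exact bytes."""
    if "ssh" in data and not data["ssh"].endswith(b"\n"):
        raise ValueError("OpenSSH private key must keep its trailing newline")
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        # b64encode never wraps lines, unlike GNU base64 without -w0
        "data": {k: base64.b64encode(v).decode() for k, v in data.items()},
    }
    return json.dumps(manifest, indent=2)


# Constructed sample inputs (not real credentials): a dummy key file ending in
# the newline ssh requires, and keyscan output holding GitHub's real ECDSA key
# plus a bogus ed25519 key (32 zero bytes) standing in for a key injected by
# a man-in-the-middle.
SAMPLE_KEY = b"-----BEGIN OPENSSH PRIVATE KEY-----\nZHVtbXk=\n-----END OPENSSH PRIVATE KEY-----\n"
GITHUB_ECDSA = ("AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKg"
                "wFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=")
BOGUS_ED25519 = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
SAMPLE_KEYSCAN = ("# github.com:22 SSH-2.0-babeld\n"
                  f"github.com ecdsa-sha2-nistp256 {GITHUB_ECDSA}\n"
                  f"github.com ssh-ed25519 {BOGUS_ED25519}\n")


def main(argv):
    """python build_git_creds.py <private key file> <ssh-keyscan output file>; no args runs the sample."""
    if len(argv) == 3:
        key, scan = open(argv[1], "rb").read(), open(argv[2]).read()
    else:
        key, scan = SAMPLE_KEY, SAMPLE_KEYSCAN
    print(build_secret("git-creds", {"ssh": key, "known_hosts": trusted_lines(scan)}))


if __name__ == "__main__":
    main(sys.argv)
```

Pipe the output to kubectl apply -f - and the Secret matches what kubectl create secret --from-file produces, except that a key ssh-keyscan returned which you did not pin is left out rather than silently trusted. For 2.1, call build_secret("secret-git-sync", {"GIT_SYNC_USERNAME": b"<user>", "GIT_SYNC_PASSWORD": b"<token>"}) with a read-only token.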

OK, now here is the deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: git-sync-demo
  name: git-sync-demo
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: git-sync-demo
  template:
    metadata:
      labels:
        app: git-sync-demo
    spec:
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        ports:
        - containerPort: 80
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
      - name: git-sync
        image: k8s.gcr.io/git-sync/git-sync:v3.5.0
        imagePullPolicy: Always
        args:
          - "--ssh=true"
          # Keep host-key checking on. git-sync reads /etc/git-secret/known_hosts,
          # which the git-creds Secret provides. "--ssh-known-hosts=false" would skip
          # verification and let anything answering as github.com feed this pod.
          - "--ssh-known-hosts=true"
          - "--repo=git@github.com:mrnim94/git-sync-demo.git"
          - "--branch=master"
          - "--dest=html"
          - "--root=/usr/share/nginx"
          - "--wait=5"                 # seconds between syncs
          - "--max-sync-failures=-1"   # keep retrying instead of exiting
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
        - name: git-ssh
          mountPath: /etc/git-secret   # git-sync expects the key at /etc/git-secret/ssh by default
          readOnly: true
      volumes:
      - name: git-sync-volume
        emptyDir: {}
      - name: git-ssh
        secret:
          secretName: git-creds
          defaultMode: 288 # = mode 0440
      securityContext:
        fsGroup: 65533 # git-sync runs as gid 65533; this makes the 0440 key readable to it
---
kind: Service
apiVersion: v1
metadata:
  name: git-sync-demo
spec:
  type: NodePort
  selector:
    app: git-sync-demo
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

Links for reference:
https://dev.betterdoc.org/software/engineering,/kubernetes,/devops/2020/08/07/accessing-a-github-repository-within-kubernetes-via-a-sidecar-container.html
https://ddii.dev/kubernetes/git-sync/#
https://github.com/kubernetes/git-sync/issues/126
https://coderedirect.com/questions/350965/how-to-clone-a-private-git-repository-into-a-kubernetes-pod-using-ssh-keys-in-se
https://github.com/kubernetes/git-sync/blob/master/docs/ssh.md

2.3) Result

When you exec into the nginx container and check, the files are there.
Accessing the site looks like this.

Now edit on git and commit.

The web page has changed.
And here is git-sync's log.