NimTechnology

Presenting CLOUD technologies in an easy-to-understand way.

[git-sync] A simple tool that automatically pulls a git repository into a container on Kubernetes

Posted on November 12, 2021 / April 18, 2022 by nim

Sometimes we need to copy code or data from GitHub without redeploying the workload on Kubernetes.
There are several ways to do this; mine is to use git-sync.

Contents

  • 1) Overview git-sync
  • 2) Practise
    • 2.1) authen with git by username/pass/token
      • 2.1.1) Declared Environment
    • 2.2) authen with git by ssh key
  • 2.3) result

1) Overview git-sync

This is the main GitHub repository of git-sync:
https://github.com/kubernetes/git-sync

Note the two columns I highlighted.
Those are the settings you declare in k8s so that git-sync knows which repo to clone.

Read up on "Using Secrets as environment variables"; we will use it shortly:
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables

I run this lab on GitHub.

2) Practise

2.1) authen with git by username/pass/token

2.1.1) Declared Environment

I think this approach is simple, and it is the one I use most often.

Reference material from a Korean author:
https://ddii.dev/kubernetes/git-sync/#

I used the page above as a reference and we

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: git-sync-demo
  name: git-sync-demo
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: git-sync-demo
  template:
    metadata:
      labels:
        app: git-sync-demo
    spec:
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        ports:
        - containerPort: 80
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
      - name: git-sync
        image: k8s.gcr.io/git-sync:v3.1.1
        imagePullPolicy: Always
        env:
          - name: "GIT_SYNC_REPO"
            value: "https://github.com/mrnim94/git-sync-demo.git"
          - name: "GIT_SYNC_ROOT"
            value: "/usr/share/nginx"
          - name: "GIT_SYNC_DEST"
            value: "html"
          - name: GIT_SYNC_BRANCH
            value: master
          - name: "GIT_SYNC_USERNAME"
            valueFrom:
              secretKeyRef:
                name: "secret-git-sync"
                key: "GIT_SYNC_USERNAME"
          - name: "GIT_SYNC_PASSWORD"
            valueFrom:
              secretKeyRef:
                name: "secret-git-sync"
                key: "GIT_SYNC_PASSWORD"
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
      volumes:
      - name: git-sync-volume
        emptyDir: {}
      - name: git-secret
        secret:
          secretName: git-creds
          defaultMode: 288 # = mode 0440
      securityContext:
        fsGroup: 65533 # to make SSH key readable
---
kind: Service
apiVersion: v1
metadata:
  name: git-sync-demo
spec:
  type: NodePort
  selector:
    app: git-sync-demo
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

As the YAML shows, both nginx and git-sync mount the same volume, git-sync-volume.
git-sync detects changes automatically and clones the code into the volume, so nginx has it too because the volume is shared.

We create the secret on k8s.

Deploy it.

You can see that the pod has 2 containers.

2.2) authen with git by ssh key

Now we need to add the SSH key to GitHub:

After adding it, submit.
This is where I take the id_rsa.pub file.

Now test the login to GitHub:

ssh -T git@github.com -i /root/.ssh/id_rsa
root@k8s-master:~# ssh -T git@github.com -i /root/.ssh/id_rsa_k0s 
The authenticity of host 'github.com (20.205.243.166)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ýe
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added 'github.com,20.205.243.166' (ECDSA) to the list of known hosts.
Hi mrnim94! You've successfully authenticated, but GitHub does not provide shell access.

The login succeeded.

vi ~/.ssh/config

Host github.com
      Preferredauthentications publickey
      IdentityFile /root/.ssh/id_rsa_k0s

git clone git@github.com:mrnim94/git-sync-demo.git
Cloning into 'git-sync-demo'...
remote: Enumerating objects: 7, done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 7
Receiving objects: 100% (7/7), done.
Resolving deltas: 100% (1/1), done.

So the SSH key works fine.

Now the next step.
Collect the host keys of your git server.
This step is quite important; many people skip it and then run into errors.

YOUR_GIT_HOST=github.com
ssh-keyscan $YOUR_GIT_HOST > /tmp/known_hosts
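
ssh-keyscan stores whatever key the network returns, so the file is only as trustworthy as the connection it was fetched over. The following added example (not part of the original post) checks each scanned entry against pinned fingerprints before the file goes into the Secret; the function names and the constructed sample host are assumptions, and the pinned value is the ECDSA fingerprint shown in the ssh session above.

```python
import base64
import hashlib

# ECDSA fingerprint printed for github.com in the ssh session on this page.
# Compare it with the fingerprints your git host publishes before pinning it.
PINNED = {"SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM"}

# Constructed sample in ssh-keyscan output format; the key blob is not a real key.
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample\n"
    "git.example.test ssh-ed25519 "
    + base64.b64encode(b"constructed-not-a-real-key").decode() + "\n"
)


def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it: base64 of the digest, no padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unverified_entries(known_hosts_text, pinned):
    """Return (host, key type, fingerprint) for every entry that is not pinned."""
    bad = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            bad.append((line, "?", "malformed"))
            continue
        host, key_type, key_b64 = fields[:3]
        try:
            fp = fingerprint(key_b64)
        except ValueError:  # binascii.Error is a ValueError
            fp = "undecodable"
        if fp not in pinned:
            bad.append((host, key_type, fp))
    return bad


if __name__ == "__main__":
    # The constructed host is not pinned, so it is reported and must not be stored.
    for host, key_type, fp in unverified_entries(SAMPLE_KNOWN_HOSTS, PINNED):
        print(f"refusing {host} {key_type}: {fp} is not a pinned fingerprint")
```

Pin one fingerprint per key type you intend to keep, and store only the lines that pass.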

Now create the secret on k8s.

Method 1:

kubectl create secret generic git-creds \
    --from-file=ssh=$HOME/.ssh/id_rsa_k0s \
    --from-file=known_hosts=/tmp/known_hosts

The resulting Secret (base64 values omitted):

apiVersion: v1
data:
  known_hosts: <base64 value omitted>
  ssh: <base64 value omitted>
kind: Secret
metadata:
  creationTimestamp: "2022-04-18T14:45:43Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:known_hosts: {}
        f:ssh: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2022-04-18T14:45:43Z"
  name: git-creds
  namespace: default
  resourceVersion: "12473109"
  uid: a05369a3-3504-4793-be6c-0bef49b1a9fe
type: Opaque

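Note:
For the private key, do not copy it by hand and paste it into Rancher; the value comes out wrong, because you cannot avoid a newline character at the end of the line.

How to base64-encode a string or a file:
I tried this on a Mac.

echo -n "STRING" | base64

base64 < /root/.ssh/id_rsa_k0s | tr -d '\n'

For echo, -n avoids a newline character at the end of the string. A file is encoded exactly as it is, so cat needs no such flag; with GNU cat, -n numbers every line and corrupts the key. tr -d '\n' only removes the line wrapping that some base64 implementations add to their output.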
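
The encoding pitfalls in the note above can be checked before a Secret is applied. This added example (not from the original post) decodes each data value and flags a credential that picked up a newline, as happens with echo without -n, and a key whose lines were altered, as happens when GNU cat -n numbers them; the key names ssh, known_hosts and GIT_SYNC_PASSWORD are the ones used on this page, while the function names and sample values are constructed for illustration.

```python
import base64

# Constructed placeholder shaped like an OpenSSH private key file (not a real key).
SAMPLE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")


def encode_value(raw):
    """Base64 for a Secret's data field: exact bytes in, one unwrapped line out."""
    return base64.b64encode(raw).decode("ascii")


def check_secret_data(data):
    """Return a list of findings for a Secret's data map (key -> base64 text)."""
    findings = []
    for key, value in data.items():
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:
            findings.append(f"{key}: not valid single-line base64")
            continue
        if key == "ssh":
            lines = raw.decode("ascii", "replace").splitlines()
            if (not lines or not lines[0].startswith("-----BEGIN ")
                    or not lines[-1].startswith("-----END ")):
                findings.append(f"{key}: key armor damaged (numbered or cut lines)")
            elif not raw.endswith(b"\n"):
                findings.append(f"{key}: final newline of the key file is missing")
        elif key != "known_hosts" and raw != raw.strip():
            findings.append(f"{key}: whitespace or newline around the credential")
    return findings


def demo():
    """Encode the same inputs correctly and in the two broken ways."""
    numbered = "".join(f"{i:6d}\t{line}\n" for i, line in
                       enumerate(SAMPLE_KEY.decode().splitlines(), 1)).encode()
    token = b"constructed-token"
    return {
        "exact bytes": check_secret_data({"ssh": encode_value(SAMPLE_KEY),
                                          "GIT_SYNC_PASSWORD": encode_value(token)}),
        "echo without -n": check_secret_data({"GIT_SYNC_PASSWORD": encode_value(token + b"\n")}),
        "cat -n": check_secret_data({"ssh": encode_value(numbered)}),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "ok")
```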

OK, now we have the deployment YAML file:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: git-sync-demo
  name: git-sync-demo
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: git-sync-demo
  template:
    metadata:
      labels:
        app: git-sync-demo
    spec:
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        ports:
        - containerPort: 80
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
      - name: git-sync
        image: k8s.gcr.io/git-sync/git-sync:v3.5.0
        imagePullPolicy: Always
        args:
          - "-ssh=true"
          - "--ssh-known-hosts=false" # disables SSH host-key verification; remove this line to check the server against known_hosts from the git-creds Secret
          - "-repo=git@github.com:mrnim94/git-sync-demo.git"
          - "-branch=master"
          - "-dest=html"
          - "-root=/usr/share/nginx"
          - "-wait=5"
          - "-max-sync-failures=-1"
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
        - name: git-ssh
          mountPath: /etc/git-secret
          readOnly: true
      volumes:
      - name: git-sync-volume
        emptyDir: {}
      - name: git-ssh
        secret:
          secretName: git-creds
          defaultMode: 288 # = mode 0440
      securityContext:
        fsGroup: 65533 # to make SSH key readable
---
kind: Service
apiVersion: v1
metadata:
  name: git-sync-demo
spec:
  type: NodePort
  selector:
    app: git-sync-demo
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

I will leave some links here for reference:
https://dev.betterdoc.org/software/engineering,/kubernetes,/devops/2020/08/07/accessing-a-github-repository-within-kubernetes-via-a-sidecar-container.html
https://ddii.dev/kubernetes/git-sync/#
https://github.com/kubernetes/git-sync/issues/126
https://coderedirect.com/questions/350965/how-to-clone-a-private-git-repository-into-a-kubernetes-pod-using-ssh-keys-in-se
https://github.com/kubernetes/git-sync/blob/master/docs/ssh.md

2.3) result

When you exec into the nginx container and check, the file is there.
Accessing the site looks like this.

Now edit the file on git and commit.

The web page has changed.
Log of git-sync: