[git-sync] an auto simple that pulls a git repository into a container on Kubernetes

Posted on By nim No Comments on [git-sync] an auto simple that pulls a git repository into a container on Kubernetes

Đôi khi chúng ta sẽ có nhu cầu copy code hay data trên github nhưng ko cần deploy lại workload trên kubernetes
Chúng ta có nhiều các khác nhau và cách của mình là sử dụng git-sync

1) Overview git-sync

Đây là link github chính của git-sync:
https://github.com/kubernetes/git-sync

Anh em để ý 2 cột mà mình đánh dấu.
Đó mấy cái khai báo trong k8s để git-sync nó biết mình clone repo nào?

Tìm hiều về Using Secrets as environment variables tí nữa chúng ta sẽ sử dụng:
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables

Mình lab trên github

2) Practise

2.1) authen with git by username/pass/token

2.1.1) Declared Environment

Cách này mình nghĩ là đơn giản và mình cũng hay saì cách này.

Tài liệu tham khảo từ 1 anh hàn
https://ddii.dev/kubernetes/git-sync/#

Mình tham khảo từ trang của anh trai ở trên và chúng 

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: git-sync-demo
  name: git-sync-demo
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: git-sync-demo
  template:
    metadata:
      labels:
        app: git-sync-demo
    spec:
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        ports:
        - containerPort: 80
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
      - name: git-sync
        image: k8s.gcr.io/git-sync:v3.1.1
        imagePullPolicy: Always
        env:
          - name: "GIT_SYNC_REPO"
            value: "https://github.com/mrnim94/git-sync-demo.git"
          - name: "GIT_SYNC_ROOT"
            value: "/usr/share/nginx"
          - name: "GIT_SYNC_DEST"
            value: "html"
          - name: GIT_SYNC_BRANCH
            value: master
          - name: "GIT_SYNC_USERNAME"
            valueFrom:
              secretKeyRef:
                name: "secret-git-sync"
                key: "GIT_SYNC_USERNAME"
          - name: "GIT_SYNC_PASSWORD"
            valueFrom:
              secretKeyRef:
                name: "secret-git-sync"
                key: "GIT_SYNC_PASSWORD"
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
      volumes:
      - name: git-sync-volume
        emptyDir: {}
      - name: git-secret
        secret:
          secretName: git-creds
          defaultMode: 288 # = mode 0440
      securityContext:
        fsGroup: 65533 # to make SSH key readable
---
kind: Service
apiVersion: v1
metadata:
  name: git-sync-demo
spec:
  type: NodePort
  selector:
    app: git-sync-demo
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

Bạn thấy trên yaml là cả nginx và git-sync sẽ cùng mount vào volume git-sync-volume
git-sync sẽ auto detect và clone code về volume thế nginx cũng có vì mount chung volume

Chúng tạo secret trên k8s

Tiến hành deploy

Bạn thấy trong pod của ta sẽ có 2 container.

2.2) authen with git by ssh key

Giờ chúng ta cần add ssh key lên github:

Sau khi add xong thì bạn submit
Đây là nơi mình lấy file id_rsa.pub

Giờ test login với github:

ssh -T git@github.com -i /root/.ssh/id_rsa
root@k8s-master:~# ssh -T git@github.com -i /root/.ssh/id_rsa_k0s 
The authenticity of host 'github.com (20.205.243.166)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ýe
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added 'github.com,20.205.243.166' (ECDSA) to the list of known hosts.
Hi mrnim94! You've successfully authenticated, but GitHub does not provide shell access.

Đã login thành công

vi ~/.ssh/config

Host github.com
      Preferredauthentications publickey
      IdentityFile /root/.ssh/id_rsa_k0s
git clone git@github.com:mrnim94/git-sync-demo.git
Cloning into 'git-sync-demo'...
remote: Enumerating objects: 7, done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 7
Receiving objects: 100% (7/7), done.
Resolving deltas: 100% (1/1), done.

Vậy là ssh-key đã hoặt động ngon lành.

Giờ đến bước tiếp theo.
Lấy các host keys để gọi git server của bạn
Bước này khá quan trong và bị các bạn bỏ khá nhiều nên bị lỗi 

YOUR_GIT_HOST=github.com
ssh-keyscan $YOUR_GIT_HOST > /tmp/known_hosts

Giờ lên k8s tạo secret.

Cách 1:

kubectl create secret generic git-creds \
    --from-file=ssh=$HOME/.ssh/id_rsa_k0s\
    --from-file=known_hosts=/tmp/known_hosts
apiVersion: v1
data:
  known_hosts: Z2l0aHViLmNvbSBzc2gtcnNhIEFBQUFCM056YUMxeWMyRUFBQUFCSXdBQUFRRUFxMkE3aFJHbWRubTl0VURiTzlJRFN3Qks2VGJRYStQWFlQQ1B5NnJiVHJUdHc3UEhrY2NLcnBwMHlWaHA1SGRFSWNLcjZwTGxWREJmT0xYOVFVc3lDT1Ywd3pmaklKTmxHRVlzZGxMSml6SGhibjJtVWp2U0FIUXFaRVRZUDgxZUZ6TFFOblBIdDRFVlZVaDdWZkRFU1U4NEtlem1ENVFsV3BYTG12VTMxL3lNZitTZTh4aEhUdktTQ1pJRkltV3dvRzZtYlVvV2Y5bnpwSW9hU2pCK3dlcXFVVW1wYWFhc1hWYWw3MkorVVgyQisyUlBXM1JjVDBlT3pRZ3FsSkwzUktyVEp2ZHNqRTNKRUF2R3EzbEdIU1pYeTI4RzNza3VhMlNtVmkvdzR5Q0U2Z2JPRHFuVFdsZzcrd0M2MDR5ZEdYQThWSmlTNWFwNDNKWGlVRkZBYVE9PQpnaXRodWIuY29tIGVjZHNhLXNoYTItbmlzdHAyNTYgQUFBQUUyVmpaSE5oTFhOb1lUSXRibWx6ZEhBeU5UWUFBQUFJYm1semRIQXlOVFlBQUFCQkJFbUtTRU5qUUVlek9teGtaTXk3b3BLZ3dGQjlua3Q1WVJyWU1qTnVHNU44N3VSZ2c2Q0xyYm81d0FkVC95NnYwbUtWMFUydzBXWjJZQi8rK1Rwb2NrZz0KZ2l0aHViLmNvbSBzc2gtZWQyNTUxOSBBQUFBQzNOemFDMWxaREkxTlRFNUFBQUFJT01xcW5rVnpybTBTZEc2VU9vcUtMc2FiZ0g1Qzlva1dpMGRoMmw5R0tKbAo=
  ssh: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJGd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFRRUF0UE5pdUlKVkViTHJ4RUhxbno2d29EczRPZkdkWGpDbWN4Y0xOL2EvYmMyZnJIMTM2NTE4Cjl2a0ZCMjBydm96Zms5MExNL2MxQ3c5d1ZqRCt1WklLblZndFRNZkJoT2ZPdSthWWxHSHE2YlZ5R3JaL0E3WGRZd3RtU3YKUVVuUEdtUnhqeUY3WTNHd1V6WkRtaFJXeFhaclVLQzMvNHdvdzZtT0RWNU5vbFo5RkpYTDVOQTczT0ViMkVpMW5ZVGc5KwpOYjQwdzlyYVFtbmQ4V2pYY2g4aHAxdXNPdTVCcGRpL01FSWJUM3lDa3U1U0xZSXUyR3VhTWRkTGYwdVdPRjhySlg1Q3dGClhQMmdwTDJWejIxN1NlVmZDdUR4ajlVa3VBdktkZlhNSGxnQm16SE9YYUt6UGZUbTd0RHBOb1ZCbm9EN3NSSWtERklXVlMKSHRtMXljNmFUd0FBQThoZktWMDhYeWxkUEFBQUFBZHpjMmd0Y25OaEFBQUJBUUMwODJLNGdsVVJzdXZFUWVxZlByQ2dPegpnNThaMWVNS1p6RndzMzlyOXR6WitzZlhmcm5YejIrUVVIYlN1K2pOK1QzUXN6OXpVTEQzQldNUDY1a2dxZFdDMU14OEdFCjU4Njc1cGlVWWVycHRYSWF0bjhEdGQxakMyWks5QlNjOGFaSEdQSVh0amNiQlROa09hRkZiRmRtdFFvTGYvakNqRHFZNE4KWGsyaVZuMFVsY3ZrMER2YzRSdllTTFdkaE9EMzQxdmpURDJ0cENhZDN4YU5keUh5R25XNnc2N2tHbDJMOHdRaHRQZklLUwo3bEl0Z2k3WWE1b3gxMHQvUzVZNFh5c2xma0xBVmMvYUNrdlpYUGJYdEo1VjhLNFBHUDFTUzRDOHAxOWN3ZVdBR2JNYzVkCm9yTTk5T2J1ME9rMmhVR2VnUHV4RWlRTVVoWlZJZTJiWEp6cHBQQUFBQUF3RUFBUUFBQVFFQXFVeVNUL2s1S0g4VGthTHUKcHFHYjFiNnlnxxxNIMTECHNOLOGYxxxJDdWhsQUpJRFUvcHNLZGxHb3pnbjJXUHVLckZaT2RuMWNtQlhrNHFWV3o4cUJHdThYSwp5MGJZTHo3NnFHeFUwaDhxcU9oSzFNSGV3amVGQSsyejArTHVDaExKbjNMY3dNTGQxQlA1bWxGSi9LNE01V0UvVk1lYWY1CkVlVHJxaitxUUIxT0pBdWNYSnp3NzZFbXRWSlYrN24rRUJySExwdUxTd3FicWx2T2YzQTNLbkVnQUVJMGMwRFRlbU9yejEKcThseVJUVTdsa0VScjQwSHAyVWxER1lvbEtscmdCQy9wOFkyTFJ1blFQTExqd0N5YXpsM1lzVWhvVnJXM3dLR2tMZkQzYwoyNi9Nak9OdmFWaFVIeDdpaXdzTFNJaExuUzB2b2ZZQndnWS93Z3dxMDU4eVVRQUFBSUJHOTNIZE5wS0R4SEI5eGdZQWtrCkh4Y3RNcGpnQkg4ZkxqYms0MmNrNjdGeEhValJxZ0hlVmFzQWxMZnNjb2ltR1RzZTJUYk1TSzMreEdEbHlnbU1CdjNsa00KbHBJZEc4N1BDUnlIVEZuRHN5UjhjR3c4Uk5sbkprNDlicjVVWWhGVmZqazNmMVJ4VWRXbHhUTXZHdTJNU1NDZnNYN01wNgpyNDR3bytWSUg3QkFBQUFJRUEyenYwRmY3OGl1b2owMyt0SllVTFdEM1JFVDhmdk5oMFZNNGlyQWxSRlpCdENTTGVnUXc1CmlBYVJCbFdadnlnWURuNWR6dlJ1YXZSZERKSkdBNlNPZzRFTFRVbzRNeTh0VkRWcTdyZGZBcG81ZnJwL1czeE1QanRyZW8KMkRGYmtCWm9GSE1RVXhvNmczdlNYRXArZnM0SGxsUnVzc2tlb2JoTjhrcTlCMmx0a0FBQUNCQU5OTDNkWFNWVEhQUmZvVgpUblhwdHpXeXhzcWpXdXBLZGZTMHp1Mm5ZeVRVUk1rbjRTb1R0enE1V3pHTTdTVUpuVVdodm9pVktkTWh0WUx6MGU5eVZVCk5TSHBqRW5SWm85eWVYYTM0WFhRUVNGTVBKL2VWMDU0S0JxY09oSW9ySWU0Sm1kSDd6MFZJVmdEYkN5N1g3aXpqRmNFYnQKUEp0c3FXbzNUWnlSZjVGbkFBQUFEM0p2YjNSQWF6aHpMVzFoYzNSbGNnRUNBdz09Ci0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  creationTimestamp: "2022-04-18T14:45:43Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:known_hosts: {}
        f:ssh: {}
      f:type: {}
    manager: kubectl-create
    operation: Update
    time: "2022-04-18T14:45:43Z"
  name: git-creds
  namespace: default
  resourceVersion: "12473109"
  uid: a05369a3-3504-4793-be6c-0bef49b1a9fe
type: Opaque

Lưu ý:
Với private key bạn không nêu chơi cách copy bằng tay sau đó dán lên rancher bị nó bị sai.
Because you can’t to avoid a new line character on the end of the line

Hướng encrypt base64 từ string hay file:
Mình đã thử trên MAC

echo -n "STRING" | base64

cat /root/.ssh/id_rsa_k0s -n | base64

-n is to avoid a new line character on the end of the line.

Ok giờ ta sẽ có file yaml deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: git-sync-demo
  name: git-sync-demo
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: git-sync-demo
  template:
    metadata:
      labels:
        app: git-sync-demo
    spec:
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        ports:
        - containerPort: 80
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
      - name: git-sync
        image: k8s.gcr.io/git-sync/git-sync:v3.5.0
        imagePullPolicy: Always
        args:
          - "-ssh=true"
          - "--ssh-known-hosts=false" #if you don't use known-hosts
          - "-repo=git@github.com:mrnim94/git-sync-demo.git"
          - "-branch=master"
          - "-dest=html"
          - "-root=/usr/share/nginx"
          - "-wait=5"
          - "-max-sync-failures=-1"
        volumeMounts:
        - name: git-sync-volume
          mountPath: /usr/share/nginx
        - name: git-ssh
          mountPath: /etc/git-secret
          readOnly: true
      volumes:
      - name: git-sync-volume
        emptyDir: {}
      - name: git-ssh
        secret:
          secretName: git-creds
          defaultMode: 288 # = mode 0440
      securityContext:
        fsGroup: 65533 # to make SSH key readable
---
kind: Service
apiVersion: v1
metadata:
  name: git-sync-demo
spec:
  type: NodePort
  selector:
    app: git-sync-demo
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

mình sẽ để link để mọi người tham khảo
https://dev.betterdoc.org/software/engineering,/kubernetes,/devops/2020/08/07/accessing-a-github-repository-within-kubernetes-via-a-sidecar-container.html
https://ddii.dev/kubernetes/git-sync/#
https://github.com/kubernetes/git-sync/issues/126
https://coderedirect.com/questions/350965/how-to-clone-a-private-git-repository-into-a-kubernetes-pod-using-ssh-keys-in-se
https://github.com/kubernetes/git-sync/blob/master/docs/ssh.md

2.3) result

Khi anh/em exec container nginx và kiểm tra thì có file nhé
Anh truy cập sẽ như sau.

Giờ bạn sửa trên git và commit

web đã thay đổi
log của git-sync
Git, Kubernetes & Container

More Related Articles

[Keycloak/OAuth2] Install Keycloak by helm on Kubernetes Kubernetes & Container
[OPA Gatekeeper] Sử dụng openpolicyagent để ngăn chặn việc apply yaml tuỳ tiện và sai lên kubernetes! Kubernetes & Container
[Longhorn/Storage] Install Longhorn on Kubernetes through helm and config Taints and Tolerations Kubernetes & Container
[Kubernetes] Lesson7: k8s Easy – Pod Kubernetes & Container
[Jenkins/Git] Why do My Jenkins get env.BRANCH_NAME of Git that is Null Git
[HPA/Kubernetes] Scale Up As Usual, Scale Down Very Gradually – behavior in HPA K8s Kubernetes

Leave a Reply

Your email address will not be published. Required fields are marked *