3.5.7. git-sync¶
Using SSH with git-sync [1]¶
Step 1: Create Secret¶
前提:
// Obtain the host keys for your git server:
$ ssh-keyscan $YOUR_GIT_HOST > /tmp/known_hosts
// 实例:
$ ssh-keyscan git.zhaoweiguo.com > /tmp/known_hosts
Method 1:
// 指定git的密钥和known_hosts(指定secret名: git-creds)
$> kubectl create secret generic git-creds \
--from-file=ssh=/Users/zhaoweiguo/.ssh/gordon.git \
--from-file=known_hosts=/tmp/known_hosts
Method 2:
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
"name": "git-creds"
},
"data": {
"ssh": <base64 encoded private-key> # 这儿是密钥的base64
"known_hosts": <base64 encoded known_hosts> # 这儿是known_hosts的base64
}
}
// 执行
$> kubectl create -f /path/to/secret-config.json
Step 2: Configure Pod/Deployment volume¶
# ...
volumes:
- name: git-secret
secret:
secretName: git-creds
defaultMode: 288 # 0440
# ...
Step 3: Configure git-sync container¶
# ...
containers:
- name: git-sync
image: k8s.gcr.io/git-sync:v9.3.76
args:
- "-ssh"
- "-repo=git@github.com:foo/bar"
- "-dest=bar"
- "-branch=master"
volumeMounts:
- name: git-secret
mountPath: /etc/git-secret
securityContext:
runAsUser: 65533 # git-sync user
# ...
最后:完整实例¶
apiVersion: apps/v1
kind: Deployment
metadata:
name: git-sync
spec:
selector:
matchLabels:
demo: git-sync
template:
metadata:
labels:
demo: git-sync
spec:
volumes:
- name: git-secret
secret:
secretName: git-creds
defaultMode: 288 # 10进制转为8进制: = mode 0440
containers:
- name: git-sync
image: registry.cn-hangzhou.aliyuncs.com/xxxxxxxx/git-sync:v3.1.1
args:
- "-ssh"
- "-repo=git@gitee.com:weiguo/demo.git" # git地址
- "-dest=demo" # clone下来后项目文件夹名字
- "-branch=master" # 指定分支名
- "-depth=1"
securityContext:
runAsUser: 65533 # git-sync user(指定用户)
volumeMounts:
- name: git-secret
mountPath: /etc/git-secret
securityContext:
fsGroup: 65533 # to make SSH key readable(指定用户组)
说明:
1. git免登录所需密钥和known_hosts所需目录: /etc/git-secret
2. clone下来项目目录: $HOME,这儿是/tmp目录
3. 使用用户65533和组65533clone项目
4. 使用defaultMode288指定ssh文件的mode440:
$> ls -alh /etc/git-secret/..data/
-r--r----- 1 root nogroup 653 Jul 20 10:57 known_hosts
-r--r----- 1 root nogroup 1.7K Jul 20 10:57 ssh
git-sync可用命令¶
Usage of ./bin/darwin_amd64/git-sync:
-alsologtostderr
log to standard error as well as files
-branch string
the git branch to check out (default "master")
-change-permissions int
the file permissions to apply to the checked-out files
-cookie-file
use git cookiefile
-depth int
use a shallow clone with a history truncated to the specified number of commits
-dest string
the name at which to publish the checked-out files under --root (defaults to leaf dir of --repo)
-git string
the git command to run (subject to PATH search) (default "git")
-http-bind string
the bind address (including port) for git-sync's HTTP endpoint
-http-metrics
enable metrics on git-sync's HTTP endpoint (default true)
-http-pprof
enable the pprof debug endpoints on git-sync's HTTP endpoint
-log_backtrace_at value
when logging hits line file:N, emit a stack trace
-log_dir string
If non-empty, write log files in this directory
-logtostderr
log to standard error instead of files
-max-sync-failures int
the number of consecutive failures allowed before aborting (the first pull must succeed, -1 disables aborting for any number of failures after the initial sync)
-one-time
exit after the initial checkout
-password string
the password to use
-repo string
the git repository to clone
-rev string
the git revision (tag or hash) to check out (default "HEAD")
-root string
the root directory for git operations (default "/Users/zhaoweiguo/git")
-ssh
use SSH for git operations
-ssh-key-file string
the ssh key to use (default "/etc/git-secret/ssh")
-ssh-known-hosts
enable SSH known_hosts verification (default true)
-ssh-known-hosts-file string
the known hosts file to use (default "/etc/git-secret/known_hosts")
-stderrthreshold value
logs at or above this threshold go to stderr
-timeout int
the max number of seconds for a complete sync (default 120)
-username string
the username to use
-v value
log level for V logs
-version
print the version and exit
-vmodule value
comma-separated list of pattern=N settings for file-filtered logging
-wait float
the number of seconds between syncs
-webhook-backoff duration
if a webhook call fails (dependant on webhook-success-status) this defines how much time to wait before retrying the call (default 3s)
-webhook-method string
the method for the webook to send with (default "POST")
-webhook-success-status int
the status code which indicates a successful webhook call. A value of -1 disables success checks to make webhooks fire-and-forget (default 200)
-webhook-timeout duration
the timeout used when communicating with the webhook target (default 1s)
-webhook-url string
the URL for the webook to send to. Default is "" which disables the webook.