
How do I provide SSH keys for Git repositories access within pods?

To provide SSH keys for Git repository access within Kubernetes pods, we can store the SSH key in a Kubernetes Secret and mount that Secret as a volume in the pod. The key is then available inside the container without being baked into the image, allowing the pod to clone private Git repositories over SSH.

Here is how to achieve this using Pulumi:

  1. Create a Kubernetes Secret: Store the SSH private key in a Kubernetes Secret. This secret will be mounted into the pod, allowing the pod to use the SSH key for Git operations.
  2. Create a Kubernetes Pod: Define a pod that mounts the secret as a volume and uses the key it contains to clone the Git repository.

Pulumi Program

The following Pulumi program demonstrates how to create a Kubernetes Secret and a Pod that uses this secret to access a Git repository via SSH.

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the SSH private key. A literal like this ends up in source control and
// in Pulumi state; in a real deployment read it from a Pulumi config secret
// instead, e.g. new pulumi.Config().requireSecret("sshPrivateKey").
const sshPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----
YOUR_PRIVATE_KEY_HERE
-----END OPENSSH PRIVATE KEY-----`;

// Create a Kubernetes Secret to store the SSH private key
const sshKeySecret = new k8s.core.v1.Secret("ssh-key-secret", {
    metadata: {
        name: "ssh-key-secret",
    },
    stringData: {
        "ssh-privatekey": sshPrivateKey,
    },
});

// Create a Kubernetes Pod that uses the SSH key to access a Git repository
const pod = new k8s.core.v1.Pod("git-ssh-pod", {
    metadata: {
        name: "git-ssh-pod",
    },
    spec: {
        containers: [
            {
                name: "git-container",
                image: "alpine/git",
                command: ["sh", "-c", "git clone git@github.com:your/repo.git /repo && sleep 3600"],
                // Mount the secret over /root/.ssh. Note that a secret volume replaces the
                // whole directory, so ssh cannot write a known_hosts file there.
                volumeMounts: [
                    {
                        name: "ssh-key-volume",
                        mountPath: "/root/.ssh",
                        readOnly: true,
                    },
                ],
                env: [
                    {
                        // StrictHostKeyChecking=no disables host key verification, so the pod
                        // cannot detect a man-in-the-middle on the Git host; a pinned
                        // known_hosts file in the secret is the safer alternative.
                        name: "GIT_SSH_COMMAND",
                        value: "ssh -i /root/.ssh/ssh-privatekey -o StrictHostKeyChecking=no",
                    },
                ],
            },
        ],
        volumes: [
            {
                name: "ssh-key-volume",
                secret: {
                    secretName: "ssh-key-secret",
                    items: [
                        {
                            key: "ssh-privatekey",
                            path: "ssh-privatekey",
                            // ssh refuses a private key that is readable by group or others.
                            mode: 0o600,
                        },
                    ],
                },
            },
        ],
    },
});

// Export the name of the pod
export const podName = pod.metadata.name;

Explanation

  1. Define the SSH Private Key: We define a variable sshPrivateKey that contains the SSH private key. Replace YOUR_PRIVATE_KEY_HERE with your actual private key.

  2. Create a Kubernetes Secret: We create a Kubernetes Secret named ssh-key-secret that stores the SSH private key. This secret is created with the stringData field where the key is ssh-privatekey.

  3. Create a Kubernetes Pod: We create a pod named git-ssh-pod with a single container that runs the alpine/git image. The container:

    • Clones a Git repository using the SSH key.
    • Mounts the SSH key secret as a volume at /root/.ssh.
    • Sets the GIT_SSH_COMMAND environment variable to use the SSH key for Git operations.

  4. Export the Pod Name: The name of the pod is exported as podName.

This setup allows the pod to use the SSH key to access private Git repositories without baking the key into the container image. The SSH key is stored as a Kubernetes Secret and mounted into the pod, so access to it is controlled through the Secret rather than through the image or the source code of the container.
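The program above works, but two of its choices weaken security: the private key is a literal in the source, and `StrictHostKeyChecking=no` turns off verification of the Git host's key. The following added example (not code from the page or from Pulumi; it has no dependencies and builds plain manifest objects with the same shape as the `args` passed to `k8s.core.v1.Secret` and `k8s.core.v1.Pod`) shows the hardened variant: a `known_hosts` entry shipped in the same Secret, the key mounted under a dedicated directory instead of over `/root/.ssh`, read-only file modes, and a `GIT_SSH_COMMAND` that pins the host key. The placeholder key and host-key line are assumptions; a real deployment reads the key from a Pulumi config secret and obtains the host-key line from the Git host's published fingerprints. `lintGitSshCommand` is a small review helper that flags the weak settings so the original and hardened commands can be compared.

```typescript
// Added example: hardened Secret + Pod manifests for an SSH deploy key.
// Plain objects, no Pulumi imports; the shapes match the Pulumi resource args.

type Finding = string;

// Constructed placeholders (assumptions, not real values). In practice:
//   pulumi config set --secret sshPrivateKey "$(cat deploy_key)"
// and a known_hosts line copied from the Git host's published fingerprints.
const PRIVATE_KEY_PLACEHOLDER =
  "-----BEGIN OPENSSH PRIVATE KEY-----\nYOUR_PRIVATE_KEY_HERE\n-----END OPENSSH PRIVATE KEY-----\n";
const KNOWN_HOSTS_PLACEHOLDER = "github.com ssh-ed25519 AAAA_GITHUB_HOST_KEY_HERE\n";

// A secret volume replaces the whole mount directory, so do not mount it over
// /root/.ssh; give the key its own directory and point ssh at it explicitly.
const KEY_DIR = "/etc/git-ssh";

// Secret holding both the private key and the pinned host key.
function buildSshSecret(name: string, privateKey: string, knownHosts: string) {
  return {
    metadata: { name },
    type: "Opaque",
    stringData: { "ssh-privatekey": privateKey, known_hosts: knownHosts },
  };
}

// GIT_SSH_COMMAND that verifies the host against the pinned known_hosts file
// and offers only the mounted key (no agent or default identities).
function gitSshCommand(keyDir: string): string {
  return [
    "ssh",
    `-i ${keyDir}/ssh-privatekey`,
    `-o UserKnownHostsFile=${keyDir}/known_hosts`,
    "-o StrictHostKeyChecking=yes",
    "-o IdentitiesOnly=yes",
  ].join(" ");
}

// Pod that clones `repo` using the key projected from `secretName`.
function buildGitPod(name: string, secretName: string, repo: string, keyDir: string = KEY_DIR) {
  return {
    metadata: { name },
    spec: {
      // The clone job has no reason to talk to the Kubernetes API.
      automountServiceAccountToken: false,
      containers: [
        {
          name: "git-container",
          image: "alpine/git",
          command: ["sh", "-c", `git clone ${repo} /repo && sleep 3600`],
          env: [{ name: "GIT_SSH_COMMAND", value: gitSshCommand(keyDir) }],
          volumeMounts: [{ name: "ssh-key-volume", mountPath: keyDir, readOnly: true }],
        },
      ],
      volumes: [
        {
          name: "ssh-key-volume",
          secret: {
            secretName,
            defaultMode: 0o400,
            items: [
              // ssh rejects a private key readable by group or others.
              { key: "ssh-privatekey", path: "ssh-privatekey", mode: 0o400 },
              { key: "known_hosts", path: "known_hosts", mode: 0o444 },
            ],
          },
        },
      ],
    },
  };
}

// Review helper: returns the settings in a GIT_SSH_COMMAND that weaken
// host authentication. An empty list means the command pins the host key.
function lintGitSshCommand(cmd: string): Finding[] {
  const findings: Finding[] = [];
  if (/StrictHostKeyChecking=no\b/i.test(cmd)) {
    findings.push("host key verification disabled (StrictHostKeyChecking=no)");
  }
  if (!/UserKnownHostsFile=/.test(cmd)) {
    findings.push("no pinned known_hosts file (UserKnownHostsFile not set)");
  }
  if (!/IdentitiesOnly=yes/.test(cmd)) {
    findings.push("other identities may be offered (IdentitiesOnly=yes missing)");
  }
  return findings;
}

// Sample usage with the constructed placeholders.
const hardenedSecret = buildSshSecret("ssh-key-secret", PRIVATE_KEY_PLACEHOLDER, KNOWN_HOSTS_PLACEHOLDER);
const hardenedPod = buildGitPod("git-ssh-pod", "ssh-key-secret", "git@github.com:your/repo.git");
```

Feeding the two objects to `new k8s.core.v1.Secret(...)` and `new k8s.core.v1.Pod(...)` in place of the literals in the program above gives the same deployment with host-key pinning. If the Git host rotates its key, the clone fails closed with a host key mismatch instead of silently trusting the new key, which is the behaviour you want from a deploy job.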
