How do I provide SSH keys for Git repositories access within pods?
To provide SSH keys for Git repositories access within Kubernetes pods, we can use Kubernetes Secrets to store the SSH keys and mount these secrets as volumes in the pods. This way, the SSH keys are securely provided to the pods, allowing them to access private Git repositories.
Here is a detailed explanation of how to achieve this using Pulumi:
- Create a Kubernetes Secret: Store the SSH private key in a Kubernetes Secret. This secret will be mounted into the pod, allowing the pod to use the SSH key for Git operations.
- Create a Kubernetes Pod: Define a pod that mounts the secret as a volume. The pod will use this volume to access the SSH key.
Steps:
- Create a Kubernetes Secret: This secret will hold the SSH private key.
- Create a Kubernetes Pod: This pod will have the secret mounted as a volume and use it to access the Git repository.
Pulumi Program
The following Pulumi program demonstrates how to create a Kubernetes Secret and a Pod that uses this secret to access a Git repository via SSH.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the SSH private key.
// Placeholder only: keep the real key out of source control (for example, in encrypted Pulumi config).
const sshPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----
YOUR_PRIVATE_KEY_HERE
-----END OPENSSH PRIVATE KEY-----`;

// Create a Kubernetes Secret to store the SSH private key
const sshKeySecret = new k8s.core.v1.Secret("ssh-key-secret", {
    metadata: {
        name: "ssh-key-secret",
    },
    stringData: {
        "ssh-privatekey": sshPrivateKey,
    },
});

// Create a Kubernetes Pod that uses the SSH key to access a Git repository
const pod = new k8s.core.v1.Pod("git-ssh-pod", {
    metadata: {
        name: "git-ssh-pod",
    },
    spec: {
        containers: [
            {
                name: "git-container",
                image: "alpine/git",
                command: ["sh", "-c", "git clone git@github.com:your/repo.git /repo && sleep 3600"],
                volumeMounts: [
                    {
                        name: "ssh-key-volume",
                        mountPath: "/root/.ssh",
                        readOnly: true,
                    },
                ],
                env: [
                    {
                        name: "GIT_SSH_COMMAND",
                        // StrictHostKeyChecking=no makes ssh accept any host key,
                        // so the identity of the Git server is not verified.
                        value: "ssh -i /root/.ssh/ssh-privatekey -o StrictHostKeyChecking=no",
                    },
                ],
            },
        ],
        volumes: [
            {
                name: "ssh-key-volume",
                secret: {
                    secretName: "ssh-key-secret",
                    items: [
                        {
                            key: "ssh-privatekey",
                            path: "ssh-privatekey",
                            // Owner read/write only; ssh refuses private keys readable by others
                            mode: 0o600,
                        },
                    ],
                },
            },
        ],
    },
});

// Export the name of the pod
export const podName = pod.metadata.name;
```
Explanation
- Define the SSH Private Key: We define a variable `sshPrivateKey` that contains the SSH private key. Replace `YOUR_PRIVATE_KEY_HERE` with your actual private key.
- Create a Kubernetes Secret: We create a Kubernetes Secret named `ssh-key-secret` that stores the SSH private key. This secret is created with the `stringData` field, where the key is `ssh-privatekey`.
- Create a Kubernetes Pod: We create a pod named `git-ssh-pod` with a single container that runs the `alpine/git` image. The container:
  - Clones a Git repository using the SSH key.
  - Mounts the SSH key secret as a volume at `/root/.ssh`.
  - Sets the `GIT_SSH_COMMAND` environment variable to use the SSH key for Git operations.
- Export the Pod Name: The name of the pod is exported as `podName`.
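This setup lets the pod use the SSH key to access private Git repositories. The key is stored as a Kubernetes Secret and mounted read-only into the pod with file mode 0600, which keeps access to it controlled. One gap remains: `-o StrictHostKeyChecking=no` makes ssh accept any host key, so the pod does not verify that it is talking to the real Git server. To close it, add the server's host keys to the Secret as a `known_hosts` file and set `StrictHostKeyChecking=yes`.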
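The following check is an added example, not part of the original Pulumi program: it audits a plain object shaped like the pod spec above for host key verification disabled in `GIT_SSH_COMMAND`, a missing `known_hosts` file, secret file modes open beyond the owner, and writable secret mounts. The function names, the `known_hosts` Secret key and the `hardenedPod` variant are assumptions made for illustration.

```typescript
// Added example: structural types for just the Pod spec fields the audit reads.
type SecretItem = { key: string; path: string; mode?: number };
type Volume = { name: string; secret?: { secretName: string; defaultMode?: number; items?: SecretItem[] } };
type Container = { name: string; env?: { name: string; value?: string }[];
  volumeMounts?: { name: string; mountPath: string; readOnly?: boolean }[] };
type PodSpec = { containers: Container[]; volumes?: Volume[] };

// Returns one finding per weakness in how the pod hands SSH material to git.
function auditGitSshPod(spec: PodSpec): string[] {
  const findings: string[] = [];
  const secretVols = (spec.volumes ?? []).filter(v => v.secret !== undefined);
  let pinsHosts = false;
  for (const v of secretVols) {
    const s = v.secret!;
    // With no items, every key is projected using defaultMode (Kubernetes default 0644).
    const files: SecretItem[] = s.items ?? [{ key: "*", path: "*" }];
    for (const f of files) {
      const mode = f.mode ?? s.defaultMode ?? 0o644;
      if ((mode & 0o077) !== 0) findings.push(`${v.name}/${f.path}: mode 0${mode.toString(8)} is readable beyond the owner`);
      if (/(^|\/)known_hosts$/.test(f.path)) pinsHosts = true;
    }
  }
  if (!pinsHosts) findings.push("no known_hosts file is projected, so the Git host key cannot be pinned");
  for (const c of spec.containers) {
    const sshCmd = (c.env ?? []).filter(e => e.name === "GIT_SSH_COMMAND").map(e => e.value ?? "").join(" ");
    if (/StrictHostKeyChecking=(no|off)\b|UserKnownHostsFile=\/dev\/null/i.test(sshCmd))
      findings.push(`${c.name}: GIT_SSH_COMMAND disables host key verification`);
    for (const m of c.volumeMounts ?? [])
      if (secretVols.some(v => v.name === m.name) && m.readOnly !== true)
        findings.push(`${c.name}: secret mount ${m.mountPath} is writable`);
  }
  return findings;
}

// Builds the page's pod shape; only the ssh options and the projected secret keys vary.
function gitPod(sshOpts: string, keys: string[]): PodSpec {
  return {
    containers: [{
      name: "git-container",
      env: [{ name: "GIT_SSH_COMMAND", value: `ssh -i /root/.ssh/ssh-privatekey ${sshOpts}` }],
      volumeMounts: [{ name: "ssh-key-volume", mountPath: "/root/.ssh", readOnly: true }],
    }],
    volumes: [{ name: "ssh-key-volume", secret: { secretName: "ssh-key-secret",
      items: keys.map(k => ({ key: k, path: k, mode: 0o600 })) } }],
  };
}
const pagePod = gitPod("-o StrictHostKeyChecking=no", ["ssh-privatekey"]);
// Assumption: the Secret gains a second key, known_hosts, holding the Git server's host keys.
const hardenedPod = gitPod("-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/root/.ssh/known_hosts",
  ["ssh-privatekey", "known_hosts"]);
```

`auditGitSshPod(pagePod)` reports the disabled host key check and the missing `known_hosts` file, while `auditGitSshPod(hardenedPod)` returns no findings.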