I have a Pod on OpenShift 3.11 (Kubernetes 1.11). From that Pod I need to push to a GitHub Repository using a passphrased SSH-Key. Now I can create a secret just fine:

    apiVersion: v1
    data:
      known_hosts: Yml...
      passphrase: abcde...
      ssh-privatekey: LS0...
    kind: Secret
    metadata:
      name: git-ssh-mirror
      namespace: mynamespace
    type: kubernetes.io/ssh-auth

I have no idea, though, how to hook up this Secret in such a way that the Pod would work with both the private key and the passphrase.
Any pointers would be appreciated.

The passphrase and ssh-privatekey fields in the data section of the git-ssh-mirror secret created can be mounted inside the container either as:

GIT_SSH_PASSPHRASE and GIT_SSH_PRIVATEKEY inside the container:

    ...
    kind: Pod
    ...
    spec:
      containers:
      - name: mycontainer
        image: myimage
        env:
        - name: GIT_SSH_PASSPHRASE
          valueFrom:
            secretKeyRef:
              name: git-ssh-mirror
              key: passphrase
        - name: GIT_SSH_PRIVATEKEY
          valueFrom:
            secretKeyRef:
              name: git-ssh-mirror
              key: ssh-privatekey

Now, use the environment variables GIT_SSH_PASSPHRASE and GIT_SSH_PRIVATEKEY inside the container to access the SSH passphrase and private key respectively needed to push to the GitHub repository.

    ...
    kind: Pod
    ...
    spec:
      containers:
      - name: mycontainer
        image: myimage
        volumeMounts:
        - name: git-ssh-secrets
          mountPath: "/etc/mypath"
          readOnly: true
      volumes:
      - name: git-ssh-secrets
        secret:
          secretName: git-ssh-mirror

Now, the values of passphrase and ssh-privatekey in the git-ssh-mirror secret created are base-64 decoded and stored in the read-only files /etc/mypath/passphrase and /etc/mypath/ssh-privatekey respectively inside the container. Use them to push to the GitHub repository.

If the passphrase or SSH private key needs to be base-64 decoded, use the base64 --decode command.
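
One way to use the files from the volume mount for a non-interactive push, as an added example that is not part of the original answer: it unlocks the key in an ssh-agent through an askpass helper and pins the host key to the Secret's known_hosts entry. The function names and temporary files are assumptions; SSH_ASKPASS_REQUIRE needs OpenSSH 8.4 or later, and older versions rely on DISPLAY being set with no terminal attached.

```shell
#!/bin/sh
# Added example: non-interactive git push with the Secret mounted at /etc/mypath.
# SECRET_DIR and the function names are assumptions, not from the original answer.
SECRET_DIR="${SECRET_DIR:-/etc/mypath}"

# Write an askpass helper that prints the mounted passphrase and echo its path.
# The helper stores only the file path, never the passphrase itself.
make_askpass() {
    helper="$(mktemp)" || return 1
    printf '#!/bin/sh\ncat "%s"\n' "$1/passphrase" > "$helper"
    chmod 700 "$helper"
    echo "$helper"
}

# Build the ssh command git should use: trust only the known_hosts entry
# shipped in the Secret and never fall back to an interactive prompt.
git_ssh_command() {
    echo "ssh -o UserKnownHostsFile=$1/known_hosts -o StrictHostKeyChecking=yes -o BatchMode=yes"
}

# Start an agent, unlock the key with the passphrase, export the git setting.
load_git_key() {
    dir="${1:-$SECRET_DIR}"
    eval "$(ssh-agent -s)" >/dev/null || return 1
    askpass="$(make_askpass "$dir")" || return 1
    # Secret volume files are often group/world readable, which ssh-add
    # rejects; mktemp creates the copy with mode 0600.
    keycopy="$(mktemp)" || return 1
    cat "$dir/ssh-privatekey" > "$keycopy"
    DISPLAY="${DISPLAY:-:0}" SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force \
        ssh-add "$keycopy" </dev/null
    rc=$?
    rm -f "$keycopy" "$askpass"   # the unlocked key now lives only in the agent
    GIT_SSH_COMMAND="$(git_ssh_command "$dir")"
    export GIT_SSH_COMMAND
    return "$rc"
}

# Usage inside the container:
#   load_git_key /etc/mypath && git push origin master
```

The volume mount is used here rather than the environment variables because environment values are inherited by every child process of the container's entrypoint.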