-
-
Notifications
You must be signed in to change notification settings - Fork 540
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a feature to clone modules via SSH keys during terraform_validate stage #426
Comments
That's from https://ukrops.slack.com/archives/C3R001CHW/p1659634407658399 TL;DR Possible solution: |
@MaxymVlasov @yermulnik Wanted to get your thoughts on implementation here before I start working this...I think this moves out of just the Primary issues are getting SSH keys and public SSH host keys inside the container. I think my preference initially is to provide For keys:
docker run -v ${SSH_AUTH_SOCK}:/run/ssh.socket -e SSH_AUTH_SOCK=/run/ssh.socket would be necessary.
For public host keys:
or
it's easy enough to parse out the hostnames from these, and run @gartemiev do you think this would meet your needs? Is there a case that makes more sense to you? |
Well, yeah, that's a bit of a hassle 🤔 I'm leaning to an option to mount What I actually mean is that we should not interfere with any user-related stuff, but only provide an option on how to overcome GitHub's limitation with user-side actions. Does it make sense to you folks? |
I spent some time experimenting with this, and I think @yermulnik's plan for just providing documentation on how to solve this (with We could put a simple plan in the I've put notes below (primarily for myself), but if agreed that @yermulnik's plan makes sense, I can put together a pass at docs and the minor NotesFor host keys, while not ideal I think using SSH option If the user wants to bind their existing On Github this plan would allow using read-only repository level deployment keys, or account level SSH keys. Other systems (private hosted git repos, Codecommit, etc) shouldn't have an issue either. One issue with Github repository deployment keys is they have to be unique per repository, so if there are multiple private github repos referenced in the code, the As an example, let's say I have 2 Github repositories,
$ PROJSSH="/home/john/src/proj-sshdir"
$ mkdir -p $PROJSSH
$ ssh-keygen -t ed25519 -C "github_security_group_buildkey" -N "" -f "$PROJSSH/id_github_security_group_buildkey"
$ ssh-keygen -t ed25519 -C "github_vpc_buildkey" -N "" -f "$PROJSSH/id_github_vpc_buildkey"
$ gh repo deploy-key add "$PROJSSH/id_github_security_group_buildkey.pub" -t "john security_group buildkey" -R tofupup/private-tf-security-group
$ gh repo deploy-key add "$PROJSSH/id_github_vpc_buildkey.pub" -t "john vpc buildkey" -R tofupup/private-tf-vpc
❯ cat $PROJSSH/config
Host gh_security_group
Hostname github.com
ControlMaster no
IdentitiesOnly yes
IdentityFile ~/.ssh/id_github_security_group_buildkey
StrictHostKeyChecking no
Host gh_vpc
Hostname github.com
ControlMaster no
IdentitiesOnly yes
IdentityFile ~/.ssh/id_github_vpc_buildkey
StrictHostKeyChecking no
source = "git::ssh://git@gh_security_group/tofupup/private-tf-security-group"
source = "git::ssh://git@gh_vpc/tofupup/private-tf-vpc" |
A separate file is OK, put it in the docs/ folder. Wiki has lack of search, so for me it is useless. I could introduce the mkdocs->gh-pages integration later, if we will have many docs |
+1 to file instead of wiki. @tofupup Thanks for your time and effort. What you wrote in the latest post looks reasonable and good to me. |
This issue has been automatically marked as stale because it has been open 30 days |
This issue has been automatically marked as stale because it has been open 30 days |
It would be great to add a feature to be able to clone modules via SSH keys during terraform_validate stage.
The text was updated successfully, but these errors were encountered: