[RFE] - Deploy SSH keys to enable Git actions on SSH only accessible SCM #21740
Comments
ahussey-redhat
added
the
kind/enhancement
che-bot
added
the
status/need-triage
amisevsk
added
severity/P1
|
To add context, there was some work on supporting SSH keys in the DevWorkspace Operator to make project cloning work automatically, but this is generally frustrated by different containers having different home directories (e.g. This comment has some initial work in the DevWorkspace Operator to support this. Working from this, I'm able to configure my workspaces to clone private GitHub repos as follows: # Work in a temporary directory
cd $(mktemp -d)
# Generate a new SSH key with no passphrase. This key must be uploaded to GitHub
ssh-keygen -t ed25519 -C "[email protected]" -N "" -f ./id_ed25519
# Create ssh_config to point to mounted keys
cat > ./ssh_config <<EOF
host *
IdentityFile /etc/ssh/id_ed25519
StrictHostKeyChecking = no
EOF
# Create secret to store SSH key and config
kubectl create secret generic git-ssh-key \
--from-file=id_ed25519=./id_ed25519 \
--from-file=id_ed25519.pub=./id_ed25519.pub \
--from-file=ssh_config=./ssh_config
# Annotate secret to mount it to DevWorkspaces. Note we use /etc/ssh
# since this is the global config file and is unaffected by home dir
kubectl patch secret git-ssh-key --type merge -p \
'{"metadata": {
"labels": {
"controller.devfile.io/mount-to-devworkspace": "true",
"controller.devfile.io/watch-secret": "true"
},
"annotations": {
"controller.devfile.io/mount-path": "/etc/ssh/",
"controller.devfile.io/mount-as": "subpath"
}
}
}'This stores the SSH keypair in |
amisevsk
added
severity/P2
|
Note that the solution above works without any intervention from Che itself, and relies on DevWorkspace Operator functionality exclusively. Che could potentially wrap the process above to simplify setting up the DWO secret. |
|
Closing this issue now that the documentation has been updated to include the process of using SSH keys. |
Is your enhancement related to a problem? Please describe
Some private (not publically accessible) Source Control Management (SCM) solutions can have PKI authentication. In this situation, it is generally much easier to use SSH to interact; for example when cloning, pulling or pushing to a repository.
Currently it doesn't appear as though there is a way to specify SSH keys to use when interacting with a repository, nor a way to deploy/inject SSH keys into the container that is responsible for initially cloning repositories (
theia-idein some cases?), nor in theworkspacecontainer.In the downstream
Dev SpacesSSH keys are automatically generated, but this would be inefficient to use, as you would need to add them to the Git repository everytime you start up your workspace.Describe the solution you'd like
My preferred solution, would be to create a kubernetes secret containing the private and public SSH keys.
The secret would have a label or annotation so that CHE/DS is aware the secret exists, and deploys/injects/maps the SSH keys into the appropriate locations in order to allow Git actions to occur without manual intervention.
Describe alternatives you've considered
Current workflow consists of:
a. ensure
devfilecontainsprojectsthat usesshnothttpsdevfiletheia-idecontainercpthe secrets from/etc/secrets/git-ssh-secret/*to~/.sshchmod 0600 ~/.ssh/<private-key>retryAdditional context
This is my repo that I have been using for testing:
https://github.com/ahussey-redhat/devspaces/tree/develop
@vinokurig - tagging you for reference
The text was updated successfully, but these errors were encountered: