kubernetes / git-sync

A sidecar app which clones a git repo and keeps it in sync with the upstream.
Apache License 2.0

GitLab via ssh key #853

Closed gray380 closed 6 months ago

gray380 commented 6 months ago

Hello,

Could you help me find the root cause of a "Permission Denied" error?

I've added the public SSH key to the GitLab user profile and checked it against the private key:

ssh -i git-sync_airflow.prv -T git@gitlab.bank.lan

Welcome to GitLab, @git-sync!

and I've added this private key to the Docker Compose file as well:

  airflow-git-sync:
    image: registry.k8s.io/git-sync/git-sync:v4.1.0
    command: "--repo=git@gitlab.bank.lan:sre/dags.git --root=/dags"
    user: "git-sync:0"
    volumes:
      - ${AIRFLOW_PROJ_DIR:-.}/dags:/dags
      # private key bind-mounted from the host; its owner/mode come from the host file
      - ./git-sync_airflow.prv:/etc/git-secret/git-sync_airflow.prv
    environment:
      GITSYNC_REF: "main"
      GITSYNC_SSH_KEY_FILE: "/etc/git-secret/git-sync_airflow.prv"
      GITSYNC_SSH_KNOWN_HOSTS: "false"   # quoted so YAML does not turn it into a boolean

The git-sync user has access to the repo via the web UI. I can clone the repo with this private key from the console:

git clone git@gitlab.bank.lan:sre/dags.git --config core.sshCommand="ssh -i  git-sync_airflow.prv"
Cloning into 'dags'...

You're entered RESTRICTED ZONE!

Unauthorized access or intrusion into operation of computing systems
are persecuted by criminal law.

To exit press your terminal Escape characters or close terminal window.

remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 6 (delta 1), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (6/6), done.
Resolving deltas: 100% (1/1), done.

But when I start the container it fails with the following error:

{"logger":"","ts":"2023-12-27 17:12:20.623776","caller":{"file":"main.go","line":784},"msg":"too many failures, aborting","error":"Run(git ls-remote -q git@gitlab.bank.lan:sre/dags.git main main^{}): exit status 128: { stdout: \"\", stderr: \"Warning: Permanently added 'gitlab.bank.lan' (ED25519) to the list of known hosts.\\r\\n\\nYou're entered RESTRICTED ZONE!\\n\\nUnauthorized access or intrusion into operation of computing systems\\nare persecuted by criminal law.\\n\\nTo exit press your terminal Escape characters or close terminal window.\\n\\nLoad key \\\"/etc/git-secret/git-sync_airflow.prv\\\": Permission denied\\r\\nPermission denied, please try again.\\r\\nPermission denied, please try again.\\r\\nReceived disconnect from 172.24.1.23 port 22:2: Too many authentication failures\\r\\nDisconnected from 172.24.1.23 port 22\\r\\nfatal: Could not read from remote repository.\\n\\nPlease make sure you have the correct access rights\\nand the repository exists.\" }","failCount":1}

Best regards, Serhiy.

thockin commented 6 months ago

Can you exec into that container image with that config (volumes, etc.) and try SSH manually?

Also, can you run git-sync with -v 6 and post the logs?

thockin commented 6 months ago

Also, look in the logs for which UID git-sync is running as, and make sure that the volume with the SSH key matches; the error suggests SSH can't read the key.
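The check described in the comment above, as an added example that is not part of this issue or of the git-sync project: a small POSIX shell function that, given a key path and the uid/gid the container runs as, reports whether that process could read the key at all, and whether ssh would still refuse it as "too open" (ssh ignores a private key that is owned by the calling uid and has any group/other permission bits set). It assumes a Linux host with GNU or BusyBox `stat -c`, and that the git-sync image's default uid is 65533 (the project's Dockerfile sets `USER 65533:65533`; verify against your image tag). The demo file is a constructed stand-in, not a real key.

```shell
#!/bin/sh
# ssh_key_ok PATH UID GID
#   0 - a process running as UID/GID can read PATH and ssh would accept it
#   1 - PATH does not exist or is not readable by that UID/GID ("Load key: Permission denied")
#   2 - readable, but owned by UID with group/other bits set, so ssh ignores it as "too open"
ssh_key_ok() {
    key=$1; uid=$2; gid=$3
    [ -f "$key" ] || return 1
    # owner uid, group gid, octal mode (e.g. "1000 1000 400")
    set -- $(stat -c '%u %g %a' "$key")
    owner=$1; group=$2; mode=$3
    mode=$(printf '%03d' "$mode")      # make sure there are at least three digits
    mode=${mode#${mode%???}}           # keep the last three (drop setuid/setgid/sticky)
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}

    # Same DAC rule the kernel applies: owner bits, else group bits, else other bits.
    if   [ "$uid" -eq 0 ];        then readable=1
    elif [ "$uid" -eq "$owner" ]; then readable=$(( u & 4 ))
    elif [ "$gid" -eq "$group" ]; then readable=$(( g & 4 ))
    else                               readable=$(( o & 4 ))
    fi
    [ "$readable" -ne 0 ] || return 1

    # ssh's own sanity check: a key the caller owns must have no group/other bits.
    if [ "$uid" -eq "$owner" ] && [ $(( g | o )) -ne 0 ]; then
        return 2
    fi
    return 0
}

# Constructed demo mirroring the issue: a bind-mounted key owned by the host user
# is fine for the host user, but unreadable to the container's uid (assumed 65533).
demo() {
    dir=$(mktemp -d)
    key="$dir/git-sync_airflow.prv"
    printf 'stand-in for a private key, not real key material\n' > "$key"
    me_uid=$(id -u); me_gid=$(id -g)

    chmod 644 "$key"
    rc=0; ssh_key_ok "$key" "$me_uid" "$me_gid" || rc=$?
    echo "0644, as the host user:        rc=$rc   (2: ssh refuses it as too open)"

    chmod 400 "$key"
    rc=0; ssh_key_ok "$key" "$me_uid" "$me_gid" || rc=$?
    echo "0400, as the host user:        rc=$rc   (0: works from the console)"

    rc=0; ssh_key_ok "$key" 65533 65533 || rc=$?
    echo "0400, as git-sync's uid 65533: rc=$rc   (1: the container's Permission denied)"

    # One fix: give the key to a group the container also has, with group read only.
    chmod 440 "$key"
    rc=0; ssh_key_ok "$key" 65533 "$me_gid" || rc=$?
    echo "0440, uid 65533 in the group:  rc=$rc   (0: readable, and not owned by 65533)"

    rm -rf "$dir"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check_key.sh demo`. The two fixes it points at are the ones implied by the thread: either chown the mounted file to the uid git-sync runs as and use mode 0400, or keep the file owned by someone else and grant read through a group the container shares (in Kubernetes, a Secret volume with `fsGroup` does the latter).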

gray380 commented 6 months ago

@thockin I completely forgot about the key's gid/uid, thanks a lot!