RangerRick
commented
3 weeks ago I would be surprised if any particular public ssh key is pre-populated in any way.
The error message you mentioned is host-key validation, so my first guess is you would need to make a ~/.ssh/known_hosts file for the netbox user (which I think is just ubuntu in the images) just like you get when manually saying "yes" the first time you connect to an ssh server.
You could define a configmap with the contents, and then use worker.extraVolumes and worker.extraVolumeMounts to stick it in the right place.
Another option would be to make a worker.initContainers entry with a configmap script mounted into it that knows how to set up the environment to reach your resources, so you can do more complicated things that run before the worker starts, like so:
# (in values.yaml):
worker:
initContainers:
- name: init-gitlab-env
command: ['/opt/gitlab/init.sh']
volumes:
- name: "gitlab-config"
configMap:
name: "gitlab-config"
defaultMode: 0755
volumeMounts:
- name: "gitlab-config"
mountPath: /opt/gitlab/init.sh
subPath: init.sh
readOnly: true
---
# (create a new file and deploy to your cluster, eg configmap-gitlab.yaml)
apiVersion: v1
kind: ConfigMap
metadata:
name: netbox-gitlab-config
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.netbox.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.netbox.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
init.sh: |-
#!/bin/sh
# ...do whatever you need to here
tbartschat
Hi all,
first of all I want to thank you for maintaining this Netbox helm-chart project, this makes it very simple to deploy Netbox in a k8s based enviroment and make our live much easier, great stuff!
We are currently working on an integration of a Netbox instance for production environment. We got a lot of different requirement, one of them is that we can use GitLab as datasource in Netbox.
Here we run into some issues, maybe you can assists and support here to find a working solution.
Let me explain our setup first.
General settings
Kubernetes Version: v1.30.0 OS Version: Ubuntu 22.04.4 LTS Netbox Helm Chart Version: 5.0.0-beta.78 Netbox appVersion: v4.0.9
Netbox is running on self-hosted k8s cluster using an ingress and a self-signed cert, GitLab is running on a self-hosted virtual machine with a self-signed cert.
If I wan to clone a GitLab project as datasource in Netbox via GUI, it is failing.
1st attempt via HTTPS
We have a self-hosted GitLab instance with a self-signed certificate, if I want to clone a project it fails, because of "SSL: CERTIFICATE_VERIFY_FAILED".
Log Messages of netbox-worker pod:
SyncError("Fetching remote data failed (GitProtocolError): HTTPSConnectionPool(host='xxxxxxxx', port=443): Max retries exceeded with url: /gitlab/thdd/engineering/master_templates.git/info/refs?service=git-upload-pack (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))")My first intension was to add extraEnvs to the netbox-worker pod, that SSL verification will skip.
I have tried it with following Envs:
But all of the extraEnvs doesn't solve the issue, cloning a GitLab Project is still not possible, logging messages is the same.
My second intension was, to let Netbox know about the self-signed GitLab cert, so I mounted the related cert into the netbox-worker pod via extraVolumeMounts and extraVolumes and set extraEnvs to use the mounted cert path for validation.
But this attempt was also not successful, so I moved on to use SSH for cloning.
2nd attempt via SSH
Same setup, but different way to clone the GitLab project, this time via SSH.
But here I run into a different issue, because of host key verification is failing.
Log Messages of netbox-worker pod:
SyncError('Fetching remote data failed (HangupException): Host key verification failed.\r')So first intension was to generate ssh key pairs inside the netbox-worker pod, after changing the security context from "readOnlyRootFilesystem: true" to "readOnlyRootFilesystem: false" I was able to generate a ssh key pair and import the public key to GitLab.
But this wasn't successful, I have the assumption that Netbox is using a different key which is generated by default during the installation/creation of the netbox-worker pod. I also have also tried to use the ssh keys of the k8s-worker nodes, because in a tcpdump on the GitLab VM I saw the ssh request for cloning was coming from the k8s-worker node IPs, but this is most likely because of the ingress settings, and it was also failing with these ssh keys.
Finally, I'm stucked again ... argh.
So my two questions are:
Can you please support here, do you have any ideas for solving this issue ?
Thanks in advance.