Setting up SSH authentication

Emilien Lancelot edited this page Feb 1, 2023 · 7 revisions

What is SSH authentication

SSH keys come as a pair of files: the public key and the private key. The public key must be uploaded to public servers (Github, etc.) or VMs (if you wish to authenticate against an OS). The private key must be kept safe and should not be shared with anyone. It is possible to add a password to a key. Adding a password is in general highly recommended because even if the keys are stolen the thief cannot use them. In the case of Gitfaas you MUST NOT set a password. If you do, Gitfaas won't be able to clone the remote repo as it isn't aware of the password itself.

ℹ️ If you have set up authentication using a personal token (recommended) then you don't have to set up SSH authentication.

Create an SSH key

On linux : $ ssh-keygen -t ed25519 -C "your_email@example.com"
⚠️ Do not set a password on the key. Leave the field blank to create a passwordless key ⚠️
Save the key to your .ssh folder.

More information on creating ssh keys here

Setup SSH key authentication on Github

    1. Print your public key and copy the content to your clipboard:
       cat ~/.ssh/<your_public_key>.pub
    2. Go to settings (not the project settings)
    3. Click on the "Access" section
    4. Click "New ssh key" or "add ssh key"
    5. Paste the content of the public key in the text area
    6. Finish by clicking the "Add ssh key" button

Click here to read Github's documentation on adding a key.

Setup SSH key authentication in Gitlab

    1. Print your public key and copy the content to your clipboard:
       cat ~/.ssh/<your_public_key>.pub
    2. On the top bar, in the top right corner, select your avatar.
    3. Select Preferences.
    4. On the left sidebar, select SSH Keys.
    5. In the Key box, paste the contents of your public key.
    6. Select Add key.

Click here to read Gitlab's documentation on adding a key.

Setup SSH authentication in Gitfaas helm chart

To set up the Gitfaas helm chart we recommend that you edit the values.yaml directly. Edit helm_chart/values.yaml.

  • Step 1:
    Edit the value app => git => sshKey => usePrivateKey. Update the value from "no" to "yes".

  • Step 2:
    Create a Kubernetes secret in the Gitfaas namespace that contains the SSH private key that will be used to clone the repo.
    ⚠️ The file name containing the private key MUST be id_rsa. You can use the command below to create the secret. It will force the correct file name in the secret regardless of the file name of the key on disk.

 kubectl create secret generic gitfaas-ssh-key --from-file=id_rsa=<path_to_private_key> -n <namespace> 

Edit the value app => git => sshkey => privKeySecretName. Update the value if necessary (gitfaas-ssh-key by default) with the secret name that you have used.

  • Step 3:
    This is the tricky part... To prevent man-in-the-middle attacks, SSH will ask you whether the remote signature (the server's host key) is really what you expect it to be. By default Gitfaas has no idea whether the signature is correct or not. This option is a multiline value that allows you to set up a known_hosts file corresponding to the signature of the remote server you wish Gitfaas to connect to. This way Gitfaas will be aware of the correct signature and all will be safe.

ℹ️ To bypass this step completely you can go right to the next one and set strictHostKeyChecking to "no". It is highly recommended that you do not do this unless you are sure that man-in-the-middle (MIM) attacks are rather impossible (i.e. contacting a private instance of Gitlab on a private network, etc.).

To generate the signature of the remote host you should use the Linux command ssh-keyscan from a trusted network (one that you know for sure isn't being targeted by MIM):

ssh-keyscan <REPLACE_WITH_REMOTE_GIT_SERVER> > keys.txt # For example, using Gitlab: ssh-keyscan gitlab.com > keys.txt 

For Github and Gitlab the signatures are available online so you don't have to scan:

  • Click here to get the official fingerprints from Github.com.
  • Click here to get the official fingerprints from Gitlab.com.

Back to the helm chart, add the content of keys.txt to app => git => sshkey => knowHostsMultiLine. Respect the indentation!

  • Step 4:
    Edit app => git => sshkey => strictHostKeyChecking.
    If you did step 3 you should keep the default value: "yes". If you didn't do step 3 then update this value to "no". This is not recommended as Gitfaas will accept any remote signature presented to it.
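
The check behind step 3, as an added example (not part of the Gitfaas project): ssh-keyscan output is not authenticated by itself, so each scanned key is hashed the way `ssh-keygen -lf` prints it and kept only if it matches a fingerprint pinned from the provider's published list. The host name, keys and pinned value below are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib


def fingerprint(key_b64):
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: unpadded base64 of the hash of the raw key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_keyscan(keyscan_text, pinned):
    """Split ssh-keyscan output into (trusted, rejected) lines.

    pinned maps a key type (e.g. "ssh-ed25519") to the fingerprint copied
    from the provider's published list. Unpinned key types are rejected.
    """
    trusted, rejected = [], []
    for line in keyscan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        fields = line.split()  # host, key type, base64 key blob
        try:
            ok = len(fields) >= 3 and pinned.get(fields[1]) == fingerprint(fields[2])
        except ValueError:  # malformed base64 in the key field
            ok = False
        (trusted if ok else rejected).append(line)
    return trusted, rejected


def constructed_key(seed):
    """Build a constructed (not real) ssh-ed25519 public key blob for the demo."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode()


# Constructed sample data: git.example.test is a placeholder host.
GOOD = constructed_key(b"genuine server key")
FORGED = constructed_key(b"key presented by an interceptor")
SAMPLE_SCAN = f"# constructed keys.txt\ngit.example.test ssh-ed25519 {GOOD}\n"
# In real use this value is copied by hand from the provider's documentation.
PINNED = {"ssh-ed25519": fingerprint(GOOD)}

if __name__ == "__main__":
    trusted, rejected = verify_keyscan(SAMPLE_SCAN, PINNED)
    if rejected:
        raise SystemExit("host key mismatch, do not use keys.txt:\n" + "\n".join(rejected))
    print("\n".join(trusted))  # lines that are safe to paste into knowHostsMultiLine
```
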

Install Gitfaas using a SSH key

Now that the values.yaml is correctly set up you should proceed with the installation.

cd helm_chart
helm install . # Provided that you correctly set up the rest of the chart

During boot, Gitfaas will try to clone the remote repo. Look out for the logs of the "git" container inside the Gitfaas pods. Any errors during clone should be logged there.

kubectl logs -n gitfaas <gitfaas-pod-name> -c git -f 