argo-workflow: secrets for git
I needed to clone one of my private repositories in a workflow in argo-workflows. I didn't figure out a way to mount a git artifact into a shared volume at that time. I looked for other options and found https://github.com/argoproj/argo-workflows/issues/1428 and https://www.jeffgeerling.com/blog/2019/mounting-kubernetes-secret-single-file-inside-pod.
The comment https://github.com/argoproj/argo-workflows/issues/1428#issuecomment-775911838 gives an example of adding the user name and password to the https URL. When I checked the logs, I found that the user and password are shown in the logs of a workflow. That is not a secure way to do it.
https://www.jeffgeerling.com/blog/2019/mounting-kubernetes-secret-single-file-inside-pod uses postStart to do the magic. Basically I think the solution is okay. I might have chosen this way if I had only one secret.
After reading the documentation and searching the issues in argo-workflow, you will find that argo-workflow doesn't support the way Tekton handles git basic authentication. I still had one option: .netrc. After several trials and some debugging, here is my final working example.
```yaml
# netrc secret
apiVersion: v1
data:
  # base64 of the .netrc file content
  .netrc: aaa=
kind: Secret
metadata:
  creationTimestamp: null
  name: netrc
---
# partial workflow
volumes:
  - name: netrc-vol
    secret:
      secretName: netrc
      items:
        - key: .netrc
          path: .netrc
templates:
  - name: git-clone
    container:
      image: golang:1.18
      command: [ sh, -euxc ]
      args:
        - |
          git clone -v -b "dev" https://gitee.com/jackliusr/demo.api2.git
          cd demo.api2
          git checkout "{{workflow.parameters.revision}}"
          git show -m --name-only |\
            grep -E -o '^(Global|Local)\/src\/Modules\/(\w|\.)*\/' | sort |\
            uniq -u > /src/demo.api2/changes.txt
      workingDir: /src/
      env:
      volumeMounts:
        - mountPath: /src
          name: workdir
        # the secret lands at /root/.netrc, i.e. ~/.netrc for the root user
        - mountPath: /root
          name: netrc-vol
```
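The Secret above shows only a placeholder for the `.netrc` value. As an added example (not part of the original post), these shell functions build one `machine … login … password …` entry and emit the matching manifest; the function names, the `GIT_USER`/`GIT_TOKEN` variables and any arguments passed in are assumptions.

```shell
#!/bin/sh
# Added example: builds the "netrc" Secret manifest mounted by the workflow.
# Host, login and token are supplied by the caller; none come from the page.

# Emit one .netrc entry. netrc tokens are whitespace-delimited, so an empty
# value or one containing whitespace would be misparsed; reject both.
netrc_line() {
    for v in "$1" "$2" "$3"; do
        case "$v" in
            ''|*[[:space:]]*) echo "netrc: empty or whitespace in value" >&2; return 1 ;;
        esac
    done
    printf 'machine %s login %s password %s\n' "$1" "$2" "$3"
}

# Print a Secret manifest whose ".netrc" data key is the base64 of the entry.
# tr removes the 76-column wrapping some base64 tools add, which would
# otherwise break the single-line YAML value.
netrc_secret_manifest() {
    line=$(netrc_line "$1" "$2" "$3") || return 1
    b64=$(printf '%s\n' "$line" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: netrc
type: Opaque
data:
  .netrc: $b64
EOF
}

# Usage (keep shell tracing, i.e. "set -x", off here or the token is echoed):
#   netrc_secret_manifest gitee.com "$GIT_USER" "$GIT_TOKEN" | kubectl apply -f -
```

With the credentials in the mounted file, the `git clone` line traced by `sh -x` in the workflow contains only the plain repository URL.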
With hindsight, I think argo-workflow might consider adding .netrc support as a feature when I found that