Spring Cloud Config Server using SSH key for Git and running in Docker

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must do so under the same license and attribute it to the original authors (not me), linking the original: http://stackoverflow.com/questions/47024826/

Date: 2020-09-19 12:57:32  Source: igfitidea

Tags: git, docker, ssh-keys, spring-cloud-config, spring-boot-configuration

Asked by Wpigott

I found many questions and tutorials before finally putting this all together. Wanted to document it so somebody else can save many hours of frustration.

I am trying to get a private git repository on BitBucket to work with Spring Boot Config Server using deploy keys and have it run in Docker. I am running into many issues.

  1. How to actually configure using the application.yml files.

I can't seem to figure out where I should put the SSH info. All tutorials seem to be for https.

  2. How to provide the private key to the configuration. For Dev the syntax for inline in YML is a pain. For production, you have to provide it via an environment variable, which is another syntax chore.

I keep getting an error that the private key is invalid.

  3. How to get the Docker container to trust the host key without that pesky "do you trust this guy" prompt.

There seem to be several ways to make this work, but only one that worked for me.

Answered by Wpigott

The first piece is the configuration. You want to ignore the standard private key and use one provided as an environment variable (SSH_KEY). Also, the git repo is an EV (GIT_URL), but you can hardcode it if you want.

spring:
  cloud:
    config:
      server:
        git:
          uri:  ${GIT_URL}
          ignore-local-ssh-settings: true
          private-key: ${SSH_KEY}

Part 2 is tricky. For Dev, you want the key inline, so you need to use a pipe to prefix the block in YAML. (Note this key is throwaway, as in I just generated it and have now thrown it away.)

private-key: |
                    -----BEGIN RSA PRIVATE KEY-----
                    MIIEpAIBAAKCAQEAszmCR06LVHk/kNYV6LoYgEfHlK4rp75sCsRJ7rdAbWNED+yB
                    bneOm5gue0LGIhT7iTP9D7aN6bKVHv1SBconCA7Pa2NMA9epcMT5ecJc8ndpZOFn
                    iqM77jmMMPvj8EIC06w5oK5zoYwpGotYQFHllf8M+20HtW2fZdPYAYwLcVdmc5tI
                    vLoS+10qw5D3X9zrwk2Cbt37Iqnz1cHOQq+g7sxgVgt18aIKKeg0JslaGqSlWMoT
                    ICUMHj89E4BMHj8ND8otSXHL+VhN+ghd7w1MpckxLWBsNs1+G1FuiJEVAtRq/j+8
                    SOilxgifvI1LqpZ5kO01XFlmkcuN4NMT03qpcwIDAQABAoIBAB5oQGk2sz7mv1kk
                    aV0tzaBeDUd1cWSpUw1UljKRFrY4ZEDLYH5MfH57iE9TWehIZRC3KFU1JMikitZS
                    JktjK9IbKSfQFgKE4XOHh8gXqMteZRw/feCwpydYzic1ZUvK903QZ4qSbn3XGNYv
                    FA79lhUny50Qt4EZkzSkh35js0FMSR9VmyXENxN6IgXUZyoaNAATr44Vkd488BY2
                    7PvdOniemo8/8p4Ij0Aq9Q7rOtm77ZXjyFRX5mDTi2ndSllMEhVcWXHSii+ukbvF
                    117Ns+8M7VWroNfRzI+Ilm/Xz/ePOLlNoYcY0h5+QM9vMPTX9Cpl5WofgOMK1sKd
                    mSdI4ukCgYEA12kcu0aDyIrEPHcyaT9izSFply0Uon2QKS9EQn6cr83vaEGViamh
                    f5q1coYouGnsLfbgKolEMKsYtbmJvInPFDCdc2x0Fmc207Wp1OECsN+HwElEXkrs
                    uPDpGQgs5odjN5Grue9837920oG3UBBdVDAKly2dTOcvoWW+88seFSUCgYEA1P7f
                    p78HDMQ8zTy5+3Rd4+lmJjPsY618XxSQ80j8Elrhi/DyTMA0XGc5c3cKRPmSj+JD
                    GN34WQbw7JO2mKM7YJs+tkSBeTKce8F3cZQy1jy3LNHCtfXylOxmxOFKynV5h2b/
                    jno+pGdmAPK5yvnGASd2eujtzt+AL07XiD2LnLcCgYEAsFRz131WfP/SuShdlLf1
                    WbODKuQVIxojuwLdHo1kF6k805v0G/dGoxzycOgPRz41vj57q3Yn4qr8FC3n6PTq
                    FT3idUyPDpO41r67Ye469KxWBHo1Q/aTJqTWOs5tatvixOcyqoa3MrUZQCI8+4YZ
                    z8Nvt+b3/66zV6vhDtHzMx0CgYAvWW2M0+mUS/ecRHivzqGkrdkYewh87C8uz9qd
                    SsdGqU9kla63oy7Ar+3Unkz5ImYTeGAkIgw4dlOOtBOugPMNOdXKHRaPQ9IHrO2J
                    oUFf4OVzoDnhy4ge1SLPd6nxsgXPNPVwzfopABdr9Ima9sWusgAjuK5NA+ByI9vE
                    HLJxpwKBgQCTM938cdx457ag1hS6EaEKyqljS1/B8ozptB4cy3h0hzw0crNmW84/
                    1Lt9MJmeR4FrWitQkkVLZL3SrYzrP2i+uDd4wVVD5epvnGP/Bk6g05/eB9LgDRx/
                    EeBgS282jUBkXZ6WpzqHCcku3Avs3ajzsC1WaEYx0tCiBxSkiJlaLQ==
                    -----END RSA PRIVATE KEY-----

On the production front, you need to use a bash variable at the command prompt to store your key before you pass it to the Docker command that runs your container. Example:

$ pem=$( cat path_to_key )
$ docker run -e "SSH_KEY=$pem" configserver

At this point you should have the application taken care of. Now all you need is to get past the ssh host not trusted problem. For this, add these lines in your Dockerfile. Replace "bitbucket.org" with whatever host you want. These commands create the ssh config directory, fix the permissions, and then create and populate the known_hosts file.

RUN mkdir -p /root/.ssh
RUN chmod 700 /root/.ssh
RUN ssh-keyscan bitbucket.org > /root/.ssh/known_hosts
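Two things the answer above leaves to trial and error are checking the key material before it goes into SSH_KEY and deciding whether to trust what ssh-keyscan returned at image build time. The script below is an added example (not code from the original answer or from Spring Cloud Config) that does both offline: it rejects keys in the OpenSSH container format that recent ssh-keygen versions emit by default, which the server's JGit/JSch backend does not accept (regenerate with `ssh-keygen -m PEM`), flags a key whose newlines were flattened on the way through an environment variable (the usual cause of the "private key is invalid" error), and keeps from ssh-keyscan output only the line whose SHA256 fingerprint matches a value you obtained out of band, for instance from your Git host's published fingerprints. The known_hosts lines and key strings in it are constructed samples, not real keys.

```python
"""Preflight checks for the SSH_KEY / known_hosts setup of a Spring Cloud Config
git backend.  Added example, not code from the original answer or from
Spring Cloud Config.  Assumes the key reaches the server through the SSH_KEY
environment variable (as in the answer) and that you already have the Git
host's fingerprint from a trusted source to compare against."""
import base64
import hashlib
import os
import re

PEM_RSA_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
PEM_RSA_FOOTER = "-----END RSA PRIVATE KEY-----"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
BASE64_RE = re.compile(r"[A-Za-z0-9+/=]+")


def check_private_key(key_text: str) -> list:
    """Return the problems found with the key material; an empty list means it
    has the shape the server's JGit/JSch backend can load."""
    if OPENSSH_HEADER in key_text:
        # ssh-keygen 7.8+ writes this format by default; JSch rejects it.
        return ["OpenSSH key format; regenerate with 'ssh-keygen -m PEM -t rsa -b 4096'"]
    if PEM_RSA_HEADER not in key_text or PEM_RSA_FOOTER not in key_text:
        return ["missing PEM RSA header/footer"]
    lines = key_text.strip().splitlines()
    if len(lines) < 3:
        # Newlines lost in transit through an env var or an unquoted YAML scalar.
        return ["newlines were lost; key is on a single line"]
    if any(l.startswith("Proc-Type:") or l.startswith("DEK-Info:") for l in lines):
        return ["passphrase-protected key; set spring.cloud.config.server.git.passphrase or use an unencrypted key"]
    body = "".join(l.strip() for l in lines[1:-1])
    if not BASE64_RE.fullmatch(body):
        return ["base64 body contains unexpected characters"]
    return []


def host_key_fingerprint(known_hosts_line: str) -> str:
    """SHA256 fingerprint of a known_hosts / ssh-keyscan line, in the
    'SHA256:<base64 without padding>' form that ssh-keygen -l prints."""
    fields = known_hosts_line.split()
    if fields and fields[0].startswith("@"):  # '@cert-authority' / '@revoked' marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts line: " + known_hosts_line)
    key_blob = base64.b64decode(fields[2])
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def pin_known_hosts(keyscan_output: str, expected_fingerprint: str) -> str:
    """Return the single ssh-keyscan line whose key matches the pinned
    fingerprint, ready to be written to known_hosts.  Raises if nothing
    matches, so a build never silently trusts whatever answered on port 22."""
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if host_key_fingerprint(line) == expected_fingerprint:
            return line + "\n"
    raise ValueError("no scanned host key matches " + expected_fingerprint)


def _fake_rsa_blob(modulus: bytes) -> str:
    """Base64 SSH wire-format RSA public key built from throwaway bytes.
    Constructed for this example only; it is not a real key."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    raw = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return base64.b64encode(raw).decode("ascii")


# Constructed samples (not real keys, not a real scan of bitbucket.org).
SAMPLE_PEM_KEY = "\n".join([PEM_RSA_HEADER, "A" * 64, "A" * 64, PEM_RSA_FOOTER])
SAMPLE_KNOWN_HOSTS_LINE = "bitbucket.org ssh-rsa " + _fake_rsa_blob(b"\xde\xad\xbe\xef")
SAMPLE_KEYSCAN_OUTPUT = "\n".join([
    "# bitbucket.org:22 SSH-2.0-constructed",
    # a different key, as an interposed host on the path would present:
    "bitbucket.org ssh-rsa " + _fake_rsa_blob(b"\x0b\xad\xf0\x0d"),
    SAMPLE_KNOWN_HOSTS_LINE,
])


def main() -> int:
    key = os.environ.get("SSH_KEY", SAMPLE_PEM_KEY)
    problems = check_private_key(key)
    for problem in problems:
        print("SSH_KEY:", problem)
    # In practice the pinned value comes from the Git host's published fingerprints.
    pinned = host_key_fingerprint(SAMPLE_KNOWN_HOSTS_LINE)
    print(pin_known_hosts(SAMPLE_KEYSCAN_OUTPUT, pinned), end="")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it with SSH_KEY set (for example `SSH_KEY="$pem" python preflight.py`) before the `docker run` step; if you keep the ssh-keyscan line in the Dockerfile, pass its output through pin_known_hosts so the image only ever contains the entry you verified. Note also that a key passed with `-e` stays readable through `docker inspect` and to anything that can read the process environment inside the container; a mounted file or a Docker secret is the safer channel in production.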

Answered by Marco Massenzio

I wanted to add a further twist on this, that would hopefully remove the need to mess around with SSH keys in the YAML file (or in env variables), which is usually A Bad Idea.

This revolves around the SSH Config file, so if the app does not have access to it, or it cannot be modified, this won't work (but I cannot think of any real-world situation in which this would apply, including Cloud deployments: either AWS Cloudformation templates, or Kubernetes ConfigMaps would provide useful workarounds).

The issue revolves (for the most part) around the (rather inexplicable) limitation of not being able to specify a private key file in the Spring Config application properties.

In your ~/.ssh/config file, you can add the following:

Host git-config
    HostName github.myserver.example.com
    User someone
    IdentityFile /path/to/private_key

(I need to connect to a private GitHub Enterprise server, and the user associated with the SSH key is not the same as the one the application server is being run under: this works just fine; if that's not the case, simply use github.com for the HostName, and omit the User)

Then, instead of using the actual GitHub URI, something like:

[email protected]:my-team/config-properties-demo.git

you replace git-config for the host:

spring:
  cloud:
    config:
      server:
        git:
          uri: git@git-config:my-team/config-properties-demo.git
          strictHostKeyChecking: false

It is indeed a bit cumbersome, but relatively easy to automate. A much preferable option would be for Spring Config to add another option that points to the private key material:

spring:
  cloud:
    config:
      server:
        git:
          uri: [email protected]:my-team/config-properties-demo.git
          user: someone
          private_key_file: /path/to/private_key
          strictHostKeyChecking: false

I guess this is one for the "enhancement requests" section...

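The alias approach above gets past host-key verification with strictHostKeyChecking: false, which accepts whatever key the far end presents and so removes the one defence SSH has against a host impersonating your Git server. As an added example (not from the original answer), here is that setting beside the two hardened forms the Spring Cloud Config git backend supports: keep strict checking at its default and let JGit read a ~/.ssh/known_hosts entry you checked against the provider's published fingerprint, or, when ignore-local-ssh-settings is true, pin the host key in the properties themselves with host-key and host-key-algorithm. Hostnames, paths and the key string are placeholders, and property availability depends on your Spring Cloud Config version.

```yaml
# Weak: any host key is accepted, so an interposed host on the path to the
# Git server is never noticed.
spring:
  cloud:
    config:
      server:
        git:
          uri: git@git-config:my-team/config-properties-demo.git
          strictHostKeyChecking: false

---
# Hardened, local SSH settings in use (~/.ssh/config alias as above):
# leave strictHostKeyChecking at its default (true) and make sure
# ~/.ssh/known_hosts holds an entry for github.myserver.example.com that
# you verified against the fingerprint your Git host publishes.
spring:
  cloud:
    config:
      server:
        git:
          uri: git@git-config:my-team/config-properties-demo.git
          strictHostKeyChecking: true

---
# Hardened, key material supplied through properties
# (ignore-local-ssh-settings: true): pin the host key itself instead of
# relying on a known_hosts file baked into the image.
spring:
  cloud:
    config:
      server:
        git:
          uri: git@github.myserver.example.com:my-team/config-properties-demo.git
          ignore-local-ssh-settings: true
          private-key: ${SSH_KEY}
          host-key-algorithm: ssh-rsa        # must match the type of the pinned key
          host-key: AAAAB3NzaC1yc2EAAA...    # placeholder: base64 public key of the Git host, verified out of band
```

The three documents are alternatives, not one file: pick the second or third depending on whether the key comes from the container's ~/.ssh directory or from SSH_KEY. With the third form the ssh-keyscan step in the Dockerfile becomes unnecessary, since the server no longer consults known_hosts for that host.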

Answered by Ryan Hansen

Pardon the necro, but this is the #1 result on Google (from SO) when searching for how to do SSH authentication with Git repos when the config server is deployed to an environment with an ephemeral file system - and I believe I have found a way to do just that. Below is a gist of what I am currently doing to make that happen for my client.

https://gist.github.com/hanserya/43b00162741fa3022481301db60e8acd

It is definitely an ugly duckling, but is functional and should serve as solid footing for anyone that needs it. With this implementation, you'll be able to mount a volume to a container running the config server. Then, just configure the environment to use the volume as the SSH directory with the spring.cloud.config.server.git.sshLocation configuration key via whatever medium works best for you (env variables, bootstrap.yml, etc...)

Happy Coding!
