ssh secrets mounted as root/root in container #795

Open
jjmartres opened this issue Dec 18, 2023 · 2 comments
Labels
bug Something isn't working help wanted Extra attention is needed

jjmartres commented Dec 18, 2023

Hi there!

The ssh secret is mounted as root in the container, which runs as the ubuntu user, so the SSH key is not readable:

```
ubuntu@plop-sr4d2:/usr/src/app$ cd
ubuntu@plop-sr4d2:~$ ls -lah
total 68K
drwxrwxr-x 1 ubuntu root 4.0K Dec 18 16:08 .
drwxr-xr-x 1 root   root 4.0K Dec 16 10:45 ..
-rw-rw-r-- 1 ubuntu root  220 Feb 25  2020 .bash_logout
-rw-rw-r-- 1 ubuntu root 3.7K Feb 25  2020 .bashrc
drwxrwxr-x 2 ubuntu root 4.0K Dec 16 13:52 .dart
-rw-rw-r-- 1 ubuntu root   39 Dec 16 13:52 .flutter
-rw-rw-r-- 1 ubuntu root   45 Dec 16 13:53 .gemrc
drwxrwxr-x 2 ubuntu root 4.0K Dec 16 13:52 .gradle
drwxrwxr-x 2 ubuntu root 4.0K Dec 16 13:52 .m2
drwxrwxr-x 3 ubuntu root 4.0K Dec 16 19:49 .npm
drwxrwxr-x 4 ubuntu root 4.0K Dec 16 19:49 .npm-global
-rw-rw-r-- 1 ubuntu root   35 Dec 16 19:49 .npmrc
drwxrwxr-x 3 ubuntu root 4.0K Dec 16 13:52 .nuget
-rw-rw-r-- 1 ubuntu root  807 Feb 25  2020 .profile
drwxrwxrwt 3 root   root  120 Dec 18 16:08 .ssh
drwxrwxr-x 2 ubuntu root 4.0K Dec 16 10:45 bin
drwxrwxr-x 2 ubuntu root 4.0K Dec 16 10:45 env.d
ubuntu@plop-sr4d2:~$
```

Here is my value file:

```yaml
cronjob:
  schedule: "0 1 * * *"
  timeZone: CET
  suspend: false
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 4
  jobRestartPolicy: Never
  jobBackoffLimit: 2

renovate:
  securityContext:
    runAsUser: 1000
    fsGroup: 1000
  config: |
    {
      gitUrl: 'ssh',
      platform: 'gitlab',
      persistRepoData: true,
      logLevel: '${log_level}',
      onboardingConfig: {
        extends: ['renovate/renovate-config'], // reference to config project that we created
      },
      autodiscover: false,
      repositories: [
         hidden
      ],
    }
  configIsSecret: true

ssh_config:
  enabled: true
  id_rsa: |-
    hidden
  config: |
    Host gitlab.com
      User git
      StrictHostKeyChecking no
      UserKnownHostsFile=/dev/null
      PasswordAuthentication no
      IdentityFile ~/.ssh/id_rsa

secrets:
  RENOVATE_GIT_AUTHOR: hidden
  GITHUB_COM_TOKEN: hidden
  RENOVATE_TOKEN: hidden

serviceAccount:
  create: true
  annotations:
    iam.gke.io/gcp-service-account: hidden
```

How can I solve this?

@viceice viceice added the bug Something isn't working label Jan 8, 2024
Member

viceice commented Jan 8, 2024

It seems it's not easily possible; here's a complex workaround:

https://stackoverflow.com/a/57908921

@viceice viceice added the help wanted Extra attention is needed label Jan 8, 2024
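
A diagnostic for the symptom reported in this thread, as an added example that is not code from the chart, the maintainers, or the linked answer: it classifies a mounted SSH private key as `unreadable`, `too-open` or `ok` from its owner, group and mode. The function names are hypothetical, and the `too-open` rule is an assumption about the OpenSSH client (it rejects a key that the calling user owns if any group/other bits are set, and does not apply that check to a key owned by another user).

```shell
#!/bin/sh
# Added example (not from the chart): classify an SSH private key from stat values.
# key_verdict PROC_UID "PROC_GIDS" FILE_UID FILE_GID FILE_MODE
# Prints one of: unreadable | too-open | ok
# Not modelled: root/capabilities, ACLs, permissions on parent directories.
key_verdict() {
    puid=$1 pgids=$2 fuid=$3 fgid=$4
    m=$(( 0$5 ))                    # FILE_MODE is octal, e.g. 440
    # The kernel applies exactly one permission class: owner, else group, else other.
    if [ "$puid" -eq "$fuid" ]; then
        bit=$(( m & 0400 ))
    else
        bit=$(( m & 0004 ))
        for g in $pgids; do
            if [ "$g" -eq "$fgid" ]; then bit=$(( m & 0040 )); fi
        done
    fi
    if [ "$bit" -eq 0 ]; then echo unreadable; return 0; fi
    # Assumed OpenSSH client rule: only a key owned by the caller is checked
    # for group/other permission bits.
    if [ "$puid" -eq "$fuid" ] && [ $(( m & 0077 )) -ne 0 ]; then
        echo too-open; return 0
    fi
    echo ok
}

# check_key PATH: verdict for the current process. Needs GNU stat; -L follows
# the symlinks Kubernetes secret volumes use for projected files.
check_key() {
    # shellcheck disable=SC2046
    set -- $(stat -L -c '%u %g %a' "$1")
    key_verdict "$(id -u)" "$(id -G)" "$1" "$2" "$3"
}
```

Inside the container, `check_key ~/.ssh/id_rsa` reports the verdict for the `IdentityFile` path used in the values file above.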