I am preparing a k8 manifest to deploy one custom application and that requires a "git clone" in some pods and I face an error with it.
So I thought of first isolating the git part and testing in a simple pod. But I get the same error there as well.
Error is:
URL using bad/illegal format or missing URL
My test pod and secret YAML manifest are as follows:
apiVersion: v1
kind: Secret
metadata:
  name: secret-manager
  namespace: sec-manager
type: Opaque
data:
  gitlab-access-token: SOMETOKEN
---
apiVersion: v1
kind: Pod
metadata:
  name: "sec-manager"
  namespace: sec-manager
  labels:
    app: sec-manager
    use: passwordmanager
spec:
  containers:
    - name: disk-checker
      image: "alpine:latest"
      command: ["/bin/sh"]
      args:
        - "-c"
        - |
          apk add --no-cache git;
          git --version;
          cd /root;
          git clone https://gitlab-ci-token:$GITLABTOKEN@gitlab.com/ORG/infra/deploy/apps/sec-manager.git;
          sleep 9999;
      env:
        - name: GITLABTOKEN
          valueFrom:
            secretKeyRef:
              name: secret-manager
              key: gitlab-access-token
Pod log shows the git clone command fails:
→ kubectl -n sec-manager logs sec-manager
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
(1/7) Installing ca-certificates (20220614-r0)
(2/7) Installing brotli-libs (1.0.9-r6)
(3/7) Installing nghttp2-libs (1.47.0-r0)
(4/7) Installing libcurl (7.83.1-r4)
(5/7) Installing expat (2.5.0-r0)
(6/7) Installing pcre2 (10.40-r0)
(7/7) Installing git (2.36.3-r0)
Executing busybox-1.35.0-r17.trigger
Executing ca-certificates-20220614-r0.trigger
OK: 19 MiB in 21 packages
git version 2.36.3
Cloning into '@gitlab.com/ORG/infra/deploy/apps/sec-manager.git'...
fatal: unable to access 'https://gitlab-ci-token:glpat-252jb98b39/': URL using bad/illegal format or missing URL
But if I run the following command manually inside the same pod, it works fine.
git clone https://gitlab-ci-token:[email protected]/ORG/infra/deploy/apps/sec-manager.git
So I believe there is some YAML parsing error with some characters in the shell commands in the Pod, but I am unable to figure out which one and how exactly to correct the lines.
Any ideas?
CodePudding user response:
Found where the problem exists.
The issue is a newline being automatically added to the base64 encoded string.
For example, if the original token is 12345 we can base64 encode as follows:
▶ echo "12345" | base64
MTIzNDUK
But there is a high chance a trailing space or newline comes at the end of the string and the encoded string will likely be wrong and not the encoded one of our actual token.
To prevent any trailing newline or space, use the flag -n with echo:
▶ echo -n "12345" | base64
MTIzNDU=
You can see the encoded token difference compared to the first result.
Basically, the same issue was happening with my gitlab-access-token value from the Kubernetes secret secret-manager. The newline was breaking the git repo URL after the env variable $GITLABTOKEN.
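
The failure described in the answer can be reproduced and linted for offline. The script below is an added example, not part of the original question or answer: it encodes a value without a trailing newline, flags a base64 value whose decoded bytes contain whitespace, and counts the arguments `git clone` receives when such a token is expanded unquoted in the URL (which is why the log shows git cloning into '@gitlab.com/...'). The function names, the `12345` sample token and the `gitlab.example` host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils or BusyBox
# (base64 -d, od). Sample values are constructed; gitlab.example is a placeholder.

# Encode exactly the bytes given: printf '%s' never appends a newline.
encode_secret() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Lint one base64 value from a Secret's data: field.
# Returns 0 if clean, 1 if the decoded bytes contain space, tab, CR or LF,
# 2 if nothing could be decoded.
check_secret_b64() {
    # One hex byte per line, so matches are always byte-aligned.
    bytes=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -s ' ' '\n')
    [ -n "$bytes" ] || return 2
    if printf '%s\n' "$bytes" | grep -qxE '0a|0d|20|09'; then
        return 1
    fi
    return 0
}

# Count the arguments git receives when the decoded token is expanded unquoted
# inside the clone URL, as the pod's script does with $GITLABTOKEN.
clone_argc() {
    token=$(printf '%s' "$1" | base64 -d; printf x)  # sentinel preserves a trailing newline
    token=${token%x}
    set -- https://gitlab-ci-token:${token}@gitlab.example/ORG/repo.git
    echo "$#"
}

# Constructed inputs: the newline-tainted encoding and the clean one.
for value in "MTIzNDUK" "$(encode_secret 12345)"; do
    if check_secret_b64 "$value"; then verdict=clean; else verdict="contains whitespace"; fi
    echo "$value: $verdict, git clone would get $(clone_argc "$value") argument(s)"
done
```

Running `check_secret_b64` over each value under `data:` before applying a manifest catches the problem without ever printing the decoded token.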