Using token from shell env variable not working for git clone in commands defined for Pod

Time:11-11

I am preparing a k8 manifest to deploy one custom application and that requires a "git clone" in some pods and I face an error with it.

So I thought of first isolating the git part and testing in a simple pod. But I get the same error there as well.

Error is:

URL using bad/illegal format or missing URL

My test pod and secret YAML manifests are as follows:

apiVersion: v1
kind: Secret
metadata:
  name: secret-manager
  namespace: sec-manager
type: Opaque
data:
  gitlab-access-token: SOMETOKEN

---

apiVersion: v1
kind: Pod
metadata:
  name: "sec-manager"
  namespace: sec-manager
  labels:
    app: sec-manager
    use: passwordmanager
spec:
  containers:
  - name: disk-checker
    image: "alpine:latest"
    command: ["/bin/sh"]
    args:
      - "-c"
      - |
        apk add --no-cache git;
        git --version;
        cd /root;
        git clone https://gitlab-ci-token:$GITLABTOKEN@gitlab.com/ORG/infra/deploy/apps/sec-manager.git;
        sleep 9999;
    env:
      - name:  GITLABTOKEN
        valueFrom:
          secretKeyRef:
            name:  secret-manager
            key:  gitlab-access-token

Pod log shows the git clone command fails:

→ kubectl -n sec-manager logs sec-manager 
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
(1/7) Installing ca-certificates (20220614-r0)
(2/7) Installing brotli-libs (1.0.9-r6)
(3/7) Installing nghttp2-libs (1.47.0-r0)
(4/7) Installing libcurl (7.83.1-r4)
(5/7) Installing expat (2.5.0-r0)
(6/7) Installing pcre2 (10.40-r0)
(7/7) Installing git (2.36.3-r0)
Executing busybox-1.35.0-r17.trigger
Executing ca-certificates-20220614-r0.trigger
OK: 19 MiB in 21 packages
git version 2.36.3
Cloning into '@gitlab.com/ORG/infra/deploy/apps/sec-manager.git'...
fatal: unable to access 'https://gitlab-ci-token:glpat-252jb98b39/': URL using bad/illegal format or missing URL

But if I run the following command manually inside the same pod, it works fine.

git clone https://gitlab-ci-token:[email protected]/ORG/infra/deploy/apps/sec-manager.git

So I believe there is some YAML parsing error with some characters in the shell commands in the Pod, but I am unable to figure out which one and how exactly to correct the lines.

Any ideas?

CodePudding user response:

Found where the problem exists.

The issue is a newline being automatically added to the base64 encoded string.

For example, if the original token is 12345 we can base64 encode as follows:

▶ echo "12345" | base64
MTIzNDUK

But there is a high chance a trailing space or newline comes at the end of the string and the encoded string will likely be wrong and not the encoded one of our actual token.

To prevent any trailing newline or space, use the flag -n with echo:

▶ echo -n "12345" | base64
MTIzNDU=

You can see the encoded token difference compared to the first result.

Basically, the same issue was happening with my gitlab-access-token value from the Kubernetes secret secret-manager. The newline was breaking the git repo URL after the env variable $GITLABTOKEN.
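
An added example, not part of the original answer: a shell check that a base64 Secret value decodes without trailing whitespace, plus a count of how the unquoted clone URL splits when the token carries a newline. It uses the answer's sample token 12345; the repository path ORG/repo.git is a shortened placeholder, and `base64 -d` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: check base64 Secret values for trailing whitespace.
# "12345" is the sample token from the answer; ORG/repo.git is a placeholder.

# Encode exactly the bytes of $1; printf '%s' appends no newline.
encode_secret() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Print the last decoded byte of base64 value $1 as two hex digits.
last_byte_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# Return 0 only if the decoded value is non-empty and does not end in
# newline, carriage return, space or tab.
secret_is_clean() {
    case "$(last_byte_hex "$1")" in
        ''|0a|0d|20|09) return 1 ;;
        *) return 0 ;;
    esac
}

# Count the arguments the shell builds from the unquoted URL, as in the
# Pod's git clone line. A newline inside the token splits the URL in two.
url_word_count() {
    tok=$1
    set -- https://gitlab-ci-token:$tok@gitlab.com/ORG/repo.git
    echo "$#"
}

# A variable holding a single newline (constructed test input).
NL='
'
bad=$(echo "12345" | base64)      # MTIzNDUK, newline encoded into the value
good=$(encode_secret "12345")     # MTIzNDU=

for v in "$bad" "$good"; do
    if secret_is_clean "$v"; then state=clean; else state="trailing whitespace"; fi
    echo "$v: last byte 0x$(last_byte_hex "$v"), $state"
done
echo "URL words with newline in token: $(url_word_count "12345$NL")"
echo "URL words with clean token:      $(url_word_count "12345")"
```

To check the deployed value, pass the output of `kubectl -n sec-manager get secret secret-manager -o jsonpath='{.data.gitlab-access-token}'` to `secret_is_clean`. The two-word split matches the Pod log, where git treats the second word as the target directory.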
