Working to clone a git repository that requires credentials because it is private (to complicate it more, it has a submodule that is also private, but this is a secondary question). I would like to clone it on the remote but without giving it the rights to write to the repo. So, maybe wrongly, I discarded using an ssh key in favour of https with login/password.
- name: "git clone"
  git:
    repo: "https://{{ username | urlencode }}:{{ password | urlencode }}@gitlab.com/(...)/repo.git"
    dest: "{{ sources_dir }}/repo.git"
    update: yes
This seems to work, but when I check the remote I see the credentials leaked there.
$ cd repo.git
$ git remote -v
origin https://<username>:<password>@gitlab.com/(...)/repo.git
The alternative I'm working with, expect, doesn't seem to catch the responses.
- name: "git clone"
  expect:
    chdir: "{{ sources_dir }}"
    command: "git clone https://gitlab.com/(...)/repo.git repo.git"
    responses:
      (?i)username: "{{ username | urlencode }}"
      (?i)password: "{{ password | urlencode }}"
The output seems to be something like:
Cloning into 'repo.git'...
Username for 'https://gitlab.com': Password for 'https://<username>@gitlab.com':
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://gitlab.com/(...)/repo.git/
I checked that the password (stored in an ansible-vault) is correct; from this answer it seems that the username is caught (because it is printed in the stdout), but the auth fails anyway.
The general question is how this clone can be made without transferring rights over the repo to the place of the clone? And also to understand how this regex in the responses would work. Also some information about ansible with git submodules would be nice, but I'll try further investigation from my side.
Thanks
CodePudding user response:
Following the comment from β.εηοιτ.βε, I found how to make this git statement work in ansible.
The first step has been to create a specific ssh key to be used as a deployment key:
ssh-keygen -t ed25519 -C "ansible deploy key for gitlab"
With a password, and the password stored in the ansible-vault (as gitlab_deploy_key_passwd). The file is saved in the path of the roles in ansible.
In the gitlab project, one has to go to "Settings > Repository > Deploy Keys" and place the content of "gitlab_deploy_key_ed25519.pub".
In ansible, it is necessary to have a set of tasks to copy the private key (password protected) to the remote, as well as to configure ssh to use it when talking with gitlab.
- name: "gitlab deploy key"
  block:
    - name: ".ssh directory with the best rights"
      file:
        path: "/home/{{ ansible_user_id }}/.ssh"
        state: directory
        mode: "u=rwx,g=,o="
        owner: "{{ ansible_user_id }}"
        group: "{{ ansible_user_id }}"
    - name: "gitlab deploy key copy"
      copy:
        src: "../files/gitlab_deploy_key_ed25519"
        dest: "/home/{{ ansible_user_id }}/.ssh"
        mode: "u=rwx,g=,o="
        owner: "{{ ansible_user_id }}"
        group: "{{ ansible_user_id }}"
    - name: "gitlab deploy key config"
      blockinfile:
        path: "/home/{{ ansible_user_id }}/.ssh/config"
        create: yes  # blockinfile fails if ~/.ssh/config does not exist yet
        block: |
          Host gitlab.com
            User git
            Hostname gitlab.com
            IdentityFile /home/{{ ansible_user_id }}/.ssh/gitlab_deploy_key_ed25519
With this, a "git clone" task can be set up:
- name: "git clone"
  expect:
    chdir: "{{ sources_dir }}"
    command: "git clone git@gitlab.com:(...)/repo.git repo.git"
    responses:
      passphrase: "{{ gitlab_deploy_key_passwd }}"
So then, the repo is present on the remote without storing any private information there (or at least stored somehow protected). It is read-only, and even this read requires a password that is as safe as the ansible-vault. (I haven't understood why in this case the expect worked with the passphrase but didn't with the username/password.)
This clones the repo without initializing the submodules, but from here the git commands in further ansible tasks will have access to the necessary things to do that.
CodePudding user response:
To add to the comment, here is an example using a credential helper:
- name: Configure Git credential storage
  command: "git config --global credential.helper store"
- name: Populate the Git credential store
  template:
    src: files/git_credentials.j2
    dest: /home/appuser/.git-credentials
    owner: appuser
    group: appuser
    mode: u=rw,g=,o=
  no_log: true
With the template:
https://{{ gitlab_username|urlencode }}:{{ gitlab_password|urlencode }}@gitlab.example.org
You can also use the git_config module to set the credential helper (instead of command).
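Added example, not code from the question or either answer: a small Python audit that parses `git remote -v` output for remote URLs that embed userinfo (the leak the question shows after cloning with credentials in the URL), reports the decoded username and a redacted URL, and checks that a credential-store file such as `.git-credentials` carries the owner-only mode the second answer sets. The sample `git remote -v` output and all function names are constructed for this example.

```python
import re
import stat
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample of `git remote -v` output; 'origin' embeds userinfo as in the question.
SAMPLE_REMOTE_V = (
    "origin\thttps://deploy-bot:p%40ss%3Aword@gitlab.com/group/repo.git (fetch)\n"
    "origin\thttps://deploy-bot:p%40ss%3Aword@gitlab.com/group/repo.git (push)\n"
    "mirror\tgit@gitlab.com:group/repo.git (fetch)\n"
    "mirror\tgit@gitlab.com:group/repo.git (push)\n"
)

def embedded_credentials(url):
    """(user, password) if an http(s) URL carries userinfo, else None.
    ssh remotes (git@host:path) carry no secret: 'git' is the SSH login, the key authenticates."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or (p.username is None and p.password is None):
        return None
    # git keeps the userinfo percent-encoded; decode it to see what actually leaked
    return unquote(p.username or ""), (unquote(p.password) if p.password is not None else None)

def redact(url):
    """The same URL with its userinfo replaced, keeping scheme, host, port and path."""
    p = urlsplit(url)
    if p.username is None and p.password is None:
        return url
    host = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, "<redacted>@" + host, p.path, p.query, p.fragment))

def audit_remotes(remote_v_output):
    """Parse `git remote -v` output; report each distinct URL that embeds credentials."""
    findings, seen = [], set()
    for line in remote_v_output.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+\((?:fetch|push)\)$", line)
        if not m or m.group(2) in seen:
            continue
        name, url = m.groups()
        creds = embedded_credentials(url)
        if creds is not None:
            seen.add(url)
            findings.append({"remote": name, "user": creds[0],
                             "has_password": creds[1] is not None, "redacted": redact(url)})
    return findings

def mode_is_owner_only(st_mode):
    """True when os.stat(path).st_mode has no group/other bits (u=rw,g=,o= or u=rwx,g=,o=)."""
    return stat.S_IMODE(st_mode) & 0o077 == 0
```

Run it against the real output of `git remote -v` in the clone directory and against `os.stat("~/.git-credentials").st_mode` to confirm nothing leaked and the store is owner-only.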