This post was written by Christian Hernandez, Solution Architect of the OpenShift Tiger Team.
OpenShift enables you to take source code and choose a builder image in a process called S2I (source to image). This process takes your source code and layers it on top of the builder image to create your application running inside a docker container.
This works well when the source code is hosted on a Git repository (GitHub, GitLab, Bitbucket, etc.) that is public. That is, the source code is available for anyone to just clone. This is the norm for a lot of open source projects and works really well.
However, in a lot of organizations, the SCM system is either hosted internally or behind a security construct like username/password and/or an SSH key-based authentication system. In this blog I will show you how to use the SSH key-based method.
NOTE: Currently, only SSH key based authentication is supported.
Create An Application using S2I
I will be using a simple PHP application that is hosted on GitHub (this will work with any Git-compatible SCM that supports SSH keys). Using the "ssh" URI, I will create a new application.
$ oc new-app openshift/php~git@github.com:christianh814/php-example-ose3.git
imagestreams/php-example-ose3
buildconfigs/php-example-ose3
deploymentconfigs/php-example-ose3
services/php-example-ose3
A build was created - you can run `oc start-build php-example-ose3` to start it.
Service "php-example-ose3" created at 172.30.245.22 with port mappings 8080.
Run 'oc status' to view your app.
The build will automatically fire off. It will take a little while but this build should fail.
$ oc get builds
NAME                 TYPE     STATUS   POD
php-example-ose3-1   Source   Failed   php-example-ose3-1-build
Inspect the logs to see the output of the failure.
$ oc build-logs php-example-ose3-1
I0930 17:18:59.377859 1 sti.go:74] The value of ALLOWED_UIDS is [1-]
I0930 17:18:59.460461 1 docker.go:228] Pulling image registry.access.redhat.com/openshift3/php-55-rhel7:latest
I0930 17:19:58.068606 1 sti.go:96] Creating a new S2I builder with build config: "Builder Name:\t\tApache 2.4 with PHP 5.5\nBuilder Image:\t\tregistry.access.redhat.com/openshift3/php-55-rhel7:latest\nSource:\t\t\tgit@github.com:christianh814/php-example-ose3.git\nOutput Image Tag:\t172.30.177.205:5000/demo/php-example-ose3:latest\nEnvironment:\t\tOPENSHIFT_BUILD_NAME=php-example-ose3-1,OPENSHIFT_BUILD_NAMESPACE=demo,OPENSHIFT_BUILD_SOURCE=git@github.com:christianh814/php-example-ose3.git\nIncremental Build:\tdisabled\nRemove Old Build:\tdisabled\nForce Pull:\t\tdisabled\nQuiet:\t\t\tdisabled\nLayered Build:\t\tdisabled\nDocker Endpoint:\tunix:///var/run/docker.sock\n"
I0930 17:19:58.070965 1 docker.go:211] Image registry.access.redhat.com/openshift3/php-55-rhel7:latest available locally
I0930 17:19:58.076539 1 sti.go:124] Preparing to build 172.30.177.205:5000/demo/php-example-ose3:latest
I0930 17:19:58.203682 1 clone.go:30] Cloning sources and all GIT submodules into "/tmp/sti374599129/upload/src"
E0930 17:20:00.251015 1 git.go:102] Clone failed: Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I0930 17:20:00.251527 1 clone.go:35] Git clone failed: exit status 128
I0930 17:20:00.251594 1 cleanup.go:23] Removing temporary directory /tmp/sti374599129
I0930 17:20:00.251630 1 fs.go:99] Removing directory '/tmp/sti374599129'
F0930 17:20:00.252693 1 builder.go:54] Build error: exit status 128
As you might have guessed, the build failed because it could not get the source code. Let's fix that!
Create SSH Key
If you do not have an SSH key already uploaded to your SCM, you can create one:
$ ssh-keygen -C "email_address@example.com"
This will ask you some questions, such as where you would like to store your key and whether you want to use a passphrase. Don't use a passphrase: the build clones the repository unattended and cannot prompt for one. The repository keys are located in the $HOME/.ssh/ directory, and the public key is named id_rsa.pub by default.
Now take the public key (by default $HOME/.ssh/id_rsa.pub) and upload it to your SCM.
Create a secret
Now that you have your key and you've uploaded it to your SCM system, you have to create a secret before using it. We'll call it scmsecret for the purposes of this blog. Note that you provide the private key for this step.
$ oc secrets new scmsecret ssh-privatekey=$HOME/.ssh/id_rsa
secret/scmsecret
Once you've created the secret, add it to the builder serviceaccount so that the account has the ability to clone the source code.
For OpenShift v3.2
$ oc secrets add serviceaccount/builder secrets/scmsecret
For OpenShift v3.3
$ oc secrets link builder scmsecret
Add secret to the buildConfig
Now that the scmsecret has been added to the builder serviceaccount, you need to add it to the buildConfig of your application. To do this you need to run oc edit bc/php-example-ose3 and add sourceSecret to the source section. Make sure you provide the secret by name (in this case it's scmsecret).
In the end the buildConfig should look like this:
$ oc get bc/php-example-ose3 -o json
{
  "kind": "BuildConfig",
  "apiVersion": "v1",
  "metadata": {
    "name": "php-example-ose3",
    "namespace": "demo",
    "selfLink": "/osapi/v1beta3/namespaces/demo/buildconfigs/php-example-ose3",
    "uid": "9c4a38d6-67b8-11e5-ba77-fa163e2e3caf",
    "resourceVersion": "27496",
    "creationTimestamp": "2015-09-30T21:17:09Z",
    "labels": {
      "app": "php-example-ose3"
    }
  },
  "spec": {
    "triggers": [
      {
        "type": "GitHub",
        "github": {
          "secret": "03sUVtvNy_VPHARimFyV"
        }
      },
      {
        "type": "Generic",
        "generic": {
          "secret": "axHQA92sZSuFa5Vv-0z4"
        }
      },
      {
        "type": "ImageChange",
        "imageChange": {
          "lastTriggeredImageID": "registry.access.redhat.com/openshift3/php-55-rhel7:latest"
        }
      }
    ],
    "source": {
      "type": "Git",
      "git": {
        "uri": "git@github.com:christianh814/php-example-ose3.git"
      },
      "sourceSecret": {
        "name": "scmsecret"
      }
    },
    "strategy": {
      "type": "Source",
      "sourceStrategy": {
        "from": {
          "kind": "ImageStreamTag",
          "namespace": "openshift",
          "name": "php:latest"
        }
      }
    },
    "output": {
      "to": {
        "kind": "ImageStreamTag",
        "name": "php-example-ose3:latest"
      }
    },
    "resources": {}
  },
  "status": {
    "lastVersion": 1
  }
}
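An added example, not part of the original post or of OpenShift: a Python check over the JSON printed by oc get bc -o json. It reports an SSH Git URI that has no sourceSecret (the state that produced the failed build earlier) and masks the webhook trigger secrets that this output carries before it is shared. The function names and the sample BuildConfig are constructed for illustration.

```python
import copy
import json
import re

# scp-like (user@host:path) and ssh:// Git URIs need a key; https:// and git:// do not.
SSH_URI = re.compile(r"^(ssh://|[\w.-]+@[\w.-]+:)")

def check_source_secret(bc):
    """Return a list of findings for one BuildConfig dict."""
    source = bc.get("spec", {}).get("source", {})
    uri = source.get("git", {}).get("uri", "")
    secret = source.get("sourceSecret", {}).get("name")
    if SSH_URI.match(uri) and not secret:
        return ["ssh Git URI %r has no sourceSecret; the clone will fail" % uri]
    return []

def redact_trigger_secrets(bc):
    """Return a copy of the BuildConfig with webhook trigger secrets masked."""
    safe = copy.deepcopy(bc)
    for trigger in safe.get("spec", {}).get("triggers", []):
        for body in trigger.values():
            if isinstance(body, dict) and "secret" in body:
                body["secret"] = "REDACTED"
    return safe

# Constructed sample in the shape shown above, before sourceSecret is added.
SAMPLE = json.loads("""
{"kind": "BuildConfig",
 "metadata": {"name": "php-example-ose3"},
 "spec": {
   "triggers": [
     {"type": "GitHub", "github": {"secret": "constructed-webhook-value"}},
     {"type": "ImageChange", "imageChange": {}}],
   "source": {"type": "Git",
              "git": {"uri": "git@github.com:christianh814/php-example-ose3.git"}}}}
""")

if __name__ == "__main__":
    for finding in check_source_secret(SAMPLE):
        print(SAMPLE["metadata"]["name"] + ":", finding)
    print(json.dumps(redact_trigger_secrets(SAMPLE)["spec"]["triggers"]))
```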
Build your application
Once you've added the scmsecret to your build config you can start the build process
$ oc start-build php-example-ose3
php-example-ose3-2
After a bit the build will start. You can check the logs as it runs
$ oc build-logs php-example-ose3-2
You should see a successful build after it has finished
$ oc get builds
NAME                 TYPE     STATUS     POD
php-example-ose3-1   Source   Failed     php-example-ose3-1-build
php-example-ose3-2   Source   Complete   php-example-ose3-2-build
At this point you can proceed as you normally would with any other application and create a route.
$ oc expose svc/php-example-ose3
NAME HOST/PORT PATH SERVICE LABELS TLS TERMINATION
php-example-ose3 php-example-ose3 app=php-example-ose3
$ oc get routes
NAME HOST/PORT PATH SERVICE LABELS TLS TERMINATION
php-example-ose3 php-example-ose3-demo.sbx.osecloud.com php-example-ose3 app=php-example-ose3
Summary
In this article we have seen how you can add an SSH key to OpenShift so that it can clone a repository that has SSH keys enabled.
Author
Christian Hernandez
Solution Architect
US CSO Solution Architect- OpenShift Tiger Team
@christianh814
About the author
Christian Hernandez currently leads the Developer Experience team at Codefresh. He has experience in enterprise architecture, DevOps, tech support, advocacy, software engineering, and management. He's passionate about open source and cloud-native architecture. He is an OpenGitOps Maintainer and an Argo Project Marketing SIG member. His current focus has been on Kubernetes, DevOps, and GitOps practices.