1.4.4.4. 生成到 Git 服务器的 SSH 连接
在
data的sshKey字段中创建一个 secret 来包含您的私有 SSH 密钥。如果密钥需要使用密码短语进行保护,在passphrase字段中指定密码。此 secret 必须与频道 CR 位于同一命名空间中。使用oc命令创建此 secret,以创建 secret genericgit-ssh-key --from-file=sshKey=./.ssh/id_rsa,然后添加以 base64 编码的passphrase。请参见以下示例:apiVersion: v1 kind: Secret metadata: name: git-ssh-key namespace: channel-ns data: sshKey: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQ21GbGN6STFOaTFqZEhJQUFBQUdZbU55ZVhCMEFBQUFHQUFBQUJDK3YySHhWSIwCm8zejh1endzV3NWODMvSFVkOEtGeVBmWk5OeE5TQUgcFA3Yk1yR2tlRFFPd3J6MGIKOUlRM0tKVXQzWEE0Zmd6NVlrVFVhcTJsZWxxVk1HcXI2WHF2UVJ5Mkc0NkRlRVlYUGpabVZMcGVuaGtRYU5HYmpaMmZOdQpWUGpiOVhZRmd4bTNnYUpJU3BNeTFLWjQ5MzJvOFByaDZEdzRYVUF1a28wZGdBaDdndVpPaE53b0pVYnNmYlZRc0xMS1RrCnQwblZ1anRvd2NEVGx4TlpIUjcwbGVUSHdGQTYwekM0elpMNkRPc3RMYjV2LzZhMjFHRlMwVmVXQ3YvMlpMOE1sbjVUZWwKSytoUWtxRnJBL3BUc1ozVXNjSG1GUi9PV25FPQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K passphrase: cGFzc3cwcmQK type: Opaque
使用 secret 配置频道。请参见以下示例:
apiVersion: apps.open-cluster-management.io/v1 kind: Channel metadata: name: my-channel namespace: channel-ns spec: configMapRef: name: git-known-hosts secretRef: name: git-ssh-key pathname: <Git SSH URL> type: Git订阅控制器使用提供的 Git 主机名执行
ssh-keyscan来构建known_hosts列表,以防止 SSH 连接中的 Man-in-the-middle(MITM)攻击。如果要跳过此步骤并使用不安全的连接,请在频道配置中使用insecureSkipVerify: true。这不是最佳方案,特别是在生产环境中。apiVersion: apps.open-cluster-management.io/v1 kind: Channel metadata: name: my-channel namespace: channel-ns spec: secretRef: name: git-ssh-key pathname: <Git SSH URL> type: Git insecureSkipVerify: true
