Issue
Is it possible, through either HTTPS or SSH, to clone from a private repo without creating a Secret with my git credentials? I don't see why this is recommended; anyone in the Kubernetes cluster can view my git credentials if they wanted to.
Both of the top two answers advocate this dangerously unsafe practice.
see and also.
I've also been looking at git-sync, but it also wants to expose the git credentials to everyone in the cluster; see this answer.
Is it assumed that you’d have a service account for this? What if I don’t have a service account? Am I just out of luck?
Solution
The credentials have to exist somewhere, and a Secret is the best place for them. You wouldn't give access to "anyone", though; you should use the Kubernetes RBAC policy system to limit access to Secret objects to only the places and people that need them. There are other solutions which read directly from some other database (HashiCorp Vault, AWS SSM, GCP SM, etc.), but they are generally the same in terms of access control, since the pod would be authenticating to that other system using its ServiceAccount token, which … is in a Secret. If you go full-out on this I'm sure you can find some kind of HSM which supports GitHub, but unless you have hundreds of thousands of dollars to burn, that seems like overkill vs. just writing a better RBAC policy.
Answered By – coderanger
This answer, collected from Stack Overflow, is licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
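An added example, not part of the question or of coderanger's answer, of what "a better RBAC policy" looks like in practice: the git deploy key lives in a Secret, a Role grants `get` on that one Secret only, a RoleBinding ties it to a single ServiceAccount, and the clone pod mounts the key read-only. The namespace `ci`, the Secret name `git-creds`, the ServiceAccount `git-puller`, the repository URL and the container images are assumptions; the `alpine/git` image is assumed to ship an OpenSSH client.

```yaml
# Added example (not from the original answer). Assumed names: namespace "ci",
# Secret "git-creds", ServiceAccount "git-puller", repo git@github.com:example-org/private-repo.git
apiVersion: v1
kind: Namespace
metadata:
  name: ci
---
# The credentials live in a Secret, as the answer recommends. Create the real one
# without committing key material to YAML:
#   kubectl -n ci create secret generic git-creds \
#     --type=kubernetes.io/ssh-auth --from-file=ssh-privatekey=./id_ed25519
apiVersion: v1
kind: Secret
metadata:
  name: git-creds
  namespace: ci
type: kubernetes.io/ssh-auth          # built-in type; the key name below is fixed
stringData:
  ssh-privatekey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    (placeholder: a read-only deploy key for the repository goes here)
    -----END OPENSSH PRIVATE KEY-----
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: git-puller
  namespace: ci
---
# Grant "get" on exactly one Secret. resourceNames cannot restrict "list" or
# "watch", so those verbs are deliberately omitted: granting "list" on secrets
# would expose every Secret in the namespace, which is the situation the
# question complains about.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-git-creds
  namespace: ci
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["git-creds"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: git-puller-reads-git-creds
  namespace: ci
subjects:
  - kind: ServiceAccount
    name: git-puller
    namespace: ci
roleRef:
  kind: Role
  name: read-git-creds
  apiGroup: rbac.authorization.k8s.io
---
# The kubelet projects the Secret into the volume, so the pod itself needs no
# API access at all: the ServiceAccount token is not even mounted.
apiVersion: v1
kind: Pod
metadata:
  name: repo-clone
  namespace: ci
spec:
  serviceAccountName: git-puller
  automountServiceAccountToken: false
  initContainers:
    - name: clone
      image: alpine/git:2.43.0        # assumed to include an OpenSSH client
      env:
        - name: GIT_SSH_COMMAND
          value: "ssh -i /etc/git-secret/ssh-privatekey -o StrictHostKeyChecking=accept-new"
      command: ["git", "clone", "--depth=1",
                "git@github.com:example-org/private-repo.git", "/workspace/repo"]
      volumeMounts:
        - name: git-creds
          mountPath: /etc/git-secret
          readOnly: true
        - name: workspace
          mountPath: /workspace
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "ls /workspace/repo && sleep 3600"]
      volumeMounts:
        - name: workspace
          mountPath: /workspace
  volumes:
    - name: git-creds
      secret:
        secretName: git-creds
        defaultMode: 0400             # ssh refuses group/world-readable keys
    - name: workspace
      emptyDir: {}
```

Check the policy before trusting it: `kubectl -n ci auth can-i get secret/git-creds --as=system:serviceaccount:ci:git-puller` should answer `yes`, while `kubectl -n ci auth can-i list secrets --as=system:serviceaccount:ci:git-puller` should answer `no`. The same `--as` check against your human users and CI identities shows who else can still read the Secret; anyone bound to `cluster-admin` or to a namespace `admin`/`edit` role can, which is the access that actually needs trimming rather than the Secret itself being the problem.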