Using token from shell env variable not working for git clone in commands defined for Pod


I am preparing a k8 manifest to deploy one custom application and that requires a "git clone" in some pods and I face an error with it.

So I thought of first isolating the git part and testing in a simple pod. But I get the same error there as well.

Error is:

URL using bad/illegal format or missing URL

My test pod and secret YAML manifest as follows:

apiVersion: v1
kind: Secret
  name: secret-manager
  namespace: sec-manager
type: Opaque
  gitlab-access-token: SOMETOKEN


apiVersion: v1
kind: Pod
  name: "sec-manager"
  namespace: sec-manager
    app: sec-manager
    use: passwordmanager
  - name: disk-checker
    image: "alpine:latest"
    command: ["/bin/sh"]
      - "-c"
      - |
        apk add --no-cache git;
        git --version;
        cd /root;
        git clone https://gitlab-ci-token:[email protected]/ORG/infra/deploy/apps/sec-manager.git;
        sleep 9999;
      - name:  GITLABTOKEN
            name:  secret-manager
            key:  gitlab-access-token

Pod log shows the git clone command fails:

→ kubectl -n sec-manager logs sec-manager 
(1/7) Installing ca-certificates (20220614-r0)
(2/7) Installing brotli-libs (1.0.9-r6)
(3/7) Installing nghttp2-libs (1.47.0-r0)
(4/7) Installing libcurl (7.83.1-r4)
(5/7) Installing expat (2.5.0-r0)
(6/7) Installing pcre2 (10.40-r0)
(7/7) Installing git (2.36.3-r0)
Executing busybox-1.35.0-r17.trigger
Executing ca-certificates-20220614-r0.trigger
OK: 19 MiB in 21 packages
git version 2.36.3
Cloning into ''...
fatal: unable to access 'https://gitlab-ci-token:glpat-252jb98b39/': URL using bad/illegal format or missing URL

But if I run the following command manually inside the same pod, it works fine.

git clone https://gitlab-ci-token:[email protected]/ORG/infra/deploy/apps/sec-manager.git

so I believe some YAML parsing error of some characters in shell commands in Pod but unable to figure out which one and how exactly to correct the lines.

Any ideas?


Found where the problem exists.

The issue is a newline being automatically added to the base64 encoded string.

For example, if the original token is 12345 we can base64 encode as follows:

▶ echo "12345" | base64

But there is a high chance a trailing space or newline comes at the end of the string and the encoded string will likely be wrong and not the encoded one of our actual token.

To prevent any trailing newline or space, use the flag -n with echo:

▶ echo -n "12345" | base64

You can see the encoded token difference compared to the first result.

Basically, the same issue was happening with my gitlab-access-token value from the Kubernetes secret secret-manager. The newline was breaking the git repo URL after the env variable $GITLABTOKEN




enter image description here

Answered By – vjwilson

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published