Is it possible to use an HTTPS URL for a Git repository? #2898
-
|
I've deployed Lagoon-Core and Lagoon-Remote in a cluster located behind a TIC (firewall). When the project repository has an HTTPS URL, the build process fails within seconds. (I'm not seeing any logs with explicit error messages; I haven't yet managed to set up the full logging infrastructure, though) According to this:
The problem is that outgoing SSH connection attempts are dropped by the TIC. There is no way around this. The message above about SSH compatibility is unambiguous. However, looking through the scripts, nothing really jumps out at me as a reason that SSH should be required. Could you tell me if this is by design, or due to limitations in HTTPS cloning, or if it should work but I'm messing something up? 😃 |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
|
Hey @ndouglas, we use ssh git urls so that we can use deploy keys to access the repository, and the deploy keys can be added to the repository with read only, because Lagoon doesn't need to push into the repo at all. If your repository is public, then the https endpoint should work, as there isn't a reason to try and authenticate. Lagoon doesn't support private repositories that only support HTTPs as the source to pull from, because there isn't currently a way to inject user credentials or api tokens to log in to whichever git provider you're using. This isn't something that I think I've seen requested before either, but we could possibly build this functionality in. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @shreddedbacon! That's very helpful. Yeah, we have a public repo. I didn't realize the specifics of how the TIC was implemented. I believe what happens is that outgoing HTTPS requests are answered by a MITM proxy server, which obv presents an internal certificate that must be trusted by the requesting process. So I think it might've been failing immediately because Git was seeing that internal TLS cert and (rightly) bailing. So I built my own derivative of the Thanks again for your help, Ben, I deeply appreciate it. |
Beta Was this translation helpful? Give feedback.
-
|
Ah yes, that MITM would probably cause quite a few issues. Injecting the internal cert into the kbdd image is a good step, just make sure you do it the alpine way, might be better to do it in the image kbdd is built from which is https://github.com/uselagoon/lagoon/blob/main/images/kubectl/Dockerfile |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, that makes sense. Thanks! |
Beta Was this translation helpful? Give feedback.
-
|
a quick note on the fork of |
Beta Was this translation helpful? Give feedback.
-
|
Ah, thanks! I'm sure that catch saved me a lot of time. |
Beta Was this translation helpful? Give feedback.
-
|
We will be looking at this again shortly - the kubectl-build-deploy-dind image is updated far more regularly than the others (and indeed the rest of Lagoon) - so it makes more sense to split that out into a separate repo with it's own test/release process |
Beta Was this translation helpful? Give feedback.
Hey @ndouglas, we use ssh git urls so that we can use deploy keys to access the repository, and the deploy keys can be added to the repository with read only, because Lagoon doesn't need to push into the repo at all.
If your repository is public, then the https endpoint should work, as there isn't a reason to try and authenticate.
Lagoon doesn't support private repositories that only support HTTPs as the source to pull from, because there isn't currently a way to inject user credentials or api tokens to log in to whichever git provider you're using.
This isn't something that I think I've seen requested before either, but we could possibly build this functionality in.