kustomize
kustomize copied to clipboard
kubernetes-sigs
Server lacks SSH keys
Describe the bug The server that runs the CI pipeline when users open a PR doesn't have ssh keys. We currently skip all ssh tests in remoteload_test.go because the server returns an error. Once the server has ssh keys, the server should produce the expected output for those tests.
Files that can reproduce the issue
remoteload_test.go contains ssh tests for which skip: true. If you delete this line and run these tests on the server, you will observe errors caused by the lack of ssh keys instead of the expected behavior.
Expected output An example ssh test case is TestRemoteResourceSsh/scp_shorthand. The expected output is:
=== RUN TestRemoteResourceSsh/scp_shorthand
--- PASS: TestRemoteResourceSsh/scp_shorthand
Actual output For the same example test cases as above, the actual output due to the lack of ssh keys is:
=== RUN TestRemoteResourceSsh/scp_shorthand
remoteload_test.go:70:
Error Trace: remoteload_test.go:70
remoteload_test.go:159
Error: Received unexpected error:
exit status 128
git cmd = '/usr/local/bin/git fetch --depth=1 origin v1.0.6'
sigs.k8s.io/kustomize/api/internal/git.gitRunner.run.func1
/Users/runner/work/kustomize/kustomize/api/internal/git/gitrunner.go:51
sigs.k8s.io/kustomize/api/internal/utils.TimedCall.func1
/Users/runner/work/kustomize/kustomize/api/internal/utils/timedcall.go:16
runtime.goexit
/Users/runner/hostedtoolcache/go/1.18.1/x64/src/runtime/asm_amd64.s:1571
accumulation err='accumulating resources from '[email protected]:kubernetes-sigs/kustomize//examples/multibases/dev/?ref=v1.0.6': evalsymlink failure on '/private/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/kustomize-1472700803/[email protected]:kubernetes-sigs/kustomize/examples/multibases/dev/?ref=v1.0.6' : lstat /private/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/kustomize-1472700803/[email protected]:kubernetes-sigs: no such file or directory'
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateResources
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:419
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:189
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:182
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).makeCustomizedResMap
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:128
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).MakeCustomizedResMap
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:119
sigs.k8s.io/kustomize/api/krusty.(*Kustomizer).Run
/Users/runner/work/kustomize/kustomize/api/krusty/kustomizer.go:89
sigs.k8s.io/kustomize/api/krusty_test.testRemoteResource
/Users/runner/work/kustomize/kustomize/api/krusty/remoteload_test.go:62
sigs.k8s.io/kustomize/api/krusty_test.TestRemoteResourceSsh.func1
/Users/runner/work/kustomize/kustomize/api/krusty/remoteload_test.go:159
testing.tRunner
/Users/runner/hostedtoolcache/go/1.18.1/x64/src/testing/testing.go:1439
runtime.goexit
/Users/runner/hostedtoolcache/go/1.18.1/x64/src/runtime/asm_amd64.s:1571
accumulating resources
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).accumulateTarget
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:191
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).AccumulateTarget
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:182
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).makeCustomizedResMap
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:128
sigs.k8s.io/kustomize/api/internal/target.(*KustTarget).MakeCustomizedResMap
/Users/runner/work/kustomize/kustomize/api/internal/target/kusttarget.go:119
sigs.k8s.io/kustomize/api/krusty.(*Kustomizer).Run
/Users/runner/work/kustomize/kustomize/api/krusty/kustomizer.go:89
sigs.k8s.io/kustomize/api/krusty_test.testRemoteResource
/Users/runner/work/kustomize/kustomize/api/krusty/remoteload_test.go:62
sigs.k8s.io/kustomize/api/krusty_test.TestRemoteResourceSsh.func1
/Users/runner/work/kustomize/kustomize/api/krusty/remoteload_test.go:159
testing.tRunner
/Users/runner/hostedtoolcache/go/1.18.1/x64/src/testing/testing.go:1439
runtime.goexit
/Users/runner/hostedtoolcache/go/1.18.1/x64/src/runtime/asm_amd64.s:1571
Test: TestRemoteResourceSsh/scp_shorthand
--- FAIL: TestRemoteResourceSsh/scp_shorthand (0.26s)
Kustomize version Master branch, which is currently at commit 17b42a9.
Platform Linux and MacOS
/triage accepted
In the meantime, we should only skip the tests if we're on CI, since they should pass locally. It's not ideal, but we do run the tests locally as part of the release process, so we would still at least catch any issues at that stage.
Summarizing some offline conversation with @KnVerey
Only ssh keys belonging to valid github users can clone from github, even for public repos. Deploy Key provides an alternative if one only need read-only access to a specific GitHub repo.
The tests in remote_test.go access only 2 repos, https://github.com/kubernetes-sigs/kustomize and https://github.com/annasong20/kustomize-test.
It should be enough to do the following:
- create an SSH key that is then added as a deploy key to both repos. The ssh key should then be able to clone both repos.
- add the private key as a secret to kustomize’s repo [docs].
- add the secret to the ssh_key field in the actions/checkout config for the github action. This involves modifying the
checkoutaction to add anssh_keyfield https://github.com/kubernetes-sigs/kustomize/blob/master/.github/workflows/go.yml#L25-L28. Something like the below, assuming the secret was namedDEPLOY_KEY:
- name: Check out code into the Go module directory
uses: actions/checkout@v2
with:
ssh-key: ${{ secrets.DEPLOY_KEY }}
Based on the docs, this should configure the git CLI to use this ssh key automatically.
[1] The docs didn't mention if the same private key can be used as the deploy key for multiple repos. I didn't test it out but it seems ok in theory.
Thanks for the investigation! I think that plan makes sense. I've created a read-only deploy key and added it as a secret named DEPLOY_SSH_KEY.
@KnVerey we also discussed removing anna's repo from the tests since we only want to clone this repo. I took a look.
It’s being used as an example of a repo that has kustomization.yaml at the root of the repo, where the repospec would not have a path component. I don’t know how important that is, but this code path can’t be exercised on the kustomize repo for obvious reasons. If we want to keep those tests, i’d recommend cloning her repo into somewhere that the team has co-ownership of, maybe kustomize-sigs.
It’s being used as an example of a repo that has kustomization.yaml at the root of the repo, where the repospec would not have a path component. I don’t know how important that is, but this code path can’t be exercised on the kustomize repo for obvious reasons. If we want to keep those tests, i’d recommend cloning her repo into somewhere that the team has co-ownership of, maybe kustomize-sigs.
@mightyguava What's the name of the test? I'm wondering if it would be sufficient to have a unit test for repospec with an empty path, rather than need a full repo for whatever code that the test is covering.
There are a few of them, here's one https://github.com/kubernetes-sigs/kustomize/blob/416eed97c49aa8e9ea44d627c15dafd395b61739/api/krusty/remoteload_test.go#L132-L137. You can find the rest if you search annasong20 in that file.