ansible git clone without rights on the remote

Question

Working to clone a git repository that requires credentials because it is private (to complicate it more, it has a submodule that is also private, but this is a secondary question). I would like to clone in the remote but not giving it the rights to write in the repo. So, maybe wrong, I discarded to use ssh key but https with login/passwd.

- name: "git clone"
  git:
    repo: https://{{ username | urlencode }}:{{ password | urlencode }}@gitlab.com/(...)/repo.git
    dest: {{ sources_dir }}/repo.git
    update: yes

This seems to work, but when I check the remote I see the credentials leaked there.

$ cd repo.git
$ git remote -v
origin https://<username>:<password>@gitlab.com/(...)/repo.git

The alternative I'm working with, expect doesn't seem to catch the responses.

- name: "git clone"
  expect:
    chdir: {{ sources_dir }}
    command: git clone repo: https://gitlab.com/(...)/repo.git repo.git
    responses:
      (?i)username: {{ username | urlencode }}
      (?i)password: {{ password | urlencode }}

The output seems to be something like:

Cloning into 'repo.git'...
Username for 'https://gitlab.com': Password for 'https://<username>@gitlab.com': 
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://gitlab.com/(...)/repo.git/

Checked that the password (stored in a ansible-vault) is correct, from this answer seems that the username is catch (because it is printed in the stdout) but the auth fails anyway.

The general question is how this clone can be made without transferring rights to the place of the clone over the repo? And also understand how this regex in the responses would work. Also some information about ansible with git submodules could be nice, but I'll try further investigation from my side.

Thanks

You will be much happier using one of the [git credential helpers](https://git-scm.com/docs/gitcredentials#_custom_helpers); if you're comfortable writing the credentials to disk and then deleting them, using [`.netrc`](https://manpages.ubuntu.com/manpages/jammy/en/man3/libcurl-tutorial.3.html#passwords) is also a solution — mdaniel, Apr 09 '22 at 17:25
In Gitlab (in Github too, this said) you have what is called a "Deploy Key". You should be able to see this in the repository settings. This is what is usually used in those type of cases. On top of that deploy key are, per default, read only (you usually have an option to make them read/write). — β.εηοιτ.βε, Apr 09 '22 at 17:37

score 1 · Answer 1 · answered Apr 10 '22 at 13:34

Following the comment from β.εηοιτ.βε I found how to make this git statement work in ansible.

First this has been to create an specific ssh key to be used as a deployment key:

ssh-keygen -t ed25519 -C "ansible deploy key for gitlab"

With password and the password stored in the ansible-vault (as gitlab_deploy_key_passwd). The file is saved in the path of the roles in ansible.

In the gitlab project, one has to go the "Settings > Repository > Deploy Keys" and place the content of the "gitlab_deploy_key_ed25519.pub".

In ansible, it is necessary to have a set of tasks to copy the private key (password protecte) in the remote as well as configure ssh to use it when talk with gitlab.

- name: "gitlab deploy key"
  block:
  - name: ".ssh directory with the best rights"
    file:
      path: /home/{{ ansible_user_id }}/.ssh
      state: directory
      mode: "u=rwx,g=,o="
      owner: "{{ ansible_user_id }}"
      group: "{{ ansible_user_id }}"
  - name: "gitlab deploy key copy"
    copy:
      src: "../files/gitlab_deploy_key_ed25519"
      dest: "/home/{{ ansible_user_id }}/.ssh"
      mode: "u=rwx,g=,o="
      owner: "{{ ansible_user_id }}"
      group: "{{ ansible_user_id }}"
  - name: "gitlab deploy key config"
    blockinfile:
      path: "/home/{{ ansible_user_id }}/.ssh/config"
      block: |
        Host gitlab.com
                User git
                Hostname gitlab.com
                IdentityFile /home/{{ ansible_user_id }}/.ssh/gitlab_deploy_key_ed25519

With this a "git clone" task can be setup:

- name: "git clone"
  expect:
    chdir: "{{ sources_dir }}"
    command: "git clone git@gitlab.com:(...)/repo.git repo.git"
    responses:
      passphrase: "{{ gitlab_deploy_key_passwd }}"

So then, the repo is present in the remote without storing any private information there (or at least store it somehow protected). It is read-only and even this read requires a password that is as save as the ansible-vault. (I haven't understand why in this case the expect worked with the passphrase but didn't with the username/password).

This clones the repo without initializing the submodules, but from here the git commands in further ansible tasks will have access to the necessary things to do that.

score 0 · Answer 2 · answered Apr 10 '22 at 00:43

To add to the comment, you have here an example using a credential helper:

    - name: Configure Git credential storage
      command: "git config --global credential.helper store"
    - name: Populate the Git credential store
      template:
        src: files/git_credentials.j2
        dest: /home/appuser/.git-credentials
        owner: appuser
        group: appuser
        mode: u=rw,g=,o=
      no_log: true

With template;

https://{{ gitlab_username|urlencode }}:{{ gitlab_password|urlencode }}@gitlab.example.org

You can also use the git_config_module to set the credential helper (instead of command)

ansible git clone without rights on the remote

2 Answers2