VCS connection (via GitHub App) SSH over HTTPS

Hi.

I installed Waypoint on an EKS cluster running behind a corporate proxy. I am trying to connect to VCS from the UI, but the GitHub organization is rejecting HTTPS connections, so I need to connect via SSH. However, the corporate proxy blocks port 22.

So, I found SSH over HTTP support in the GitHub documentation.

I specified org-<id>@ssh.github.com:<org-name>/<repo-name>.git as the source URL, but Waypoint’s Job logs show an attempt to access on port 22 :(

Has anyone already tried this configuration?

I’m starting to understand a little more now, but a new mystery has arisen. A profile with PROXY settings is placed for the ODR generated from the Static runner:

waypoint runner profile set \
    -name=odr-profile \
    -plugin-type=kubernetes \
    -oci-url=docker.io/hashicorp/waypoint-odr:0.11.0 \
    -default \
    -env-var=WAYPOINT_SERVER_ADDR=waypoint-server:9701 \
    -env-var=HTTP_PROXY=http://proxy.address:port \
    -env-var=http_proxy=http://proxy.address:port \
    -env-var=HTTPS_PROXY=http://proxy.address:port \
    -env-var=https_proxy=http://proxy.address:port \
    -env-var=NO_PROXY=10.0.0.0/8,172.20.0.0/8,cluster.local.,.cluster.local,.svc,localhost,127.0.0.1,169.254.169.254,.waypoint,waypoint-ui,waypoint-server \
    -env-var=no_proxy=10.0.0.0/8,172.20.0.0/8,cluster.local.,.cluster.local,.svc,localhost,127.0.0.1,169.254.169.254,.waypoint,waypoint-ui,waypoint-server \
    -plugin-config=runner-profile.json

I set up a Private Key for the GitHub App and entered the following in the Source URL:
ssh://org-<orgid>@ssh.github.com:443/orgname/reponame.git

From stdout of the odr, I could see that it is trying to access the site via HTTPS, but when I check the Proxy server log, nothing is recorded. The server could not be reached. Does ODR not respect PROXY environment variables?

» Runner logs:
2023-02-25T18:09:33.381Z [DEBUG] waypoint.runner.agent.runner: job finished: job_id=01GT4W4352B24EF3SM9PF9WGPM job_op="*gen.Job_Init"
  error=
  | rpc error: code = Aborted desc = Git clone failed: dial tcp 20.27.177.118:443: connect: connection timed out
  | 
  | Output: 
  
2023-02-25T18:09:33.381Z [WARN]  waypoint.runner.agent.runner: error during job execution: job_id=01GT4W4352B24EF3SM9PF9WGPM job_op="*gen.Job_Init"
  err=
  | rpc error: code = Aborted desc = Git clone failed: dial tcp 20.27.177.118:443: connect: connection timed out
  | 
  | Output: 
  
2023-02-25T18:09:33.386Z [DEBUG] waypoint.runner.agent: handled our one job in ODR mode, exiting
2023-02-25T18:09:33.386Z [INFO]  waypoint.runner.agent: quit request received, gracefully stopping runner
2023-02-25T18:09:33.386Z [WARN]  waypoint.runner.agent.runner.config.watcher: exiting due to context ended

@k21205 - One thing I would check is whether, when an on-demand runner is spawned, those environment variables you’ve set for your runner profile are actually set on the runner. You might need to update your Kubernetes cluster to not clean up short-lived tasks (which is what ODR spawns as in k8s), but if you can get access to the ODR pod, are those environment variables set?

@briancain Hi, Thanks for reaching out!
This is part of the Describe of the short-lived ODR Pod that is actually generated:

Name:             waypoint-task-01gtg54fg4m5qb3gjfmzq1sca9-nbjct
Namespace:        waypoint
Priority:         0
Controlled By:  Job/waypoint-task-01gtg54fg4m5qb3gjfmzq1sca9
Containers:
  waypoint-task-01gtg54fg4m5qb3gjfmzq1sca9:
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Thu, 02 Mar 2023 12:16:30 +0900
      Finished:     Thu, 02 Mar 2023 12:16:31 +0900
    Environment:
      WAYPOINT_SERVER_TLS:              true
      WAYPOINT_SERVER_ADDR:             waypoint-server:9701
      HTTPS_PROXY:                      http://proxy.address:port
      HTTP_PROXY:                       http://proxy.address:port
      NO_PROXY:                         10.0.0.0/8,172.20.0.0/8,cluster.local.,.cluster.local,.svc,localhost,127.0.0.1,169.254.169.254,.internal,.waypoint,waypoint-ui,waypoint-server
      WAYPOINT_SERVER_TOKEN:            <token>
      WAYPOINT_RUNNER_ID:               <runner-id>
      container:                        docker
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-fpt2b (ro)

This confirms that the environment variables are properly assigned. I noticed that SSH over HTTPS is still only the SSH protocol, even if the port is 443. Therefore, these Proxy settings are ignored…

So I tried to access the repository on an HTTPS basis using the GitHub App installation ID:
https://x-access-token:ghs_<token>@github.com/<orgname>/<reponame>.git

It is interesting to note that while accessing this URL locally successfully retrieves refs, Waypoint ODR returns the following log from go-git:

error=
  | rpc error: code = Aborted desc = Git clone failed: Get "https://x-access-token:***@github.com/<orgname>/<reponame>.git/info/refs?service=git-upload-pack": Forbidden
  | 
  | Output:
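
Added example (not part of the thread, and not Waypoint or go-git code): a small Go model of the three source URL forms tried above, showing which host:port each one dials and whether the HTTP_PROXY/HTTPS_PROXY variables apply. It reproduces the two observations in the thread: the scp-like form always means port 22, and the ssh:// form on port 443 is a direct TCP dial that never appears in the proxy log. `Target` and `Egress` are hypothetical names, the URLs and proxy address are constructed, and NO_PROXY and SOCKS (ALL_PROXY) handling are left out.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Target returns the host:port a Git remote resolves to and whether
// HTTP_PROXY/HTTPS_PROXY apply to it. Hypothetical helper, not a Waypoint API.
func Target(src string) (addr string, proxyEnv bool, err error) {
	if !strings.Contains(src, "://") {
		// scp-like user@host:path: text after ':' is a path, never a port.
		rest := src[strings.Index(src, "@")+1:]
		host, _, ok := strings.Cut(rest, ":")
		if !ok || host == "" {
			return "", false, fmt.Errorf("not a Git remote: %q", src)
		}
		return host + ":22", false, nil
	}
	u, err := url.Parse(src)
	if err != nil {
		return "", false, err
	}
	port := map[string]string{"ssh": "22", "http": "80", "https": "443"}[u.Scheme]
	if port == "" {
		return "", false, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Port() != "" {
		port = u.Port()
	}
	// Only http(s) remotes go through an HTTP client that reads the proxy env.
	return u.Hostname() + ":" + port, u.Scheme != "ssh", nil
}

// Egress names the network path to look for in firewall or proxy logs.
func Egress(src, proxy string) string {
	addr, proxyEnv, err := Target(src)
	switch {
	case err != nil:
		return "error: " + err.Error()
	case proxyEnv && proxy != "":
		return "via proxy " + proxy + " to " + addr
	}
	return "direct TCP to " + addr
}

func main() {
	src := "ssh://org-123@ssh.github.com:443/example-org/example-repo.git" // constructed
	fmt.Println(Egress(src, "http://proxy.example:3128"))
}
```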