
Figure out how to deploy /var/51-wwwroot credentials automatically
Open, High, Public

Description

To clone Git repositories, we need a key, but when provisioning a new server, if we generate a new key, it won't be available on Git repository hosting services like GitHub.

So, currently, deployment fails like this:

----------
          ID: /var/51-wwwroot/api
    Function: git.latest
        Name: ssh://vcs@devcentral.nasqueron.org:5022/source/api.git
      Result: False
     Comment: Failed to check remote refs: Host key verification failed.
              fatal: Could not read from remote repository.

              Please make sure you have the correct access rights
              and the repository exists.
     Started: 13:25:53.395911
    Duration: 113.33 ms
     Changes:

Perhaps a master key would be more pertinent; if so, that's a candidate for Vault.

Event Timeline

dereckson triaged this task as High priority. Dec 16 2019, 14:08
dereckson created this task.
dereckson updated the task description.

Perhaps a master key would be more pertinent; if so, that's a candidate for Vault.

We've a deploy key in salt master, let's use it.

But what if a server doesn't have the saltmaster role? T1569 will take care of that.

D2151 works well, but there are two issues:

  • a conflict between devserver and saas-mediawiki roles -> /var/51-wwwroot/saas-mediawiki Comment: Group mediawiki is not available
  • /var/51-wwwroot/tools/includes/mediawikibot.php: File not found, but that exhibits a symlink issue (filed as T1575)

It seems it's also possible to store the deploy key on the master, as long as it's fine to copy it to the server:

salt/states/git.py
for ident_path in identity:
    if 'salt://' in ident_path:

That means this key should match read-only access.
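
The approach discussed in this task, sketched as a Salt state (an added example, not part of the original thread and not code from the Nasqueron repository): the deploy key is served from the master through a salt:// path, and the Git server's host key is pinned first, so that git.latest does not stop at "Host key verification failed". The state ID devcentral_host_key, the salt:// path and the fingerprint value are placeholders to be replaced.

```yaml
# Added example. Placeholders (assumptions): the fingerprint value and the
# salt:// path of the deploy key. The repository URL, port and target path
# are the ones shown in the failing state output above.

# Pin the Git server's SSH host key before any clone is attempted.
# The fingerprint must be obtained and verified out of band, not learned
# from the first connection.
devcentral_host_key:
  ssh_known_hosts.present:
    - name: devcentral.nasqueron.org
    - port: 5022
    - config: /etc/ssh/ssh_known_hosts
    - fingerprint: "REPLACE_WITH_VERIFIED_SHA256_FINGERPRINT"
    - fingerprint_hash_type: sha256

/var/51-wwwroot/api:
  git.latest:
    - name: ssh://vcs@devcentral.nasqueron.org:5022/source/api.git
    - target: /var/51-wwwroot/api
    # The identity file is fetched from the master and copied to the minion,
    # so every provisioned server ends up holding this private key.
    # Register it on the Git hosting side as a read-only deploy key.
    - identity: salt://PLACEHOLDER/path/to/read_only_deploy_key
    - require:
      - ssh_known_hosts: devcentral_host_key
```

Because the private key lands on each minion that applies the state, the Git hosting side is where the read-only restriction has to be enforced.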