Associate SSH Private Key With Git Repository
The following guide goes over how to create an SSH key that can be used with your Git repository, store that secret in torero's secret store, and then ultimately associate that SSH key with a torero repository so that it can be used during service execution when a repository is cloned.
This is necessary if your repository uses SSH-based authentication to perform a Git clone. Note that torero supports SSH authentication but does not support any HTTP authentication for the Git clones that are performed during service execution.
This guide assumes that you already have your secret store set up with an encryption key. If you do not yet have torero's secret store configured, see the general secrets documentation.
Generate Git SSH Key
Use ssh-keygen to generate a key specifically for use with torero.
>_ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/jared/.ssh/id_ed25519): ./torero-git-key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./torero-git-key
Your public key has been saved in ./torero-git-key.pub
The key fingerprint is:
SHA256:CqPZH763k3ktyGB5JcGH1j97CQzr2bg3h6I0Vm4j4+Q [email protected]
The key's randomart image is:
+--[ED25519 256]--+
| . o |
| = + |
| . o = |
| . o = |
| o .S+.+ + . |
| + o+..o+ o o |
| o ..o+B++o o |
| o BB==.= . |
| +oE= + o |
+----[SHA256]-----+
In the output you can see that the private and public SSH keys were generated in our current directory.
>_ ls | grep git-key
torero-git-key
torero-git-key.pub
The contents of torero-git-key.pub will need to be placed in your preferred Git service as a new Authentication key.
We will be using GitLab in our demonstration. Navigate to the GitLab SSH Settings to see all your keys listed.
Click Add new key and paste in the contents of your SSH public key.
Adding Private Key To Secret Store
Now that our public key is in GitLab, we need to add our private key to torero's secret store. This is as simple as running the following command, where the value is the path to the private key:
>_ torero create secret git-key --value "@/path/to/new/ssh/key/for/torero/torero-git-key"
Successfully created secret
Name: git-key
In the command above we used the @ symbol to state that the value is a file, followed by the full path to the private key, which in our case was the torero-git-key file created by our ssh-keygen command.
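Before importing, it is worth confirming that the path given after @ is the private key rather than the .pub file, and that the file is readable only by its owner. The following shell check is an added example, not part of torero or the original guide; the function names are hypothetical, and the fingerprint line is printed only if ssh-keygen is installed.

```shell
#!/bin/sh
# Added example: pre-flight check for the key file that will be passed to
#   torero create secret git-key --value "@/path/to/.../torero-git-key"
# Function names are hypothetical; they are not torero commands.

# True if the first line is a PEM-style private key header, e.g.
# "-----BEGIN OPENSSH PRIVATE KEY-----" as written by ssh-keygen.
is_private_key() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# True if group and other have no permission bits on the file
# (characters 5-10 of the `ls -l` mode string are all "-").
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs the checks in order. Return codes: 0 ok, 1 missing file,
# 2 not a private key, 3 permissions too open.
preflight_key() {
    key=$1
    [ -f "$key" ] || { echo "not a regular file: $key" >&2; return 1; }
    is_private_key "$key" || {
        echo "not a private key (is this the .pub file?): $key" >&2
        return 2
    }
    is_owner_only "$key" || {
        echo "group/other can access $key; run: chmod 600 $key" >&2
        return 3
    }
    # Print the fingerprint so it can be compared with the one listed in
    # the Git service. Non-fatal if ssh-keygen is unavailable.
    ssh-keygen -lf "$key" 2>/dev/null || true
    return 0
}

# Usage: preflight_key ./torero-git-key && torero create secret git-key \
#            --value "@/path/to/new/ssh/key/for/torero/torero-git-key"
```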
For demonstration purposes, we can now view the contents of the SSH key in torero's secret store.
>_ torero describe secret git-key
To securely output the decrypted data, the secret is saved in a temporary location and displayed in the default editor set by your $EDITOR environment variable. To set a different $EDITOR, see the example syntax below.
export EDITOR=nano
If an editor is not set, torero will default to vim.
Once you close your editor, the file that was used to display your secret's contents is deleted.
Referencing An SSH Key On Repo Creation
When creating a repository you can pass in the SSH key's name in the secret store via the --private-key-name flag.
>_ torero create repository some-private-repo --url [email protected]:example/automations/example-automations.git --private-key-name git-key
Successfully created the repository
Name: some-private-repo
Description:
Url: [email protected]:example/automations/example-automations.git
Reference:
Tags:
Private Key Name: git-key
Now, when you create a service, make sure to reference the repository resource that you just created and observe that torero will be able to authenticate with your Git server.