Gitea

This will guide the user through setting up a cluster-wide repository with public keys for facilitating bare-metal deployments.

Steps

This guide consists of the following steps:

  • Create a gitea user

  • Create a repo called ssh-public-keys

  • Add credentials to local repo

  • Push repo to Gitea

Setup Gitea

This segment will setup the gitea service for use.

  1. Create a Gitea user.

    sudo -u gitea -i gitea -c /etc/gitea/gitea.ini admin user create --username `whoami` --random-password --email `whoami`@`hostname`.local --admin

    The output will include the generated password, take note of the printed password:

    The password will only print this one time. If this password is forgotten, it can be changed via the gitea command. 
    generated random password is 'gFoExCuDNPua'
New user 'root' has been successfully created!

  2. Create an access token.

    Save this token somewhere safe, it will only be printed this one time. 
    token="$(sudo -u gitea -i gitea -c /etc/gitea/gitea.ini admin user generate-access-token --scopes all --username `whoami` --raw)"

  3. Create the SSH public key repository.

    curl \
   -sf \
   -X POST "http://bootserver/git/api/v1/user/repos" \
   -H "accept: application/json" \
   -H "Authorization: token $token" \
   -H "Content-Type: application/json" \
   -d '{"name": "ssh-public-keys", "private": false}"' \
   -o /dev/null \
   -w "%{http_code}"

    The output should print the following HTTP code:

    201

  4. Add the management VM’s SSH key(s) to the Git user’s account.

    for key in /`whoami`/.ssh/*.pub; do
    echo -n "$key "
    curl \
        -sf \
        -X POST \
        "http://bootserver/git/api/v1/admin/users/`whoami`/keys" \
        -H "accept: application/json" \
        -H "Authorization: token $token" \
        -H "Content-Type: application/json" \
        -d '{"key": "'"$(cat "$key")"'", "read_only": true, "title": "default"}' \
        -o /dev/null \
        -w "%{http_code}"
done

    The output should print 201 for each key added. If the command is ran a second time to add more keys, existing keys will print 422.

  5. Configure the root Git user.

    email="$(curl -sf -X GET "http://bootserver/git/api/v1/users/`whoami`" -H "accept: application/json" -H "Authorization: token $token" | jq -r .email)"
git config --global user.email "$email"

Adding deployment keys

This segment will add all generated deployment keys from the management-vm to the repository.

Access to all bare-metal deployed nodes is intentionally only setup for the management VM. Broadening this access for other servers is strictly left to the discretion of the user.

  1. Clone the SSH public key repository.

    ssh_url="$(curl -f -s -f -X GET "http://bootserver/git/api/v1/repos/`whoami`/ssh-public-keys" -H "accept: application/json" -H "Authorization: token $token" | jq -r .ssh_url)"
ssh-keyscan -p 2222 bootserver >> /root/.ssh/known_hosts
git clone "$ssh_url"
cd ssh-public-keys

  2. Create the SSH public-key payload.

    touch ssh-public-keys.json
for key in /`whoami`/.ssh/*.pub; do
    yq -i eval -o json '.ssh_authorized_keys += ["'"$(cat "$key")"'"]' ssh-public-keys.json
done

  3. Commit and push the JSON file.

    git add ssh-public-keys.json
git commit -m "Initial keys."
git push

The SSH Key repository is now ready for deploying hypervisors and other bare-metal images.

The graphical user interface may be accessed via the eth3 IP address at the /git sub-path: http://my-systems-dns-name/git (e.g. the same IP and/or hostname used to access the management-VM through SSH).