# Configure SSH Key

## Objectives
- Generate an organization-level SSH keypair.
- Securely store the keypair in Vault for added protection.
## Key Results

- An SSH keypair with read/write access is generated.
- The public key is stored in the SCM (GitHub).
- SSH key is securely stored in Vault and can be accessed only by authorized entities, enhancing security.
## Prerequisites

- The Infra GitOps repository is configured.
- A user that has access to all the repositories in your SCM organization/group.

## Tutorial

### Creating SSH KeyPair
1. Generate an SSH keypair. You can follow the official GitHub documentation for this.

   Note: Save the keypair cautiously; you'll need to add it to both Vault and GitHub.

2. Once you've generated the keypair, go to your GitHub account `settings` from the top-right corner of your profile.
3. Navigate to `SSH and GPG Keys`.
4. Click `Add New Key` in the SSH Key section.
5. Now add the public key of the keypair you generated earlier.
### Adding Private Key to Vault
Now that we have added the public key to GitHub, let's add the private key to Vault.
1. Access Vault from the Forecastle console: search for `Vault` and open the `Vault` tile.
2. From the drop-down menu under `Method`, select `OIDC` and click on `Sign in with OIDC Provider`.
3. You will be brought to the Vault console. You should see the `common-shared-secrets` folder.
4. Click on `common-shared-secrets`.
5. You will now be brought to the `secrets` and the `configurations`. Click on `create secret`.
6. Let's create a `git-ssh-creds` secret to hold the SSH private key. Write the name of the secret in `path`, which is `git-ssh-creds`. Add `secret data`:
   - key: `id_rsa`, value: (the SSH private key). Hit save.
### Adding External Secret

Since we want the `git-ssh-creds` secret to be deployed in all of the tenant namespaces, we will use a multi-tenant-operator template to deploy it.
1. Open up the `infra-gitops-config` repository that we have already bootstrapped.
2. Open the `tenant-operator-config` folder and create a `templates` folder inside it.
3. Now create a file named `git-ssh-creds-template.yaml` and add the following content:

```yaml
apiVersion: tenantoperator.stakater.com/v1alpha1
kind: Template
metadata:
  name: git-ssh-creds
resources:
  manifests:
    - apiVersion: external-secrets.io/v1beta1
      kind: ExternalSecret
      metadata:
        name: git-ssh-creds
      spec:
        secretStoreRef:
          name: tenant-vault-secret-store
          kind: SecretStore
        refreshInterval: "1m0s"
        target:
          name: git-ssh-creds
          creationPolicy: 'Owner'
          template:
            data:
              id_rsa: "{{ .id_rsa }}"
        data:
          - secretKey: id_rsa
            remoteRef:
              key: git-ssh-creds
              # must match the key name stored in the Vault secret (id_rsa above)
              property: id_rsa
```
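The Vault secret and the ExternalSecret above have to agree on names: the `remoteRef.property` must be a key that actually exists at the Vault path, and every `{{ .x }}` in the target template must be a declared `secretKey`, otherwise the rendered Kubernetes Secret silently ends up empty and Git clones fail with an authentication error. The following is an added example, not part of this tutorial or of Stakater's code: it shows the KV v2 write that the "create secret" step performs and a pre-commit consistency check for the template. The mount name `common-shared-secrets`, the snapshot of Vault contents and the placeholder key material are constructed assumptions.

```python
"""Added example: sanity-check the git-ssh-creds ExternalSecret against Vault.

Not part of the original tutorial. The Vault mount name and the secret
snapshot below are constructed for illustration.
"""
import re
from typing import Dict, List

# Matches Go-template references such as {{ .id_rsa }} in target.template.data
GO_TEMPLATE_REF = re.compile(r"\{\{\s*\.([A-Za-z0-9_]+)\s*\}\}")


def kv2_write_request(mount: str, path: str, data: Dict[str, str]) -> dict:
    """Shape of the Vault KV v2 HTTP write behind the UI's "create secret" step.

    KV v2 inserts a literal ``data`` segment in the URL and wraps the
    key/value pairs in a top-level ``data`` object.
    """
    return {
        "method": "POST",
        "url": f"/v1/{mount}/data/{path}",
        "body": {"data": dict(data)},
    }


def check_external_secret(manifest: dict,
                          vault_secrets: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems found in one ExternalSecret manifest.

    ``vault_secrets`` maps a KV path (the remoteRef.key) to the key names
    stored at that path, i.e. a snapshot of what ``vault kv get`` would show.
    """
    problems: List[str] = []
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    # 1. Every remoteRef must point at a path and property that exist in Vault.
    secret_keys = set()
    for entry in spec.get("data", []):
        ref = entry.get("remoteRef", {})
        secret_keys.add(entry.get("secretKey"))
        stored = vault_secrets.get(ref.get("key"))
        if stored is None:
            problems.append(f"{name}: Vault path {ref.get('key')!r} does not exist")
        elif ref.get("property") not in stored:
            problems.append(
                f"{name}: property {ref.get('property')!r} not found in Vault secret "
                f"{ref.get('key')!r} (available keys: {sorted(stored)})"
            )

    # 2. Every {{ .x }} in the target template must be a declared secretKey.
    template_data = spec.get("target", {}).get("template", {}).get("data", {})
    for k8s_key, tmpl in template_data.items():
        for ref_name in GO_TEMPLATE_REF.findall(str(tmpl)):
            if ref_name not in secret_keys:
                problems.append(
                    f"{name}: template key {k8s_key!r} references undeclared secretKey {ref_name!r}"
                )
    return problems


# Constructed snapshot of what the tutorial stores in Vault: one secret at
# path git-ssh-creds holding a single key, id_rsa (placeholder value).
VAULT_SNAPSHOT = {"git-ssh-creds": {"id_rsa": "<PLACEHOLDER PRIVATE KEY>"}}


def external_secret(property_name: str) -> dict:
    """The ExternalSecret from the tutorial's Template, as a dict, with the
    remoteRef property parameterised so a mismatch can be demonstrated."""
    return {
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "ExternalSecret",
        "metadata": {"name": "git-ssh-creds"},
        "spec": {
            "secretStoreRef": {"name": "tenant-vault-secret-store", "kind": "SecretStore"},
            "refreshInterval": "1m0s",
            "target": {
                "name": "git-ssh-creds",
                "creationPolicy": "Owner",
                "template": {"data": {"id_rsa": "{{ .id_rsa }}"}},
            },
            "data": [{
                "secretKey": "id_rsa",
                "remoteRef": {"key": "git-ssh-creds", "property": property_name},
            }],
        },
    }


if __name__ == "__main__":
    print(kv2_write_request("common-shared-secrets", "git-ssh-creds", {"id_rsa": "<redacted>"}))
    print("consistent:", check_external_secret(external_secret("id_rsa"), VAULT_SNAPSHOT))
    print("mismatched:", check_external_secret(external_secret("api_private_key"), VAULT_SNAPSHOT))
```

Running the check with a `remoteRef.property` that differs from the key saved in Vault reports the mismatch; with `id_rsa` on both sides it reports nothing, which is the state the template above must be in before it is committed to `infra-gitops-config`.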
4. Create another file named `git-ssh-creds-tgi.yaml` and add the following content: