Add an internal GitHub repository as a backup GitOps remote

Your clone of the GitOps repo is configured with an origin remote that points to https://github.com/arrikto/deployments. To access this remote, you have already configured your management environment with an SSH key provided by Arrikto.

In order to add a Git remote for backup purposes, that also resides in GitHub, you need first to instruct SSH to select the proper key for each remote. This guide will help you extend your Git/SSH configuration so that you can specify the SSH key to use for the internal GitHub repository.

Procedure

  1. Specify the name of your internal GitHub repository, for example:

    root@rok-tools:/# export GIT_INTERNAL_REPO=internal/deployments

  2. Copy the private SSH key:

    1. Open a terminal and run:

      root@rok-tools:/# cat > /root/.ssh/id_rsa_internal

      The above command will appear to hang while it is waiting for user input.

    2. Copy the text from your private SSH key, including the -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY----- lines.

    3. Paste the text into the terminal, including the -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY----- lines.

    4. Press ctrl-d to inform cat that there is no more input.

    5. Verify that cat has saved the key to /root/.ssh/id_rsa_internal:

      root@rok-tools:/# ls /root/.ssh/id_rsa_internal

  3. Set the correct permissions for the file:

    root@rok-tools:/# chmod 400 /root/.ssh/id_rsa_internal

  4. Generate the public SSH key based on your private key:

    root@rok-tools:/# ssh-keygen -yf ~/.ssh/id_rsa_internal > ~/.ssh/id_rsa_internal.pub

  5. Create an extra SSH configuration directory for user root, if it doesn’t exist:

    root@rok-tools:/# mkdir -p /root/.ssh/config.d

  6. Add an SSH configuration file that instructs SSH to use the internal key when it connects to internal.github.com:

    root@rok-tools:/# cat > /root/.ssh/config.d/internal <<EOF > Host internal.github.com > Hostname github.com > IdentitiesOnly yes > IdentityFile /root/.ssh/id_rsa_internal > EOF

    Note

    • Host is a dummy hostname that your Git remote will have, to force SSH use a specific key for it.
    • Hostname is the actual hostname that SSH will use for the connection.
    • IdentitiesOnly is a flag that makes SSH use only this specific key for this host.
    • IdentityFile is the location of the private SSH key.

  7. Create the main SSH configuration file for user root, if it doesn’t exist:

    root@rok-tools:/# touch /root/.ssh/config

  8. Extend /root/.ssh/config with a directive that includes additional configuration files under the /root/.ssh/config.d directory:

    root@rok-tools:/# grep -q '^Include config.d/*' /root/.ssh/config \ > || echo -en "\nInclude config.d/*" >> /root/.ssh/config

  9. Run keychain to start the SSH agent and use all your SSH identities:

    root@rok-tools:~# eval "$(keychain --eval id_rsa id_rsa_internal)" * keychain 2.8.2 ~ http://www.funtoo.org * Starting ssh-agent... * Adding 2 ssh key(s): /root/.ssh/id_rsa /root/.ssh/id_rsa_internal * ssh-add: Identities added: /root/.ssh/id_rsa /root/.ssh/id_rsa_internal

    Troubleshooting

    can’t find id_rsa

    If the above command shows the following warning message:

    Warning: can't find id_rsa; skipping

    it means that keychain could not find the file ~/.ssh/id_rsa, which normally contains your private SSH key.

    To proceed, follow the Configure Git guide to configure your private SSH key.

    Cannot find public key for id_rsa

    If the above command shows the following warning message:

    Warning: Cannot find public key for id_rsa

    it means that keychain clould not find the file ~/.ssh/id_rsa.pub, which normally contains your public SSH key.

    To proceed, generate the public SSH key based on your private key:

    root@rok-tools:~# ssh-keygen -yf /root/.ssh/id_rsa > /root/.ssh/id_rsa.pub

    Warning

    Whenever you run a guide that runs the keychain command, do not forget to add your internal key as well. Use the following command instead of the one displayed in the instructions:

    root@rok-tools:~# eval "$(keychain --eval id_rsa id_rsa_internal)"

  10. Verify that you can connect to github.com with the Arrikto deployment key:

    root@rok-tools:/# ssh -T -o BatchMode=yes git@github.com

    You should see the following message:

    Hi arrikto/deployments! You've successfully authenticated, but GitHub does not provide shell access.

  11. Verify that you can connect to internal.github.com with your internal SSH key:

    root@rok-tools:/# ssh -T -o BatchMode=yes git@internal.github.com

    You should see the same message as above, albeit with a different name than arrikto/deployments.

  12. Change your current directory to the one you cloned the GitOps repository to:

    root@rok-tools:/# cd ~/ops/deployments

  13. Create a Git remote named internal that points to the host you have added in the SSH configuration:

    root@rok-tools:~/ops/deployments# git remote add internal git@internal.github.com:${GIT_INTERNAL_REPO?}

    • If the above command fails with:

      fatal: remote internal already exists.

      then you already have a Git remote named internal. You can update the URL it points to:

      root@rok-tools:~/ops/deployments# git remote set-url internal git@internal.github.com:${GIT_INTERNAL_REPO?}

  14. Ensure you have read access to all of the remotes:

    root@rok-tools:~/ops/deployments# git fetch --all

Summary

You have successfully configured access to an internal GitHub repository in your management environment.

What’s Next

You can check out the rest of the maintenance operations that you can perform on your cluster.