Summary

This KB explains how to configure gitFS on the salt master to use SSH authentication instead of a username and password when using the pygit2 backend.

This guide assumes the pygit2 backend is installed and available on the Salt master. On RHEL/Oracle Linux this typically requires python3-pygit2 and libgit2.

1. Create an SSH public/private key pair on the salt master

If the server is a new build, it may not have an SSH identity set up for root yet.

mkdir -p /root/.ssh
ssh-keygen -t ed25519 -f /root/.ssh/gitfs_ed25519 -N ''
chmod 600 /root/.ssh/gitfs_ed25519
chmod 644 /root/.ssh/gitfs_ed25519.pub

2. Upload public key to your git repository

Navigate to the SSH section of the git repository you wish to add.
On github.com this is under: https://github.com/<User>/<reponame>/settings/keys/new

Provide a name for the key and paste the public key contents into the Key section:

cat /root/.ssh/gitfs_ed25519.pub

3. Add the git repository to the known_hosts on the salt master

We need to add the public key offered by the git server to the known_hosts file on the salt master. We can do this by running ssh-keyscan and appending its output to our known_hosts file.

ssh-keyscan github.com >> /root/.ssh/known_hosts
chmod 644 /root/.ssh/known_hosts
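
ssh-keyscan does not authenticate the server it queries, so the scanned key should be compared with the fingerprint your git provider publishes before it is appended. The following is an added example, not part of the original KB: it keeps only the ssh-keyscan lines whose SHA256 fingerprint is pinned. The host git.example.test, the sample keys and the function names are constructed for illustration.

```python
import base64
import hashlib
import struct


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, in the SHA256:... form ssh-keygen -l shows."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_lines(keyscan_output: str, host: str, pinned: set) -> list:
    """Keep only the lines for `host` whose key fingerprint is in `pinned`."""
    accepted = []
    for line in keyscan_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, comment or truncated line
        if host not in fields[0].split(","):
            continue  # different host (hashed -H entries are not handled here)
        try:
            fp = fingerprint(fields[2])
        except ValueError:
            continue  # key field is not valid base64
        if fp in pinned:
            accepted.append(" ".join(fields[:3]))
    return accepted


def sample_line(host: str, raw_key: bytes) -> str:
    """Build a constructed ssh-ed25519 known_hosts line (not a real host key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample data: git.example.test and both keys are made up.
HOST = "git.example.test"
SAMPLE_GOOD = sample_line(HOST, bytes(range(32)))
SAMPLE_SPOOFED = sample_line(HOST, bytes(32))
SAMPLE_SCAN = f"# constructed scan output\n{SAMPLE_SPOOFED}\n{SAMPLE_GOOD}\n"
# Assumption: in real use this set holds the fingerprints your git provider publishes.
PINNED = {fingerprint(SAMPLE_GOOD.split()[2])}

if __name__ == "__main__":
    for entry in verified_lines(SAMPLE_SCAN, HOST, PINNED):
        print(entry)  # append these, and only these, to /root/.ssh/known_hosts
```

An empty result means no scanned key matched a pinned fingerprint, in which case nothing should be written to known_hosts.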

4. Update/Create a new gitfs_remotes configuration file

On the salt master we add a new configuration file under /etc/salt/master.d that tells salt to load this git repository and make it available.

gitfs_provider: pygit2
gitfs_pubkey: /root/.ssh/gitfs_ed25519.pub
gitfs_privkey: /root/.ssh/gitfs_ed25519


gitfs_remotes:
  - git@github.com:<Username>/your-repo-name.git:
    - base: main
    - mountpoint: examples

If you are updating an existing entry, remove any user, password or insecure_auth lines from it.

Restart the salt master

systemctl restart salt-master

Wait a minute or two for salt to sync the repository, then verify it is available by running:

[root@saltmaster]# salt-run fileserver.file_list backend=gitfs
- examples/README.md
- examples/statefiles/linux/fileserver/init.sls
- examples/statefiles/windows/install_zip.sls

You should see the repository's files listed under examples, which is the mount point we set above in our gitfs_remotes config file (Line 9).

When you make changes to the git repo you must run salt-run fileserver.update on the salt master to pull down the changes.