I have a private git repository, which I can make a deploy SSH key authorized to read.
I see two SSH keys juju seems to talk about in the docs… one when you juju add-ssh-key ... and the key under your host's .local/share/juju/ssh/
I've tried to add both my LXD host's public key to the git repository's deploy key AND the juju .local... key
Neither seems to get a public key into any models or machines that I bring up… am I misunderstanding something?
$ juju ssh-keys
Keys used in model: admin/default
SOME_KEY_HERE (mymail@email.com)
From within a model:
ubuntu@juju-60307e-3:~$ ls -la .ssh/
total 6
drwx------ 2 ubuntu ubuntu 4 Jun 4 21:56 .
drwxr-xr-x 6 ubuntu ubuntu 12 Jun 4 22:05 ..
-rw------- 1 ubuntu ubuntu 1554 Jun 4 21:52 authorized_keys
-rw-r--r-- 1 ubuntu ubuntu 884 Jun 4 21:56 known_hosts
The public key is indeed added via add-ssh-key to the authorized_keys… but where would I add keys (or can I) for when performing juju charm installations, setups, etc…
I have a host public key, where my LXD host is… and where my juju charm is being developed. I have given that machine access (READ / WRITE) via SSH pub key in the Linux Ubuntu host… but I am unable to see where to inject that key so that the charm's INSTALL hook can leverage the public key, and git clone the private repository… is it there and I am just not aware? Isn't it supposed to copy keys into ~/.ssh/?
Edit:
When inside a unit, I check for the active public key and it is not activated… nor can I find it within the model
Seems there are some keys here, but I wonder if it is the one under .local/ in the lxd host, it seems the key changes slightly inside the model to have the model id on it… and this is causing authentication issues with github I think
What you want is to be able to deploy your charm, such that it gets the private-key for a known SSH credential, so that it can SSH to another machine and get access to git.
Things like “juju add-ssh-key” are all about adding a credential’s public key to the list of authorized keys. They aren’t about giving that machine/unit/model a private key to pretend to be you.
What you really want is a configuration item on a charm, which is a private key that it can use to connect to other machines. And then when you deploy the charm, you would supply that private key as part of "--config". e.g.:
(In YAML, ‘|’ lets you represent a multiline string as just an indented block).
Given the size and sensitivity of private keys, and the fact that they are generally file content, it would also make sense to make the private key an optional ‘resource’ that you provide.
This functionally acts similar to config, except they are expected to be file content rather than strings. (Inside the charm you call 'resource-get name', which will download the file from the Juju controller and print out the path on disk for the local copy of the file.)
Either way, it is some sort of configuration-of-the-charm, because you are dealing with private keys (since you are asking the application to pretend to be someone, not to allow someone you know to connect).
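The pattern described in this answer, as an added example that is not code from the original thread or from Juju itself: an install-hook helper that takes a private deploy key handed to the charm through config (or a resource), writes it to the unit with restrictive permissions, and builds the GIT_SSH_COMMAND a non-interactive `git clone` of a private repository needs. The option name `deploy-key`, the charm name `mycharm` and all function names are assumptions for this example; `config-get` and `resource-get` are the Juju hook tools the answer mentions. The demo at the bottom uses a constructed, non-functional key so it runs offline.

```python
"""Install-hook helper for a private deploy key supplied via charm config.

Deploy-time usage (names assumed for this example):
    juju deploy ./mycharm --config cfg.yaml
where cfg.yaml uses a YAML block scalar so the multi-line key survives:
    mycharm:
      deploy-key: |
        -----BEGIN OPENSSH PRIVATE KEY-----
        ...
        -----END OPENSSH PRIVATE KEY-----
"""
import os
import shlex
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path


def read_deploy_key(option: str = "deploy-key") -> str:
    """Fetch the key inside a hook: prefer a resource (file content), fall back to config."""
    if shutil.which("resource-get"):
        res = subprocess.run(["resource-get", option], capture_output=True, text=True)
        if res.returncode == 0 and res.stdout.strip():
            return Path(res.stdout.strip()).read_text()  # resource-get prints the local path
    cfg = subprocess.run(["config-get", option], capture_output=True, text=True, check=True)
    return cfg.stdout


def install_deploy_key(key_text: str, ssh_dir: Path) -> Path:
    """Write the private key to ssh_dir/deploy_key as 0700 dir / 0600 file.

    Refuses input that is not a PEM/OpenSSH private key so a mis-set config
    option (e.g. a public key pasted by mistake) fails loudly at install time.
    """
    key_text = key_text.strip() + "\n"
    if "PRIVATE KEY-----" not in key_text:
        raise ValueError("deploy-key does not look like a PEM/OpenSSH private key")
    ssh_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir mode is subject to umask; enforce explicitly
    key_path = ssh_dir / "deploy_key"
    # Create with 0600 from the start so the key is never momentarily readable by others.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_text)
    os.chmod(key_path, 0o600)  # tighten a pre-existing file with looser permissions
    return key_path


def key_permissions_ok(key_path: Path) -> bool:
    """True when the key file is 0600 and its directory is 0700 (what ssh insists on)."""
    file_mode = stat.S_IMODE(os.stat(key_path).st_mode)
    dir_mode = stat.S_IMODE(os.stat(key_path.parent).st_mode)
    return file_mode == 0o600 and dir_mode == 0o700


def git_ssh_command(key_path: Path, known_hosts: Path) -> str:
    """GIT_SSH_COMMAND value: use only this key and a pinned known_hosts file.

    IdentitiesOnly stops ssh from offering the unit's other keys; a pinned
    known_hosts with StrictHostKeyChecking=yes avoids trust-on-first-use.
    """
    return " ".join([
        "ssh",
        "-i", shlex.quote(str(key_path)),
        "-o", "IdentitiesOnly=yes",
        "-o", f"UserKnownHostsFile={shlex.quote(str(known_hosts))}",
        "-o", "StrictHostKeyChecking=yes",
    ])


def clone_private_repo(repo_url: str, dest: Path, key_path: Path, known_hosts: Path) -> None:
    """Clone with the deploy key; fails if the host key is not already pinned."""
    env = dict(os.environ, GIT_SSH_COMMAND=git_ssh_command(key_path, known_hosts))
    subprocess.run(["git", "clone", "--depth", "1", repo_url, str(dest)], check=True, env=env)


def demo() -> dict:
    """Stand-alone run against a constructed (non-functional) key in a temp dir."""
    ssh_dir = Path(tempfile.mkdtemp()) / ".ssh"
    fake_key = (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "constructed-placeholder-not-a-real-key\n"
        "-----END OPENSSH PRIVATE KEY-----"
    )
    key_path = install_deploy_key(fake_key, ssh_dir)
    try:
        install_deploy_key("ssh-ed25519 AAAA... not a private key", ssh_dir)
        garbage_rejected = False
    except ValueError:
        garbage_rejected = True
    return {
        "perms_ok": key_permissions_ok(key_path),
        "ssh_cmd": git_ssh_command(key_path, ssh_dir / "known_hosts"),
        "garbage_rejected": garbage_rejected,
        "key_intact": key_path.read_text().endswith("PRIVATE KEY-----\n"),
    }


if __name__ == "__main__":
    print(demo())
```

In a real hook the install step would be `key = read_deploy_key()` followed by `install_deploy_key(key, Path.home() / ".ssh")` and then `clone_private_repo(...)`; the known_hosts entry for the git host should itself come from config or be baked into the charm, not learned on first connection.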
I found a temporary workaround for now, but this is exactly what I was after… in the end I want to pip install straight off the git repositories… otherwise I go down the path of needing to run a private PyPI index or Artifactory in order for juju to be able to find the assets.
I think the private-key at deploy time is the right way for now, thank you!