
Manage Keys with Puppet for puppet-vcsrepo

I'm setting up some server configuration in my company and we have some internal repositories that run over ssh through bzr that I need to get. I wanted to use puppet-vcsrepo to pull these in and I saw that it has a way we can use a keyfile to get what we want. What is the best way to go about this?

I'm probably going to make a user account for each of us, but do I have to put my private key into puppet as a file and then transfer it over? How do I manage keys inside of puppet so I can check out repositories over ssh without using a username and password?

Here is a link to the information: https://github.com/puppetlabs/puppetlabs-vcsrepo/blob/master/README.BZR.markdown

It says to manage keys with puppet, but I couldn't exactly find what I need to know in order to manage the keys correctly.

Allen asked Aug 08 '12 05:08


1 Answer

Don't know much about BZR... will answer as if it was a git/github based question

  • If you are GitHub based, use deploy keys (read-only access, easily revokable) and not a developer key.
  • You can manage the keys by copying them into ~/.ssh and configuring ssh to use them?


file { '/user/home/.ssh/id_rsa-github-mycompany':
  ... # access rights ...
}

# require the key file declared above so it is in place before the checkout
vcsrepo { '/path/to/repo': ... require => File['/user/home/.ssh/id_rsa-github-mycompany'] }

You may also need to tweak the .ssh/config to use this identity file and modify the host name of the git repository


Host github-mycompany-project
  HostName github.com
  User git
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/id_rsa-github-mycompany
  IdentitiesOnly yes

Another option: use an exec and the git_ssh_wrapper gem instead of vcsrepo?

mestachs answered Oct 12 '22 23:10
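
The approach from the answer above written out as one manifest, as an added example that is not part of the original answer or of the puppetlabs-vcsrepo documentation. The class name, the `deploy` user and its home directory, the repository path, and delivering the key as a `Sensitive` parameter from encrypted data are assumptions; the host alias and key file name are the ones used in the answer.

```puppet
# Added example; values marked "assumed" are illustrative, not from the page.
class profile::repo_checkout (            # assumed class name
  Sensitive[String] $deploy_key,          # private half of a read-only deploy key,
                                          # supplied from encrypted data (assumed)
  String $user = 'deploy',                # assumed service account
  String $home = '/home/deploy',          # assumed home directory
) {
  file { "${home}/.ssh":
    ensure => directory,
    owner  => $user,
    mode   => '0700',
  }

  # ssh refuses private keys that other users can read, hence 0600.
  # show_diff => false keeps key material out of agent logs and reports.
  file { "${home}/.ssh/id_rsa-github-mycompany":
    ensure    => file,
    owner     => $user,
    mode      => '0600',
    content   => $deploy_key,
    show_diff => false,
  }

  # Host alias from the answer: only this key is offered for this alias.
  file { "${home}/.ssh/config":
    ensure  => file,
    owner   => $user,
    mode    => '0600',
    content => @("SSHCONFIG"),
      Host github-mycompany-project
        HostName github.com
        User git
        PreferredAuthentications publickey
        IdentityFile ${home}/.ssh/id_rsa-github-mycompany
        IdentitiesOnly yes
      | SSHCONFIG
  }

  # Clone as the unprivileged user, through the alias, once key and config exist.
  vcsrepo { '/path/to/repo':
    ensure   => present,
    provider => git,
    source   => 'git@github-mycompany-project:mycompany/project.git',  # assumed repo path
    user     => $user,
    require  => File["${home}/.ssh/id_rsa-github-mycompany", "${home}/.ssh/config"],
  }
}
```

The checkout runs non-interactively, so the host key for github.com has to be in that user's known_hosts already.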