Managing Git repositories and SSH keys
There are two deployment flavors in tsuru: using git push and tsuru app-deploy. The former is optional, while the latter will always be available. This document focuses on the usage of the Git deployment flavor.
In order to allow tsuru users to use git push for deployments, tsuru administrators need to install and configure Gandalf.
Gandalf will store and manage all Git repositories and SSH keys, as well as users. When tsuru is configured to use Gandalf, it will interact with the Gandalf API in the following actions:
- When creating a new user in tsuru, a corresponding user will be created in Gandalf;
- When removing a user from tsuru, the corresponding user will be removed from Gandalf;
- When creating an app in tsuru, a new repository for the app will be created in Gandalf. All users in the team that owns the app will be authorized to access this repository;
- When removing an app, the corresponding repository will be removed from Gandalf;
- When adding a user to a team in tsuru, the corresponding user in Gandalf will gain access to all repositories matching the applications that the team has access to;
- When removing a user from a team in tsuru, the corresponding user in Gandalf will lose access to the repositories that they have access to because of the team they are leaving;
- When adding a team to an application in tsuru, all users from the team will gain access to the repository matching the app;
- When removing a team from an application in tsuru, all users from the team will lose access to the repository, unless they’re in another team that also has access to the application.
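The last rule has an edge case worth checking when auditing repository access: a user who belongs to two teams must keep access when only one of them is removed from the app. The following is an added example, not code from tsuru or Gandalf; Model, HasAccess, RemoveTeam and the team, user and app names are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Model is constructed sample state, not tsuru's or Gandalf's real data model.
type Model struct {
	TeamUsers map[string][]string // team -> member users
	AppTeams  map[string][]string // app -> teams with access to the app
}

// HasAccess reports whether user belongs to any team that has access to app.
func (m Model) HasAccess(user, app string) bool {
	for _, team := range m.AppTeams[app] {
		for _, u := range m.TeamUsers[team] {
			if u == user {
				return true
			}
		}
	}
	return false
}

// RemoveTeam drops team from app and returns the users to revoke; members
// still covered by another team on the app keep their repository access.
func (m Model) RemoveTeam(app, team string) []string {
	kept, revoked := []string{}, []string{}
	for _, t := range m.AppTeams[app] {
		if t != team {
			kept = append(kept, t)
		}
	}
	if len(kept) == len(m.AppTeams[app]) {
		return revoked // team had no access to app: nothing changes
	}
	m.AppTeams[app] = kept
	for _, u := range m.TeamUsers[team] {
		if !m.HasAccess(u, app) {
			revoked = append(revoked, u)
		}
	}
	return revoked
}

func main() {
	// Constructed data: bob is a member of both teams.
	teams := map[string][]string{"frontend": {"alice", "bob"}, "backend": {"bob", "carol"}}
	m := Model{TeamUsers: teams, AppTeams: map[string][]string{"blog": {"frontend", "backend"}}}
	fmt.Println(m.RemoveTeam("blog", "frontend"))
}
```

Comparing such a computed set against the users actually authorized on a repository is one way to spot access that outlived a team change.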
When a user runs git push, the communication happens directly between the user host and the Gandalf host, and Gandalf will notify tsuru of the new deployment using a git hook.
Managing SSH public keys
In order to be able to send git pushes to the Git server, users need to have their key registered in Gandalf. When Gandalf is enabled, tsuru will enable the usage of three commands for SSH public key management:
- tsuru key-add
- tsuru key-remove
- tsuru key-list
Each of these commands has a corresponding API endpoint, so other clients of tsuru can also manage keys through the API.
tsuru will not store any public key data; all the data related to SSH keys is handled by Gandalf alone. When Gandalf is not enabled, those key commands will not work.