After you have configured authentication through HAProxy or NGINX as described in Configure Aptly authentication through HAProxy or Configure Aptly authentication through NGINX, enable authentication for Aptly repositories.
To enable authentication for Aptly repositories:
Log in to the Salt Master node.
Select from the following options:
For MCP versions starting from 2019.2.7, specify the following parameters
in the linux:system:repo
pillar in
cluster/<cluster_name>/infra/init.yml
:
linux:
system:
common_repo_secured:
user: aptly_user
password: <aptly_user_password>
secured_repos: [ 'all' ]
Specify all
in the secured_repos
parameter to enable
authentication for all available repositories. To enable authentication
for a list of repositories, specify them within secured_repos
. For
example:
linux:
system:
...
common_repo_secured:
user: aptly_user
password: <aptly_user_password>
secured_repos: [ 'test1', 'test2' ]
repo:
test1:
...
test2:
...
test3:
secure: False
...
In the example above, the test1
and test2
repositories will be
secured. However, the repo
parameter has precedence over
common_repo_secured
. Therefore, the test3
repository will not be
secured.
For MCP versions prior to 2019.2.7, specify the entire pillar structure in the configuration files of the Aptly repositories. For details, see Use secured sources for mirrors, repositories, and files.
For example:
linux:
system:
...
common_repo_secured:
arch: deb
protocol: http
user: aptly_user
password: <aptly_user_password>
distribution: stable
component: main
repo:
test1:
secure: true
url: <mirror_address>/ubuntu
test2:
secure: true
url: <mirror_address>/ubuntu
Apply the new Linux repository configuration on the nodes that are using Aptly:
salt -C '<target_compound>' saltutil.sync_all
salt -C '<target_compound>' state.apply linux.system.repo
If you use MAAS, also enable authentication for Aptly repositories for MAAS:
Obtain the Aptly repositories for MAAS. For example:
salt-call pillar.get _param:maas_region_main_archive
local:
http://10.10.0.14/update/proposed//ubuntu/
salt-call pillar.get _param:maas_region_boot_sources_maas_ephemeral_v3_bs_url
local:
http://10.10.0.14:8078/2019.2.0/maas-ephemeral-v3/
salt-call pillar.get maas:cluster:saltstack_repo_trusty
local:
deb [arch=amd64] http://10.10.0.14/2019.2.0//saltstack-2017.7//trusty/ trusty main
salt-call pillar.get maas:cluster:saltstack_repo_xenial
local:
deb [arch=amd64] http://10.10.0.14/2019.2.0//saltstack-2017.7//xenial/ xenial main
In the cluster/<name>/infra/maas.yml
file, specify the following
pillar using the obtained repositories and Aptly credentials. For
example:
parameters:
_param:
maas_region_main_archive: http://aptly_user:<aptly_user_password>@10.10.0.14/update/proposed//ubuntu/
maas_region_boot_sources_maas_ephemeral_v3_bs_url: http://aptly_user:<aptly_user_password>@10.10.0.14:8078/2019.2.0/maas-ephemeral-v3/
maas:
cluster:
saltstack_repo_trusty: deb [arch=amd64] http://aptly_user:<aptly_user_password>@10.10.0.14/2019.2.0//saltstack-2017.7//trusty/ trusty main
saltstack_repo_xenial: deb [arch=amd64] http://aptly_user:<aptly_user_password>@10.10.0.14/2019.2.0//saltstack-2017.7//xenial/ xenial main
Apply the MAAS configuration changes:
salt -C 'I@salt:master' saltutil.sync_all
salt -C 'I@salt:master' state.sls maas