Enable authentication for Aptly repositories

After you have configured authentication through HAProxy or NGINX as described in "Configure Aptly authentication through HAProxy" or "Configure Aptly authentication through NGINX", enable authentication for Aptly repositories.

To enable authentication for Aptly repositories:

  1. Log in to the Salt Master node.

  2. Select from the following options:

    • For MCP versions starting from 2019.2.7, specify the following parameters in the linux:system:repo pillar in cluster/<cluster_name>/infra/init.yml:

      linux:
        system:
          common_repo_secured:
            user: aptly_user
            password: <aptly_user_password>
            secured_repos: [ 'all' ]
      

      Specify 'all' in the secured_repos parameter to enable authentication for all available repositories. To enable authentication only for specific repositories, list their names in secured_repos instead. For example:

      linux:
        system:
          ...
          common_repo_secured:
            user: aptly_user
            password: <aptly_user_password>
            secured_repos: [ 'test1', 'test2' ]
          repo:
            test1:
              ...
            test2:
              ...
            test3:
              secure: False
              ...
      

      In the example above, the test1 and test2 repositories will be secured. However, the repo parameter has precedence over common_repo_secured. Therefore, the test3 repository will not be secured.

    • For MCP versions prior to 2019.2.7, specify the entire pillar structure in the configuration files of the Aptly repositories. For details, see "Use secured sources for mirrors, repositories, and files".

      For example:

      linux:
        system:
          ...
          common_repo_secured:
            arch: deb
            protocol: http
            user: aptly_user
            password: <aptly_user_password>
            distribution: stable
            component: main
          repo:
            test1:
              secure: true
              url: <mirror_address>/ubuntu
            test2:
              secure: true
              url: <mirror_address>/ubuntu
      
  3. Apply the new Linux repository configuration on the nodes that are using Aptly:

    salt -C '<target_compound>' saltutil.sync_all
    salt -C '<target_compound>' state.apply linux.system.repo
    
  4. If you use MAAS, also enable authentication for Aptly repositories for MAAS:

    1. Obtain the Aptly repositories for MAAS. For example:

      salt-call pillar.get _param:maas_region_main_archive
      local:
          http://10.10.0.14/update/proposed//ubuntu/
      
      salt-call pillar.get _param:maas_region_boot_sources_maas_ephemeral_v3_bs_url
      local:
          http://10.10.0.14:8078/2019.2.0/maas-ephemeral-v3/
      
      salt-call pillar.get maas:cluster:saltstack_repo_trusty
      local:
          deb [arch=amd64] http://10.10.0.14/2019.2.0//saltstack-2017.7//trusty/ trusty main
      
      salt-call pillar.get maas:cluster:saltstack_repo_xenial
      local:
          deb [arch=amd64] http://10.10.0.14/2019.2.0//saltstack-2017.7//xenial/ xenial main
      
    2. In the cluster/<name>/infra/maas.yml file, specify the following pillar using the obtained repositories and Aptly credentials. For example:

      parameters:
        _param:
          maas_region_main_archive: http://aptly_user:<aptly_user_password>@10.10.0.14/update/proposed//ubuntu/
          maas_region_boot_sources_maas_ephemeral_v3_bs_url: http://aptly_user:<aptly_user_password>@10.10.0.14:8078/2019.2.0/maas-ephemeral-v3/
        maas:
          cluster:
            saltstack_repo_trusty: deb [arch=amd64] http://aptly_user:<aptly_user_password>@10.10.0.14/2019.2.0//saltstack-2017.7//trusty/ trusty main
            saltstack_repo_xenial: deb [arch=amd64] http://aptly_user:<aptly_user_password>@10.10.0.14/2019.2.0//saltstack-2017.7//xenial/ xenial main
      
    3. Apply the MAAS configuration changes:

      salt -C 'I@salt:master' saltutil.sync_all
      salt -C 'I@salt:master' state.sls maas
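
The precedence rule from step 2 (a repository's own secure setting overrides common_repo_secured, and 'all' covers every repository) can be checked against a pillar before the state is applied, so that repositories left without authentication are visible up front. The following Python is an added example, not code from the linux Salt formula: the function names and the sample pillar, including the misspelled tset4 entry, are constructed for illustration. It assumes that an explicit secure: True on a repository also wins when that repository is not listed in secured_repos.

```python
# Added example: models the precedence rule described in step 2.
# It is not the linux Salt formula's own code.

def effective_secured(system_pillar):
    """Return {repo_name: bool}: whether each repo ends up authenticated."""
    common = system_pillar.get("common_repo_secured") or {}
    listed = common.get("secured_repos") or []
    secure_all = "all" in listed
    result = {}
    for name, repo in (system_pillar.get("repo") or {}).items():
        repo = repo or {}
        if "secure" in repo:
            # The per-repository setting has precedence over common_repo_secured.
            result[name] = bool(repo["secure"])
        else:
            result[name] = secure_all or name in listed
    return result


def audit(system_pillar):
    """Return (unsecured repos, secured_repos entries matching no repo)."""
    status = effective_secured(system_pillar)
    common = system_pillar.get("common_repo_secured") or {}
    listed = common.get("secured_repos") or []
    unsecured = sorted(n for n, ok in status.items() if not ok)
    unknown = sorted(n for n in listed if n != "all" and n not in status)
    return unsecured, unknown


# Constructed sample: the page's second example plus a test4 repository
# whose secured_repos entry is misspelled as "tset4".
SAMPLE = {
    "common_repo_secured": {
        "user": "aptly_user",
        "password": "<aptly_user_password>",
        "secured_repos": ["test1", "test2", "tset4"],
    },
    "repo": {"test1": {}, "test2": {}, "test3": {"secure": False}, "test4": {}},
}

if __name__ == "__main__":
    unsecured, unknown = audit(SAMPLE)
    print("not authenticated:", unsecured)
    print("secured_repos entries with no matching repo:", unknown)
```

The second list catches names in secured_repos that match no defined repository, which would otherwise leave the intended repository unauthenticated without any error.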