# Install Bundles from a Private Git Repository
# Overview
The standard deployment of the Entando Component Repository (ECR) assumes that bundles are checked out from public Git repositories. Public repositories do not require user authentication, but if a customer chooses to limit repository access to specific Git accounts, a private key is required. This document details how to allow the ECR to access a private Git repository.
For more background information please consult
# Using SSH keys with Git
Entando supports connecting to Git repositories with SSH keys. While SSH Git URLs are accepted, HTTPS git URLs are not. For the private key to work correctly, the SSH syntax of git@github.com:THE-REPO-OWNER-NAME/THE-REPO-NAME.git must be used (the HTTPS syntax of https://github.com/THE-REPO-OWNER-NAME/THE-REPO-NAME.git is not permitted).
Using the SSH method a developer can generate a public/private keypair, then register the public key with the Git server while securely storing the private key locally. An operation requiring authentication will trigger the Git command line utility to perform a search and compare between the local private key and the public key provided by the server. If the two keys are identical, the operation is allowed to complete.
Entando allows a Kubernetes Secret containing a Git SSH private key to be mounted in the container hosting the Entando Component Manager service. This container is deployed with the EntandoApp and can be configured from the EntandoApp Custom Resource. To prepare a Secret, first generate the keypair locally using a Docker image, then create the Secret from the directory where the keypair was generated.
# Tutorial
Below is the recommended flow on Linux.
Navigate to a local folder where you intend to create the Secret
Generate the SSH keypair from the known SSH client Docker image
Run the Docker container in interactive mode and mount the default user SSH directory to a local directory
docker run -it -v $PWD/entando_ssh:/root/.ssh kroniak/ssh-client /bin/bashGenerate the keypair from the shell of the resulting container
ssh-keygenSelect all of the default options, e.g. no passphrase, etc.
Attempt to add the fingerprint to the known_hosts file by connecting to your Git server and responding "yes" to the prompt
ssh git@github.comThis command is expected to fail.
Run
exit
Create the Secret.
You are now back in the local operating system's shell and can navigate to the directory that was mounted using Docker.
To give yourself access to this folder and create a Secret with the content
1. Change the folder permissions
```
sudo chmod ag+r entando_ssh -R
```
2. Create a Secret from the directory
```
kubectl create secret generic my-git-secret --from-file=entando_ssh -n <<your-namespace>>
```
3. Confirm that the Secret exists and has at least two keys: known_hosts, and id_rsa. Without these two keys Entando cannot log into Git.
```
kubectl get secret my-git-secret -n <<your-namespace>> -o yaml
```
Link the resulting private key to the account of a user who has access to the applicable Git repositories. Ideally this should be a dedicated service account user with restricted read only access. For GitHub accounts, you can follow the official GitHub instructions. (opens new window) When prompted, provide the public key that was generated in the entando_ssh directory
entando_ssh/id_rsa.pubModify the EntandoApp resource you are deploying to mount the Secret in the
spec.ecrGitSshSecretNameproperty. Note: In Entando 6.3.2 the EntandoApp resource must be configured prior to installation.
kind: "EntandoApp"
metadata:
annotations: {}
labels: {}
name: "quickstart"
spec:
dbms: none
replicas: 1
ecrGitSshSecretName: my-git-secret
standardServerImage: wildfly
ingressPath: /entando-de-app
ingressHostName: ampie.apps.serv.run
environmentVariables:
- name: SPRING_PROFILES_ACTIVE
value: "default,swagger"