The Version Control Service (VCS) includes a web interface for repository management, pull requests, and a visual view of all repositories and organizations. The following URL is for the VCS web interface:
https://vcs.SHASTA_CLUSTER_DNS_NAME
On cluster nodes, the VCS service can be accessed through the gateway. VCS credentials for the crayvcs user are required before cloning a repository (see
VCS administrative user below).
To clone a repository in the cray organization, use the following command:
git clone https://api-gw-service-nmn.local/vcs/cray/REPO_NAME.gitThe Cray System Management (CSM) product installation creates the administrative user crayvcs that is used by CSM and other product installers to import their configuration
content into VCS.
The initial VCS credentials for the crayvcs user are obtained with the following command:
kubectl get secret -n services vcs-user-credentials --template={{.data.vcs_password}} | base64 --decodeThe initial VCS login credentials for the crayvcs user are stored in three places:
vcs-user-credentialsKubernetes secret: This is used to initialize the other two locations, as well as providing a place where other users can query for the password.- VCS (Gitea): These credentials are used when pushing to Git using the default username and password. The password should be changed through the Gitea UI.
- Keycloak: These credentials are used to access the VCS UI. They must be changed through Keycloak. For more information on accessing Keycloak, see Access the Keycloak User Management UI.
WARNING: These three sources of credentials are not synced by any mechanism. Changing the default password requires that is it changed in all three places. Changing only one may result in difficulty determining the password at a later date, or may result in losing access to VCS altogether.
To change the password in the vcs-user-credentials Kubernetes secret, use the following procedure:
-
Log in to Keycloak with the default
admincredentials.Point a browser at
https://auth.SYSTEM_DOMAIN_NAME/keycloak/admin, replacingSYSTEM_DOMAIN_NAMEwith the actual NCN's DNS name.The following is an example URL for a system:
https://auth.cmn.system1.us.cray.com/keycloak/adminUse the following
adminlogin credentials:-
Username:
admin -
The password can be obtained with the following command:
kubectl get secret -n services keycloak-master-admin-auth \ --template={{.data.password}} | base64 --decode
-
-
Ensure the selected Realm is
Shastafrom the top-left dropdown in the left sidebar. -
From the left sidebar, under the
Managesection, selectUsers. -
In the
Search...textbox, type incrayvcsand click the search icon. -
In the filtered table below, click on the ID for the row that shows
crayvcsin theUsernamecolumn. -
Go to the
Credentialstab and change the password.Enter the new password in the
Reset Passwordform. EnsureTemporaryis switched off. Click onReset Passwordbutton. -
Log in to Gitea with the default
admincredentials.Point the browser at
https://vcs.SHASTA_CLUSTER_DNS_NAME/vcs/user/settings/account.If presented with Keycloak login, use
crayvcsas the username and the new VCS password. Wait to be redirected to the Gitea login page before continuing to the next step. -
Use the following Gitea login credentials:
-
Username:
crayvcs -
The old VCS password, which can be obtained with the following command:
kubectl get secret -n services vcs-user-credentials \ --template={{.data.vcs_password}} | base64 --decode
-
-
Enter the existing password (from previous step), new password, and confirmation, and then click
Update Password. -
Now SSH into
ncn-w001orncn-m001. -
Run
git clone https://github.com/Cray-HPE/csm.git. -
Copy the directory
vendor/stash.us.cray.com/scm/shasta-cfg/stable/utilsto the desired working directory. -
Change directories to be in the working directory set in the previous step.
-
Save a local copy of the
customizations.yamlfile.kubectl get secrets -n loftsman site-init -o jsonpath='{.data.customizations\.yaml}' | base64 -d > customizations.yaml
-
Change the password in the
customizations.yamlfile.The Gitea
crayvcspassword is stored in thevcs-user-credentialsKubernetes Secret in theservicesnamespace. This must be updated so that clients which need to make requests can authenticate with the new password.In the
customizations.yamlfile, set the values for thegiteakeys in thespec.kubernetes.sealed_secretsfield. The value in the data element where the name ispasswordneeds to be changed to the new Gitea password. The section below will replace the existing sealed secret data in thecustomizations.yamlfile.For example:
gitea: generate: name: vcs-user-credentials data: - type: static args: name: vcs_password value: my_secret_password - type: static args: name: vcs_username value: crayvcs
-
Encrypt the values after changing the
customizations.yamlfile../utils/secrets-seed-customizations.sh customizations.yaml
If the above command complains that it cannot find
certs/sealed_secrets.crt, then run the following commands to create it:mkdir -p ./certs && ./utils/bin/linux/kubeseal --controller-name sealed-secrets --fetch-cert > ./certs/sealed_secrets.crt
-
Upload the modified
customizations.yamlfile to Kubernetes.kubectl delete secret -n loftsman site-init kubectl create secret -n loftsman generic site-init --from-file=customizations.yaml
-
Get the current cached
sysmgmtmanifest and save it into agitea.yamlfile.kubectl get cm -n loftsman loftsman-sysmgmt -o jsonpath='{.data.manifest\.yaml}' > gitea.yaml
-
Run the following command to remove non-Gitea charts from the
gitea.yamlfile. This will also change themetadata.nameso that it does not overwrite thesysmgmt.yamlfile that is stored in theloftsmannamespace.for i in $(yq r gitea.yaml 'spec.charts[*].name' | grep -Ev '^gitea'); do yq d -i gitea.yaml 'spec.charts(name=='"$i"')'; done yq w -i gitea.yaml metadata.name gitea yq d -i gitea.yaml spec.sources yq w -i gitea.yaml spec.sources.charts[0].location 'https://packages.local/repository/charts' yq w -i gitea.yaml spec.sources.charts[0].name csm-algol60 yq w -i gitea.yaml spec.sources.charts[0].type repo
-
Example
gitea.yamlafter the command is run:Example:
apiVersion: manifests/v1beta1 metadata: name: sysmgmt spec: charts: - name: gitea namespace: services source: csm-algol60 values: cray-service: sealedSecrets: - apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: annotations: sealedsecrets.bitnami.com/cluster-wide: 'true' ... sources: charts: - location: https://packages.local/repository/charts name: csm-algol60 type: repo ...
-
Generate the manifest that will be used to redeploy the chart with the modified resources.
manifestgen -c customizations.yaml -i gitea.yaml -o manifest.yaml
-
Validate that the
manifest.yamlfile only contains chart information for Gitea, and that the sources chart location points tohttps://packages.local/repository/charts. -
Re-apply the
giteaHelm chart with the updatedcustomizations.yamlfile.This will update the
vcs-user-credentialsSealedSecret which will cause the SealedSecret controller to update the Secret.loftsman ship --manifest-path ${PWD}/manifest.yaml -
Verify that the Secret has been updated.
Give the SealedSecret controller a few seconds to update the Secret, then run the following command to see the current value of the Secret:
kubectl get secret -n services vcs-user-credentials \ --template={{.data.vcs_password}} | base64 --decode -
Save an updated copy of
customizations.yamlto thesite-initsecret in theloftsmanKubernetes namespace.CUSTOMIZATIONS=$(base64 < customizations.yaml | tr -d '\n') kubectl get secrets -n loftsman site-init -o json | jq ".data.\"customizations.yaml\" |= \"$CUSTOMIZATIONS\"" | kubectl apply -f -
The VCS UI uses Keycloak to authenticate users on the system. However, users from external authentication sources are not automatically associated with permissions in the cray
Gitea organization. As a result, users configured via Keycloak can log in and create organizations and repositories of their own, but they cannot modify the cray organization
that is created during system installation, unless they are given permissions to do so.
The crayvcs Gitea admin user that is created during CSM installation can log in to the UI via Keycloak. To allow users other than crayvcs to have access to repositories in
the cray organization, use the following procedure:
-
Log in to VCS as the
crayvcsuser on the system.URL:
https://vcs.SHASTA_CLUSTER_DNS_NAME -
Navigate to the
crayorganization owners page.URL:
https://vcs.SHASTA_CLUSTER_DNS_NAME/vcs/cray/teams/owners -
Enter the username of the user who should have access to the organization in the
Search user...text field, and click theAdd Team Memberbutton.
IMPORTANT The
Ownerrole has full access to all repositories in the organization, as well as administrative access to the organization, including the ability to create and delete repositories.
For granting non-administrative access to the organization and its repositories, create a new team at the following URL:
https://vcs.SHASTA_CLUSTER_DNS_NAME/vcs/org/cray/teams/new
Select the permissions appropriately, and then navigate to the following URL to add members to the newly created team:
https://vcs.SHASTA_CLUSTER_DNS_NAME/vcs/org/cray/teams/NEWTEAM
Data for Gitea is stored in two places: Git content is stored directly in a PVC, while structural data, such as Gitea users and the list and attributes of repositories, is stored in a Postgres database. Because of this, both sources must be backed up and restored together.
-
Determine which Postgres member is the leader.
kubectl exec gitea-vcs-postgres-0 -n services -c postgres -it -- patronictl listExample output:
+ Cluster: gitea-vcs-postgres (6995618180238446669) -----+----+-----------+ | Member | Host | Role | State | TL | Lag in MB | +----------------------+--------------+--------+---------+----+-----------+ | gitea-vcs-postgres-0 | 10.45.0.21 | Leader | running | 1 | | | gitea-vcs-postgres-1 | 10.46.128.19 | | running | 1 | 0 | | gitea-vcs-postgres-2 | 10.47.0.21 | | running | 1 | 0 | +----------------------+--------------+--------+---------+----+-----------+ -
Log into the leader pod and dump the data to a local file.
POSTGRES_LEADER=gitea-vcs-postgres-0 kubectl exec -it ${POSTGRES_LEADER} -n services -c postgres -- pg_dumpall -c -U postgres > gitea-vcs-postgres.sql
-
Determine what secrets are associated with the PostgreSQL credentials:
kubectl get secrets -n services | grep gitea-vcs-postgres.credentialsExample output:
postgres.gitea-vcs-postgres.credentials Opaque 2 13d service-account.gitea-vcs-postgres.credentials Opaque 2 13d standby.gitea-vcs-postgres.credentials Opaque 2 13d -
Export each secret to a manifest file:
SECRETS="postgres service-account standby" echo "---" > gitea-vcs-postgres.manifest for secret in $SECRETS; do kubectl get secret "${secret}.gitea-vcs-postgres.credentials" -n services -o yaml >> gitea-vcs-postgres.manifest echo "---" >> gitea-vcs-postgres.manifest done
-
Edit the manifest file to remove
creationTimestamp,resourceVersion,selfLink, anduidfor each entry. -
Copy all files to a safe location.
The VCS Postgres backups should be accompanied by backups of the VCS PVC. The export process can be run at any time while the service is running using the following commands:
POD=$(kubectl -n services get pod -l app.kubernetes.io/instance=gitea -o json | jq -r '.items[] | .metadata.name')
kubectl -n services exec ${POD} -- tar -cvf vcs.tar /var/lib/gitea/
kubectl -n services cp ${POD}:vcs.tar ./vcs.tarBe sure to save the resulting tar file to a safe location.
When restoring the VCS Postgres database, the PVC should also be restored to the same point in time. The restore process can be run at any time while the service is running using the following commands:
POD=$(kubectl -n services get pod -l app.kubernetes.io/instance=gitea -o json | jq -r '.items[] | .metadata.name')
kubectl -n services cp ./vcs.tar ${POD}:vcs.tar
kubectl -n services exec ${POD} -- tar -xvf vcs.tar
kubectl -n services rollout restart deployment gitea-vcsAn alternative to the separate backups of the Postgres and PVC data is to backup the Git data. This has the advantage that only one backup is needed and that the Git backups can be imported into any Git server, not just Gitea. This has the disadvantage that some information about the Gitea deployment is lost (such as user and organization information) and may need to be recreated manually if the VCS deployment is lost.
The following scripts create and use a vcs-content directory that contains all Git data. This should be copied to a safe location after export, and moved back to the system before import.
WARNING: The following example uses the VCS
adminusername and password in plaintext on the command line, meaning it will be stored in the shell history as well as be visible to all users on the system in the process table. These dangers can be avoided by modifying or replacing thecurlcommand (such as supplying the credentials tocurlusing the--netrc-fileargument instead of the--userargument, or replacing it with a simple Python script).
RESULTS=vcs-content
mkdir $RESULTS
VCS_USER=$(kubectl get secret -n services vcs-user-credentials --template={{.data.vcs_username}} | base64 --decode)
VCS_PASSWORD=$(kubectl get secret -n services vcs-user-credentials --template={{.data.vcs_password}} | base64 --decode)
git config --global credential.helper store
echo "https://${VCS_USER}:${VCS_PASSWORD}@api-gw-service-nmn.local" > ~/.git-credentials
for repo in $(curl -s https://api-gw-service-nmn.local/vcs/api/v1/orgs/cray/repos --user ${VCS_USER}:${VCS_PASSWORD}| jq -r '.[] | .name') ; do
git clone --mirror https://api-gw-service-nmn.local/vcs/cray/${repo}.git
cd ${repo}.git
git bundle create ${repo}.bundle --all
cp ${repo}.bundle ../$RESULTS
cd ..
rm -r $repo.git
doneSOURCE=vcs-content
VCS_USER=$(kubectl get secret -n services vcs-user-credentials --template={{.data.vcs_username}} | base64 --decode)
VCS_PASSWORD=$(kubectl get secret -n services vcs-user-credentials --template={{.data.vcs_password}} | base64 --decode)
git config --global credential.helper store
echo "https://${VCS_USER}:${VCS_PASSWORD}@api-gw-service-nmn.local" > ~/.git-credentials
for file in $(ls $SOURCE); do
repo=$(echo $file | sed 's/.bundle$//')
git clone --mirror ${SOURCE}/${repo}.bundle
cd ${repo}.git
git remote set-url origin https://api-gw-service-nmn.local/vcs/cray/${repo}.git
git push
cd ..
rm -r ${repo}.git
donePrior to import, the repository structure may need to be recreated if it has not already been by an install.
Adjust the repository list as necessary, if any additional repositories are present. Repository settings such as public or private will also need to be manually set, if applicable.
For example:
WARNING: The following example uses the VCS
adminusername and password in plaintext on the command line, meaning it will be stored in the shell history as well as be visible to all users on the system in the process table. These dangers can be avoided by modifying or replacing thecurlcommand (such as supplying the credentials tocurlusing the--netrc-fileargument instead of the--userargument, or replacing it with a simple Python script).
VCS_USER=$(kubectl get secret -n services vcs-user-credentials --template={{.data.vcs_username}} | base64 --decode)
VCS_PASSWORD=$(kubectl get secret -n services vcs-user-credentials --template={{.data.vcs_password}} | base64 --decode)
REPOS="analytics-config-management cos-config-management cpe-config-management slurm-config-management sma-config-management uan-config-management csm-config-management"
for repo in $REPOS ; do
curl -X POST https://api-gw-service-nmn.local/vcs/api/v1/orgs/cray/repos -u ${VCS_USER}:${VCS_PASSWORD} -d name=${repo}
done