1. Private Model Artifact Repositories Access through Deploy Keys


    To manage access to private model artifact repositories, you typically use deploy keys. A deploy key is an SSH key that is stored on your server and grants access to a single repository of code. In infrastructure as code, deploying and managing these keys can be done programmatically using Pulumi and a compatible provider such as GitHub or GitLab.

    Here's a detailed explanation of how you can achieve this in Pulumi with Python:

    1. github.RepositoryDeployKey: This resource is used to manage deploy keys for GitHub repositories, granting read-only or read-write access to the repository.
    2. gitlab.DeployKey: Similarly, for GitLab repositories, we use this resource to add SSH keys as deploy keys to the specified project, with optional write access.

    In both cases, the deploy key is an SSH public key that you generate and associate with the repository. When a deployment occurs, services that have access to the private key can authenticate with the respective cloud service to access the repository.

    Below is a Pulumi Python program that demonstrates how you might configure deploy keys for both GitHub and GitLab. This code will create new deploy keys for specific repositories when applied.

    import pulumi
    import pulumi_github as github
    import pulumi_gitlab as gitlab

    # Replace these variables with your own data
    github_repo_name = 'my-github-repo'
    gitlab_project_id = 'my-gitlab-project-id'
    ssh_key_public = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...'  # Replace with your public deploy key

    # Create a deploy key for a GitHub repository
    github_deploy_key = github.RepositoryDeployKey("github-deploy-key",
        title="my-deploy-key",  # A name to identify the deploy key
        key=ssh_key_public,  # The public part of the deploy key
        read_only=True,  # Set to False to allow write access
        repository=github_repo_name,
    )

    # Create a deploy key for a GitLab project
    gitlab_deploy_key = gitlab.DeployKey("gitlab-deploy-key",
        title="my-deploy-key",  # A name to identify the deploy key
        key=ssh_key_public,  # The public part of the deploy key
        can_push=False,  # Set to True to allow write access
        project=gitlab_project_id,
    )

    # Export the deploy key IDs for both GitHub and GitLab
    pulumi.export("github_deploy_key_id", github_deploy_key.id)
    pulumi.export("gitlab_deploy_key_id", gitlab_deploy_key.id)

    In both resources, title is the name you give the deploy key, and key is where you place your SSH public key. For GitHub, the read_only attribute defines whether the deploy key has permission to write to the repository. In GitLab, this is controlled by the can_push attribute. The two flags have opposite polarity: set read_only to False (GitHub) or can_push to True (GitLab) only if your deployments need write access, and otherwise keep the key read-only as in the program above.

    Finally, the export statements at the bottom of the program make the IDs of the created deploy keys available in the Pulumi stack's outputs. These can be used to reference the deploy keys outside of Pulumi if necessary.

    Replace my-github-repo and my-gitlab-project-id with the actual identifiers for your repository and GitLab project, respectively. Also, replace the dummy SSH key provided in ssh_key_public with your actual SSH public key.

    To generate an SSH key pair to use as a deploy key, you can run:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

    When prompted, you can specify the file to save the key and whether to use a passphrase for additional security. The public key file (commonly ending with .pub) is what you would put into the ssh_key_public variable. Keep the private key secure and don't share it.
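
A pre-flight check for the value placed in ssh_key_public, as an added example that is not part of the original program or of either provider. It rejects private key material and the truncated placeholder, enforces a minimum RSA size, and returns the SHA256 fingerprint in the form `ssh-keygen -lf` prints, for comparison with what GitHub or GitLab lists for the key. The names check_deploy_key, constructed_rsa_line and the MIN_RSA_BITS floor of 3072 are assumptions made for illustration.

```python
import base64
import hashlib

MIN_RSA_BITS = 3072  # assumption: local policy floor, not a value from the page


def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")  # 4-byte big-endian length
        if pos + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out


def check_deploy_key(line):
    """Validate one OpenSSH public key line; return type, RSA size, fingerprint."""
    if "PRIVATE KEY" in line:
        raise ValueError("private key supplied; only the .pub line belongs here")
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("key body is not valid base64 (placeholder?)") from exc
    fields = _fields(blob)
    if not fields or fields[0] != parts[0].encode():
        raise ValueError("declared key type does not match the key blob")
    bits = None
    if parts[0] == "ssh-rsa":
        if len(fields) != 3:  # type name, public exponent, modulus
            raise ValueError("malformed ssh-rsa blob")
        bits = int.from_bytes(fields[2], "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is {bits} bits; minimum is {MIN_RSA_BITS}")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": parts[0], "bits": bits, "fingerprint": "SHA256:" + digest}


def constructed_rsa_line(bits):
    """Constructed sample: structurally valid ssh-rsa line, not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    parts = (b"ssh-rsa", b"\x01\x00\x01", n)
    raw = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "ssh-rsa " + base64.b64encode(raw).decode() + " deploy@example"
```

Calling check_deploy_key(ssh_key_public) before the two resources are declared makes `pulumi up` fail early on a bad value instead of registering it with the provider.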

    Remember to install the pulumi_github and pulumi_gitlab Python packages if you haven't already:

    pip install pulumi_github pulumi_gitlab

    This code presumes that your Pulumi configuration is already set up for GitHub and GitLab, meaning you've configured the respective access tokens needed to authenticate with these providers.