Ci/cd user for uploading cookbook


#1

So I'm working on getting testing and deployment of cookbooks into Gitlab pipelines. Right now I'm getting hung up on the final step of uploading a cookbook after all my tests pass.

What's the most straightforward way of achieving this? I've been leaning towards dropping a knife.rb and client.pem into the pipeline and simply doing a knife cookbook upload as the final step, assuming tests pass. If this is the way to go, is there a way to restrict the perms on the client to only be able to upload a new cookbook?

Right now I'm working in a dev environment so cookbook versioning isn't a huge concern just yet.

Is there a better way about this?


#2

Hi,

I am not aware of any other way regarding the authentication but the client.rb is a ruby file and as such you can run code in it. Most importantly you can use environment variables with ENV["VAR"].
When uploading a cookbook with knife you can specify --freeze which does not allow uploading the same version again (unless you --force it). You can also use Berkshelf to upload the cookbook with its dependencies which automagically freezes the version for you.


#3

So creating a 'normal' user is the route of least permissions while still being able to upload cookbooks?
I was hoping for something similar to a service account but this sounds about right after looking through the docs.


#4

Regarding permissions you could create a normal user, put him a group and assign this group only the required permissions [1] to upload cookbooks.

[1] https://github.com/chef/knife-acl