Deploy from github, using individual keys


#1

I feel like this has been done, demonstrated, but I couldn’t find
anything on it.

Flow:

Provision a box
At some point in the run, pull a branch from github (master, tag, etc)
Restart service if changed

By using a GitHub deploy key, I can automate this for prod, sure.

But if I’m using Vagrant, and I want to restrict access to the deploy
key, is there a known way for me to specify “use a user’s ssh-agent
forwarded ssh key instead”.

Ideas, blogs, thoughts?
-M


#2

Hey Mike,

Here is a post I made on how we do deploy keys:

Our solution is to use a new deploy key for every run and then clean them
up later with a batch job. However, this doesn’t really solve the problem,
it just makes it so that now the valuable thing is your GitHub API key. Unsure
if there is a good way to use the host’s ssh-agent from Vagrant, though
you may be able to hack something together with a Vagrant plugin.

Andrew

On Thu, Jun 27, 2013 at 8:10 AM, Mike miketheman@gmail.com wrote:



#3

I haven’t tried this, but you can specify JSON data in your Vagrantfile.

If your deploy process gets your deploy key from an attribute, you can
override that in the Vagrantfile. And, since a Vagrantfile is just ruby,
you could get that key from just reading in a user’s SSH public key file.

Something like

Vagrant.configure("2") do |config|
  config.vm.provision "chef_server" do |chef|
    # ...

    chef.json = {
      "myapp" => {
        "deploy_key" => File.read(ENV['MYORG_DEPLOY_KEY'] || "#{ENV['HOME']}/.ssh/id_rsa.pub")
      }
    }
  end
end

Maybe?

-Matt Moretti
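The attribute approach above, worked through as an added example (my code, not Matt's or the Chef project's). A GitHub deploy key is an SSH key pair: the public half is what you paste into the repository's "Deploy keys" page, and the private half is what the machine running `git fetch` must hold, so this version reads the key path the same way the snippet does (an env override, then a default under `$HOME/.ssh`) but refuses to hand a public key to `chef.json`, failing at `vagrant up` instead of later at `git clone`. The `MYORG_DEPLOY_KEY` variable, the `myapp` attribute name and the `id_rsa` default are assumptions carried over from the snippet.

```ruby
# Added example: resolve a deploy key on the Vagrant host and build the
# chef.json hash for it. Not code from the thread or from Chef/Vagrant.
require 'json'

# Assumed default: the host user's own private key (NOT the .pub file).
DEFAULT_KEY = File.join(ENV.fetch('HOME', '/root'), '.ssh', 'id_rsa')

# Explicit env override first, then the default path.
def deploy_key_path(env = ENV, default = DEFAULT_KEY)
  env['MYORG_DEPLOY_KEY'] || default
end

# OpenSSH/PEM private keys start with a "-----BEGIN ..." line;
# a public key is a single "ssh-ed25519 AAAA... comment" line.
def private_key?(text)
  text.lstrip.start_with?('-----BEGIN')
end

# The hash assigned to chef.json. Raises on a missing file (Errno::ENOENT)
# or on a public key, so a misconfigured host fails early and loudly.
def deploy_key_json(env = ENV, default = DEFAULT_KEY)
  path = deploy_key_path(env, default)
  key  = File.read(path)
  unless private_key?(key)
    raise ArgumentError, "#{path} is not a private key (did you point at the .pub file?)"
  end
  { 'myapp' => { 'deploy_key' => key } }
end

# Wired into a Vagrantfile as:
#   config.vm.provision "chef_server" do |chef|
#     chef.json = deploy_key_json
#   end
```

One caveat with this route: `chef.json` becomes the node's normal attributes, and with the `chef_server` provisioner chef-client saves the node object back to the server at the end of the run, so the private key ends up stored in node data readable by any client with node read rights. It is fine for a throwaway Vagrant box; for anything shared, keep the key out of attributes.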

On Thu, Jun 27, 2013 at 8:10 AM, Mike miketheman@gmail.com wrote:



#4

On Thu, Jun 27, 2013 at 4:42 PM, Andrew Gross andrew@yipit.com wrote:

Unsure if there is a good way to use the host’s ssh-agent from Vagrant,
though you may be able to hack something together with a Vagrant plugin.

I just add this to my Vagrantfile:

# Forward SSH authentication agent
config.ssh.forward_agent = true


Ronan Amicel
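What the guest side looks like once `config.ssh.forward_agent = true` is set, as an added example (my code, not Ronan's or Vagrant's) that also covers the flow from the original post: fetch the requested ref, check it out, and report whether HEAD moved so the caller can restart the service. `git_env` picks the credential: a provisioned deploy key file if there is one (pinned with `IdentitiesOnly` so a stray agent key cannot be used by accident), otherwise the forwarded agent socket in `SSH_AUTH_SOCK`, otherwise it fails before git can hang on a prompt. The repository URL, ref, destination path and `NoCredentials` error are placeholders; `GIT_SSH_COMMAND` needs git 2.3 or newer (older git needs a `GIT_SSH` wrapper script instead).

```ruby
# Added example: deploy a GitHub ref inside the guest using either a deploy
# key file or the host user's forwarded ssh-agent. Not code from the thread.
require 'open3'
require 'shellwords'

class NoCredentials < StandardError; end

# BatchMode makes ssh fail instead of prompting (unknown host key, passphrase).
SSH_BASE = 'ssh -o BatchMode=yes'.freeze

# Environment for git. Exactly one credential source is exposed.
def git_env(env, key_path: nil)
  if key_path && File.exist?(key_path)
    { 'GIT_SSH_COMMAND' => "#{SSH_BASE} -o IdentitiesOnly=yes -i #{Shellwords.escape(key_path)}" }
  elsif env['SSH_AUTH_SOCK'] && File.socket?(env['SSH_AUTH_SOCK'])
    { 'GIT_SSH_COMMAND' => SSH_BASE, 'SSH_AUTH_SOCK' => env['SSH_AUTH_SOCK'] }
  else
    raise NoCredentials, 'no deploy key and no forwarded ssh-agent ' \
                         '(SSH_AUTH_SOCK unset: under sudo it is dropped unless kept via env_keep)'
  end
end

# The git argv sequence for one deploy of `ref` (branch or tag) into `dest`.
# "fetch origin <ref>" leaves the fetched commit in FETCH_HEAD for either kind
# of ref, so no branch-vs-tag special casing is needed.
def git_plan(repo, ref, dest)
  steps = []
  steps << ['git', 'clone', '--quiet', '--no-checkout', repo, dest] unless File.directory?(File.join(dest, '.git'))
  steps << ['git', '-C', dest, 'fetch', '--quiet', 'origin', ref]
  steps << ['git', '-C', dest, 'checkout', '--quiet', '--force', '--detach', 'FETCH_HEAD']
  steps
end

def head_sha(dest, env)
  return nil unless File.directory?(File.join(dest, '.git'))
  out, status = Open3.capture2e(env, 'git', '-C', dest, 'rev-parse', 'HEAD')
  status.success? ? out.strip : nil
end

# Runs the plan; returns whether HEAD changed so the caller can restart.
def deploy(repo, ref, dest, env: ENV, key_path: nil)
  genv   = git_env(env, key_path: key_path)
  before = head_sha(dest, genv)
  git_plan(repo, ref, dest).each do |cmd|
    out, status = Open3.capture2e(genv, *cmd)
    raise "#{cmd.join(' ')} failed:\n#{out}" unless status.success?
  end
  after = head_sha(dest, genv)
  { changed: before != after, before: before, after: after }
end

# Usage (placeholder repo and service):
#   r = deploy('git@github.com:myorg/myapp.git', 'master', '/srv/myapp')
#   system('service', 'myapp', 'restart') if r[:changed]
```

Two things bite people with this setup. First, Vagrant's Chef provisioners run chef-solo/chef-client as root through sudo, and sudo's default `env_reset` strips `SSH_AUTH_SOCK`, so a recipe sees no agent unless the guest's sudoers has `Defaults env_keep += "SSH_AUTH_SOCK"`. Second, `BatchMode=yes` means GitHub's host key must already be in `known_hosts` on the guest, or the first fetch fails rather than prompting. And remember what forwarding buys you: while the session is open, root on that guest can authenticate as you to anything your agent holds, which is why it is a fit for a developer's Vagrant box and not for a shared host.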


#5

I would either use a data bag to store the key, or use a shared volume.

I actually do use a data bag, which works great with my test-kitchen workflow. In the event I need something fancy, there’s always https://github.com/edelight/chef-solo-search.
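The data-bag route, worked through on the node side as an added example (my code, not the poster's and not Chef's API). The item layout (a `deploy_keys` bag, a `myapp` item with a `private_key` field) is an assumption; the sample item is constructed. Fetching the item is Chef's job (`data_bag_item('deploy_keys', 'myapp')`, or chef-solo-search under chef-solo) and is not reimplemented here; what the example shows is the part that usually goes wrong afterwards: getting the key onto disk with permissions ssh will accept, without a window where a loosely-permissioned copy exists.

```ruby
# Added example: install a deploy key taken from a data bag item.
# Not code from the thread or from Chef.
require 'fileutils'

# Constructed sample item, as it would sit in data_bags/deploy_keys/myapp.json.
SAMPLE_ITEM = {
  'id' => 'myapp',
  'private_key' => "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n"
}.freeze

# Write the key where ssh will accept it: directory 0700, file 0600.
# The file is created with 0600 from the start and swapped in by rename,
# so no partially written or world-readable copy is ever visible.
def install_deploy_key(item, dir, name = 'deploy_key')
  key = item.fetch('private_key')
  raise ArgumentError, 'item does not hold a private key' unless key.lstrip.start_with?('-----BEGIN')
  FileUtils.mkdir_p(dir, mode: 0o700)
  path = File.join(dir, name)
  tmp  = "#{path}.tmp"
  File.open(tmp, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(key) }
  File.chmod(0o600, tmp) # covers a pre-existing tmp file with a looser mode
  File.rename(tmp, path)
  path
end

# ssh refuses a key that other users can read ("UNPROTECTED PRIVATE KEY FILE").
def key_mode_ok?(path)
  (File.stat(path).mode & 0o777) == 0o600
end

# Usage in a recipe (placeholder path):
#   path = install_deploy_key(data_bag_item('deploy_keys', 'myapp'), '/srv/myapp/.ssh')
```

For the encrypted variant, `knife data bag from file deploy_keys data_bags/deploy_keys/myapp.json --secret-file <secret>` uploads the item encrypted, and the node needs the same secret to decrypt it. The shared-volume alternative mentioned above has a trap worth knowing: VirtualBox synced folders (vboxsf) do not honour `chmod`, every file shows up with the mount's fixed mode, so a private key read straight off the synced folder fails the permission check above; copy it onto the guest's own filesystem first, or mount the folder with `dmode=700,fmode=600` in the `mount_options`.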

On 2013-06-27, at 05:10, Mike miketheman@gmail.com wrote:
