How should I handle the problem of the pubkey auth for git repos in Chef recipes?


#1

Hello list,

I want to use Chef as “executable documentation” for my server(s)
infrastructure. The classic Chef+Chef Server (or opscode platform) conf is
overkill for me, so I’m using the “good old” chef-solo.

I’m writing my own recipe as a way to practice. The goal of this recipe is
to describe my current Server in Chef, and allow me to recreate it
somewhere else (both server provisioning and app provisioning). I’m using
Vagrant to test it out.

My question is: How should I handle the problem of the pubkey auth for git
repos? Is there a way to “tunnel” the private key from my workstation? I’ve
seen the “secret databag” solution, but I found it a bit awkward to setup.
Another solution perhaps would be to go to the server and manually create a
key pair, upload the pub key to github and then point to it in the recipe
configuration, however, this requires some manual labor that can’t be
avoided (uploading the key to github).

What would be the best way to solve this problem? Any insights appreciated!

Thanks in advance,

  • Marcelo.

#2

For GitHub specifically, the OAuth solution rings true:
https://github.com/blog/1270-easier-builds-and-deployments-using-git-over-https-and-oauth
Managing an SSH Keypair and adding it to a GitHub account is also viable
with the API(s), but I’d suggest evaluating the HTTPS + OAuth solution.

A lightweight solution may be to (human) generate a once-off deployment
key, add it to the GitHub repo (only one deployment key per repo is
allowed), or add it to a generic GitHub account (and add this account to
your repos) and then, as you’ve mentioned, store the keypair in an
encrypted (or non) data-bag. The benefit to this is the model is
appropriate for non GitHub “git” installations.

Cheers,

AJ

On 13 November 2012 15:43, Marcelo de Moraes Serpa celoserpa@gmail.com wrote:

#3

Hi AJ,

Wow, thanks for the heads up about GitHub OAuth, I was clueless about that;
that sounds like an interesting solution to consider.

A lightweight solution may be to (human) generate a once-off deployment
key, add it to the GitHub repo (only one deployment key per repo is
allowed), or add it to a generic GitHub account (and add this account to
your repos) and then, as you’ve mentioned, store the keypair in an
encrypted (or non) data-bag. The benefit to this is the model is
appropriate for non GitHub “git” installations.

I was thinking about using my own private key, but this sounds safer.
Thanks for the idea. I’m using encrypted data-bags with chef-solo through
knife-solo (awesome plugin by the way!).

Cheers,

  • Marcelo.

On Mon, Nov 12, 2012 at 10:49 PM, AJ Christensen aj@junglist.gen.nz wrote:

For GitHub specifically, the OAuth solution rings true:
https://github.com/blog/1270-easier-builds-and-deployments-using-git-over-https-and-oauth
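The deploy-key-in-an-encrypted-data-bag approach AJ suggests and Marcelo adopts, as an added stand-alone Ruby illustration (not code from this thread and not Chef's own encrypted data bag implementation): the workstation side seals the key under a shared secret, the node side opens it, writes it owner-only and builds a GIT_SSH wrapper pinned to that key. In a chef-solo recipe the same node-side work is done by a `file` resource with `mode "0600"` and the `git` resource's `ssh_wrapper` attribute; the secret, key material and paths below are constructed, and getting the secret file onto the node is outside this example.

```ruby
require "openssl"
require "json"
require "fileutils"

# Workstation side: seal the deploy key under a shared secret.
# AES-256-CBC with a random IV, key = SHA-256(secret). Same idea as an
# encrypted data bag item, but this is NOT Chef's item format.
def encrypt_item(secret, data)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  sealed = cipher.update(JSON.generate(data)) + cipher.final
  { "iv" => [iv].pack("m0"), "encrypted_data" => [sealed].pack("m0") }
end

# Node side: open the item. A wrong secret raises (bad padding or bad JSON),
# it never silently yields a garbage key.
def decrypt_item(secret, item)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  cipher.iv = item["iv"].unpack1("m0")
  JSON.parse(cipher.update(item["encrypted_data"].unpack1("m0")) + cipher.final)
end

# Node side: write the key owner-only and a GIT_SSH wrapper that forces ssh
# to offer exactly this key (IdentitiesOnly keeps agent/default keys out).
def install_deploy_key(ssh_dir, private_key)
  FileUtils.mkdir_p(ssh_dir, mode: 0o700)
  key_path = File.join(ssh_dir, "id_deploy")
  wrapper  = File.join(ssh_dir, "git_wrapper.sh")
  # Create with 0600 from the start so a permissive umask never exposes it;
  # the chmod covers the case where the file already existed with wider bits.
  File.open(key_path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(private_key) }
  File.chmod(0o600, key_path)
  File.write(wrapper, "#!/bin/sh\nexec ssh -i '#{key_path}' -o IdentitiesOnly=yes \"$@\"\n")
  File.chmod(0o700, wrapper)
  { key: key_path, wrapper: wrapper }
end
```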