Installing package from secured http


#1

I have some binaries on a web server that I’d like to install via the package resource. The issue I’m having is that the binaries are on a secured web server that requires authentication.

What is the best way for me to authenticate to the server?


#2

how would you do it in a command line? answer that and get to the point where you will find yourself asking if you will be using a password and where to safely store this password… if you have a mechanism for safely passing secure secrets… then you’re set…

if not… consider including the binaries in the cookbook…

anyways…
remote_file with headers like this…

headers("Authorization" => "Basic #{Base64.encode64("#{username}:#{password}").gsub("\n", "")}")

you need to set and get the username and password some way

if your site requires more than httpbasic… then go back to… how would you do it command line and work thru it again…
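
An added example, not part of the original post: the Basic header from the reply above built with `Base64.strict_encode64` (so no newline stripping is needed) and passed to `remote_file` with `sensitive` and `checksum` set. The helper names, their parameters and the way credentials reach them are assumptions for illustration.

```ruby
require 'base64'

# Build the hash that remote_file's `headers` property expects.
# Base64.encode64 wraps its output every 60 characters and appends "\n",
# which is why the one-liner above strips newlines; strict_encode64 emits
# a single line, so the result is always a valid header value.
def basic_auth_header(username, password)
  # RFC 7617: the user-id cannot contain ":", it is the separator.
  raise ArgumentError, 'username must not contain ":"' if username.include?(':')

  { 'Authorization' => "Basic #{Base64.strict_encode64("#{username}:#{password}")}" }
end

# Hypothetical recipe helper. It only works when called from a Chef recipe,
# where remote_file and package exist; nothing here runs at load time.
# username/password are assumed to come from a secret store, never from
# plain node attributes.
def install_from_secured_http(pkg_name, url, local_path, username, password, sha256)
  auth = basic_auth_header(username, password)

  remote_file local_path do
    source url
    headers auth
    checksum sha256 # fail the run if the download's SHA-256 differs
    sensitive true  # keep the resource's data, header included, out of logs
    mode '0600'
  end

  package pkg_name do
    source local_path
  end
end
```

Basic authentication only encodes the credentials, so the `source` URL should be `https://`.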


#4

Thanks, your explanation makes sense. I am using vault so the creds shouldn’t be a problem. The only issue I have with including the binaries/packages in the cookbook file folder is some of the packages are quite large and I’d prefer not taking up disk space with the files. I’ll see if I can get around this with some logic in the recipe unless there is an easier way?


#5

Storing binaries in cookbooks is a bad practice and you should avoid it… Store it in something like Nexus, Artifactory, etc.


#7

Why is it bad practice?


#8

There are many reasons. For one, your cookbooks become large and must be transferred from the Chef server to the client even if the binary is not needed. While it might be “ok” in small scale, this can quickly get out of hand. Take for example a Java cookbook: you would have lots of binaries, as you need each version to choose from and for each arch type supported. This is also true for each version of the cookbook, so if you don’t clean up older versions you consume wasted space on each server.