Knife-windows - Correct way to set auth proxy settings

First off, I’m a Chef n00b, so any patience with Chef n00bery is much appreciated. Trying to get Chef Server and some Server 2012R2 machines going, and struggling mightily with our authenticated proxy.

I see the wget.ps1 file that’s created on-the-fly via knife-windows on our target VM, which is using System.Net.WebClient to make the web request to download the Chef agent. It looks like this is being generated from ~/.chefdk/gem/ruby/2.1.0/gems/knife-windows-1.4.1/lib/chef/knife/core/windows_bootstrap_context.rb. The Ruby code appears to be looking for the bootstrap_proxy command line parameter, and if set it’s passing that information along to the wget.ps1 script.

In our environment, however, we need more than that - I need to set some authenticated user settings. What’s the best way to do that?

What I’ve done, which appears to work fairly well, is modify the windows_bootstrap_context.rb file to add the proxy settings (hardcoded for now, but I could abstract them as well):

win_wget_ps = <<-WGET_PS
param(
   [String] $remoteUrl,
   [String] $localPath
)

$ProxyUrl = $env:http_proxy;
$webClient = new-object System.Net.WebClient;

if ($ProxyUrl -ne '') {
  $WebProxy = New-Object System.Net.WebProxy($ProxyUrl,$true)
  $WebClient.Proxy = $WebProxy
}

$WebClient.Proxy.Credentials = New-Object System.Net.NetworkCredential("username","password","domain")

$webClient.DownloadFile($remoteUrl, $localPath);
WGET_PS

Same thing goes for the knife client file, which also is created by the same windows_bootstrap_context.rb script - I’ve added some additional code to set the auth user proxy settings there too:

  if knife_config[:bootstrap_proxy]
    client_rb << "\n"
    client_rb << %Q{http_proxy        "#{knife_config[:bootstrap_proxy]}"\n}
    client_rb << %Q{http_proxy_user        'username'\n}
    client_rb << %Q{http_proxy_pass        'password'\n}
    client_rb << %Q{https_proxy       "#{knife_config[:bootstrap_proxy]}"\n}
    client_rb << %Q{https_proxy_user        'username'\n}
    client_rb << %Q{https_proxy_pass        'password'\n}
    client_rb << %Q{no_proxy          "#{knife_config[:bootstrap_no_proxy]}"\n} if knife_config[:bootstrap_no_proxy]
  end

Any help would be very much appreciated.
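As an added example (not part of the original post and not knife-windows code), here is one way to abstract the hardcoded values: build the client.rb proxy section from configuration and emit every value as an escaped Ruby literal, since client.rb is evaluated as Ruby. The keys `:bootstrap_proxy_user` and `:bootstrap_proxy_pass_env` and the variable name `KNIFE_PROXY_PASS` are hypothetical names chosen for this sketch.

```ruby
# Added example, not knife-windows code. The keys :bootstrap_proxy_user and
# :bootstrap_proxy_pass_env are hypothetical names chosen for this sketch.

# Render a value as a Ruby string literal for client.rb. String#dump escapes
# quotes, backslashes and interpolation markers, so the value cannot close
# the string or run code when chef-client evaluates the file.
def rb_literal(value)
  value.to_s.dump
end

# Build the proxy section of client.rb from configuration.
# env is injectable so the function can be exercised without touching ENV.
def proxy_client_rb(knife_config, env = ENV)
  proxy = knife_config[:bootstrap_proxy]
  return "" if proxy.nil? || proxy.empty?

  user = knife_config[:bootstrap_proxy_user]
  pass = nil
  if user
    # The config holds only the NAME of an environment variable; the password
    # itself stays out of the gem source and out of knife.rb.
    var = knife_config[:bootstrap_proxy_pass_env]
    pass = var && env[var]
    if pass.nil? || pass.empty?
      raise ArgumentError, "proxy user set but password variable #{var.inspect} is empty"
    end
  end

  lines = []
  %w[http https].each do |scheme|
    lines << "#{scheme}_proxy #{rb_literal(proxy)}"
    next unless user
    lines << "#{scheme}_proxy_user #{rb_literal(user)}"
    lines << "#{scheme}_proxy_pass #{rb_literal(pass)}"
  end
  no_proxy = knife_config[:bootstrap_no_proxy]
  lines << "no_proxy #{rb_literal(no_proxy)}" if no_proxy
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; the password deliberately contains characters
  # that would break a naively quoted client.rb line.
  sample_env = { "KNIFE_PROXY_PASS" => %q(p"ss#{1+1}) }
  sample_cfg = { bootstrap_proxy: "http://proxy.example.internal:8080",
                 bootstrap_proxy_user: "svc_chef",
                 bootstrap_proxy_pass_env: "KNIFE_PROXY_PASS" }
  puts proxy_client_rb(sample_cfg, sample_env)
end
```

The rendered client.rb still holds the password in clear text on the node, so the file's ACL matters as much as how the value got there.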

One of the easier ways to get around the proxy craziness is to stash the installer somewhere behind your firewall and use the --msi-url <uri to where your installer is available> to knife bootstrap. Then it won’t have to hit the internet to get the installer bits.

Brilliant! I reverted my windows_bootstrap_context.rb to no longer have my proxy settings and used the --msi-url to hit a web-hosted version of the msi in our network - worked perfectly (and much cleaner).

Our authenticated (AD-based) proxy is the bane of my IT existence, especially with any kind of web-based automation. :rage:

Is that msi-url parameter documented anywhere? I couldn’t find it in the knife-bootstrap or knife-windows documentation anywhere. Super useful.

Thanks Steven!

@rayterrill I’m not sure if it’s documented anywhere off-hand. I remember the PR going in to knife-windows and knife bootstrap windows winrm --help confirmed it was there for me.

@Steven_Murawski All good. Thanks so much Steven! :slight_smile: