26

When deploying an application with Chef, I've got the code base set to be cloned from a private github repository with the following resource:

```ruby
git '/mnt/application' do
    repository 'git@github.com:organization/repository'

    reference 'master'
    action :sync

    user node.application.user
    group node.application.user
end
```

However, after scanning the documentation for the git resource, I can't see how you supply the key file for authentication. I'm also confused as to how to store this key in a data bag, as the file contains a bunch of new lines. Any ideas?

zx485
L. Adamek
  • I have detailed the workflow [here](http://stackoverflow.com/questions/23621251/how-do-i-authenticate-when-i-do-a-git-clone-with-chef/23736540#23736540) – zabumba Feb 10 '15 at 13:45

7 Answers

27
```ruby
ssh_wrapper "ssh -i /some/path/id_rsa"
```

In case someone comes across this, the above didn't work for me; I kept getting the error:

```
error: cannot run ssh -i /some/path/id_rsa: No such file or directory
```

What specifying ssh_wrapper does is it sets the GIT_SSH environment variable, and it turns out you can't provide parameters in the GIT_SSH environment variable (see Git clone with custom SSH using GIT_SSH error).

Instead, you would need to write your script to a file first, then set GIT_SSH to it.

So:

```ruby
file "/some/path/git_wrapper.sh" do
  owner "your_user"
  mode "0755"
  content "#!/bin/sh\nexec /usr/bin/ssh -i /some/path/id_rsa \"$@\""
end
```

And change the git resource part to:

```ruby
git "/opt/mysources/couch" do
  repository "git://git.apache.org/couchdb.git"
  reference "master"
  action :sync
  ssh_wrapper "/some/path/git_wrapper.sh"
end
```
psamaan
  • This was my experience too. Same problem, same solution. – Noah Gibbs Dec 08 '14 at 13:00
  • Also it's useful to add `-o "StrictHostKeyChecking=no"` parameter to ssh to skip host key check. – Poma Apr 25 '15 at 14:03
  • This answer is useful for what it does detail, but it lacks an explanation of how to get the private key onto the node. Of course, that can be done manually, but before that happens this will fail. – user1071847 Jun 16 '17 at 17:22
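
Added example, not from the answer above: git runs the `GIT_SSH` value as a single program path without a shell, which is why a value containing arguments fails while a wrapper file works. The Ruby sketch below emulates that launch offline with `echo` standing in for `ssh`; `run_like_git_ssh`, `write_wrapper` and `demo` are hypothetical names, and this is an emulation, not git's own code.

```ruby
require 'tmpdir'

# Emulates how git launches GIT_SSH: the value is exec'd as ONE program path,
# with no shell to split it into words (assumption: `echo` stands in for ssh).
def run_like_git_ssh(git_ssh, *args)
  out = IO.popen([[git_ssh, git_ssh], *args], err: File::NULL, &:read)
  $?.success? ? out : nil
rescue Errno::ENOENT, Errno::EACCES
  # The failure git reports as "cannot run ...: No such file or directory".
  nil
end

# Writes the wrapper the answer describes: the arguments live inside the
# script, and "$@" forwards whatever git appends (host and remote command).
def write_wrapper(dir, command)
  path = File.join(dir, 'git_wrapper.sh')
  File.write(path, "#!/bin/sh\nexec #{command} \"$@\"\n")
  File.chmod(0o755, path)
  path
end

# Runs both variants and returns what each one produced (nil means "cannot run").
def demo
  Dir.mktmpdir do |dir|
    wrapper = write_wrapper(dir, 'echo ssh -i /some/path/id_rsa')
    {
      inline: run_like_git_ssh('echo ssh -i /some/path/id_rsa', 'git@github.com'),
      wrapper: run_like_git_ssh(wrapper, 'git@github.com')
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "inline value:  #{result[:inline].inspect}"
  puts "wrapper file:  #{result[:wrapper].inspect}"
end
```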
12

We use a similar setup for Mercurial, but it should be the same with Git, I hope.

We use ssh keys to authenticate. The key is stored in an encrypted databag (with newlines replaced by "\n"). First of all, this private key is created on the node from the databag.

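```ruby
git_key = Chef::EncryptedDataBagItem.load( "private_keys", "git_key" )
file "/some/path/id_rsa" do
  content git_key['private']
  mode "0600"     # ssh refuses private keys readable by group or others
  sensitive true  # keep the key out of Chef's log and diff output
end
```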

And then use it when connecting to git repository using ssh_wrapper:

```ruby
git "/opt/mysources/couch" do
  repository "git://git.apache.org/couchdb.git"
  reference "master"
  action :sync
  ssh_wrapper "ssh -i /some/path/id_rsa" #the path to our private key file
end
```
Draco Ater
  • Hey Draco, this is new to me, I am reading the [doc](http://docs.opscode.com/chef/essentials_data_bags.html) but I am struggling a little. It would be great help for a newbie like me if you could detail (spoon feed) how you store the SSH key in an encrypted databag. Hope you find time for this. – zabumba May 13 '14 at 13:53
  • `knife data bag create private_keys git_key --secret-file ~/.ssh/id_rsa` is this how you do it? – zabumba May 13 '14 at 15:22
  • `content git_key[:private]` didn't work for me, BUT `content git_key['private']` did – zabumba May 13 '14 at 21:06
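
Added example, not from the answer or its comments: a plain-Ruby sketch of preparing the data bag item discussed above, turning a key file's text into single-line JSON with newlines written as `\n`, rejecting a passphrase-protected key, and confirming the round trip. The resulting file would be loaded with `knife data bag from file private_keys git_key.json --secret-file <path to secret>`, where the secret file holds the data bag encryption secret, not the SSH key. The key text is a constructed placeholder and the helper names are hypothetical.

```ruby
require 'json'

# Constructed placeholder, not a real key: only the PEM framing matters here.
SAMPLE_KEY = <<~PEM
  -----BEGIN RSA PRIVATE KEY-----
  AAAACONSTRUCTEDPLACEHOLDERLINEONENOTAREALKEYAAAA
  AAAACONSTRUCTEDPLACEHOLDERLINETWONOTAREALKEYAAAA
  -----END RSA PRIVATE KEY-----
PEM

# Hypothetical helper: validate key text and wrap it as a data bag item hash.
def build_key_item(id, pem)
  pem = pem.gsub("\r\n", "\n")            # normalise Windows line endings
  pem += "\n" unless pem.end_with?("\n")  # some ssh versions need a final newline
  lines = pem.lines.map(&:chomp)
  m = /\A-----BEGIN ([A-Z ]*)PRIVATE KEY-----\z/.match(lines.first.to_s)
  unless m && lines.last == "-----END #{m[1]}PRIVATE KEY-----"
    raise ArgumentError, 'not a PEM private key'
  end
  # An unattended chef-client run cannot answer a passphrase prompt. These are
  # the PEM markers of an encrypted key; OpenSSH-format keys hide the flag
  # inside the blob and are not detected here.
  if m[1] == 'ENCRYPTED ' || pem.include?('Proc-Type: 4,ENCRYPTED')
    raise ArgumentError, 'key is passphrase-protected'
  end
  { 'id' => id, 'private' => pem }
end

# JSON.generate writes each newline as the two characters \n, so the key
# becomes one single-line JSON string.
def item_json(item)
  JSON.generate(item)
end

# Parsed JSON has string keys: item['private'] works, item[:private] is nil.
def round_trip(json)
  JSON.parse(json)
end

if __FILE__ == $PROGRAM_NAME
  json = item_json(build_key_item('git_key', SAMPLE_KEY))
  puts json
  puts round_trip(json)['private'] == SAMPLE_KEY
end
```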
1

If you are on a Linux distribution, store your SSH key in <your home directory>/.ssh and add github.com to <your home directory>/.ssh/known_hosts.

You can add github.com to known_hosts using the following command:

```
ssh-keyscan -H github.com >> <your home directory>/.ssh/known_hosts
```

After doing this, you can clone your repo using the git resource of Chef.

Vineeth Guna
  • Vineeth - I think they mean for GitHub (and other) private repos that use an SSH key for authentication and won't let you clone without it. – Noah Gibbs Dec 08 '14 at 13:01
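
Added example, not part of the answer above: `ssh-keyscan` records whatever key the network returns, so its output is worth checking against the fingerprint the host publishes before it is appended to `known_hosts`. This Ruby sketch computes OpenSSH-style SHA256 fingerprints for scanned lines and keeps only the pinned ones; the key blobs, the pin and the helper names are constructed for illustration.

```ruby
require 'base64'
require 'digest'

# Constructed key blob standing in for a host's public key (not GitHub's).
TRUSTED_BLOB = Base64.strict_encode64('constructed-host-key-not-real')
# In practice the pin is the SHA256 fingerprint the host publishes out of band;
# here it is derived from the constructed blob so the example runs offline.
PINNED = 'SHA256:' +
         Digest::SHA256.base64digest(Base64.decode64(TRUSTED_BLOB)).delete('=')

# Constructed lines in the shape `ssh-keyscan -H` emits: hashed host, type, key.
SCAN_OK  = "|1|c2FsdA==|aGFzaA== ssh-ed25519 #{TRUSTED_BLOB}"
SCAN_BAD = "|1|c2FsdA==|aGFzaA== ssh-ed25519 " +
           Base64.strict_encode64('different-constructed-key')

# OpenSSH's SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob.
def fingerprint(known_hosts_line)
  _host, _type, blob = known_hosts_line.split(' ', 4)
  raise ArgumentError, 'malformed known_hosts line' if blob.nil?
  'SHA256:' + Digest::SHA256.base64digest(Base64.strict_decode64(blob)).delete('=')
end

# Keep only scanned lines whose fingerprint is pinned; anything else must not
# be appended to known_hosts.
def trusted_lines(scan_output, pins)
  scan_output.lines.map(&:strip)
             .reject { |l| l.empty? || l.start_with?('#') }
             .select { |l| pins.include?(fingerprint(l)) }
end

if __FILE__ == $PROGRAM_NAME
  scan = "# constructed scan output\n#{SCAN_OK}\n#{SCAN_BAD}\n"
  puts trusted_lines(scan, [PINNED])
end
```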
1

I went through the same problem. The only thing I was missing was this command; then everything went well:

```
GIT_SSH_COMMAND="ssh -i ~/.ssh/bitbucket_rsa"
```

The reference and my whole steps can be found on my blog: http://www.sadafnoor.com/blog/simplest-way-to-write-your-chef-cookbook-that-git-clone-private-repo-using-bitbucket-deploy-key/

sadaf2605
0

Based on the hint by sadaf2605, this was the easiest way for me – I just had to make sure to set the correct user/group as well as turn off StrictHostKeyChecking:

```ruby
git '/path/to/destination' do
  environment 'GIT_SSH_COMMAND' => 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /path/to/private_key'
  repository 'git@github.com:your/repo.git'
  reference 'master'
  action :sync
  user 'vagrant'
  group 'vagrant'
end
```
Molotoff
0

I fixed it for myself by specifying the SSH key in ~/.ssh/config:

```
Host chef.example.com
 HostName chef.example.com
 IdentityFile ~/.ssh/chef.pem
```

~/.ssh/chef.pem is the same key I use to ssh into the server.

james.c.funk
-1

You should try this cookbook https://github.com/poise/application_git. It solves the problem that you mentioned.

With this cookbook, you can use the application_git resource, specifying the private key:

```ruby
application_git '/srv/myapp' do
  repository 'git@github.com:organization/repository'
  deploy_key '/some/path/id_rsa'
end
```