Checkout git repo with chef with ssh key
Question
Hello, I am having issues getting chef to check out my git repo using an ssh key from my data_bag.
Below is my git resource:
repo_key = search(:git, "id:git_key").first
git_key_file = "#{Chef::Config['file_cache_path']}/git_key/id_rsa"

directory "#{Chef::Config['file_cache_path']}/git_key" do
  action :create
end

# Private key taken from the data bag item
file git_key_file do
  content repo_key['deploy_key']
  mode "0755"
  action :create_if_missing
end

git "/usr/share/my_repo" do
  repository "git@github.com:my_name/some_repo.git"
  checkout_branch "#{node["my_app"][:test_branch]}"
  action :sync
  ssh_wrapper "ssh -i #{git_key_file}"
end
When I run sudo chef-client, I get the error below:
STDERR: error: cannot run ssh -i /var/chef/cache/git_key/id_rsa: No such file or directory
I have ssh'ed into the server and I can verify that the key file is in the proper place and contains the key.
Solution
While your private-key file may be in the right place, my [limited] understanding is that the GIT_SSH variable must be the path to an executable script rather than a command itself.
Thankfully, there is a much easier way to set up Git to use a particular SSH key per repository that doesn't rely on setting environment variables or creating new scripts. The general process is described in this SuperUser answer, which is to specify the custom SSH command as an "external transport" in the repository location. Here is how I use the method in a Chef recipe:
# Add a deployment key to the node from chef-vault, e.g. at
#   /path/to/some_repo_deployment_key
#   /path/to/some_repo_deployment_key.pub
git "/usr/share/my_repo" do
  # The following line ensures that our repo-specific deployment
  # ssh-key will be used for all clone & fetch operations.
  # Note that UserKnownHostsFile=/dev/null together with
  # StrictHostKeyChecking=no turns off host-key verification for this remote.
  repository "ext::ssh -i /path/to/some_repo_deployment_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no git@github.com %S /my_name/some_repo.git"
  checkout_branch "master"
  action :sync
end
After the repository has been cloned, git fetch and git push operations from within the working directory will use the same key, making further automation more independent of environmental setup than some of the other techniques which rely on ssh's key-discovery mechanisms.
OTHER TIPS
It seems like you found the answer to this (too open of permissions), but here is the relevant info from my ssh man page:
...
~/.ssh/identity
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
~/.ssh/id_rsa
Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute).
ssh will simply ignore a private key file if it is accessible by others. It is possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file using 3DES.
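The two points made above, that ssh ignores a private key readable by others and that GIT_SSH (the git resource's ssh_wrapper) has to be an executable program rather than a command string, can be checked outside Chef. What follows is an added example in plain Ruby, not code from this thread or from Chef; the file names, the constructed placeholder key and the wrapper script are assumptions, and in a recipe each write maps to a file resource with the same mode.

```ruby
require 'fileutils'

# Constructed placeholder; a recipe would take this from the data bag
# item (repo_key['deploy_key'] in the question above).
SAMPLE_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----\n" \
             "CONSTRUCTED-PLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n"

# Write the deploy key owner-read/write only; with mode 0755 as in the
# question ssh silently ignores the file.
def write_deploy_key(path, key_material)
  FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
  File.open(path, 'w', 0o600) { |f| f.write(key_material) }
  File.chmod(0o600, path) # the open() mode is subject to umask; force it
  path
end

# ssh's rule from the man page quoted above: a private key that is
# readable, writable or executable by group or others is ignored.
def key_accepted_by_ssh?(path)
  (File.stat(path).mode & 0o077).zero?
end

# GIT_SSH (Chef's ssh_wrapper) must be an executable program, not a
# command string, so generate a small script. Host keys stay verified:
# known_hosts_path must hold the provider's verified host key before use.
def write_ssh_wrapper(path, key_path, known_hosts_path)
  script = <<~SH
    #!/bin/sh
    exec ssh -i '#{key_path}' -o IdentitiesOnly=yes \\
      -o UserKnownHostsFile='#{known_hosts_path}' \\
      -o StrictHostKeyChecking=yes "$@"
  SH
  File.write(path, script)
  File.chmod(0o755, path)
  path
end

# Lay everything out under base_dir (Chef's file_cache_path in the
# question) and return the paths a git resource would reference.
def setup_git_ssh(base_dir, key_material = SAMPLE_KEY)
  key = write_deploy_key(File.join(base_dir, 'git_key', 'id_rsa'), key_material)
  known_hosts = File.join(base_dir, 'git_key', 'known_hosts')
  wrapper = write_ssh_wrapper(File.join(base_dir, 'git_key', 'ssh_wrapper.sh'),
                              key, known_hosts)
  { key: key, wrapper: wrapper, known_hosts: known_hosts }
end
```

In a recipe the returned wrapper path is what goes into ssh_wrapper, and an empty known_hosts file makes ssh refuse the connection rather than connect unverified.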
I actually solved this problem by running the following:
GIT_SSH_COMMAND="ssh -i ~/.ssh/bitbucket_rsa"
In the chef recipe, adding something like this:
# rsa is assumed to be the data bag item holding the key file name. The
# variable must be in the environment of the git process, so clone here.
execute 'git clone with deploy key' do
  command 'git clone git@github.com:my_name/some_repo.git /usr/share/my_repo'
  environment 'GIT_SSH_COMMAND' => "ssh -i /home/centos/.ssh/#{rsa['name']}" # ~ assumed to be /home/centos
  user 'centos'
  creates '/usr/share/my_repo/.git'
end
The reference and my full steps can be found on my blog: http://www.sadafnoor.com/blog/simplest-way-to-write-your-chef-cookbook-that-git-clone-private-repo-using-bitbucket-deploy-key/