How do I authenticate when doing a git clone with Chef?

3

I'm completely new to all of this, but I'm guessing I would use SSH keys... so how do I do that?

git '/home/vagrant/foo' do
    repository 'me@repo.domain.com:/usr/git/app.git'

    reference 'master'
    action :sync

    user "vagrant"
    group "vagrant"
end
1 Answer

5

Here is the method I use:

1 - Generate an SSH key pair (public + private key)

Add the public key to your git repository.

2 - Generate an encryption key

openssl rand -base64 512 > encrypted_data_bag_secret

3 - Create an encrypted data bag with Knife

$ knife data bag create private_keys git_key --secret-file encrypted_data_bag_secret

This will open your favorite editor (vim), and you then need to add your private key:
{
  "name": "data_bag_item_private_keys_git_key",
  "json_class": "Chef::DataBagItem",
  "chef_type": "data_bag_item",
  "data_bag": "private_keys",
  "raw_data": {
    "id": "git_key",
    "private": "Add HERE your private key, replace the newlines by \n"
  }
}

The "private" value is going to be a very long string of characters.

Important: replace the newlines in your private key with \n

4 - In your script:

secret = Chef::EncryptedDataBagItem.load_secret("/vagrant/encrypted_data_bag_secret")
git_key = Chef::EncryptedDataBagItem.load( "private_keys", "git_key", secret)
#git_key = Chef::DataBagItem.load( "private_keys_not_encrypted", "git_key")
file "/home/otto/.ssh/id_rsa" do
  content git_key['private'] 
  owner "otto"
  group "otto"
  mode 00600
  action [:delete, :create]
end

5 - View the contents of the encrypted data bag

$ knife data bag show private_keys git_key
id:      git_key
private:
  cipher:         aes-256-cbc
  encrypted_data: osuRPsasdfasdfasdfasdfaKutAXYrklKwn+zAgtlQZsFZNRKCyDf1Lc
  2jtRZeGye0WHEKbVCtO7+arpytY7jNA4prOsK6iF1+cJsKcIBDtiNuurt80V
  ljGJ5RNfvAtW5HJb2P7Sw75RyQQruKha0fsbyWTKwyssXnXZbmGxEFb+Vz4m
  vEiU0tVk7/M04zAw34beEfnmAKNAae4TAgrlYg8bdQcxBi6zIdj5AW1VGBsh
  xaxFdfEXvNcSwMBX9w3Yyj7xVzI7fj3QHqnJl/p4VKhwoOlCahbJqh3A72xc
  l0mg0aPYfASulVuLm6U+KywzonOOVqXpeNYPtz+bW5v6Wa4cIM3aJ0JcObDw
  BNqe0goDRHjz6YJBKW9RT5EiRJPZbdNWJaEZhEawW/e9lyLq/A44sZhC+m0I
  ...
  [FILTERED]
  ...
  6RA/9XxH7pGJpJtxVYGWSQB1diHcpaT1Vg7RT48L7WZJjJcK0ZQHYZpXfIB2
  jUfIM3VY3ceD12unbZPI6FifdFq74qlr0fF4WM6V7WhJTgx3V3xCYLkjnhD9
  9mchWqaBa9oYNoflSR0vl21j2gywDG0LPI5bbgTU+Gu5A+XsGirW/FYfKS28
  08+B64Qvep0axtocs3GN2hOb

  iv:             dTFABrasdfasdfaLh5bNIJeUWQ==

  version:        1

6 - Add your public key to your node

cookbook_file "/home/otto/.ssh/id_rsa.pub" do
  source "id_rsa.pub"     # Contains the public key
  mode "0644"
end

cookbook_file "/home/otto/.ssh/known_hosts" do
  source "known_hosts"    # BitBucket host
  mode "0644"
end

7 - Confirm that you can connect to BitBucket

$ ssh -T git@bitbucket.org 
The authenticity of host 'bitbucket.org ([FILTERED])' can't be established.
RSA key fingerprint is [FILTERED].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bitbucket.org,[FILTERED]' (RSA) to the list of known hosts.
authenticated via a deploy key.

You can use git or hg to connect to Bitbucket. Shell access is disabled.

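Important: after running this command you will have a known_hosts file, which you need to add to your cookbook. Copy it into your cookbook's files/default folder.

Once you have completed the steps above, you can git clone your repository.

I think I have accurately documented what I did, but feel free to ask questions.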
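
As an added example (not part of the original answer and not Chef's own code), the Ruby below shows how the \n replacement from step 3 round-trips and what the cipher, iv, encrypted_data and version fields printed in step 5 hold. It assumes the version 1 layout is AES-256-CBC keyed with the SHA-256 of the stripped secret, applied to a {"json_wrapper": value} JSON document; the sample key, sample secret and all function names are constructed for the illustration.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed sample values: a fake multi-line key and a fake secret file body.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_SECRET = "constructed-secret-not-a-real-one\n"

# Step 3 without hand editing: JSON.generate writes every newline as \n.
def editor_json(private_key)
  JSON.generate("id" => "git_key", "private" => private_key)
end

# Assumption: the AES key is the SHA-256 digest of the stripped secret.
def v1_key(secret)
  OpenSSL::Digest::SHA256.digest(secret.strip)
end

# Produce the four fields that `knife data bag show` prints for one value.
def encrypt_v1(value, secret)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = v1_key(secret)
  iv = cipher.random_iv # fresh IV for every value
  data = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
  { "encrypted_data" => Base64.encode64(data), "iv" => Base64.encode64(iv),
    "version" => 1, "cipher" => "aes-256-cbc" }
end

# Reverse of encrypt_v1: returns the value with real newlines restored.
def decrypt_v1(field, secret)
  cipher = OpenSSL::Cipher.new(field.fetch("cipher"))
  cipher.decrypt
  cipher.key = v1_key(secret)
  cipher.iv = Base64.decode64(field.fetch("iv"))
  plain = cipher.update(Base64.decode64(field.fetch("encrypted_data"))) + cipher.final
  JSON.parse(plain.force_encoding(Encoding::UTF_8)).fetch("json_wrapper")
end

def decrypts?(field, secret)
  !decrypt_v1(field, secret).nil?
rescue StandardError # bad padding or unparseable plaintext
  false
end

if __FILE__ == $PROGRAM_NAME
  field = encrypt_v1(JSON.parse(editor_json(SAMPLE_KEY))["private"], SAMPLE_SECRET)
  puts field, decrypt_v1(field, SAMPLE_SECRET) == SAMPLE_KEY, decrypts?(field, "wrong")
end
```

Version 1 items carry no integrity check on the ciphertext; later versions of the encrypted data bag format add one.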


Page content provided by Stack Overflow.