jkulak

Reputation: 908

How to automate cloning private GitHub with Chef

Every day I must launch new EC2 instances (or any other server with a public IP). I'm provisioning them with Chef, creating vhosts, uploading databases, etc.

I need to clone there a couple of private repos from GitHub. What would be the best way to do this?

  1. I could manually generate an ssh key, and add it for each GitHub repo I need, then run the script - but it's a lot of work.
  2. I could go for git clone git://user:password@github.com/*****/*****.git, but obviously I don't want to store my password this way.
  3. What else?

Is there any way to:

Upvotes: 0

Views: 1146

Answers (2)

cassianoleal

Reputation: 2566

Shameless plug: the deploy_key cookbook.

I created this cookbook with this precise use case in mind. It manages the entire lifecycle of deploy keys in GitHub, BitBucket and GitLab. It creates a key locally (so that it never has to be sent over the network), adds it to the repo as a deploy_key (read-only, so that these keys don't ever push changes to the repo), and can be used to delete the key files and remove the keys from the repo.

All actions are idempotent, so if you're afraid your repos will be flooded with too many deploy_keys you can either remove the key from the repo after use (via Chef, :remove action), or have a periodic clean-up task to delete all deploy_keys. Next time Chef runs, it will notice that the key is absent and re-add it.

The only secrets you need to protect are the credentials to the repo, which can be protected in the same way you do other secrets.

Upvotes: 1

coderanger

Reputation: 54251

Store your key in an S3 bucket and use IAM roles/policies to control access. Citadel makes this easy to integrate with Chef. See my post about secrets management with Chef for a summary of other options.

Upvotes: 2
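Tying the two answers together, as an added example that is not from the question, either answer, or the citadel/deploy_key cookbooks: plain-Ruby cookbook-library helpers that take deploy-key material already read from S3 under an IAM role, install it root-only next to a pinned known_hosts entry, and build a GIT_SSH wrapper for Chef's git resource. The directory, citadel object name, node attribute and repository are assumptions.

```ruby
require 'fileutils'
require 'tmpdir'
# Cookbook-library style helpers in plain Ruby (no Chef DSL), so they also
# run outside chef-client. Paths and attribute names are assumptions.
module DeployKeyInstall
  # Accept only private-key material: an S3 error body, an empty object or a
  # mistakenly fetched public key must never land on disk as the deploy key.
  KEY_HEADER = /\A-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----\n/.freeze
  def self.validate_key!(material)
    raise ArgumentError, 'not a private key' unless material.match?(KEY_HEADER)
    material
  end
  # Text of the GIT_SSH wrapper. IdentitiesOnly stops ssh from offering agent
  # or default keys; a private known_hosts plus StrictHostKeyChecking=yes
  # fails closed when the host key does not match the pinned entry.
  def self.wrapper_script(key_path, known_hosts_path)
    <<~SH
      #!/bin/sh
      exec ssh -i '#{key_path}' -o IdentitiesOnly=yes \\
        -o UserKnownHostsFile='#{known_hosts_path}' \\
        -o StrictHostKeyChecking=yes "$@"
    SH
  end
  # Create-or-truncate with the mode given, then chmod so neither umask nor a
  # pre-existing looser file can leave the key readable by others.
  def self.write_private(path, content, mode)
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, mode) { |f| f.write(content) }
    File.chmod(mode, path)
    path
  end
  # Installs key, pinned known_hosts entry (obtained out of band) and wrapper
  # under +dir+; returns their paths for the git resource's ssh_wrapper.
  def self.install(dir, material, host_key_line)
    validate_key!(material)
    FileUtils.mkdir_p(dir, mode: 0o700)
    key = write_private(File.join(dir, 'github_deploy_key'), material, 0o600)
    hosts = write_private(File.join(dir, 'known_hosts'), "#{host_key_line}\n", 0o600)
    wrapper = write_private(File.join(dir, 'git_ssh_wrapper.sh'),
                            wrapper_script(key, hosts), 0o700)
    { key: key, known_hosts: hosts, wrapper: wrapper }
  end
end
# In a recipe (citadel object name and attribute assumed), clone through the
# wrapper so only this read-only deploy key is ever offered:
#   paths = DeployKeyInstall.install('/root/.ssh/deploy',
#             citadel['deploy_keys/app'], node['app']['github_host_key'])
#   git '/srv/app' do
#     repository 'git@github.com:example-org/app.git'
#     ssh_wrapper paths[:wrapper]
#   end
```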
