Manage and distribute cookbooks with Chef on Cloudsmith

Chef is a powerful infrastructure automation platform that lets teams define, configure, and manage IT resources as code using cookbooks and recipes. Cloudsmith gives you a secure, fully managed repository to store and distribute those cookbooks, with fine-grained access controls, vulnerability scanning, and a global CDN to serve artifacts to your nodes reliably wherever they run.

How we support Chef

Cloudsmith gives Chef teams a secure, centralised home for cookbooks and infrastructure artifacts, with the controls and visibility your operations require.
    Private cookbook repositories
    Host your internal Chef cookbooks in private Cloudsmith repositories. Control exactly which teams and nodes can pull cookbook versions, keeping proprietary configuration logic off public registries.
    Vulnerability scanning and policy enforcement
    Every cookbook and dependency pushed to Cloudsmith is scanned for vulnerabilities. Use OPA Rego policies to block non-compliant packages before they reach your Chef nodes.
    Global CDN delivery
    Cloudsmith serves cookbooks from 600+ edge points of presence worldwide, so Chef clients converging across distributed data centres and cloud regions always pull from a nearby, low-latency source.
    Secure authentication with entitlement tokens
    Use Cloudsmith entitlement tokens to authenticate Chef clients and Knife commands to your repositories. Tokens are scoped, rotatable, and never expose your main API key in cookbook configurations.
    Full audit trail and observability
    Every cookbook push, pull, and policy event is logged. Query client logs via the Cloudsmith API or export raw log files to understand exactly which nodes are consuming which cookbook versions.

Why teams integrate Cloudsmith with Chef

Centralising your cookbook storage in Cloudsmith removes the operational friction that slows down infrastructure automation and creates security blind spots.
Without Cloudsmith: Cookbooks are scattered across internal file shares, Chef Supermarket, and ad-hoc Git repos. Teams lack a consistent, versioned source of truth, and uploading broken cookbooks can silently override working versions across all nodes.
With Cloudsmith: All cookbooks live in a single Cloudsmith repository with immutable versioning. Broken uploads are blocked before they reach the Chef server, and every version is preserved for safe rollback.

Without Cloudsmith: Chef clients pulling cookbooks over long distances experience slow convergence runs, increasing the time it takes to apply configuration changes across your node fleet.
With Cloudsmith: Cloudsmith's global CDN delivers cookbooks from the edge closest to each node. Convergence runs complete faster and more reliably, whether your nodes are in a single region or spread across the globe.

Without Cloudsmith: API keys and credentials are hardcoded into Knife configs or shared across teams, making it difficult to rotate access or trace which pipeline or person published a cookbook.
With Cloudsmith: Scoped entitlement tokens give each team or service account its own credential. Tokens are rotated independently, and every push and pull is tied to a specific identity in the audit log.

Frequently asked questions

  1. You configure a Cloudsmith repository as your Knife target by setting your workspace, repository slug, and an entitlement token or API key in your knife.rb. The Cloudsmith docs provide copy-paste configuration snippets with your credentials pre-filled. Once configured, knife cookbook upload works as normal.

  2. Yes. Chef clients authenticate to Cloudsmith using an entitlement token embedded in the repository URL or passed as a header. Cloudsmith supports both token-based and API key authentication, and tokens can be scoped to read-only access so nodes cannot accidentally modify the repository.

  3. Yes. Cloudsmith scans packages for known vulnerabilities and can enforce OPA Rego policies that quarantine or block packages that fail your security criteria. You can configure the Block Until Scan feature to ensure no cookbook is served to nodes until all security and licence checks have completed.

  4. You can mirror your Chef environment promotion model in Cloudsmith by using separate repositories for development, staging, and production. Cloudsmith's package promotion moves a verified cookbook artifact between repositories without re-uploading, preserving its integrity and provenance trail.

  5. Yes. Cloudsmith upstream proxying lets you cache cookbooks from Chef Supermarket or any external source into your own private repository. Your nodes pull from Cloudsmith, protecting you against upstream outages, rate limits, or packages being unexpectedly removed from the public registry.
