[chef] Re: Re: Ideas for using Chef across VPN

[Dmitry V'yal < >]

Hello Bryan and others,

> On Sun, May 16, 2010 at 4:25 AM, Dmitry 
> V'yal<
>  >
>   wrote:
> > I have some ideas about using chef-solo to bootstrap chef-client and OpenVPN
> > client on the workstations but I'm interesting in comments from more
> > experienced chef users.
> >
> > Is it a feasible idea? How best to manage openvpn keys?
>
> I've done this with EC2 nodes that needed to communicate with other
> servers in a physical datacenter.
>
> I manually created the keypairs and added them to a central chef
> repository. When a new node is built, a number of prerequisite tasks
> are completed related to the EC2 instance, then the openvpn cookbook
> is copied out to the node. Chef-solo runs, and brings up a vpn
> connection. Then chef-client runs to register with a chef-server on
> the other side of the VPN link.

Looks like my task is almost the same. The biggest problem for me is 
distributing the generated keys. You said you stored them in central 
chef repository, how did a freshly created node get it's key from there?

Currently I'm writing a receipt which unpacks the key from zip archive 
generated by rake client task from openvpn cookbook from opscode. I
'm almost done, but this scheme looks quite inelegant for me.

> It took quite a bit of tinkering to get this functional, mostly
> because of OpenVPN being quirky, but once I did its easy to appreciate
> configuration management when it can bring up an openvpn link on a
> fresh EC2 node in an instant.

would you mind sharing this?

Best wishes,
Dmitry