[chef] RE: Handling Passwords with Chef Solo


  • From: Pierre Jacomet < >
  • To: < >
  • Subject: [chef] RE: Handling Passwords with Chef Solo
  • Date: Sat, 5 Jun 2010 09:59:27 -0700
  • Importance: Normal

I like Chef Solo a lot. :-) WRT credentials, what I have done is to use a KVP store which exposes a web service which is script friendly, thus no complicated XML answers. This way the scripts get the password only when they need it and you never need to persist the info into your SCM. If you prefer a pure WS, then you'll need to create a client for it.

There are a couple of issues to deal with thus:

1) How do you secure access to the KVP store? -- For this you can use things like firewall rules or keys that are pre-injected into your images to authenticate clients against the KVP store.

2) You're adding one more service, which means you'll need to manage it. In order to minimize this, make your KVP store use an already existing store? IOW, instead of XML or a WS, say you already have LDAP, maybe you just need a client program that queries LDAP for your credentials and you need to properly populate your LDAP hierarchy.



> From:
> Date: Sat, 5 Jun 2010 10:22:12 +0100
> To:
> Subject: [chef] Handling Passwords with Chef Solo
>
>
> > From: Stuart Ellis < >
> > Date: 5 June 2010 10:13:00 GMT+01:00
> > To:
> > Subject: [chef] Handling Passwords with Chef Solo
> > Reply-To:
> >
> > Hello,
> >
> > I've just started to use Chef Solo and have been really pleased with it, but am curious as to how people are currently managing passwords with it. This hasn't been an issue for most things, but I've now built up a fairly complete cookbook for a Rails server, and can see that I need to manage the MySQL root password and the password for a system account in order to fully automate the setup.
>
>
> I'm sorry - I ought to have said "handling passwords securely". The facilities for setting system account and MySQL root passwords work fine, but I've so far used them by embedding these passwords into the JSON and test cookbook, which feels like the wrong approach.
>
> ---
> Stuart Ellis
>
>
>
>
>
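
The scheme described in the message above (a script-friendly store that answers in plain text, with clients authenticated by a key pre-injected into the image), shown as an added example that is not part of the original thread. The HMAC request signing, the function names and all sample values are assumptions made for illustration, and transport over HTTPS is assumed but not shown.

```ruby
require 'openssl'

# Constructed sample data: the per-image key the store knows, and one secret it serves.
IMAGE_KEYS = { 'rails-image-01' => 'constructed-demo-key' }.freeze
SECRETS    = { 'mysql/root_password' => 'constructed-demo-password' }.freeze
MAX_SKEW   = 60 # seconds for which a signed request is accepted

# HMAC over image id, secret name and timestamp, so a captured signature
# cannot be reused for a different secret or after the window closes.
def sign(image_key, image_id, name, timestamp)
  OpenSSL::HMAC.hexdigest('SHA256', image_key, "#{image_id}\n#{name}\n#{timestamp}")
end

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side, called from a recipe at converge time: the password is fetched
# into memory and never written to the JSON attributes or the cookbook.
def build_request(image_id, image_key, name, now = Time.now.to_i)
  { 'image' => image_id, 'name' => name, 'ts' => now.to_s,
    'sig' => sign(image_key, image_id, name, now.to_s) }
end

# Store side: authenticate the caller, then answer with a status and plain text.
def handle_request(req, now = Time.now.to_i)
  key = IMAGE_KEYS[req['image']]
  return [403, 'forbidden'] unless key
  return [403, 'stale'] if (now - req['ts'].to_i).abs > MAX_SKEW
  expected = sign(key, req['image'], req['name'], req['ts'])
  return [403, 'forbidden'] unless secure_equal?(expected, req['sig'].to_s)
  SECRETS.key?(req['name']) ? [200, SECRETS[req['name']]] : [404, 'not found']
end

if __FILE__ == $PROGRAM_NAME
  req = build_request('rails-image-01', 'constructed-demo-key', 'mysql/root_password')
  p handle_request(req)                                  # authenticated fetch
  p handle_request(req.merge('name' => 'other/secret'))  # signature no longer matches
end
```

The image key is the one secret that still has to live on the node, so it belongs in a root-only file baked into the image rather than in the cookbook or the SCM.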

