[chef] Re: Re: Re: Re: Re: should I be using chef?


Chronological Thread
  • From: Charles Sullivan
  • Cc: Brad Knowles
  • Subject: [chef] Re: Re: Re: Re: Re: should I be using chef?
  • Date: Tue, 27 Dec 2011 10:14:33 -0600

It would be nice if Chef supported multiple validation keys and had ACL support.  Possibly something similar to how Amazon does IAM policies.  

Brad,

For now you could always pre-generate a pool of client/node keys if you really need to keep your validation key secret.

Fellow Austinite - Charles

On Tue, Dec 27, 2011 at 9:45 AM, Brad Knowles wrote:
On Dec 27, 2011, at 9:31 AM, Jake Vanderdray wrote:

> How do you manage your validator PEM?  Do you end up doing the
> initial install for the developers and put the PEM on manually, or do
> you openly share the validator within your organization?

That's shared openly by all systems and users in the company.  Of course, we're a small shop -- seven people at the moment, although I understand that they're looking to fill some positions.  And of those, not all are developers.  Of the developers we have, most aren't doing much of anything at all with Chef -- as the Ops guy, I'm the primary one doing most of the work with Chef.

Pretty much all of our systems are (or will be) VMs "in the cloud".  Our developers do have local machines that they work from, but those are primarily used as a place to jump off into the actual development work that is done elsewhere.

To be honest, if you're using a Chef-managed environment, I don't see how you can avoid sharing the validator PEM amongst all systems.  For those people who are developers but who don't need root access to their development machines, I could see where they wouldn't have open access to the validator PEM, but everyone doing anything with Chef would need to have access.

> We're testing out using Vagrant instances for developers that get
> built with our normal chef cookbooks.  I'd love to just be able to
> point people at a wiki page of instructions and let it be self-serve.

We could use vagrant, but we really want to get away from having any physical hardware that we have to manage, beyond the desktops that each person sits in front of -- and they're mostly responsible for managing those machines.

We do have a server with a few VMs loaded on it, and that machine has been used for some development to date, but going forward I think we're going to get away from that.


Of course, in a larger shop, I could see where our flat development architecture wouldn't necessarily work so well.

--
Brad Knowles
SAGE Level IV, Chef Level 0.0.1




--
Charles Sullivan
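The "pool of pre-generated client keys" Charles suggests above, as an added example that is not part of the thread: each node gets its own API client and private key created from the admin workstation with knife, so validation.pem never has to be copied to nodes or handed to developers. It assumes knife is already configured against the Chef server and that `knife client create` accepts `-d` (skip the editor) and `-f FILE` (write the private key to FILE); the key directory name is a made-up default.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-generate one Chef API client per node
# so the shared validation.pem can stay locked down on the admin workstation.
set -e

# Where the pre-generated private keys are collected (constructed default).
KEYDIR="${KEYDIR:-./node-keys}"

# Create the API client for one node and keep its private key owner-readable only.
pregenerate_client_key() {
  node="$1"
  mkdir -p "$KEYDIR"
  umask 077                              # new files are created 0600
  knife client create "$node" -d -f "$KEYDIR/$node.pem"
  chmod 600 "$KEYDIR/$node.pem"
}

# Create clients for every node name given; this is the "pool" handed to
# whoever builds the machines, one key per node, instead of the validator.
pregenerate_pool() {
  for n in "$@"; do
    pregenerate_client_key "$n"
  done
}

# Minimal client.rb for a node that ships with its own client.pem: because the
# key already exists, chef-client never needs a validation_key setting.
write_client_rb() {
  node="$1"; server="$2"; out="$3"
  cat > "$out" <<EOF
node_name       "$node"
client_key      "/etc/chef/client.pem"
chef_server_url "$server"
EOF
}
```

Copy `$KEYDIR/<node>.pem` to `/etc/chef/client.pem` on the matching node together with the generated client.rb; a node whose key is pre-registered authenticates directly and the validator is never present on it.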