- From: Dan Adams
- Subject: [chef] Synchronising clients/PEMs between multiple chef servers
- Date: Tue, 15 May 2012 09:24:20 +0100
Hi,

I have a situation in which I have two chef servers, both of which the
clients need to be able to authenticate against. I'm sure there are
multiple scenarios in which others might need to achieve the same: a
failover chef server pair, rebuilding a chef server after server failure,
migration to a more powerful replacement chef server, etc.
The issue I have is that I cannot find an easy mechanism to set up a
client against multiple chef servers. My nodes, roles, cookbooks etc. are
all in-repo and I can import from them. I want to use the same model for
clients, but the client keys, although in-repo, don't seem to have a
"knife client import" or "knife client upload-from-pem" action for them,
so I'm not clear on what the workflow is for importing a client from a
PEM file.
I have set the chef-validator client PEM and the validation.pem to the
same on both chef servers. Things I have tried so far:

1) "knife client create" on one host, then "knife client create" on the
other, pasting in the public key in the JSON file
2) "knife client create" on both hosts, then "knife client edit" on the
second host, pasting in the public key in the JSON file

In neither of the above tests was the client added with the same public
key on both hosts when I did a "knife client show [CLIENTNAME]".
However, if I update the public key for the client directly in the
CouchDB using the value from the second server:

    curl -X GET "http://127.0.0.1:5984/chef/_design/clients/_view/all_id" | grep [CLIENTNAME]
    curl -X GET http://127.0.0.1:5984/chef/5f25e314-c6c8-46df-90fb-5736a15472b0 > client.txt
    vi client.txt
    curl -X PUT -d @client.txt -H "Content-type: application/json" http://127.0.0.1:5984/chef/5f25e314-c6c8-46df-90fb-5736a15472b0
then the client private key (in /tmp/test.pem) can authenticate against
both servers:

    ~]# knife client list --server-url 'http://server1:4000' --key /tmp/test.pem --user test
    You authenticated successfully to http://server1:4000 as test
    ~]# knife client list --server-url 'http://server2:4000' --key /tmp/test.pem --user test
    You authenticated successfully to http://server2:4000 as test
So am I missing some really easy way of importing a client to a chef
server? Is there another workflow for this that I'm missing?
Many thanks
Dan
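An added example, not from Dan's post or from the Chef project: a small Python 3 script that automates the curl / vi / curl workaround above against the CouchDB URL from the post, with the document edit split out so the `_rev` is preserved and the two servers' client documents can be compared. It assumes the `clients/all_id` view rows are keyed by client name and that the client document stores the key in a `public_key` field.

```python
import json
import sys
import urllib.request

# CouchDB database URL as given in the post; everything else below is assumed.
COUCH_DB = "http://127.0.0.1:5984/chef"


def find_client_id(all_id_view, client_name):
    """Resolve a client name to its CouchDB _id from the clients/all_id view
    (replaces the 'grep [CLIENTNAME]' step). Assumes row["key"] is the name."""
    ids = [r["id"] for r in all_id_view.get("rows", []) if r.get("key") == client_name]
    if len(ids) != 1:
        raise LookupError(f"expected one client named {client_name!r}, found {len(ids)}")
    return ids[0]


def set_public_key(client_doc, public_key_pem):
    """Return a copy of the client document with public_key replaced (the 'vi'
    step). _id and _rev are kept: CouchDB answers 409 Conflict to a PUT whose
    _rev is missing or stale, which also stops us clobbering a concurrent edit."""
    if "_id" not in client_doc or "_rev" not in client_doc:
        raise ValueError("document must be fetched from CouchDB (needs _id and _rev)")
    if not public_key_pem.lstrip().startswith("-----BEGIN") or "PRIVATE KEY" in public_key_pem:
        raise ValueError("expected a PEM-encoded *public* key")
    updated = dict(client_doc)
    updated["public_key"] = public_key_pem
    return updated


def public_keys_match(doc_a, doc_b):
    """True when two servers' client documents hold the same public key, which is
    what the two successful 'knife client list' runs in the post depend on."""
    return doc_a.get("public_key", "").strip() == doc_b.get("public_key", "").strip()


def couch_json(url, method="GET", body=None):
    """Minimal CouchDB JSON round trip using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def sync_client_key(client_name, pem_path):
    """Fetch the client doc, swap in the public key from pem_path, PUT it back."""
    doc_id = find_client_id(couch_json(f"{COUCH_DB}/_design/clients/_view/all_id"), client_name)
    doc = couch_json(f"{COUCH_DB}/{doc_id}")
    with open(pem_path) as fh:
        return couch_json(f"{COUCH_DB}/{doc_id}", "PUT", set_public_key(doc, fh.read()))


if __name__ == "__main__":
    print(sync_client_key(sys.argv[1], sys.argv[2]))  # usage: script.py CLIENTNAME pub.pem
```

Run it against each server whose copy of the client should carry the same key, then compare with `public_keys_match` on the documents fetched from both before trusting the result.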