[chef] Re: Synchronising clients/PEMs between multiple chef servers


  • From: Ranjib Dey
  • Subject: [chef] Re: Synchronising clients/PEMs between multiple chef servers
  • Date: Tue, 15 May 2012 14:04:08 +0530

Why not replicate couch directly?
http://guide.couchdb.org/draft/replication.html

Or, if you want only the client certs, you can just grab them selectively and replicate them.

On Tue, May 15, 2012 at 1:54 PM, Dan Adams wrote:
Hi

I have a situation in which I have two chef servers, both of which the clients need to be able to authenticate against. I'm sure there are multiple scenarios in which others might need to achieve the same - a failover chef server pair, rebuilding a chef server after server failure, migration to a more powerful replacement chef server, etc.

The issue I have is that I cannot find an easy mechanism to set up a client against multiple chef servers. My nodes, roles, cookbooks etc. are all in-repo and I can import from them. I want to use the same model for clients, but the client keys, although in-repo, don't seem to have a "knife client import" or "knife client upload-from-pem" action for them, so I'm not clear on what the workflow is for importing a client from a PEM file.

I have set the chef-validator client PEM and the validation.pem to the same on both chef servers. Things I have tried so far:
1) "knife client create" on one host, then "knife client create" on the other, posting in the public key in the JSON file
2) "knife client create" on both hosts, then "knife client edit" on the second host, pasting in the public key in the JSON file

In neither of the above tests was the client added with the same public key on both hosts when I did a "knife client show [CLIENTNAME]"

However, if I update the public key for the client directly in CouchDB using the value from the second server:

curl -X GET "http://127.0.0.1:5984/chef/_design/clients/_view/all_id" | grep [CLIENTNAME]
curl -X GET http://127.0.0.1:5984/chef/5f25e314-c6c8-46df-90fb-5736a15472b0 > client.txt
vi client.txt
curl -X PUT -d @client.txt -H "Content-type: application/json"  http://127.0.0.1:5984/chef/5f25e314-c6c8-46df-90fb-5736a15472b0

then the client private key (in /tmp/test.pem) can authenticate against both servers:

~]# knife client list --server-url 'http://server1:4000' --key /tmp/test.pem --user test
You authenticated successfully to http://server1:4000 as test
~]# knife client list --server-url 'http://server2:4000' --key /tmp/test.pem --user test
You authenticated successfully to http://server2:4000 as test

So am I missing some really easy way of importing a client to a chef server? Is there another workflow for this that I'm missing?

Many thanks

Dan
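The manual GET / edit in vi / PUT sequence above works, but it has no check that the right document was edited, that the PUT did not clobber a newer revision, or that the key really ended up identical on the second server. The script below is an added example for this thread, not code from Chef or from either poster. It mirrors Dan's CouchDB steps as functions, keeps the destination's own _id and _rev (so a stale PUT is rejected by CouchDB with a 409 rather than silently overwriting), copies only the public_key field, and verifies the keys match afterwards; it also builds the body for a selective POST /_replicate, the "grab them selectively and replicate" option from Ranjib's reply. Assumptions: the Chef database is at /chef on each CouchDB, the clients/all_id view emits the client name as the row key (which is why grepping it for the name works), client documents carry name, admin, public_key and chef_type fields, and CouchDB's _replicate endpoint accepts a doc_ids list. The sample view and documents are constructed, not captured from a server.

```python
# Added example (not from the thread or from Chef): copy one client's public
# key between two Chef-server CouchDB backends with the checks the manual
# GET / edit / PUT steps skip. Only the public key ever moves; the client's
# private key stays on the node and is never stored on either server.
import json
import urllib.request

# --- Constructed sample data (not captured from a real server) ---------------
# Assumed shape of /chef/_design/clients/_view/all_id: row key = client name.
SAMPLE_VIEW = {
    "total_rows": 2, "offset": 0,
    "rows": [
        {"id": "5f25e314-c6c8-46df-90fb-5736a15472b0", "key": "test",
         "value": "5f25e314-c6c8-46df-90fb-5736a15472b0"},
        {"id": "00000000-0000-0000-0000-000000000001", "key": "other",
         "value": "00000000-0000-0000-0000-000000000001"},
    ],
}
# Each server assigns its own _id/_rev, so the same client has different ones.
SRC_DOC = {"_id": "5f25e314-c6c8-46df-90fb-5736a15472b0", "_rev": "2-aaa",
           "name": "test", "admin": False,
           "public_key": "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-SERVER1\n-----END PUBLIC KEY-----\n",
           "json_class": "Chef::ApiClient", "chef_type": "client"}
DST_DOC = {"_id": "11111111-1111-1111-1111-111111111111", "_rev": "4-bbb",
           "name": "test", "admin": False,
           "public_key": "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-SERVER2\n-----END PUBLIC KEY-----\n",
           "json_class": "Chef::ApiClient", "chef_type": "client"}


def find_client_doc_id(view, client_name):
    """Return the _id of the client document named client_name, or None."""
    for row in view["rows"]:
        if row["key"] == client_name:
            return row["id"]
    return None


def merged_client_doc(src_doc, dst_doc):
    """Document to PUT on the destination: its own _id/_rev/admin/name, plus
    the source's public_key. Keeping _rev means CouchDB rejects the PUT if
    someone else changed the document in between."""
    if src_doc.get("chef_type") != "client" or dst_doc.get("chef_type") != "client":
        raise ValueError("both documents must be Chef client documents")
    if src_doc["name"] != dst_doc["name"]:
        raise ValueError("refusing to copy a key between differently named clients")
    pem = src_doc.get("public_key", "")
    if "PRIVATE KEY" in pem:
        raise ValueError("private key material must never be written to the server")
    if "BEGIN PUBLIC KEY" not in pem and "BEGIN RSA PUBLIC KEY" not in pem:
        raise ValueError("source document carries no public key PEM")
    merged = dict(dst_doc)
    merged["public_key"] = pem
    return merged


def keys_match(doc_a, doc_b):
    """True when both documents hold the same public key, ignoring whitespace
    differences that hand-editing in vi tends to introduce."""
    norm = lambda d: "".join(d.get("public_key", "").split())
    return norm(doc_a) != "" and norm(doc_a) == norm(doc_b)


def replication_request(source_url, target_url, doc_ids):
    """Body for POST /_replicate copying only the listed documents (the
    selective-replication option from the reply above)."""
    return {"source": source_url, "target": target_url, "doc_ids": list(doc_ids)}


# --- Network helpers (not exercised offline) ---------------------------------
def couch_get(url):
    with urllib.request.urlopen(url) as resp:
        return json.loads(resp.read().decode())


def couch_put(url, doc):
    req = urllib.request.Request(url, data=json.dumps(doc).encode(), method="PUT",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def sync_client(src_couch, dst_couch, client_name):
    """Copy client_name's public key from src_couch to dst_couch (base URLs
    such as http://127.0.0.1:5984/chef) and verify the result."""
    view = "/_design/clients/_view/all_id"
    src_id = find_client_doc_id(couch_get(src_couch + view), client_name)
    dst_id = find_client_doc_id(couch_get(dst_couch + view), client_name)
    if src_id is None or dst_id is None:
        raise LookupError("client %r must exist on both servers first" % client_name)
    src_doc = couch_get("%s/%s" % (src_couch, src_id))
    dst_doc = couch_get("%s/%s" % (dst_couch, dst_id))
    if keys_match(src_doc, dst_doc):
        return dst_doc  # already in sync, nothing to write
    couch_put("%s/%s" % (dst_couch, dst_id), merged_client_doc(src_doc, dst_doc))
    updated = couch_get("%s/%s" % (dst_couch, dst_id))
    if not keys_match(src_doc, updated):
        raise RuntimeError("public key on %s still differs after PUT" % dst_couch)
    return updated
```

Run it as sync_client("http://server1:5984/chef", "http://server2:5984/chef", "test") from a host that can reach both CouchDB ports, then repeat the two knife client list calls from the thread as the end-to-end check. CouchDB's port is normally bound to localhost only, so on a production pair this is better done over an SSH tunnel than by opening 5984.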
