Why not replicate couch directly?
http://guide.couchdb.org/draft/replication.html [8]
Or, if you want only the client certs, you can just grab them
selectively and replicate them.
On Tue, May 15, 2012 at 1:54 PM, Dan Adams <[9]> wrote:
Hi
I have a situation in which I have two chef servers, both of which
the clients need to be able to authenticate against. I'm sure
there are multiple scenarios in which others might need to achieve the
same - a failover chef server pair, rebuilding a chef server after server
failure, migration to a more powerful replacement chef server, etc.
The issue I have is that I cannot find an easy mechanism to set up
a client against multiple chef servers. My nodes, roles, cookbooks
etc. are all in-repo and I can import from them. I want to use the
same model for clients, but the client keys, although in-repo, don't
seem to have a "knife client import" or "knife client
upload-from-pem" action for them, so I'm not clear on what the
workflow is for importing a client from a PEM file.
I have set the chef-validator client PEM and the validation.pem to
the same on both chef servers. Things I have tried so far:
1) "knife client create" on one host, then "knife client create" on
the other, pasting in the public key in the JSON file
2) "knife client create" on both hosts, then "knife client edit" on
the second host, pasting in the public key in the JSON file
In neither of the above tests was the client added with the same
public key on both hosts when I did a "knife client show [CLIENTNAME]".
However, if I update the public key for the client directly in the
CouchDB using the value from the second server:
curl -X GET "http://127.0.0.1:5984/chef/_design/clients/_view/all_id" [1] | grep [CLIENTNAME]
curl -X GET http://127.0.0.1:5984/chef/5f25e314-c6c8-46df-90fb-5736a15472b0 [2] > client.txt
vi client.txt
curl -X PUT -d @client.txt -H "Content-type: application/json" http://127.0.0.1:5984/chef/5f25e314-c6c8-46df-90fb-5736a15472b0 [3]
then the client private key (in /tmp/test.pem) can authenticate
against both servers:
~]# knife client list --server-url 'http://server1:4000' [4] --key /tmp/test.pem --user test
You authenticated successfully to http://server1:4000 [5] as test
~]# knife client list --server-url 'http://server2:4000' [6] --key /tmp/test.pem --user test
You authenticated successfully to http://server2:4000 [7] as test
So am I missing some really easy way of importing a client to a
chef server? Is there another workflow for this that I'm missing?
Many thanks
Dan
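The manual fix in the message above (look the client up in the all_id view, change public_key, PUT the doc back), as an added example that is not from this thread or from Chef: a small Python script that copies one client's public key from one Chef 0.10 server's CouchDB to the other. It assumes the all_id view emits the client name as key and the doc id as value, and it fetches the destination's own doc first so the PUT carries that server's current _rev rather than the source's; the fake_couch transport and the SERVERS data are constructed so the script runs offline, and couch_request is the real transport.

```python
import json, urllib.request
VIEW = "/chef/_design/clients/_view/all_id"   # clients design doc in Chef 0.10's CouchDB

def couch_request(base, path, method="GET", body=None):
    """Real transport: one CouchDB HTTP request, returning the decoded JSON reply."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def find_client_id(rows, client_name):
    """Doc id for client_name; assumed all_id row shape {"id": doc_id, "key": client name}."""
    ids = [r["id"] for r in rows if r.get("key") == client_name]
    if len(ids) != 1:
        raise KeyError("expected one doc for client %r, found %d" % (client_name, len(ids)))
    return ids[0]

def merged_client_doc(src_doc, dst_doc):
    """dst's doc carrying src's public key; _id/_rev stay dst's own (a stale _rev gets 409)."""
    if src_doc["name"] != dst_doc["name"]:
        raise ValueError("client name mismatch")
    if src_doc["public_key"] == dst_doc["public_key"]:
        return None                                    # already in sync, nothing to write
    return dict(dst_doc, public_key=src_doc["public_key"])

def sync_client(src, dst, client_name, request=couch_request):
    """Copy client_name's public key from CouchDB src to dst; True only if dst was written."""
    src_id = find_client_id(request(src, VIEW)["rows"], client_name)
    dst_id = find_client_id(request(dst, VIEW)["rows"], client_name)
    new_doc = merged_client_doc(request(src, "/chef/" + src_id), request(dst, "/chef/" + dst_id))
    return new_doc is not None and bool(request(dst, "/chef/" + dst_id, "PUT", new_doc).get("ok"))

def fake_couch(servers):
    """Constructed in-memory stand-in for both CouchDBs ({base_url: {doc_id: doc}}), offline."""
    def request(base, path, method="GET", body=None):
        db, doc_id = servers[base], path.rsplit("/", 1)[1]
        if path == VIEW:
            return {"rows": [{"id": i, "key": d["name"], "value": i} for i, d in db.items()]}
        if method == "PUT":                             # mimic CouchDB's optimistic locking
            if body.get("_rev") != db[doc_id]["_rev"]:
                raise RuntimeError("409 Conflict: stale _rev")
            db[doc_id] = dict(body, _rev="2-" + doc_id)
            return {"ok": True, "id": doc_id, "rev": db[doc_id]["_rev"]}
        return dict(db[doc_id])
    return request
# Constructed sample data: client "test" registered on both servers with different public keys.
SERVERS = {"http://server1:5984": {"a1": {"_id": "a1", "_rev": "1-x", "name": "test", "public_key": "KEY1"}},
           "http://server2:5984": {"b2": {"_id": "b2", "_rev": "1-y", "name": "test", "public_key": "KEY2"}}}
```

Run `sync_client("http://server1:5984", "http://server2:5984", "test", request=fake_couch(SERVERS))` to see the offline copy; with the real transport, point the two base URLs at each server's CouchDB port (5984 above, as in the message) and re-run `knife client list` against both servers to confirm.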