[chef] Re: Chef in "Pure Infrastructure-As-Code" Mode?

[Dan Adams < >]

On 23.06.2012 15:34, Torben Knerr wrote:
> I was just wondering if someone is running Chef in "pure
> infrastructure-as-code" mode (couldn't find a better term), i.e. all
> changes to your infrastructure are done via git only, so that you can
> trace whatever has been done in 'git log'.

The thing that stops people being able to do this is generally twofold 
- firstly that Chef covers off configuration via git, but not runbook 
changes (eg an apache restart across all servers). Whilst you can use 
"knife ssh" as your runbook automation tool, you can't do that through 
git, so you have no visibility through git log. The second factor is 
that Chef cookbooks are mainly in the application space and don't extend 
right down to kernel tweaks etc (that I've seen yet anyway) or even if 
the cookbooks are available the discussion and setups I've seen, people 
are mostly managing apps/daemons/services/configs using Chef, not the 
lower level routing, kernel tweaks etc (though I'm sure *some* people 
are).

Those two factors aside, we do use the "knife edit" type flow never or 
very rarely and everything is created or edited via our git repo, so 
very close to your ideal. The exception would be for client PEM files. 
I've sure it would be possible to generate these not using knife, then 
add them to the git repo, then import them to Chef via knife? But I'm 
not sure this would give you anything over creating the client PEM files 
and then adding them to the repo. I have been meaning to ask how other 
people manage this flow actually, since currently for us it is the most 
clunky and cumbersome to get a client both registered in the couch via 
knife, and also created as PEM files within the repo. How is everyone 
else managing this? Thoughts?

> As for the after-commit hook, I'm not sure whether 'rake install' in
> the chef repo (or the backend side) would be smart enough to not
> introduce lots of artificial changes (guess it would re-upload _all_
> cookbooks, roles, databags, nodes, etc even if I change only a tiny
> bit in a single node json).

I'm afraid I'm not really familiar with rake and can't really 
understand what you're trying to do here. Our flow involves committing 
to git, which triggers a commit hook that finds files midified in that 
commit, figures what knife commands are needed to run based on these 
changes (not always simple) and then executes them against the chef 
server. I should really throw this up on github or something because it 
would probably be useful to others?

Cheers

Dan