[chef] Best Practices for Retrieving Generated Passwords

Chronological Thread 
  • From: Dane Elwell < >
  • To: < >
  • Subject: [chef] Best Practices for Retrieving Generated Passwords
  • Date: Mon, 03 Dec 2012 16:12:32 +0000


I work for a small ISP with about 23,000 servers and I'm trying to get some configuration management in the mix to help deploy/support a new product we're about to roll out.

I'm currently in the process of biting off more than I can chew with Chef, so some of this may be Chef 101. I apologise if I'm asking stupid questions, but I've not been able to find a solid answer elsewhere (and I would consider my Google-fu fairly tuned).

We have an in-house application that helps us to manage our inventory, assets, passwords, etc for the all the servers we host. I need to get Chef to configure a server with users and passwords, along with generating some other information to go into various configuration files on the server. These must all be retrieved and placed into our in-house system so we have them all on record.

I've had a look at the Users cookbook and I see this can generate passwords and such, and then (from what I can ascertain) those items become available through `knife node show nodename -m`. Which is fine for the odd server here and there, but I intend to use this to deploy a few hundred servers, so automation is a must.

Two questions:

* (Likely Chef 101 but I've not seen how to do this yet) Is there a way I can store arbitrary data for the local node somewhere? For example, if I generate a username and password for a haproxy statistics page, where can I then retrieve these from? Use of an encrypted databag? This is probably me just not RTFM to be fair - links appreciated.

* How can I gather this username/password information in a more automated way? Is there an API of some kind that can be called to retrieve this information from the Chef server? Unfortunately the in-house system is developed by a separate team, so I don't have many options for integration beyond "here's an API, implement this". I'm more than happy to write glue code for this if necessary.

I hope my requirements make sense, and I apologise again for being clueless. :)


Archive powered by MHonArc 2.6.16.