[chef] Re: Best Practices for Retrieving Generated Passwords

Chronological Thread 
  • From: Jacobo García < >
  • To:
  • Subject: [chef] Re: Best Practices for Retrieving Generated Passwords
  • Date: Mon, 3 Dec 2012 17:22:49 +0100

Hi Dane,

Chef provides a place where you can store this kind of information, it is called data bags[1], for a security plus you can use encrypted data bags[2]. Data bags provide also a convenient way to retrieve the information on chef recipes.

Chef exposes a full REST API[3], so you can get information out of chef doing using curl or any http library you want. Also if you use ruby, you can use chef itself to consume the chef server API[4].

[1] http://wiki.opscode.com/display/chef/Data+Bags
[2] http://wiki.opscode.com/display/chef/Encrypted+Data+Bags
[3] http://wiki.opscode.com/display/chef/Server+API
[4] http://wiki.opscode.com/display/chef/Making+Authenticated+API+Requests

Hope this helps,

Jacobo García López de Araujo

On Mon, Dec 3, 2012 at 5:12 PM, Dane Elwell < " target="_blank"> > wrote:

I work for a small ISP with about 23,000 servers and I'm trying to get some configuration management in the mix to help deploy/support a new product we're about to roll out.

I'm currently in the process of biting off more than I can chew with Chef, so some of this may be Chef 101. I apologise if I'm asking stupid questions, but I've not been able to find a solid answer elsewhere (and I would consider my Google-fu fairly tuned).

We have an in-house application that helps us to manage our inventory, assets, passwords, etc for the all the servers we host. I need to get Chef to configure a server with users and passwords, along with generating some other information to go into various configuration files on the server. These must all be retrieved and placed into our in-house system so we have them all on record.

I've had a look at the Users cookbook and I see this can generate passwords and such, and then (from what I can ascertain) those items become available through `knife node show nodename -m`. Which is fine for the odd server here and there, but I intend to use this to deploy a few hundred servers, so automation is a must.

Two questions:

* (Likely Chef 101 but I've not seen how to do this yet) Is there a way I can store arbitrary data for the local node somewhere? For example, if I generate a username and password for a haproxy statistics page, where can I then retrieve these from? Use of an encrypted databag? This is probably me just not RTFM to be fair - links appreciated.

* How can I gather this username/password information in a more automated way? Is there an API of some kind that can be called to retrieve this information from the Chef server? Unfortunately the in-house system is developed by a separate team, so I don't have many options for integration beyond "here's an API, implement this". I'm more than happy to write glue code for this if necessary.

I hope my requirements make sense, and I apologise again for being clueless. :)


Archive powered by MHonArc 2.6.16.