[chef] RE: Best Practices for Retrieving Generated Passwords

[Matt Ray < >]

What you've described is not an uncommon issue, you have a number of options 
for dealing with storing data on your nodes or retrieving it dynamically. I 
assume you have a means of bootstrapping the machines and you want to create 
a user and password during the bootstrap and pull that from your API. The 
simplest way would be to create an cookbook that is part of your initial 
bootstrap that pulls this data from your API and creates the user. The user 
data could be stored on the node by the cookbook and then accessed from the 
Chef server via search (accessible via API, knife or within recipes). The 
users cookbook is pulling from a data bag to get the user data, you're just 
going to call your in-house API to essentially do the same thing.

If encrypting the data is more of a concern, you may want to use encrypted 
data bags to store the users and passwords, but then you will need to 
distribute the decryption key for use by the cookbook.

Thanks,
Matt Ray
Senior Technical Evangelist | Opscode Inc.

 
 | (512) 731-2218
Twitter, IRC, GitHub: mattray

________________________________________
From: Dane Elwell 

 
Sent: Monday, December 03, 2012 10:12 AM
To: 

 
Subject: [chef] Best Practices for Retrieving Generated Passwords

Hi,

I work for a small ISP with about 23,000 servers and I'm trying to get
some configuration management in the mix to help deploy/support a new
product we're about to roll out.

I'm currently in the process of biting off more than I can chew with
Chef, so some of this may be Chef 101. I apologise if I'm asking stupid
questions, but I've not been able to find a solid answer elsewhere (and
I would consider my Google-fu fairly tuned).

We have an in-house application that helps us to manage our inventory,
assets, passwords, etc for the all the servers we host. I need to get
Chef to configure a server with users and passwords, along with
generating some other information to go into various configuration files
on the server. These must all be retrieved and placed into our in-house
system so we have them all on record.

I've had a look at the Users cookbook and I see this can generate
passwords and such, and then (from what I can ascertain) those items
become available through `knife node show nodename -m`. Which is fine
for the odd server here and there, but I intend to use this to deploy a
few hundred servers, so automation is a must.

Two questions:

* (Likely Chef 101 but I've not seen how to do this yet) Is there a way
I can store arbitrary data for the local node somewhere? For example, if
I generate a username and password for a haproxy statistics page, where
can I then retrieve these from? Use of an encrypted databag? This is
probably me just not RTFM to be fair - links appreciated.

* How can I gather this username/password information in a more
automated way? Is there an API of some kind that can be called to
retrieve this information from the Chef server? Unfortunately the
in-house system is developed by a separate team, so I don't have many
options for integration beyond "here's an API, implement this". I'm more
than happy to write glue code for this if necessary.

I hope my requirements make sense, and I apologise again for being
clueless. :)

Dane