- From: Joe Nuspl
- Subject: [chef] Using chef-server as Berkshelf source
- Date: Mon, 6 Jan 2014 16:00:26 -0800

Since a chef-server can be a Berkshelf source, I'm wondering how people are
dealing with client keys.

Our CI will take care of uploading cookbooks, so "developer" access will be
read-only.

I see a couple ways to approach this:

1) One global client.pem that all developers will use. Since the endpoint is
behind a VPN, if that key gets out, the exposure is mitigated.
2) Managing an individual client per developer. Although this is the most
"secure", it does carry the highest ongoing maintenance cost.
3) Disabling authentication altogether (i.e. chef-zero)
4) Since I already have access to the developer's ssh public key via LDAP,
somehow tie them together.

What are others doing?

Joe