Best practice for deploy with versioning


#1

Hello,

I would like to know about best practices for deploying internal
applications using Chef to control the versions.

Previously I had the versions as attributes inside some roles or
recipes, but then we need a sysadmin to do the deploy.

Now I would like to give the developers the option to do the deploy
themselves without needing to give them write permission on chef-repo.

Thanks


– Tiago Cruz


#2

Drive it off an attribute or data bag and give them the ability to
manipulate that. You can do that via letting them update the data bag
in the UI or via knife, or you can write a utility that lets them
update it with ACLs that you establish in the utility.

Minimum Viable Product for that last thing would be a command line tool
that runs setuid or setgid to some user which has read access to a chef
user credential on disk (mode 400 or 440 so users can’t read it without
the utility) and then updates the data bag for the user. Then users
could run that from the command line, and it could only allow updating
that data bag and could do additional sanity checking, validation,
authorization, audit logging, e-mail alerts, etc. before doing the data
bag upload. Obviously taint check your inputs since it would need to
run with elevated privs. Or you could get crazy and write a web app in
an MVC framework and just have data models that map onto data bags in
Chef.

I’d start with the Chef ACLs around data bags in the UI/knife first and
see if that worked for you though.

On Thu Sep 18 12:27:07 2014, Tiago Cruz wrote:



#3

Developers can publish the version in a separate remote file (for example an
S3 file named /service_release) which is outside the Chef server (no data bag,
no role/recipe, etc.), and Chef recipes can consume that and then pass the
version to the deploy resource.

If you have CI you can automate this as a post-successful-build hook. I
have used this: S3 to store the version at a fixed URL, and Chef's deploy
to do the actual deployment (Rails and PHP). But in my case it was
automatic on staging and manually gated for production (i.e. you have to
click a button in the CI server to update the production release version
after a green build).

On Thu, Sep 18, 2014 at 12:41 PM, Lamont Granquist lamont@opscode.com
wrote:
