For cookbook publishing, first you need to decide where your source of truth lies. Is it going to be:
- Source control
- Supermarket
- Chef Server
- Binary store (like Artifactory, Nexus, etc.)
Each of these has their pros and cons. (One thing you will hit quickly is where the source of truth for secrets should be and will it be different than cookbook source).
Ideally it’s source control (yes, I store my secrets encrypted in source control), and if you’re starting from scratch this is the recommended way, but not all shops are configured this way. Facebook has some great tools to support this - they have a tool called grocery delivery that can keep chef servers all synced up with source control. This can also be adapted to do the same for a private supermarket.
For my cookbook pipeline, yes I just have a pipeline trigger on any source code change, and the deliver stage runs “knife supermarket share”.
One problem that you will hit when you have a chef-repo
style cookbook repository is figuring out which cookbook changed. You might have to write some code to support this. So you may want to go with the “one-cookbook-per-repo” style instead if that works for you.
Bootstrapping a private supermarket can be tough to automate if you are using community cookbooks. One problem you will hit immediately if you try to git add every cookbook one by one is that there will be a dependency order in “depends” for non-trivial cookbooks. If you don’t have all the dependencies for a cookbook, it will fail to publish to the supermarket. So you want something to scan for all dependencies and publish those. Unfortunately Chef Automate does not provide any tooling to help bootstrap a supermarket. You may need to “prime" the supermarket once by hand to get all the dependencies, but after that publishing cookbook-by-cookbook should be fine. (As after the initial, you should always have a cookbook’s dependencies, even if they might be a little older, and that at least won’t block publishing by knife supermarket share
). You can write code to scan a cookbook’s dependencies, but the problem is getting the order right for the first time.
Also, hopefully you never forked or modified a chef cookbook with the same name as an upstream supermarket cookbook. In my shop, we take care to preface all our cookbook names with a unique prefix so we never conflict with upstream cookbook names. But that’s another consideration with a private supermarket.
Another issue that you will hit almost immediately with cookbooks is version bumping in the metadata. Some have a “delivery local” step for devs to check to see that the cookbook version hasn’t already been published, to remind them to bump the version. In my shop, we follow the Facebook approach and go versionless with our cookbooks and our devs use attributes as “feature flags”. But this requires some rigor, and Chef Automate doesn’t have great tooling to support feature flags. I supplement this with a service called “LaunchDarkly”.
Finally if you don’t have this already, you probably want to make sure you have some sort of binary store for your Chef Automate workflows to store state/files between stages/steps. Artifactory is a popular choice, and it does a great job to support the “source of truth” being source control. I’ve been experimenting with using Artifactory as the Chef cookbook store myself to replace supermarket. One great feature it has is the ability to have “virtual” repos that combine together different sources. So it solves the bootstrapping problem for a supermarket above by letting you mirror the upstream supermarket on the net, and combine that together with your local cookbooks. Unfortunately I’m still working through some speed issues with JFrog’s implementation in my pilot implementation - for my cookbook set, I’ve discovered that it is an order of magnitude slower than the official private supermarket, which makes it almost unusable. I’m working with JFrog to hopefully get this issue resolved (I also notice that in the latest Berkshelf it now has Artifactory as a source, which might help with this).
These are some things I can think of off the top of my head.