Bootstrapper and validator keys


#1

So one thing that I didn’t have a chance to ask about during the Summit was
regarding the validator keys. I understand what their role is during
automated client registration; that part makes perfect sense to me (and is
one reason we went with Chef over Puppet for AWS nodes). However, what I
don’t understand is their role in a workstation setup. I know that it’s
standard to require the validator config as part of the knife
configuration; is that solely for the purpose of supporting knife
bootstrap, or is it used for API calls to the Chef server as well?

This came up because I was looking at bootstrapper, and that was one of the
selling points of the project, that it allowed you to bootstrap nodes
without dealing with the anonymous validator key, which down the line will
lead to better auditing to see who bootstrapped a node, etc.

Also regarding bootstrapper, I had tried it earlier and even though I set
the node name using “--node-name=blah.tld”, the client and node that were
created were listed based on the date instead of the node name. It also
doesn’t seem to support bootstrap proxies, unless that support is solely
done through creating a definition file? Ideally this is the tool I would
use, but I wasn’t able to get it to function as intended and went back to
using knife bootstrap the other day.


~~ StormeRider ~~

“Every world needs its heroes […] They inspire us to be better than we
are. And they protect from the darkness that’s just around the corner.”

(from Smallville Season 6x1: “Zod”)

On why I hate the phrase “that’s so lame”… http://bit.ly/Ps3uSS


#2

On Sat, Nov 16, 2013 at 7:57 PM, Morgan Blackthorne
stormerider@gmail.com wrote:

> So one thing that I didn’t have a chance to ask about during the Summit was
> regarding the validator keys. I understand what their role is during
> automated client registration; that part makes perfect sense to me (and is
> one reason we went with Chef over Puppet for AWS nodes). However, what I
> don’t understand is their role in a workstation setup. I know that it’s
> standard to require the validator config as part of the knife configuration;
> is that solely for the purpose of supporting knife bootstrap, or is it used
> for API calls to the Chef server as well?

It is solely used for bootstrapping targets and used for the initial
communication between the target and the Chef server. After the first
run (once the target has its own client key) the validator key is no
longer required.

I’d stick with using the existing “knife bootstrap” procedure for now
and not use the experimental “bootstrapper” yet (unless you want to
work on it & send patches :) )

  • Julian


[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
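As an added example (not part of this thread and not Chef's own tooling), the following POSIX shell script turns Julian's point into a check a node operator can run: the validator key is a shared, organisation-wide credential that is only needed until the node has its own client key, so a node that still carries validation.pem next to client.pem is holding a credential it no longer requires. It assumes the conventional file names client.pem and validation.pem and takes the config directory as a parameter rather than hard-coding /etc/chef; the sample directories and PEM contents it creates are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread or from Chef itself.
# Audits a Chef client config directory for the shared validator key once the
# node has its own client key. Assumes the conventional file names client.pem
# (per-node key issued at registration) and validation.pem (the organisation's
# shared validator key); the directory is passed in rather than hard-coded.

# Print the registration state of a config directory. Always returns 0 so the
# caller compares the printed word, which is one of:
#   unregistered - no client.pem yet, so the validator key is still needed
#   leftover     - client.pem present but validation.pem also still present
#   clean        - client.pem present and the validator key is gone
#   missing      - the directory does not exist
validator_key_status() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "missing"
  elif [ ! -f "$dir/client.pem" ]; then
    echo "unregistered"
  elif [ -f "$dir/validation.pem" ]; then
    echo "leftover"
  else
    echo "clean"
  fi
  return 0
}

# Remove validation.pem only when client.pem exists. A node that has not
# registered yet keeps the validator key it needs for its first run.
# Prints "removed" or "kept".
remove_validator_if_registered() {
  dir="$1"
  if [ -f "$dir/client.pem" ] && [ -f "$dir/validation.pem" ]; then
    rm -f "$dir/validation.pem"
    echo "removed"
  else
    echo "kept"
  fi
  return 0
}

# Build two constructed config directories under the given root: "fresh"
# (validator key only, as right after bootstrap) and "done" (both keys, as
# after a first chef-client run that did not clean up). The PEM contents are
# placeholders, not real keys.
setup_demo_dirs() {
  root="$1"
  mkdir -p "$root/fresh" "$root/done"
  echo "PLACEHOLDER-VALIDATOR-KEY" > "$root/fresh/validation.pem"
  echo "PLACEHOLDER-VALIDATOR-KEY" > "$root/done/validation.pem"
  echo "PLACEHOLDER-CLIENT-KEY"    > "$root/done/client.pem"
  return 0
}

# Stand-alone run: show the states before and after clean-up.
demo_root="${TMPDIR:-/tmp}/chef-validator-demo.$$"
setup_demo_dirs "$demo_root"
echo "fresh: $(validator_key_status "$demo_root/fresh")"
echo "done:  $(validator_key_status "$demo_root/done")"
echo "fresh cleanup: $(remove_validator_if_registered "$demo_root/fresh")"
echo "done cleanup:  $(remove_validator_if_registered "$demo_root/done")"
echo "done after:    $(validator_key_status "$demo_root/done")"
rm -rf "$demo_root"
```

The removal deliberately refuses to act on a directory without client.pem, so running it early (before the first chef-client run completes) cannot break registration; the "leftover" state is the one worth alerting on, since it means a shared credential is sitting on a host that has already been issued its own identity.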