Can a node be shared across multiple Chef organizations?


#1

We are getting the below errors when trying to run knife winrm chef-client --manual-list on nodes we’ve already successfully bootstrapped and run knife winrm chef-client --manual-list before.

The only thing that has changed is that another team at our company bootstrapped our nodes to a different organization within the same Chef server so they could deploy their own cookbooks/recipes.

Errors:

Authentication Error:
Failed to authenticate to the chef server (http 401).
Server Response:
Invalid signature for user or client <nodename>
If these settings are correct, your client_key may be invalid, or you may have a chef user with the same client name as this node.

BTW: we did copy the client.pem and client.rb from our org to one of the impacted servers and that seemed to have worked for one of the nodes, but other nodes are still getting the above errors.

What needs to be done to fix this? Do the impacted nodes need to be deleted from the other org so there are no conflicts? I’m assuming a node can’t be registered under two different Chef orgs, right?

Thanks in advance!
Keith


#2

I’m going to answer my own question here. We need to be in the same Chef organization as other teams at our company if we plan to share nodes. It does not seem that sharing nodes across multiple Chef orgs is possible.


#3

Probably too late to be helpful, but the only way we’ve found to share nodes across organizations is to set up separate client.rb and client.pem files per organization. So organization A would have a client-A.rb and client-A.pem while organization B would have a client-B.rb and client-B.pem. The configuration inside each of the client.rb files would have the URL for the appropriate organization.

~Khaled