Create deployment package for chef-client?


I’m new here. I work as a system administrator, mainly with OS X workstation.

I try to use chef to complete my toolbox for OS X management. I use MDM for OS X Settings, Munki for software deployment and I want to use chef for all UNIX related settings.

I’ve deployed last chef server version and setup a first workstation following the documentation and it really fit my needs.

Now I look for industrialized deployment. Workstation are deployed automatically in my setup thanks to imaging and customization tools like DeployStudio.

That mean I just boot computers in mass on the network and a default workflow to deploy a factory system on computers and run scripts to customize the system (install package, enroll to AD, enroll to MDM, set munki, etc.).

So, now I need to add proper integration to chef. Installing chef isn’t a problem, the OS X Package can be deployed easily.

My main problem is regarding the chef server enrollment.

The documentation available do a massive usage of knife bootstrap who allow us to convert an existing setup to a chef based management.

But’s that’s not my use case here.

So here’s my question. How a workstation (with chef already installed) can enroll itself to a chefserver without any user interaction?

Best regards

knife bootstrap just does a few things:

  1. Install a chef-client package
  2. copy the client key or validator key to the target machine
  3. write out the config file and first boot JSON file
  4. run chef-client

All of those steps can be done by hand or automated with a script.

The trickiest part is probably setting up the authentication (step #2). If you need a truly unattended install, that’s what the validator key is for, it allows chef-client to create its own client object (think of this as an API account) on the server.

Daniel DeLeo

I’m sorry, I forgot to send back my conclusion.

I’ve used provided info to create a package with the validator key on the client during the install, generate the JSON file and start chef-client.

It works well.

Security on this case is done by limiting access to the deployment tools and payload to a subset of users.

Not perfect but fit my needs