Custom node attribute discovery


#1

Hi everyone

I’m in the process of developing a cookbook for managing ssl certificates
on Windows.
So far, it only contains a lwrp responsible for installing a certificate in
the Windows cert store and managing permissions on private keys.

Other cookbooks however need to be able to look up certain attributes on
certificates in the store.
For example, some_cookbook might need to find the certificate thumbprint
for the certificate with the subject name “foo.bar.baz”.

In a some_cookbook recipe I might have:

windows_certificate “foo.bar.baz” do
action :install
source "foo.bar.baz.pfx"
password "foobar"
end

I would then like to be able to look up the thumbprint for a certificate:

cert_thumbprint = node[:windows_certificate][:foo.bar.baz][:thumbprint]
something_that_needs_thumbprint cert_thumbprint …

So my question is - what is the best practice for populating custom node
attributes like these?
I could simply make my lwrp call node.set for each certificate installed -
is that kosher?
Should this rather be an ohai plugin? Is there another approach that I’m
missing?

With many thanks & regards,
Sölvi Páll Á.


#2

Hi,

Our latest approach uses an explicit act of publishing by the providing
node and equivalent lookup by the client node. This way if we changed the
implementation of the node, the clients won’t break. This approach also
made it possible to use data bags to publish data from unmanaged nodes but
still access it through a uniform api. See [1]

in provider node

Chef::Service.register(node, ‘mysrvicekey’, :port => 99)

in client node

Chef::Service.register(node, ‘mysrvicekey’)[‘port’]

[1]

On Thursday, July 11, 2013, Sölvi Páll Ásgeirsson wrote:

Hi everyone

I’m in the process of developing a cookbook for managing ssl certificates
on Windows.
So far, it only contains a lwrp responsible for installing a certificate
in the Windows cert store and managing permissions on private keys.

Other cookbooks however need to be able to look up certain attributes on
certificates in the store.
For example, some_cookbook might need to find the certificate thumbprint
for the certificate with the subject name “foo.bar.baz”.

In a some_cookbook recipe I might have:

windows_certificate “foo.bar.baz” do
action :install
source "foo.bar.baz.pfx"
password "foobar"
end

I would then like to be able to look up the thumbprint for a certificate:

cert_thumbprint = node[:windows_certificate][:foo.bar.baz][:thumbprint]
something_that_needs_thumbprint cert_thumbprint …

So my question is - what is the best practice for populating custom node
attributes like these?
I could simply make my lwrp call node.set for each certificate installed -
is that kosher?
Should this rather be an ohai plugin? Is there another approach that I’m
missing?

With many thanks & regards,
Sölvi Páll Á.


Cheers,

Peter Donald


#3

Thanks alot Peter!

This approach looks clean.

regards,
Sölvi

On Fri, Jul 12, 2013 at 4:44 AM, Peter Donald peter@realityforge.orgwrote:

Hi,

Our latest approach uses an explicit act of publishing by the providing
node and equivalent lookup by the client node. This way if we changed the
implementation of the node, the clients won’t break. This approach also
made it possible to use data bags to publish data from unmanaged nodes but
still access it through a uniform api. See [1]

in provider node

Chef::Service.register(node, ‘mysrvicekey’, :port => 99)

in client node

Chef::Service.register(node, ‘mysrvicekey’)[‘port’]

[1]
https://github.com/realityforge/chef-cutlery/blob/master/libraries/services.rb

On Thursday, July 11, 2013, Sölvi Páll Ásgeirsson wrote:

Hi everyone

I’m in the process of developing a cookbook for managing ssl certificates
on Windows.
So far, it only contains a lwrp responsible for installing a certificate
in the Windows cert store and managing permissions on private keys.

Other cookbooks however need to be able to look up certain attributes on
certificates in the store.
For example, some_cookbook might need to find the certificate thumbprint
for the certificate with the subject name “foo.bar.baz”.

In a some_cookbook recipe I might have:

windows_certificate “foo.bar.baz” do
action :install
source "foo.bar.baz.pfx"
password "foobar"
end

I would then like to be able to look up the thumbprint for a certificate:

cert_thumbprint = node[:windows_certificate][:foo.bar.baz][:thumbprint]
something_that_needs_thumbprint cert_thumbprint …

So my question is - what is the best practice for populating custom node
attributes like these?
I could simply make my lwrp call node.set for each certificate installed

  • is that kosher?
    Should this rather be an ohai plugin? Is there another approach that I’m
    missing?

With many thanks & regards,
Sölvi Páll Á.


Cheers,

Peter Donald