I work at a big company with several different ops teams. For the most
part, each ops team maintains its own open-source Chef server.
I’m looking into the feasibility of mimicking the Hosted Chef style of
paths, e.g. /organizations/opsteam1. So, for a node list from knife, the
request would look like ‘GET /organizations/opsteam1/nodes’.
If I put this behind a proxy and rewrite the path to just ‘/nodes’, I get a
401. After looking at the auth page at http://docs.opscode.com/auth.html,
that makes sense, since the hashed path is part of the signed request.
In order for this to work, the client needs to sign the request with
‘/nodes’ as the path, even if the target path differs.
I know I’ll likely need to override
in both knife and chef-client to achieve what I’m looking for. I don’t
mind requiring that folks install a knife plugin or a gem for this to work.
Could you give me direction on how to best achieve this?
I know I could probably just set up some nginx rewrites on the Chef server,
but I’d like for the server to be as vanilla as can be.
P.S. This is just a high-level example of what I’m trying to achieve. I’m
mainly looking to find out how to proxy a request that updates values used
in the signature, without the proxy having to be the signer. Sending the
correctly-signed payload from the client is ideal.
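
Why the path rewrite yields a 401, as an added example that is not part of the original post and is not Chef's or mixlib-authentication's own code. It is a simplified Ruby model of version 1.0 header signing (no path canonicalization, no header splitting); the canonical layout is assumed from the Chef auth documentation, and the helper names, user id, timestamp and key are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "digest/sha1"

# Hypothetical helper: Base64(SHA1(value)), used for both path and body.
def hashed(value)
  Base64.strict_encode64(Digest::SHA1.digest(value))
end

# Canonical string the signature covers (assumed v1.0 layout).
def canonical_request(method, path, body, timestamp, user_id)
  ["Method:#{method.upcase}",
   "Hashed Path:#{hashed(path)}",
   "X-Ops-Content-Hash:#{hashed(body)}",
   "X-Ops-Timestamp:#{timestamp}",
   "X-Ops-UserId:#{user_id}"].join("\n")
end

# Client side: RSA private-key operation over the canonical string.
def sign_request(private_key, method, path, body, timestamp, user_id)
  canonical = canonical_request(method, path, body, timestamp, user_id)
  Base64.strict_encode64(private_key.private_encrypt(canonical))
end

# Server side: recover the signed string with the public key and compare it
# to the canonical string rebuilt from the request as it actually arrived.
def server_accepts?(public_key, signature, method, received_path, body, timestamp, user_id)
  recovered = public_key.public_decrypt(Base64.strict_decode64(signature))
  recovered == canonical_request(method, received_path, body, timestamp, user_id).b
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

def demo
  key  = OpenSSL::PKey::RSA.new(2048)   # constructed throwaway key
  pub  = key.public_key
  ts   = "2013-06-01T12:00:00Z"         # constructed timestamp
  user = "opsteam1-admin"               # constructed user id
  sent = "/organizations/opsteam1/nodes"
  rewritten = "/nodes"
  sig_sent    = sign_request(key, "GET", sent, "", ts, user)
  sig_backend = sign_request(key, "GET", rewritten, "", ts, user)
  { direct:             server_accepts?(pub, sig_sent, "GET", sent, "", ts, user),
    proxy_rewrite:      server_accepts?(pub, sig_sent, "GET", rewritten, "", ts, user),
    signed_for_backend: server_accepts?(pub, sig_backend, "GET", rewritten, "", ts, user) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `proxy_rewrite` case fails because the server hashes the path it received, not the path the client signed; only a signature computed over the post-rewrite path verifies at the backend.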