Installing admin client key into chef-server


#1

Is there a way to provide chef-server (open source) a client certificate
that it should trust as an admin?

Basically, I’m integrating an app that talks to chef-server. I want a
simple way to bootstrap an authentication scheme between this app and
chef-server, with minimal manual interactions required.


#2

Not directly. The API does not support adding predefined public keys.

Which version are you running? If you are using couch you can use the chef
apiclient lib to handcraft an apiclient object and invoke cdb_save directly.
Note that since couch is normally bound to the local interface, you have to
run the script in the same instance where couch is running.

I had a requirement to use the same PKI system across openvpn, chef and
ssh, as part of which I used this strategy. But I don't recommend this, as
this won't work on chef 11 (and it's a dirty way to achieve this).



#3

On Jan 2, 2013, at 3:08 PM, Ranjib Dey wrote:

On Wed, Jan 2, 2013 at 2:23 PM, andi abes andi.abes@gmail.com wrote:
is there a way to provide chef-server (opensource) a client certificate that it should trust as an admin?

In the Chef 11 Server, an admin client or user can create admin clients. In addition, in Chef 11, you can set the public_key for a client as part of the create request. So if an integrating app provided a public_key, a server admin could create an admin client that the app could use to authenticate with. Not sure if that’s what you’re looking for or not.

  • seth
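
The Chef 11 flow described in the post above, as an added Ruby sketch that is not part of the original thread or Chef's own code: the integrating app generates its keypair locally and hands over only the public half, which a server admin places in the `public_key` field of the client-create request body. The client name `example-app`, the helper names and the 2048-bit minimum are assumptions made for illustration; sending the request (which must be signed by an existing admin identity) is not shown, and the signature check only illustrates proof of possession, not Chef's request-signing protocol.

```ruby
require "openssl"
require "json"

# App side: generate the keypair locally. The private key never leaves the app.
def generate_app_key(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# Admin side: build the JSON body for the Chef 11 client-create request
# (POST /clients). Only public key material is accepted; a PEM containing a
# private key is rejected so it cannot end up on the server by mistake.
def client_create_body(name, public_key_pem, admin: true)
  key = OpenSSL::PKey::RSA.new(public_key_pem)
  raise ArgumentError, "refusing to send private key material" if key.private?
  raise ArgumentError, "RSA key shorter than 2048 bits" if key.n.num_bits < 2048

  JSON.generate(
    "name"       => name,
    "admin"      => admin,
    "public_key" => key.public_key.to_pem
  )
end

# Illustration only: whoever holds the registered public key can check that a
# signature was produced by the matching private key.
def proves_possession?(public_key_pem, data, signature)
  pub = OpenSSL::PKey::RSA.new(public_key_pem)
  pub.verify(OpenSSL::Digest.new("SHA256"), signature, data)
end

if __FILE__ == $PROGRAM_NAME
  app_key = generate_app_key                  # stays with the app
  public_pem = app_key.public_key.to_pem      # the only thing handed to the admin
  body = client_create_body("example-app", public_pem) # hypothetical client name
  puts body

  challenge = "constructed sample data"
  signature = app_key.sign(OpenSSL::Digest.new("SHA256"), challenge)
  puts "possession proven: #{proves_possession?(public_pem, challenge, signature)}"
end
```
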

#4

more or less… but I’m looking for it on chef 10 :wink:


#5

On Tuesday, January 8, 2013 at 8:42 AM, andi abes wrote:

more or less… but I’m looking for it on chef 10 :wink:

Is there a reason you’re tied to this particular certificate? Even in the Chef 11 case you need to create the client from another admin user/client account, so that’s either a manual step or you need another admin client key around to do the create operation.


Daniel DeLeo
