Validation.pem distribution question


#1

Folks,

Please share how you distribute validation.pem. It looks like this is a
sensitive piece of data, since anybody having it can register a new client.
So it seems it is a bad idea to make it available, for example, via HTTP.
But how can it be provided for a new client installation?

Thanks,
Kirill.


#2

If you’re creating nodes using knife bootstrap (or another plugin like knife ec2 or vsphere) the templates handle that for you.

(
cat <<'EOP'
<%= validation_key %>
EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem

https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/centos5-gems.erb

On Wednesday, December 19, 2012 at 4:40 PM, Kirill Timofeev wrote:

Folks,

Please share how you distribute validation.pem. It looks like this is a
sensitive piece of data, since anybody having it can register a new client.
So it seems it is a bad idea to make it available, for example, via HTTP.
But how can it be provided for a new client installation?

Thanks,
Kirill.
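
Added example (not part of any post in this thread, and not Chef's own code): a shell sketch of placing the validation key so that it is never readable by other users on the way to its final path, unlike the /tmp staging in the template above. It goes one step beyond the thread by also removing the key once the node has its own client key. The function names are hypothetical and all paths are supplied by the caller.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths come from the caller.

# install_validation_key SRC DEST
# Writes the key to DEST without it ever being readable by other users.
install_validation_key() {
    src=$1; dest=$2
    # Refuse anything that is not a PEM private key, e.g. an error page
    # saved by a failed download.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$src" || return 2
    grep -q -- '-----END .*PRIVATE KEY-----' "$src" || return 2
    (
        umask 077                                  # nothing created here is group/world readable
        tmp=$(mktemp "$dest.XXXXXX") || exit 1     # staged next to DEST, not in /tmp
        # Drop blank lines, as the bootstrap template does with "awk NF".
        awk NF "$src" > "$tmp" || { rm -f "$tmp"; exit 1; }
        chmod 0600 "$tmp" &&
        mv -f "$tmp" "$dest"                       # rename within one directory
    )
}

# retire_validation_key VALIDATION CLIENT
# Once the node holds its own client key, the shared validation key is no
# longer needed on it; removing it limits what a later node compromise exposes.
retire_validation_key() {
    validation=$1; client=$2
    [ -s "$client" ] || return 1                   # not registered yet: keep the key
    rm -f "$validation"
}
```

On a node this would be called with /etc/chef/validation.pem as DEST; the client key path passed to retire_validation_key is an assumption about where chef-client stores the node's own key.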


#3

I’m not using knife; I want to install chef-client using a binary package.

On 12/19/2012 01:43 PM, Daniel Condomitti wrote:

If you’re creating nodes using knife bootstrap (or another plugin like
knife ec2 or vsphere) the templates handle that for you.
(
cat <<'EOP'
<%= validation_key %>
EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem

https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/centos5-gems.erb



#4

For hypervisors we distribute it via cobbler.

John
