Reputation: 53
Best practice for distributing chef validation key
I am using Enteprise Chef. There is just one validation key per organisation. That means that once I download it for my workstation, other devops people in team can't have it => they can't bootstrap nodes from workstation. If I automate process of bootstraping, for instance if I put the key on S3, then I also will have to think about keeping my workstation validation key and S3 key in sync (and all other devops people in team).
So question is:
What are the best practices for distributing this single validation key across nodes and workstations?
Upvotes: 1
Views: 364
Answers (1)
Reputation: 15784
My best bet on this:
Use chef on your workstations to manage the distribution of the
validation.pemfile.Another way is to set it on a shared place (cifs or nfs share) for all your team.
According to this blog post this will become unneeded with chef 12.2.
For the record, the validation key is only necessary for the node to register itself and create it's own client.pem file at first run, it should (must if you're security aware) be deleted from the node after this first run.
The chef_client cookbook can take care of cleaning the validator key and will help manage nodes configuration.
Upvotes: 2
Related Questions
- Chef clients and validators
- OpsWorks for Chef Automate and Chef validator-key
- Chef: Generate a self-signed CA
- Chef chef-validator.pem security
- How to distribute ssh keys with chef 12
- ssl validation error coming while doing chef client setup
- Add authorize keys for users via chef
- Chef and Knife to bootstrap ec2 - OpenSSL::PKey::RSAError: private key needed.: no start line
- Is there a non-interactive way to regenerate OSS chef 11 validator key?
- bootstrapping an ubuntu ec2 instance using chef and knife