Keith

Reputation: 2019

Chef: can a node be shared across multiple organizations?

Can a node (server) be shared across more than one organization? I'm assuming no. I'm asking because we bootstrapped multiple servers to our Chef org so we can deploy and run our cookbooks/recipes on them. However, recently another team at our company bootstrapped these same nodes to their own Chef org so they can run their own cookbooks on these servers. This broke us! Now we are unable to run our cookbooks on these nodes.

What is the best way to fix this? Do we need the other team to delete the nodes/clients from their Chef org? Is there anything else we can do?

Upvotes: 3

Views: 1317

Answers (1)

Tensibai

Reputation: 15784

Short answer: nothing. A node belongs to one org only.
You may tweak the config file and key used, but it's likely you'll get a conflict between teams on one file someday (for example).

FWIW, my position is that multiple organizations are likely to become a pain very quickly if there's no well-defined workflow around them to tell which node belongs to which organization.

To answer the comment under the question:

> Not sure if this is an actual design flaw in Chef. Might be a good idea to allow multiple teams at a company to have their own separate Chef orgs where they can manage their own nodes and custom cookbooks that they can use across shared servers.

It is not a flaw in Chef's design, and allowing this would result in crazy things. Let's say:

  • Team A has specific needs for X11 forwarding through SSH and makes its cookbook configure sshd this way.
  • Team B has a specific need to enforce MFA use on SSH, and part of the hardening disallows X11 forwarding.

Share the server, then each Chef run on org A or org B will reconfigure SSH, never being compliant for both teams.

Upvotes: 2
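
The flapping described in the answer above, as an added example that is not part of the original post: a Ruby sketch that models the two orgs' runs as alternating policies over one sshd_config and reports which directives can never satisfy both. The config text, the TEAM_A/TEAM_B policies and all function names are constructed for illustration.

```ruby
# Constructed sample sshd_config (not taken from any real host).
SSHD_CONFIG = <<~CONF
  # managed by configuration management
  Port 22
  X11Forwarding no
  PasswordAuthentication no
CONF

# Hypothetical desired state per team, as each org's cookbook would enforce it.
TEAM_A = { "X11Forwarding" => "yes" }.freeze
TEAM_B = { "X11Forwarding" => "no",
           "AuthenticationMethods" => "publickey,keyboard-interactive" }.freeze

# Parse "Directive value" lines into a hash, skipping comments and blanks.
# sshd keywords are case-insensitive; this sketch assumes consistent casing.
def parse(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?("#") }
      .to_h { |l| l.split(/\s+/, 2) }
end

# One idempotent converge: returns [new_config, directives_that_changed].
def converge(config, policy)
  changed = policy.reject { |k, v| config[k] == v }.keys
  [config.merge(policy), changed]
end

# Directives both policies set, but to different values.
def conflicts(a, b)
  (a.keys & b.keys).reject { |k| a[k] == b[k] }
end

def compliant?(config, policy)
  policy.all? { |k, v| config[k] == v }
end

# Alternate the policies run after run; returns the changes made by each run.
def simulate(config, policies, runs)
  runs.times.map do |i|
    config, changed = converge(config, policies[i % policies.size])
    changed
  end
end

if __FILE__ == $0
  puts "conflicting directives: #{conflicts(TEAM_A, TEAM_B).inspect}"
  simulate(parse(SSHD_CONFIG), [TEAM_A, TEAM_B], 4).each_with_index do |c, i|
    puts "run #{i + 1} (team #{%w[A B][i % 2]}) changed: #{c.join(', ')}"
  end
end
```

A run that reports changes every time on an otherwise untouched host is the observable symptom; running the same comparison over two teams' intended settings before sharing a server surfaces the conflict up front.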
