Bootstrapping a Chef Server headlessly
2016 April 2
The steps for installing a standalone Chef server1 involves downloading the admin and validation private keys to complete the setup. This means that you need some file transfer mechanism from your server like SSH. I will show below how to skip these steps and use existing private keys that is already installed in your Chef workstation instead. The advantage of this approach is that you only have a single key for all your Chef server deployments including a Hosted Chef server account.
We assume that you already have your workstation’s client.pem and validation.pem downloaded. Obtain their public keys and save them for later
$ openssl rsa -in ~/.chef/client.pem -pubout > client.pub $ openssl rsa -in ~/.chef/validation.pem -pubout > validation.pub
For truly loginless setups, you can safely paste these public keys in the startup scripts/ user data field on your Cloud provider.
After following steps 1-42, use the following steps instead:
Setup the user
Create the admin user but redirect the private key destination to
/dev/null. We don’t need it at all
$ chef-server-ctl user-create username FirstName LastName \ email@domain password -f /dev/null
Delete the use client key.
$ chef-server-ctl delete-user-key username default
Finally, add a default user key again with the
client.pubstring we generated earlier.
$ chef-server-ctl add-user-key username --key-name default \ --pub-key-path client.pub
Setup the organization
We will use a similar approach for the organization’s validation key.
Create the organization and send its private key to
$ chef-server-ctl org-create orgname OrgFullName -a username -f /dev/null
Delete the validation client key. By default the name of the validation client is
$ chef-server-ctl delete-client-key orgname orgname-validator default
Add the validation public key we extracted earlier.
$ chef-server-ctl add-client-key orgname orgname-validator \ --key-name default --pub-key-path validation.pub