The supermarket project doesn't have, AFAIK, useful walk-throughs. I hope to provide that here.
You don't want to do a manual install, unless you're someone who wants to look under the covers before turning everything over to a cookbook.
Some assumptions:
- The GCE project is my cloud, so FQDNs reflect this - I've hacked my /etc/hosts to use as the hostnames
Install and configure api_fqdn:
apt-get update
curl | bash
apt-get update
apt-get install chef-server-core
echo "api_fqdn \"\"" >> /etc/opscode/chef-server.rb
chef-server-ctl reconfigure
Add orgs/user:
chef-server-ctl user-create pdb Peter Burkholder [email protected] TestPassword -f pdb.pem
chef-server-ctl user-create demo Fname Lname [email protected] DemoPassword -f demo.pem
chef-server-ctl org-create demo_org demo_org -f demo_org.pem -a demo
echo "oc_id['administrators'] = ['demo']" >> /etc/opscode/chef-server.rb
chef-server-ctl reconfigure
Configure oc-id
- Navigate to https://chefserver/id
- Click the New Application button and fill in the application name and Redirect url
- Name: supermarket
- Redirect uri: https:///auth/chef_oauth2/callback
- After you click Submit you will be shown the Application Id and Secret strings which you must supply to Supermarket. Copy these down, but don’t worry about losing them. You can always retrieve them from the /id/oauth/applications URL of your Chef server.
apt-get update
curl | bash
apt-get install supermarket
supermarket-ctl reconfigure
Configure /etc/supermarket/supermarket.rb, with the app_id and secret from above:
default['supermarket']['chef_oauth2_app_id'] = '1fcce03a...67b822d1196'
default['supermarket']['chef_oauth2_secret'] = '9836e5f7d65....b10178ac0d'
default['supermarket']['chef_oauth2_url'] = ''
default['supermarket']['chef_oauth2_verify_ssl'] = false
supermarket-ctl reconfigure
You'll be redirected to the oc-id service on chef-server. Sign in with the credentials you used above, then accept the request to 'Authorize Supermarket to use your Chef account'.
You should be in.
Even with ssl.verify off, berks install or berks vendor will fail when supermarket is using a self-signed certificate. So, how do we get around that?
Copy /var/opt/supermarket/ssl/cacert.pem into a local cacert.pem.
knife ssl fetch
# concatenate all your pems
cd ....chef/trusted_certs
cat *.crt > cacert.pem
Verify the cert with openssl:
openssl s_client -CAfile cacert.pem -connect -verify 0
But curl doesn't matter, since Berkshelf uses Faraday, so let's try with that:
require 'faraday'

url = 'https://supermarket-0.c.cheffian-supermarket.internal'

# First attempt: let Faraday use OpenSSL's default trust store
begin
  print "Trying with no ssl options:\n"
  connection = Faraday.new(:url => url)
  p connection.get '/universe'
  p "WORKED\n\n\n"
rescue StandardError => e
  print e.message, "\n\n\n"
end

# Second attempt: point Faraday at the concatenated cacert.pem explicitly
begin
  print "Trying with ssl ca_file options:\n"
  connection = Faraday.new(:url => url, :ssl => { :ca_file => './cacert.pem' })
  p connection.get '/universe'
  p "WORKED\n\n\n"
rescue StandardError => e
  print e.message, "\n\n\n"
end
However, Berks doesn't have any option for specifying a CA file. Hmmmm. Good news: the above script works when:
export SSL_CERT_FILE=cacert.pem
Now attempts to use berks with the same SSL_CERT_FILE path set will work, so
berks vendor
should work.
Add this to your Berksfile:
ENV['SSL_CERT_FILE'] = '/some/path/to/cacert.pem'
I can't get curl to work with a self-signed cert, so don't count on curl for helping you here. You'd think the following would work:
curl -v --cacert cacert.pem
But it doesn't. It would seem that since self-signed certs don't assert themselves as CAs, curl won't be happy (and probably berks neither). That is, that
openssl x509 -in cacert.pem -inform pem -text -out certdata
won't contain:
X509v3 Basic Constraints:
X509v3 Key Usage:
Certificate Sign, CRL Sign
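To make the two points above concrete (the SSL_CERT_FILE workaround, and the CA extensions a self-signed cert may or may not carry), here is an added Ruby example that is not part of the original post. It builds two self-signed certificates in memory: one shaped like a plain server cert with no CA extensions, and one carrying the Basic Constraints and Key Usage values quoted above. It then shows what the `openssl x509 -text` inspection would report for each, and verifies each against a trust store that contains only itself, both by adding the cert directly and by writing it to a PEM file and pointing SSL_CERT_FILE at it. The CN `supermarket.example.internal` and both certificates are constructed here and stand in for your own cacert.pem.

```ruby
require 'openssl'
require 'tempfile'

# Constructed example (not from the original post): build a self-signed cert.
# ca: false mimics a plain self-signed server cert with no CA extensions;
# ca: true carries the extensions the post looks for in `openssl x509 -text`.
def make_self_signed(cn, ca:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, so extensions are allowed
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The two extension values `openssl x509 -text` prints under
# "X509v3 Basic Constraints" and "X509v3 Key Usage" (nil when absent).
def ca_extensions(cert)
  exts = cert.extensions.map { |e| [e.oid, e.value] }.to_h
  { basic_constraints: exts['basicConstraints'], key_usage: exts['keyUsage'] }
end

# Verify cert against a store holding only the given anchors: the role
# cacert.pem plays when handed to Faraday via :ssl => { :ca_file => ... }.
def verify_against(cert, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |a| store.add_cert(a) }
  [store.verify(cert), store.error_string]
end

# Same check, but the anchor reaches OpenSSL the way the post's workaround does:
# written to a PEM file named by SSL_CERT_FILE, which set_default_paths honours.
def verify_via_ssl_cert_file(cert, anchor)
  old = ENV['SSL_CERT_FILE']
  Tempfile.create(['cacert', '.pem']) do |f|
    f.write(anchor.to_pem)
    f.flush
    ENV['SSL_CERT_FILE'] = f.path
    store = OpenSSL::X509::Store.new
    store.set_default_paths
    [store.verify(cert), store.error_string]
  end
ensure
  ENV['SSL_CERT_FILE'] = old # restore (deletes the variable if it was unset)
end

# Hypothetical hostname; constructed certificates for the demonstration.
SERVER_STYLE = make_self_signed('supermarket.example.internal', ca: false)
CA_STYLE     = make_self_signed('supermarket.example.internal', ca: true)

if $PROGRAM_NAME == __FILE__
  { 'server-style' => SERVER_STYLE, 'ca-style' => CA_STYLE }.each do |label, c|
    puts "#{label}: #{ca_extensions(c).inspect}"
    puts "  store.add_cert -> #{verify_against(c, [c]).inspect}"
    puts "  SSL_CERT_FILE  -> #{verify_via_ssl_cert_file(c, c).inspect}"
    puts "  empty store    -> #{verify_against(c, []).inspect}"
  end
end
```

Running it prints, for each certificate, the extension values and the verification result and OpenSSL error string under each trust-store setup. The server-style result tells you whether your own OpenSSL build accepts a self-signed cert without CA flags as its own trust anchor, which is the hypothesis above; the empty-store line shows the failure you get when the anchor is missing altogether, which is what berks sees before SSL_CERT_FILE is set.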
These are all the Callback URLs that I authorized above:
Becomes /etc/supermarket/supermarket.rb
So, after you install omnibus-supermarket, you'll want a cookbook to modify supermarket.rb.
Wrap, wrap, baby???
The things to address are:
- ssl cert
- features -- currybot?