Showing posts with label Chef. Show all posts
Showing posts with label Chef. Show all posts

Tuesday, 15 July 2014

Pattern to Deliver Different Automation Templates per server group

The Problem: 
I have 3 groups servers that utilize different settings like LDAP, Apache config, Splunk. Each group has around 30 servers. Each of the configuration file for LDAP, Apache and Splunk does NOT have the same format, so a general automation Ruby template cannot be used for all three groups of servers. 

For example I cannot have a Splunk authentication.conf.erb for all groups like:

[Corporate AD]
bindDN = <%= @node['splunk']['ldap-bindDN'] %>
charset = utf8
bindDNpassword = <%= @node['splunk']['ldap-bindDNpassword'] %>
SSLEnabled = 0
port = 389
userBaseDN =  <%= @node['splunk']['ldap-userBaseDN'] %>
host =  <%= @node['splunk']['ldap-binddn'] %>

authType = LDAP
authSettings = <%= @node['splunk']['ldap-authSettings'] %>

# Here the splunk Stanga is always different for all 4 group of servers!!!
admin = wewvffsf3f
myreporting = 0110052012E
power = 0110052012E;0110052012E;0110052012E;0110052012E;

How to apply automation for all four server groups by having templates of different formats ?

 I give each server group a group id as an attribute:
node['splunk']['group-id'] = groupA or groupB or groupC 

Then in my Chef project I organize my templates folder as follows:

Contents of  my-chef-project/templates/default
  • groupA-authentication.conf.erb : describes LDAP settings for Group A
  • groupA-authorization.conf.erb : describes Splunk Authorization settings for Group A
  • groupB-authentication.conf.erb : describes LDAP settings for Group B
  • groupB-authorization.conf.erb : describes Splunk Authorization settings for Group B
  • groupC-authentication.conf.erb : describes LDAP settings for Group C
  • groupC-authorization.conf.erb : describes Splunk Authorization settings for Group C
Each of those templates is bare simple text without any parameters or anything else except perhaps node IP, hostname... See an example groupA-authentication.conf.erb :

[Corporate Settings]
bindDN = CN=splunk,OU=Services,OU=Company Page,OU=Resources,DC=illumine,DC=gr
SSLEnabled = 1
port = 437
host =
client =  <%= @node['ip'] %>

authType = LDAP
authSettings = Corporate Settings

[roleMap_Corporate kl]
admin = nottellingya
blog = 0110341333450057252012E
puser = 0110003532234123412342012E;0110003532234123412342012E;0110003532234122412342012E

In my automated delivery chef recipe for any type of those templates I do something like the following chef ruby illustrates:

  template "/opt/splunk/etc/system/local/authentication.conf" do
    source "#{node['splunk']['group-id']}_authentication.conf.erb"
    owner 'splunk'
    group 'splunk'
    mode 0600
    ignore_failure true

Note that:

  • The template that is sourced is bound to the server´s group ID. 
  • Any server is the group will take the same group template. 
  • The parameter ignore_failure true denotes that if a template is not found for this group-id then no configuration is delivered and Chef automation will continue without brake.