chef-partners/chef-automate-ha

chef-automate-ha

This Azure Quickstart provides an 'unmanaged' full installation of Chef Server configured for high availability mode and a separate instance of Chef Automate.

Whilst the template is fully functional, it is expected that some customization may be required for your particular environment. It is aimed at experienced administrators of Chef.

This template uses Azure Key Vault to securely store and transfer secrets between VMs in the solution.

NOTE: This is a fork of one sub-directory called "chef-automate-ha" from Microsoft's own GitHub repository https://github.com/Azure/azure-quickstart-templates.git with a HEAD commit at:

commit f7d7bf4817d5f170543a71c4556e6f33d14749bd
Author: Brian Moore <bmoore@microsoft.com>
Date:   Tue Jun 12 14:16:14 2018 -0500

    Update mainTemplateTests.js

Deployment Outcomes

After deploying this template into your subscription, you will have deployed the reference Chef HA architecture, similar to https://docs.chef.io/install_server_ha.html:

  • 3x Chef Server frontend VMs behind a load balancer
  • 3x Chef Server backend VMs
  • 1x Chef Automate VM
  • 1x Key Vault

Frontend and Backend will be configured with individual Availability Sets and Premium storage. All servers use Managed Disk and have configurable VM sizes. Chef Server will automatically be configured to send run data to Chef Automate.

Prerequisites

  • A local Azure client should be installed, either the CLI or the PowerShell variant. To install the Azure CLI see these instructions, or to install the Azure PowerShell client see these instructions.
  • The AD identity running this installation should have the Owner role on the required Subscription.
  • jq should be installed to allow easy parsing of JSON output. See the installation instructions here.

Installation Instructions

1. Ensure a valid Service Principal exists

The template shares information like private keys and passwords between the servers with a Key Vault Resource. Using an existing service principal credential, the template deployment process creates the key vault. Only a process (or user) using this same service principal can read or write to this key vault.

If a valid service principal already exists, then skip to the next section; otherwise create a service principal.

Using the CLI:

stuart@Azure:~$ az ad sp create-for-rbac
Retrying role assignment creation: 1/36
    {
      "appId": "a530c3a0-YOUR-GUID-HERE-21e3d7ede80c",
      "displayName": "azure-cli-2017-05-23-15-28-34",
      "name": "http://azure-cli-2017-05-23-15-28-34",
      "password": "an autogenerated password will appear here",
      "tenant": "a2b2d6bc-YOUR-GUID-HERE-f97a7ac416d7"
    }

Use the appId to retrieve further details required via the az ad sp show --id [appId] command:

stuart@Azure:~$ az ad sp show --id a530c3a0-YOUR-GUID-HERE-21e3d7ede80c
    {
        "appId": "a530c3a0-YOUR-GUID-HERE-21e3d7ede80c",
        "displayName": "azure-cli-2017-05-23-15-28-34",
        "objectId": "1a439c30-YOUR-GUID-HERE-9df19f9b1c89",
        "objectType": "ServicePrincipal",
        "servicePrincipalNames": [
          "http://azure-cli-2017-05-23-15-28-34",
          "a530c3a0-YOUR-GUID-HERE-21e3d7ede80c"
        ]
    }

Using the Powershell:

The following PowerShell script will create a new service principal. Ensure that:

  • $password is strong.
  • $uniqueAdApplicationUriIdentifier is unique on the Azure system.

$password = "YOUR SECURE PASSWORD"

# Create a new Application in Active Directory
Write-Output "Creating AAD application..."
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$uniqueAdApplicationUriIdentifier = "http://my.unique.uri.002"
$azureAdApplication = New-AzureRmADApplication -DisplayName "My New Application" -IdentifierUris $uniqueAdApplicationUriIdentifier -Password $securePassword
$azureAdApplication

# Create the Service Principal
Write-Output "Creating service principal..."
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
$servicePrincipal

This will produce output something like:

[Screenshot: Create SP with powershell]

Once the service principal exists, note the following values for later use and keep them safe and secure:

  • If using the CLI, then note the values of appId, objectId and password.
  • If using the Powershell, then note the values of ApplicationId, ObjectId and the $password you defined.

2. Customize the azuredeploy.parameters file

Update appId, password, objectId, firstname, lastname, emailid and organization name and any other required parameters in the azuredeploy.parameters.json file. To get a full list of all available parameters that you can override, see the "parameters" section in the azuredeploy.json. One of the parameters is the sshKeyData which, if set with your own public key, will allow you to log onto all VMs with public-key authentication.

List of available parameters

3. Create a Resource Group

Ensure that you are logged on to Azure using the service principal created above, then use either the CLI or the PowerShell to create a new Resource Group.

Using the CLI:

Use the az group create command to create a Resource Group in your region, e.g.:

az group create -n chef-automate-ha -l westus

Using the Powershell:

New-AzureRmResourceGroup -Name chef-automate-ha -Location westus

4. Execute the template deployment

Note:

  • Deploy the ARM template using the Azure client, either CLI or PowerShell. Deployment may take between 30 and 60 minutes depending on deployment size.
  • Use the Azure client to check the "provisioningState" of the deployment as it progresses from "Running" to "Succeeded" (or "Failed").
  • After a successful deployment, use the Azure client to collect the following "output" values for Chef Server, Chef Backend and Chef Automate from the deployment output section of your Resource Group: adminusername, chefServerUrl, chefServerFqdn, keyvaultName, chefServerWebLoginUserName, chefServerWebLoginPassword, chefAutomateUrl, chefAutomateUsername, chefAutomatePassword and chefAutomateFqdn.

Using the CLI:

To deploy the ARM template, use the az group deployment create command. By default the command line will wait until the completion or failure of the deployment; however, add the "--no-wait" flag to immediately return control to the command line.

  • Open a terminal and cd into the chef-automate-ha directory.
  • Run the deployment without waiting for the output to return:

    az group deployment create --resource-group <NAME-OF-RESOURCE-GROUP> --template-file 'azuredeploy.json' --parameters 'azuredeploy.parameters.json' --no-wait

  • To get the "provisioningState" of the deployment ("Failed", "Succeeded", "Running", etc.), run the following command:

    az group deployment show --resource-group <NAME-OF-RESOURCE-GROUP> --name azuredeploy --query properties | jq '.provisioningState'

  • To get the "output" of the deployment, run the following command:

    az group deployment show --resource-group <NAME-OF-RESOURCE-GROUP> --name azuredeploy --query properties.outputs
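The CLI steps above can be scripted end to end. The following is an added example (it is not part of the chef-automate-ha repository) that starts the deployment with --no-wait, polls provisioningState until it leaves "Running", and then lists the outputs named in the note above, printing the two *Password outputs as <hidden> so that the Chef Server and Chef Automate credentials do not end up in terminal scrollback or CI logs; deployment_output fetches a single secret on demand when it is actually needed. It assumes the Azure CLI is installed and logged in, that azuredeploy.json and azuredeploy.parameters.json are in the current directory, and that the deployment is named azuredeploy as in the commands above. The script file name check-deployment.sh and the polling defaults are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the chef-automate-ha repository.
# Starts the ARM deployment from step 4 without waiting, polls its
# provisioningState, then collects the outputs. The two *Password outputs
# are never echoed; fetch them on demand with deployment_output instead.
# Assumes: the Azure CLI ("az") is installed and logged in, the template and
# parameter files are in the current directory, and the deployment is named
# "azuredeploy" (the name the README's commands use).

DEPLOYMENT_NAME="${DEPLOYMENT_NAME:-azuredeploy}"

# Output names listed in the README; the two ending in Password are secrets.
PUBLIC_OUTPUTS="adminusername chefServerUrl chefServerFqdn keyvaultName chefServerWebLoginUserName chefAutomateUrl chefAutomateUsername chefAutomateFqdn"
SECRET_OUTPUTS="chefServerWebLoginPassword chefAutomatePassword"

# True when the given output name is one of the secret outputs.
is_secret_output() {
    for s in $SECRET_OUTPUTS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Kick off the deployment and return immediately (the README's --no-wait form).
start_deployment() {
    az group deployment create --resource-group "$1" --name "$DEPLOYMENT_NAME" \
        --template-file azuredeploy.json --parameters azuredeploy.parameters.json --no-wait
}

# Print the provisioningState (Running, Succeeded, Failed, ...) of the deployment.
deployment_state() {
    az group deployment show --resource-group "$1" --name "$DEPLOYMENT_NAME" \
        --query properties.provisioningState -o tsv
}

# Print one deployment output value by name ($2).
deployment_output() {
    az group deployment show --resource-group "$1" --name "$DEPLOYMENT_NAME" \
        --query "properties.outputs.$2.value" -o tsv
}

# Poll until the deployment is no longer Running/Accepted and print the final
# state. $2 = seconds between polls (default 30), $3 = maximum number of polls
# (default 120, i.e. one hour). Prints "Timeout" and returns 1 on timeout.
wait_for_deployment() {
    rg="$1"; interval="${2:-30}"; max="${3:-120}"; n=0
    while :; do
        state="$(deployment_state "$rg")"
        case "$state" in
            Running|Accepted) ;;
            *) echo "$state"; return 0 ;;
        esac
        n=$((n + 1))
        if [ "$n" -ge "$max" ]; then
            echo "Timeout"; return 1
        fi
        sleep "$interval"
    done
}

# Print name=value for every output, replacing secret values with <hidden>.
show_outputs() {
    rg="$1"
    for name in $PUBLIC_OUTPUTS $SECRET_OUTPUTS; do
        if is_secret_output "$name"; then
            printf '%s=%s\n' "$name" "<hidden>"
        else
            printf '%s=%s\n' "$name" "$(deployment_output "$rg" "$name")"
        fi
    done
}

# Usage: ./check-deployment.sh <resource-group>
main() {
    rg="$1"
    [ -n "$rg" ] || { echo "usage: $0 <resource-group>" >&2; return 2; }
    start_deployment "$rg"
    final="$(wait_for_deployment "$rg")"
    echo "provisioningState: $final"
    if [ "$final" = "Succeeded" ]; then
        show_outputs "$rg"
    else
        echo "Deployment did not succeed; check the deployment error details and the /tmp/*.log files on the VMs." >&2
        return 1
    fi
}

# Run main only when executed as check-deployment.sh, not when sourced.
case "$0" in
    *check-deployment.sh) main "$@" ;;
esac
```

When a password is genuinely needed (for example to seed a password manager), call deployment_output with the secret's name and pipe the result straight into the consumer rather than echoing it.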

Using the Powershell:

$resourceGroup = "YOUR_RESOURCE_GROUP_NAME"
$templateDirectory = "/full/path/to/template/directory"
New-AzureRmResourceGroupDeployment `
    -ResourceGroupName $resourceGroup `
    -TemplateFile $templateDirectory/azuredeploy.json `
    -TemplateParameterFile $templateDirectory/azuredeploy.parameters.json `
    -AsJob

This will run the deployment as a background process and immediately return. To get the status of the deployment at any time (and the outputs, if the deployment succeeded), run the following:

$resourceGroup = "YOUR_RESOURCE_GROUP_NAME"
Get-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroup

If the deployment is successful, something like the following will return:

[Screenshot: Deployment output section / Deployment succeeds]

If the deployment fails, then:

[Screenshot: Deployment fails]

Post-Installation and Verification

If the deployment has failed for some reason:

  • check the output from the "az group deployment create..." command
  • SSH onto one or all of the servers and check the log file in the /tmp directory. For example, the log file for the Automate server will be /tmp/chef-automate-install.sh.log, for the backend /tmp/chef-backend-install.sh.log, and for the frontend /tmp/chef-frontend-install.sh.log

If the deployment has succeeded, then you should be able to:

  • SSH to the Chef Server via the chefServerFqdn
  • view the Chef Server front page at chefServerUrl with the username chefServerWebLoginUserName and password chefServerWebLoginPassword
  • view the Chef Automate front page at chefAutomateUrl with the username chefAutomateUsername and password chefAutomatePassword

For more information and to perform additional configuration and customization see all the options available at https://docs.chef.io/install_server_ha.html

Further information

  • To learn more about Chef, visit learn.chef.io
  • To learn more about Azure's Cloud Shell visit the azure documentation here and here
  • To learn more about how to get output from an azure deployment, visit the azure documentation.

Licensing

New users may try the features of this template (including Chef Automate and Chef Backend components) using a trial license for up to 30 days. Contact us at azuremktplcsales@chef.io to obtain a full license.

Contact

Contact the Partner Engineering team at Chef for queries relating to this template.

(c) 2018 Chef Software, Inc.
