diff --git a/content/360/saas/get_started/enroll_nodes.md b/content/360/saas/get_started/enroll_nodes.md index 6d7a380a5c..d165cb5c31 100644 --- a/content/360/saas/get_started/enroll_nodes.md +++ b/content/360/saas/get_started/enroll_nodes.md @@ -120,9 +120,9 @@ To enroll a Windows node, follow these steps: ## Cookbook-based enrollment -With cookbook-based enrollment, you enroll nodes from the client side by uploading a [cookbook](https://docs.chef.io/cookbooks/) with enrollment settings to Chef Infra Server and then Chef Infra Client enrolls the node with Chef 360 SaaS. +With cookbook-based enrollment, you enroll nodes from the client side by uploading a [cookbook](/cookbooks/) with enrollment settings to Chef Infra Server and then Chef Infra Client enrolls the node with Chef 360 SaaS. -### Enroll nodes +### Enroll nodes with a cookbook The `chef-cookbook-enroll` cookbook uses the `node_management_enroll` custom resource and a [wrapper cookbook](https://www.chef.io/blog/writing-wrapper-cookbooks) to define enrollment settings. 
@@ -144,23 +144,82 @@ To configure the cookbooks and define enrollment settings, follow these steps: chef generate cookbook ``` - In the [`metadata.rb` file](https://docs.chef.io/config_rb_metadata/) of your wrapper cookbook, add the following dependency to include the `chef-cookbook-enroll` cookbook: + In the [`metadata.rb` file](/config_rb_metadata/) of your wrapper cookbook, add the following dependency to include the `chef-cookbook-enroll` cookbook: ```ruby depends 'chef360-node-enroll', '~> 1.0.0' ``` +1. Copy of the Chef 360 SaaS public key and add it to your wrapper cookbook: + + ```plaintext + -----BEGIN CERTIFICATE----- + MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4 + GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbF + NpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwM + zE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzET + MBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQY + JKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2Ec + WtiHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUh + hB5uzsTgHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL + 0gRgykmmKPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65 + TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rU + AVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCA + wEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNv + AUKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8 + dEe3jgr25sbwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw + 8lo/s7awlOqzJCK6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0 + 095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVE + TI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02 + JQZR7rkpeDMdmztcpHWD9f + -----END CERTIFICATE----- + ``` + + This public key expires on March 18, 2029. + +1. 
Generate an access key and secret key: + + ```bash + chef-platform-auth-cli user-account self create-token --body '{"expiration": "", "name": ""}' --profile + ``` + + Replace: + + - `` with a date and time in ISO 8601 format (for example, `2027-12-31T11:42:23-05:00`). + - `` with a meaningful token name for easy identification. + - `` with a profile that has the node-manager role assigned to it. + + The response includes an access key and secret key and is similar to the following: + + ```json + { + "item": { + "accessKey": "6QIUKP4WIXD4RVAF0BQ3", + "expiration": "2027-12-31T11:42:23-05:00", + "id": "bcba5b7a-fb0b-4a62-b442-7ba7bda5e05a", + "name": "CI-CD Token", + "role": { + "id": "5fcb0235-1e56-4ece-8857-404a5d39a290", + "name": "tenant-admin" + }, + "secretKey": "x6aCg1NckQoLsQnere26fmGgD0RiWOrf4RNXBhlg" + } + } + ``` + 1. Define the `node_management_enroll` resource in your wrapper cookbook's recipe: ```ruby node_management_enroll 'Enroll Node' do chef_platform_url '' enroll_type '' - api_port '' + api_port '443' access_key '' secret_key '' cohort_id '' hab_builder_url '' + root_ca working_dir_path '' upgrade_skills end 
@@ -170,30 +229,30 @@ To configure the cookbooks and define enrollment settings, follow these steps: - `` with the fully qualified domain name (FQDN) for your Chef 360 SaaS deployment. - `` with either `full` or `partial` depending on the form of enrollment. Use `full` unless you must `partial`. - - `` with the API port configured in Chef 360 SaaS. The default value is `31000`. - - `` with an access key for secure communication with Chef 360 SaaS. Store securely using an [encrypted Chef data bag](https://docs.chef.io/data_bags/) or a [secrets manager](https://docs.chef.io/infra_language/secrets/). - - `` with a secret key for secure communication with Chef 360 SaaS. Store securely using an [encrypted Chef data bag](https://docs.chef.io/data_bags/) or a [secrets manager](https://docs.chef.io/infra_language/secrets/). + - `` with the access key for secure communication with Chef 360 SaaS. This should be stored using an [encrypted Chef data bag](/data_bags/) or [secrets manager](/infra_language/secrets/). + - `` with the secret key for secure communication with Chef 360 SaaS. This should be stored using an [encrypted Chef data bag](/data_bags/) or [secrets manager](/infra_language/secrets/). - `` with a valid cohort UUID. The cohort defines all skills and settings installed on the node. - `` with the URL of the Chef Habitat Builder used by your organization. Default value: `https://bldr.habitat.sh` + - `` if TLS is enabled, with the root CA public key. For example, `node['enroll']['root_ca']`. - `` with a temporary working directory where all required builds are downloaded. Specify a valid path based on the OS. Default value: `/tmp`. - `` with `true` or `false`. If `true`, Chef 360 SaaS checks for the latest skill versions and installs them if found. Default value: `false`. 1. Push the wrapper cookbook or policy to the Chef Infra Server. - 1. 
If you're using a role, [upload](https://docs.chef.io/workstation/knife_cookbook/#upload) the wrapper cookbook to the Chef Infra Server: + 1. If you're using a role, [upload](/workstation/knife_cookbook/#upload) the wrapper cookbook to the Chef Infra Server: ```bash knife cookbook upload --cookbook-path ``` - 1. If you're using a Policyfile, [create `Policyfile.lock.json` file](https://docs.chef.io/workstation/ctl_chef/#chef-install) and [push](https://docs.chef.io/workstation/ctl_chef/#chef-push) the Policyfile to Chef Infra Server: + 1. If you're using a Policyfile, [create `Policyfile.lock.json` file](/workstation/ctl_chef/#chef-install) and [push](/workstation/ctl_chef/#chef-push) the Policyfile to Chef Infra Server: ```bash chef install chef push ``` -1. Include the wrapper cookbook in your node's run-list by adding it to a role or Policyfile. See the [run-list](https://docs.chef.io/run_lists/) and [role](https://docs.chef.io/roles/#manage-roles) documentation for more information. +1. Include the wrapper cookbook in your node's run-list by adding it to a role or Policyfile. See the [run-list](/run_lists/) and [role](/roles/#manage-roles) documentation for more information. The next time Chef Infra Client runs, it executes the `node_management_enroll` resource and the node is enrolled with Chef 360 SaaS.
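Review bot: renaming `### Enroll nodes` to `### Enroll nodes with a cookbook` in the first hunk changes the heading's generated anchor, so any existing links to `#enroll-nodes` on this or other pages will break; search the docs tree for that fragment and either update the links or add an alias. The switch from `https://docs.chef.io/cookbooks/` to the relative `/cookbooks/` only works if this Chef 360 content is published under the same site root as the Infra docs; the same assumption applies to every relative link introduced by this patch, so confirm it once rather than per link.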
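Review bot: in the second hunk's new step "Copy of the Chef 360 SaaS public key", the pasted block is delimited by `-----BEGIN CERTIFICATE-----`, so it is an X.509 certificate rather than a bare public key (its base64 decodes to a GlobalSign Root CA - R3 subject, consistent with the stated March 18, 2029 expiry); call it the root CA certificate so it matches the `root_ca` property it feeds, fix the phrase to "Copy the ...", and say where in the wrapper cookbook it belongs, since the third hunk implies an attribute such as `node['enroll']['root_ca']`. Embedding a public root verbatim in the docs also means the page silently goes stale when the platform's chain changes; pointing readers at where to obtain the current certificate would age better. In the `create-token` step the placeholders have come through empty (`--body '{"expiration": "", "name": ""}' --profile` and the "Replace:" bullets that start with a bare ``), so the angle-bracket names need restoring or escaping. The sample response shows `"name": "tenant-admin"` under `role` while the text tells the reader to use a profile with the node-manager role; show the least-privileged role the page recommends, and replace the realistic-looking `accessKey`/`secretKey` values with obvious placeholders so they are not pasted into recipes. Finally, the untouched `depends 'chef360-node-enroll', '~> 1.0.0'` does not match the `chef-cookbook-enroll` name used in the surrounding prose; one of the two is wrong.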
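Review bot: the third hunk deletes the bullet that documented `api_port` (with its `31000` default) from the replacement list, yet the resource example in the previous hunk still sets `api_port '443'`, so the property is now shown without being explained and the two defaults disagree; either drop the line from the example or keep a one-sentence description with the intended default. The new `root_ca` bullet, "if TLS is enabled, with the root CA public key", should say "root CA certificate" to match the PEM block added earlier, and since enrolment here targets a SaaS endpoint over HTTPS it should state what the resource does when `root_ca` is omitted (for example, fall back to the system trust store) so readers do not read "if TLS is enabled" as permission to skip certificate verification. While in this region, the context line "Use `full` unless you must `partial`" is missing a verb ("unless you must use `partial`").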