Skip to main content

On-premise Deployment with Chef Managed Database

Note

Chef Automate 4.10.1 released on 6th September 2023 includes improvements to the deployment and installation experience of Automate HA. Please read the blog to learn more about key improvements. Refer to the pre-requisites page (On-Premises, AWS) and plan your usage with your customer success manager or account manager.

This section will discuss deploying Chef Automate HA on-premise machines with chef managed database. Please see the On-Premises Prerequisites page and move ahead with the following sections of this page.

Warning

  • PLEASE DO NOT MODIFY THE WORKSPACE PATH; it should always be “/hab/a2_deploy_workspace”.
  • We currently don’t support AD managed users in nodes. We only support local Linux users.
  • If you have configured a sudo password for the user, you must create an environment variable sudo_password and set the password as the variable’s value. Example: export sudo_password=<password>. And then, run all sudo commands with the sudo -E or --preserve-env option. Example: sudo -E ./chef-automate deploy config.toml --airgap-bundle automate.aib. This is required for the chef-automate CLI to run the commands with sudo privileges. Please refer this for details.
  • If SELinux is enabled, deployment with configure it to permissive (Usually in case of RHEL SELinux is enabled)

Steps to run on Bastion Host Machine

  1. Run the below commands to download the latest Automate CLI and Airgapped Bundle:

    #Run commands as sudo.
sudo -- sh -c "
#Download Chef Automate CLI.
curl https://packages.chef.io/files/current/latest/chef-automate-cli/chef-automate_linux_amd64.zip \
| gunzip - > chef-automate && chmod +x chef-automate \
| cp -f chef-automate /usr/bin/chef-automate
#Download the latest Airgapped Bundle.
#To download specific version bundle, example version: 4.2.59 then replace latest.aib with 4.2.59.aib
curl https://packages.chef.io/airgap_bundle/current/automate/latest.aib -o automate.aib
"

    Note

    Chef Automate bundles are available for 365 days from the release of a version. However, the milestone release bundles are available for download forever.

    Note

    If the Airgapped Bastion machine differs, transfer the Bundle file (latest.aib) and Chef Automate CLI binary (chef-automate) to the Airgapped Bastion Machine using the scp command.

    After transferring, in Airgapped Bastion, run the below commands:

    #Run commands as sudo.
sudo -- sh -c "
#Move the Chef Automate CLI to `/usr/bin`.
cp -f chef-automate /usr/bin/chef-automate
"

Steps to Generate Config

  1. Generate config using the below command:
sudo chef-automate config gen config.toml

Click here to know more about generating config.

You can also view the Sample Config.

Note

You can also generate config using init config and then generate init config for existing infrastructure. The command is as shown below:

chef-automate init-config-ha existing_infra

Config Verify

  1. We verify the above config using the below command :

    sudo chef-automate verify -c config.toml

    To know more about config verify you can check Config Verify Doc page.

    Once the verification is successfully completed, then proceed with deployment, In case of failure please fix the issue and re-run the verify command.

Steps to Deploy

  1. The following command will run the deployment. The deploy command will run the verify command internally, to skip a verification process during deploy command use --skip-verify flag

    chef-automate deploy config.toml --airgap-bundle automate.aib

    To skip verification in the deploy command, use --skip-verify flag

     chef-automate deploy config.toml --airgap-bundle automate.aib --skip-verify

Verify Deployment

  1. Once the deployment is successful, Get the consolidate status of the cluster

     chef-automate status summary

  2. Get the service status from each node

     chef-automate status

  3. Post Deployment, you can run the verification command

     chef-automate verfiy

  4. Get the cluster Info

     chef-automate info

    Check if Chef Automate UI is accessible by going to (Domain used for Chef Automate) https://chefautomate.example.com. After successful deployment, proceed with following…

    1. Create user and orgs, Click here to learn more about user and org creation
    2. Workstation setup, Click here to learn more about workstation setup
    3. Node bootstrapping, Click here to learn more about node bootstrapping.

Backup/Restore

A shared file system is always required to create OpenSearch snapshots. To register the snapshot repository using OpenSearch, it is necessary to mount the same shared filesystem to the exact location on all master and data nodes. To know more about the backup and restore configuration, see On-Premise Deployment using Filesystem or using Object Storage.

Add/Remove Nodes

The Chef Automate commands require some arguments so that it can determine which types of nodes you want to add or remove to/from your HA setup from your bastion host. To know more see Add Nodes to the Deployment to add nodes and Remove Single Node from Cluster to remove nodes.

Patch Configs

The bastion server can patch new configurations in all nodes. To know more see Patch Configuration section.

Sample Config

Note

  • Assuming 10+1 nodes (1 bastion, 2 for automate UI, 2 for Chef-server, 3 for Postgresql, 3 for OpenSearch).
  • The following config will, by default, leave the backup configuration empty.
  • To provide multiline certificates use triple quotes like """ multiline certificate contents""".
[architecture]
  [architecture.existing_infra]
    ssh_user = "ec2-user"
    ssh_group_name = "ec2-user"
    ssh_key_file = "~/.ssh/my-key.pem"
    ssh_port = "22"
    secrets_key_file = "/hab/a2_deploy_workspace/secrets.key"
    secrets_store_file = "/hab/a2_deploy_workspace/secrets.json"
    architecture = "existing_nodes"
    workspace_path = "/hab/a2_deploy_workspace"
    backup_mount = "/mnt/automate_backups"
    backup_config = "file_system"
[automate]
  [automate.config]
    admin_password = "Progress@123"
    fqdn = "chefautomate.example.com"
    config_file = "configs/automate.toml"
    root_ca = "-----BEGIN CERTIFICATE-----
    <Certificates>
    -----END CERTIFICATE-----"
    instance_count = "2"
[chef_server]
  [chef_server.config]
    fqdn = "chefinfraserver.example.com"
    lb_root_ca = "-----BEGIN CERTIFICATE-----
    <Certificates>
    -----END CERTIFICATE-----"
    instance_count = "2"
[opensearch]
  [opensearch.config]
    instance_count = "3"
[postgresql]
  [postgresql.config]
    instance_count = "3"
[existing_infra]
  [existing_infra.config]
    automate_private_ips = ["192.0.0.1", "192.0.0.2"]
    chef_server_private_ips = ["192.0.0.3", "192.0.0.4"]
    opensearch_private_ips = ["192.0.0.5", "192.0.0.6", "192.0.0.7"]
    postgresql_private_ips = ["192.0.0.8", "192.0.0.9", "192.0.0.10"]

Uninstall Chef Automate HA

To uninstall Chef Automate HA instances after unsuccessful deployment, run the below command in your bastion host.

    chef-automate cleanup --onprem-deployment
Edit this page on GitHub

Thank you for your feedback!

×









Search Results