Automate Infra Views [read-only]

[btm]

Automate Infra Views

(Chef Manage in Automate)

Automate is the observability platform for Chef Infra, but only provides the outcome of Chef Infra client runs. If there was a failure, I currently need to leave Automate and use other tools to find the contents of the Policy to understand the failure.

To be able to retrieve Policy information, Automate will need to know address information and credentials for one or more Chef Infra Servers. By creating an API that proxies to Chef Infra servers, we can separate the different Chef Infra Server authn/authz design from the Automate authn/authz design. We also retain the option to allow Automate to control the API going forward.

Motivation

As a System Administrator,
I want to have Chef Infra Policy information in Automate,
so that I can quickly understand the cause of Chef Infra client failures.

Specification

This initiative covers read-only access and views to the Chef Infra Server only, and excepts for later a few cases such as viewing nodes, policyfile information, and users.

chef-infra-proxy component

/infra/servers

get - returns list of known Chef Infra servers
post - add a Chef Infra server record
patch - update a Chef Infra server record
delete - remove a Chef Infra server record

fields: ID, name, fqdn/ip

/infra/servers/ID/orgs

get - returns list of configured organizations
post - configure an organization
patch - update an organization
delete - remove an organization

fields: id, name, admin_user, admin_key (secrets-service)

/infra/servers/ID/api

proxies requests to the identified server using the stored credentials for the organization
e.g. /infra/servers/ID/api/organizations/ORG_ID/cookbooks

Automate Infra Server Views (UI)

• Feature Flag (Chef Infra Server Views)

Pages

• Manage connected Infra Server organizations
• Manage connected Infra Servers
• View Cookbooks # Phase 2
• View Roles # Phase 2
• View Environments # Phase 3
• View Data Bags # Phase 3
• View Clients # # Phase 4 - Stretch goal

APIs

• Manage connected Infra Server organizations API
• Manage connected Infra Servers API
• Cookbooks API
• Affetecd nodes API(cookbooks, roles, environments, policyfiles)
• Roles API
• Environments API
• Data Bags API
• Policyfiles API
• Clients API

IAM

• Limit adding/removing Infra Servers and organizations to Editors
• Allow associating an organization to one or more projects
• Limit viewing policy (cookbooks, roles, etc) if the user lacks access (including filtered by project)

Note in both cases the relevant information should not be viewable in the UI if you lack permissions. For example, a normal user could see the list of Chef Servers, but the "Add Chef Server" button would not be visible.

UI Mock Ups

[FEB 27 2020 ] https://chef.invisionapp.com/share/EYW6R099CGH#/401258846_V0_-_Client_Runs_-_Cookbooks_-_Details_-_Description

Aha! Link: https://chef.aha.io/epics/SH-E-746

[stevendanna]

/infra/servers
...
patch - update a Chef Infra server record
delete - remove a Chef Infra server record

It might make more sense for these to be on an endpoint with /infra/servers/ID similarly for the same methods on orgs.

[kalroy]

This EPIC and all the issues are addressed in the build 20210217163248

[btm]

This was shipped long, closing this epic.