chef · kalroy · Jul 24, 2023 · Jun 28, 2023 · Jun 28, 2023 · Jun 28, 2023
@@ -381,6 +381,15 @@ Uncomment and change settings as needed, and then run `chef-automate config patc
 # run_time_limit = 0.5
 ```
 
+#### Encrypt Cookies with Custom Secret Key in OC-ID Service
+
+Now, you can configure and integrate an existing private Supermarket with Chef Automate. `secret_key_base` is an attribute introduced as optional setting in OC-ID service of Automate which will be used to encrypt the cookies and other information. By default a unique `secret_key_base` gets generated internally for the OC-ID service running as part of Chef Automate. If you want to set it to something custom you can assign it a random string which will be used by OC-ID as the `secret_key_base`. Below is the syntax to set the configuration for the OC-ID service.
+
+```toml
+[ocid.v1.sys.ocid]
+ secret_key_base = ""
+```
+
 #### Configure Inflight Data Collector Request Maximum
 
 You can specify the maximum number of inflight data collector requests. The default value is sixty times the number of the machine's available CPUs.

@@ -261,7 +261,7 @@ To know more about the AWS deployment disaster recovery, visit our [Disaster Rec
 | ----------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------ | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chef Automate | [Standalone](/automate/install/) | Automate 2020XXXXXX | | To migrate to Managed OpenSearch Automate HA cluster, the current standalone Chef Automate version should be at most 4.3.0. |
 | Chef Backend | [Chef Backend Cluster](/server/install_server_ha/) | Backend 2.X and Infra Server 14.X | Chef Infra Server 15.4.0 | Chef Backend using PostgreSQL storage for Cookbooks should only migrate to Automate HA. |
-| Chef Infra Server | [Standalone](/server/install_server/#standalone)<br />[Tiered](/server/install_server_tiered/) | Infra server 14.XXX | Chef Infra Server 15.4.0 | Chef Manage, or Private Chef Supermarket with Chef Backend should not migrate to Automate HA. Automate HA does not support supermarket authentication with chef-server user credentials. <br />Chef Infra Server using PostgreSQL storage for Cookbooks should only migrate to Automate HA. |
+| Chef Infra Server | [Standalone](/server/install_server/#standalone)<br />[Tiered](/server/install_server_tiered/) | Infra server 14.XXX | Chef Infra Server 15.4.0 | Chef Infra Server using PostgreSQL storage for Cookbooks should only migrate to Automate HA. |
 | A2HA | PS Lead A2HA On-Premise Deployment | Chef Automate version 20201230192246 | Chef Automate Version 20220223121207 | The A2HA cluster-mounted backup file system should also be attached to Automate HA cluster.<br />In case of In-Place migration, the volume having `/hab` should have more than 60% free space on each node. |
 
 {{< note >}}

@@ -16,9 +16,9 @@ gh_repo = "automate"
 
 {{< warning >}}
 
-- Customers using only **Standalone Chef Infra Server** or **Chef Backend** are advised to follow this migration guidance. Customers using **Chef Manage** or **Private Chef Supermarket** with Chef Backend should not migrate with this.
+- Customers using only **Standalone Chef Infra Server** or **Chef Backend** are advised to follow this migration guidance. Customers using **Chef Manage** with Chef Backend should not migrate with this.
+
 - Also, for the customers using a standalone Chef Infra Server, cookbooks should be in the database or S3 but not in the file system.
-- Automate HA does not support supermarket authentication with chef-server user credentials. Post migration to Automate HA those customer users will not be able to log in with chef-server user credentials to their Supermarket.
 
 {{< /warning >}}
 
@@ -309,4 +309,8 @@ Bootstrap the nodes to update the `chef_server_url` using the following steps:
 
 ## Use Automate HA for Chef-Backend User
 
-From the bastion host or a local machine, download and install [Chef Workstation](https://www.chef.io/downloads). See the [Chef Workstation documentation](/workstation/getting_started/#set-up-your-chef-repo) for information on setting up Workstation.
+Download and Install the [Chef Workstation](https://www.chef.io/downloads/tools/workstation) from the Bastion machine or local machine install chef-workstation. You can refer to the [Workstation page](https://docs.chef.io/workstation/getting_started/#set-up-your-chef-repo) to set up your Workstation.
+
+## Use Existing Private Supermarket with Automate HA
+
+If you are using private instance of Supermarket with Chef Backend, you can refer to [Supermarket with Automate HA](/automate/supermarket_with_automate_ha/) to ensure that your same private instance of Supermarket works with Automate HA cluster.
@@ -254,13 +254,11 @@ To know more about the on-premises deployment disaster recovery, visit our [Disa
 
 - Automate HA will always have Chef Automate and Chef Infra Server running in the cluster.
 
-- Chef Manage or Private Chef Supermarket customers should not migrate to Automate HA.
-
 | Existing System | Supported Setup Type | Minimum Eligible System Version | Maximum Eligible System Version | Pre-requisite Before Migration |
 |-----------------|----------------------|---------------------------------|-----------|------------------------------|
 | Chef Automate | [Standalone](/automate/install/) | Automate 2020XXXXXX | | To migrate to Managed OpenSearch Automate HA cluster, the current standalone Chef Automate version should be at most 4.3.0. |
 | Chef Backend | [Chef Backend Cluster](/server/install_server_ha/) | Backend 2.X and Infra Server 14.X | Chef Infra Server 15.4.0 | Chef Backend using PostgreSQL storage for Cookbooks should only migrate to Automate HA. | 
-| Chef Infra Server | [Standalone](/server/install_server/#standalone)<br />[Tiered](/server/install_server_tiered/) | Infra server 14.XXX | Chef Infra Server 15.4.0 | Chef Manage, or Private Chef Supermarket with Chef Backend should not migrate to Automate HA. Automate HA does not support supermarket authentication with chef-server user credentials. <br />Chef Infra Server using PostgreSQL storage for Cookbooks should only migrate to Automate HA. |
+| Chef Infra Server | [Standalone](/server/install_server/#standalone)<br />[Tiered](/server/install_server_tiered/) | Infra server 14.XXX | Chef Infra Server 15.4.0 | Chef Infra Server using PostgreSQL storage for Cookbooks should only migrate to Automate HA. |
 | A2HA | PS Lead A2HA On-Premises Deployment |Chef Automate version 20201230192246 | Chef Automate Version 20220223121207 | The A2HA cluster-mounted backup file system should also be attached to Automate HA cluster.<br />In case of In-Place migration, the volume having `/hab` should have more than 60% free space on each node. |
 
 {{< note >}}

@@ -0,0 +1,154 @@
++++
+title = "Supermarket Integration"
+weight = 20
+draft = false
+gh_repo = "automate"
+
+[menu]
+ [menu.automate]
+ title = "Supermarket Integration"
+ parent = "automate/install"
+ identifier = "automate/install/supermarket_integration_with_automate.md Supermarket Integration"
+ weight = 70
++++
+
+Chef Supermarket is the site for cookbooks. It provides a searchable cookbook repository and a friendly web UI. In this article, we will configure and integrate an existing private Supermarket with an Airgapped installation of Chef Automate.
+
+## Pre-requisites
+
+1. To start with the supermarket integration, firstly, use the `chef-automate` binary to create an **Airgap Installation Bundle (`.aib`)** for Automate on an internet-connected host. Refer to the [System Requirement](/automate/system_requirements/) page for the hardware and software requirements. Refer to the [Airgapped Installation](/automate/airgapped_installation/) page for the complete steps of airgapped installation. Once you are done with the deployment of Automate, following the steps below:
+
+1. Check the status of all the components using the following command:
+
+ ```bash
+ chef-automate status
+ ```
+
+1. Create a user using the following command:
+
+ ```bash
+ chef-server-ctl command
+ ```
+
+ N.B. For more help on how to create user using the `chef-server-ctl` utility, refer this [documentation](https://docs.chef.io/server/ctl_chef_server/#user-create).
+
+## Register Supermarket with Automate Embedded Chef Identity
+
+When you install Chef Automate, it bundles the Chef-Server OC-ID component as an Oauth provider. Users can use the Oauth provider to log in to another application (e.g. Supermarket) using their Chef-Server credentials. Follow the steps below to register the applications to use OC-ID as a medium to log in to the respective applications. Once you finish the registration, you will be authorized to use Chef-Server login credentials to login to the application.
+
+1. Create a file to list down the details of the application you want to register with OC-ID. In the file `ocid-apps.toml`, mention the application's **name** and the **redirect_uri**. The content of the created file should be in the following format:
+
+ ```cd
+ [ocid.v1.sys.ocid.oauth_application_config]
+ [[ocid.v1.sys.ocid.oauth_application_config.oauth_applications]]
+ name = ""
+ redirect_uri = ""
+ ```
+
+ Update the FQDN/Host Name of your supermarket website in the `redirect_uri`. Refer to the code below:
+
+ ```cd
+ [ocid.v1.sys.ocid.oauth_application_config]
+ [[ocid.v1.sys.ocid.oauth_application_config.oauth_applications]]
+ name = "supermarket"
+ redirect_uri = "https://<YOUR SUPERMARKET FQDN>/auth/chef_oauth2/callback"
+ ```
+
+ To add more than one application with the OC-ID service, keep repeating the above code in the file with the respective application details. For example:
+
+ ```cd
+ [ocid.v1.sys.ocid.oauth_application_config]
+ [[ocid.v1.sys.ocid.oauth_application_config.oauth_applications]]
+ name = "application-1"
+ redirect_uri = "https://application-1.com/auth/chef_oauth2/callback"
+ [[ocid.v1.sys.ocid.oauth_application_config.oauth_applications]]
+ name = "application-2"
+ redirect_uri = "https://application-2.com/auth/chef_oauth2/callback"
+ ```
+
+ Using the above snippet, you can register two applications to the OC-ID.
+
+1. Now, patch the above configuration by running the below command:
+
+ ```bash
+ chef-automate config patch ocid-apps.toml
+ ```
+
+ Once the patch is successfully applied, the new application will get registered with Chef Identity.
+
+1. Verify whether the new configuration has been applied or not by running the following command:
+
+ ```bash
+ chef-automate config show
+ ```
+
+ The output of the above command should contain the values from the file you patched.
+
+1. Run the following `ctl` command to get the details of the applications registered with OC-ID.
+
+ ```cd
+ chef-automate config oc-id-show-app
+ ```
+
+ The output of the above command is as shown below:
+
+ ```cd
+ supermarket:
+ - name: supermarket
+ redirect_uri: https://example-supermarket.com/auth/chef_oauth2/callback
+ uid: 735c44e423787134839ce1bdb6b2ab8bd9eca5b656f0f4e69df3641ea494cdda
+ secret: 4c371ceb46465b162c0b4a670573d80ac1d6adeebaa2638db53bb9f94d432340
+ id:
+ ```
+
+## Supermarket Configuration
+
+To configure the supermarket in Chef Automate, follow the steps given below:
+
+1. SSH into the ec2 instance where the supermarket is installed. Then run the following commands:
+
+ ```bash
+ sudo su
+ cd /etc/supermarket
+ ```
+
+1. Update the `supermarket.rb` file in the `/etc/supermarket` directory with the application details retrieved from the automate instance after registering supermarket as an oauth application with OC-ID:
+
+ ```cd
+ default['supermarket']['chef_oauth2_app_id'] = "<uid>"
+ default['supermarket']['chef_oauth2_secret'] = "<secret>"
+ default['supermarket']['chef_oauth2_url'] = "<automate_url>"
+ default['supermarket']['chef_oauth2_verify_ssl'] = false
+ ```
+
+ The flag `chef_oauth2_verify_ssl` value is boolean and should be based on whether you have a valid(non self-signed certificate) certificate for automate. If you have a valid certificate, set it as `true`, or else set it as `false`.
+
+1. Now, run the following `reconfigure` command to reflect the above changes in the running supermarket application:
+
+ ```bash
+ supermarket-ctl reconfigure
+ ```
+
+1. Once reconfiguring is completed, visit the supermarket website on the browser. Refer to the image below:
+
+ {{< figure src="/images/automate/standalone_supemarket_landing_page.png" alt="Supermarket Landing Page">}}
+
+1. Hit the supermarket URL and select Sign In. You will be redirected to the Chef Identity page running inside Automate. Refer to the image below:
+
+ {{< figure src="/images/automate/standalone_supermaket_sign-in.png" alt="Supermarket Sign In Page">}}
+
+1. Sign in with the already created user credentials to authorize the supermarket app. Refer to the image below:
+
+ {{< figure src="/images/automate/standalone_supermarket_credentials_signin.png" alt="Supermarket Credentials">}}
+
+1. Authorize the supermarket to use your Chef account. Refer to the image below:
+
+ {{< figure src="/images/automate/standalone_supermaket_authorization.png" alt="Supermarket Authorization Page">}}
+
+1. Once the supermarket application is successfully authorized, the screen looks like as shown in the below image:
+
+ {{< figure src="/images/automate/standalone_supermarket_app_board.png" alt="Supermarket Board">}}
+
+You have successfully logged in to the supermarket using the credentials of `chef-server` through the **Chef Identity** service running as part of Airgapped Automate.
+
+Refer to the [Configuration](/automate/configuration/#encrypt-cookies-with-custom-secret-key-in-oc-id-service) page, to check the optional settings for integration of private Supermarket in Chef Automate.
@@ -0,0 +1,47 @@
++++
+title = "Supermarket with Automate HA"
+draft = false
+gh_repo = "automate"
+[menu]
+
+ [menu.automate]
+ title = "Supermarket with Automate HA"
+ parent = "automate/deploy_high_availability"
+ identifier = "automate/deploy_high_availability/supermarket_with_automate_ha.md Supermarket with Automate HA"
+ weight = 85
++++
+
+This page will discuss the integration of Supermarket with Automate HA setup. The page will guide you to register an existing private Supermarket with [on-premises deployment](/automate/ha_onprim_deployment_procedure/) of Automate HA.
+
+Before starting this page, refer to the [Supermarket Integration](/automate/supermarket_integration_with_automate/) page with Automate for basic understanding.
+
+## Register Supermarket with Automate HA
+
+The overall steps to register an existing private instance of Supermarket with Automate HA is same as the steps to register it with [Standalone](/automate/supermarket_integration_with_automate/#register-supermarket-with-automate-embedded-chef-identity) Automate. The only difference is in the way we patch the `.toml` file in Automate HA.
+
+Follow the steps to register supermarket with Automate HA:
+
+1. Register your existing supermarket with [Automate embedded Chef identity](/automate/supermarket_integration_with_automate/#register-supermarket-with-automate-embedded-chef-identity).
+
+1. Now, patch the configuration on all the frontend nodes from the Bastion node using the command below:
+
+ ```bash
+ // Frontend Nodes
+ chef-automate config patch ocid-apps.toml -f
+ ```
+
+ Once the patch is completed, the new application should be registered with OC-ID as part of Automate embedded chef-server.
+
+1. You can get the details of the registered applications from the bastion node by running the following command:
+
+ ```bash
+ chef-automate config oc-id-show-app
+ ```
+
+ The output of the above command looks like as shown below:
+
+ {{< figure src="/images/automate/ha_output_ocid_app.png" alt="OC-ID Application Output">}}
+
+1. The configuration of supermarket in Chef Automate HA can be done in the same way as Standalone Automate. Refer to the [Supermarket Integration](/automate/supermarket_integration_with_automate/#supermarket-configuration) page to view the configuration steps.
+
+Refer to the [Configuration](/automate/configuration/#encrypt-cookies-with-custom-secret-key-in-oc-id-service) page, to check the optional settings for integration of private Supermarket in Chef Automate.