- From: Peter Norton
- To:
- Subject: [chef] Suggested patch to chef to enable passing the data bag secret to a node, bypassing storage on the server
- Date: Mon, 7 Nov 2011 17:44:51 -0500
These patches are all reversed (sorry, I'm just patching gems right now, I haven't fixed anything in git). I'm sending it this way because, well, for the moment this mailing list is my revision control.
GOAL:
Using encrypted databags is nice, but if we want fully automated installation then there needs to be a way to get encrypted keys from a server which may not be trusted (e.g. hosted chef) to a client. Encrypted databags make this possible, but this only works if the client can decrypt the values that they need.
This allows the knife config file on the client to contain a new variable: "data_bag_keyfile". If this is defined, then it will be read and used in the same way as "validation_key". Its pathname will be expanded, and when this config is referenced it will write out the contents of the data_bag_keyfile. Example usage (in this case, in ubuntu10.04-basic.erb):
# The below relies on the config parameter "data_bag_keyfile" existing in the
# knife config. This allows secrets to be stored on a less trusted server.
echo -e "`date` \n\n**** \n**** Knifing in the chef data bag secret file:\n****\n"
# Run the whole copy under umask 077 so neither the temporary copy in /tmp nor
# the final file is ever created world-readable under the default umask. The
# redirects sit inside the subshell so the umask applies to them.
(
umask 077
cat <<'EOP' > /tmp/encrypted_data_bag_secret
<%= data_bag_keyfile %>
EOP
# awk NF drops the blank lines the heredoc rendering may add.
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
)
chmod 600 /etc/chef/encrypted_data_bag_secret
As-is, this patch will probably break when knifing a server if the path referred to isn't present. Since this is a new config this is not ideal, but it's a proof of concept and working for me at the moment.
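As an added example (my code, not Chef's and not part of the patch), here is how the bootstrap context accessor and the template fragment could be written so that an unset option or a missing file renders a bootstrap without the secret block instead of aborting, which is the breakage described above. The class name BootstrapContextExample, the data_bag_keyfile? predicate, render_bootstrap_variants and the template text are constructed for this example; only the validation_key and data_bag_keyfile names come from the patch.

```ruby
require 'erb'
require 'tmpdir'

# Added example (not Chef's code): a stand-in for the knife bootstrap context
# showing how a "data_bag_keyfile" knife.rb option would be read and rendered
# into the bootstrap template. Unlike a bare IO.read, it expands the path and
# treats an unset option or a missing file as "no secret", so a bootstrap
# without the feature configured still renders instead of raising.
class BootstrapContextExample
  def initialize(chef_config)
    @chef_config = chef_config
  end

  # Same shape as the existing validation_key accessor.
  def validation_key
    IO.read(File.expand_path(@chef_config[:validation_key]))
  end

  # Contents of the data bag secret file, or nil when the option is unset or
  # the file does not exist on the workstation running knife.
  def data_bag_keyfile
    path = @chef_config[:data_bag_keyfile]
    return nil if path.nil? || path.empty?
    path = File.expand_path(path)
    File.file?(path) ? IO.read(path) : nil
  end

  # Constructed predicate used by the template to decide whether to emit the
  # secret-writing block at all.
  def data_bag_keyfile?
    !data_bag_keyfile.nil?
  end

  # Constructed bootstrap fragment in the style of ubuntu10.04-basic.erb. The
  # secret block is emitted only when a keyfile was found; the subshell umask
  # keeps the temporary copy and the final file from being world-readable.
  TEMPLATE = <<'ERB'
(
cat <<'EOP'
<%= validation_key %>
EOP
) > /etc/chef/validation.pem
<% if data_bag_keyfile? -%>
(
umask 077
cat <<'EOP' > /tmp/encrypted_data_bag_secret
<%= data_bag_keyfile %>
EOP
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
)
chmod 600 /etc/chef/encrypted_data_bag_secret
<% end -%>
ERB

  def render
    ERB.new(TEMPLATE, trim_mode: '-').result(binding)
  end
end

# Renders the template three ways against constructed key material in a
# temporary directory: secret configured and present, option unset, and option
# pointing at a file that does not exist. Returns the three rendered scripts.
def render_bootstrap_variants
  Dir.mktmpdir do |dir|
    val = File.join(dir, 'validation.pem')
    sec = File.join(dir, 'encrypted_data_bag_secret')
    File.write(val, "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    File.write(sec, "constructed-shared-secret\n")
    with    = BootstrapContextExample.new(validation_key: val, data_bag_keyfile: sec).render
    without = BootstrapContextExample.new(validation_key: val).render
    missing = BootstrapContextExample.new(validation_key: val,
                                          data_bag_keyfile: File.join(dir, 'absent')).render
    [with, without, missing]
  end
end

if __FILE__ == $0
  with, without, missing = render_bootstrap_variants
  puts with
  puts "--- without secret: #{without.lines.count} lines; missing file: #{missing.lines.count} lines"
end
```

The rendered script still carries the secret in clear text over the bootstrap session, exactly as the validation key already does; what the example changes is only that the node never sees a world-readable copy and that a workstation without the file gets a normal bootstrap rather than an exception.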
--- /Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/core/bootstrap_context.rb 2011-11-07 15:09:55.000000000 -0500
+++ /Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/core/bootstrap_context.rb~ 2011-09-27 18:13:42.000000000 -0400
@@ -50,10 +50,6 @@
IO.read(@chef_config[:validation_key])
end
- def data_bag_keyfile
- IO.read(@chef_config[:data_bag_keyfile])
- end
-
def config_content
client_rb = <<-CONFIG
log_level :info
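Review bot: with the patch reversed, the "-" lines are the proposed addition, and the new data_bag_keyfile accessor calls IO.read(@chef_config[:data_bag_keyfile]) with no existence check and no File.expand_path, even though the message says the pathname will be expanded; combined with the non-nil default added in config.rb, every bootstrap will try to read /etc/chef/encrypted_data_bag_secret on the workstation and raise Errno::ENOENT mid-render when it is absent, which is the breakage the message describes. Suggest expanding the path and returning nil (so the template can skip the block) when the option is unset or the file is missing, mirroring how validation_key is treated.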
and:
--- /Users/pn/gems/gems/chef-0.10.4/lib/chef/config.rb 2011-11-07 16:17:46.000000000 -0500
+++ /Users/pn/gems/gems/chef-0.10.4/lib/chef/config.rb~ 2011-09-27 18:13:42.000000000 -0400
@@ -203,7 +203,6 @@
client_key "/etc/chef/client.pem"
validation_key "/etc/chef/validation.pem"
validation_client_name "chef-validator"
- data_bag_keyfile "/etc/chef/encrypted_data_bag_secret"
web_ui_client_name "chef-webui"
web_ui_key "/etc/chef/webui.pem"
web_ui_admin_user_name "admin"
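Review bot: setting a default of "/etc/chef/encrypted_data_bag_secret" for data_bag_keyfile means the option is always defined, so the bootstrap context cannot tell "operator enabled the feature" from "default left in place" and will read that path on every bootstrap. A nil default, like an opt-in feature flag, would let the template emit the secret block only when the operator actually configured a keyfile, and keeps a workstation that merely has a stray file at that path from shipping it to every node it bootstraps.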
and (reversed)
--- /Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/configure.rb 2011-11-07 17:26:25.000000000 -0500
+++ /Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/configure.rb~ 2011-09-27 18:13:42.000000000 -0400
@@ -23,7 +23,6 @@
class Configure < Knife
attr_reader :chef_server, :new_client_name, :admin_client_name, :admin_client_key
attr_reader :chef_repo, :new_client_key, :validation_client_name, :validation_key
- attr_reader :data_bag_keyfile
deps do
require 'ohai'
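Review bot: this hunk adds attr_reader :data_bag_keyfile to Knife::Configure but nothing here assigns @data_bag_keyfile or writes a data_bag_keyfile line into the generated knife.rb, so the reader will always return nil; if the intent is for knife configure to prompt for the path and emit it alongside validation_key, that ask-and-write part is missing from the patch, and the attr_reader alone is dead code.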