[chef] Re: RE: Re: RE: Re: RE: Re: Managing passwords on multiple webapp/users creation


  • From: "steve ."
  • Subject: [chef] Re: RE: Re: RE: Re: RE: Re: Managing passwords on multiple webapp/users creation
  • Date: Mon, 7 Jan 2013 11:43:56 -0800

Hi Philippe,

At the risk of sounding like a broken record (or, worse yet, some kind of spambot), I think you might actually find something useful in the knife plugin link I just posted as potentially being useful for Chef 10 -> 11 migration (in which they're changing the encrypted data bag format).

https://github.com/leftathome/knife-databag-upgrade/blob/master/data_bag_upgrade.rb

The code worked in November, although the GitHub version is currently nerfed so that it doesn't *actually* push the re-encrypted data bag back up to the server.

As you can see from the example, an encrypted data bag item is actually just the payload of a regular data bag item.  At least, that's what it is in Chef 10...

I hope this helps with your situation.  Keep in mind that, if you find encrypted data bags to be an imperfect solution for your particular environment, you can implement just about anything else you want by writing your own resource/provider.


On Mon, Jan 7, 2013 at 7:10 AM, Philippe Bérard wrote:

Yes, I’ve addressed both points to have a robust deployment solution. BTW, this link doesn’t address writing to an encrypted databag, only a “regular” one.

Regards,

-- Philippe Bérard

From: Jeremiah Snapp
Sent: Monday, January 7, 2013 15:59
Subject: [chef] Re: RE: Re: RE: Re: Managing passwords on multiple webapp/users creation

The following link discusses databag editing from within a recipe. Be aware that it does come with two warnings.

1. Unexpected data loss if multiple nodes edit the same databag.
2. Open source chef requires the node's API client to have admin rights.

http://docs.opscode.com/essentials_data_bags_use_recipe.html#creating-and-editing-data-bag-within-a-recipe

On Jan 7, 2013 8:26 AM, "Philippe Bérard" wrote:

OK, thanks AJ for pointing this out. Still no clue for writing to encrypted databags, though; I’ll see if there’s any chance to have a working Chef::EncryptedDataBagItem.save.

Regards,

-- Philippe Bérard

From: AJ Christensen
Sent: Monday, January 7, 2013 11:46
Subject: [chef] Re: RE: Re: Managing passwords on multiple webapp/users creation

That blog post is ancient and isn't even the Chef encrypted data bags. It was John's approach before encrypted data bags were made.

On 7 January 2013 23:44, Philippe Bérard wrote:

Hello Seth and thanks for your answer,

I've tried, maybe the wrong way, to write to encrypted databags, with no
success.

I'll follow the instructions found here
(http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.html),
though, and publish my findings if anyone's interested.

Regards,

-- Philippe Bérard


-----Original Message-----
From: Seth Falcon
Sent: Monday, January 7, 2013 06:03
Subject: [chef] Re: Managing passwords on multiple webapp/users creation



On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:
> I’ve tried to use encrypted databags but this kind of databag can’t be
> written by a recipe, only read.

I'm not sure that's true. Encrypted data bags are regular data bags that the
client treats specially to decrypt with a shared secret. If you have the
shared secret, you can update/add entries and make the API call to save the
data bag item.

So if the simple shared secret approach that encrypted data bags provides
will work for you, I think you can teach your recipes to update encrypted
data bags.
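
The point made in the thread above (an encrypted data bag item is an ordinary item whose values are encrypted under a shared secret, so a holder of that secret can rewrite it), shown as an added Ruby example that is not part of the thread and is not Chef's code. It is a simplified model built on AES-256-GCM from Ruby's OpenSSL, not Chef's wire format; `ToyEncryptedItem`, its methods, and the sample item and secret are hypothetical.

```ruby
require "openssl"
require "json"

# Simplified model (NOT Chef's wire format): "id" stays in clear text and
# every other value is encrypted separately under one shared secret.
module ToyEncryptedItem
  def self.cipher(mode, secret)
    c = OpenSSL::Cipher.new("aes-256-gcm")
    mode == :encrypt ? c.encrypt : c.decrypt
    c.key = OpenSSL::Digest::SHA256.digest(secret) # assumes a high-entropy secret
    c
  end

  def self.encrypt_value(name, value, secret)
    c = cipher(:encrypt, secret)
    iv = c.random_iv                      # fresh IV for every value
    c.auth_data = name                    # ties the ciphertext to its key name
    data = c.update(JSON.generate({ "v" => value })) + c.final
    { "iv" => [iv].pack("m0"), "tag" => [c.auth_tag].pack("m0"),
      "data" => [data].pack("m0") }
  end

  def self.decrypt_value(name, blob, secret)
    d = cipher(:decrypt, secret)
    d.iv = blob["iv"].unpack1("m0")
    d.auth_tag = blob["tag"].unpack1("m0")
    d.auth_data = name
    # d.final raises OpenSSL::Cipher::CipherError on a wrong secret or tampering
    JSON.parse(d.update(blob["data"].unpack1("m0")) + d.final)["v"]
  end

  def self.encrypt_item(plain, secret)
    plain.to_h { |k, v| [k, k == "id" ? v : encrypt_value(k, v, secret)] }
  end

  def self.decrypt_item(raw, secret)
    raw.to_h { |k, v| [k, k == "id" ? v : decrypt_value(k, v, secret)] }
  end

  # Read-modify-write: only a holder of the secret gets past decrypt_item.
  def self.update_item(raw, secret, changes)
    encrypt_item(decrypt_item(raw, secret).merge(changes), secret)
  end
end

# Constructed sample item and secret, for illustration only.
item = ToyEncryptedItem.encrypt_item({ "id" => "webapp1", "db_password" => "s3cret" }, "constructed-secret")
puts JSON.pretty_generate(item)
```

The hash returned by `update_item` is still a plain JSON-serializable item, which is what would be saved back as a regular data bag item through the server API. The two warnings quoted earlier in the thread (concurrent edits from several nodes, admin rights for the node's API client) apply to that save step unchanged.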


 




