Now I am writing a Bacula cookbook for setting up a Bacula server and clients. I have multiple recipes: database, for setting up the MySQL DB; server, for setting up bacula-director and storage; and client, for setting up bacula-fd on the clients. I wrote the following code to load passwords from encrypted data bags:

encrypted_data_bag_secret_path = "#{node['chef']['encrypted_data_bag_secret_path']}/encrypted_data_bag_secret"
bacula_secret = Chef::EncryptedDataBagItem.load_secret(encrypted_data_bag_secret_path)

# ------- Setup MySQL service user passwords used in the cookbook for a successful installation of MySQL
item = Chef::EncryptedDataBagItem.load("bacula", "mysql_root", bacula_secret)
node.set['mysql']['server_root_password'] = item['password']
node.set['mysql']['server_repl_password'] = item['password']
node.set['mysql']['server_debian_password'] = item['password']

# ------- Setup MySQL user "bacula"
item = Chef::EncryptedDataBagItem.load("bacula", "mysql_bacula", bacula_secret)
node.set['bacula']['mysql']['name'] = item['name']
node.set['bacula']['mysql']['password'] = item['password']

# ------- Setup Bacula passwords used on the director and storage machine
item = Chef::EncryptedDataBagItem.load("bacula", "director", bacula_secret)
node.set['bacula']['director']['password'] = item['password']

item = Chef::EncryptedDataBagItem.load("bacula", "monitor", bacula_secret)
node.set['bacula']['monitor']['password'] = item['password']

item = Chef::EncryptedDataBagItem.load("bacula", "storage", bacula_secret)
node.set['bacula']['storage']['password'] = item['password']

item = Chef::EncryptedDataBagItem.load("bacula", "root", bacula_secret)
node.set['bacula']['root']['password'] = item['password']

As we can see, this single recipe sets node parameters which are later used in my other recipes. I think this is not best practice, because:

1. This code is placed in recipes/_loaddatabags.rb, and this recipe is run with include_recipe from several recipes, for example the database, server and storage recipes. I think this code should run only once. This is the main problem.
2. This code sets node vars. What happens after the recipe is executed? Where do traces of our passwords remain in the open, apart of course from the configuration files?
3. I think there should be a function or LWRP for these entities, but I cannot imagine how I can do it. The Chef examples on the site are very small.
4. With my small amount of practice I cannot see how to architect/design this in the best way.
5. Where is it better to define these variables (['mysql']['server_root_password'], ['bacula']['director']['password'])? In what part of the cookbook? What do you think?
6. I use Chef 10.x. Maybe there are other, more elegant ways to work with data bags?
7. I plan to publish my cookbook on Opscode in the future, and I would like it to be ideologically correct.
8. I have not seen the use of data bags in cookbooks from Opscode. Why?

Thank you very much.

--
Best regards,
CVision Lab System Administrator
Vladmir Skubriev
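One way to address points 1 and 2 above (load each item only once per run, and keep the passwords out of node attributes, which chef-client saves back to the server at the end of the run) is a cookbook library that memoizes the decrypted items in node.run_state, a per-run in-memory Hash. This is an added example, not code from the original message or from any Opscode cookbook; the module name BaculaSecrets and the injectable loader argument are assumptions made so the helper can be exercised without a Chef server.

```ruby
# libraries/bacula_secrets.rb (assumed path). Secrets live only in memory
# (node.run_state) for the duration of the chef-client run; nothing is written
# to node attributes, so nothing is persisted to the Chef server or node JSON.
module BaculaSecrets
  DATA_BAG = 'bacula'.freeze
  # data bag item name => the keys this cookbook needs from that item
  ITEMS = {
    'mysql_root'   => %w[password],
    'mysql_bacula' => %w[name password],
    'director'     => %w[password],
    'monitor'      => %w[password],
    'storage'      => %w[password],
    'root'         => %w[password]
  }.freeze

  # Real loader: decrypts one item with the shared secret. EncryptedDataBagItem
  # responds to [], which is all load_all relies on.
  DEFAULT_LOADER = lambda do |bag, item_name, secret|
    Chef::EncryptedDataBagItem.load(bag, item_name, secret)
  end

  # run_state: a plain Hash (pass node.run_state from a recipe).
  # secret:    the shared key string from EncryptedDataBagItem.load_secret.
  # loader:    anything callable with (bag, item_name, secret) returning an
  #            object that supports item[key]; a fake can be passed in tests.
  # Returns {item_name => {key => value}}. Every recipe that includes the
  # cookbook can call this; the loader runs at most once per item per run.
  def self.load_all(run_state, secret, loader = DEFAULT_LOADER)
    cache = (run_state['bacula_secrets'] ||= {})
    ITEMS.each do |item_name, keys|
      next if cache.key?(item_name)            # already decrypted in this run
      item = loader.call(DATA_BAG, item_name, secret)
      cache[item_name] = keys.each_with_object({}) do |key, values|
        value = item[key]
        # Fail loudly at load time rather than rendering an empty password
        # into bacula-dir.conf or the MySQL grant.
        raise KeyError, "#{DATA_BAG}/#{item_name} has no '#{key}'" if value.nil?
        values[key] = value
      end
    end
    cache
  end
end

# In a recipe (any number of recipes may do this; decryption happens once):
#   secrets  = BaculaSecrets.load_all(node.run_state, bacula_secret)
#   dir_pass = secrets['director']['password']   # use in a template variable
```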