[chef] Re: Re: question about data bags - best practice


  • From: Daniel DeLeo < >
  • To:
  • Subject: [chef] Re: Re: question about data bags - best practice
  • Date: Tue, 6 Aug 2013 08:01:22 -0700

On Tuesday, August 6, 2013 at 7:37 AM, Moser, Kevin wrote:
Take a look at chef-vault (https://github.com/nordstrom/chef-vault). Keeps the data encrypted using the private key of the client itself.

You are right however that setting the value into a node attribute persists that data, in a chef-client run, back to the chef server at the end of a successful run. You don't want to decrypt your passwords and then put them in an attribute. You want to decrypt and use that value to define a resource at compile time. At the end of convergence that resource leaves memory and your decrypted values go away.

Kevin

There is a hash on the node object you can use for per-run state info. It is not persisted to the server. To access it:

  node.run_state[:my_key] = "my value"

HTH,

-- 
Daniel DeLeo
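
The thread's point is that a decrypted value assigned to a node attribute is saved back to the server, while node.run_state is not. The following check for secrets that have already leaked into saved attributes is an added example, not code from either poster or from Chef. It assumes a node object exported as JSON with top-level "default", "normal" and "override" attribute hashes; the key-name pattern and the sample node are constructed for illustration.

```ruby
require "json"

# Attribute levels a cookbook can write to and that are saved with the node.
# "automatic" (ohai data) is skipped on purpose: it is not set by recipes.
LEVELS = %w[default normal override].freeze

# Assumed naming heuristic for secret-bearing keys; tune it for your cookbooks.
SECRET_KEY = /password|passphrase|secret|token|private_key|api_key/i

# Recursively walk an attribute tree, yielding [path, value] for each leaf.
def each_leaf(tree, path = [], &block)
  case tree
  when Hash  then tree.each { |k, v| each_leaf(v, path + [k.to_s], &block) }
  when Array then tree.each_with_index { |v, i| each_leaf(v, path + [i.to_s], &block) }
  else block.call(path, tree)
  end
end

# Return "level/path" for every non-empty string leaf whose key path looks
# like a secret. Values are never returned, so the report is safe to log.
def persisted_secrets(node_json)
  node = JSON.parse(node_json)
  findings = []
  LEVELS.each do |level|
    each_leaf(node.fetch(level, {})) do |path, value|
      next unless value.is_a?(String) && !value.empty?
      findings << "#{level}/#{path.join('/')}" if path.any? { |seg| seg =~ SECRET_KEY }
    end
  end
  findings
end

# Constructed sample: a recipe stored a decrypted password in a normal
# attribute, so it was saved with the node at the end of the run.
SAMPLE_NODE = <<~NODE
  {
    "name": "web01.example.com",
    "default":  { "myapp": { "port": 8080, "api": { "token": "" } } },
    "normal":   { "myapp": { "db": { "host": "db.internal",
                                     "password": "constructed-value" } } },
    "override": {}
  }
NODE

puts persisted_secrets(SAMPLE_NODE) if __FILE__ == $PROGRAM_NAME
```

A value kept only in node.run_state never appears in the saved node object, so it produces no finding here.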




