I don't think an encrypted data bag in itself is a code smell. Depending upon the context they may be. The fact that we need to store secrets in raw text files is a smell (at one extreme). Tools (like s3cmd, knife, aws command line tools etc.) that expect unencrypted secrets can be run against ephemeral configuration files. But that's another extreme. Between them there are a myriad of options; encrypted data bag is one of them. If you plan to take a snapshot of your entire chef infra, you'll need to back up and store the databags too, and if they hold secrets it's better to store them encrypted in the restore/backup tapes. Albeit chef-vault is a better option, it requires more housekeeping. You'll be storing multiple encrypted copies of the same data, each corresponding to one client. These things come with a great deal of network traffic cost as well. So yes, they can be a smell, but it depends.
On Mon, Sep 16, 2013 at 11:54 AM, Booker Bense wrote:
I'm finally catching up with my backlog of Food Fight episodes and the one on secrets got me thinking a bit and I wrote up my thoughts here. The more I think about it, the more I think encrypted data bags aren't the solution.

- Booker C. Bense
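To make the trade-off discussed in this thread concrete, here is an added Ruby example (not code from the thread, from Chef or from chef-vault) that models both patterns with the OpenSSL standard library: a plain encrypted data bag item protected by one shared secret, and a chef-vault style layout where the item is encrypted once with a random item key and that key is RSA-wrapped separately for each authorised client. The client names, the secret value and the key map layout are constructed for the demonstration; the per-client housekeeping the reply mentions shows up as the key map that must be rewritten whenever a client is added or removed.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed example: models a data bag item encrypted with AES-256-GCM and a
# chef-vault style key map (item key wrapped once per client with RSA-OAEP).

# Encrypt a JSON-serialisable value; returns the pieces an encrypted item carries.
def encrypt_item(value, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(value)) + cipher.final
  { 'iv' => iv, 'data' => ciphertext, 'tag' => cipher.auth_tag }
end

# Decrypt and authenticate an item; raises if the tag does not verify.
def decrypt_item(item, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = item['iv']
  cipher.auth_tag = item['tag']
  JSON.parse(cipher.update(item['data']) + cipher.final)
end

# Vault style: one RSA-wrapped copy of the item key per authorised client.
# Adding or removing a client means regenerating this map (the housekeeping cost);
# a plain encrypted data bag instead relies on every node already holding the secret.
def wrap_key_for_clients(item_key, client_pubkeys)
  client_pubkeys.transform_values do |pub|
    pub.public_encrypt(item_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end
end

# A client recovers the item key only if the map holds a copy wrapped for it.
def unwrap_key(wrapped_keys, client_name, client_privkey)
  client_privkey.private_decrypt(wrapped_keys.fetch(client_name),
                                 OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Constructed demonstration data (placeholder secret, throwaway client keys).
SECRET = { 'aws_secret_key' => 'EXAMPLE-NOT-A-REAL-KEY' }.freeze
CLIENTS = %w[web1 web2 db1].to_h { |n| [n, OpenSSL::PKey::RSA.new(2048)] }.freeze

def demo
  item_key = SecureRandom.random_bytes(32)
  item = encrypt_item(SECRET, item_key)           # stored once, like a data bag item
  keys = wrap_key_for_clients(item_key, CLIENTS.transform_values(&:public_key))
  recovered = decrypt_item(item, unwrap_key(keys, 'web2', CLIENTS['web2']))
  { 'copies' => keys.size, 'recovered' => recovered, 'keys' => keys }
end
```

A client absent from the key map (for example one added after the vault was written) gets a `KeyError` from `unwrap_key` and cannot read the item until the map is regenerated.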