[chef] Re: Encrypted databag local management


  • From: Tony Burns < >
  • To:
  • Subject: [chef] Re: Encrypted databag local management
  • Date: Mon, 16 Dec 2013 16:10:38 -0500

I’ve been using this for a while now: https://gist.github.com/tabolario/6512068

Essentially it lets you use a rake task (I called it chef:data_bags:encrypted) to edit encrypted data bags locally so you can commit them to your repo. There are a couple of downsides I’ve found when working with the rest of the team on this. Obviously you still need to remember to run knife data bag from file after you edit one of these, and you also need to be aware of other people working on the same data bag, since the files can’t be merged.

On Dec 15, 2013, at 11:23 AM, Morgan Blackthorne < > wrote:

So at my day job, we're making an effort to pull passwords out of the source code and CI environment and centralize them into encrypted data bags which are then translated into config files for the various scripts and services we use.

I was wondering if there is a local-only workflow for this which does not involve knife talking to a Chef server. Basically, where knife edit would provide a decryption piece for the file contents and then encrypt them when the editor is closed. I'm thinking this because I want to ensure that the JSON files are the authoritative source being pushed into the Chef server, not random knife clients talking to Chef, and also so that the users shouldn't even need to configure Knife to talk to a Chef server in the first place.

Any thoughts about how best to handle this kind of scenario? I can elaborate as needed on any unclear points.

--
~*~ StormeRider ~*~

"Every world needs its heroes [...] They inspire us to be better than we are. And they protect from the darkness that's just around the corner."

(from Smallville Season 6x1: "Zod")

On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS
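As an added example (my own code, not the gist from the post and not Chef's own library), here is the local decrypt, edit, re-encrypt round trip that Morgan asks for and Tony's rake task provides. The per-field format is assumed to mirror the shape of Chef's version-1 encrypted items (aes-256-cbc, SHA-256 of the shared secret as the key, a fresh random IV per field, a "json_wrapper" envelope); the file path, secret and editor hook are constructed for the example.

```ruby
require "json"
require "base64"
require "openssl"
require "tempfile"

# Assumed to mirror a Chef version-1 encrypted item field: aes-256-cbc,
# key = SHA-256(secret), random IV, value wrapped as {"json_wrapper": value}.
# The "id" key of an item stays in the clear, as in Chef data bags.
CIPHER = "aes-256-cbc"

def encrypt_field(value, secret)
  c = OpenSSL::Cipher.new(CIPHER)
  c.encrypt
  c.key = OpenSSL::Digest.digest("SHA256", secret)
  iv = c.random_iv                       # fresh IV every time a field is saved
  data = c.update(JSON.generate("json_wrapper" => value)) + c.final
  { "encrypted_data" => Base64.strict_encode64(data),
    "iv" => Base64.strict_encode64(iv), "version" => 1, "cipher" => CIPHER }
end

def decrypt_field(enc, secret)
  c = OpenSSL::Cipher.new(enc.fetch("cipher"))
  c.decrypt
  c.key = OpenSSL::Digest.digest("SHA256", secret)
  c.iv = Base64.decode64(enc.fetch("iv"))
  plain = c.update(Base64.decode64(enc.fetch("encrypted_data"))) + c.final
  JSON.parse(plain).fetch("json_wrapper")
end

def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), h| h[k] = k == "id" ? v : decrypt_field(v, secret) }
end

def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), h| h[k] = k == "id" ? v : encrypt_field(v, secret) }
end

# Decrypt the item file into a temp file, hand it to an editor, then re-encrypt
# the edited JSON and write it back over the original. `editor` is a callable
# taking the temp path (default: $EDITOR) so the round trip can be driven
# without a terminal. A wrong secret raises (OpenSSL::Cipher::CipherError or
# JSON::ParserError) instead of writing garbage back to the repo.
def edit_encrypted_item(path, secret, editor: ->(f) { system(ENV.fetch("EDITOR", "vi"), f) })
  enc = JSON.parse(File.read(path))
  Tempfile.create(["databag", ".json"]) do |tmp|
    tmp.write(JSON.pretty_generate(decrypt_item(enc, secret)))
    tmp.flush
    editor.call(tmp.path)
    edited = JSON.parse(File.read(tmp.path))
    File.write(path, JSON.pretty_generate(encrypt_item(edited, secret)))
  end
end
```

Because every save draws fresh IVs, the whole file changes on each edit even when only one field did, which is why two people's edits to the same item cannot be merged as text.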




