chef - [chef] Re: Database Secrets

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Database Secrets

From: Sean OMeara < >
To: " " < >
Subject: [chef] Re: Database Secrets
Date: Mon, 22 Sep 2014 10:58:32 -0400

Storing secrets are a hard problem, since you're always pushing your
peas around your plate.

You're looking to manage them "out of band" of Chef, (or at least out
of band of Chef's SCM).

1) You can bootstrap them onto the machines with jumpstart/whatever
2) Use something like Chef Vault to store them on Chef Server
3) Use an external database or directory service

Gather your secrets during recipe compilation, then pass them into the
mysql_service resource in your recipe.

Chef Vault example:

vault_ssl = ChefVault::Item.load('secrets', 'www.widgetco.biz.pem')
my_secret =  vault_ssl['www.widgetco.biz.pem']

mysql_service 'default' do
  server_root_password vault_ssl['www.widgetco.biz.pem']
  action :create
end

On Mon, Sep 22, 2014 at 12:34 AM, Angus Buchanan
< >
wrote:
> What ways have people used to maintain database secrets?  I'm thinking
> specifically of the mysql root password which is just an attribute in the
> mysql cookbook, and passwords for production databases?
>
> I don't want to be checking passwords into Git.
>
> What strategies have you successfully used?
>
> -aob

[chef] Re: Database Secrets, (continued)
- [chef] Re: Database Secrets, Marco Betti, 09/21/2014
  - [chef] Re: Re: Database Secrets, Lamont Granquist, 09/22/2014
    - [chef] Re: Re: Re: Database Secrets, Bryan Berry, 09/22/2014
      - [chef] Re: Re: Re: Re: Database Secrets, Lamont Granquist, 09/22/2014
- [chef] Re: Database Secrets, AJ Christensen, 09/21/2014
  - [chef] Re: Re: Database Secrets, Brian Pitts, 09/22/2014
- [chef] Re: Database Secrets, Sean OMeara, 09/22/2014
  - [chef] Re: Database Secrets, Sean OMeara, 09/22/2014