- From: Sean OMeara <>
- To: "" <>
- Subject: [chef] Re: Database Secrets
- Date: Mon, 22 Sep 2014 11:00:33 -0400
that was supposed to read:

    server_root_password my_secret

On Mon, Sep 22, 2014 at 10:58 AM, Sean OMeara <> wrote:
> Storing secrets is a hard problem, since you're always pushing your
> peas around your plate.
>
> You're looking to manage them "out of band" of Chef (or at least out
> of band of Chef's SCM).
>
> 1) You can bootstrap them onto the machines with jumpstart/whatever
> 2) Use something like Chef Vault to store them on Chef Server
> 3) Use an external database or directory service
>
> Gather your secrets during recipe compilation, then pass them into the
> mysql_service resource in your recipe.
>
> Chef Vault example:
>
> vault_ssl = ChefVault::Item.load('secrets', 'www.widgetco.biz.pem')
> my_secret = vault_ssl['www.widgetco.biz.pem']
>
> mysql_service 'default' do
>   server_root_password vault_ssl['www.widgetco.biz.pem']
>   action :create
> end
>
> On Mon, Sep 22, 2014 at 12:34 AM, Angus Buchanan <> wrote:
> > What ways have people used to maintain database secrets? I'm thinking
> > specifically of the mysql root password which is just an attribute in the
> > mysql cookbook, and passwords for production databases?
> >
> > I don't want to be checking passwords into Git.
> >
> > What strategies have you successfully used?
> >
> > -aob
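
Option 1 in the reply above (secrets bootstrapped onto the machine) combined with "gather your secrets during recipe compilation", as an added Ruby example that is not from the original thread or from the mysql cookbook. The helper name, error class and JSON file layout are assumptions; it refuses to use a secret file that is missing, is a symlink, or is readable by group/other.

```ruby
require 'json'

# Hypothetical helper (name and file layout are assumptions): read a secret
# that was placed on the node out of band, e.g. at bootstrap, as a JSON file.
class SecretFileError < StandardError; end

def load_bootstrapped_secret(path, key)
  st = begin
    File.lstat(path) # lstat: inspect the path itself, do not follow symlinks
  rescue Errno::ENOENT
    raise SecretFileError, "#{path} is missing; not falling back to an attribute"
  end
  raise SecretFileError, "#{path} is not a regular file" unless st.file?
  # The file must belong to the user running the Chef client (normally root).
  raise SecretFileError, "#{path} is owned by another user" unless st.owned?
  # Reject any group/other permission bits: only the owner may read it.
  if (st.mode & 0o077) != 0
    raise SecretFileError,
          format('%s has mode %04o; expected 0600 or stricter', path, st.mode & 0o7777)
  end
  data = begin
    JSON.parse(File.read(path))
  rescue JSON::ParserError
    raise SecretFileError, "#{path} is not valid JSON"
  end
  value = data.is_a?(Hash) ? data[key] : nil
  # Error messages name the file and key only, never the secret itself.
  unless value.is_a?(String) && !value.empty?
    raise SecretFileError, "#{path} has no non-empty string for key #{key.inspect}"
  end
  value
end

# In a recipe this runs at compile time and the result is passed to the
# resource property, e.g.:
#   server_root_password load_bootstrapped_secret(secret_path, 'root')
```

Failing the Chef run when the file is absent or too permissive keeps a node from silently converging with a password taken from cookbook attributes.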