- From: Tyler <
>
- To:
- Subject: [chef] Re: Encrypted data bag fixtures in cookbooks
- Date: Mon, 1 Dec 2014 09:16:06 -0800
Hey Roland - what version of Chef client are you using? In Chef 12 we added
a `--encrypt` flag like you describe below.
Data bags are encrypted/unencrypted on the client side. I haven’t tested
this specifically, but the data stored by chef zero should be encrypted.
Could you try this test again with the latest version of Chef client and see
if you still have issues?
-T
>
On Nov 28, 2014, at 1:29 PM, Roland Moriz
>
<
>
>
wrote:
>
>
Hi,
>
>
I've two questions regarding data bag handling in the case of fixtures for
>
cookbook development:
>
>
1.) fixture data bag management in cookbooks
>
>
Some of our company cookbooks are using encrypted data bags. As we use
>
test-kitchen (and ChefSpec) we also have some plain-json and encrypted data
>
bag fixtures:
>
>
E.g.
>
>
```
>
example_cookbook/test/fixtures/data_bags/certificates/website.json
>
example_cookbook/test/fixtures/data_bags/users/alice.json
>
example_cookbook/test/fixtures/data_bags/users/bob.json
>
>
# with an example secret in:
>
example-cookbook/test/integration/encrypted_data_bag_secret
>
```
>
>
>
But it’s very cumbersome to manage these encrypted data bags, so we
>
currently use https://github.com/thbishop/knife-solo_data_bag for that:
>
>
```
>
knife solo data bag edit --secret-file
>
./test/integration/encrypted_data_bag_secret --data-bag-path
>
./test/fixtures/data_bags users bob
>
```
>
>
However, I’m aware of the --local-mode/-z switch of the regular „knife data
>
bag create“ command and the general movement towards "chef-zero".
>
Unfortunately I could not find a way to specify the data bag path, and my
>
knife.rb settings seems to be ignored:
>
>
example_cookbook/.chef/knife.rb:
>
>
```
>
knife[:secret_file] =
>
File.expand_path('../../test/integration/encrypted_data_bag_secret',
>
__FILE__)
>
knife[:data_bag_path] = File.expand_path('../../test/fixtures/data_bags',
>
__FILE__)
>
```
>
>
Created data bags will always go to:
>
>
```
>
example_cookbook/data_bags/<bag>/<item>.json
>
```
>
>
Shouldn't knife in chef-zero/local-mode consider the knife[:data_bag_path]
>
option?
>
>
>
2.) case by case encryption
>
>
Gladly knife[:secret_file] will be honored in both cases and *every* data
>
bag item will be encrypted. That's nice but usually we don't want to.
>
I guess there is a missing switch to enable/disable encryption. Using
>
"--secret-file ./test/integration/encrypted_data_bag_secret" and remove the
>
default option isn’t very convenient.
>
>
>
>
thanks in advance
>
Roland
>
>
>
- [chef] Re: Encrypted data bag fixtures in cookbooks, Tyler, 12/01/2014
Archive powered by MHonArc 2.6.16.