- From: Tyler Ball
- To:
- Subject: [chef] Re: Chef Client 12.0.0 Release
- Date: Mon, 8 Dec 2014 10:41:24 -0800
Search for `data_bag_item` in
http://docs.getchef.com/release/12-0/release_notes.html to see the detailed
release notes on this feature.
If you use Knife to interact with data bags, we also improved that
experience. You can provide a secret to Knife in 1 of 4 ways. They are, in
order of descending preference:
1. Provide the secret on the command line of knife data bag and knife
bootstrap commands with --secret
2. Provide the location of a file containing the secret on the command line
of knife data bag and knife bootstrap commands with --secret-file
3. Add the secret to your workstation config with knife[:secret] = ...
4. Add the location of a file containing the secret to your workstation
config with knife[:secret-file] = ...
When adding the secret information to your workstation config, it will not be
used for writeable operations unless --encrypt is also passed on the command
line. Data bag read-only operations (`knife data bag show` and `knife
bootstrap`) do not require --encrypt to be passed, and will attempt to use an
available secret for decryption. Unencrypted data bags will not attempt to be
unencrypted, even if a secret is provided. Trying to view an encrypted data
bag without providing a secret will issue a warning and show the encrypted
contents. Trying to edit or create an encrypted data bag without providing a
secret will fail.
Here are some example scenarios:
# Providing `knife[:secret_file] = ...` in knife.rb will create and encrypt the data bag
knife data bag create BAG_NAME ITEM_NAME --encrypt

# The same command run with --secret will use the command line secret instead of the knife.rb secret
knife data bag create ANOTHER_BAG ITEM_NAME --encrypt --secret 'ANOTHER_SECRET'

# The next two commands will fail, because they are using the wrong secret
knife data bag edit BAG_NAME --secret 'ANOTHER_SECRET'
knife data bag edit ANOTHER_BAG --encrypt

# The next command will unencrypt the data and show it using the `knife[:secret_file]` without passing the --encrypt flag
knife data bag show BAG_NAME

# To create an unencrypted data bag, simply do not provide `--secret`, `--secret-file` or `--encrypt`
knife data bag create UNENCRYPTED_BAG

# If a secret is available from any of the 4 possible entries, it will be copied to a bootstrapped node, even if `--encrypt` is not present
knife bootstrap FQDN
http://docs.getchef.com/knife_data_bag.html is the documentation for the
Knife features.
-T
> On Dec 6, 2014, at 6:45 PM, Julian C. Dunn wrote:
>
> On Sat, Dec 6, 2014 at 7:50 AM, Tiago Cruz wrote:
>
> > Can you please detail a little bit more this feature:
> >
> > Auto magical encryption / decryption of encrypted data bags in recipes and
> > via knife.
>
> In Chef < 12 you had to use Chef::EncryptedDataBagItem.load to load
> encrypted data bag items, and the data_bag_item DSL to load
> unencrypted data bag items.
>
> In Chef >= 12, you can use the data_bag_item for both, and it will
> auto-detect whether a bag item is encrypted or not.
>
> - Julian
>
> --
> [ Julian C. Dunn * Sorry, I'm ]
> [ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
> [ gopher://sdf.org/1/users/keymaker/ * compliant! ]
> [ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
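The two behaviours discussed in this thread, Julian's point that `data_bag_item` in Chef 12 auto-detects whether an item is encrypted, and Tyler's rules for what happens on read and write when a secret is missing, wrong, or unnecessary, can be modelled in a few dozen lines of Ruby. The following is an added illustration, not Chef's own code: `encrypted_item?`, `load_item`, `write_item` and the field layout (`encrypted_data`, `hmac`, `iv`, `version`, `cipher`, modelled on the version 2 envelope) are constructed here for the example, and exact on-disk compatibility with real Chef data bag files is not claimed.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'digest'

# Hypothetical envelope, modelled on Chef's version 2 encrypted field layout:
# every field other than "id" becomes {encrypted_data, hmac, iv, version, cipher}.
# Constructed for this example; not Chef's implementation.
CIPHER  = 'aes-256-cbc'.freeze
VERSION = 2

def derive_key(secret)
  Digest::SHA256.digest(secret) # 32-byte AES key derived from the shared secret
end

def hmac_of(key, data)
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), key, data))
end

# Constant-time comparison so the HMAC check does not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv                       # fresh IV per field
  plaintext = { 'json_wrapper' => value }.to_json
  encrypted = Base64.strict_encode64(cipher.update(plaintext) + cipher.final)
  {
    'encrypted_data' => encrypted,
    'hmac'           => hmac_of(derive_key(secret), encrypted),
    'iv'             => Base64.strict_encode64(iv),
    'version'        => VERSION,
    'cipher'         => CIPHER
  }
end

def decrypt_value(field, secret)
  key = derive_key(secret)
  # Check integrity before decrypting: a wrong secret (or tampering) fails here.
  unless constant_time_equal?(hmac_of(key, field['encrypted_data']), field['hmac'])
    raise ArgumentError, 'HMAC mismatch: wrong secret or tampered data'
  end
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.key = key
  cipher.iv = Base64.strict_decode64(field['iv'])
  plaintext = cipher.update(Base64.strict_decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plaintext)['json_wrapper']
end

def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : encrypt_value(v, secret) }
end

# Auto-detection: an item counts as encrypted when every field other than
# "id" carries the encrypted-field envelope.
def encrypted_item?(item)
  item.all? { |k, v| k == 'id' || (v.is_a?(Hash) && v.key?('encrypted_data')) }
end

# Read path, returning [data, warning]:
#  - unencrypted items are returned untouched even if a secret is supplied,
#  - encrypted items without a secret come back still encrypted plus a warning,
#  - encrypted items with the wrong secret raise.
def load_item(item, secret: nil)
  return [item, nil] unless encrypted_item?(item)
  return [item, 'encrypted item loaded without a secret; showing ciphertext'] if secret.nil?
  decrypted = item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_value(v, secret) }
  [decrypted, nil]
end

# Write path: creating or editing an encrypted item requires a secret;
# without the encrypt flag the item is written as-is.
def write_item(item, encrypt:, secret: nil)
  return item unless encrypt
  raise ArgumentError, 'cannot write an encrypted item without a secret' if secret.nil?
  encrypt_item(item, secret)
end
```

Note that the HMAC is verified before any decryption is attempted, which is what makes the "wrong secret" case fail cleanly instead of surfacing as a padding error or, worse, as garbage that looks like data.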