- From: "Fouts, Chris"
- Subject: [chef] RE: Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?
- Date: Thu, 22 Jan 2015 19:55:27 +0000
- Accept-language: en-US
Like I said, I have this in my knife.rb file.
…….
validation_key "#{current_dir}/validator.pem"
encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”
.....
My knife.rb, validator.pem, encrypted_data_bag_secret, are all on my
<some_dir>/.chef directory. If it works for the validation_key property, why
not the encrypted_data_bag_secret property? I did a puts and, you're correct,
it's not expanding the <%= encrypted_data_bag_secret %>, but why?
Chris
-----Original Message-----
From: AJ Christensen
Sent: Wednesday, January 21, 2015 5:28 PM
Subject: [chef] Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?
It looks like your knife config is wrong. Can you puts the value of the
encrypted_data_bag_secret after setting it? does that path expand properly?
"#{home_dir}/.chef/encrypted_data_bag_secret"
do you have a local variable called "home_dir" in your knife.rb ? this ruby
string expansion relies on it. if nil, the path is probably borked.
chuck `puts encrypted_data_bag_secret` in your config and see what it reckons
cheers,
--aj
On Thu, Jan 22, 2015 at 10:26 AM, Fouts, Chris wrote:
> Thanks, but I was under the impression that the bootstrap (even the default
> template) will do this for me, using the same process it does to copy the
> validator.pem locally to the node. I see this in the chef-full.erb file
>
> <% if encrypted_data_bag_secret -%>
> cat > /etc/chef/encrypted_data_bag_secret <<'EOP'
> <%= encrypted_data_bag_secret %>
> EOP
> chmod 0600 /etc/chef/encrypted_data_bag_secret
> <% end -%>
>
> Chris
>
> From: Tiago Cruz
> Sent: Wednesday, January 21, 2015 3:27 PM
> Subject: [chef] Re: RE: Re: Using encrypted data bags in cookbooks?
>
> You need to scp the file to your node at /etc/chef/encrypted_data_bag_secret
>
> On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris wrote:
>
> I have this in my knife.rb file
>
> …….
> validation_key "#{current_dir}/validator.pem"
> encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”
> …….
>
> The knife.rb, validator.pem, and encrypted_data_bag_secret files are in
> <some_path>/.chef directory.
>
> Chris
>
> From: Daniel Condomitti
> Sent: Wednesday, January 21, 2015 2:45 PM
> Subject: [chef] Re: Using encrypted data bags in cookbooks?
>
> Are you using a custom bootstrap template? Check your template to ensure
> that your template includes the encrypted_data_bag_secret logic
> https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46
>
> Is the correct path being used in your knife config?
>
> On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:
>
> Client: v12.0.3
> Server: Chef 12 Enterprise
>
> I’m encrypting my data bags, but now of course would want to use them when
> I run my cookbooks in my nodes. This means that I’ll need to decrypt my
> data bag, which in turn means I’ll need the key. One solution I’ve been
> reading is to copy the key file in the node’s /etc/chef/* directory during
> the bootstrap process. I read this
> http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which shows
> adding this line in the knife.rb file
>
> encrypted_data_bag_secret "#{home_dir}/.chef/encrypted_data_bag_secret"
>
> …which will then automagically copy the file over to the node. However, I
> don’t see /etc/chef/encrypted_data_bag file in the bootstrapped node.
>
> What am I missing?
>
> Chris
>
> --
> -- Tiago Cruz
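
Added example, not part of the original thread and not Chef's own code: the chef-full.erb fragment quoted above rendered with Ruby's ERB, showing that a nil secret makes the guard emit nothing, so no file is written on the node. The helper names render_fragment and check_secret_path, and the sample values, are assumptions made for illustration.

```ruby
require "erb"

# Fragment of chef-full.erb as quoted in the thread.
FRAGMENT = <<~'TEMPLATE'
  <% if encrypted_data_bag_secret -%>
  cat > /etc/chef/encrypted_data_bag_secret <<'EOP'
  <%= encrypted_data_bag_secret %>
  EOP
  chmod 0600 /etc/chef/encrypted_data_bag_secret
  <% end -%>
TEMPLATE

# Render the fragment with the given secret value (the parameter name must
# match the variable the template reads). A nil secret makes the `if` guard
# false, so nothing is emitted and the node never gets the file.
def render_fragment(encrypted_data_bag_secret)
  ERB.new(FRAGMENT, trim_mode: "-").result(binding)
end

# Hypothetical helper: report problems with the path a knife.rb setting
# resolved to. Returns a list of symbols; [:ok] means nothing was found.
def check_secret_path(path)
  return [:unset] if path.nil? || path.strip.empty?
  full = File.expand_path(path)
  return [:missing] unless File.file?(full)
  problems = []
  problems << :empty if File.zero?(full)
  # Any group/other permission bit exposes the shared decryption key.
  problems << :too_permissive unless (File.stat(full).mode & 0o077).zero?
  problems.empty? ? [:ok] : problems
end

if __FILE__ == $PROGRAM_NAME
  home_dir = nil # constructed: the unset-variable case raised in the thread
  path = "#{home_dir}/.chef/encrypted_data_bag_secret"
  puts "resolved path: #{path} -> #{check_secret_path(path).inspect}"
  puts "rendered with nil secret: #{render_fragment(nil).inspect}"
  puts render_fragment("constructed-sample-secret")
end
```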