[chef] RE: Re: RE: Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?


  • From: "Fouts, Chris" < >
  • To: " " < >
  • Subject: [chef] RE: Re: RE: Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?
  • Date: Thu, 22 Jan 2015 21:03:29 +0000
  • Accept-language: en-US

Thank you, that works!

 

Chris

 

From: Fabien Delpierre [mailto:
Sent: Thursday, January 22, 2015 3:07 PM
To:
Subject: [chef] Re: RE: Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?

 

My knife.rb says:
knife[:secret_file] = "#{current_dir}/encrypted_data_bag_secret"

Try that.

 

On Thu, Jan 22, 2015 at 2:55 PM, Fouts, Chris < > wrote:

Like I said, I have this in my knife.rb file.
 …….
validation_key           "#{current_dir}/validator.pem"
encrypted_data_bag_secret "#{current_dir}/encrypted_data_bag_secret"
.....

My knife.rb, validator.pem, and encrypted_data_bag_secret are all in my <some_dir>/.chef directory. If it works for the validation_key property, why not the encrypted_data_bag_secret property? I did a puts and, you're correct, it's not expanding the <%= encrypted_data_bag_secret %>, but why?

Chris

-----Original Message-----
From: AJ Christensen [mailto: ]
Sent: Wednesday, January 21, 2015 5:28 PM
To:
Subject: [chef] Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?

It looks like your knife config is wrong. Can you puts the value of the encrypted_data_bag_secret after setting it? does that path expand properly?

"#{home_dir}/.chef/encrypted_data_bag_secret"

do you have a local variable called "home_dir" in your knife.rb ? this ruby string expansion relies on it. if nil, the path is probably borked.

chuck `puts encrypted_data_bag_secret` in your config and see what it reckons

cheers,

--aj

On Thu, Jan 22, 2015 at 10:26 AM, Fouts, Chris < > wrote:
> Thanks, but I was under the impression that the bootstrap (even the
> default template) will do this for me, using the same process it does
> to copy the validator.pem locally to the node. I see this in the
> chef-full.erb file
>
> <% if encrypted_data_bag_secret -%>
> cat > /etc/chef/encrypted_data_bag_secret <<'EOP'
> <%= encrypted_data_bag_secret %>
> EOP
> chmod 0600 /etc/chef/encrypted_data_bag_secret
> <% end -%>
>
> Chris
>
> From: Tiago Cruz [mailto: ]
> Sent: Wednesday, January 21, 2015 3:27 PM
> To:
> Subject: [chef] Re: RE: Re: Using encrypted data bags in cookbooks?
>
>
>
> You need to scp the file to your node at
> /etc/chef/encrypted_data_bag_secret
>
>
>
> On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris < > wrote:
>
> I have this in my knife.rb file
>
> …….
> validation_key           "#{current_dir}/validator.pem"
> encrypted_data_bag_secret "#{current_dir}/encrypted_data_bag_secret"
> …….
>
> The knife.rb, validator.pem, and encrypted_data_bag_secret files are
> in <some_path>/.chef directory.
>
>
>
> Chris
>
> From: Daniel Condomitti [mailto: ]
> Sent: Wednesday, January 21, 2015 2:45 PM
> To:
> Subject: [chef] Re: Using encrypted data bags in cookbooks?
>
>
>
> Are you using a custom bootstrap template? Check your template to
> ensure that your template includes the encrypted_data_bag_secret logic
> https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46
>
>
>
> Is the correct path being used in your knife config?
>
> On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:
>
> Client: v12.0.3
>
> Server: Chef 12 Enterprise
>
>
>
> I’m encrypting my data bags, but now of course would want to use them
> when I run my cookbooks in my nodes. This means that I’ll need to
> decrypt my data bag, which in turn means I’ll need the key. One
> solution I’ve been reading is to copy the key file in the node’s
> /etc/chef/* directory during the bootstrap process. I read this
> http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which
> shows adding this line in the knife.rb file
>
>
>
> encrypted_data_bag_secret "#{home_dir}/.chef/encrypted_data_bag_secret"
>
>
>
> …which will then automagically copy the file over to the node.
> However, I don’t see /etc/chef/encrypted_data_bag file in the bootstrapped node.
>
>
>
> What am I missing?
>
>
>
> Chris
>
> --
>
> -- Tiago Cruz
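
The symptom discussed in this thread, as an added example that is not part of the original messages and not Chef's own code: it renders the chef-full.erb fragment quoted above with Ruby's ERB, once with the path stored only under a top-level `encrypted_data_bag_secret` key and once under `knife[:secret_file]`. `FakeBootstrapContext` is a hypothetical stand-in, and that the bootstrap reads only `knife[:secret_file]` is an assumption taken from the fix reported in the thread; the secret value is constructed.

```ruby
require "erb"
require "tmpdir"

# The chef-full.erb fragment exactly as quoted in the thread.
FRAGMENT = <<~'TPL'
  <% if encrypted_data_bag_secret -%>
  cat > /etc/chef/encrypted_data_bag_secret <<'EOP'
  <%= encrypted_data_bag_secret %>
  EOP
  chmod 0600 /etc/chef/encrypted_data_bag_secret
  <% end -%>
TPL

# Hypothetical stand-in for knife's bootstrap context; NOT Chef's own class.
# Assumption: only knife[:secret_file] feeds the template, as the fix suggests.
class FakeBootstrapContext
  def initialize(knife_settings)
    @knife_settings = knife_settings
  end

  # Secret file contents, or nil when the setting is absent or not a file.
  def encrypted_data_bag_secret
    path = @knife_settings[:secret_file]
    return nil unless path && File.file?(path)
    File.read(path).strip
  end

  def render
    ERB.new(FRAGMENT, trim_mode: "-").result(binding)
  end
end

def render_bootstrap(knife_settings)
  FakeBootstrapContext.new(knife_settings).render
end

def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "encrypted_data_bag_secret")
    File.write(path, "CONSTRUCTED-SAMPLE-SECRET\n")
    File.chmod(0o600, path)
    {
      # Path stored under a key the bootstrap model never reads: block is skipped.
      top_level_only: render_bootstrap(encrypted_data_bag_secret: path),
      # Path stored under knife[:secret_file]: secret is embedded in the script.
      secret_file: render_bootstrap(secret_file: path),
    }
  end
end
demo.each { |name, script| puts "== #{name} ==", script } if __FILE__ == $PROGRAM_NAME
```

When the block is emitted, the rendered bootstrap script carries the secret in cleartext, so anything that stores or logs that script holds the data bag key as well.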

 



