- From: Nico Kadel-Garcia
- To: [chef]
- Subject: [chef] RE: Re: Using chef solo to aws distribute keys
- Date: Fri, 13 Feb 2015 18:27:36 -0600
- Accept-language: en-US
I've taken a look at the various solutions. None of them work: many are
dependent on an available chef server to hold encrypted data, unlocked by a
local key, and I'm using chef-solo extensively, not a chef-server/chef-client
setup. Also, frankly, many cookbooks such as the "nagios" and "mysql" and
"users" cookbooks have no structure in place for managing encrypted data that
must be stored on individual nodes in locally unencrypted format, such as
MySQL passwords, Nagios stored credentials for remote service checks, or
private SSH keys.
It's possible to write individual customized wrapper cookbooks for each of
these, but it's awkward and fragile to have to keep wrapping this material.
And if you use a git or other source control for such information, it means
that anyone who has access to that repository has the relevant passwords or
private keys unless you ignore the built-in tools and write your own wrappers
or updates to fix this. This is especially true for SSH private keys for
individual accounts in the "users" cookbook, and for initial "root" access
for MySQL, Postgresql, and other databases.
Nico Kadel-Garcia
Lead DevOps Engineer
> -----Original Message-----
> From: Noah Kantrowitz
> Sent: Thursday, December 18, 2014 10:48 PM
> To: [chef]
> Subject: [chef] Re: Using chef solo to aws distribute keys
>
> On Dec 18, 2014, at 3:24 PM, Nico Kadel-Garcia wrote:
>
>> I was referring more to MySQL database password. This especially applies
>> to MySQL modules in various web servers and backup systems for databases:
>> these tend to rely on passwords stored locally in clear text, but I
>> certainly don't want them in my role or environment attributes in clear
>> text.
>>
>> I've done this with actual chef servers, but am only learning 'chef-solo'
>> now. I'd welcome a walkthrough or insights.
>
> https://coderanger.net/chef-secrets/ goes over your options.
>
> --Noah