I've taken a look at the various solutions. None of them work: many are dependent on an available chef server to hold encrypted data, unlocked by a local key, and I'm using chef-solo extensively, not a chef-server/chef-client setup. Also, frankly, many cookbooks such as the "nagios" and "mysql" and "users" cookbooks have no structure in place for managing encrypted data that must be stored on individual nodes in locally unencrypted format, such as MySQL passwords, Nagios stored credentials for remote service checks, or private SSH keys.
It's possible to write individual customized wrapper cookbooks for each of these, but it's awkward and fragile to have to keep wrapping this material. And if you use a git or other source control for such information, it means that anyone who has access to that repository has the relevant passwords or private keys unless you ignore the built-in tools and write your own wrappers or updates to fix this. This is especially true for SSH private keys for individual accounts in the "users" cookbook, and for initial "root" access for MySQL, PostgreSQL, and other databases.
Nico Kadel-Garcia
Lead DevOps Engineer
> -----Original Message-----
> From: Noah Kantrowitz
> Sent: Thursday, December 18, 2014 10:48 PM
> To: chef mailing list
> Subject: [chef] Re: Using chef solo to aws distribute keys
>
>
> On Dec 18, 2014, at 3:24 PM, Nico Kadel-Garcia wrote:
>
> > I was referring more to MySQL database password. This especially applies to
> > MySQL modules in various web servers and backup systems for databases: these
> > tend to rely on passwords stored locally in clear text, but I certainly don't want
> > them in my role or environment attributes in clear text.
> >
> > I've done this with actual chef servers, but am only learning 'chef-solo' now.
> > I'd welcome a walkthrough or insights.
> >
>
> https://coderanger.net/chef-secrets/ goes over your options.
>
> --Noah
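The pattern the thread keeps circling back to is "encrypted data in the repo, unlocked by a key that lives only on the node". The following is an added illustration of that pattern in plain Ruby (it is not Chef's code and not part of this thread); its item layout is modeled loosely on Chef's encrypted data bag format, and the secret string and MySQL password are constructed sample values.

```ruby
require "openssl"
require "json"
require "base64"
require "digest"

# Secrets are committed only in this encrypted form; the shared secret that unlocks
# them is provisioned out of band onto each node (e.g. a root-only file under /etc/chef),
# so read access to the git repository alone does not reveal passwords or private keys.
module RepoSecret
  CIPHER = "aes-256-cbc"

  # The node-local secret file contents are hashed to a fixed-length AES key.
  def self.derive_key(secret)
    Digest::SHA256.digest(secret)
  end

  # Encrypt one value; JSON-wrapping keeps strings, arrays and hashes uniform.
  def self.encrypt(value, secret)
    key = derive_key(secret)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    ct = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
    enc = Base64.strict_encode64(ct)
    {
      "encrypted_data" => enc,
      "iv" => Base64.strict_encode64(iv),
      "hmac" => Base64.strict_encode64(OpenSSL::HMAC.digest("sha256", key, enc)),
      "version" => 2,
      "cipher" => CIPHER,
    }
  end

  # Verify the HMAC before touching the ciphertext: a wrong key or a tampered
  # item is rejected with a clear error instead of a padding failure or garbage.
  def self.decrypt(item, secret)
    key = derive_key(secret)
    expected = OpenSSL::HMAC.digest("sha256", key, item["encrypted_data"])
    actual = Base64.strict_decode64(item["hmac"])
    raise "HMAC mismatch: wrong key or tampered item" unless secure_equal(expected, actual)
    cipher = OpenSSL::Cipher.new(item["cipher"]).decrypt
    cipher.key = key
    cipher.iv = Base64.strict_decode64(item["iv"])
    pt = cipher.update(Base64.strict_decode64(item["encrypted_data"])) + cipher.final
    JSON.parse(pt)["json_wrapper"]
  end

  # Constant-time comparison so the HMAC check does not leak via timing.
  def self.secure_equal(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A recipe would read the secret from the node-local file, call `RepoSecret.decrypt` on the committed item, and write the result into the MySQL or Nagios config with restrictive permissions; rotating the node key re-encrypts the items without changing the cookbooks.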