I have a full Chef configuration set of roles, cookbooks, databags, etc., in a private git repository.
I see that I can use the --secret-file option to encrypt a databag when it's uploaded to the Chef server.
But I want to store those databags encrypted in the git repository as well.
The only thing that comes to mind is making a plaintext json file locally, uploading it to Chef with encryption, then taking the encrypted JSON from the Chef web page and pasting it into my repository copy.
Has anyone else solved this problem?
Benefits: in a test environment you can use unencrypted data. One doesn't store the shared secret as plain text. One may grant only a few of their servers access to read and write some data bags.
I have the following bash script (called encrypted-databag.sh) in my chef working directory:
#!/bin/bash -e
# Usage: ./encrypted-databag.sh <knife data bag subcommand> <databag> <item>
# Pass the subcommand through to knife with the shared secret attached.
knife data bag "$1" "$2" "$3" --secret-file ~/.chef/encrypted_data_bag_secret
# After an edit, pull the item back into the repository copy. Without
# --secret-file, "show" returns the still-encrypted JSON, which is what
# should be committed.
if [ "$1" == "edit" ] ; then
  knife data bag show "$2" "$3" -Fj > "./data_bags/$2/$3.json"
fi
It saves me typing every time I use knife to show me the encrypted data bag. And it automatically updates/saves it into the repository when I edit it.
Updated on 30.08.2013
The drawback of the script above is that you edit your data bag straight on the chef-server. But there is a problem when you are still working on some cookbook and haven't uploaded it, but the data bag is already there and is used by the older version of the cookbook. This way, when chef-client is run on some node, it may lead to some errors.
So I was thinking about editing the encrypted data bag locally, without the chef-server, and then uploading the new version of it together with the new version of the cookbook (after the tests have passed). So here is the rake task I use now to edit encrypted data bags.
require 'chef' # needed for Chef::EncryptedDataBagItem and Chef::JSONCompat

namespace 'databag' do
  desc 'Edit encrypted databag item.'
  task :edit, [:databag, :item, :secret_file] do |t, args|
    args.with_defaults :secret_file => "#{ENV['HOME']}/.chef/encrypted_data_bag_secret"
    secret = Chef::EncryptedDataBagItem.load_secret args.secret_file
    item_file = "data_bags/#{args.databag}/#{args.item}.json"
    tmp_item_file = "/tmp/#{args.databag}_#{args.item}.json"
    begin
      # decrypt data bag into tmp file (mode 0600: the tmp file holds plaintext secrets)
      raw_hash = Chef::JSONCompat.from_json IO.read item_file
      databag_item = Chef::EncryptedDataBagItem.new raw_hash, secret
      IO.write tmp_item_file, Chef::JSONCompat.to_json_pretty( databag_item.to_hash ), perm: 0600
      # edit tmp file
      sh "#{ENV['EDITOR']} #{tmp_item_file}"
      # encrypt tmp file data bag into original file
      raw_hash = Chef::JSONCompat.from_json IO.read tmp_item_file
      databag_item = Chef::EncryptedDataBagItem.encrypt_data_bag_item raw_hash, secret
      IO.write item_file, Chef::JSONCompat.to_json_pretty( databag_item )
    ensure
      # ensure tmp file deleted (it may not exist if reading item_file failed)
      ::File.delete tmp_item_file if ::File.exist? tmp_item_file
    end
  end
end
Now, to edit an encrypted data bag, I use:
rake databag:edit[my_databag,item_in_databag]
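As an added example (not part of the answer above, and not Chef's own code), the following dependency-free Ruby shows what the encrypted copy that ends up in `data_bags/<bag>/<item>.json` actually looks like, and adds a pre-commit check that no plaintext field slipped into it. It assumes the layout of Chef's version 1 encrypted data bag items: every field except `id` is encrypted separately with AES-256-CBC, the key is SHA-256 of the shared secret file's contents, and the plaintext is the JSON `{"json_wrapper": value}`; the secret and the item are constructed sample data. Verify against real `knife` output before treating it as byte-compatible.

```ruby
require 'openssl'
require 'json'
require 'digest'

# Assumed to match Chef's version 1 encrypted data bag item format.
CIPHER = 'aes-256-cbc'.freeze
ENCRYPTED_KEYS = %w[encrypted_data iv version cipher].freeze

# Chef derives the AES key from the raw secret file contents with SHA-256.
def derive_key(secret)
  Digest::SHA256.digest(secret)
end

# Encrypt one field value; the value is wrapped in JSON so that non-string
# values (arrays, numbers, hashes) survive the round trip.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  plaintext = JSON.generate('json_wrapper' => value)
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    'encrypted_data' => [ciphertext].pack('m0'), # base64, no line breaks
    'iv' => [iv].pack('m0'),
    'version' => 1,
    'cipher' => CIPHER
  }
end

def decrypt_field(field, secret)
  cipher = OpenSSL::Cipher.new(field.fetch('cipher'))
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = field.fetch('iv').unpack1('m0')
  plaintext = cipher.update(field.fetch('encrypted_data').unpack1('m0')) + cipher.final
  JSON.parse(plaintext).fetch('json_wrapper')
end

# The "id" field stays in the clear so knife/search can address the item.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(key, value), out|
    out[key] = key == 'id' ? value : encrypt_field(value, secret)
  end
end

def decrypt_item(item, secret)
  item.each_with_object({}) do |(key, value), out|
    out[key] = key == 'id' ? value : decrypt_field(value, secret)
  end
end

def encrypted_field?(value)
  value.is_a?(Hash) && ENCRYPTED_KEYS.all? { |k| value.key?(k) }
end

# Pre-commit check for the repository copy: every field except "id" must be
# an encrypted envelope, otherwise plaintext is about to be committed.
def safe_to_commit?(item)
  item.all? { |key, value| key == 'id' || encrypted_field?(value) }
end

# Constructed sample data (not a real secret or data bag).
SAMPLE_SECRET = "constructed-sample-secret-not-for-real-use\n".freeze
SAMPLE_ITEM = {
  'id' => 'db_password',
  'password' => 's3cret-value',
  'ports' => [5432, 5433]
}.freeze

if __FILE__ == $PROGRAM_NAME
  encrypted = encrypt_item(SAMPLE_ITEM, SAMPLE_SECRET)
  puts JSON.pretty_generate(encrypted)          # what would be committed to git
  puts "safe_to_commit? #{safe_to_commit?(encrypted)}"
  puts "round trip ok? #{decrypt_item(encrypted, SAMPLE_SECRET) == SAMPLE_ITEM}"
end
```

Running `safe_to_commit?` (for example from a git pre-commit hook over every file under `data_bags/`) catches the case the rake task guards against with its `ensure` block: a plaintext item being written back, or left behind, where the encrypted one should be.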