Knife download data bag secret-file
I also told chef-vault that my user can decrypt this; I need to use the knife plugin to do so. As you can see, the password is the one generated from the mkpasswd command earlier.

But which nodes have access to decrypt this password? As we can see, I have two nodes that are API clients with access to decrypt the data bag items. First, I created a cookbook named vault and added it to the base role. It contains the following recipe. Then I require it like any other Ruby library. This is where the decryption happens. If I do this under a chef-shell, I can see the result.

It returns a data bag item. Then, in the user resource, I use the password. When Chef runs, it will look like this. Suppose this vaultuser is to be used for deploying code by cloning a repository. Get the SHA checksum of the private key. First, load the item from the encrypted data bag like we did before.

Next, make sure that the vaultuser has an. Finally, manage the content of the private key file with a file resource and the content resource attribute. Note the content checksum: this will match the checksum of the source file from earlier (scroll up!). What happens if we need to update a secret? For example, if an administrator leaves the organization, we will want to change the vaultuser password and SSH private key.

So, I need to use encrypt update. Suppose we have a system that we need to take offline for some reason, so we want to disable its access to a secret. Or perhaps we have a user who was an admin and has left the organization. We can do that in a few ways. The most straightforward way to manage access to an item is to use the update or remove sub-commands. If the node has already run Chef and is indexed on the Chef Server, simply rerun the update command with the search. A solution here is to create the node with an empty run list, allowing it to register with the Chef Server, and then use knife bootstrap to rerun Chef with the proper run list.

This is annoying, but no one claimed that chef-vault would solve all problems with shared secret management. The --admins argument takes a list. Earlier, I only had my userid as an admin. To remove the bofh user, use the encrypt remove subcommand. In this case, the --admins argument is the list of admins to remove, rather than add. As above, I just pass a comma-separated string, "jtimberman,mandi", to the --admins argument. For example, of my nodes, say I want to remove os:

Encrypted chef data bag json file, how to decrypt and show contents? Asked 5 years, 11 months ago. Active 5 years, 11 months ago.

I need to run something like this. So obviously the command is not quite right. I need help figuring out the syntax. Ultimately I want to change some values, but getting the unencrypted values would be a good place to start. Thanks!

The json file can indeed be encrypted and the content can be decrypted with knife. I think you are confusing the knife data bag show and knife data bag from file commands. The former is for displaying data from the server; the latter is for uploading it. You have both on the command line.

Data bags are the perfect solution for this problem because the list of users is global data that we want to share between nodes. Use the chef-playground directory you created in Chapter, and use the same dual command prompt setup you used there. Start the chef-zero server on an open port in one window. We will be using port in the examples in this chapter.

Then, in the other window, make the chef-playground directory the current working directory. Make sure the chef-playground directory is the current working directory. Also, create a new data bag called users. Similar to what we did in Chapter 11 to create node data, create some items in your data bag by creating a. In this case, we want to create data bag items for a user named alice and a user named bob. Create the files alice.

The data bag item contains key-value pairs with data relevant to a Unix user (Example). To search data bags, use the name of the data bag in the index parameter to knife search. The following command will search for the list of users we created in a data bag.

You can add specific key-value pairs in the query part of the knife search command line. The same search query variants we used in Chapter 12 for nodes also apply to data bags. The query fields are just slightly different, as they are no longer node attributes. For example, the following query would return the items where the id is alice OR bob. Just as we covered in Chapter 12, search results can be filtered with the -a parameter. For example, -a shell returns only the value of each user's shell.

We have to escape the " here within the search string. Chef Development Kit: Chef Client: Edit the. In production, data bags are populated with data that is not packaged with the cookbook itself. In other words, any data used for cookbook testing is normally located outside the main cookbook directory structure. You can use the search method to perform the data bag query, just like you did for nodes in Chapter. Plus, you can make use of the Chef user resource to create a user based on the information contained in the data bag.

The user statement within the search block is a Chef resource. The user resource creates a local user on the node. It takes the following attributes. Run kitchen converge. If all goes well, Test Kitchen should upload the cookbook code to the sandbox environment and create the data bag entries in a chef-zero instance. It should then run the cookbook code that performs a query for our users data bag items and creates corresponding users with the user resource.

Verify users. Log in to the sandbox environment and run getent passwd to verify that our users exist. Then make sure you exit back out to the host command prompt. Local users alice and bob should now be created with the appropriate user data. You can also add a new item to the users data bag collection. Make your users recipe the current working directory. Run kitchen converge and then kitchen login to check whether the new user account got created.

Make sure you exit back out to the host prompt when you are done. You should notice that an account for eve got created. Your recipe is data driven, based on the list of users maintained in the users data bag.

Whenever that list changes, a node will pick up the change on its next scheduled Chef run.