Secure data bag items with chef solo
How to generate encrypted data bag item with knife and chef-solo
This post is mostly a memo to myself, because I keep forgetting how to create encrypted data bag items.
Here is the deal. We know how to generate regular data bag items with knife:
knife data bag create DATA_BAG_NAME DATA_BAG_ITEM (for those who didn't know).
And the secure / encrypted version:
knife data bag create pass test --secret-file /path/to/data_bag_key
Note the flag: --secret-file takes the path to the key file, while --secret takes the key string itself, so passing a path to --secret would silently use the path string as your encryption key.
The knife command is awesome and I use it a lot, but it can be a little annoying, especially when you deal with data bags. Like many knife commands, it creates the data (the data bag item in our case) directly on the chef server, while you almost certainly want it stored in the repo so you can share it with coworkers (to give just one example).
Fortunately there is an easy workaround:
knife data bag show pass test --format json > data_bags/folder/item.json (notice --format json; without --secret-file, show prints the item as stored on the server, i.e. still encrypted, which is exactly what you want to commit)
Now you have it and can commit it to the repo. Here is some more info about data bags.
How do we do the same with chef-solo, when we don't have a chef server?
Good question! Initially I was using various custom scripts that worked roughly like
knife data bag create: they would open the data bag item in an editor and write the encrypted version on save. When Chef 11 came out, it changed the encrypted data bag item format (the "version 1" format: AES-256-CBC with a random IV per value, with the cipher and version recorded in the item), and as a result some of the scripts I was using to create data bag items stopped working. I could have fixed them of course, but at the same time I thought "there should be a better way..". And I found it!
We need to install two little gems:
gem install knife-solo (knife-solo adds a handful of Knife commands that aim to make working with chef-solo as powerful as chef-server.)
gem install knife-solo_data_bag (A knife plugin to make working with data bags easier in a chef solo environment.)
GOTCHA - Depending on your chef installation method, don't be surprised if you won't find knife solo available after installing those gems. If you run knife solo and it exists, stop reading and move on! If you installed chef with the omnibus installer from Opscode, chances are it lives under /opt/chef and brings its own ruby and gem binaries. Depending on the OS it may link those binaries into regular locations like /usr/bin, but don't count on that. Basically, if you installed the above gems and are still missing the knife solo command, use chef's embedded gem wrapper: instead of gem install you would run /opt/chef/embedded/bin/gem install. You can use this method to install other chef related gems as well.
Here I'm assuming you have both gems installed and knife solo works. Now you can create data bag items very easily:
knife solo data bag create pass mysql --secret-file .chef/encrypted_data_bag_secret -c .chef/solo.rb
Two things to mention: --secret-file is the path to your data bag secret key, and -c .chef/solo.rb is the path to your solo/knife config. You can also set the encrypted_data_bag_secret directive inside solo.rb, so you don't need to pass the path to the secret key on every command!
A couple more commands:
knife solo data bag show pass mysql
knife solo data bag edit pass mysql
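To see what such an item actually looks like on disk, and to check that a file you are about to commit really decrypts with your secret, here is an added example. It is not code from this post or from the knife-solo_data_bag plugin: it is plain Ruby using only the openssl, json, base64 and digest stdlibs, and it reproduces the Chef 11 "version 1" encrypted data bag item format as I understand it from Chef's EncryptedDataBagItem code (AES-256-CBC, key = SHA256 of the secret, a fresh random IV per value, plaintext wrapped as {"json_wrapper": value}). The secret string, the sample item and the verify_item helper are made up for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'digest'

# Constructed secret for this example only. In real use SECRET is the
# whitespace-stripped contents of .chef/encrypted_data_bag_secret.
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# Chef 11 "version 1" format (assumed from Chef's EncryptedDataBagItem):
# every key except "id" is encrypted on its own with AES-256-CBC,
# key = SHA256(secret), one random IV per value, and the plaintext is the
# JSON document {"json_wrapper": value} so that arrays, hashes and numbers
# survive the round trip, not just strings.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  data = cipher.update(JSON.generate({ 'json_wrapper' => value })) + cipher.final
  {
    'encrypted_data' => Base64.encode64(data),
    'iv' => Base64.encode64(iv),
    'version' => 1,
    'cipher' => 'aes-256-cbc'
  }
end

def decrypt_value(field, secret)
  raise "unsupported data bag item version #{field['version'].inspect}" unless field['version'] == 1
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field['iv'])
  plain = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plain)['json_wrapper']
end

# Item-level helpers: "id" stays in the clear, as knife leaves it.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(key, value), out|
    out[key] = key == 'id' ? value : encrypt_value(value, secret)
  end
end

def decrypt_item(item, secret)
  item.each_with_object({}) do |(key, value), out|
    out[key] = key == 'id' ? value : decrypt_value(value, secret)
  end
end

# Pre-commit sanity check (hypothetical helper): true only if every value
# decrypts and parses with this secret. A wrong secret normally fails on
# CBC padding (CipherError); in the rare case the padding happens to be
# valid, JSON parsing of the garbage fails instead.
def verify_item(item, secret)
  decrypt_item(item, secret)
  true
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Sample item constructed for the example.
  item = { 'id' => 'mysql', 'root_password' => 's3cr3t', 'users' => %w[app backup] }
  encrypted = encrypt_item(item, SECRET)
  puts JSON.pretty_generate(encrypted)        # the shape that lands in data_bags/pass/mysql.json
  puts decrypt_item(encrypted, SECRET).inspect
  puts verify_item(encrypted, 'wrong-secret') # false
end
```

Run it with ruby and you get the same shape of JSON that knife solo data bag create writes: id in the clear and every other key replaced by an encrypted_data / iv / version / cipher hash, with a different ciphertext on every run because of the random IV. Two practical points: chef strips whitespace from the secret file when loading it, so generate the key with the documented `openssl rand -base64 512 | tr -d '\r\n' > .chef/encrypted_data_bag_secret`, and commit only the encrypted items, never the secret file itself.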
I think you should be good at this point, go create some secure data bag items!
Posted 04 Aug 2013