Auto copy encrypted_data_bag_secret on the node not working


#1

Ohai Chefs!

In my chef-repo’s knife.rb file, I’ve the following config for encrypted_data_bag_secret

......
# Encrypted data bag secret file
knife[:encrypted_data_bag_secret] = "/Users/millisami/.chef/encrypted_data_bag_secret"
......

And this is the snippet of the default chef-full distro:

<% if @chef_config[:encrypted_data_bag_secret] -%>
(
cat <<'EOP'
<%= encrypted_data_bag_secret %>
EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
<% end -%>

But when bootstrapping, the file is not created on the node. Debugging around, when I print the value of @chef_config[:encrypted_data_bag_secret] it is nil, and so is the <%= encrypted_data_bag_secret %> erb call.

Then I changed the config var to knife_config[:encrypted_data_bag_secret] and added the File.read, and the file location and the contents are also set properly.

<% if knife_config[:encrypted_data_bag_secret] -%>
(
cat <<'EOP'
<%= File.read(knife_config[:encrypted_data_bag_secret]) %>
EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
<% end -%>

But still, when issuing the bootstrap command, the file is not getting created at the node's /etc/chef/encrypted_data_bag_secret?

What might be the cause?


@millisami
~ Sachin Sagar Rai
Ruby on Rails Developer
http://tfm.com.np
http://nepalonrails.com (http://nepalonrails.tumblr.com)


#2

On Tue, Jan 29, 2013 at 8:31 AM, Sachin Sagar Rai millisami@gmail.com wrote:

In my chef-repo’s knife.rb file, I’ve the following config for
encrypted_data_bag_secret

......
# Encrypted data bag secret file
knife[:encrypted_data_bag_secret] = "/Users/millisami/.chef/encrypted_data_bag_secret"

This should be just:
encrypted_data_bag_secret "/Users/millisami/.chef/encrypted_data_bag_secret"

And this is the snippet of the default chef-full distro:

<% if @chef_config[:encrypted_data_bag_secret] -%>
(
cat <<'EOP'
<%= encrypted_data_bag_secret %>
EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
<% end -%>

Btw, the version in the latest releases is a bit simpler and avoids
the hardcoded (and thus insecure) /tmp paths.


Cheers,

- Teemu
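To make the difference between the two knife.rb forms concrete, here is an added example (not code from the thread, nor Chef's own implementation) that mimics how knife.rb is evaluated and then renders the quoted chef-full template fragment. The KnifeRb and BootstrapContext classes and the SECRET_FILES table are simplified stand-ins for Mixlib::Config, Chef's bootstrap context and File.read.

```ruby
require 'erb'

# Stand-in for knife.rb evaluation (real Chef: Mixlib::Config). A bare
# `encrypted_data_bag_secret "path"` sets the top-level key the bootstrap
# template reads; `knife[:...] = path` only fills the nested knife hash.
class KnifeRb
  attr_reader :config
  def initialize; @config = { knife: {} }; end
  def knife; @config[:knife]; end
  def encrypted_data_bag_secret(path); @config[:encrypted_data_bag_secret] = path; end
  def self.load(source)
    cfg = new
    cfg.instance_eval(source)
    cfg.config
  end
end

# Constructed stand-in for File.read of the secret on the workstation.
SECRET_FILES = {
  '/Users/millisami/.chef/encrypted_data_bag_secret' => "constructed-secret-bytes\n"
}

# Fragment of the chef-full bootstrap template as quoted in the thread.
TEMPLATE = <<'ERB'
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
cat <<'EOP'
<%= encrypted_data_bag_secret %>
EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
<% end -%>
ERB

# Stand-in for Chef's BootstrapContext: @chef_config is the evaluated knife.rb.
class BootstrapContext
  def initialize(chef_config); @chef_config = chef_config; end
  # Template helper: the secret file's contents, read from the configured path.
  def encrypted_data_bag_secret
    SECRET_FILES.fetch(@chef_config[:encrypted_data_bag_secret])
  end
  def render; ERB.new(TEMPLATE, trim_mode: '-').result(binding); end
end

# Evaluate a knife.rb snippet and return the bootstrap script fragment it yields.
def render_bootstrap(knife_rb_source)
  BootstrapContext.new(KnifeRb.load(knife_rb_source)).render
end
```

With the `knife[:encrypted_data_bag_secret]` form the `if` guard sees nil and the whole block is dropped from the bootstrap script, which is exactly the symptom in the first post; with the bare `encrypted_data_bag_secret` setting the heredoc is emitted (note the blank line after the secret that `awk NF` strips).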