Chef Client 12.0.0 Release


#1

Ohai chefs,

Last night with a lot of excitement we’ve released Chef Client 12.0.0:

https://www.chef.io/blog/2014/12/05/release-chef-client-12-0-0/

Wohoooo!

Even though this is a major version bump for Chef Client, we have put in a
lot of effort to keep backwards compatibility and to decrease the friction
to upgrade to this release. And even though we have put in a lot of effort,
we’re expecting some corner cases to be issues during migration. But as
always we are here to help and ready to fix things that are impacting you
during your migration.

Our blog post has a section in the end that talks about the currently known
issues for migration. Soon we will get them added to our official
documentation and keep them up to date.

Thank you all for your contributions to this release and helping us work
through the issues to make Chef better for everyone.

– Serdar


#2

Ohai!

Can you please detail a little bit more this feature:

Auto magical encryption / decryption of encrypted data bags in recipes and
via knife.

Thanks a lot!

On Fri, Dec 5, 2014 at 6:34 PM, Serdar Sutay serdar@getchef.com wrote:

Ohai chefs,

Last night with a lot of excitement we’ve released Chef Client 12.0.0:

https://www.chef.io/blog/2014/12/05/release-chef-client-12-0-0/

Wohoooo!

Even though this is a major version bump for Chef Client, we have put in a
lot of effort to keep backwards compatibility and to decrease the friction
to upgrade to this release. And even though we have put in a lot of effort,
we’re expecting some corner cases to be issues during migration. But as
always we are here to help and ready to fix things that are impacting you
during your migration.

Our blog post has a section in the end that talks about the currently
known issues for migration. Soon we will get them added to our official
documentation and keep them up to date.

Thank you all for your contributions to this release and helping us work
through the issues to make Chef better for everyone.

– Serdar


– Tiago Cruz


#3

On Sat, Dec 6, 2014 at 7:50 AM, Tiago Cruz tiago.tuxkiller@gmail.com wrote:

Can you please detail a little bit more this feature:

Auto magical encryption / decryption of encrypted data bags in recipes and
via knife.

In Chef < 12 you had to use Chef::EncryptedDataBagItem.load to load
encrypted data bag items, and the data_bag_item DSL to load
unencrypted data bag items.

In Chef >= 12, you can use the data_bag_item for both, and it will
auto-detect whether a bag item is encrypted or not.

– Julian


[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
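
An added example, not part of the thread and not Chef's own code: because data_bag_item accepts both forms, a recipe will not reveal which one it received, so a check like this can be run over data bag JSON to flag items that still carry plaintext fields. The envelope keys (`encrypted_data`, `iv`, `version`, `cipher`) are an assumption about the encrypted item format, the helper names are hypothetical, and the sample items are constructed.

```ruby
require "json"

# Assumption: each encrypted field is a hash carrying these keys.
ENVELOPE_KEYS = %w[encrypted_data iv version cipher].freeze

def encrypted_value?(value)
  value.is_a?(Hash) && ENVELOPE_KEYS.all? { |k| value.key?(k) }
end

# Classify one data bag item (JSON text). "id" is always stored in the clear.
def classify_item(json_text)
  item = JSON.parse(json_text)
  fields = item.reject { |key, _| key == "id" }
  plaintext = fields.reject { |_, v| encrypted_value?(v) }.keys
  status =
    if fields.empty? then :empty
    elsif plaintext.empty? then :encrypted
    elsif plaintext.size == fields.size then :plaintext
    else :mixed
    end
  { id: item["id"], status: status, plaintext_fields: plaintext }
end

# Constructed sample items (values are placeholders, not real ciphertext).
ENVELOPE = { "encrypted_data" => "PLACEHOLDER", "iv" => "PLACEHOLDER",
             "version" => 1, "cipher" => "aes-256-cbc" }.freeze
SAMPLES = [
  { "id" => "db_creds", "password" => ENVELOPE },
  { "id" => "motd", "text" => "welcome" },
  { "id" => "api", "token" => ENVELOPE, "note" => "rotate monthly" }
].map(&:to_json)

# Return only the items that are not fully encrypted.
def audit(items)
  items.map { |text| classify_item(text) }.reject { |r| r[:status] == :encrypted }
end

audit(SAMPLES).each do |r|
  puts "#{r[:id]}: #{r[:status]} (plaintext fields: #{r[:plaintext_fields].join(', ')})"
end
```

A `:mixed` result is the case worth a second look: an item that was encrypted once and later had a field added without the secret.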


#4

Search for data_bag_item in http://docs.getchef.com/release/12-0/release_notes.html to see the detailed release notes on this feature.

If you use Knife to interact with data bags, we also improved that experience. You can provide a secret to Knife in 1 of 4 ways. They are, in order of descending preference:

  1. Provide the secret on the command line of knife data bag and knife bootstrap commands with --secret
  2. Provide the location of a file containing the secret on the command line of knife data bag and knife bootstrap commands with --secret-file
  3. Add the secret to your workstation config with knife[:secret] = …
  4. Add the location of a file containing the secret to your workstation config with knife[:secret_file] = …

When adding the secret information to your workstation config, it will not be used for writeable operations unless --encrypt is also passed on the command line. Data bag read-only operations (knife data bag show and knife bootstrap) do not require --encrypt to be passed, and will attempt to use an available secret for decryption. Unencrypted data bags will not attempt to be unencrypted, even if a secret is provided. Trying to view an encrypted data bag without providing a secret will issue a warning and show the encrypted contents. Trying to edit or create an encrypted data bag without providing a secret will fail.

Here are some example scenarios:

Providing knife[:secret_file] = ... in knife.rb will create and encrypt the data bag

knife data bag create BAG_NAME ITEM_NAME --encrypt

The same command run with --secret will use the command line secret instead of the knife.rb secret

knife data bag create ANOTHER_BAG ITEM_NAME --encrypt --secret 'ANOTHER_SECRET'

The next two commands will fail, because they are using the wrong secret

knife data bag edit BAG_NAME --secret 'ANOTHER_SECRET'
knife data bag edit ANOTHER_BAG --encrypt

The next command will unencrypt the data and show it using the knife[:secret_file] without passing the --encrypt flag

knife data bag show BAG_NAME

To create an unencrypted data bag, simply do not provide --secret, --secret-file or --encrypt

knife data bag create UNENCRYPTED_BAG

If a secret is available from any of the 4 possible entries, it will be copied to a bootstrapped node, even if --encrypt is not present

knife bootstrap FQDN

http://docs.getchef.com/knife_data_bag.html is the documentation for the Knife features.

-T
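
An added example, not part of the post and not knife's implementation: the secret-selection rules described above, written as a small decision model so the precedence and the role of --encrypt can be checked against the scenarios. `resolve_secret`, `plan`, the hash keys and the file path are hypothetical names, and the workstation state is constructed.

```ruby
# Hypothetical model of the rules in the post above; not knife's own code.
# cli/config are plain hashes; read_file is injected so the example runs offline.

# Four sources, in descending preference.
def resolve_secret(cli, config, read_file)
  return [cli[:secret], :cli_secret] if cli[:secret]
  return [read_file.call(cli[:secret_file]), :cli_secret_file] if cli[:secret_file]
  return [config[:secret], :config_secret] if config[:secret]
  return [read_file.call(config[:secret_file]), :config_secret_file] if config[:secret_file]
  [nil, :none]
end

# Returns [action, secret_source] for a write (create/edit) or a read (show).
def plan(operation, cli: {}, config: {}, item_encrypted: false,
         read_file: ->(path) { File.read(path).strip })
  secret, source = resolve_secret(cli, config, read_file)
  from_cli = %i[cli_secret cli_secret_file].include?(source)
  if operation == :write
    # A config-file secret only applies to writes when --encrypt is passed.
    wants_encryption = cli[:encrypt] || from_cli
    return [:write_plaintext, :none] unless wants_encryption
    return [:fail_no_secret, :none] if secret.nil?
    [:encrypt, source]
  else
    # Reads never need --encrypt; plaintext items are never "decrypted".
    return [:show_plaintext, :none] unless item_encrypted
    return [:warn_show_ciphertext, :none] if secret.nil?
    [:decrypt, source]
  end
end

# Constructed workstation state: knife.rb sets knife[:secret_file].
FILES = { "/constructed/secret" => "CONFIG_SECRET" }.freeze
READER = ->(path) { FILES.fetch(path) }
CONFIG = { secret_file: "/constructed/secret" }.freeze

def scenarios
  {
    create_with_encrypt: plan(:write, cli: { encrypt: true }, config: CONFIG, read_file: READER),
    create_cli_secret: plan(:write, cli: { encrypt: true, secret: "ANOTHER_SECRET" },
                            config: CONFIG, read_file: READER),
    create_no_flags: plan(:write, config: CONFIG, read_file: READER),
    show_encrypted: plan(:read, config: CONFIG, item_encrypted: true, read_file: READER),
    show_without_secret: plan(:read, item_encrypted: true, read_file: READER),
    encrypt_no_secret: plan(:write, cli: { encrypt: true }, read_file: READER)
  }
end

scenarios.each { |name, (action, source)| puts "#{name}: #{action} via #{source}" }
```

The model stops at choosing the secret; the bootstrap rule from the post (any available secret is copied to the node, with or without --encrypt) uses the same resolution order.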
