Chef Server 12.14.0 Released

Ohai Chefs!

We’re excited to announce the release of Chef Server 12.14. Full release notes[1] and changelog[2]
are available as usual. The package is now available for download from the Chef
Downloads page[3].

Please read the upgrade and compatibility notes below before upgrading.

Release Highlights

This release limits credential proliferation by reducing the number of files that contain plaintext passwords. Effective with this release, no passwords are rendered outside of /etc/opscode in Chef server’s default configuration. More information can be found in the Credentials Management[4] section of the documentation.

This release also introduces new chef-server-ctl commands for managing secrets. See the documentation for chef-server-ctl around password management[5] for details.

Upgrade Notes

Follow the normal upgrade instructions for your Chef server topology.

Existing add-ons will continue to run, but to take full advantage of the new password consolidation, we recommend upgrading to the latest stable versions.

When you are also ready to upgrade the add-ons, follow the steps below:

  1. Upgrade Chef server as documented.
  2. Upgrade your installed add-ons to the following minimum versions in any order:
     • Reporting: 1.7.0
     • Chef Manage: 2.5.0
     • Push Jobs Server: 2.2.0
  3. If you are using the Analytics add-on, your upgrade is now complete.

If you are not using the Analytics add-on, perform the following additional steps:

  4. Add the following entry to /etc/opscode/chef-server.rb on your chef-server(s):

     insecure_addon_compat_mode false

  5. Run sudo chef-server-ctl reconfigure

Add-On Compatibility Notes

  • Important: The add-on versions above are not backwards-compatible with Chef server 12.13.0 and earlier. Do not upgrade any add-ons to the versions above or higher until after you have upgraded to Chef server 12.14.0+.
  • Chef server 12.14.0 defaults to compatibility mode, which ensures that your existing add-ons will continue to work without requiring an immediate upgrade.
  • Analytics requires compatibility mode to remain enabled. Do not follow steps 4-5 above if you are using the Analytics add-on.
  • Compatibility mode is less effective at limiting the spread of plaintext passwords. If you are not using the Analytics add-on, please upgrade to the minimum add-on versions provided above and perform the additional steps to disable compatibility mode.
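
A pre-flight check for the decision laid out in the upgrade steps and compatibility notes above, written as an added example (not Chef's own tooling): given an add-on inventory, it reports whether compatibility mode can be disabled. The inventory labels (reporting, manage, push-jobs-server, analytics), the function names and the sample data are assumptions, as is treating a below-minimum add-on as a blocker; gathering installed versions from your package manager is left to the operator.

```shell
#!/bin/sh
# Added example; labels, function names and sample data are assumptions.

# Minimum add-on versions from the upgrade notes for Chef server 12.14.0.
min_version() {
  case "$1" in
    reporting)        echo 1.7.0 ;;
    manage)           echo 2.5.0 ;;
    push-jobs-server) echo 2.2.0 ;;
    *) return 1 ;;                      # not an add-on covered by the notes
  esac
}

# Succeeds when dotted version $1 >= $2, comparing fields numerically.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if ((x[i] + 0) > (y[i] + 0)) exit 0
      if ((x[i] + 0) < (y[i] + 0)) exit 1
    }
    exit 0
  }' < /dev/null
}

# Reads "label version" lines on stdin and prints one of:
#   keep-enabled          Analytics is present and needs compatibility mode
#   upgrade-addons-first  an add-on is below its minimum version
#   disable               safe to set insecure_addon_compat_mode false
compat_decision() {
  decision=disable
  while read -r name ver; do
    [ -n "$name" ] || continue
    if [ "$name" = analytics ]; then echo keep-enabled; return 0; fi
    min=$(min_version "$name") || continue
    version_ge "$ver" "$min" || decision=upgrade-addons-first
  done
  echo "$decision"
}

# Succeeds when FILE has an uncommented "insecure_addon_compat_mode false".
compat_mode_disabled() {
  grep -Eq '^[[:space:]]*insecure_addon_compat_mode[[:space:]]+false([[:space:]]|#|$)' "$1"
}

# Constructed inventory: Chef Manage is still below 2.5.0.
printf 'reporting 1.7.0\nmanage 2.4.0\npush-jobs-server 2.2.0\n' | compat_decision
```

After step 5, `compat_mode_disabled /etc/opscode/chef-server.rb` confirms the setting is present and not commented out.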