Hi,
I’ve two questions regarding data bag handling in the case of fixtures for cookbook development:
1.) fixture data bag management in cookbooks
Some of our company cookbooks are using encrypted data bags. As we use test-kitchen (and ChefSpec) we also have some plain-json and encrypted data bag fixtures:
E.g.
example_cookbook/test/fixtures/data_bags/certificates/website.json
example_cookbook/test/fixtures/data_bags/users/alice.json
example_cookbook/test/fixtures/data_bags/users/bob.json
# with an example secret in:
example-cookbook/test/integration/encrypted_data_bag_secret
But it’s very cumbersome to manage these encrypted data bags, so we currently use https://github.com/thbishop/knife-solo_data_bag for that:
knife solo data bag edit --secret-file ./test/integration/encrypted_data_bag_secret --data-bag-path ./test/fixtures/data_bags users bob
However, I’m aware of the --local-mode/-z switch of the regular “knife data bag create” command and the general movement towards “chef-zero”.
Unfortunately I could not find a way to specify the data bag path, and my knife.rb settings seem to be ignored:
example_cookbook/.chef/knife.rb:
knife[:secret_file] = File.expand_path('../../test/integration/encrypted_data_bag_secret', __FILE__)
knife[:data_bag_path] = File.expand_path('../../test/fixtures/data_bags', __FILE__)
Created data bags will always go to:
example_cookbook/data_bags/<bag>/<item>.json
Shouldn’t knife in chef-zero/local-mode consider the knife[:data_bag_path] option?
2.) case by case encryption
Gladly knife[:secret_file] will be honored in both cases and every data bag item will be encrypted. That’s nice but usually we don’t want to.
I guess there is a missing switch to enable/disable encryption. Using “--secret-file ./test/integration/encrypted_data_bag_secret” and removing the default option isn’t very convenient.
Thanks in advance
Roland