Encrypted data bag fixtures in cookbooks


#1

Hi,

I’ve two questions regarding data bag handling in the case of fixtures for cookbook development:

1.) fixture data bag management in cookbooks

Some of our company cookbooks are using encrypted data bags. As we use test-kitchen (and ChefSpec) we also have some plain JSON and encrypted data bag fixtures:

E.g.

example_cookbook/test/fixtures/data_bags/certificates/website.json
example_cookbook/test/fixtures/data_bags/users/alice.json
example_cookbook/test/fixtures/data_bags/users/bob.json

# with an example secret in:
example_cookbook/test/integration/encrypted_data_bag_secret

But it’s very cumbersome to manage these encrypted data bags, so we currently use https://github.com/thbishop/knife-solo_data_bag for that:

knife solo data bag edit --secret-file ./test/integration/encrypted_data_bag_secret --data-bag-path ./test/fixtures/data_bags users bob

However, I'm aware of the --local-mode/-z switch of the regular "knife data bag create" command and the general movement towards "chef-zero".
Unfortunately I could not find a way to specify the data bag path, and my knife.rb settings seem to be ignored:

example_cookbook/.chef/knife.rb:

knife[:secret_file]   = File.expand_path('../../test/integration/encrypted_data_bag_secret', __FILE__)
knife[:data_bag_path] = File.expand_path('../../test/fixtures/data_bags', __FILE__)

Created data bags will always go to:

example_cookbook/data_bags/<bag>/<item>.json

Shouldn’t knife in chef-zero/local-mode consider the knife[:data_bag_path] option?

2.) case by case encryption

Fortunately knife[:secret_file] will be honored in both cases and every data bag item will be encrypted. That's nice, but usually we don't want that.
I guess there is a missing switch to enable/disable encryption. Using "--secret-file ./test/integration/encrypted_data_bag_secret" and removing the
default option isn't very convenient.

thanks in advance
Roland
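As an added example (not code from either poster, and not Chef's or knife's own code), here is a small Ruby script for exactly the case-by-case handling asked for above: it converts a plain JSON fixture into an encrypted data bag item under a secret file and back, and refuses to decrypt with the wrong secret or an edited ciphertext. It assumes the on-disk layout of Chef's "version 2" encrypted item (AES-256-CBC with the SHA-256 of the secret as cipher key, the value wrapped as {"json_wrapper": value} before encryption, and an HMAC-SHA256 keyed with the raw secret over the base64 ciphertext); that layout is reproduced from memory, so verify a round trip against a knife-produced item before trusting it for fixtures. The sample item and secret in the test are constructed, and toggle_file is a hypothetical helper, not a knife subcommand.

```ruby
# Added example (not from the thread, not Chef's own code): encrypt and decrypt
# data bag item fixtures case by case with a secret file.
# Assumption: the on-disk layout below reproduces Chef's "version 2" encrypted
# data bag item format (AES-256-CBC, HMAC-SHA256) from memory; verify a round
# trip against a knife-produced item before relying on it.
require 'openssl'
require 'base64'
require 'json'

module FixtureCrypt
  CIPHER  = 'aes-256-cbc'
  VERSION = 2

  # knife strips the secret file, so a trailing newline does not change the key.
  def self.load_secret(path)
    File.read(path).strip
  end

  # Constant-time comparison so a wrong HMAC does not leak how many bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Encrypt one value (any JSON-serialisable object) into the wrapper hash
  # that is stored under its key in the item.
  def self.encrypt_value(value, secret)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = OpenSSL::Digest.digest('SHA256', secret) # cipher key is SHA-256 of the secret
    iv = cipher.random_iv                                  # fresh IV per value, set on the cipher
    plaintext = JSON.generate('json_wrapper' => value)     # wrapper keeps scalar values valid JSON
    encrypted_data = Base64.encode64(cipher.update(plaintext) + cipher.final)
    hmac = OpenSSL::HMAC.digest('SHA256', secret, encrypted_data) # keyed with the raw secret
    {
      'encrypted_data' => encrypted_data,
      'iv'             => Base64.encode64(iv),
      'version'        => VERSION,
      'cipher'         => CIPHER,
      'hmac'           => Base64.encode64(hmac)
    }
  end

  # Verify the HMAC first, then decrypt: a wrong secret or edited ciphertext
  # fails here instead of producing garbage or a padding error.
  def self.decrypt_value(wrapper, secret)
    unless wrapper['version'] == VERSION
      raise ArgumentError, "unsupported encrypted item version #{wrapper['version'].inspect}"
    end
    expected = OpenSSL::HMAC.digest('SHA256', secret, wrapper['encrypted_data'])
    unless secure_compare(expected, Base64.decode64(wrapper['hmac'].to_s))
      raise SecurityError, 'HMAC mismatch: wrong secret or tampered item'
    end
    cipher = OpenSSL::Cipher.new(wrapper['cipher'])
    cipher.decrypt
    cipher.key = OpenSSL::Digest.digest('SHA256', secret)
    cipher.iv  = Base64.decode64(wrapper['iv'])
    plaintext  = cipher.update(Base64.decode64(wrapper['encrypted_data'])) + cipher.final
    JSON.parse(plaintext)['json_wrapper']
  end

  # "id" stays in the clear (it is the item name); everything else is encrypted.
  def self.encrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : encrypt_value(v, secret) }
  end

  def self.decrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_value(v, secret) }
  end

  # True when every non-id value already carries the wrapper layout.
  def self.encrypted_item?(item)
    item.reject { |k, _| k == 'id' }.values.all? { |v| v.is_a?(Hash) && v.key?('encrypted_data') }
  end

  # Hypothetical helper (not a knife subcommand): rewrite a fixture file in place,
  # encrypting a plain item or decrypting an encrypted one. Returns true if the
  # file is encrypted afterwards.
  def self.toggle_file(path, secret)
    item = JSON.parse(File.read(path))
    out  = encrypted_item?(item) ? decrypt_item(item, secret) : encrypt_item(item, secret)
    File.write(path, JSON.pretty_generate(out) + "\n")
    encrypted_item?(out)
  end
end

# Usage: ruby fixture_crypt.rb test/integration/encrypted_data_bag_secret test/fixtures/data_bags/users/bob.json
if $PROGRAM_NAME == __FILE__ && ARGV.size == 2
  secret = FixtureCrypt.load_secret(ARGV[0])
  puts(FixtureCrypt.toggle_file(ARGV[1], secret) ? "encrypted #{ARGV[1]}" : "decrypted #{ARGV[1]}")
end
```

Because the encryption is entirely client-side, the script does not care where knife or chef-zero ends up writing the item; it only touches the fixture file you point it at. Two caveats: in this layout the HMAC covers only the base64 ciphertext, so the IV and cipher name are not authenticated, and the fixture secret lives in the repository by design, so it must never be reused as a real environment's encrypted_data_bag_secret.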


#2

Hey Roland - what version of Chef client are you using? In Chef 12 we added a --encrypt flag like you describe below.

Data bags are encrypted/unencrypted on the client side. I haven’t tested this specifically, but the data stored by chef zero should be encrypted. Could you try this test again with the latest version of Chef client and see if you still have issues?

-T

On Nov 28, 2014, at 1:29 PM, Roland Moriz rmoriz@gmail.com wrote: