Hmm - so if we had several of these secret keys, we'd have to have several
of these bootstrap files?
Not sure how much I like that either - especially since they're locked at
the distribution level (they have to match the -d option).
I tried creating a ~/.chef/bootstrap/.erb file - but
it's not being used - in our case we have a:
-d ubuntu12.04-gems
so I created a ubuntu12.04-gems.erb file in ~/.chef/bootstrap.
Thoughts?
On Mon, Jul 16, 2012 at 4:50 PM, Daniel Condomitti daniel@condomitti.com wrote:
If you use your own custom bootstrap, yes. Look at the source for the
bootstraps:
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/chef-full.erb#L37-45
You'll most likely need to customize the client.rb that gets dropped on the node
as well to reflect the new name. Why do you want to use something other
than /etc/chef/encrypted_data_bag_secret?
On Monday, July 16, 2012 at 1:47 PM, Maven User wrote:
I see this:
As of 0.10.6, knife bootstrap supports the 'encrypted_data_bag_secret'
setting in knife.rb. You will want to add this line to your knife.rb:
encrypted_data_bag_secret '/path/to/your/data_bag_key'
And change '/path/to/your/data_bag_key' to the location of where the data
bag key is located. When you run knife bootstrap afterwards it
automatically adds this line to the client.rb for the node you are
bootstrapping and copies the key over.
But, the issue is it transfers the key as "encrypted_data_bag_secret". Is
there any way to control the NAME of the key on the target system?
On Mon, Jul 16, 2012 at 3:32 PM, Matthew Moretti werebus@gmail.com wrote:
Yeah, if you have a line in your workstation's knife.rb to the effect of
encrypted_data_bag_secret '/path/to/your/data_bag_key'
then the bootstrap process will upload the secret to
/etc/chef/encrypted_data_bag_secret which is the default location.
http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags
-Matt Moretti
On Mon, Jul 16, 2012 at 3:05 PM, Maven User maven.2.user@gmail.com wrote:
Are there any other details about this technique somewhere?
And is this file only living on the place where you're launching knife
from?
On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti <daniel@condomitti.com> wrote:
On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:
Hi all -
We're contemplating storing the values of some ssl keys and
certificates in an encrypted databag, but I have a couple of questions:
1 - Is there a way to have "local" encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn't that
work?
2 - What is the standard way to get the key for decrypting databag
values on a machine? We're trying to do this in an automated fashion and
haven't found a place that best suits automated bootstrapping - what are
people doing?
3 - Some of the crt and key values are escape characters - is it
possible to escape them without screwing up the actual values?
Thanks a million :-/
We write the databag secret to disk as part of our custom bootstrap
template. It's built into the default bootstraps though
(https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42)
as long as you have the encrypted secret configured in client.rb on the
machine initiating the bootstrap. As far as the certificates themselves go,
what format are your certificates in? I would look into storing them in PEM
format since they'd be base64 encoded and you wouldn't have to worry about
escaping anything.
Dan
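As an added example that is not part of this thread and not Chef's own code, the Ruby script below encrypts and decrypts data bag item fields on a workstation using the same secret file that knife bootstrap drops at /etc/chef/encrypted_data_bag_secret, which is what question 1 above is trying to do with a local copy of the item JSON. It assumes the "version 1" field layout introduced in Chef 11 (aes-256-cbc, key = SHA-256 of the secret, a random IV per field, the value wrapped as {"json_wrapper": value}); the bare base64 strings written by the Chef 10 release in use in this thread are an older layout that this code rejects rather than guesses at.

```ruby
# Added example, not from the thread or from Chef itself: encrypt and decrypt
# data bag item fields in the Chef 11 "version 1" layout so a copy of an item's
# JSON can be read locally with the secret that bootstrap copies to each node.
require 'openssl'
require 'base64'
require 'digest'
require 'json'

ALGORITHM = 'aes-256-cbc'

# Produce the per-field hash stored in the item (assumed version 1 layout:
# key = SHA-256 of the secret, random IV, value wrapped as {"json_wrapper": v}).
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(ALGORITHM)
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  data = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  { 'encrypted_data' => Base64.encode64(data), 'iv' => Base64.encode64(iv),
    'version' => 1, 'cipher' => ALGORITHM }
end

# Reverse of encrypt_value. A wrong secret fails in `final` (bad padding) or in
# JSON.parse, so no plaintext is ever returned for it. Bare base64 strings (the
# older Chef 10 layout) are rejected rather than guessed at.
def decrypt_value(field, secret)
  unless field.is_a?(Hash) && field['version'] == 1 && field['cipher'] == ALGORITHM
    raise ArgumentError, 'not a version 1 encrypted field'
  end
  decipher = OpenSSL::Cipher.new(ALGORITHM)
  decipher.decrypt
  decipher.key = Digest::SHA256.digest(secret)
  decipher.iv = Base64.decode64(field['iv'])
  plain = decipher.update(Base64.decode64(field['encrypted_data'])) + decipher.final
  JSON.parse(plain)['json_wrapper']
end

# Decrypt every field of an item except "id", which Chef leaves in clear.
def decrypt_item(item, secret)
  item.each_with_object({}) do |(key, val), out|
    out[key] = key == 'id' ? val : decrypt_value(val, secret)
  end
end

# Usage: ruby decrypt_item.rb item.json [secret_file]. The secret is stripped of
# trailing whitespace, as Chef's load_secret does before using it.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  secret = File.read(ARGV[1] || '/etc/chef/encrypted_data_bag_secret').strip
  puts JSON.pretty_generate(decrypt_item(JSON.parse(File.read(ARGV[0])), secret))
end
```

Because the secret is the only thing standing between the item JSON and the plaintext, treat the local copy of the secret file exactly as the one on the nodes (owner-only permissions, never committed next to the data bag JSON).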