File format change after cookbook upload

elikatz · January 30, 2019, 1:45am

Hello everyone,
We are running chef on centos 7, nodes are various of windows and centos 7.
While working on a centos recipe i noticed the following:
We are using encrypted data bags and use chef recipe to copy the secret key - it looks like the key that was uploaded through the cookbook is different then the original which causes issue with decryption.
Any idea what's going on? Why would cookbook upload break the formatting? The original file on my local repo is fine.
Thanks!

nkadel · January 30, 2019, 2:28am

"The key that was uploaded". Did you use the encryption key to actually do the upload of that file?

There's also something quite incestuously dangerous about using chef to copy around the encryption. Since anyone on a local machine can manually select to run any chef cookbook with any options they care to pass to it, you may have just exposed your encryption key to anyone who can run chef on any client. Passing private keys around in chef requires real thought and real caution.

elikatz · January 30, 2019, 3:41am

How would you recommend using encrypted data bags?
We didn't use the key to upload the file, we dropped it inside the cookbook and use cookbook file to copy it - but the problem is between my local repo and the chef server, not the chef server and the node.
Thanks!

elikatz · January 30, 2019, 4:10pm

Going to try chef vault which looks more secure and more robust then just encrypted data bags.

elikatz · February 7, 2019, 9:12pm

Got a follow up question regarding chef_vault.
We are trying to put values from the vault in a variable so we can use in a few times in the recipe but for some reason it doesn't like it.
We tried something like that:
include_recipe ‘chef-vault’
vault = chef_vault_item('credentials', 'database')
password = #{vault['password']}

We also tried adding single and/or double quotes around it which didn't work.

Using it without the variable work fine - vault['password']

Is it possible to do it the way we want?

ccrebolder · February 7, 2019, 9:31pm

include_recipe ‘chef-vault’
vault = chef_vault_item('credentials', 'database')
password = vault['password']

this should work... I removed the string interpolation bits from around vault['password'], see https://docs.chef.io/ruby.html#interpolation. If it doesn't, make sure there is actually a key called 'password' in your vault and that the node you are running this on is in the list of clients for the vault.

Topic		Replies	Views
Chef-Vault examples of encrypting in recipes? Chef Infra (archive)	0	237	January 16, 2014
[SOLVED] Encrypted data bag in recipe key not found Chef Infra (archive)	2	977	January 5, 2018
Chef-vault cookbook v1.1.0^H2 Chef Infra (archive)	1	301	June 13, 2014
Working with encrypted password in Chef recipe Chef Infra (archive)	1	439	September 14, 2018
Databags vs library cookbook Chef Infra (archive)	2	297	December 22, 2014

File format change after cookbook upload

Related Topics