Suggested patch to chef to enable passing the data bag secret to a node, bypassing storage on the server


#1

These patches are all reversed (sorry, I’m just patching gems right now, I
haven’t fixed anything in git). I’m sending this way because, well, for
the moment this mailing list is my revision control.

GOAL:

Using encrypted databags is nice, but if we want fully automated
installation then there needs to be a way to get encrypted keys from a
server which may not be trusted (e.g. hosted chef) to a client. Encrypted
databags make this possible, but this only works if the client can decrypt
the values that it needs.

This allows the knife config file on the client to contain a new variable:
“data_bag_keyfile”. If this is defined, then it will be read and used in the
same way as “validation_key”. Its pathname will be expanded, and when this
config is referenced it will write out the contents of the
data_bag_keyfile. Example usage (in this case, in ubuntu10.04-basic.erb):

The below relies on the config parameter “data_bag_keyfile” existing in the
knife config. This allows secrets to be stored on a less trusted server.

echo -e "date \n\n**** \n**** Knifing in the chef data bag secret file:\n****\n"
# Render the secret straight into its final location under a restrictive
# umask rather than through a predictably named, world-readable temporary
# file in /tmp; awk NF drops the blank lines the template rendering adds.
(
umask 077
cat <<'EOP' | awk NF > /etc/chef/encrypted_data_bag_secret
<%= data_bag_keyfile %>
EOP
)
chmod 600 /etc/chef/encrypted_data_bag_secret

As-is, this patch will probably break when knifing a server if the path
referred to isn’t present. Since this is a new config this is not ideal,
but it’s a proof of concept and working for me at the moment.


/Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/core/bootstrap_context.rb
2011-11-07 15:09:55.000000000 -0500
+++
/Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/core/bootstrap_context.rb~
2011-09-27 18:13:42.000000000 -0400
@@ -50,10 +50,6 @@
IO.read(@chef_config[:validation_key])
end

  •    def data_bag_keyfile
    
  •      IO.read(@chef_config[:data_bag_keyfile])
    
  •    end
    
  •    def config_content
         client_rb = <<-CONFIG
    

log_level :info
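Review bot: the new data_bag_keyfile helper calls IO.read on @chef_config[:data_bag_keyfile] unconditionally, so once config.rb gives that key a default, every bootstrap from a workstation that lacks the file raises Errno::ENOENT while the template renders (the post already admits this). Guard it, e.g. `return nil unless @chef_config[:data_bag_keyfile] && File.exist?(@chef_config[:data_bag_keyfile])`, and have the template skip its block when the helper returns nil. The prose says the pathname is expanded, but nothing in this hunk calls File.expand_path; either expand here or say that the expansion happens elsewhere. The raw file contents are interpolated verbatim into the bootstrap script, which is why the template needs awk NF to strip blank lines; returning the contents with trailing whitespace stripped would make the template simpler. Keep in mind the diff is reversed, so the bulleted lines are the additions.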

and:

— /Users/pn/gems/gems/chef-0.10.4/lib/chef/config.rb 2011-11-07
16:17:46.000000000 -0500
+++ /Users/pn/gems/gems/chef-0.10.4/lib/chef/config.rb~ 2011-09-27
18:13:42.000000000 -0400
@@ -203,7 +203,6 @@
client_key "/etc/chef/client.pem"
validation_key "/etc/chef/validation.pem"
validation_client_name “chef-validator”

  • data_bag_keyfile "/etc/chef/encrypted_data_bag_secret"
    web_ui_client_name "chef-webui"
    web_ui_key "/etc/chef/webui.pem"
    web_ui_admin_user_name “admin”
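Review bot: defaulting data_bag_keyfile to "/etc/chef/encrypted_data_bag_secret" turns an opt-in feature into a requirement for every knife user, because the bootstrap context reads that path without checking that it exists. Either default it to nil so that only people who set it in knife.rb get the behaviour, or keep the default and make the read conditional. Note also that this same string is hard-coded as the destination path on the node in the erb template, while here it is the path on the workstation running knife; a comment distinguishing the two would prevent confusion.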

and (reversed)

— /Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/configure.rb
2011-11-07 17:26:25.000000000 -0500
+++ /Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/configure.rb~
2011-09-27 18:13:42.000000000 -0400
@@ -23,7 +23,6 @@
class Configure < Knife
attr_reader :chef_server, :new_client_name, :admin_client_name,
:admin_client_key
attr_reader :chef_repo, :new_client_key, :validation_client_name,
:validation_key

  •  attr_reader :data_bag_keyfile
    
     deps do
       require 'ohai'
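Review bot: an attr_reader :data_bag_keyfile is added to Knife::Configure, but the hunk header (`@@ -23,7 +23,6 @@`) shows that this single line is the whole change to configure.rb, so nothing assigns @data_bag_keyfile and `knife configure` will still not emit a data_bag_keyfile line into the knife.rb it generates. Either add the corresponding option or prompt and write the setting into the generated config, or drop the attr_reader as dead code.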
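As an added example (not the posted patch and not Chef's own code), here is a stand-alone Ruby sketch of the mechanism the post describes: a config hash carrying data_bag_keyfile, a context object whose data_bag_keyfile method reads it, and an ERB fragment modelled on the ubuntu template. Unlike the patch, the helper expands the path and returns nil when the file is missing, so the template skips the block instead of the bootstrap failing; that guard, the BootstrapContext class used here, the TEMPLATE constant, the render helpers and the constructed secret are this example's assumptions.

```ruby
require 'erb'
require 'tempfile'

# Added example: a minimal stand-in for Chef's bootstrap context, not the
# real Chef::Knife::Core::BootstrapContext. It shows how a "data_bag_keyfile"
# config entry can be rendered into a bootstrap template, and how to guard
# the case the post warns about (the configured path is absent on the
# workstation). The guarded behaviour is this example's choice, not the
# patch's.
class BootstrapContext
  def initialize(chef_config)
    @chef_config = chef_config
  end

  # Mirrors the posted helper, but expands the path and returns nil when
  # no keyfile is configured or present, instead of raising Errno::ENOENT.
  def data_bag_keyfile
    path = @chef_config[:data_bag_keyfile]
    return nil if path.nil?
    path = File.expand_path(path)
    return nil unless File.file?(path)
    IO.read(path)
  end

  # Renders the template in this object's scope, so the erb can call
  # data_bag_keyfile just as the knife bootstrap templates do.
  def render(template)
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

# Constructed template fragment modelled on the post's ubuntu erb snippet.
# The secret block is emitted only when a keyfile was actually read, so a
# bootstrap without one still produces a (shorter) script.
TEMPLATE = <<'ERB'
<%- if (secret = data_bag_keyfile) -%>
(
umask 077
cat <<'EOP' | awk NF > /etc/chef/encrypted_data_bag_secret
<%= secret %>
EOP
)
chmod 600 /etc/chef/encrypted_data_bag_secret
<%- end -%>
ERB

# Writes a constructed secret to a temporary file and renders the template
# with data_bag_keyfile pointing at it.
def render_with_keyfile(secret = "constructed-example-secret")
  Tempfile.create('encrypted_data_bag_secret') do |f|
    f.write(secret)
    f.flush
    BootstrapContext.new(data_bag_keyfile: f.path).render(TEMPLATE)
  end
end

# Renders with the keyfile configured but missing on disk: the guarded
# helper returns nil and the template omits the secret block entirely.
def render_without_keyfile
  BootstrapContext.new(data_bag_keyfile: '/nonexistent/encrypted_data_bag_secret').render(TEMPLATE)
end

puts render_with_keyfile if __FILE__ == $0
```

The shell the template produces matches the snippet above; on a workstation where the configured file does not exist the rendered fragment is simply empty, which is the behaviour the unguarded IO.read in the patch lacks.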