Using libraries in attributes file to fetch values from a service


#1

Hi,

I’m in an environment where secrets (i.e. passwords) are stored encrypted
in an external service.

I’d like to be able to pull those values in and have them used by Chef.

I can write some nasty code in my attributes file to do it but I’d have to
place that code in each attributes file since I understand that libraries
are not available to attributes files.

Is there a better or right way to share some code for fetching and decoding
these attributes?

Or does anyone have any other bright ideas? Alas I’m not at liberty to use
encrypted data bags or chef server so this is all via chef-solo.

Thanks

Tom


#2

What makes you think that? Libraries are loaded first - so go nuts! :)

Love,
Adam


#3

Is anyone aware of a way to load libraries from another cookbook without requiring a recipe from it? A depends statement isn’t enough in metadata.rb to make them available in my experience. I usually just dump an empty recipe in the cookbook containing the library I want to use. Is this expected / designed behavior or should I fix it?

Dan


#4

On Friday, August 22, 2014 at 7:14 AM, Daniel Condomitti wrote:

Is anyone aware of a way to load libraries from another cookbook without requiring a recipe from it? A depends statement isn’t enough in metadata.rb to make them available in my experience. I usually just dump an empty recipe in the cookbook containing the library I want to use. Is this expected / designed behavior or should I fix it?

Dan

depends ought to do it. If it didn’t then you couldn’t include_recipe from another cookbook and all sorts of things wouldn’t be working. Can you come up with a reproduction case that demonstrates the behavior you’re seeing?


Daniel DeLeo


#5

Yeah I’ll try to put one together. Now that I think about it we’re on 11.6.0 but I started using that workaround/haven’t tested since 10.16.


#6

Hi,

isn’t this what I’ve been asking for here?

If yes, then my experience is that this isn’t working.

Yours
Steffen


#7

On Monday, August 25, 2014 at 8:18 AM, Steffen Gebert wrote:

Hi,

isn’t this what I’ve been asking for here?
http://stackoverflow.com/questions/22844080/chef-use-library-function-in-attributes

If yes, then my experience is that this isn’t working.

Yours
Steffen

Attribute files are eval’d in the context of the Chef::Node object, not Chef::Node::Attribute. In any case, when you include your helper, your code is basically the same as node.node["gerrit"]["version"], which is why you get the NoMethodError.


Daniel DeLeo


#8

Out of curiosity, what kind of external service are you using to store
these secrets, something home grown?

-Ben Bytheway


#9

Yes - it’s home grown. Asymmetrically encrypted secrets served over HTTP.
Private key given to you at deploy time.

Various problems with it but it’s been built by others.

Tom Duckering
ThoughtWorks UK

phone:07811 393 010
mailto:tduckeri@thoughtworks.com
skype:tomduckering
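

Added example, not code from any poster in this thread: one way to put the fetch-and-decrypt logic in a single cookbook library, as #2 suggests, for a service like the one described in #9. It is called by its module name, so nothing is mixed into the node object. The module name, URLs, file paths and the wire format (Base64-encoded RSA-OAEP ciphertext in the HTTP body) are assumptions.

```ruby
# libraries/secret_helper.rb (hypothetical path; added example)
require 'openssl'
require 'net/http'
require 'uri'

module SecretHelper
  class SecretError < StandardError; end

  # Default fetcher: plain GET with timeouts; any non-2xx answer is an error.
  HTTP_FETCH = lambda do |url|
    uri = URI(url)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https',
                          open_timeout: 5, read_timeout: 5) { |h| h.get(uri.request_uri) }
    raise SecretError, "HTTP #{res.code} fetching secret" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end

  # Fetch a Base64 RSA-OAEP blob (assumed wire format) and decrypt it with the
  # deploy-time private key. Fails closed; errors never echo key or secret data.
  def self.fetch_secret(url, key_pem, fetcher: HTTP_FETCH)
    key = OpenSSL::PKey::RSA.new(key_pem)
    raise SecretError, 'a private key is required' unless key.private?
    ciphertext = fetcher.call(url).strip.unpack1('m0') # strict Base64 decode
    key.private_decrypt(ciphertext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  rescue OpenSSL::PKey::PKeyError, ArgumentError => e
    raise SecretError, "cannot decode secret: #{e.class}"
  end
end

# In attributes/default.rb (hypothetical names), call it by module name:
#   default['myapp']['db_password'] = SecretHelper.fetch_secret(
#     'https://secrets.example.internal/myapp/db', ::File.read('/etc/chef/deploy_key.pem'))

# Constructed demo: throwaway key pair, in-memory stand-in for the HTTP service.
def demo_roundtrip
  key = OpenSSL::PKey::RSA.new(2048)
  blob = [key.public_encrypt('s3cr3t-constructed',
                             OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)].pack('m0')
  SecretHelper.fetch_secret('http://secrets.invalid/db', key.to_pem,
                            fetcher: ->(_url) { "#{blob}\n" })
end

puts demo_roundtrip if $PROGRAM_NAME == __FILE__
```

A value assigned to a node attribute is visible to anything that dumps the node object, so calling the helper from the recipe at the point of use and setting `sensitive true` on the consuming resource limits where the plaintext can surface.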