ChefEncryptedDataBags: Difference between revisions
Latest revision as of 22:52, 24 January 2018
Raw notes, needs formatting, context...
=Create data bag=
<syntaxhighlight lang=bash>
$ openssl rand -base64 512 | tr -d '\r\n' > ~/encrypted_data_bag_secret
$ knife data bag create --editor /usr/bin/vi --secret-file ./encrypted_data_bag_secret jenkins passwords
$ knife data bag edit --editor /usr/bin/vi --secret-file ./encrypted_data_bag_secret jenkins passwords # do not mix up -s and --secret-file
</syntaxhighlight>
=Copy encrypted data bag secret to client=
Copy encrypted_data_bag_secret to chef-client:/etc/chef/encrypted_data_bag_secret (the default path chef-client reads the secret from).
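The generate-and-copy step above, as an added example that is not from this page or from Chef: the page's openssl command wrapped in a function, plus an install step and a sanity check so that the secret lands on the client readable only by its owner. File paths are parameters; the 32-character minimum in the check is a local assumption, not a Chef requirement.

```shell
#!/bin/sh
# Added example, not from the wiki page or from Chef: wraps the page's secret
# generation in a function and adds the install-and-verify steps around a
# shared secret. Paths are parameters; the 32-character minimum is a local
# assumption, not a Chef requirement.

# Create a one-line base64 secret in file $1 (the page's openssl command).
# The subshell umask makes the file 0600 from the moment it exists.
generate_secret() {
  ( umask 077; openssl rand -base64 512 | tr -d '\r\n' > "$1" )
}

# Copy secret $1 to $2 (e.g. chef-client:/etc/chef/encrypted_data_bag_secret)
# so that only the owner can read it. Run as the chef-client user or root.
install_secret() {
  ( umask 077; cp "$1" "$2" ) && chmod 0600 "$2"
}

# Return 0 if $1 is a usable secret file: non-empty, at most one line (the
# page's tr -d '\r\n' leaves none), at least 32 chars, and mode 0600.
check_secret_file() {
  f=$1
  [ -s "$f" ] || return 1
  [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ] || return 1
  [ "$(wc -c < "$f" | tr -d ' ')" -ge 32 ] || return 1
  [ "$(ls -ld "$f" | cut -c2-10)" = "rw-------" ] || return 1
  return 0
}

# Usage: generate_secret ~/encrypted_data_bag_secret
#        install_secret ~/encrypted_data_bag_secret /etc/chef/encrypted_data_bag_secret
#        check_secret_file /etc/chef/encrypted_data_bag_secret && echo ok
```

The mode check matters because anyone who can read the secret file can decrypt every item in every data bag that uses it; a world-readable copy left behind by a plain `scp` is the usual way this goes wrong.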
=Example JSON contents=
<syntaxhighlight lang=json>
{
  "jenkins_invadelabs": {
    "install_plugins": {
      "plugins_list": [
        "git"
      ]
    }
  }
}
</syntaxhighlight>
=Create / edit data bags=
<syntaxhighlight lang=bash>
knife data bag create --editor /usr/bin/vi --secret-file ./encrypted_data_bag_secret jenkins passwords
knife data bag edit --editor /usr/bin/vi --secret-file ./encrypted_data_bag_secret jenkins passwords
# chef-client run output after the change:
[2016-08-21T21:41:00-07:00] INFO: template[/var/lib/jenkins/hudson.plugins.sonar.SonarGlobalConfiguration.xml] sending restart action to service[jenkins] (delayed)
Recipe: jenkins::_master_package
  * service[jenkins] action restart[2016-08-21T21:41:00-07:00] INFO: Processing service[jenkins] action restart (jenkins::_master_package line 74)
[2016-08-21T21:41:00-07:00] DEBUG: Providers for generic service resource enabled on node include: [Chef::Provider::Service::Redhat, Chef::Provider::Service::Init]
[2016-08-21T21:41:00-07:00] DEBUG: Provider for action restart on resource service[jenkins] is Chef::Provider::Service::Redhat
[2016-08-21T21:41:00-07:00] DEBUG: service[jenkins] supports status, running
jenkins (pid 21599) is running...
</syntaxhighlight>
=Add a private key to a data bag=
<syntaxhighlight lang=bash>
# join the lines of the key file with a literal "\n" so it fits in one JSON string value
/usr/local/Cellar/gnu-sed/4.2.2/bin/gsed ':a;N;$!ba;s/\n/\\n/g' jenkins_is_rsa
# copy the output into: knife data bag create <some data bag>

# flatten a JSON/ERB file onto one line
cat inhouse_release_perms.erb | /usr/local/Cellar/gnu-sed/4.2.2/bin/gsed ':a;N;$!ba;s/\n//g'
# ... and squeeze runs of spaces to a single space
cat inhouse_release_perms.erb | /usr/local/Cellar/gnu-sed/4.2.2/bin/gsed ':a;N;$!ba;s/\n//g' | sed -E 's/ +/ /g'
# ... and replace " with \" so the result can be embedded as a JSON string value
cat inhouse_release_perms.erb | /usr/local/Cellar/gnu-sed/4.2.2/bin/gsed ':a;N;$!ba;s/\n//g' | sed -E 's/ +/ /g' | sed 's/"/\\"/g'
</syntaxhighlight>
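The escaping the section above builds up by hand, as an added example that is not from this page: one function for the private-key case (line breaks become the two characters `\n`), one for the flatten-a-template case, and one that emits a data bag item around the result. It goes one step beyond the page's pipeline by also escaping backslashes, which a plain newline join does not do and which would otherwise corrupt a value containing `\`. File names are parameters and the item layout (`id` plus one key) is an assumption.

```shell
#!/bin/sh
# Added example, not from the wiki page: the escaping the page builds up with
# gsed, written as reusable functions. It also escapes backslashes, which the
# page's raw "\n" join does not. File names are parameters; the data bag item
# layout is an assumption.

# Turn a multi-line file (e.g. a private key) into the body of a JSON string:
# backslashes -> \\, double quotes -> \", line breaks -> the two characters \n.
# Backslashes are escaped first so the \" and \n inserted later stay intact.
json_escape_file() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" \
    | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Flatten a JSON or ERB file to one line (the page's recipe): drop line breaks,
# squeeze runs of spaces to one, trim the trailing space, then escape for
# embedding in a JSON string.
flatten_json_file() {
  tr '\n' ' ' < "$1" | sed -E 's/ +/ /g; s/ $//; s/\\/\\\\/g; s/"/\\"/g'
}

# Emit a minimal data bag item {"id": ID, KEY: <escaped file>} ready for
# "knife data bag from file" or for pasting into the knife editor.
data_bag_item_json() {
  printf '{"id":"%s","%s":"%s"}\n' "$1" "$2" "$(json_escape_file "$3")"
}

# Usage: data_bag_item_json deploy private_key jenkins_id_rsa > private_key.json
#        flatten_json_file inhouse_release_perms.erb
```

Keep the key-file variant and the flatten variant separate: collapsing whitespace is harmless for a JSON template but silently breaks a PEM key, whose base64 body must keep its line structure when written back out.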