Chef data bags
A data bag is a global variable that is stored as JSON and accessible from the Chef server. A data bag is indexed for searching and can be loaded by a recipe or accessed during a search.
Types of data stored in a data bag:
* Users to be added to a system
* Admins to be added to a system
* API/DB credentials (more secure and better than environment attributes for credentials)
* Much more
Create an encrypt/decrypt key
#openssl rand -base64 512 > /opt/chef-repo/.chef/encrypted_data_bag_secret
Create New “data bag” Named “data”
# knife data bag create data
Created data_bag[data]
Create a New JSON With Information That we Want Encrypted
This will be stored inside the “data bag” named “data”
This will use the “key” you created earlier to encrypt
We will store this as “pass.json”
# knife data bag create data pass.json --secret-file /opt/chef-repo/.chef/encrypted_data_bag_secret
* This will open an editor to add items to the JSON
{
  "id": "pass.json",
  "user": "zippy",
  "password": "password123"
}
Created data_bag_item[pass.json]
Confirm that the pass.json item was created
# knife data bag show data
pass.json
It should output pass.json. To ensure that it is encrypted, run
# knife data bag show data pass.json
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
id: pass.json
password:
auth_tag: vi+6WNJ3JREZkGbcYXEi6Q==
cipher: aes-256-gcm
encrypted_data: 8y2zC5h9uqe0cpfMSFID3ncBPn/Lxdt8LMqHkEfs
iv: Ni/HeSuuwnmoDuOq
version: 3
user:
auth_tag: W0birb2FwJOZI6EaCRD+WQ==
cipher: aes-256-gcm
encrypted_data: 0WdOZSf28XJptddBgBY+ANkuwg4TinAx
iv: SOLoBHS1xgnWExxb
version: 3
Now Create a Cookbook And Simple Recipe And Template File That Will Utilize This Encrypted “Data Bag”
Generate a cookbook for the data bag
# chef generate cookbook databag_sample
Generating cookbook databag_sample
- Ensuring correct cookbook file content
- Ensuring delivery configuration
- Ensuring correct delivery build cookbook content
Your cookbook is ready. Type `cd databag_sample` to enter it.
There are several commands you can run to get started locally developing and testing your cookbook.
Type `delivery local --help` to see a full list.
Why not start by writing a test? Tests for the default recipe are stored at:
test/integration/default/default_test.rb
If you'd prefer to dive right in, the default recipe can be found at:
recipes/default.rb
#ls
Berksfile CHANGELOG.md chefignore LICENSE metadata.rb README.md recipes spec test
Create a template databag.erb in the cookbook
# chef generate template databag
Recipe: code_generator::template
* directory[/opt/chef-repo/cookbooks/databag_sample/templates] action create
- create new directory /opt/chef-repo/cookbooks/databag_sample/templates
* template[/opt/chef-repo/cookbooks/databag_sample/templates/databag.erb] action create
- create new file /opt/chef-repo/cookbooks/databag_sample/templates/databag.erb
- update content in file /opt/chef-repo/cookbooks/databag_sample/templates/databag.erb from none to e3b0c4
(diff output suppressed by config)
Create a simple recipe
# vi recipes/default.rb
# Cookbook:: databag_sample
# Recipe:: default
#
# Copyright:: 2019, The Authors, All Rights Reserved.
# This is where you will store a copy of your key on the chef-client
secret = Chef::EncryptedDataBagItem.load_secret("/etc/chef/encrypted_data_bag_secret")
# This decrypts the item "pass.json" in the data bag "data" using the key held in the
# variable "secret"
zippy_keys = Chef::EncryptedDataBagItem.load("data", "pass.json", secret)
template "/tmp/databag" do
  variables(:mypass => zippy_keys['password'], :myuser => zippy_keys['user'])
  owner "root"
  # 0644 leaves the rendered password readable by every local user; use 0600 outside a demo
  mode "0644"
  source "databag.erb"
end
Create the template databag.erb
# vi databag.erb
Username: <%= @myuser %>
Password: <%= @mypass %>
COPY YOUR “KEY” TO THE NODE
# scp /opt/chef-repo/.chef/encrypted_data_bag_secret [email protected]:/etc/chef/
[email protected]'s password:
encrypted_data_bag_secret
UPLOAD THE COOKBOOK AND ADD THE RECIPE TO A NODE AND RUN CHEF-CLIENT
#knife cookbook upload databag_sample
Uploading databag_sample [0.1.0]
Uploaded 1 cookbook.
[root@chefserver cookbooks]# knife node run_list add node1.zippyops.com "recipe[databag_sample]"
node1.zippyops.com:
run_list:
recipe[databag_sample]
#chef-client
Starting Chef Client, version 14.14.25
resolving cookbooks for run list: ["databag_sample"]
Synchronizing Cookbooks:
- databag_sample (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 1 resources
Recipe: databag_sample::default
* template[/tmp/databag] action create
- create new file /tmp/databag
- update content in file /tmp/databag from none to 63256a
--- /tmp/databag 2019-10-22 08:59:44.587759378 -0400
+++ /tmp/.chef-databag20191022-24202-1dpgsxx 2019-10-22 08:59:44.587759378 -0400
@@ -1 +1,3 @@
+Username: zippy
+Password: password123
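Review bot: the rendered diff above (`+Password: password123`) writes the decrypted secret into the chef-client output, so anything that captures that log now holds the credential; marking the template resource with `sensitive true` makes chef-client suppress the content diff for that resource while still converging it.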
- change mode from '' to '0644'
- change owner from '' to 'root'
Running handlers:
Running handlers complete
Chef Client finished, 1/1 resources updated in 06 seconds
Verify The Contents Of The New File Created At /tmp/databag in Node
# cat /tmp/databag
Username: zippy
Password: password123
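To show what knife actually stored for each field above (auth_tag, cipher, encrypted_data, iv, version 3), here is an added example that is not Chef's own code: it encrypts and decrypts a data bag item with the same field layout, modelled on Chef's version-3 format (AES-256-GCM keyed with the SHA-256 digest of the secret file's contents, a JSON wrapper around each value); that it interoperates byte-for-byte with a real Chef item is an assumption, the round trip and the tamper detection are not. The secret and item values are constructed for the demo.

```ruby
require "openssl"
require "digest"
require "json"
# Added example, not Chef's code: one encrypted field looks like the knife output above.
# Modelled on Chef's version-3 item format; exact interoperability is an assumption.
CIPHER = "aes-256-gcm".freeze
# The AES key is the SHA-256 digest of the shared secret file's contents.
def databag_key(secret)
  Digest::SHA256.digest(secret)
end
# Encrypts a single field value; returns the hash knife shows for that field.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = databag_key(secret)
  iv = cipher.random_iv             # 12 random bytes, fresh for every field
  cipher.auth_data = ""
  # Wrap the value in a JSON object so strings, arrays and hashes all round-trip.
  ciphertext = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
  { "encrypted_data" => [ciphertext].pack("m0"), "iv" => [iv].pack("m0"),
    "auth_tag" => [cipher.auth_tag].pack("m0"), "version" => 3, "cipher" => CIPHER }
end
# Decrypts one field. GCM raises OpenSSL::Cipher::CipherError when the secret is
# wrong or the ciphertext, IV or tag was modified, so no garbage is ever returned.
def decrypt_field(field, secret)
  raise ArgumentError, "unsupported version #{field['version']}" unless field["version"] == 3
  cipher = OpenSSL::Cipher.new(field["cipher"]).decrypt
  cipher.key = databag_key(secret)
  cipher.iv = field["iv"].unpack1("m0")
  cipher.auth_tag = field["auth_tag"].unpack1("m0")
  cipher.auth_data = ""
  plaintext = cipher.update(field["encrypted_data"].unpack1("m0")) + cipher.final
  JSON.parse(plaintext)["json_wrapper"]
end
# Every field except "id" is encrypted, exactly as in the pass.json item above.
def encrypt_item(item, secret)
  item.to_h { |k, v| [k, k == "id" ? v : encrypt_field(v, secret)] }
end
def decrypt_item(item, secret)
  item.to_h { |k, v| [k, k == "id" ? v : decrypt_field(v, secret)] }
end
# True when decryption is rejected (wrong key or tampering), false when it succeeds.
def rejected?(field, secret)
  decrypt_field(field, secret)
  false
rescue OpenSSL::Cipher::CipherError
  true
end
```

Because every field gets its own IV, encrypting the same item twice yields different `encrypted_data` values, which is why two identical passwords in a bag do not reveal themselves as identical.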