Chef data bags

A data bag is a global variable that is stored in JSON data and accessible from the chef server. A data bag is indexed for searching and can be loaded by a recipe or accessed during a search.

Types of data stored in a data bag:

*Users to be added to a system Admins to be added to a system

*API/DB credential (more secure and better than environment attributes for credentials) Much more

Create an encrypt/decrypt key

#openssl rand -base64 512 > /opt/chef-repo/.chef/encrypted_data_bag_secret

Create New “data bag” Named “data”

# knife data bag create data

Created data_bag[data]

Create a New Json With Information That we Want Encrypted

This will be stored inside the “data bag” named “data”

This will use the “key” you created earlier to encrypt

We will store this as “pass.json”

#knife data bag create data pass.json --secret-file /opt/chef-repo/.chef/encrypted_data_bag_secret

* This will prompt open an editor to add items to json

{ "id": "pass.json",

"user": "zippy"

"password": "password123"

}

Created data_bag_item[pass.json]

Confirm that the pass.json file was created

It should output pass.json. To ensure that is it encrypted, run

# knife data bag show data pass.json

WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted 

data.

id: pass.json

password:

 auth_tag: vi+6WNJ3JREZkGbcYXEi6Q==

 cipher: aes-256-gcm

 encrypted_data: 8y2zC5h9uqe0cpfMSFID3ncBPn/Lxdt8LMqHkEfs

 iv: Ni/HeSuuwnmoDuOq

 version: 3

user:

 auth_tag: W0birb2FwJOZI6EaCRD+WQ==

 cipher: aes-256-gcm

 encrypted_data: 0WdOZSf28XJptddBgBY+ANkuwg4TinAx

 iv: SOLoBHS1xgnWExxb

 version: 3

Now Create a Cookbook And Simple Recipe And Template File That Will Utilize This Encrypted “Data Bag”

Generate a cookbook for databag

# chef generate cookbook databag_sample

Generating cookbook databag_sample

- Ensuring correct cookbook file content

- Ensuring delivery configuration

- Ensuring correct delivery build cookbook content

Your cookbook is ready. Type `cd databag_sample` to enter it.

There are several commands you can run to get started locally developing and testing your cookbook.

Type `delivery local --help` to see a full list.

Why not start by writing a test? Tests for the default recipe are stored at:

test/integration/default/default_test.rb

If you'd prefer to dive right in, the default recipe can be found at:

recipes/default.rb

#ls

Berksfile CHANGELOG.md chefignore LICENSE metadata.rb README.md recipes spec test

Create a template databag.erb in the cookbook

# chef generate template databag

Recipe: code_generator::template

 * directory[/opt/chef-repo/cookbooks/databag_sample/templates] action create

 - create new directory /opt/chef-repo/cookbooks/databag_sample/templates

 * template[/opt/chef-repo/cookbooks/databag_sample/templates/databag.erb] action create

 - create new file /opt/chef-repo/cookbooks/databag_sample/templates/databag.erb

 - update content in file /opt/chef-repo/cookbooks/databag_sample/templates/databag.erb from 

none to e3b0c4

 (diff output suppressed by config)

Create a simple receipe

#vi recipes/default.rb

# Cookbook:: databag_sample

# Recipe:: default

#

# Copyright:: 2019, The Authors, All Rights Reserved.

# This is where you will store a copy of your key on the chef-client

secret = Chef::EncryptedDataBagItem.load_secret("/etc/chef/encrypted_data_bag_secret")

# This decrypts the data bag contents of "mysecrets->marioworld" and uses the key defined at 

variable "secret"

zippy_keys = Chef::EncryptedDataBagItem.load("data", "pass.json", secret)

template "/tmp/databag" do

 variables(:mypass => zippy_keys['password'],:myuser => zippy_keys['user'])

 owner "root"

 mode "0644"

 source "databag.erb"

end

Create the template databag.erb

# vi databag.erb

Username: <%= @myuser %>

Password: <%= @mypass %>

COPY YOUR “KEY” TO THE NODE

# scp /opt/chef-repo/.chef/encrypted_data_bag_secret 

[email protected]'s password:

encrypted_data_bag_secret 


UPLOAD THE COOKBOOK AND ADD THE RECIPE TO A NODE AND RUN CHEF-CLIENT

#knife cookbook upload databag_sample

Uploading databag_sample [0.1.0]

Uploaded 1 cookbook.

[root@chefserver cookbooks]# knife node run_list add node1.zippyops.com "recipe[databag_sample]"

node1.zippyops.com:

 run_list:

 recipe[databag_sample]

#chef-client

Starting Chef Client, version 14.14.25

resolving cookbooks for run list: ["databag_sample"]

Synchronizing Cookbooks:

 - databag_sample (0.1.0)

Installing Cookbook Gems:

Compiling Cookbooks...

Converging 1 resources

Recipe: databag_sample::default

 * template[/tmp/databag] action create

 - create new file /tmp/databag

 - update content in file /tmp/databag from none to 63256a

 --- /tmp/databag 2019-10-22 08:59:44.587759378 -0400

 +++ /tmp/.chef-databag20191022-24202-1dpgsxx 2019-10-22 08:59:44.587759378 -0400

 @@ -1 +1,3 @@

 +Username: zippy

 +Password: password123

 - change mode from '' to '0644'

 - change owner from '' to 'root'

Running handlers:

Running handlers complete

Chef Client finished, 1/1 resources updated in 06 seconds

Verify The Contents Of The New File Created At /tmp/databag in Node 

# cat /tmp/databag

Username: zippy

Recent Comments

No comments

Leave a Comment