Data bag encryption encrypts on Chef server, but how to encrypt local copy?


Problem description


I have a full Chef configuration set of roles, cookbooks, databags, etc., in a private git repository.

I see that I can use -


But I want to store those databags encrypted in the git repository as well.


The only thing that comes to mind is making a plaintext json file locally, uploading it to Chef with encryption, then taking the encrypted JSON from the Chef web page and pasting it into my repository copy.


Has anyone else solved this problem?

Recommended answer


I have the following bash script (called encrypted-databag.sh) in my chef working directory:

#!/bin/bash -e
# Usage: ./encrypted-databag.sh <show|edit|create> <bag> <item>
# Runs the knife data bag subcommand with the shared secret file and, after an
# edit, pulls the (still encrypted) item back into the local repository copy.

knife data bag "$1" "$2" "$3" --secret-file ~/.chef/encrypted_data_bag_secret
if [ "$1" == "edit" ] ; then
    knife data bag show "$2" "$3" -Fj > "./data_bags/$2/$3.json"
fi


It saves me typing every time I use knife to show me the encrypted data bag. And it automatically updates/saves it into the repository when I edit it.

Update, 30 August 2013


The drawback of the script above is that you edit your data bag straight on chef-server. But there is a problem when you are still working on some cookbook and haven't uploaded it, but the data bag is already there and is used by the older version of the cookbook. This way, when chef-client is run on some node, it may lead to some errors.


So I was thinking about editing the encrypted data bag locally, without chef-server, and then uploading the new version of it together with the new version of the cookbook (after the tests have passed). So here is the rake task I use now to edit encrypted data bags.

require 'chef'   # provides Chef::EncryptedDataBagItem and Chef::JSONCompat

namespace 'databag' do
  desc 'Edit encrypted databag item.'
  task :edit, [:databag, :item, :secret_file] do |t, args|
    args.with_defaults :secret_file => "#{ENV['HOME']}/.chef/encrypted_data_bag_secret"
    secret = Chef::EncryptedDataBagItem.load_secret args.secret_file
    item_file = "data_bags/#{args.databag}/#{args.item}.json"
    tmp_item_file = "/tmp/#{args.databag}_#{args.item}.json"
    begin
      # decrypt data bag into tmp file (created with mode 0600: it holds the plaintext secrets)
      raw_hash = Chef::JSONCompat.from_json IO.read item_file
      databag_item = Chef::EncryptedDataBagItem.new raw_hash, secret
      IO.write tmp_item_file, Chef::JSONCompat.to_json_pretty( databag_item.to_hash ), :perm => 0600
      # edit tmp file (fall back to vi when $EDITOR is not set)
      sh "#{ENV.fetch('EDITOR', 'vi')} #{tmp_item_file}"
      # encrypt tmp file data bag into original file ("id" stays plaintext, every other field is encrypted)
      raw_hash = Chef::JSONCompat.from_json IO.read tmp_item_file
      databag_item = Chef::EncryptedDataBagItem.encrypt_data_bag_item raw_hash, secret
      IO.write item_file, Chef::JSONCompat.to_json_pretty( databag_item )
    ensure
      # ensure tmp file deleted; it may not exist if reading or decrypting the item failed
      ::File.delete tmp_item_file if ::File.exist? tmp_item_file
    end
  end
end


Now, to edit an encrypted data bag, I use:

rake databag:edit[my_databag,item_in_databag]
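The local encrypt/decrypt round trip that the rake task delegates to the chef gem, written out as an added example in plain Ruby with OpenSSL (this is not the answer's own code): the field layout follows Chef's version 1 encrypted data bag format as I understand it (an assumption), the secret and item values are constructed, and a pre-commit check verifies that no plaintext value survives in the file that goes into git.

```ruby
require 'openssl'
require 'digest'
require 'base64'
require 'json'

# Constructed demo secret. In practice this is the content of
# ~/.chef/encrypted_data_bag_secret, which must never be committed to git.
SECRET = 'constructed-demo-secret-do-not-reuse'

# AES key = SHA-256 of the secret (assumption: models Chef's version 1 format).
def derive_key(secret)
  Digest::SHA256.digest(secret.strip)
end

# Encrypt one field value: AES-256-CBC with a fresh random IV per value.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  wrapped = JSON.generate('json_wrapper' => value)
  ciphertext = cipher.update(wrapped) + cipher.final
  { 'encrypted_data' => Base64.encode64(ciphertext), 'iv' => Base64.encode64(iv),
    'version' => 1, 'cipher' => 'aes-256-cbc' }
end

# Reverse of encrypt_value; a wrong secret fails in decipher.final or JSON.parse.
def decrypt_value(enc, secret)
  decipher = OpenSSL::Cipher.new(enc.fetch('cipher')).decrypt
  decipher.key = derive_key(secret)
  decipher.iv = Base64.decode64(enc.fetch('iv'))
  plain = decipher.update(Base64.decode64(enc.fetch('encrypted_data'))) + decipher.final
  JSON.parse(plain).fetch('json_wrapper')
end

# Every field except "id" is encrypted separately; "id" stays in the clear so
# the item can still be addressed as data_bags/<bag>/<id>.json.
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : encrypt_value(v, secret) }
end

def decrypt_item(enc_item, secret)
  enc_item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_value(v, secret) }
end

# Pre-commit check: none of the plaintext values may appear in the file that goes into git.
def plaintext_leaked?(enc_item, plain_item)
  blob = JSON.generate(enc_item)
  plain_item.reject { |k, _| k == 'id' }.values.any? { |v| blob.include?(v.to_json) }
end
```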
