In order to use data bags with Chef Solo, you need the knife-solo_data_bag plugin maintained by Tommy Bishop, which lets you work with chef-solo and data bags. Once we have obtained the plugin, we need to install the rubygem in our existing environment and configure the knife-solo plugin.
gem install knife-solo_data_bag
Once installed, we can confirm that the knife solo data bag command options are available.
In this example, the chef-solo repository is located on a Windows operating system, so we will create the knife-solo (~/.chef/knife.rb) configuration file and include the application (Notepad++) to be used as the knife editor when creating encrypted data bag items.
Finally, we will update our chef-solo configuration file with the location of the data bag path to complete the configuration.
mkdir C:\chef-solo\.chef
mkdir C:\chef-solo\data_bags
echo knife[:editor] = '"C:\Program Files (x86)\Notepad++\notepad++.exe" -nosession -multiInst' > C:\chef-solo\.chef\knife.rb
echo data_bag_path File.join(chefsolo, 'data_bags') >> C:\chef-solo\solo.rb
In order to create an encrypted data bag we need to generate a shared secret (the secret key). In this example I generate the secret key using OpenSSL and write it to a file named secret_key.
openssl rand -base64 512 | tr -d '\r\n' > secret_key
Now that we have our secret key, we can create an encrypted data bag by invoking the following command, which creates the data bag ‘databag1’ with the item ‘databag1_passwords’.
knife solo data bag create databag1 databag1_passwords --secret-file secret_key -c C:\chef-solo\.chef\knife.rb
The application you configured as the knife editor will now open a generated JSON file:
{
  "id": "databag1_passwords"
}
We can now modify this file to include the items we wish to store in the data bag; in my example, a password value for both ‘service_account_1’ and ‘service_account_2’.
{
  "id": "databag1_passwords",
  "service_account_1": "ds879HBKJHBJH!*£",
  "service_account_2": "dasw87698KJBHB£*"
}
Once we have added the list of items and saved the file, close the text editor; the knife-solo plugin should then return a success message similar to ‘Created data_bag_item[databag1_passwords]’ to confirm the data bag item has been created successfully. Now let's check the content of the data bag item created in the chef-solo repository:
{
  "id": "databag1_passwords",
  "service_account_1": {
    "encrypted_data": "PCo7jiL8D4T+0EC5M1GvzqvNAIoVHtLF4i5M4VGtZjQYoV2KvFU6Qz3DgD1o\nvgug\n",
    "iv": "V8e9FY6EPlbMGSfBCkJgVQ==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "service_account_2": {
    "encrypted_data": "Eh2NdqY/tPNbEBe+Du1LQmz8LTvGjj0zAv6aWYUp60RCOA7jkDb0NV7DgL84\nCSpY\n",
    "iv": "11PLeX4rvTyotGUgYQhYRA==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}
So once we have created the encrypted data bag, how do we use this information? We can load the secret key and the item using the Chef::EncryptedDataBagItem class and assign the item value we require to a variable.
# Forward slashes avoid Ruby treating "\c" in a double-quoted Windows path as an escape sequence
secret_key = Chef::EncryptedDataBagItem.load_secret('C:/chef-solo/secret_key')
# Load and decrypt the item 'databag1_passwords' from the data bag 'databag1'
passwords = Chef::EncryptedDataBagItem.load('databag1', 'databag1_passwords', secret_key)
service_account_1_password = passwords['service_account_1']
All that is now required is to reference the variable in your attribute or recipe, for example by interpolating it into a string, as follows:
"#{service_account_1_password}"
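As an added example (not part of the original post and not Chef's own code), the following self-contained Ruby class re-implements the version 1 item format shown above, so you can see exactly what knife solo data bag wrote to the repository and what Chef::EncryptedDataBagItem.load undoes. It assumes the secret is the base64 text written by the openssl command above; the class and method names are my own, and the behaviour matches Chef's version 1 format as I know it (SHA-256 of the stripped secret as the AES key, a JSON wrapper around each value, base64 output).

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added illustration of the "version 1" encrypted data bag item shown above
# (aes-256-cbc, base64 fields, random IV per value). Not Chef's code; the
# real implementation is Chef::EncryptedDataBagItem.
class DataBagItemV1
  ALGORITHM = 'aes-256-cbc'
  class DecryptionFailure < StandardError; end
  # The secret is the base64 text produced by `openssl rand -base64 512 |
  # tr -d '\r\n'`; whitespace is stripped and the SHA-256 of the text is the
  # AES key, so a stray trailing newline in secret_key changes the key.
  def self.key_for(secret)
    OpenSSL::Digest.digest('SHA256', secret.strip)
  end
  # Encrypt one field value. The value is wrapped in {"json_wrapper": ...} so
  # that non-string values survive, and Base64.encode64 inserts the "\n"
  # line breaks visible in the item above.
  def self.encrypt_value(value, secret)
    cipher = OpenSSL::Cipher.new(ALGORITHM)
    cipher.encrypt
    cipher.key = key_for(secret)
    iv = cipher.random_iv
    data = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
    { 'encrypted_data' => Base64.encode64(data), 'iv' => Base64.encode64(iv),
      'version' => 1, 'cipher' => ALGORITHM }
  end
  def self.decrypt_value(field, secret)
    raise DecryptionFailure, 'unsupported format' unless field['version'] == 1 && field['cipher'] == ALGORITHM
    cipher = OpenSSL::Cipher.new(ALGORITHM)
    cipher.decrypt
    cipher.key = key_for(secret)
    cipher.iv = Base64.decode64(field['iv'])
    # Version 1 carries no MAC: a wrong secret or a corrupted field is only
    # noticed indirectly, as a CBC padding error or an unparsable wrapper.
    plaintext = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
    parsed = JSON.parse(plaintext)
    parsed.is_a?(Hash) ? parsed.fetch('json_wrapper') : raise(KeyError)
  rescue OpenSSL::Cipher::CipherError, JSON::JSONError, EncodingError, KeyError
    raise DecryptionFailure, 'wrong secret or corrupted item'
  end
  # Every field except "id" is encrypted, which is why the stored item keeps
  # a readable id next to two encrypted password fields.
  def self.encrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : encrypt_value(v, secret) }
  end
  def self.decrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_value(v, secret) }
  end
end
```

Running encrypt_item on the plaintext item above with the contents of secret_key produces a hash of the same shape as the stored item, and decrypt_item with a different secret raises DecryptionFailure rather than returning anything.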