
cloud-init-dev team mailing list archive

[Merge] ~eric-canonical/cloud-init:encrypted-data-bag-secret-chef into cloud-init:master


Eric Williams has proposed merging ~eric-canonical/cloud-init:encrypted-data-bag-secret-chef into cloud-init:master.

Commit message:
Enable encrypted_data_bag_secret support for Chef

(Resubmitting after failed test)

Encrypted data bags require a secrets file to be present to decrypt,
and the location of the file must be configured in the Chef client configuration
file, client.rb.

This update enables cloud-init's chef module to update that setting in client.rb.

LP:1817082

Requested reviews:
  cloud-init commiters (cloud-init-dev)

For more details, see:
https://code.launchpad.net/~eric-canonical/cloud-init/+git/cloud-init/+merge/363567
-- 
Your team cloud-init commiters is requested to review the proposed merge of ~eric-canonical/cloud-init:encrypted-data-bag-secret-chef into cloud-init:master.
diff --git a/cloudinit/config/cc_chef.py b/cloudinit/config/cc_chef.py
index 46abedd..a624030 100644
--- a/cloudinit/config/cc_chef.py
+++ b/cloudinit/config/cc_chef.py
@@ -51,6 +51,7 @@ file).
 
     chef:
       client_key:
+      encrypted_data_bag_secret:
       environment:
       file_backup_path:
       file_cache_path:
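Review bot: the module docstring gains the bare key name `encrypted_data_bag_secret:` with nothing saying that its value is the path to the secret file used to decrypt encrypted data bags, whereas the example in doc/examples/cloud-config-chef.txt does explain it. A short phrase here (or a pointer to the example) would save a reader guessing whether the value is the secret itself or a path; placement between `client_key:` and `environment:` keeps the list alphabetical, which is fine.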
@@ -114,6 +115,7 @@ CHEF_RB_TPL_DEFAULTS = {
     'file_backup_path': "/var/backups/chef",
     'pid_file': "/var/run/chef/client.pid",
     'show_time': True,
+    'encrypted_data_bag_secret': None,
 }
 CHEF_RB_TPL_BOOL_KEYS = frozenset(['show_time'])
 CHEF_RB_TPL_PATH_KEYS = frozenset([
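Review bot: `'encrypted_data_bag_secret': None` is appended after `'show_time': True` rather than next to the other path-valued defaults such as `'file_backup_path'` and `'pid_file'`; moving it up keeps those entries together. The `None` default itself is the right choice: CHEF_RB_TPL_KEYS is built from CHEF_RB_TPL_DEFAULTS (see the lines that follow), so the key becomes an accepted config key, and with the `{% if encrypted_data_bag_secret %}` guard in the template a `None` value renders no line, leaving Chef's own default behaviour untouched when the user sets nothing.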
@@ -124,6 +126,7 @@ CHEF_RB_TPL_PATH_KEYS = frozenset([
     'json_attribs',
     'file_cache_path',
     'pid_file',
+    'encrypted_data_bag_secret',
 ])
 CHEF_RB_TPL_KEYS = list(CHEF_RB_TPL_DEFAULTS.keys())
 CHEF_RB_TPL_KEYS.extend(CHEF_RB_TPL_BOOL_KEYS)
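Review bot: adding `'encrypted_data_bag_secret'` to CHEF_RB_TPL_PATH_KEYS gives it whatever handling the module applies to the other path keys (only the set membership is visible in this hunk), so confirm that handling is appropriate for a file the user must deliver separately: this change writes the path into client.rb but nothing in it creates the secret file, checks that it exists, or sets its permissions. If the path-key handling creates parent directories, that is harmless; if it does anything more, a missing or world-readable secret at that path is worth a log message rather than silent acceptance.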
diff --git a/doc/examples/cloud-config-chef.txt b/doc/examples/cloud-config-chef.txt
index defc5a5..2320e01 100644
--- a/doc/examples/cloud-config-chef.txt
+++ b/doc/examples/cloud-config-chef.txt
@@ -98,6 +98,9 @@ chef:
  # to the install script
  omnibus_version: "12.3.0"
 
+ # If encrypted data bags are used, the client needs to have a secrets file
+ # configured to decrypt them
+ encrypted_data_bag_secret: "/etc/chef/encrypted_data_bag_secret"
 
 # Capture all subprocess output into a logfile
 # Useful for troubleshooting cloud-init issues
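Review bot: the example comment should state that cloud-init only records the path and does not create the secret file, so the user has to provision `/etc/chef/encrypted_data_bag_secret` themselves (for instance with the write_files module) with restrictive permissions and ownership matching the chef client, since the file decrypts every encrypted data bag the node can read. Something like "cloud-init does not create this file; provide it separately and keep it readable only by the chef client" after the existing two comment lines would cover it.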
diff --git a/templates/chef_client.rb.tmpl b/templates/chef_client.rb.tmpl
index cbb6b15..99978d3 100644
--- a/templates/chef_client.rb.tmpl
+++ b/templates/chef_client.rb.tmpl
@@ -1,6 +1,6 @@
 ## template:jinja
 {#
-This file is only utilized if the module 'cc_chef' is enabled in 
+This file is only utilized if the module 'cc_chef' is enabled in
 cloud-config. Specifically, in order to enable it
 you need to add the following to config:
   chef:
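Review bot: this hunk only removes trailing whitespace from the template comment and has no functional effect; harmless, but unrelated whitespace cleanup is better kept out of a feature commit, or at least mentioned in the commit message, so reviewers do not go looking for a behavioural difference in it.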
@@ -56,3 +56,6 @@ pid_file               "{{pid_file}}"
 {% if show_time %}
 Chef::Log::Formatter.show_time = true
 {% endif %}
+{% if encrypted_data_bag_secret %}
+encrypted_data_bag_secret "{{encrypted_data_bag_secret}}"
+{% endif %}
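Review bot: the new `encrypted_data_bag_secret "{{encrypted_data_bag_secret}}"` line is not column-aligned like the settings above it (compare `pid_file               "{{pid_file}}"` in the hunk header), so pad it to match the template's existing layout. Wrapping the line in `{% if encrypted_data_bag_secret %}` ... `{% endif %}`, mirroring the `show_time` block just above, is the right approach: it keeps the setting out of client.rb entirely when the default `None` is in effect instead of emitting an empty path.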
diff --git a/tests/unittests/test_handler/test_handler_chef.py b/tests/unittests/test_handler/test_handler_chef.py
index b16532e..f431126 100644
--- a/tests/unittests/test_handler/test_handler_chef.py
+++ b/tests/unittests/test_handler/test_handler_chef.py
@@ -145,6 +145,7 @@ class TestChef(FilesystemMockingTestCase):
         file_backup_path       "/var/backups/chef"
         pid_file               "/var/run/chef/client.pid"
         Chef::Log::Formatter.show_time = true
+        encrypted_data_bag_secret  "/etc/chef/encrypted_data_bag_secret"
         """
         tpl_file = util.load_file('templates/chef_client.rb.tmpl')
         self.patchUtils(self.tmp)
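Review bot: the expected line `encrypted_data_bag_secret  "/etc/chef/encrypted_data_bag_secret"` has two spaces between key and value, while the template hunk emits a single space (`encrypted_data_bag_secret "{{encrypted_data_bag_secret}}"`). Whether that passes depends on how the test compares the rendered file, which is not visible here, but the expected text should match the template output exactly, especially given the "Resubmitting after failed test" note in the commit message; whichever spacing is chosen for the template, use the same here.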
@@ -157,6 +158,8 @@ class TestChef(FilesystemMockingTestCase):
                 'validation_name': 'bob',
                 'validation_key': "/etc/chef/vkey.pem",
                 'validation_cert': "this is my cert",
+                'encrypted_data_bag_secret':
+                    '/etc/chef/encrypted_data_bag_secret'
             },
         }
         cc_chef.handle('chef', cfg, self.fetch_cloud('ubuntu'), LOG, [])
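Review bot: this only exercises the positive case, where `encrypted_data_bag_secret` is set in the config; add a check for the default case as well, asserting that a config without the key produces a client.rb with no `encrypted_data_bag_secret` line, since that is the behaviour the `None` default and the template's `{% if %}` guard are meant to provide and it is what existing users will hit after upgrading.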