private data in kitchen

Scott Cytacki

Jun 1, 2012, 1:12:21 PM
to littl...@googlegroups.com
Hi all,

Littlechef is great. We are using it to store our server configuration in git so we can track its changes, which I like better than chef server.

I'm curious what others do about private data. For example we are deploying servers to AWS and using their smtp service. It is recommended that our credentials for that service be kept private. So far we've been using a public github repo to hold our kitchen.

I'm considering 2 options for handling this:
- start storing our kitchen in a private github repo
- make a littlechef plugin to do some variable substitutions in the node and/or role definitions, and then have "deployers" store the secrets in a config file in their home folders.

Am I missing something? What do other people do?

I can see pluses and minuses for both options. I'm currently leaning towards the private repo to keep things simple. But that will make it harder to share our setup with other people.

Scott
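
The second option in the message above (placeholders in the node and role definitions, with the real values in a file in each deployer's home folder) could look like the following sketch. This is an added example, not code from the thread or from LittleChef: the `${secret:NAME}` syntax, the secrets file name and the function names are assumptions, and it is not wired into LittleChef's plugin interface.

```python
import json
import os
import re
import stat
import tempfile

# Hypothetical placeholder syntax for this sketch: ${secret:NAME}
PLACEHOLDER = re.compile(r"\$\{secret:([A-Za-z0-9_]+)\}")


def load_secrets(path):
    """Read a JSON secrets file, refusing one that group/other can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; expected 600")
    with open(path) as fh:
        return json.load(fh)


def substitute(value, secrets):
    """Recursively replace placeholders in a node/role structure.

    Raises KeyError for an unknown secret, so a deploy never ships a
    literal placeholder as a password.
    """
    if isinstance(value, dict):
        return {k: substitute(v, secrets) for k, v in value.items()}
    if isinstance(value, list):
        return [substitute(v, secrets) for v in value]
    if isinstance(value, str):
        return PLACEHOLDER.sub(lambda m: str(secrets[m.group(1)]), value)
    return value


if __name__ == "__main__":
    # Constructed sample: the node definition as committed to the public repo.
    node = {"run_list": ["recipe[postfix]"],
            "smtp": {"user": "${secret:SMTP_USER}",
                     "password": "${secret:SMTP_PASSWORD}"}}
    with tempfile.TemporaryDirectory() as home:
        # Constructed stand-in for a file in the deployer's home folder.
        path = os.path.join(home, "kitchen_secrets.json")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"SMTP_USER": "example-user",
                       "SMTP_PASSWORD": "example-password"}, fh)
        print(json.dumps(substitute(node, load_secrets(path)), indent=2))
```

The substituted structure exists only in memory on the deployer's machine; writing it back into the kitchen directory would put the plaintext where it can be committed.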

Miquel Torres

Jun 1, 2012, 2:59:56 PM
to littl...@googlegroups.com
Hi Scott,

the problem you have is bound to hit most chef repositories sooner or
later. We keep ours in a private Github repository, but even there it
is not always desirable to have all DB passwords in plaintext, for
example.

The normal Chef way of doing it is usually encrypted data bags. Chef
Solo supports it, but we would need to add support to LittleChef
itself.

I have created an issue for that so that anyone interested can follow
its development:
https://github.com/tobami/littlechef/issues/96

It should be quite easy. If nobody implements it in the next weeks we
intend to do that for use at edelight.

I think that would be the best solution for you, as it would allow you
to keep your kitchen repo open and still commit passwords and other
sensitive information to it. What do you think?

Cheers,
Miquel



Scott Cytacki

Jun 8, 2012, 10:05:07 AM
to littl...@googlegroups.com
Thanks for the response.

I've ended up making a private github repo just for our data_bags folder, and then including that as a submodule. So far this seems to be working out. If encrypted databags get added I might switch but it seems like it will add more overhead to the development process, so I might not.

Scott