KNIFE-494 add options for secret and secret_file to support encrypted data bags #113
Merged
merged 2 commits into from
Jun 24, 2014
36 changes: 36 additions & 0 deletions lib/chef/knife/openstack_server_create.rb
Expand Up @@ -98,6 +98,16 @@ class OpenstackServerCreate < Knife
:boolean => true,
:default => false

option :secret,
:long => "--secret SECRET",
:description => "The secret key to use to encrypt data bag item values",
:proc => Proc.new { |s| Chef::Config[:knife][:secret] = s }

option :secret_file,
:long => "--secret-file SECRET_FILE",
:description => "A file containing the secret key to use to encrypt data bag item values",
:proc => Proc.new { |sf| Chef::Config[:knife][:secret_file] = sf }

option :ssh_key_name,
:short => "-S KEY",
:long => "--ssh-key KEY",
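Review bot: Nothing in this hunk stops a user from passing both `--secret` and `--secret-file`, and the two `:proc` blocks each silently write their value into `Chef::Config[:knife]`, so whichever option is parsed last wins without any message. Suggest rejecting the combination in `validate!` (or documenting the precedence in the descriptions). Separately, `--secret SECRET` puts the raw key on the command line, where it is visible in process listings and shell history on the workstation; the `:description` for `--secret-file` could say that it is the preferred way to supply the key, matching the advice the warning text in this same change gives.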
Expand Down Expand Up @@ -249,6 +259,7 @@ def run
$stdout.sync = true

validate!
warn_chef_config_secret_key
if locate_config_value(:bootstrap_protocol) == 'winrm'
load_winrm_deps
else
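Review bot: The name `warn_chef_config_secret_key` does not match what the method checks (`Chef::Config[:encrypted_data_bag_secret]`, not a `secret_key` setting); renaming it to something like `warn_deprecated_encrypted_data_bag_secret` would make the call site self-explanatory. Placing the call after `validate!` is fine, but note that it fires on every run where the deprecated entry exists, even when the user has already supplied `--secret` or `--secret-file` on this command.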
Expand Down Expand Up @@ -437,6 +448,8 @@ def bootstrap_common_params(bootstrap, server_name)
bootstrap.config[:environment] = config[:environment]
bootstrap.config[:encrypted_data_bag_secret] = config[:encrypted_data_bag_secret]
bootstrap.config[:encrypted_data_bag_secret_file] = config[:encrypted_data_bag_secret_file]
bootstrap.config[:secret] = config[:secret]
bootstrap.config[:secret_file] = config[:secret_file]
# let ohai know we're using OpenStack
Chef::Config[:knife][:hints] ||= {}
Chef::Config[:knife][:hints]['openstack'] ||= {}
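Review bot: These two lines read `config[:secret]` and `config[:secret_file]`, while the option procs in this change write to `Chef::Config[:knife][:secret]` / `[:secret_file]` and the warning text recommends setting `knife[:secret_file]` in `knife.rb`. Elsewhere in this file the knife.rb fallback is read through `locate_config_value` (see `locate_config_value(:bootstrap_protocol)` in the `run` hunk), so either use `locate_config_value(:secret)` / `locate_config_value(:secret_file)` here or add a spec showing that a `knife.rb`-only setting actually reaches `bootstrap.config`. Also, both the deprecated `encrypted_data_bag_secret*` keys and the new `secret*` keys are now forwarded to the bootstrap; which one the bootstrap honours when both are set is not visible here and deserves a comment.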
Expand Down Expand Up @@ -512,6 +525,29 @@ def get_node_name(chef_node_name)
# lazy uuids
chef_node_name = "os-" + rand.to_s.split('.')[1]
end

# warn on using secret_key in knife.rb
def warn_chef_config_secret_key
unless Chef::Config[:encrypted_data_bag_secret].nil?
ui.warn "* " * 40
ui.warn(<<-WARNING)
Specifying the encrypted data bag secret key using an 'encrypted_data_bag_secret'
entry in 'knife.rb' is deprecated. Please see CHEF-4011 for more details. You
can suppress this warning and still distribute the secret key to all bootstrapped
machines by adding the following to your 'knife.rb' file:

knife[:secret_file] = "/path/to/your/secret"

If you would like to selectively distribute a secret key during bootstrap
please use the '--secret' or '--secret-file' options of this command instead.

#{ui.color('IMPORTANT:', :red, :bold)} In a future version of Chef, this
behavior will be removed and any 'encrypted_data_bag_secret' entries in
'knife.rb' will be ignored completely.
WARNING
ui.warn "* " * 40
end
end
end
end
end
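Review bot: The guard `unless Chef::Config[:encrypted_data_bag_secret].nil?` contradicts the message it prints: the text says the warning can be suppressed "by adding knife[:secret_file] = ..." to `knife.rb`, but adding that key does nothing to the condition, so the warning keeps firing until the deprecated entry is also removed. Either extend the condition (for example `unless Chef::Config[:encrypted_data_bag_secret].nil? || Chef::Config[:knife][:secret_file]`) or reword the message to say the deprecated entry must be removed. The `* " * 40` banner lines and the heredoc are fine, but this change touches only `openstack_server_create.rb` and adds no spec for the new options or for the warning path; a test that sets the deprecated key and asserts on `ui.warn` would catch the mismatch above.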