Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Gossip/TLS encryption node attributes still requires consul data_bag, encrypt item, secret #151

Closed
gwilton opened this Issue Mar 21, 2015 · 2 comments

Comments

Projects
None yet
3 participants
@gwilton
Copy link

gwilton commented Mar 21, 2015

Setting the following consul attributes fails.

          "encrypt_enabled": true,
          "encrypt": "{{user `consul_encrypt`}}",
          "ca_file": "/etc/consul.d/ssl/ca.cert",
          "cert_file": "/etc/consul.d/ssl/consul.cert",
          "key_file": "/etc/consul.d/ssl/consul.key",
          "verify_incoming": true,
          "verify_outgoing": true,   

Chef::Exceptions::ValidationFailed

Data Bag Items must contain a Hash or Mash!

ArgumentError

No secret specified and no secret found at /etc/chef/encrypted_data_bag_secret

I had to create a "consul" databag with a "encrypt" item.

cat data_bags/consul/encrypt.json 
{
  "id": "encrypt"
}

Also had to provide the secret file. Which is kinda weird. The reason for using attributes is so i don't have to create a databag. However, it seems one is required regardless. People might think that this type of data should be encrypted in a databag. However, if i am using chef-solo from a packer template to create a image then I can provide all this data from environment variables to packer.

@logankoester

This comment has been minimized.

Copy link
Contributor

logankoester commented Apr 9, 2015

I'm doing almost the same thing, and didn't have to create any data bags. The only difference is instead of setting the values of "ca_file", "cert_file" and "key_file" attributes to filesystem paths, I have set them to the contents of those files (as a string).

@johnbellone

This comment has been minimized.

Copy link
Contributor

johnbellone commented Jun 16, 2015

I am closing this out because of impeding #126 landing on master. This will still require a chef-vault data bag for seeding the initial secrets.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.