
Gossip/TLS encryption node attributes still requires consul data_bag, encrypt item, secret #151

Closed
gwilton opened this issue Mar 21, 2015 · 3 comments

Comments


gwilton commented Mar 21, 2015

Setting the following consul attributes fails.

          "encrypt_enabled": true,
          "encrypt": "{{user `consul_encrypt`}}",
          "ca_file": "/etc/consul.d/ssl/ca.cert",
          "cert_file": "/etc/consul.d/ssl/consul.cert",
          "key_file": "/etc/consul.d/ssl/consul.key",
          "verify_incoming": true,
          "verify_outgoing": true,   

Chef::Exceptions::ValidationFailed

Data Bag Items must contain a Hash or Mash!

ArgumentError

No secret specified and no secret found at /etc/chef/encrypted_data_bag_secret

I had to create a "consul" data bag with an "encrypt" item.

cat data_bags/consul/encrypt.json 
{
  "id": "encrypt"
}

Also had to provide the secret file, which is kinda weird. The reason for using attributes is so I don't have to create a data bag. However, it seems one is required regardless. People might think that this type of data should be encrypted in a data bag. However, if I am using chef-solo from a packer template to create an image, then I can provide all this data from environment variables to packer.

@logankoester (Contributor)

I'm doing almost the same thing, and didn't have to create any data bags. The only difference is instead of setting the values of "ca_file", "cert_file" and "key_file" attributes to filesystem paths, I have set them to the contents of those files (as a string).
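Both posts above boil down to one question: do the `ca_file`, `cert_file` and `key_file` attributes carry a path, or the PEM text itself, and what does `encrypt` have to look like. The following is an added, stand-alone Ruby example written for this page; it is not the consul cookbook's code and does not use the Chef API. It accepts either form for the three TLS attributes (the path form from the first post, the inline-PEM form from the workaround), always hands Consul a path, writes any inline material with mode 0600 because the private key goes through the same code path, and checks that `encrypt` decodes to an AES-sized key (16, 24 or 32 bytes, base64) the way `consul keygen` output does. The `ssl_dir` layout and the helper names (`materialize`, `resolve_tls`, `valid_gossip_key?`) are assumptions made for the example.

```ruby
# Added example, not cookbook code: resolve Consul TLS attributes that may hold
# either a filesystem path or the PEM contents, and validate the gossip key.
require 'base64'
require 'fileutils'
require 'securerandom'
require 'tmpdir'

# memberlist accepts AES-128/192/256 keys; `consul keygen` emits one base64-encoded.
GOSSIP_KEY_SIZES = [16, 24, 32].freeze

# True when `key` is strict base64 for a 16/24/32-byte value.
def valid_gossip_key?(key)
  return false unless key.is_a?(String)
  GOSSIP_KEY_SIZES.include?(Base64.strict_decode64(key).bytesize)
rescue ArgumentError
  false
end

# Produce a key of the same shape as `consul keygen` (16 random bytes, base64).
def generate_gossip_key(bytes = 16)
  Base64.strict_encode64(SecureRandom.random_bytes(bytes))
end

PEM_HEADER = /\A-----BEGIN [A-Z ]+-----/

def pem_content?(value)
  value.is_a?(String) && value.lstrip.match?(PEM_HEADER)
end

# Return the path Consul should be pointed at. If `value` is PEM text it is
# written to `dest` (created 0600); if it is an existing file the path is used
# as given. Anything else is a misconfiguration and is rejected loudly rather
# than silently falling back to some other source of secrets.
def materialize(value, dest)
  if pem_content?(value)
    File.open(dest, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write(value) }
    dest
  elsif value.is_a?(String) && File.file?(value)
    value
  else
    raise ArgumentError, "#{dest}: expected PEM contents or an existing file, got #{value.inspect}"
  end
end

# `attrs` mirrors the attribute hash from the issue; `ssl_dir` is an assumed
# location such as /etc/consul.d/ssl. Returns the three paths for Consul's config.
def resolve_tls(attrs, ssl_dir)
  FileUtils.mkdir_p(ssl_dir, mode: 0700)
  {
    'ca_file'   => materialize(attrs['ca_file'],   File.join(ssl_dir, 'ca.cert')),
    'cert_file' => materialize(attrs['cert_file'], File.join(ssl_dir, 'consul.cert')),
    'key_file'  => materialize(attrs['key_file'],  File.join(ssl_dir, 'consul.key')),
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: inline PEM placeholders, as in the workaround post.
  pem = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
  key = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
  Dir.mktmpdir do |dir|
    paths = resolve_tls({ 'ca_file' => pem, 'cert_file' => pem, 'key_file' => key },
                        File.join(dir, 'ssl'))
    paths.each { |k, p| puts "#{k}: #{p} (mode #{'%o' % (File.stat(p).mode & 0777)})" }
  end
  puts "gossip key ok: #{valid_gossip_key?(generate_gossip_key)}"
end
```

The point of raising on an unrecognized value instead of reaching for a data bag is exactly the complaint in the first post: when the operator has supplied the material via attributes, nothing else should be consulted, and a typo in a path should fail the run rather than trigger a confusing `Data Bag Items must contain a Hash or Mash!`.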

@johnbellone (Contributor)

I am closing this out because of impending #126 landing on master. This will still require a chef-vault data bag for seeding the initial secrets.

lock bot commented Apr 25, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
