add remove_data_bags
halida committed Apr 2, 2015
1 parent 22b0f80 commit 7c76ad7
Showing 3 changed files with 20 additions and 0 deletions.
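--- a/README.md
+++ b/README.md
@@ -203,6 +203,14 @@ This will put the encrypted_data_bag_secret in `/etc/chef/encrypted_data_bag_sec
 Chef-solo will automatically use it wherever you use `Chef::EncryptedDataBagItem.load` in your recipes.
 It will also remove the `/etc/chef/encrypted_data_bag_secret` file from the node at the end of the run.
 
+If you are not comfortable about leaving data bags in the remote node, which will leak sensitive information, you can tell littlechef to delete them all at the end of the run:
+
+```ini
+[userinfo]
+remove_data_bags=true
+```
+
+
 ```ini
 [kitchen]
 autodeploy_chef=true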
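--- a/littlechef/chef.py
+++ b/littlechef/chef.py
@@ -394,11 +394,18 @@ def _remove_remote_node_data_bag():
 if exists(node_data_bag_path):
 sudo("rm -rf {0}".format(node_data_bag_path))
 
+def _remove_remote_data_bags():
+"""Remove remote data bags, so it won't leak any sensitive information"""
+data_bags_path = os.path.join(env.node_work_path, 'data_bags')
+if exists(data_bags_path):
+sudo("rm -rf {0}".format(data_bags_path))
 
 def _node_cleanup():
 if env.loglevel is not "debug":
 with hide('running', 'stdout'):
 _remove_remote_node_data_bag()
+if env.remove_data_bags:
+_remove_remote_data_bags()
 with settings(warn_only=True):
 sudo("rm '/etc/chef/node.json'")
 if env.encrypted_data_bag_secret: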
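Review bot: `sudo("rm -rf {0}".format(data_bags_path))` in the new `_remove_remote_data_bags` hands the path to the remote shell unquoted, so a `node_work_path` containing whitespace or shell metacharacters would make a root `rm -rf` act on something other than the data_bags directory; quote it as the node.json line below does, `sudo("rm -rf -- '{0}'".format(data_bags_path))`. The call added to `_node_cleanup` also looks like it sits under the `env.loglevel is not "debug"` branch (indentation is lost on this page, so this is inferred), in which case a debug-level run leaves the data bags on the node even with the option set; that limit belongs in the docstring or the README. `_node_cleanup` continues past the end of the hunk.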
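--- a/littlechef/runner.py
+++ b/littlechef/runner.py
@@ -444,6 +444,11 @@ def _readconfig():
 except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
 env.https_proxy = None
 
+try:
+env.remove_data_bags = config.get('userinfo', 'remove_data_bags')
+except ConfigParser.NoOptionError:
+env.remove_data_bags = None
+
 # Check for an encrypted_data_bag_secret file and set the env option
 try:
 env.encrypted_data_bag_secret = config.get('userinfo',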
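Review bot: `config.get('userinfo', 'remove_data_bags')` returns the raw string, so `remove_data_bags=false` (or `0`, `no`) is still truthy and the `if env.remove_data_bags:` check in chef.py deletes the data bags anyway; parse it with `env.remove_data_bags = config.getboolean('userinfo', 'remove_data_bags')`. The new `except` catches only `ConfigParser.NoOptionError`, while the https_proxy block just above also catches `NoSectionError`, so a config file without a `[userinfo]` section would raise here; `except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):` matches the neighbouring code. Defaulting to `False` instead of `None` would state the intent more plainly. `_readconfig` starts and ends outside the hunk.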
