Closed vinyar closed 8 years ago
Good points. We'll add it to the triage.
hey @vinyar, the recent refactor of this cookbook into a resource/provider ( https://github.com/chef-cookbooks/supermarket-omnibus-cookbook/pull/22 ) was done with the intention of preventing the scenario you described.
Without trying to be opinionated about which secrets management tool is used, what else would you want this cookbook to do?
I was thinking of simply adding a supermarket['secret key'] or supermarket['vault_bag'] or something similar. If the attribute is defined, use that to obtain a secret; if not, proceed as is.
A simple mechanism that won't force users down a specific path the way timberman's chef-server cookbook does :trollface:
I quite like the move towards "bring your own secrets providers" approaches using resources. Encrypted data bags and/or chef-vault are not the solution for everyone, but it would be impractical to also build in support for, say, Keywhiz, etcd, and Hashicorp Vault, not to mention whatever new secret management tool is announced tomorrow.
Closing this for now, feel free to re-open if you feel further discussion is required.
Note: I understand that supermarket is still alpha
Bug: With GitHub / source control underpinning and chef-server history retention, checking in a wrapper cookbook with secrets as node attributes is not the best practice.
Solution: Add chef-vault or encrypted db support as an option
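Added example (not code from supermarket-omnibus-cookbook or its author): a small Ruby model of the "if the attribute is defined, use it to obtain the secret, otherwise proceed as is" mechanism proposed in the comments and the issue body. The attribute names (vault_bag, vault_item, secret_key_base), the resolver class and the in-memory vault are assumptions for this example; with real chef-vault the lookup callable would be ChefVault::Item.load.

```ruby
# Added example, not the cookbook's own code. Models "bring your own secrets
# provider": a wrapper cookbook commits only a pointer (bag/item names) to a
# vault item, never the secret itself, and the cookbook resolves it at run time.
VAULT_SOURCE = :chef_vault          # secret came from a vault item
PLAINTEXT_SOURCE = :node_attribute  # secret came from a plain node attribute

class SecretResolver
  # vault_lookup: any callable (bag, item) -> Hash of secrets. With chef-vault
  # this would be ->(bag, item) { ChefVault::Item.load(bag, item) } (assumed
  # integration, not exercised here).
  def initialize(node, vault_lookup:)
    @node = node
    @vault_lookup = vault_lookup
  end

  # Returns [value, source]. Vault pointer attributes win over an inline secret,
  # because bag/item names are safe to keep in source control while the inline
  # value ends up in git history and in the Chef server's node object.
  def resolve(name)
    cfg = @node.fetch('supermarket', {})
    if cfg['vault_bag'] && cfg['vault_item']
      item = @vault_lookup.call(cfg['vault_bag'], cfg['vault_item'])
      value = item[name]
      raise KeyError, "#{name} missing from #{cfg['vault_bag']}/#{cfg['vault_item']}" if value.nil?
      [value, VAULT_SOURCE]
    elsif cfg[name]
      # Still works (the "proceed as is" branch) but is flagged so a wrapper
      # cookbook author notices the secret is being persisted in plaintext.
      warn "supermarket.#{name} is a plain node attribute; it will be retained in source control and on the Chef server"
      [cfg[name], PLAINTEXT_SOURCE]
    else
      raise KeyError, "no source configured for supermarket.#{name}"
    end
  end
end

# Constructed in-memory stand-in for a chef-vault data bag (example data only).
FAKE_VAULT = { %w[secrets supermarket] => { 'secret_key_base' => 'vault-value' } }.freeze
FAKE_LOOKUP = ->(bag, item) { FAKE_VAULT.fetch([bag, item]) }

# Convenience entry point: resolve secret_key_base for a given node attribute hash.
def resolve_supermarket_secret(node)
  SecretResolver.new(node, vault_lookup: FAKE_LOOKUP).resolve('secret_key_base')
end
```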