I’ve been using Chef for a bit now and am generally a huge fan of the new Chef workflow.
We are working hard to attain true continuous delivery and test-driven development with Chef. The devil is in the details now.
One small wrinkle in our effort has been marrying encrypted data_bags with our chef-repo in GitHub.
I don’t want to type the optional argument --secret-file ~/.chef/encrypted_data_bag_secret every time I interact with a data bag. So, I added this option to my ~/.chef/knife.rb file.
However, this precludes me from easily exporting the edited file to disk. The export will always be my secret plaintext, not the encrypted ciphertext. Not exactly what you want to commit to GitHub.
So, I decided to create a bash alias to temporarily disable the knife.rb setting and export the data bag to a file:
My ~/.bash_profile file contains this alias:
This bash function comments out the secret file option in knife.rb using sed’s in-place editing.
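One way to write such a helper, as an added example rather than the post's original alias. It assumes the knife.rb setting is a line beginning with knife[:secret_file], uses the hypothetical function name knife_export_encrypted, and additionally refuses to write an export that lacks the encrypted_data field found in version 1 and later encrypted items.

```bash
# Added example (not the post's alias). knife_export_encrypted is a hypothetical name.
KNIFE_RB="${KNIFE_RB:-$HOME/.chef/knife.rb}"

# Usage: knife_export_encrypted BAG ITEM
# Writes the item's stored ciphertext to data_bags/BAG/ITEM.json.
knife_export_encrypted() {
    local bag="$1" item="$2" out tmp rc=0
    if [ -z "$bag" ] || [ -z "$item" ]; then
        echo "usage: knife_export_encrypted BAG ITEM" >&2
        return 2
    fi
    out="data_bags/$bag/$item.json"
    tmp="$out.tmp"
    mkdir -p "data_bags/$bag" || return 1

    # Comment out the secret_file setting; sed keeps the original as knife.rb.bak.
    # The -i.bak spelling works with both GNU and BSD (macOS) sed.
    sed -i.bak -e 's/^[[:space:]]*knife\[:secret_file\]/#&/' "$KNIFE_RB" || return 1

    # Without a secret configured, knife prints the item as stored: encrypted.
    knife data bag show "$bag" "$item" --format json > "$tmp" || rc=$?

    # Restore the original knife.rb whether or not knife succeeded.
    mv "$KNIFE_RB.bak" "$KNIFE_RB"

    if [ "$rc" -ne 0 ]; then
        rm -f "$tmp"
        return "$rc"
    fi

    # Assumption: the item uses the version 1+ format, where every encrypted
    # value is a hash with an "encrypted_data" key. Output without that key is
    # treated as plaintext (e.g. the setting was spelled differently) and dropped.
    if ! grep -q '"encrypted_data"' "$tmp"; then
        rm -f "$tmp"
        echo "refusing to write $out: no encrypted_data field found" >&2
        return 3
    fi
    mv "$tmp" "$out"
}
```

Run it from the root of the chef-repo so the file lands under data_bags/.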
Now I can commit the data bag in its encrypted format:
Happy cooking!