Ingest S3 access key id/secret for bookshelf #1137
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 tasks
srenatus
force-pushed
the
ssd-sr/ingest-s3-creds
branch
from
f91a7ad to
66f87e6
Compare
stevendanna
approved these changes
Mar 13, 2017
srenatus
force-pushed
the
ssd-sr/ingest-s3-creds
branch
2 times, most recently
from
d708e77 to
38fdce5
Compare
marcparadise
approved these changes
Mar 13, 2017
| @@ -22,6 +22,16 @@ | |||
| set_secret("data_collector", "token", password) | |||
| end | |||
|
|
|||
| add_command_under_category "set-s3-access-key-id", "Secrets Management", "Set or change the S3 access key id", 2 do | |||
There was a problem hiding this comment.
I'm starting to wonder if it wouldn't be a better UX to have something like:
chef-server-ctl set-secret NAME VALUE
And validate the names/provide a list of available names.
There was a problem hiding this comment.
👍 Working on it -- either as part of this PR or the next 😃
srenatus
force-pushed
the
ssd-sr/ingest-s3-creds
branch
2 times, most recently
from
f9d390a to
1117ccf
Compare
marcparadise
requested changes
Mar 13, 2017
| @@ -42,16 +51,15 @@ def confirm_continue!(message) | |||
| end | |||
| end | |||
|
|
|||
| def set_secret(group, key, secret) | |||
| def set(group, key, secret) | |||
There was a problem hiding this comment.
The only thing to keep in mind is that these all get evald into the ChefServerCtl class - so set will become a member function of the class.
If there's any chance of another command (there are none) or existing function of the same name (I'm less sure about this without looking closer), odd things will happen without clear indication of what went wrong.
This one is generic enough that we're probably better off keeping it as set_secret, even if only to prevent accidental future collisions.
There was a problem hiding this comment.
set_secret did indeed clash with this :D
srenatus
force-pushed
the
ssd-sr/ingest-s3-creds
branch
2 times, most recently
from
9b14901 to
3527a59
Compare
Now, if for example chef-server.rb contains
redis_lb['password'] = 'foo'
This would
1. be ingested in the secret store
2. trigger a warning if the value in the secret store is different from
the one in the config
3. trigger a warning that it's in plain in chef-server.rb and should
rather be taken from the secret store (i.e., removed from the config)
and could be set interactively via
chef-server-ctl set-secret redis_lb password
or from the environment via
REDIS_LB_PASSWORD=foobar chef-server-ctl set-secret redis_lb password
Replaces old ctl-commands by calls to set-secrets; with a whitelist.
Without the whitelisting, it would be quite easy to mistype the name of
a secret, and thus store it under the wrong key. Now, only anticipated
group/name combinations are allowed.
Note that the non-generic secret ingestion commands, i.e. those with
extra warnings and confirmations,
- postgresql/db_superuser_password
- rabbitmq/actions_password
are not retired, since `set-secret` does not support extras.
Signed-off-by: Stephan Renatus <[email protected]>
Signed-off-by: Steven Danna <[email protected]>
This adds a simple show-secrets command. It does no validation since this is a command meant for debugging. Signed-off-by: Steven Danna <[email protected]>
srenatus
force-pushed
the
ssd-sr/ingest-s3-creds
branch
from
dd68055 to
aa6421f
Compare
marcparadise
approved these changes
Mar 13, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Now, if for example chef-server.rb contains
This would
the one in the config
rather be taken from the secret store (i.e., removed from the config)
and could be set interactively via
or from the environment via
Replaces old ctl-commands by calls to set-secrets; with a whitelist.
Without the whitelisting, it would be quite easy to mistype the name of
a secret, and thus store it under the wrong key. Now, only anticipated
group/name combinations are allowed.
Note that the non-generic secret ingestion commands, i.e. those with
extra warnings and confirmations,
are not retired, since
set-secretdoes not support extras.