From 29c99c469e4e08f4aae92a3829e5038d7a84e660 Mon Sep 17 00:00:00 2001
From: nilsver
Date: Thu, 13 Nov 2025 11:23:49 +0000
Subject: [PATCH 1/6] first version

---
 resources/bin/rb_configure_leader.sh | 15 +++++++--------
 resources/bin/rb_create_rsa.sh | 4 ++--
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/resources/bin/rb_configure_leader.sh b/resources/bin/rb_configure_leader.sh
index 1bb5f218..7a95bb29 100755
--- a/resources/bin/rb_configure_leader.sh
+++ b/resources/bin/rb_configure_leader.sh
@@ -122,13 +122,13 @@ function configure_dataBags(){
 HASH_FUNCTION="SHA256"
 
 ## Data bags ##
- mkdir -p /var/chef/data/data_bag/passwords/
+ mkdir -p /var/chef/data/data_bag_encrypted/passwords/
 mkdir -p /var/chef/data/data_bag/rBglobal/
 mkdir -p /var/chef/data/data_bag/certs/
 mkdir -p /var/chef/data/data_bag/backend/
 
 ## DB opscode (chef) passwords
- cat > /var/chef/data/data_bag/passwords/db_opscode_chef.json <<-_RBEOF_
+ cat > /var/chef/data/data_bag_encrypted/passwords/db_opscode_chef.json <<-_RBEOF_
 {
 "id": "db_opscode_chef",
 "username": "opscode_chef",
@@ -176,7 +176,7 @@ _RBEOF_
 _RBEOF_
 
 # S3 passwords
- cat > /var/chef/data/data_bag/passwords/s3.json <<-_RBEOF_
+ cat > /var/chef/data/data_bag_encrypted/passwords/s3.json <<-_RBEOF_
 {
 "id": "s3",
 "s3_access_key_id": "$S3KEY",
@@ -188,7 +188,6 @@ _RBEOF_
 }
 _RBEOF_
 
- mkdir -p /var/chef/data/data_bag_encrypted/passwords/
 cat > /var/chef/data/data_bag_encrypted/passwords/vrrp.json <<-_RBEOF_
 {
 "id": "vrrp",
@@ -199,7 +198,7 @@ _RBEOF_
 _RBEOF_
 
 # DB druid passwords
- cat > /var/chef/data/data_bag/passwords/db_druid.json <<-_RBEOF_
+ cat > /var/chef/data/data_bag_encrypted/passwords/db_druid.json <<-_RBEOF_
 {
 "id": "db_druid",
 "username": "druid",
@@ -211,7 +210,7 @@ _RBEOF_
 _RBEOF_
 
 # DB redborder passwords
- cat > /var/chef/data/data_bag/passwords/db_redborder.json <<-_RBEOF_
+ cat > /var/chef/data/data_bag_encrypted/passwords/db_redborder.json <<-_RBEOF_
 {
 "id": "db_redborder",
 "username": "redborder",
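Review bot: The new `mkdir -p /var/chef/data/data_bag_encrypted/passwords/` and the `cat > .../db_opscode_chef.json <<-_RBEOF_` that follows create the directory and the plaintext credential file with whatever umask the caller happens to have, so the secrets sit on disk with default permissions until something uploads and removes them. Since the rename exists precisely because these items are sensitive, restrict them at creation: `mkdir -p -m 0700 /var/chef/data/data_bag_encrypted/passwords/` and a `umask 077` (restored afterwards) around the heredocs, or a `chmod 600` on each generated file. The values interpolated into these heredocs are not escaped, so a password containing `"` or `\` yields an invalid item; that is pre-existing, but a one-line comment above the new `cat >` noting the constraint would save the next maintainer a debugging session. configure_dataBags continues outside the hunk.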
@@ -223,7 +222,7 @@ _RBEOF_
 _RBEOF_
 
 # DB radius passwords
- cat > /var/chef/data/data_bag/passwords/db_radius.json <<- _RBEOF2_
+ cat > /var/chef/data/data_bag_encrypted/passwords/db_radius.json <<- _RBEOF2_
 {
 "id": "db_radius",
 "username": "radius",
@@ -235,7 +234,7 @@ _RBEOF_
 _RBEOF2_
 
 # Vault passwords
- cat > /var/chef/data/data_bag/passwords/vault.json <<-_RBEOF_
+ cat > /var/chef/data/data_bag_encrypted/passwords/vault.json <<-_RBEOF_
 {
 "id": "vault",
 "hash_key": "$HASH_KEY",
diff --git a/resources/bin/rb_create_rsa.sh b/resources/bin/rb_create_rsa.sh
index 2a2ef9f0..c728249a 100755
--- a/resources/bin/rb_create_rsa.sh
+++ b/resources/bin/rb_create_rsa.sh
@@ -41,11 +41,11 @@ if [ "x$OVR" == "xy" -o "x$OVR" == "xY" ]; then
 \"public_rsa\": \"`cat /var/www/rb-rails/config/rsa.pub`\"
 }" > $JSON
 
- knife data bag from file passwords $JSON
+ knife data bag from file rBglobal $JSON
 rm -f $JSON
 
 echo "Checking NEW ssh rsa databag: "
- knife data bag show passwords ssh
+ knife data bag show rBglobal ssh
 if [ $? -eq 0 ]; then
 UPLOAD=1
 fi

From 26f1e61c2644fc7c97efa7e6a0db63276d6dcfdb Mon Sep 17 00:00:00 2001
From: nilsver
Date: Thu, 13 Nov 2025 11:57:55 +0000
Subject: [PATCH 2/6] add databags

---
 resources/bin/rb_configure_leader.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/resources/bin/rb_configure_leader.sh b/resources/bin/rb_configure_leader.sh
index 7a95bb29..14e2048d 100755
--- a/resources/bin/rb_configure_leader.sh
+++ b/resources/bin/rb_configure_leader.sh
@@ -275,7 +275,7 @@ _RBEOF_
 
 #webui secret token
 WEBISECRET="`< /dev/urandom tr -dc A-Za-z0-9 | head -c128 | sed 's/ //g'`"
- cat > /var/chef/data/data_bag/passwords/webui_secret.json <<-_RBEOF_
+ cat > /var/chef/data/data_bag_encrypted/passwords/webui_secret.json <<-_RBEOF_
 {
 "id": "webui_secret",
 "secret": "$WEBISECRET"
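Review bot: Re-pointing the upload to `knife data bag from file rBglobal $JSON` moves the `ssh` item out of the `passwords` bag, which the rest of this series is treating as the encrypted one, into `rBglobal`, a bag whose local tree is created under the plain `data_bag/` directory, and the call passes no `--secret-file`, so whatever this item contains is stored in clear on the Chef server and readable by every node client. Only the `public_rsa` field is visible in the hunk; if the item also carries the private half of the pair (the script name and the "Checking NEW ssh rsa databag" message suggest it may), keep it in an encrypted bag and upload it the way the encrypted items are, `knife data bag from file passwords $JSON --secret-file <secret>`. If it truly holds only the public key, say so in a comment above the `knife` line so nobody assumes a secret was just downgraded. `knife data bag from file` also fails when the target bag does not exist yet; confirm `rBglobal` is created before this point (outside the hunk) or guard with `knife data bag create rBglobal`. The enclosing `if` starts before the hunk.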
@@ -284,7 +284,7 @@ _RBEOF_
 
 #redis password token
 REDIS_SECRET="`< /dev/urandom tr -dc A-Za-z0-9 | head -c128 | sed 's/ //g'`"
- cat > /var/chef/data/data_bag/passwords/redis.json <<-_RBEOF_
+ cat > /var/chef/data/data_bag_encrypted/passwords/redis.json <<-_RBEOF_
 {
 "id": "redis",
 "pass": "$REDIS_SECRET"
@@ -294,7 +294,7 @@ _RBEOF_
 #airflow password token
 AIRFLOW_USER="airflow"
 AIRFLOW_SECRET="`< /dev/urandom tr -dc A-Za-z0-9 | head -c32 | sed 's/ //g'`"
- cat > /var/chef/data/data_bag/passwords/db_airflow.json <<-_RBEOF_
+ cat > /var/chef/data/data_bag_encrypted/passwords/db_airflow.json <<-_RBEOF_
 {
 "id": "db_airflow",
 "user": "$AIRFLOW_USER",

From bd08c7fa5f38c184e8d6b76e03fc8d4eaf11aa03 Mon Sep 17 00:00:00 2001
From: nilsver
Date: Wed, 19 Nov 2025 09:00:31 +0000
Subject: [PATCH 3/6] unencrypt s3 password

---
 resources/bin/rb_configure_leader.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resources/bin/rb_configure_leader.sh b/resources/bin/rb_configure_leader.sh
index 14e2048d..47bc6a68 100755
--- a/resources/bin/rb_configure_leader.sh
+++ b/resources/bin/rb_configure_leader.sh
@@ -123,6 +123,7 @@ function configure_dataBags(){
 
 ## Data bags ##
 mkdir -p /var/chef/data/data_bag_encrypted/passwords/
+ mkdir -p /var/chef/data/data_bag/passwords/
 mkdir -p /var/chef/data/data_bag/rBglobal/
 mkdir -p /var/chef/data/data_bag/certs/
 mkdir -p /var/chef/data/data_bag/backend/
@@ -176,8 +177,7 @@ _RBEOF_
 _RBEOF_
 
 # S3 passwords
- cat > /var/chef/data/data_bag_encrypted/passwords/s3.json <<-_RBEOF_
-{
+ cat > /var/chef/data/data_bag/passwords/s3.json <<-_RBEOF_{
 "id": "s3",
 "s3_access_key_id": "$S3KEY",
 "s3_secret_key_id": "$S3SECRET",

From 4d04b946035c4aeccc245f8fce72619650d0baba Mon Sep 17 00:00:00 2001
From: nilsver
Date: Wed, 19 Nov 2025 09:20:31 +0000
Subject: [PATCH 4/6] syntax error

---
 resources/bin/rb_configure_leader.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
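Review bot: Re-adding `mkdir -p /var/chef/data/data_bag/passwords/` next to the existing `data_bag_encrypted/passwords/` leaves two local trees that, if the upload script derives the bag name from the directory name as its `knife data bag ... from file $n1 $n2` calls suggest, both land in a single Chef bag called `passwords` holding a mix of encrypted and plaintext items. Consumers then have to know per item whether to use an encrypted load, and an item id present in both trees would silently overwrite the other on upload. Either give the plaintext tree a distinct bag name or document the split right here, e.g. `mkdir -p /var/chef/data/data_bag/passwords/  # plaintext items only (currently just s3) -- everything else goes in data_bag_encrypted`. configure_dataBags continues outside the hunk.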
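Review bot: Writing `$S3SECRET` into `data_bag/passwords/s3.json` stores the S3 secret key as an unencrypted data bag item, readable by any node client or knife user with access to the Chef server, and the commit gives no reason for undoing the move to the encrypted tree made two patches earlier. If some consumer cannot read encrypted bags, that consumer is the thing to fix; otherwise restore `cat > /var/chef/data/data_bag_encrypted/passwords/s3.json <<-_RBEOF_`. If a plaintext item is unavoidable, say why in a comment on this line (`# NOTE: deliberately unencrypted -- <consumer> cannot decrypt data bags`) and make sure the on-disk copy is deleted after upload, which the encrypted path of rb_upload_chef_data.sh appears to do (`rm -f $n2` on success) while the plain path visible later in this series does not. configure_dataBags continues outside the hunk.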
diff --git a/resources/bin/rb_configure_leader.sh b/resources/bin/rb_configure_leader.sh
index 47bc6a68..bda38810 100755
--- a/resources/bin/rb_configure_leader.sh
+++ b/resources/bin/rb_configure_leader.sh
@@ -177,7 +177,7 @@ _RBEOF_
 _RBEOF_
 
 # S3 passwords
- cat > /var/chef/data/data_bag/passwords/s3.json <<-_RBEOF_{
+ cat > /var/chef/data/data_bag/passwords/s3.json <<-_RBEOF_
 "id": "s3",
 "s3_access_key_id": "$S3KEY",
 "s3_secret_key_id": "$S3SECRET",

From bf4ca44fde5547aaf9c8d657ff307427f4f074e5 Mon Sep 17 00:00:00 2001
From: nilsver
Date: Wed, 19 Nov 2025 10:31:40 +0000
Subject: [PATCH 5/6] make verbose

---
 resources/bin/rb_configure_leader.sh | 1 +
 resources/bin/rb_upload_chef_data.sh | 14 +++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/resources/bin/rb_configure_leader.sh b/resources/bin/rb_configure_leader.sh
index bda38810..e5c9e9e2 100755
--- a/resources/bin/rb_configure_leader.sh
+++ b/resources/bin/rb_configure_leader.sh
@@ -178,6 +178,7 @@ _RBEOF_
 
 # S3 passwords
 cat > /var/chef/data/data_bag/passwords/s3.json <<-_RBEOF_
+{
 "id": "s3",
 "s3_access_key_id": "$S3KEY",
 "s3_secret_key_id": "$S3SECRET",
diff --git a/resources/bin/rb_upload_chef_data.sh b/resources/bin/rb_upload_chef_data.sh
index f78d2bf0..90f88f17 100755
--- a/resources/bin/rb_upload_chef_data.sh
+++ b/resources/bin/rb_upload_chef_data.sh
@@ -55,7 +55,7 @@ function upload_data_bag(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n2 | sed "s|/var/chef/data/||") attempt ($retry/$max_retries)"
- knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key &>/dev/null
+ knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key
 RET=$?
 if [ $RET -eq 0 ]; then
 rm -f $n2
@@ -77,7 +77,7 @@ function upload_data_bag(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n2 | sed "s|/var/chef/data/||") attempt ($retry/$max_retries)"
- knife data bag -c /root/.chef/knife.rb from file $n1 $n2 &>/dev/null
+ knife data bag -c /root/.chef/knife.rb from file $n1 $n2
 RET=$?
 if [ $RET -eq 0 ]; then
 print_result $RET
@@ -107,7 +107,7 @@ function upload_data_bag(){
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " > Uploading \"$n1\" data bag: attempt ($retry/$max_retries)"
 [ "x$key" != "x" ] && echo -n " encrypted"
- knife data bag -c /root/.chef/knife.rb create $n1 --secret-file $key &>/dev/null
+ knife data bag -c /root/.chef/knife.rb create $n1 --secret-file $key
 RET=$?
 if [ $RET -eq 0 ]; then
 print_result $RET
@@ -129,7 +129,7 @@ function upload_data_bag(){
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " > Uploading \"$n1\" data bag: attempt ($retry/$max_retries)"
 [ "x$key" != "x" ] && echo -n " encrypted"
- knife data bag -c /root/.chef/knife.rb create $n1 &>/dev/null
+ knife data bag -c /root/.chef/knife.rb create $n1
 RET=$?
 if [ $RET -eq 0 ]; then
 print_result $RET
@@ -162,7 +162,7 @@ function upload_data_bag(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n2 | sed "s|${RBDIR}/var/chef/data/||") ($retry/$max_retries)"
- knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key &>/dev/null
+ knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key
 RET=$?
 if [ $RET -eq 0 ]; then
 rm -f $n2
@@ -184,7 +184,7 @@ function upload_data_bag(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n2 | sed "s|${RBDIR}/var/chef/data/||") ($retry/$max_retries)"
- knife data bag -c /root/.chef/knife.rb from file $n1 $n2 &>/dev/null
+ knife data bag -c /root/.chef/knife.rb from file $n1 $n2
 RET=$?
 if [ $RET -eq 0 ]; then
 print_result $RET
@@ -236,7 +236,7 @@ function upload_x(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n | sed "s|/var/chef/data/||") attempt ($retry/$max_retries)"
- knife $X -c /root/.chef/knife.rb from file $n &>/dev/null
+ knife $X -c /root/.chef/knife.rb from file $n
 if [ $? -eq 0 ]; then
 print_result $?
 break

From 871e2797ef4ff8a28cb77ebae81ceac6b223efbd Mon Sep 17 00:00:00 2001
From: nilsver
Date: Wed, 19 Nov 2025 10:45:28 +0000
Subject: [PATCH 6/6] make unverbose again

---
 resources/bin/rb_upload_chef_data.sh | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/resources/bin/rb_upload_chef_data.sh b/resources/bin/rb_upload_chef_data.sh
index 90f88f17..f78d2bf0 100755
--- a/resources/bin/rb_upload_chef_data.sh
+++ b/resources/bin/rb_upload_chef_data.sh
@@ -55,7 +55,7 @@ function upload_data_bag(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n2 | sed "s|/var/chef/data/||") attempt ($retry/$max_retries)"
- knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key
+ knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key &>/dev/null
 RET=$?
 if [ $RET -eq 0 ]; then
 rm -f $n2
@@ -77,7 +77,7 @@ function upload_data_bag(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n2 | sed "s|/var/chef/data/||") attempt ($retry/$max_retries)"
- knife data bag -c /root/.chef/knife.rb from file $n1 $n2
+ knife data bag -c /root/.chef/knife.rb from file $n1 $n2 &>/dev/null
 RET=$?
 if [ $RET -eq 0 ]; then
 print_result $RET
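Review bot: Restoring `&>/dev/null` on the `knife data bag ... from file $n1 $n2 --secret-file $key` line throws away knife's stderr as well as its stdout, so when every one of `max_retries` attempts fails the operator sees only the attempt counter and has to re-run knife by hand to learn whether the cause was a bad secret file, a missing bag or an auth error. Keep stdout quiet but retain the diagnostics, e.g. `knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key >/dev/null 2>>/var/log/rb_upload_chef_data.err`, or capture with `out=$(knife ... 2>&1)` and print `$out` once `RET` is non-zero on the last attempt. `$n1`, `$n2` and `$key` are unquoted, so a path containing whitespace would split into extra arguments; quoting them is a one-line change. The loop's failure branch is outside the hunk.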
@@ -107,7 +107,7 @@ function upload_data_bag(){
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " > Uploading \"$n1\" data bag: attempt ($retry/$max_retries)"
 [ "x$key" != "x" ] && echo -n " encrypted"
- knife data bag -c /root/.chef/knife.rb create $n1 --secret-file $key
+ knife data bag -c /root/.chef/knife.rb create $n1 --secret-file $key &>/dev/null
 RET=$?
 if [ $RET -eq 0 ]; then
 print_result $RET
@@ -129,7 +129,7 @@ function upload_data_bag(){
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " > Uploading \"$n1\" data bag: attempt ($retry/$max_retries)"
 [ "x$key" != "x" ] && echo -n " encrypted"
- knife data bag -c /root/.chef/knife.rb create $n1
+ knife data bag -c /root/.chef/knife.rb create $n1 &>/dev/null
 RET=$?
 if [ $RET -eq 0 ]; then
 print_result $RET
@@ -162,7 +162,7 @@ function upload_data_bag(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n2 | sed "s|${RBDIR}/var/chef/data/||") ($retry/$max_retries)"
- knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key
+ knife data bag -c /root/.chef/knife.rb from file $n1 $n2 --secret-file $key &>/dev/null
 RET=$?
 if [ $RET -eq 0 ]; then
 rm -f $n2
@@ -184,7 +184,7 @@ function upload_data_bag(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n2 | sed "s|${RBDIR}/var/chef/data/||") ($retry/$max_retries)"
- knife data bag -c /root/.chef/knife.rb from file $n1 $n2
+ knife data bag -c /root/.chef/knife.rb from file $n1 $n2 &>/dev/null
 RET=$?
 if [ $RET -eq 0 ]; then
 print_result $RET
@@ -236,7 +236,7 @@ function upload_x(){
 retry_delay=5
 for ((retry = 1; retry <= max_retries; retry++)); do
 echo -n " - $(echo $n | sed "s|/var/chef/data/||") attempt ($retry/$max_retries)"
- knife $X -c /root/.chef/knife.rb from file $n
+ knife $X -c /root/.chef/knife.rb from file $n &>/dev/null
 if [ $? -eq 0 ]; then
 print_result $?
 break
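Review bot: In `upload_x` the `print_result $?` that follows the re-silenced `knife $X -c /root/.chef/knife.rb from file $n &>/dev/null` reports the exit status of the `[ $? -eq 0 ]` test, which is always 0 inside the then-branch, not knife's status, whereas every sibling hunk in `upload_data_bag` captures `RET=$?` first and passes `$RET`. Make this loop consistent with them: `RET=$?`, `if [ $RET -eq 0 ]; then`, `print_result $RET`. Because stderr is discarded again here too, the same loss of failure diagnostics raised for `upload_data_bag` applies, so whatever logging approach is chosen there should cover this call. The loop body continues outside the hunk.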