I have already created a databag item which is existing on the chef server.
Now, I am trying to pass on that databag item secret value to a docker container.
I am creating the data bag as follows:
knife data bag create bag_secrets bag_masterkey --secret-file C:\path\data_bag_secret
I am retrieving value of that databag item in Chef recipe as follows:
secret = Chef::EncryptedDataBagItem.load_secret("#{node['secret']}")
masterkey = Chef::EncryptedDataBagItem.load("databag_secrets", "databag_masterkey", secret)
What logic do i need to add to pass on the data bag secret to a docker container?
I've said this like twice on different questions: DO NOT USE ENCRYPTED DATABAGS LIKE THIS IT IS NOT SAFE.
I think you fundamentally misunderstand the security model of encrypted bags, they exist only to allow for data where the Chef Server cannot read it. The cost is you must manage key distribution. For Docker this would probably be via sidecar containers or data volumes but running chef-client inside a container is relatively rare so you'll have to sort that out yourself. I would recommend working with a security/infosec engineer at your company to figure out the right security model for your usage.
来源:https://stackoverflow.com/questions/37338090/how-to-pass-chef-data-bag-secret-to-a-docker-container