在template.erb中设置chef vault变量

Question

I have a vault item defined as the following in my recipe

item = ChefVault::Item.load("user","password")

How do i call this this in my template.erb ? I tried the following which isn't working

ROOTPASSWORD= <%= @node["testcookbook"]["user"]["password"] %>

My vault item looks like this:

$ knife vault show user password
id:       password
pass: xxxxxxxxxx
username: chefuser

I generally do something like this within a recipe

ROOTPASSWORD #{item['pass']}

however I don't think that would work within a template.

Answer 1

There are two options to solve that problem though the second one should be preferred as that keeps your sensitive data private.

Suppose, if your vault look like this:

knife vault show user password
id:       password
pass: xxxxxxxxxx
username: chefuser

Then, you can approach like following:

Save as Node Attribute

First, if you want to set the password on node object and make it visible, then you can do something like below:

In recipe:

node.default["testcookbook"]["user"]["password"] = ChefVault::Item.load("user","password")['pass']

template '/tmp/template' do
  source 'template.erb'
  owner 'root'
  group 'root'
  mode '0644'
end

In Template:

ROOTPASSWORD= <%= node["testcookbook"]["user"]["password"] %>

Pass Data to the Template using variables

Second, if you don't want to set the password on node object and let it visible in chef run logs, then you can do something like below:-

template '/tmp/template' do
  source 'template.erb'
  owner 'root'
  group 'root'
  mode '0644'
  sensitive true
  variables( {:password => ChefVault::Item.load("user","password")['pass']})
end

In Template:

ROOTPASSWORD= <%= @password %>