Tags: chef-infra, chef-solo

Is it good practice to add the nodes and clients folders to a Chef server template?


I am still learning about Chef. I have bootstrapped and uploaded my server template to a remote repository, but I am wondering if it's safe to add the nodes directory to the remote repository, as it contains the exact server passwords.

Here is an example node

{
  "environment":"production",
  "authorization": {
    "sudo": {
      // The password for the deploy user is set in data_bags/users/deploy.json
      // and should be generated using:
      // openssl passwd -1 "plaintextpassword"
      "users": ["deploy", "vagrant"]
    }
  },

  "vagrant" : {
    "exclusions" : [],
    "name" : "rails-postgres-redis1",
    "ip" : "192.168.50.4"
  },
  "rbenv":{
    "rubies": [
      "2.1.2"
    ],
    "global" : "2.1.2",
    "gems": {
      "2.1.2" : [
        {"name":"bundler"}
      ]
    }
  },
  "monit": {
    "notify_emails" : ["email@example.com"],
    "enable_emails" : false,
    "web_interface" : {
      // the plaintext monit username and password
      "allow" : ["your_username","your_password"]
    },
    "mailserver" : {
      "host" : "mailserver.example.com",
      "port" : "999",
      "username" : "your_username",
      "password" : "your_password",
      "hostname" : "the_hostname"
    }
  },
  "postgresql" : {
    "password" : {
      // this should be generated with:
      // openssl passwd -1 "plaintextpassword"
      // currently test
      "postgres" : "$1$mMK9HNoN$r42n7Q8fKsZabbknlT1Zt1"
    }
  },
  "run_list":
  [
    "role[server]",
    "role[nginx-server]",
    "role[postgres-server]",
    "role[rails-app]",
    "role[redis-server]"
  ]
}

As the passwords are visible, is it safe to add it like this?

If it should be in .gitignore, then at a later stage, if we clone from the remote repo, we need to bootstrap the server from scratch, as no nodes directory exists, right?

Is there a better way or am I missing something here?


Solution

  • You do not need a copy of the node JSON files to bootstrap the node. Secure data should come from Chef Vault, HashiCorp Vault or any other secure storage. Non-confidential data can be part of a recipe, wrapper recipe, role, environment, etc., which can be stored in the repository. If you really have data that is specific to a single node, you can pass it using -j during the bootstrap process.
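The split the answer describes, worked through on the node JSON from the question, as an added example that is not part of the question, the answer or the server template the question is about. The script carves the secret-bearing attributes (the monit web and mail credentials, the postgres password hash) out of the node attributes, leaving a non-confidential attribute set that is safe to commit or pass with `knife bootstrap -j`, and collects the secrets into Chef Vault items to be created with `knife vault create`. The vault and item names (`passwords/monit_web`, `passwords/monit_mail`, `passwords/postgres`), the `role:server` search, the `admin` user and the target host are assumptions; the `vault_item` lambda stands in for the `chef_vault_item` helper of the chef-vault cookbook so the script runs offline, and the credential values are the placeholders from the question, not real secrets.

```ruby
require 'json'

# Constructed sample mirroring the node JSON in the question (placeholder
# credentials, not real ones). Comments from the original file are dropped
# because Chef's JSON parser does not accept them.
NODE_ATTRS = {
  'environment' => 'production',
  'authorization' => { 'sudo' => { 'users' => %w[deploy vagrant] } },
  'vagrant' => { 'exclusions' => [], 'name' => 'rails-postgres-redis1', 'ip' => '192.168.50.4' },
  'monit' => {
    'notify_emails' => ['email@example.com'],
    'enable_emails' => false,
    'web_interface' => { 'allow' => %w[your_username your_password] },
    'mailserver' => { 'host' => 'mailserver.example.com', 'port' => '999',
                      'username' => 'your_username', 'password' => 'your_password',
                      'hostname' => 'the_hostname' }
  },
  'postgresql' => { 'password' => { 'postgres' => '$1$mMK9HNoN$r42n7Q8fKsZabbknlT1Zt1' } },
  'run_list' => ['role[server]', 'role[nginx-server]', 'role[postgres-server]',
                 'role[rails-app]', 'role[redis-server]']
}.freeze

# Attribute paths that must never reach the repository, each mapped to the
# Chef Vault item (vault, item) that will hold it. Assumed layout, not the post's.
SECRET_PATHS = {
  %w[monit web_interface allow]    => %w[passwords monit_web],
  %w[monit mailserver username]    => %w[passwords monit_mail],
  %w[monit mailserver password]    => %w[passwords monit_mail],
  %w[postgresql password postgres] => %w[passwords postgres]
}.freeze

# Drop hashes left empty after their secret leaves were removed.
def prune_empty(obj)
  return obj unless obj.is_a?(Hash)
  obj.each_with_object({}) do |(k, v), out|
    v = prune_empty(v)
    out[k] = v unless v.is_a?(Hash) && v.empty?
  end
end

# Returns [public_attrs, vault_items]: public_attrs is a deep copy of attrs
# with every secret path removed, vault_items maps "vault/item" to the
# leaf key/value pairs that belong in that item.
def split_secrets(attrs, secret_paths = SECRET_PATHS)
  public_attrs = JSON.parse(JSON.generate(attrs)) # deep copy
  vault_items = {}
  secret_paths.each do |path, (vault, item)|
    parent = path[0..-2].reduce(public_attrs) { |h, k| h && h[k] }
    next unless parent.is_a?(Hash) && parent.key?(path.last)
    (vault_items["#{vault}/#{item}"] ||= {})[path.last] = parent.delete(path.last)
  end
  public_attrs.delete('run_list') # the run list is passed with -r, not -j
  [prune_empty(public_attrs), vault_items]
end

# Every string leaf in a nested attribute structure; used to check that no
# secret value survives in the public attributes.
def leaf_strings(obj)
  case obj
  when Hash then obj.values.flat_map { |v| leaf_strings(v) }
  when Array then obj.flat_map { |v| leaf_strings(v) }
  when String then [obj]
  else []
  end
end

# knife vault create VAULT ITEM VALUES -S SEARCH -A ADMINS (real knife syntax;
# search and admins are assumed values).
def knife_vault_commands(vault_items, search:, admins:)
  vault_items.map do |key, values|
    vault, item = key.split('/', 2)
    "knife vault create #{vault} #{item} '#{JSON.generate(values)}' -S '#{search}' -A #{admins}"
  end
end

# Only non-confidential, node-specific data travels in -j.
def knife_bootstrap_command(host, public_attrs, run_list)
  "knife bootstrap #{host} -r '#{run_list.join(',')}' -j '#{JSON.generate(public_attrs)}'"
end

# Recipe side: the monit wrapper recipe reads the public parts from node
# attributes and the credentials from the vault. vault_item stands in for
# chef_vault_item(vault, item) from the chef-vault cookbook.
def resolve_mail_credentials(public_attrs, vault_item)
  mail = public_attrs['monit']['mailserver']
  secret = vault_item.call('passwords', 'monit_mail')
  { 'host' => mail['host'], 'port' => mail['port'],
    'username' => secret['username'], 'password' => secret['password'] }
end

if __FILE__ == $PROGRAM_NAME
  public_attrs, vault_items = split_secrets(NODE_ATTRS)
  puts knife_vault_commands(vault_items, search: 'role:server', admins: 'admin')
  puts knife_bootstrap_command('node1.example.com', public_attrs, NODE_ATTRS['run_list'])
  puts JSON.pretty_generate(public_attrs) # this is what may live in the repository
end
```

The public attribute set that comes out is the only part worth committing, and even that is better expressed as a role or environment than as a per-node file; the printed `knife vault create` lines are run once by an administrator and the items are then readable only by the nodes matching the search and the listed admins.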