Habi-chef Pattern and runtime identity


#1

We’ve been pushing the habi-chef pattern for some services that handle a divorce from system configuration in a really clean way. Our usual chef pattern for secret management is:

Chef runs with policy group X
Chef fetches secrets from Hashicorp Vault under namespace X
Chef compiles and launches.
Everything is awesome

As best I can tell I don’t have any way to set a habi-chef converge to assume a particular policy_group or send in any runtime attributes to identify the environment a node is converging in. Are these assumptions fact? Anyone have an approach here if not?


#2

If I understood your case correctly, then:

There is an open pull request for a scaffolding-chef improvement. It might help you: https://github.com/habitat-sh/core-plans/pull/1831/

It allows you to set policy_group.
Also there is https://bldr.habitat.sh/#/pkgs/jsirex/scaffolding-chef/latest - I’ve built it until the pull request gets merged.

BTW, you can specify policy_name and policy_group via node attributes: override['policy_group'] = 'mygroup'

PS. This new scaffolding is still under test…
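The mapping the thread describes (policy group X selects Vault namespace X, with policy_group supplied as a node attribute), as an added example that is not from either poster or the scaffolding-chef project. The plain Hash standing in for Chef's node object, the allowlist of environments and the KV path layout are assumptions for illustration.

```ruby
# Added example: resolve which Vault namespace a converge may read from.
# Assumption: `node` is a plain Hash mimicking Chef's attribute precedence
# (override beats default), e.g. {'override' => {'policy_group' => 'prod'}}.

# Assumed set of environments this policy group may name. Validating against a
# fixed list means an unexpected attribute value cannot steer the converge at
# another environment's secrets.
ALLOWED_POLICY_GROUPS = %w[dev staging prod].freeze

def effective_policy_group(node)
  group = node.dig('override', 'policy_group') || node.dig('default', 'policy_group')
  raise ArgumentError, 'no policy_group set for this converge' if group.nil? || group.empty?
  unless ALLOWED_POLICY_GROUPS.include?(group)
    raise ArgumentError, "policy_group #{group.inspect} is not an allowed environment"
  end
  group
end

# Assumed layout: namespace named after the policy group, KV v2 data path below it.
def vault_secret_path(node, secret)
  raise ArgumentError, 'invalid secret name' unless secret.match?(/\A[a-z0-9_-]+\z/)
  "#{effective_policy_group(node)}/secret/data/#{secret}"
end
```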


#3

Awesome! I’ll check this out. Thanks.