chef-vault 1.2.0 → 1.2.1
- data/README.md +161 -0
- data/lib/chef-vault/version.rb +1 -1
- data/lib/chef/knife/EncryptCert.rb +1 -1
- data/lib/chef/knife/EncryptPassword.rb +1 -1
- metadata +3 -3
- data/README.rdoc +0 -123
data/README.md
ADDED
@@ -0,0 +1,161 @@
|
|
1
|
+
# Chef-Vault
|
2
|
+
|
3
|
+
## DESCRIPTION:
|
4
|
+
|
5
|
+
Gem that allows you to encrypt passwords and certificates using the public keys of
|
6
|
+
a list of chef nodes. This allows only those chef nodes to decrypt the
|
7
|
+
password or certificate.
|
8
|
+
|
9
|
+
## INSTALLATION:
|
10
|
+
|
11
|
+
Be sure you are running the latest version Chef. Versions earlier than 0.10.0
|
12
|
+
don't support plugins:
|
13
|
+
|
14
|
+
gem install chef
|
15
|
+
|
16
|
+
This plugin is distributed as a Ruby Gem. To install it, run:
|
17
|
+
|
18
|
+
gem install chef-vault
|
19
|
+
|
20
|
+
Depending on your system's configuration, you may need to run this command with
|
21
|
+
root privileges.
|
22
|
+
|
23
|
+
## CONFIGURATION:
|
24
|
+
|
25
|
+
## KNIFE COMMANDS:
|
26
|
+
|
27
|
+
This plugin provides the following Knife subcommands.
|
28
|
+
Specific command options can be found by invoking the subcommand with a
|
29
|
+
<tt>--help</tt> flag
|
30
|
+
|
31
|
+
### knife encrypt password
|
32
|
+
|
33
|
+
Use this knife command to encrypt the username and password that you want to
|
34
|
+
protect. Only Chef nodes returned by the `--search` at the time of encryption
|
35
|
+
will be able to decrypt the password.
|
36
|
+
|
37
|
+
```bash
|
38
|
+
$ knife encrypt password --search SEARCH --username USERNAME --password PASSWORD
|
39
|
+
--admins ADMINS
|
40
|
+
```
|
41
|
+
|
42
|
+
In the example below, the `mysql_user`'s password will be encrypted using the
|
43
|
+
public keys of the nodes in the `web_server` role. In addition to the servers in
|
44
|
+
the `web_server` role, Chef users `alice`, `bob`, and `carol` will also be able
|
45
|
+
to decrypt the password, an encrypted data bag item.
|
46
|
+
|
47
|
+
```bash
|
48
|
+
$ knife encrypt password --search "role:web_server" --username mysql_user
|
49
|
+
--password "P@ssw0rd" --admins "alice,bob,carol"
|
50
|
+
```
|
51
|
+
|
52
|
+
### knife decrypt password
|
53
|
+
|
54
|
+
Use this knife command to decrypt the password that is protected. This is
|
55
|
+
currently hard-coded to look for an encrypted data bag named "passwords" on the
|
56
|
+
Chef server.
|
57
|
+
|
58
|
+
knife decrypt password --username USERNAME
|
59
|
+
|
60
|
+
### knife encrypt cert
|
61
|
+
|
62
|
+
Use this knife command to encrypt the contents of a certificate that you want to
|
63
|
+
protect. Only Chef nodes returned by the `--search` at the time of encryption
|
64
|
+
will be able to decrypt the certificate.
|
65
|
+
|
66
|
+
Typically you will decrypt the contents as part of a recipe and write them out
|
67
|
+
to a certificate on your Chef node.
|
68
|
+
|
69
|
+
```bash
|
70
|
+
$ knife encrypt cert --search SEARCH --cert CERT --password PASSWORD
|
71
|
+
--name NAME --admins ADMINS
|
72
|
+
```
|
73
|
+
|
74
|
+
In the example below, the `~/ssl/web_server_cert.pem` certificate will be
|
75
|
+
encrypted using the public keys of the nodes in the `web_server` role. You can
|
76
|
+
reference the name of the certificate (`web_public_key`) in a recipe when you
|
77
|
+
need to decrypt it. In addition to the servers in the `web_server` role, Chef
|
78
|
+
users `alice`, `bob`, and `carol` will also be able to decrypt the contents of
|
79
|
+
the certificate, an encrypted data bag item.
|
80
|
+
|
81
|
+
```bash
|
82
|
+
$ knife encrypt cert --search "role:web_server" --cert
|
83
|
+
~/ssl/web_server_cert.pem --name web_public_key --admins 'alice,bob,carol'
|
84
|
+
```
|
85
|
+
|
86
|
+
### knife decrypt cert
|
87
|
+
|
88
|
+
Use this knife command to decrypt the certificate that is protected. This is
|
89
|
+
currently hard-coded to look for an encrypted data bag named `certs` on the Chef
|
90
|
+
server.
|
91
|
+
|
92
|
+
knife decrypt cert --name NAME
|
93
|
+
|
94
|
+
## USAGE IN RECIPES
|
95
|
+
|
96
|
+
To use this gem in a recipe to decrypt data you must first install the gem
|
97
|
+
via a chef_gem resource. Once the gem is installed require the gem and then
|
98
|
+
you can create a new instance of ChefVault.
|
99
|
+
|
100
|
+
### Example Code (password)
|
101
|
+
|
102
|
+
```ruby
|
103
|
+
chef_gem "chef-vault"
|
104
|
+
|
105
|
+
require 'chef-vault'
|
106
|
+
|
107
|
+
vault = ChefVault.new("passwords")
|
108
|
+
user = vault.user("mysql_user")
|
109
|
+
password = user.decrypt_password
|
110
|
+
```
|
111
|
+
|
112
|
+
### Example Code (certificate)
|
113
|
+
|
114
|
+
```ruby
|
115
|
+
chef_gem "chef-vault"
|
116
|
+
|
117
|
+
require 'chef-vault'
|
118
|
+
|
119
|
+
vault = ChefVault.new("certs")
|
120
|
+
cert = vault.certificate("web_public_key")
|
121
|
+
contents = cert.decrypt_contents
|
122
|
+
```
|
123
|
+
|
124
|
+
## USAGE STAND ALONE
|
125
|
+
|
126
|
+
`chef-vault` can be used a stand alone binary to decrypt values stored in Chef.
|
127
|
+
It requires that Chef is installed on the system and that you have a valid
|
128
|
+
knife.rb. This is useful if you want to mix `chef-vault` into non-Chef recipe
|
129
|
+
code, for example some other script where you want to protect a password.
|
130
|
+
|
131
|
+
It does still require that the data bag has been encrypted for the user's or
|
132
|
+
client's pem and pushed to the Chef server. It mixes Chef into the gem and
|
133
|
+
uses it to go grab the data bag.
|
134
|
+
|
135
|
+
Do `chef-vault --help` for all available options
|
136
|
+
|
137
|
+
### Example usage (password)
|
138
|
+
|
139
|
+
chef-vault -u Administrator -k /etc/chef/knife.rb
|
140
|
+
|
141
|
+
### Example usage (certificate)
|
142
|
+
|
143
|
+
chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb
|
144
|
+
|
145
|
+
## License and Author:
|
146
|
+
|
147
|
+
Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
|
148
|
+
Copyright:: Copyright (c) 2013 Nordstrom, Inc.
|
149
|
+
License:: Apache License, Version 2.0
|
150
|
+
|
151
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
152
|
+
you may not use this file except in compliance with the License.
|
153
|
+
You may obtain a copy of the License at
|
154
|
+
|
155
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
156
|
+
|
157
|
+
Unless required by applicable law or agreed to in writing, software
|
158
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
159
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
160
|
+
See the License for the specific language governing permissions and
|
161
|
+
limitations under the License.
|
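Review bot: the `## CONFIGURATION:` heading (README line 23) has no body, and the three multi-line command examples (`knife encrypt password ... --admins ADMINS`, the `role:web_server` password example, and the `knife encrypt cert` examples) wrap onto a second line inside a ```bash fence without a trailing `\`, so they fail when pasted as shown; either add the continuation backslash or keep each command on one line. The `knife encrypt cert` synopsis lists `--password PASSWORD`, but the worked example omits it and the text never explains what the password is for on a certificate, so document it or drop it from the synopsis. `<tt>--help</tt>` is rdoc markup carried over from README.rdoc; in markdown write `--help`. The `knife decrypt password --username USERNAME` and `knife decrypt cert --name NAME` lines are the only commands not in a fenced block. Since the text states that only nodes returned by `--search` at encryption time can decrypt, it is worth stating the consequence explicitly: a node that joins the `web_server` role afterwards cannot decrypt the item until it is re-encrypted with the updated search results. The example `--password "P@ssw0rd"` also places the secret on the command line, where it ends up in shell history and process listings; a short caveat about that next to the example would help readers.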
data/lib/chef-vault/version.rb
CHANGED
@@ -89,7 +89,7 @@ class EncryptCert < Chef::Knife
|
|
89
89
|
end
|
90
90
|
|
91
91
|
# Get the public keys for the admin users, skipping users already in the data bag
|
92
|
-
public_keys << admins.split(
|
92
|
+
public_keys << admins.split(/[\s,]+/).map do |user|
|
93
93
|
begin
|
94
94
|
if current_dbi_keys[user]
|
95
95
|
puts("INFO: Skipping #{user} as it is already in the data bag")
|
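Review bot: the page's file header for this hunk says `data/lib/chef-vault/version.rb`, but the hunk context is `class EncryptCert < Chef::Knife`, which matches `data/lib/chef/knife/EncryptCert.rb` in the file list; the version.rb hunk itself is not shown on this page. On the change itself: `admins.split(/[\s,]+/)` accepts both comma- and whitespace-separated lists, but a leading separator (for example `",alice"` or `" alice"`) yields a leading empty string, so `current_dbi_keys[""]` is consulted and a public key lookup is attempted for an empty user name; add `.reject(&:empty?)` after the split (or `strip` the input first). Also `public_keys << admins.split(...).map do |user| ... end` appends the whole mapped array as a single nested element of `public_keys`; unless the array is flattened later outside this hunk, that should be `public_keys.concat(...)` or `public_keys += ...`. The removed line is rendered truncated as `public_keys << admins.split(`, so the previous splitting behaviour cannot be checked from this page.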
@@ -87,7 +87,7 @@ class EncryptPassword < Chef::Knife
|
|
87
87
|
end
|
88
88
|
|
89
89
|
# Get the public keys for the admin users, skipping users already in the data bag
|
90
|
-
public_keys << admins.split(
|
90
|
+
public_keys << admins.split(/[\s,]+/).map do |user|
|
91
91
|
begin
|
92
92
|
if current_dbi_keys[user]
|
93
93
|
puts("INFO: Skipping #{user} as it is already in the data bag")
|
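Review bot: this is the same change as in `EncryptCert`, with the same two issues: a leading separator in `admins` produces an empty user name after `split(/[\s,]+/)`, and `public_keys << ...map do |user|` nests the mapped array instead of concatenating it (unless flattened later outside the hunk). Since the two knife plugins now carry identical admin-parsing code, factor it into one shared helper (for example a method that splits, strips and rejects empty names) so that a fix lands in both places at once.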
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chef-vault
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.2.
|
4
|
+
version: 1.2.1
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-04-
|
12
|
+
date: 2013-04-23 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: chef
|
@@ -36,7 +36,7 @@ extensions: []
|
|
36
36
|
extra_rdoc_files: []
|
37
37
|
files:
|
38
38
|
- .gitignore
|
39
|
-
- README.
|
39
|
+
- README.md
|
40
40
|
- bin/chef-vault
|
41
41
|
- chef-vault.gemspec
|
42
42
|
- lib/chef-vault.rb
|
data/README.rdoc
DELETED
@@ -1,123 +0,0 @@
|
|
1
|
-
|
2
|
-
= Chef-Vault
|
3
|
-
|
4
|
-
= DESCRIPTION:
|
5
|
-
|
6
|
-
Gem that allows you to encrypt passwords & certificates using the public key of
|
7
|
-
a list of chef nodes. This allows only those chef nodes to decrypt the
|
8
|
-
password or certificate.
|
9
|
-
|
10
|
-
This is supported on both Chef 10 and Chef 11 API.
|
11
|
-
|
12
|
-
= INSTALLATION:
|
13
|
-
|
14
|
-
Be sure you are running the latest version Chef. Versions earlier than 0.10.0
|
15
|
-
don't support plugins:
|
16
|
-
|
17
|
-
gem install chef
|
18
|
-
|
19
|
-
This plugin is distributed as a Ruby Gem. To install it, run:
|
20
|
-
|
21
|
-
gem install chef-vault
|
22
|
-
|
23
|
-
Depending on your system's configuration, you may need to run this command with
|
24
|
-
root privileges.
|
25
|
-
|
26
|
-
= CONFIGURATION:
|
27
|
-
|
28
|
-
= KNIFE COMMANDS:
|
29
|
-
|
30
|
-
This plugin provides the following Knife subcommands.
|
31
|
-
Specific command options can be found by invoking the subcommand with a
|
32
|
-
<tt>--help</tt> flag
|
33
|
-
|
34
|
-
== knife encrypt password
|
35
|
-
|
36
|
-
Use this knife command to encrypt the username and password that you want to
|
37
|
-
protect.
|
38
|
-
|
39
|
-
knife encrypt password --search SEARCH --username USERNAME --password PASSWORD --admins ADMINS
|
40
|
-
|
41
|
-
== knife decrypt password
|
42
|
-
|
43
|
-
Use this knife command to dencrypt the password that is protected
|
44
|
-
|
45
|
-
knife decrypt password --username USERNAME
|
46
|
-
|
47
|
-
== knife encrypt cert
|
48
|
-
|
49
|
-
Use this knife command to encrypt the contents of a certificate that you want
|
50
|
-
to protect.
|
51
|
-
|
52
|
-
knife encrypt cert --search SEARCH --cert CERT --password PASSWORD --name NAME --admins ADMINS
|
53
|
-
|
54
|
-
== knife decrypt cert
|
55
|
-
|
56
|
-
Use this knife command to dencrypt the certificate that is protected
|
57
|
-
|
58
|
-
knife decrypt cert --name NAME
|
59
|
-
|
60
|
-
= USAGE IN RECIPES
|
61
|
-
|
62
|
-
To use this gem in a recipe to decrypt data you must first install the gem
|
63
|
-
via a chef_gem resource. Once the gem is installed require the gem and then
|
64
|
-
you can create a new instance of ChefVault.
|
65
|
-
|
66
|
-
== Example Code (password)
|
67
|
-
|
68
|
-
chef_gem "chef-vault"
|
69
|
-
|
70
|
-
require 'chef-vault'
|
71
|
-
|
72
|
-
vault = ChefVault.new("passwords")
|
73
|
-
user = vault.user("Administrator")
|
74
|
-
password = user.decrypt_password
|
75
|
-
|
76
|
-
== Example Code (certificate)
|
77
|
-
|
78
|
-
chef_gem "chef-vault"
|
79
|
-
|
80
|
-
require 'chef-vault'
|
81
|
-
|
82
|
-
vault = ChefVault.new("certs")
|
83
|
-
cert = vault.certificate("domain.com")
|
84
|
-
contents = cert.decrypt_contents
|
85
|
-
|
86
|
-
= USAGE STAND ALONE
|
87
|
-
|
88
|
-
chef-vault can be used a stand alone binary to decrypt values stored in chef.
|
89
|
-
It requires that chef is installed on the system and that you have a valid
|
90
|
-
knife.rb. This is useful if you want to mix chef-vault into non-chef recipe
|
91
|
-
code, for example some other script where you want to protect a password.
|
92
|
-
|
93
|
-
It does still require that the data bag has been encrypted for the user's or
|
94
|
-
client's pem and pushed to the chef server. It mixes chef into the gem and
|
95
|
-
uses it to go grab the data bag.
|
96
|
-
|
97
|
-
Do chef-vault --help for all available options
|
98
|
-
|
99
|
-
== Example usage (password)
|
100
|
-
|
101
|
-
chef-vault -u Administrator -k /etc/chef/knife.rb
|
102
|
-
|
103
|
-
== Example usage (certificate)
|
104
|
-
|
105
|
-
chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb
|
106
|
-
|
107
|
-
= LICENSE:
|
108
|
-
|
109
|
-
Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
|
110
|
-
Copyright:: Copyright (c) 2013 Nordstrom, Inc.
|
111
|
-
License:: Apache License, Version 2.0
|
112
|
-
|
113
|
-
Licensed under the Apache License, Version 2.0 (the "License");
|
114
|
-
you may not use this file except in compliance with the License.
|
115
|
-
You may obtain a copy of the License at
|
116
|
-
|
117
|
-
http://www.apache.org/licenses/LICENSE-2.0
|
118
|
-
|
119
|
-
Unless required by applicable law or agreed to in writing, software
|
120
|
-
distributed under the License is distributed on an "AS IS" BASIS,
|
121
|
-
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
122
|
-
See the License for the specific language governing permissions and
|
123
|
-
limitations under the License.
|
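Review bot: the deleted README.rdoc stated "This is supported on both Chef 10 and Chef 11 API." (rdoc line 10), and the new README.md drops that compatibility statement; if it still holds, carry it over, since the INSTALLATION section only mentions "Versions earlier than 0.10.0". The new file fixes the "dencrypt" typos and gives the knife and recipe examples consistent names (`mysql_user`, `web_public_key`), but the stand-alone examples (`chef-vault -u Administrator -k /etc/chef/knife.rb` and `chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb`) were copied from the rdoc unchanged and no longer match those names; aligning them would let a reader follow one password and one certificate through encryption, recipe use and stand-alone decryption.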