chef-vault 1.2.0 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.md +161 -0
- data/lib/chef-vault/version.rb +1 -1
- data/lib/chef/knife/EncryptCert.rb +1 -1
- data/lib/chef/knife/EncryptPassword.rb +1 -1
- metadata +3 -3
- data/README.rdoc +0 -123
data/README.md
ADDED
@@ -0,0 +1,161 @@
|
|
1
|
+
# Chef-Vault
|
2
|
+
|
3
|
+
## DESCRIPTION:
|
4
|
+
|
5
|
+
Gem that allows you to encrypt passwords and certificates using the public keys of
|
6
|
+
a list of chef nodes. This allows only those chef nodes to decrypt the
|
7
|
+
password or certificate.
|
8
|
+
|
9
|
+
## INSTALLATION:
|
10
|
+
|
11
|
+
Be sure you are running the latest version Chef. Versions earlier than 0.10.0
|
12
|
+
don't support plugins:
|
13
|
+
|
14
|
+
gem install chef
|
15
|
+
|
16
|
+
This plugin is distributed as a Ruby Gem. To install it, run:
|
17
|
+
|
18
|
+
gem install chef-vault
|
19
|
+
|
20
|
+
Depending on your system's configuration, you may need to run this command with
|
21
|
+
root privileges.
|
22
|
+
|
23
|
+
## CONFIGURATION:
|
24
|
+
|
25
|
+
## KNIFE COMMANDS:
|
26
|
+
|
27
|
+
This plugin provides the following Knife subcommands.
|
28
|
+
Specific command options can be found by invoking the subcommand with a
|
29
|
+
<tt>--help</tt> flag
|
30
|
+
|
31
|
+
### knife encrypt password
|
32
|
+
|
33
|
+
Use this knife command to encrypt the username and password that you want to
|
34
|
+
protect. Only Chef nodes returned by the `--search` at the time of encryption
|
35
|
+
will be able to decrypt the password.
|
36
|
+
|
37
|
+
```bash
|
38
|
+
$ knife encrypt password --search SEARCH --username USERNAME --password PASSWORD
|
39
|
+
--admins ADMINS
|
40
|
+
```
|
41
|
+
|
42
|
+
In the example below, the `mysql_user`'s password will be encrypted using the
|
43
|
+
public keys of the nodes in the `web_server` role. In addition to the servers in
|
44
|
+
the `web_server` role, Chef users `alice`, `bob`, and `carol` will also be able
|
45
|
+
to decrypt the password, an encrypted data bag item.
|
46
|
+
|
47
|
+
```bash
|
48
|
+
$ knife encrypt password --search "role:web_server" --username mysql_user
|
49
|
+
--password "P@ssw0rd" --admins "alice,bob,carol"
|
50
|
+
```
|
51
|
+
|
52
|
+
### knife decrypt password
|
53
|
+
|
54
|
+
Use this knife command to decrypt the password that is protected. This is
|
55
|
+
currently hard-coded to look for an encrypted data bag named "passwords" on the
|
56
|
+
Chef server.
|
57
|
+
|
58
|
+
knife decrypt password --username USERNAME
|
59
|
+
|
60
|
+
### knife encrypt cert
|
61
|
+
|
62
|
+
Use this knife command to encrypt the contents of a certificate that you want to
|
63
|
+
protect. Only Chef nodes returned by the `--search` at the time of encryption
|
64
|
+
will be able to decrypt the certificate.
|
65
|
+
|
66
|
+
Typically you will decrypt the contents as part of a recipe and write them out
|
67
|
+
to a certificate on your Chef node.
|
68
|
+
|
69
|
+
```bash
|
70
|
+
$ knife encrypt cert --search SEARCH --cert CERT --password PASSWORD
|
71
|
+
--name NAME --admins ADMINS
|
72
|
+
```
|
73
|
+
|
74
|
+
In the example below, the `~/ssl/web_server_cert.pem` certificate will be
|
75
|
+
encrypted using the public keys of the nodes in the `web_server` role. You can
|
76
|
+
reference the name of the certificate (`web_public_key`) in a recipe when you
|
77
|
+
need to decrypt it. In addition to the servers in the `web_server` role, Chef
|
78
|
+
users `alice`, `bob`, and `carol` will also be able to decrypt the contents of
|
79
|
+
the certificate, an encrypted data bag item.
|
80
|
+
|
81
|
+
```bash
|
82
|
+
$ knife encrypt cert --search "role:web_server" --cert
|
83
|
+
~/ssl/web_server_cert.pem --name web_public_key --admins 'alice,bob,carol'
|
84
|
+
```
|
85
|
+
|
86
|
+
### knife decrypt cert
|
87
|
+
|
88
|
+
Use this knife command to decrypt the certificate that is protected. This is
|
89
|
+
currently hard-coded to look for an encrypted data bag named `certs` on the Chef
|
90
|
+
server.
|
91
|
+
|
92
|
+
knife decrypt cert --name NAME
|
93
|
+
|
94
|
+
## USAGE IN RECIPES
|
95
|
+
|
96
|
+
To use this gem in a recipe to decrypt data you must first install the gem
|
97
|
+
via a chef_gem resource. Once the gem is installed require the gem and then
|
98
|
+
you can create a new instance of ChefVault.
|
99
|
+
|
100
|
+
### Example Code (password)
|
101
|
+
|
102
|
+
```ruby
|
103
|
+
chef_gem "chef-vault"
|
104
|
+
|
105
|
+
require 'chef-vault'
|
106
|
+
|
107
|
+
vault = ChefVault.new("passwords")
|
108
|
+
user = vault.user("mysql_user")
|
109
|
+
password = user.decrypt_password
|
110
|
+
```
|
111
|
+
|
112
|
+
### Example Code (certificate)
|
113
|
+
|
114
|
+
```ruby
|
115
|
+
chef_gem "chef-vault"
|
116
|
+
|
117
|
+
require 'chef-vault'
|
118
|
+
|
119
|
+
vault = ChefVault.new("certs")
|
120
|
+
cert = vault.certificate("web_public_key")
|
121
|
+
contents = cert.decrypt_contents
|
122
|
+
```
|
123
|
+
|
124
|
+
## USAGE STAND ALONE
|
125
|
+
|
126
|
+
`chef-vault` can be used a stand alone binary to decrypt values stored in Chef.
|
127
|
+
It requires that Chef is installed on the system and that you have a valid
|
128
|
+
knife.rb. This is useful if you want to mix `chef-vault` into non-Chef recipe
|
129
|
+
code, for example some other script where you want to protect a password.
|
130
|
+
|
131
|
+
It does still require that the data bag has been encrypted for the user's or
|
132
|
+
client's pem and pushed to the Chef server. It mixes Chef into the gem and
|
133
|
+
uses it to go grab the data bag.
|
134
|
+
|
135
|
+
Do `chef-vault --help` for all available options
|
136
|
+
|
137
|
+
### Example usage (password)
|
138
|
+
|
139
|
+
chef-vault -u Administrator -k /etc/chef/knife.rb
|
140
|
+
|
141
|
+
### Example usage (certificate)
|
142
|
+
|
143
|
+
chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb
|
144
|
+
|
145
|
+
## License and Author:
|
146
|
+
|
147
|
+
Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
|
148
|
+
Copyright:: Copyright (c) 2013 Nordstrom, Inc.
|
149
|
+
License:: Apache License, Version 2.0
|
150
|
+
|
151
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
152
|
+
you may not use this file except in compliance with the License.
|
153
|
+
You may obtain a copy of the License at
|
154
|
+
|
155
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
156
|
+
|
157
|
+
Unless required by applicable law or agreed to in writing, software
|
158
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
159
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
160
|
+
See the License for the specific language governing permissions and
|
161
|
+
limitations under the License.
|
data/lib/chef-vault/version.rb
CHANGED
@@ -89,7 +89,7 @@ class EncryptCert < Chef::Knife
|
|
89
89
|
end
|
90
90
|
|
91
91
|
# Get the public keys for the admin users, skipping users already in the data bag
|
92
|
-
public_keys << admins.split(
|
92
|
+
public_keys << admins.split(/[\s,]+/).map do |user|
|
93
93
|
begin
|
94
94
|
if current_dbi_keys[user]
|
95
95
|
puts("INFO: Skipping #{user} as it is already in the data bag")
|
@@ -87,7 +87,7 @@ class EncryptPassword < Chef::Knife
|
|
87
87
|
end
|
88
88
|
|
89
89
|
# Get the public keys for the admin users, skipping users already in the data bag
|
90
|
-
public_keys << admins.split(
|
90
|
+
public_keys << admins.split(/[\s,]+/).map do |user|
|
91
91
|
begin
|
92
92
|
if current_dbi_keys[user]
|
93
93
|
puts("INFO: Skipping #{user} as it is already in the data bag")
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chef-vault
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.2.
|
4
|
+
version: 1.2.1
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-04-
|
12
|
+
date: 2013-04-23 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: chef
|
@@ -36,7 +36,7 @@ extensions: []
|
|
36
36
|
extra_rdoc_files: []
|
37
37
|
files:
|
38
38
|
- .gitignore
|
39
|
-
- README.
|
39
|
+
- README.md
|
40
40
|
- bin/chef-vault
|
41
41
|
- chef-vault.gemspec
|
42
42
|
- lib/chef-vault.rb
|
data/README.rdoc
DELETED
@@ -1,123 +0,0 @@
|
|
1
|
-
|
2
|
-
= Chef-Vault
|
3
|
-
|
4
|
-
= DESCRIPTION:
|
5
|
-
|
6
|
-
Gem that allows you to encrypt passwords & certificates using the public key of
|
7
|
-
a list of chef nodes. This allows only those chef nodes to decrypt the
|
8
|
-
password or certificate.
|
9
|
-
|
10
|
-
This is supported on both Chef 10 and Chef 11 API.
|
11
|
-
|
12
|
-
= INSTALLATION:
|
13
|
-
|
14
|
-
Be sure you are running the latest version Chef. Versions earlier than 0.10.0
|
15
|
-
don't support plugins:
|
16
|
-
|
17
|
-
gem install chef
|
18
|
-
|
19
|
-
This plugin is distributed as a Ruby Gem. To install it, run:
|
20
|
-
|
21
|
-
gem install chef-vault
|
22
|
-
|
23
|
-
Depending on your system's configuration, you may need to run this command with
|
24
|
-
root privileges.
|
25
|
-
|
26
|
-
= CONFIGURATION:
|
27
|
-
|
28
|
-
= KNIFE COMMANDS:
|
29
|
-
|
30
|
-
This plugin provides the following Knife subcommands.
|
31
|
-
Specific command options can be found by invoking the subcommand with a
|
32
|
-
<tt>--help</tt> flag
|
33
|
-
|
34
|
-
== knife encrypt password
|
35
|
-
|
36
|
-
Use this knife command to encrypt the username and password that you want to
|
37
|
-
protect.
|
38
|
-
|
39
|
-
knife encrypt password --search SEARCH --username USERNAME --password PASSWORD --admins ADMINS
|
40
|
-
|
41
|
-
== knife decrypt password
|
42
|
-
|
43
|
-
Use this knife command to dencrypt the password that is protected
|
44
|
-
|
45
|
-
knife decrypt password --username USERNAME
|
46
|
-
|
47
|
-
== knife encrypt cert
|
48
|
-
|
49
|
-
Use this knife command to encrypt the contents of a certificate that you want
|
50
|
-
to protect.
|
51
|
-
|
52
|
-
knife encrypt cert --search SEARCH --cert CERT --password PASSWORD --name NAME --admins ADMINS
|
53
|
-
|
54
|
-
== knife decrypt cert
|
55
|
-
|
56
|
-
Use this knife command to dencrypt the certificate that is protected
|
57
|
-
|
58
|
-
knife decrypt cert --name NAME
|
59
|
-
|
60
|
-
= USAGE IN RECIPES
|
61
|
-
|
62
|
-
To use this gem in a recipe to decrypt data you must first install the gem
|
63
|
-
via a chef_gem resource. Once the gem is installed require the gem and then
|
64
|
-
you can create a new instance of ChefVault.
|
65
|
-
|
66
|
-
== Example Code (password)
|
67
|
-
|
68
|
-
chef_gem "chef-vault"
|
69
|
-
|
70
|
-
require 'chef-vault'
|
71
|
-
|
72
|
-
vault = ChefVault.new("passwords")
|
73
|
-
user = vault.user("Administrator")
|
74
|
-
password = user.decrypt_password
|
75
|
-
|
76
|
-
== Example Code (certificate)
|
77
|
-
|
78
|
-
chef_gem "chef-vault"
|
79
|
-
|
80
|
-
require 'chef-vault'
|
81
|
-
|
82
|
-
vault = ChefVault.new("certs")
|
83
|
-
cert = vault.certificate("domain.com")
|
84
|
-
contents = cert.decrypt_contents
|
85
|
-
|
86
|
-
= USAGE STAND ALONE
|
87
|
-
|
88
|
-
chef-vault can be used a stand alone binary to decrypt values stored in chef.
|
89
|
-
It requires that chef is installed on the system and that you have a valid
|
90
|
-
knife.rb. This is useful if you want to mix chef-vault into non-chef recipe
|
91
|
-
code, for example some other script where you want to protect a password.
|
92
|
-
|
93
|
-
It does still require that the data bag has been encrypted for the user's or
|
94
|
-
client's pem and pushed to the chef server. It mixes chef into the gem and
|
95
|
-
uses it to go grab the data bag.
|
96
|
-
|
97
|
-
Do chef-vault --help for all available options
|
98
|
-
|
99
|
-
== Example usage (password)
|
100
|
-
|
101
|
-
chef-vault -u Administrator -k /etc/chef/knife.rb
|
102
|
-
|
103
|
-
== Example usage (certificate)
|
104
|
-
|
105
|
-
chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb
|
106
|
-
|
107
|
-
= LICENSE:
|
108
|
-
|
109
|
-
Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
|
110
|
-
Copyright:: Copyright (c) 2013 Nordstrom, Inc.
|
111
|
-
License:: Apache License, Version 2.0
|
112
|
-
|
113
|
-
Licensed under the Apache License, Version 2.0 (the "License");
|
114
|
-
you may not use this file except in compliance with the License.
|
115
|
-
You may obtain a copy of the License at
|
116
|
-
|
117
|
-
http://www.apache.org/licenses/LICENSE-2.0
|
118
|
-
|
119
|
-
Unless required by applicable law or agreed to in writing, software
|
120
|
-
distributed under the License is distributed on an "AS IS" BASIS,
|
121
|
-
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
122
|
-
See the License for the specific language governing permissions and
|
123
|
-
limitations under the License.
|