chef-vault 3.4.1 → 3.4.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +307 -0
- data/chef-vault.gemspec +40 -0
- data/lib/chef-vault/version.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ae942cd10e48bec9d688f5c91e12853ebd257a2664768444d3f9f472e391dcc3
|
4
|
+
data.tar.gz: 04dc8c57516c24949b014cbb7e2e259dea2f9e7458505bccb87b6ab0698db1f4
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6dad5ce4503b40fe2866c9c89d34ab45e56c8cbbac9bc98a4a2716584b1898277e4d2b177ff133b4959b7fee722d9a6b22fcd318c39d0703eb54bd657fa0f637
|
7
|
+
data.tar.gz: 18706d51d76afd1929e09a79a618b9a174604b37b22e778bed552620061f8826919d239ecf47a63b03ef729495b558fc0002640dac19e37d8d74c2cbd4d3c4b3
|
data/README.md
ADDED
@@ -0,0 +1,307 @@
|
|
1
|
+
# Chef-Vault
|
2
|
+
|
3
|
+
[![Gem Version](https://badge.fury.io/rb/chef-vault.svg)](http://badge.fury.io/rb/chef-vault)
|
4
|
+
|
5
|
+
[![Build Status](https://travis-ci.org/chef/chef-vault.svg?branch=master)](https://travis-ci.org/chef/chef-vault)
|
6
|
+
|
7
|
+
[![Inline docs](http://inch-ci.org/github/chef/chef-vault.svg?branch=master)](http://inch-ci.org/github/chef/chef-vault)
|
8
|
+
|
9
|
+
[![Code Climate](https://codeclimate.com/github/chef/chef-vault/badges/gpa.svg)](https://codeclimate.com/github/chef/chef-vault)
|
10
|
+
|
11
|
+
## DESCRIPTION:
|
12
|
+
|
13
|
+
Gem that allows you to encrypt a Chef Data Bag Item using the public keys of
|
14
|
+
a list of chef nodes. This allows only those chef nodes to decrypt the
|
15
|
+
encrypted values.
|
16
|
+
|
17
|
+
For a more detailed explanation of how chef-vault works, please refer to this blog post [Chef Vault – what is it and what can it do for you?](https://www.chef.io/blog/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/) by Nell Shamrell-Harrington.
|
18
|
+
|
19
|
+
## INSTALLATION:
|
20
|
+
|
21
|
+
Be sure you are running the latest version Chef. Versions earlier than
|
22
|
+
0.10.0 don't support plugins:
|
23
|
+
|
24
|
+
gem install chef
|
25
|
+
|
26
|
+
This plugin is distributed as a Ruby Gem. To install it, run:
|
27
|
+
|
28
|
+
gem install chef-vault
|
29
|
+
|
30
|
+
Depending on your system's configuration, you may need to run this command
|
31
|
+
with root privileges.
|
32
|
+
|
33
|
+
## DEVELOPMENT:
|
34
|
+
|
35
|
+
### Git Hooks
|
36
|
+
|
37
|
+
There is a git pre-commit hook to help you keep your chefstyle up to date.
|
38
|
+
If you wish to use it, simply:
|
39
|
+
|
40
|
+
```
|
41
|
+
mv hooks/pre-commit .git/hooks/
|
42
|
+
chmod +x .git/hooks/pre-commit
|
43
|
+
```
|
44
|
+
|
45
|
+
### Running Your Changes
|
46
|
+
|
47
|
+
To run your changes locally:
|
48
|
+
|
49
|
+
```
|
50
|
+
bundle install
|
51
|
+
bundle exec knife vault
|
52
|
+
```
|
53
|
+
|
54
|
+
### Testing
|
55
|
+
|
56
|
+
#### Rspec Tests
|
57
|
+
|
58
|
+
There are some unit tests that can be run with:
|
59
|
+
|
60
|
+
```
|
61
|
+
bundle exec rspec spec/
|
62
|
+
```
|
63
|
+
|
64
|
+
#### Cucumber Testing
|
65
|
+
|
66
|
+
There are cucumber tests. Run the whole suite with:
|
67
|
+
|
68
|
+
```
|
69
|
+
bundle exec rake features
|
70
|
+
```
|
71
|
+
|
72
|
+
If you get any failures, you can run the specific feature that failed with:
|
73
|
+
|
74
|
+
```
|
75
|
+
bundle exec cucumber features/<failed>.feature
|
76
|
+
```
|
77
|
+
|
78
|
+
If you want to test things out directly, after a failure you can go into the test
|
79
|
+
directory and try out the commands that failed:
|
80
|
+
|
81
|
+
```
|
82
|
+
cd tmp/aruba
|
83
|
+
bundle exec knife <your command that failed from test with -c knife.rb>
|
84
|
+
```
|
85
|
+
|
86
|
+
Optionally add `-VV` to the above to get a full stacktrace.
|
87
|
+
|
88
|
+
### Rubocop Errors
|
89
|
+
|
90
|
+
If you are seeing rubocop errors in travis for your pull request, run:
|
91
|
+
|
92
|
+
`bundle exec chefstyle -a`
|
93
|
+
|
94
|
+
This will fix up your rubocop errors automatically, and warn you about any it can't.
|
95
|
+
|
96
|
+
## KNIFE COMMANDS:
|
97
|
+
|
98
|
+
See KNIFE_EXAMPLES.md for examples of commands
|
99
|
+
|
100
|
+
### knife.rb
|
101
|
+
|
102
|
+
To set 'client' as the default mode, add the following line to the knife.rb file.
|
103
|
+
|
104
|
+
knife[:vault_mode] = 'client'
|
105
|
+
|
106
|
+
To set the default list of admins for creating and updating vaults, add the
|
107
|
+
following line to the knife.rb file.
|
108
|
+
|
109
|
+
knife[:vault_admins] = [ 'example-alice', 'example-bob', 'example-carol' ]
|
110
|
+
|
111
|
+
(These values can be overridden on the command line by using -A)
|
112
|
+
|
113
|
+
NOTE: chef-vault 1.0 knife commands are not supported! Please use chef-vault
|
114
|
+
2.0 commands.
|
115
|
+
|
116
|
+
### Vault
|
117
|
+
|
118
|
+
knife vault create VAULT ITEM VALUES
|
119
|
+
knife vault edit VAULT ITEM
|
120
|
+
knife vault refresh VAULT ITEM
|
121
|
+
knife vault update VAULT ITEM VALUES [--clean]
|
122
|
+
knife vault remove VAULT ITEM VALUES
|
123
|
+
knife vault delete VAULT ITEM
|
124
|
+
knife vault rotate keys VAULT ITEM
|
125
|
+
knife vault rotate all keys
|
126
|
+
knife vault show VAULT [ITEM] [VALUES]
|
127
|
+
knife vault download VAULT ITEM PATH
|
128
|
+
knife vault isvault VAULT ITEM
|
129
|
+
knife vault itemtype VAULT ITEM
|
130
|
+
|
131
|
+
#### Global Options
|
132
|
+
|
133
|
+
Short | Long | Description | Default | Valid Values | Sub-Commands
|
134
|
+
------|------|-------------|---------|--------------|-------------
|
135
|
+
-M MODE | --mode MODE | Chef mode to run in. Can be set in knife.rb | solo | solo, client | all
|
136
|
+
-S SEARCH | --search SEARCH | Chef Server SOLR Search Of Nodes | | | create, remove , update
|
137
|
+
-C CLIENTS | --clients CLIENTS | Chef clients to be added as clients, can be comma list | | | create, remove , update
|
138
|
+
-A ADMINS | --admins ADMINS | Chef clients or users to be vault admins, can be comma list | | | create, remove, update
|
139
|
+
-J FILE | --json FILE | JSON file to be used for values, will be merged with VALUES if VALUES is passed | | | create, update
|
140
|
+
| --file FILE | File that chef-vault should encrypt. It adds "file-content" & "file-name" keys to the vault item | | | create, update
|
141
|
+
-p DATA | --print DATA | Print extra vault data | | search, clients, admins, all | show
|
142
|
+
-F FORMAT | --format FORMAT | Format for decrypted output | summary | summary, json, yaml, pp | show
|
143
|
+
| --clean-unknown-clients | Remove unknown clients during key rotation | | | refresh, remove, rotate
|
144
|
+
| --clean | Clean clients list before performing search | | | refresh, update
|
145
|
+
|
146
|
+
## USAGE IN RECIPES
|
147
|
+
|
148
|
+
To use this gem in a recipe to decrypt data you must first install the gem
|
149
|
+
via a chef_gem resource. Once the gem is installed require the gem and then
|
150
|
+
you can create a new instance of ChefVault.
|
151
|
+
|
152
|
+
NOTE: chef-vault 1.0 style decryption is supported, however it has been
|
153
|
+
deprecated and chef-vault 2.0 decryption should be used instead
|
154
|
+
|
155
|
+
### Example Code
|
156
|
+
|
157
|
+
chef_gem 'chef-vault' do
|
158
|
+
compile_time true if respond_to?(:compile_time)
|
159
|
+
end
|
160
|
+
|
161
|
+
require 'chef-vault'
|
162
|
+
|
163
|
+
item = ChefVault::Item.load("passwords", "root")
|
164
|
+
item["password"]
|
165
|
+
|
166
|
+
Note that in this case, the gem needs to be installed at compile time
|
167
|
+
because the require statement is at the top-level of the recipe. If
|
168
|
+
you move the require of chef-vault and the call to `::load` to
|
169
|
+
library or provider code, you can install the gem in the converge phase
|
170
|
+
instead.
|
171
|
+
|
172
|
+
### Specifying an alternate node name or client key path
|
173
|
+
|
174
|
+
Normally, the value of `Chef::Config[:node_name]` is used to find the
|
175
|
+
per-node encrypted secret in the keys data bag item, and the value of
|
176
|
+
`Chef::Config[:client_key]` is used to locate the private key to decrypt
|
177
|
+
this secret.
|
178
|
+
|
179
|
+
These can be overridden by passing a hash with the keys `:node_name` or
|
180
|
+
`:client_key_path` to `ChefVault::Item.load`:
|
181
|
+
|
182
|
+
item = ChefVault::Item.load(
|
183
|
+
'passwords', 'root',
|
184
|
+
node_name: 'service_foo',
|
185
|
+
client_key_path: '/secure/place/service_foo.pem'
|
186
|
+
)
|
187
|
+
item['password']
|
188
|
+
|
189
|
+
The above example assumes that you have transferred
|
190
|
+
`/secure/place/service_foo.pem` to your system via a secure channel.
|
191
|
+
|
192
|
+
This usage allows you to decrypt a vault using a key shared among several
|
193
|
+
nodes, which can be helpful when working in cloud environments or other
|
194
|
+
configurations where nodes are created dynamically.
|
195
|
+
|
196
|
+
### chef_vault_item helper
|
197
|
+
|
198
|
+
The [chef-vault cookbook](https://supermarket.chef.io/cookbooks/chef-vault)
|
199
|
+
contains a recipe to install the chef-vault gem and a helper method
|
200
|
+
`chef_vault_helper` which makes it easier to test cookbooks that use
|
201
|
+
chef-vault using Test Kitchen.
|
202
|
+
|
203
|
+
## DETERMINING IF AN ITEM IS A VAULT
|
204
|
+
|
205
|
+
ChefVault provides a helper method to determine if a data bag item is a vault,
|
206
|
+
which can be helpful if you produce a recipe for community consumption and want
|
207
|
+
to support both normal data bags and vaults:
|
208
|
+
|
209
|
+
if ChefVault::Item.vault?('passwords', 'root')
|
210
|
+
item = ChefVault::Item.load('passwords', 'root')
|
211
|
+
else
|
212
|
+
item = Chef::DataBagItem.load('passwords', 'root')
|
213
|
+
end
|
214
|
+
|
215
|
+
This functionality is also available from the command line as `knife vault isvault VAULT ITEM`.
|
216
|
+
|
217
|
+
## DETERMINING THE TYPE OF A DATA BAG ITEM
|
218
|
+
|
219
|
+
ChefVault provides a helper method to determine the type of a data bag item.
|
220
|
+
It returns one of the symbols :normal, :encrypted or :vault
|
221
|
+
|
222
|
+
case ChefVault::Item.data_bag_item_type('passwords', 'root')
|
223
|
+
when :normal
|
224
|
+
...
|
225
|
+
when :encrypted
|
226
|
+
...
|
227
|
+
when :vault
|
228
|
+
...
|
229
|
+
end
|
230
|
+
|
231
|
+
This functionality is also available from the command line as `knife vault itemtype VAULT ITEM`.
|
232
|
+
|
233
|
+
## USAGE STAND ALONE
|
234
|
+
|
235
|
+
`chef-vault` can be used as a stand alone binary to decrypt values stored in
|
236
|
+
Chef. It requires that Chef is installed on the system and that you have a
|
237
|
+
valid knife.rb. This is useful if you want to mix `chef-vault` into non-Chef
|
238
|
+
recipe code, for example some other script where you want to protect a
|
239
|
+
password.
|
240
|
+
|
241
|
+
It does still require that the data bag has been encrypted for the user's or
|
242
|
+
client's pem and pushed to the Chef server. It mixes Chef into the gem and
|
243
|
+
uses it to go grab the data bag.
|
244
|
+
|
245
|
+
Use `chef-vault --help` to see all all available options
|
246
|
+
|
247
|
+
### Example usage (password)
|
248
|
+
|
249
|
+
chef-vault -v passwords -i root -a password -k /etc/chef/knife.rb
|
250
|
+
|
251
|
+
## TESTING
|
252
|
+
|
253
|
+
To use Chef Vault in Test Kitchen, ensure that the `chef-vault` recipe
|
254
|
+
is in your `run_list`, and then add the following to your
|
255
|
+
suite in `.kitchen.yml`:
|
256
|
+
|
257
|
+
```yaml
|
258
|
+
data_bags_path: 'path/to/data_bags'
|
259
|
+
attributes:
|
260
|
+
chef_vault:
|
261
|
+
databags_fallback: true
|
262
|
+
```
|
263
|
+
|
264
|
+
You can then use the `chef_vault_item` helper in the aforementioned chef-vault cookbook.
|
265
|
+
|
266
|
+
To stub vault items in ChefSpec, use the
|
267
|
+
[chef-vault-testfixtures](https://rubygems.org/gems/chef-vault-testfixtures)
|
268
|
+
gem.
|
269
|
+
|
270
|
+
## Contributing
|
271
|
+
|
272
|
+
For information on contributing to this project see <https://github.com/chef/chef/blob/master/CONTRIBUTING.md>
|
273
|
+
|
274
|
+
## Authors
|
275
|
+
|
276
|
+
Author:: Kevin Moser - @moserke<br>
|
277
|
+
Author:: Eli Klein - @eliklein<br>
|
278
|
+
Author:: Joey Geiger - @jgeiger<br>
|
279
|
+
Author:: Joshua Timberman - @jtimberman<br>
|
280
|
+
Author:: James FitzGibbon - @jf647<br>
|
281
|
+
Author:: Thom May - @thommay<br>
|
282
|
+
|
283
|
+
## Contributors
|
284
|
+
|
285
|
+
Contributor:: Matt Brimstone - @brimstone<br>
|
286
|
+
Contributor:: Thomas Gschwind - @thg65<br>
|
287
|
+
Contributor:: Reto Hermann<br>
|
288
|
+
|
289
|
+
## License
|
290
|
+
|
291
|
+
Copyright:: Copyright (c) 2013-15 Nordstrom, Inc.<br>
|
292
|
+
Copyright:: Copyright (c) 2016 Chef Software, Inc.<br>
|
293
|
+
License:: Apache License, Version 2.0
|
294
|
+
|
295
|
+
```text
|
296
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
297
|
+
you may not use this file except in compliance with the License.
|
298
|
+
You may obtain a copy of the License at
|
299
|
+
|
300
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
301
|
+
|
302
|
+
Unless required by applicable law or agreed to in writing, software
|
303
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
304
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
305
|
+
See the License for the specific language governing permissions and
|
306
|
+
limitations under the License.
|
307
|
+
```
|
data/chef-vault.gemspec
ADDED
@@ -0,0 +1,40 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
# Chef-Vault Gemspec file
|
3
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
4
|
+
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
|
9
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
$:.push File.expand_path("../lib", __FILE__)
|
18
|
+
require "chef-vault/version"
|
19
|
+
|
20
|
+
def self.prerelease?
|
21
|
+
!ENV["TRAVIS_TAG"] || ENV["TRAVIS_TAG"].empty?
|
22
|
+
end
|
23
|
+
|
24
|
+
Gem::Specification.new do |s|
|
25
|
+
s.name = "chef-vault"
|
26
|
+
s.version = ChefVault::VERSION
|
27
|
+
s.version = "#{s.version}-pre#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV["TRAVIS"]
|
28
|
+
s.authors = ["Thom May"]
|
29
|
+
s.email = ["thom@chef.io"]
|
30
|
+
s.summary = "Data encryption support for Chef using data bags"
|
31
|
+
s.description = s.summary
|
32
|
+
s.homepage = "https://github.com/chef/chef-vault"
|
33
|
+
s.license = "Apache-2.0"
|
34
|
+
s.files = %w{LICENSE README.md Gemfile} + Dir.glob("*.gemspec") + `git ls-files`.split("\n").select { |f| f =~ %r{^(?:bin/|lib/)}i }
|
35
|
+
s.require_paths = ["lib"]
|
36
|
+
s.bindir = "bin"
|
37
|
+
s.executables = %w{ chef-vault }
|
38
|
+
|
39
|
+
s.required_ruby_version = ">= 2.2.0"
|
40
|
+
end
|
data/lib/chef-vault/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chef-vault
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.4.
|
4
|
+
version: 3.4.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Thom May
|
@@ -20,7 +20,9 @@ extra_rdoc_files: []
|
|
20
20
|
files:
|
21
21
|
- Gemfile
|
22
22
|
- LICENSE
|
23
|
+
- README.md
|
23
24
|
- bin/chef-vault
|
25
|
+
- chef-vault.gemspec
|
24
26
|
- lib/chef-vault.rb
|
25
27
|
- lib/chef-vault/actor.rb
|
26
28
|
- lib/chef-vault/certificate.rb
|
@@ -50,7 +52,7 @@ files:
|
|
50
52
|
- lib/chef/knife/vault_update.rb
|
51
53
|
homepage: https://github.com/chef/chef-vault
|
52
54
|
licenses:
|
53
|
-
- Apache
|
55
|
+
- Apache-2.0
|
54
56
|
metadata: {}
|
55
57
|
post_install_message:
|
56
58
|
rdoc_options: []
|