cloud-mu 1.9.0.pre.beta

data/cookbooks/mu-php54/metadata.rb

@@ -0,0 +1,21 @@
+name 'mu-php54'
+maintainer 'Mu'
+maintainer_email 'mu-developers@googlegroups.com'
+license 'BSD-3-Clause'
+
+description 'Installs/Configures php'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+source_url 'https://github.com/cloudamatic/mu'
+issues_url 'https://github.com/cloudamatic/mu/issues'
+chef_version '>= 14.0' if respond_to?(:chef_version)
+version '0.3.0'
+
+%w( centos ubuntu ).each do |os|
+	supports os
+end
+
+depends 'mu-utility'
+depends 'simple_iptables', '~> 0.8.0'
+depends 'apache2', '< 4.0'
+depends 'mysql', '~> 8.5.1'
+depends 'yum-epel', '~> 3.2.0'

data/cookbooks/mu-php54/recipes/default.rb

@@ -0,0 +1,97 @@
+#
+# Cookbook Name:: php5-apache
+# Recipe:: default
+#
+# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+include_recipe "apache2"
+
+build_essential 'name' do
+  compile_time  True
+end
+
+case node['platform']
+
+  when "centos"
+    include_recipe "yum-epel"
+    include_recipe "mu-utility::remi"
+
+    # PHP, from Remi (for 5.4)
+    ["mysql-client", "mysql-libs", "mysql-devel", "compat-mysql51", "compat-mysql51-devel", "php", "php-cli"].each { |pkg|
+      package pkg do
+        options "--enablerepo=remi"
+        action :install
+      end
+    }
+
+    # What we really mean is "chef_gem" but that insists on running
+    # at compile time, before any of its dependencies are ready.
+    gem_package "mysql"
+
+    # Sundry libraries for PHP
+    ["libmcrypt", "libmcrypt-devel", "php-devel", "php-pdo", "php-mysql", "php-pgsql", "php-gd", "php-pspell", "php-snmp", "php-xmlrpc", "php-xml", "php-mbstring", "php-mcrypt", "php-pear"].each { |pkg|
+      package pkg do
+        options "--enablerepo=remi"
+        action :install
+      end
+    }
+    # PECL modules
+    ["php-pecl-memcache", "php-pecl-mongo", "php-pecl-sqlite"].each { |pkg|
+      package pkg do
+        options "--enablerepo=remi"
+        action :install
+      end
+    }
+
+    bash "Allow http and https through iptables" do
+      user "root"
+      not_if "/sbin/iptables -nL | egrep '^ACCEPT.*dpt:(80|443)($| )'"
+      code <<-EOH
+    iptables -I INPUT -p tcp --dport 80 -j ACCEPT
+    iptables -I INPUT -p tcp --dport 443 -j ACCEPT
+    service iptables save
+      EOH
+    end
+
+  when "ubuntu"
+# XXX rewrite this: https://launchpad.net/~ondrej/+archive/php5-oldstable
+    bash "set default mysql passwords [bad]" do
+      user "root"
+      code <<-EOH
+				debconf-set-selections <<< 'mysql-server-5.5 mysql-server/root_password password root'
+				debconf-set-selections <<< 'mysql-server-5.5 mysql-server/root_password_again password root'
+      EOH
+    end
+    ["mysql-server", "php5", "php5-mysql", "libapache2-mod-php5", "php5-curl", "php5-gd", "php5-intl", "php-pear", "php5-imagick", "php5-imap", "php5-mcrypt", "php5-memcache", "php5-ming", "php5-ps", "php5-pspell", "php5-recode", "php5-snmp", "php5-sqlite", "php5-tidy", "php5-xmlrpc", "php5-xsl"].each { |pkg|
+      package pkg
+    }
+    bash "Allow http and https through iptables" do
+      user "root"
+      not_if "/sbin/iptables -nL | egrep '^ACCEPT.*dpt:(80|443)($| )'"
+      code <<-EOH
+    iptables -I INPUT -p tcp --dport 80 -j ACCEPT
+    iptables -I INPUT -p tcp --dport 443 -j ACCEPT
+      EOH
+    end
+
+  else
+    Chef::Log.info("Unsupported platform #{node['platform']}")
+
+end
+
+cookbook_file "/etc/php.ini" do
+  source "php.ini"
+  notifies :restart, "service[apache2]", :delayed
+end

data/cookbooks/mu-splunk/CHANGELOG.md

@@ -0,0 +1,37 @@
+splunk CHANGELOG
+================
+
+v1.3.0 (2014-10-24)
+-------------------
+
+- Implement dynamic inputs.conf and outputs.conf configuration based on attributes in client recipe.
+
+v1.2.2 (2014-08-25)
+-------------------
+
+- Implement capability to run Splunk as a non-root user
+- Allow web port to be specified
+
+v1.2.0 (2014-05-06)
+-------------------
+- [COOK-4621] - upgrade to Splunk 6.0.3 (for heartbleed)
+- add ubuntu 14.04 to test-kitchen
+
+v1.1.0 (2014-03-19)
+-------------------
+- [COOK-4450] - upgrade to Splunk 6.0.2
+- [COOK-4451] - unbreak test harness
+
+v1.0.4
+------
+- template sources should have .erb explicitly
+- don't show the password in the execute resource name
+
+v1.0.2
+------
+- Splunk init script supports status, use it in `stop` action for upgrade.
+
+v1.0.0
+-----
+- Initial release
+

data/cookbooks/mu-splunk/LICENSE

@@ -0,0 +1,37 @@
+Through accessing, reading, or utilizing this software in any manner whatsoever
+or through any means whatsoever, whether the access, reading or use is either
+solely looking at this software or this software has been integrated into any
+derivative work, the party accessing,  reading, or utilizing the software
+directly or indirectly agrees to abide by the following license. 
+
+The eGlobalTech Cloud Automation Platform is the Copyright (c) 2014 of Global
+Tech Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors
+may be used to endorse or promote products derived from this software without
+specific prior written permission.
+
+Global Tech, Inc. is the co-owner of any derivative works created with this
+software. 
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

data/cookbooks/mu-splunk/README.md

@@ -0,0 +1,451 @@
+splunk Cookbook
+===============
+
+This cookbook manages a Splunk Universal Forwarder (client) or a
+Splunk Enterprise (server) installation.
+
+The Splunk default user is admin and the password is changeme. See the
+`setup_auth` recipe below for more information about how to manage
+changing the password with Chef and Chef Vault.
+
+This recipe downloads packages from Splunk directly. There are
+attributes to set a URL to retrieve the packages, so if the packages
+are mirrored locally, supply the local URL instead. At this time the
+cookbook doesn't support installing from networked package managers
+(like apt or yum), since Splunk doesn't provide package repositories.
+
+## Requirements
+
+### Platforms
+
+This cookbook uses Test Kitchen to do cross-platform convergence and
+post-convergence tests. The tested platforms are considered supported.
+This cookbook may work on other platforms or platform versions with or
+without modification.
+
+* Debian 7
+* Ubuntu 10.04, 12.04
+* CentOS 6
+* OmniOS r151008
+
+### Cookbooks
+
+Used for managing secrets, see __Usage__:
+
+* chef-vault
+
+## Attributes
+
+Attributes have default values set in `attributes/default.rb`. Where
+possible or appropriate, the default values from Splunk Enterprise are
+used.
+
+General attributes:
+
+* `node['splunk']['accept_license']`: Whether to accept the Splunk
+  EULA. Default is false. This *must* be set to true for Splunk to be
+  functional with this cookbook, which means end users must read the
+  EULA and agree to the terms.
+* `node['splunk']['is_server']`: Set this to true if the node is a
+  splunk server, for example in a role. Default is false.
+* `node['splunk']['disabled']`: Disable the splunk agent by setting
+  this to true. Default is false.
+* `node['splunk']['receiver_port']`: The port that the receiver
+  (server) listens to. This is set to the Splunk Enterprise default,
+  9997.
+* `node['splunk']['web_port']`: The port that the splunkweb service
+  listens to. This is set to the default for HTTPS, 443, as it is
+  configured by the `setup_ssl` recipe.
+
+The two URL attributes below are selected by platform and architecture
+by default.
+
+* `node['splunk']['forwarder']['url']`: The URL to the Splunk
+  Universal Forwarder package file.
+* `node['splunk']['server']['url']`: The URL to the Splunk Enterprise
+  package file.
+
+Special attributes for managing the Splunk user:
+
+* `node['splunk']['user']`: A hash of attributes to set for the splunk
+  user resource in the `user` recipe. It's unlikely that someone would
+  need to change these, other than the UID, but just in case...
+
+- `username`: the username
+- `comment`: gecos field
+- `home`: the home directory, defaults to `/opt/splunkforwarder`, will
+  be set to `/opt/splunk` if `node['splunk']['is_server']` is true.
+- `shell`: the shell to use
+- `uid`: the numeric UID. The default, `396` is an integer arbitrarily
+  chosen and doesn't conflict with anything on the supported platforms
+  (see list above). It is within the `system` UID range on Linux
+  systems.
+
+* `node['splunk']['server']['runasroot']`: if runasroot is true (which is the splunk upstream package default) then the splunk server runs as root.  If runasroot is false modify the init script to run as the `node['splunk']['user']`.  This does not apply to the splunk client as they may need root permissions to read logfiles.  NOTE1: you may also need to change `node['splunk']['web_port']` on a splunk server to run on a port >1024 if you don't run as root (splunk user cannot bind to privelaged ports).  NOTE2: If you want to switch from root to the splunk user or vice versa on an existing install, please stop the splunk service first before changing the runasroot boolean value.
+
+The following attributes are related to setting up `splunkweb` with
+SSL in the `setup_ssl` recipe.
+
+* `node['splunk']['ssl_options']`: A hash of SSL options used in the
+  `setup_ssl` recipe
+* `node['splunk']['ssl_options']['enable_ssl']`: Whether to enable
+  SSL, must be set to `true` to use the `setup_ssl` recipe. Defaults
+  to `false`, must be set using a boolean literal `true` or `false`.
+* `node['splunk']['ssl_options']['data_bag']`: The data bag name to
+  load, defaults to `vault` (as chef-vault is used).
+* `node['splunk']['ssl_options']['data_bag_item']`: The data bag item
+  name that contains the keyfile and crtfile, defaults to
+  `splunk_ceritficates`.
+* `node['splunk']['ssl_options']['keyfile']`: The name of the SSL key
+  file, and the content will be written to
+  `etc/auth/splunkweb/KEYFILE`. Must be an element under `data` in the
+  data bag item. See __Usage__ for instructions. Defaults to
+  '`self-signed.example.com.key`', and should be changed to something
+  relevant for the local site before use, in a role or wrapper cookbook.
+* `node['splunk']['ssl_options']['crtfile']`: The name of the SSL cert
+  (crt) file, and the content will be written to
+  `/etc/auth/splunkweb/CRTFILE`. Must be an element under `data` in
+  the data bag item. See __Usage__ for instructions. Defaults to
+  '`self-signed.example.com.crt`', and should be changed to something
+  relevant for the local site before use, in a role or wrapper cookbook.
+
+The following attributes are related to setting up a splunk forwarder
+with the `client` recipe
+
+`node['splunk']['outputs_conf']` is a hash of configuration values that are used to dynamically populate the `outputs.conf` file's "`tcpout:splunk_indexers_PORT`" configuration section. Each key/value pair in the hash is used as configuration in the file. For example the `attributes/default.rb` has this:
+
+```ruby
+default['splunk']['outputs_conf'] = {
+  'forwardedindex.0.whitelist' => '.*',
+  'forwardedindex.1.blacklist' => '_.*',
+  'forwardedindex.2.whitelist' => '_audit',
+  'forwardedindex.filter.disable' => 'false'
+}
+```
+
+This will result in the following being rendered in `outputs.conf`:
+
+```
+[tcpout:splunk_indexers_9997]
+server=10.0.2.47:9997
+forwardedindex.0.whitelist = .*
+forwardedindex.1.blacklist = _.*
+forwardedindex.2.whitelist = _audit
+forwardedindex.filter.disable = false
+```
+
+The `tcpout:splunk_indexers_9997` section is defined by the search results for Splunk Servers, and the `server` directive is a comma-separated listed of server IPs and the ports. For example, to add an `sslCertPath` directive, define the attribute in your role, wrapper cookbook, etc:
+
+```
+node.default['splunk']['outputs_conf']['sslCertPath'] = '$SPLUNK_HOME/etc/certs/cert.pem'
+```
+
+`node['splunk']['inputs_conf']` is a hash of configuration values that are used to populate the `inputs.conf` file.
+
+* `node['splunk']['inputs_conf']['host']`: A string that specifies the
+default host name used in the inputs.conf file. The inputs.conf file
+is not overwritten if this is not set or is an empty string.
+* `node['splunk']['inputs_conf']['ports']`: An array of hashes that contain
+the input port configuration necessary to generate the inputs.conf
+file.
+
+For example:
+```
+node.default['splunk']['inputs_conf'][ports] = [
+  {
+    port_num => 123123,
+    config => {
+      'sourcetype' => 'syslog'
+    }
+  }
+]
+```
+
+The following attributes are related to upgrades in the `upgrade`
+recipe. **Note** The version is set to 4.3.7 and should be modified to
+suit in a role or wrapper, since we don't know what upgrade versions
+may be relevant. Enabling the upgrade and blindly using the default
+URLs may have undesirable consequences, hence this is not enabled, and
+must be set explicitly elsewhere on the node(s).
+
+* `node['splunk']['upgrade_enabled']`: Controls whether the upgrade is
+  enabled and the `attributes/upgrade.rb` file should be loaded. Set
+  this in a role or wrapper cookbook to perform an upgrade.
+* `node['splunk']['upgrade']`: Sets `server_url` and `forwarder_url`
+  attributes based on platform and architecture. These are only loaded
+  if `upgrade_enabled` is set.
+
+## Definitions
+
+### splunk_installer
+
+The Splunk Enterprise and Splunk Universal Forwarder package
+installation is the same save the name of the package and the URL to
+download. This definition abstracts the package installation to a
+common baseline. Any new platform installation support should be added
+by modifying the definition as appropriate. One goal of this
+definition is to have a single occurance of a `package` resource,
+using the appropriate "local package file" provider per platform. For
+example, on RHEL, we use `rpm` and on Debian we use `dpkg`.
+
+Package files will be downloaded to Chef's file cache path (e.g.,
+`file_cache_path` in `/etc/chef/client.rb`, `/var/chef/cache` by
+default).
+
+The definition has two parameters.
+
+* `name`: The name of the package (e.g., `splunk`).
+* `url`: The URL to the package file.
+
+#### Examples
+
+For example, if the nodes in the environment are all Debian-family,
+and the desired splunkforwarder package is provided locally as
+`splunkforwarder.deb` on an internal HTTP server:
+
+```ruby
+splunk_installer 'splunkforwarder' do
+  url 'https://www-int.example.com/splunk/splunkforwarder.deb'
+end
+```
+
+The `install_forwarder` and `install_server` recipes use the
+definition with the appropriate `url` attribute.
+
+## Recipes
+
+This cookbook has several composable recipes that can be used in a
+role, or a local "wrapper" cookbook. The `default`, `client`, and
+`server` recipes are intended to be used wholesale with all the
+assumptions they contain.
+
+The general default assumption is that a node including the `default`
+recipe will be a Splunk Universal Forwarder (client).
+
+### client
+
+This recipe encapsulates a completely configured "client" - a Splunk
+Universal Forwarder configured to talk to a node that is the splunk
+server (with node['splunk']['is_server'] true). The recipes can be
+used on their own composed in a wrapper cookbook or role. This recipe
+will include the `user`, `install_forwarder`, `service`, and
+`setup_auth` recipes.
+
+It will also search a Chef Server for a Splunk Enterprise (server)
+node with `splunk_is_server:true` in the same `chef_environment` and
+write out `etc/system/local/outputs.conf` with the server's IP and the
+`receiver_port` attribute in the Splunk install directory
+(`/opt/splunkforwarder`).
+
+Setting node['splunk']['tcpout_server_config_map'] with key value pairs
+updates the outputs.conf server configuration with those key value pairs.
+These key value pairs can be used to setup SSL encryption on messages
+forwarded through this client:
+
+```
+# Note that the ssl CA and certs must exist on the server.
+node['splunk']['tcpout_server_config_map'] = {
+  'sslCommonNameToCheck' => 'sslCommonName',
+  'sslCertPath' => '$SPLUNK_HOME/etc/certs/cert.pem',
+  'sslPassword' => 'password'
+  'sslRootCAPath' => '$SPLUNK_HOME/etc/certs/cacert.pem'
+  'sslVerifyServerCert' => false
+}
+```
+
+The inputs.conf file can also be managed through this recipe if you want to
+setup a splunk forwarder just set the  default host:
+
+```
+node['splunk']['inputs_conf']['host'] = 'myhost'
+```
+Then set up the port configuration for each input port:
+
+```
+node['splunk']['inputs_conf']['ports'] =
+[
+  {
+    port_num => 123123,
+    config => {
+      'sourcetype' => 'syslog',
+      ...
+    }
+  },
+  ...
+]
+```
+
+
+### default
+
+The default recipe will include the `disabled` recipe if
+`node['splunk']['disabled']` is true.
+
+It will include the `client` or `server` recipe depending on whether
+the `is_server` attribute is set.
+
+The attribute use allows users to control the included recipes by
+easily manipulating the attributes of a node, or a node's roles, or
+through a wrapper cookbook.
+
+### disabled
+
+In some cases it may be required to disable Splunk on a particular
+node. For example, it may be sending too much data to Splunk and
+exceed the local license capacity. To use the `disabled` recipe, set
+the `node['splunk']['disabled']` attribute to true, and include the
+recipe on the required node, or just use the `default` recipe.
+
+### install_forwarder
+
+This recipe uses the `splunk_installer` definition to install the
+splunkforwarder package from the specified URL (via the
+`node['splunk']['forwarder']['url']` attribute).
+
+### install_server
+
+This recipe uses the `splunk_installer` definition to install the
+splunk (Enterprise server) package from the specified URL (via the
+`node['splunk']['server']['url']` attribute).
+
+### server
+
+This recipe encapsulates a completely configured "server" - Splunk
+Enterprise configured to receive data from Splunk Universal Forwarder
+clients. The recipe sets the attribute `node['splunk']['is_server']`
+to true, and is included from the `default` recipe if the attribute is
+true as well. The recipes can be used on their own composed in a
+wrapper cookbook or role, too. This recipe will include the `user`,
+`install_server`, `service`, and `setup_auth` recipes.
+
+It will also enable Splunk Enterprise as an indexer, listening on the
+`node['splunk']['receiver_port']`.
+
+## service
+
+This recipe sets up the `splunk` service, and applies to both client
+and server use, since `splunk` is the same service for both
+deployments of Splunk.
+
+The attribute `node['splunk']['accept_license']` must be true in order
+to set up the boot script. If it's true, then the boot script gets put
+into place (`/etc/init.d/splunk` on Linux/Unix systems), with the
+license accepted. The service is managed using the Chef `init` service
+provider, which operates by using the `/etc/init.d/splunk` script for
+start, stop, restart, etc commands.
+
+## setup_auth
+
+This recipe loads an encrypted data bag with the Splunk user
+credentials as an `-auth` string, '`user:password`', using the
+[chef-vault cookbook](http://ckbk.it/chef-vault) helper method,
+`chef_vault_item`. See __Usage__ for how to set this up. The recipe
+will edit the specified user (assuming `admin`), and then write a
+state file to `etc/.setup_admin_password` to indicate in future Chef
+runs that it has set the password. If the password should be changed,
+then that file should be removed.
+
+## upgrade
+
+**Important** Read the upgrade documentation and release notes for any
+  particular Splunk version upgrades before performing an upgrade.
+  Also back up the Splunk directory, configuration, etc.
+
+This recipe can be used to upgrade a splunk installation, for example
+from an existing 4.2.1 to 4.3.7. The default recipe can be used for
+6.0.1 after upgrading earlier versions is completed. Note that the
+attributes file is only loaded w/ the URLs to the splunk packages to
+upgrade if the `node['splunk']['upgrade_enabled']` attribute is set to
+true. We recommend setting the actual URL attributes needed in a
+wrapper cookbook or role.
+
+## user
+
+This recipe manages the `splunk` user and group. On Linux systems, the
+user and group will be created with the `system` attribute; other
+platforms may not be aware of `system` users/groups (e.g.,
+illumos/solaris). Both resources will be created with the UID or GID
+of the `node['splunk']['user']['uid']` attribute. The default value is
+396, arbitrarily chosen to fall under the `system` UID/GID set by
+`/etc/login.defs` on both RHEL and Debian family Linux systems. If
+this is a conflicting UID/GID, then modify the attribute as required.
+
+## Usage
+
+### Data Bag Items
+
+#### Admin User Authentication
+
+Splunk admin user authentication information should be stored in a
+data bag item that is encrypted using Chef Vault. Create a data bag
+named `vault`, with an item `splunk_CHEF-ENVIRONMENT`, where
+`CHEF-ENVIRONMENT` is the `node.chef_environment` that the Splunk
+Enterprise server will be assigned. If environments are not used, use
+`_default`. For example in a Chef Repository (not in a cookbook):
+
+    % cat data_bags/vault/splunk__default.json
+    {
+      "id": "splunk__default",
+      "auth": "admin:notarealpassword"
+    }
+
+Or with an environment, '`production`':
+
+    % cat data_bags/vault/splunk_production.json
+    {
+      "id": "splunk_production",
+      "auth": "admin:notarealpassword"
+    }
+
+Then, upload the data bag item to the Chef Server using the
+`chef-vault` `knife encrypt` plugin (first example, `_default`
+environment):
+
+    knife encrypt create vault splunk__default \
+        --json data_bags/vault/splunk__default.json \
+        --search 'splunk:*' --admins 'yourusername' \
+        --mode client
+
+More information about Chef Vault is available on the
+[GitHub Project Page](https://github.com/Nordstrom/chef-vault).
+
+#### Web UI SSL
+
+A Splunk server should have the Web UI available via HTTPS. This can
+be set up using self-signed SSL certificates, or "real" SSL
+certificates. This loaded via a data bag item with chef-vault. Using
+the defaults from the attributes:
+
+    % cat data_bags/vault/splunk_certificates.json
+    {
+      "id": "splunk_certificates",
+      "data": {
+        "self-signed.example.com.crt": "-----BEGIN CERTIFICATE-----\n...SNIP",
+        "self-signed.example.com.key": "-----BEGIN RSA PRIVATE KEY-----\n...SNIP"
+      }
+    }
+
+Like the authentication credentials above, run the `knife encrypt`
+command. Note the search here is for the splunk server only:
+
+    knife encrypt create vault splunk_certificates \
+        --json data_bags/vault/splunk_certificates.json \
+        --search 'splunk_is_server:true' --admins 'yourusername' \
+        --mode client
+
+## License and Authors
+
+- Author: Joshua Timberman <joshua@getchef.com>
+- Copyright 2013, Chef Software, Inc <legal@getchef.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.