cookbook 'secrets_management', '~> 1.0.0'
secrets_management (1) Versions 1.0.0 Follow1
A resource provider for global secrets management
cookbook 'secrets_management', '~> 1.0.0', :supermarket
knife supermarket install secrets_management
knife supermarket download secrets_management
secrets_management
A Chef library for global secrets management
This cookbook provides a Ruby library helper to support management of Hashicorp Vault, Chef Vault, and Chef DataBag items. This cookbook does not include resources or recipes. The purpose of this project is to simplify the handling of secrets and data management by integrating a single method whereby Hashicorp Vault, Chef Vault, and Chef DataBag items can be managed.
Table of Contents generated with DocToc
- Requirements
- Usage
- Libraries
- Upload to Chef Server
- Upload to Private Chef Supermarket
- Cookbook Testing
- Contribute
- License & Authors
Requirements
Platforms
This resource should work on any Chef supported platform with a Chef Client meeting the minimum requirements.
Chef
- 12.5+
Cookbooks
- chef-vault, '~> 3.0'
Usage
To use the libraries, declare a dependency on this cookbook, and then use the libary as described in the section SecretsManagement::DSL.
default
This is an empty recipe and should not be modified.
Libraries
SecretsManagement::DSL
open_secret_item
The open_secret_item
method supports accessing existing Hashicorp Vault, Chef Vault, and Chef DataBag items. The method supports two possible models for getting the data - determine_bag_type
or find_<type>_item
. By default, the method will attempt to perform the lookup unless the attribute :type
is sent.
Properties:
Name | Description | Type | Mandatory |
---|---|---|---|
container | Path to Hashicorp Vault or the Name of the Chef Vault or DataBag | String | X |
item | Item name in Vault or Bag | String | X |
type | Supported values: vault (Hashicorp), chef_vault , or data_bag
|
String | |
vault | Hash of supported keys for accessing Hashicorp environment. Minimum required keys are address and token . |
Hash |
Note: When returning details from Hashicorp Vault, this library will normalize the key names as strings. By default, the keys will be returned as a symbol. To keep this output consistent across the ChefVault and DataBag models, the library converts the keys from symbols to strings.
Examples
# Open a secret item based on testing the options - vault, chef_vault, then data_bag bag = open_secret_item('secret', 'item') # Include a vault object to support looking into Hashicorp as part of the lookup bag = open_secret_item('secret', 'item', vault: { 'token' => '1234', 'address' => 'http://192.168.0.1:8200' })
# Look up a data_bag item bag = open_secret_item('simple', 'item', type: 'data_bag')
# Lookup a chef_vault item bag = open_secret_item('secrets', 'bacon', type: 'chef_vault')
# Lookup a chef_vault item and use the output to access a Hashicorp Vault item vault_hash = open_secret_item('vault', 'secret', type: 'chef_vault') bag = open_secret_item('secret/chef/os', 'windows', type: 'vault', vault: vault_hash)
Upload to Chef Server
This cookbook should be included in each organization of your CHEF environment. When importing, leverage Berkshelf:
berks upload --except test
NOTE: use the --no-ssl-verify switch if the CHEF server in question has a self-signed SSL certificate.
berks upload --no-ssl-verify --except test
Upload to Private Chef Supermarket
NOTE: You must set the following key knife[:supermarket_site] = 'https://<your-supermarket-server>'
.
This cookbook should be uploaded to the CHEF Supermarket server. When importing, leverage Berkshelf vendor command:
# From a Linux/Mac host via Bash berks vendor .bundle for i in `ls .bundle`; do knife cookbook site share $i "Other" -o .bundle; done
or
# From a Windows host via PowerShell berks vendor .bundle foreach ($i in (Get-ChildItem -Path .bundle) ){ knife cookbook site share $i "Other" -o .bundle }
Cookbook Testing
Before you begin
Setup your testing and ensure all dependencies are installed. Open a terminal windows and execute:
gem install bundler bundle install berks install
Data_bags for Test-Kitchen
This cookbook requires the use of a data_bag for setting certain values. Local JSON version need to be stored in the directory structure as indicated below:
├── chef-repo/
│ ├── cookbooks
│ │ ├── secrets_management
│ │ │ ├── .kitchen.yml
│ │ │ ├── test
│ │ │ │ ├── fixtures
│ │ │ │ │ ├── data_bags
│ │ │ │ │ │ ├── data_bag_name
│ │ │ │ │ │ │ ├── data_bag_item.json
Note: Storing local testing versions of the data_bags at the root of your repo is considered best practice. This ensures that you only need to maintain a single copy while protecting the cookbook from being accientally committed with the data_bag. However, since this cookbook contains no recipes, we have included the test data_bags for Kitchen purposes. If you must change this location, then update the following key in the .kitchen.yml file.
data_bags_path: "test/fixtures/data_bags/"
Rakefile and Tasks
This repo includes a Rakefile for common tasks
Task Command | Description |
---|---|
rake | Run Style, Foodcritic, Maintainers, and Unit Tests |
rake style | Run all style checks |
rake style:chef | Run Chef style checks |
rake style:ruby | Run Ruby style checks |
rake style:ruby:auto_correct | Auto-correct RuboCop offenses |
rake unit | Run ChefSpec examples |
rake integration | Run all kitchen suites |
rake maintainers:generate | Generate MarkDown version of MAINTAINERS file |
Chefspec and Test-Kitchen
bundle install
: Installs and pulls all ruby gems dependencies from the Gemfile.berks install
: Installs all cookbook dependencies based on the [Berksfile](Berksfile) and the [metadata.rb](metadata.rb)rake
: This will run all of the local tests - syntax, lint, unit, and maintainers file.rake integration
: This will run all of the kitchen tests
Test Cookbook (secrets_management_test)
a test cookbook for the available LWRPs
The cookbook secrets_management does not include any executable recipes as it is designed to be an utility cookbook and support other initiatives. For the purposes of testing and validating this code, we have included a test cookbook with pre-configured recipes.
Name | Description |
---|---|
Default | Roll-up recipe to test all of the functionality of the LWRP-specific recipes |
hashivault | Test gathering secrets from Hashicorp Vault environments. |
chef_vault | Test gathering secrets from ChefVault bags |
data_bag | Test gathering secrets from Chef DataBags |
Compliance Profile
Not included as this is a Resource only cookbook with no included recipes.
Contribute
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Add some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request
License & Authors
Author: Jeremy Goodrum (jeremy@exospheredata.com)
Copyright: 2017 Exosphere Data, LLC
Copyright 2017 Exosphere Data, LLC Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
Dependent cookbooks
chef-vault ~> 3.0 |
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
secrets_management Cookbook CHANGELOG
This file is used to list changes made in each version of the secrets_management cookbook.
v1.0.0
- Initial release with support for reading Hashicorp Vault, Chef-Vault, and Chef Data bag items
Collaborator Number Metric
1.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
1.0.0 passed this metric
Foodcritic Metric
1.0.0 passed this metric
No Binaries Metric
1.0.0 passed this metric
Testing File Metric
1.0.0 passed this metric
Version Tag Metric
1.0.0 passed this metric
1.0.0 failed this metric
1.0.0 passed this metric
Foodcritic Metric
1.0.0 passed this metric
No Binaries Metric
1.0.0 passed this metric
Testing File Metric
1.0.0 passed this metric
Version Tag Metric
1.0.0 passed this metric
1.0.0 passed this metric
1.0.0 passed this metric
Testing File Metric
1.0.0 passed this metric
Version Tag Metric
1.0.0 passed this metric
1.0.0 passed this metric
1.0.0 passed this metric