• Stars
    star
    407
  • Rank 106,183 (Top 3 %)
  • Language
    Ruby
  • License
    Apache License 2.0
  • Created over 11 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Securely manage passwords, certs, and other secrets in Chef

Chef-Vault

Gem Version

Build status

Inline docs

DESCRIPTION:

Gem that allows you to encrypt a Chef Data Bag Item using the public keys of a list of chef nodes. This allows only those chef nodes to decrypt the encrypted values.

For a more detailed explanation of how chef-vault works, please refer to this blog post Chef Vault – what is it and what can it do for you? by Nell Shamrell-Harrington.

INSTALLATION:

Be sure you are running the latest version Chef. Versions earlier than 0.10.0 don't support plugins:

gem install chef

This plugin is distributed as a Ruby Gem. To install it, run:

gem install chef-vault

Depending on your system's configuration, you may need to run this command with root privileges.

DEVELOPMENT:

Git Hooks

There is a git pre-commit hook to help you keep your chefstyle up to date. If you wish to use it, simply:

mv hooks/pre-commit .git/hooks/
chmod +x .git/hooks/pre-commit

Running Your Changes

To run your changes locally:

bundle install
bundle exec knife vault

Testing

Rspec Tests

There are some unit tests that can be run with:

bundle exec rspec spec/

Cucumber Testing

There are cucumber tests. Run the whole suite with:

bundle exec rake features

If you get any failures, you can run the specific feature that failed with:

bundle exec cucumber features/<failed>.feature

If you want to test things out directly, after a failure you can go into the test directory and try out the commands that failed:

cd tmp/aruba
bundle exec knife <your command that failed from test with -c config.rb>

Optionally add -VV to the above to get a full stacktrace.

Rubocop Errors

If you are seeing rubocop errors in travis for your pull request, run:

bundle exec chefstyle -a

This will fix up your rubocop errors automatically, and warn you about any it can't.

KNIFE COMMANDS:

See KNIFE_EXAMPLES.md for examples of commands

config.rb (aka knife.rb)

To set 'client' as the default mode, add the following line to the config.rb file.

knife[:vault_mode] = 'client'

To set the default list of admins for creating and updating vaults, add the following line to the config.rb file.

knife[:vault_admins] = [ 'example-alice', 'example-bob', 'example-carol' ]

(These values can be overridden on the command line by using -A)

NOTE: chef-vault 1.0 knife commands are not supported! Please use chef-vault 2.0 commands.

Vault

knife vault create VAULT ITEM VALUES
knife vault edit VAULT ITEM
knife vault refresh VAULT ITEM
knife vault update VAULT ITEM VALUES [--clean]
knife vault remove VAULT ITEM VALUES
knife vault delete VAULT ITEM
knife vault rotate keys VAULT ITEM
knife vault rotate all keys
knife vault show VAULT [ITEM] [VALUES]
knife vault download VAULT ITEM PATH
knife vault isvault VAULT ITEM
knife vault itemtype VAULT ITEM

Note: Creating a VAULT ITEM with an ITEM name ending in "_keys" causes the VAULT to treat it as an ordinary `data_bag` instead of as a vault.

Global Options

Short Long Description Default Valid Values Sub-Commands
-M MODE --mode MODE Chef mode to run in. Can be set in config.rb solo solo, client all
-S SEARCH --search SEARCH Chef Server SOLR Search Of Nodes create, remove , update
-C CLIENTS --clients CLIENTS Chef clients to be added as clients, can be comma list create, remove , update
-A ADMINS --admins ADMINS Chef clients or users to be vault admins, can be comma list create, remove, update
-J FILE --json FILE JSON file to be used for values, will be merged with VALUES if VALUES is passed create, update
--file FILE File that chef-vault should encrypt. It adds "file-content" & "file-name" keys to the vault item create, update
-p DATA --print DATA Print extra vault data search, clients, admins, all show
-F FORMAT --format FORMAT Format for decrypted output summary summary, json, yaml, pp show
--clean-unknown-clients Remove unknown clients during key rotation refresh, remove, rotate
--clean Clean clients list before performing search refresh, update
--keys-mode method to use to manage keys default default, sparse create

USAGE IN RECIPES

To use this gem in a recipe to decrypt data you must first install the gem via a chef_gem resource. Once the gem is installed require the gem and then you can create a new instance of ChefVault.

NOTE: chef-vault 1.0 style decryption is supported, however it has been deprecated and chef-vault 2.0 decryption should be used instead

Example Code

chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end

require 'chef-vault'

item = ChefVault::Item.load("passwords", "root")
item["password"]

Note that in this case, the gem needs to be installed at compile time because the require statement is at the top-level of the recipe. If you move the require of chef-vault and the call to ::load to library or provider code, you can install the gem in the converge phase instead.

Specifying an alternate node name or client key path

Normally, the value of Chef::Config[:node_name] is used to find the per-node encrypted secret in the keys data bag item, and the value of Chef::Config[:client_key] is used to locate the private key to decrypt this secret. If Chef::Config[:client_key_contents] is defined, it takes precedence over the file path specified in Chef::Config[:client_key].

These can be overridden by passing a hash with the keys :node_name or :client_key_path to ChefVault::Item.load:

item = ChefVault::Item.load(
  'passwords', 'root',
  node_name: 'service_foo',
  client_key_path: '/secure/place/service_foo.pem'
)
item['password']

The above example assumes that you have transferred /secure/place/service_foo.pem to your system via a secure channel.

This usage allows you to decrypt a vault using a key shared among several nodes, which can be helpful when working in cloud environments or other configurations where nodes are created dynamically.

chef_vault_item helper

The chef-vault cookbook contains a recipe to install the chef-vault gem and a helper method chef_vault_helper which makes it easier to test cookbooks that use chef-vault using Test Kitchen.

DETERMINING IF AN ITEM IS A VAULT

ChefVault provides a helper method to determine if a data bag item is a vault, which can be helpful if you produce a recipe for community consumption and want to support both normal data bags and vaults:

if ChefVault::Item.vault?('passwords', 'root')
  item = ChefVault::Item.load('passwords', 'root')
else
  item = Chef::DataBagItem.load('passwords', 'root')
end

This functionality is also available from the command line as knife vault isvault VAULT ITEM.

DETERMINING THE TYPE OF A DATA BAG ITEM

ChefVault provides a helper method to determine the type of a data bag item. It returns one of the symbols :normal, :encrypted or :vault

case ChefVault::Item.data_bag_item_type('passwords', 'root')
when :normal
  ...
when :encrypted
  ...
when :vault
  ...
end

This functionality is also available from the command line as knife vault itemtype VAULT ITEM.

USAGE STAND ALONE

chef-vault can be used as a stand alone binary to decrypt values stored in Chef. It requires that Chef is installed on the system and that you have a valid config.rb. This is useful if you want to mix chef-vault into non-Chef recipe code, for example some other script where you want to protect a password.

It does still require that the data bag has been encrypted for the user's or client's pem and pushed to the Chef server. It mixes Chef into the gem and uses it to go grab the data bag.

Use chef-vault --help to see all all available options

Example usage (password)

chef-vault -v passwords -i root -a password -k /etc/chef/config.rb

SCALING

As more nodes use a shared key, some operations like refresh or update can execute more efficiently using sparse mode (see issue #237).

To create a vault item using sparse mode, pass the value sparse to the --keys-mode option to knife vault create.

TESTING

To use Chef Vault in Test Kitchen, ensure that the chef-vault recipe is in your run_list, and then add the following to your suite in .kitchen.yml:

data_bags_path: 'path/to/data_bags'
attributes:
  chef_vault:
    databags_fallback: true

You can then use the chef_vault_item helper in the aforementioned chef-vault cookbook.

To stub vault items in ChefSpec, use the chef-vault-testfixtures gem.

Contributing

For information on contributing to this project see https://github.com/chef/chef/blob/master/CONTRIBUTING.md

Authors

Author:: Kevin Moser - @moserke
Author:: Eli Klein - @eliklein
Author:: Joey Geiger - @jgeiger
Author:: Joshua Timberman - @jtimberman
Author:: James FitzGibbon - @jf647
Author:: Thom May - @thommay

Contributors

Contributor:: Matt Brimstone - @brimstone
Contributor:: Thomas Gschwind - @thg65
Contributor:: Reto Hermann

License

Copyright:: Copyright (c) 2013-15 Nordstrom, Inc.
Copyright:: Copyright (c) 2016 Chef Software, Inc.
License:: Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

More Repositories

1

chef

Chef Infra, a powerful automation platform that transforms infrastructure into code automating how infrastructure is configured, deployed and managed across any environment, at any scale
Ruby
7,596
star
2

bento

Packer templates for building minimal Vagrant baseboxes for multiple platforms
HCL
4,220
star
3

omnibus

Easily create full-stack installers for your project across a variety of platforms.
Ruby
1,269
star
4

ohai

Ohai profiles your system and emits JSON
Ruby
672
star
5

chef-zero

Simple, easy-run, fast-start in-memory Chef server for testing and solo purposes
Ruby
534
star
6

knife-ec2

Chef knife plug-in for AWS EC2
Ruby
403
star
7

chef-server

Chef Infra Server is a hub for configuration data; storing cookbooks, node policies and metadata of managed nodes.
Erlang
279
star
8

automate

Chef Automate provides a full suite of enterprise capabilities for maintaining continuous visibility into application, infrastructure, and security automation.
Go
227
star
9

supermarket

Chef's community platform
Ruby
214
star
10

knife-vsphere

Chef knife plug-in for VMware vSphere
Ruby
202
star
11

knife-windows

Plugin for Chef's knife tool for working with Windows nodes
Ruby
151
star
12

omnibus-software

Open Source Software for use in Omnibus built packages
Ruby
133
star
13

chef-workstation

Chef Workstation gives you everything you need to get started with Chef, so you can automate how you audit, configure, and manage applications end environments.
Go
133
star
14

mixlib-shellout

mixin library for subprocess management, output collection
Ruby
132
star
15

chef-web-docs

All The Documentation
HTML
127
star
16

mixlib-cli

A mixin for creating command line applications - gives an easy DSL for argument specification and processing
Ruby
123
star
17

knife-openstack

Chef Infra knife plug-in for OpenStack
Ruby
120
star
18

cookstyle

A linting tool that helps you to write better Chef Infra cookbooks and InSpec profiles by detecting and automatically correcting style, syntax, and logic mistakes in your code.
Ruby
109
star
19

os_release

A repo containing the /etc/os-release file from various Linux distros
81
star
20

chef-oss-practices

Documentation and Practices for Open Source Development at Chef
Ruby
81
star
21

knife-azure

Chef knife plug-in for Microsoft Azure
Ruby
72
star
22

artifactory-client

A simple, lightweight Ruby client for interacting with the Artifactory API.
Ruby
68
star
23

knife-google

Chef knife plug-in for Google Compute
Ruby
67
star
24

win32-service

A Ruby library that allows users to inspect, control or create services on MS Windows
Ruby
65
star
25

mixer

Mix in functions from other modules
Erlang
64
star
26

concrete

Concrete enhances your rebar based Erlang project by providing a common Makefile wrapper, a dialyzer make target that caches PLT analysis of your project's dependencies, and a mechanism to specify development only dependencies.
Erlang
56
star
27

mixlib-config

A simple class based Config mechanism, similar to the one found in Chef
Ruby
51
star
28

sqerl

General purpose RDBMS abstraction layer
Erlang
42
star
29

vscode-chef

Chef Infra Extension for Visual Studio Code
TypeScript
39
star
30

cheffish

Resources and tools for testing and interacting with Chef and Chef Server.
Ruby
39
star
31

knife-tidy

Report on stale Chef Server nodes/cookbooks, clean those up and additionally clean data integrity issues from a knife-ec-backup object based backup!
Ruby
37
star
32

homebrew-chef

A homebrew tap for ChefDK, Workstation, and InSpec
Ruby
36
star
33

mixlib-log

A simple class based Log mechanism, similar to Merb and Chef, that you can mix in to your project.
Ruby
34
star
34

effortless

Automated best practices for Chef Infra and Chef InSpec
Shell
33
star
35

chef-load

chef-load - a tool for simulating load on a Chef Infra Server and/or a Chef Automate server
Roff
32
star
36

knife-ec-backup

Backup and restore Chef Infra Server in a repository-compatible format
Ruby
31
star
37

mini_s3

Minimal AWS S3 client for Erlang
Erlang
28
star
38

okta_aws

Tool for accessing the AWS API for an account you normally access via okta
Python
27
star
39

dep-selector

Fast Dependency Solver for Ruby using Gecode
Ruby
25
star
40

omnitruck

Web service to automate the release of Omnibus artifacts
Ruby
25
star
41

win32-process

A Ruby library that adds or redefines several methods for the Process module
Ruby
25
star
42

kitchen-vcenter

A test-kitchen driver for vCenter REST API
Ruby
25
star
43

omnibus-ctl

Provides service control for omnibus packages
Ruby
23
star
44

mixlib-authentication

AuthN signing and verification. Appears in both the client and server
Ruby
22
star
45

knife-cloud

Library for Chef knife cloud plugins
Ruby
18
star
46

win32-taskscheduler

A Ruby interface for the task scheduler on MS Windows
Ruby
17
star
47

mixlib-versioning

General purpose Ruby library that allows you to parse, compare, and manipulate version strings in multiple formats.
Ruby
17
star
48

win32-eventlog

The win32-eventlog library provides a Ruby interface for reading from and writing to the Windows Event Log
Ruby
17
star
49

chefstyle

Version Pinned RuboCop with Chef approved Cop list for linting software - NOT FOR COOKBOOKS
Ruby
15
star
50

chef-cli

The 'chef' command line tool included in Chef Workstation
Ruby
14
star
51

win32-file

Extra methods, and redefined methods, for the File class on MS Windows
Ruby
14
star
52

anka-buildkite-plugin

Run Buildkite steps inside Veertu Anka Virtual Machines
Shell
14
star
53

appbundler

Generate locked binstubs for ruby applications
Ruby
14
star
54

stats_hero

General purpose stats collection
Erlang
13
star
55

wmi-lite

Lightweight, low-dependency wrapper for basic WMI functionality on Windows.
Ruby
13
star
56

knife-vrealize

Plugin for Chef's knife tool to interact with VMware vRealize products
Ruby
13
star
57

chef-apply

The ad-hoc execution tool for the Chef ecosystem.
Ruby
13
star
58

ffi-libarchive

A Ruby FFI binding to libarchive.
Ruby
13
star
59

mixlib-install

A library for interacting with Chef Software Inc's software distribution systems.
Ruby
12
star
60

chef_authn

Erlang API request authentication signing and verification for Chef
Erlang
11
star
61

ffi-yajl

Ruby FFI gem wrapper around yajl2 library
Ruby
11
star
62

corefoundation

FFI based Ruby bindings for the CoreFoundation frameworks
Ruby
11
star
63

fixie

Low level manipulation tool for chef in sql
Ruby
10
star
64

dep-selector-libgecode

Bundled Gecode Libraries for dep-selector
Ruby
10
star
65

win32-certstore

Ruby library for accessing the certificate store on Windows
Ruby
10
star
66

chef-workstation-app

The Chef Workstation desktop application.
TypeScript
10
star
67

win32-security

A Ruby interface for security aspects of MS Windows
Ruby
9
star
68

knife-vcenter

Chef knife plug-in for VMware REST API
Ruby
9
star
69

architecture-center

Ruby
9
star
70

win32-dir

A series of constants, and extra or redefined methods, for the Dir class on Windows
Ruby
8
star
71

chef_backup

A library to backup an Chef server
Ruby
8
star
72

chef-vault-testfixtures

provides an RSpec shared context for testing Chef cookbooks that use chef-vault
Ruby
7
star
73

opscoderl_httpc

Opscode helper application for being an HTTP client
Erlang
7
star
74

license-acceptance

Chef Software libraries for accepting usage license
Ruby
7
star
75

rubydistros

Dockerfiles for Ruby on various Linux distros
Dockerfile
7
star
76

win32-mmap

A Ruby interface for memory mapped files on MS Windows
Ruby
7
star
77

chef-analyze

A CLI to analyze artifacts from a Chef Infra Server
Go
6
star
78

win32-event

A Ruby interface to Event objects on MS Windows
Ruby
6
star
79

license_scout

Discovers license information of the dependencies of a project.
Ruby
6
star
80

.github

.github files that are inherited by all org repos unless specifically included in a repo
6
star
81

cookbook-omnifetch

Fetch Chef Cookbooks from Various Sources to a Local Cache
Ruby
6
star
82

win32-ipc

A Ruby abstract base class for synchronization objects on MS Windows
Ruby
5
star
83

github-workflows

Github Actions Workflows
5
star
84

appbundle-updater

A little help when you want to update an appbundled project inside of a Chef/ChefDK omnibus package
Ruby
5
star
85

ci-studio-common

Shared helpers for use inside CIs (like Travis) and a Habitat Studio
Go
5
star
86

omnibus-toolchain

Omnibus packaging for Omnibus toolchain
Ruby
5
star
87

chef-web-core

Shared resources for Chef web properties
Ruby
5
star
88

gatherlogs-reporter

Inspec profiles for examining gatherlog output from chef-products for support.
Ruby
5
star
89

chocolatey-packages

PowerShell
4
star
90

compliance-workshop-environment

Ruby
4
star
91

inspec-extra-resources

Ruby
4
star
92

folsom_graphite

Send data from folsom automatically to graphite
Erlang
4
star
93

chef-powershell-shim

.NET 4.0/COM wrapper around PowerShell host
Ruby
4
star
94

cookstylist

Cookstyle GitHub app
Ruby
4
star
95

automate-liveness-agent

Agent that sends "keep alive" messages to Chef Automate
Ruby
4
star
96

community_cookbook_releaser

A simple script to aid in version bumps and changelog generation for Chef managed community cookbooks
Ruby
4
star
97

habitat_exporter

Go
4
star
98

mixlib-archive

A very simple gem to create and extract archives.
Ruby
4
star
99

win32-mutex

A Ruby interface for mutexes on MS Windows
Ruby
3
star
100

chef_dictionary

A dictionary file of words in the Chef ecosystem
Ruby
3
star