gce_vault_client, 1 version: 1.0.0

Installs/Configures vault_client for Google Compute Engine

Install with Policyfile: cookbook 'gce_vault_client', '~> 1.0.0', :supermarket
Install with Berkshelf: cookbook 'gce_vault_client', '~> 1.0.0'
Install with Knife: knife supermarket install gce_vault_client (or knife supermarket download gce_vault_client)

Quality: 33%

vault_client

Cookbook used to retrieve secrets from Vault using the GCP Auth Backend. The secrets are discarded at the end of the Chef run so that they are not retained on the server.

Usage

Add this cookbook as a dependency in metadata.rb and in the Berksfile.

You can then use the vault_secret resource in your cookbook.

In order to retrieve secrets from Vault, the service account attached to the instance must be allowed to read from the secret path specified.

Resources

vault_secret

Properties

  • :path, String, Path to the secret that you are trying to read.
  • :vault_url, String, URL of the Vault service
  • :vault_role, String, Vault Role that gives the GCE IAM Service account rights to authenticate to Vault using GCP Auth

Actions

  • :read, currently this is the only supported action.

Note: Because the secret must already be in node.run_state when later resources are compiled, this resource has to be evaluated at compile time. Close the block with end.run_action(:read) rather than declaring action :read, which would defer the read to converge time.

For example:

```ruby
vault_secret 'test' do
  path 'bakery/secret/test'
end.run_action(:read)
```

Returns

The :read action stores the secret's key/value pairs as a hash in node.run_state['path'], where path is the value of the :path property.

Individual values are accessed with symbol keys, like this: node.run_state['example/path'][:example_key]

Libraries

Contains a helper library for authenticating to Vault.

helper.rb

helper.rb contains a module that authenticates with the Vault server configured in attributes.rb using the GCE instance identity JWT. Note that this requires the service account attached to the GCE instance to have permission to authenticate with Vault and to read the path specified.
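The flow the helper performs (instance JWT from the metadata server, login against the GCP auth backend, read of the secret path, then discard) as an added, stand-alone Ruby example; this is not the cookbook's helper.rb and does not depend on Chef. It assumes the GCP auth method is mounted at auth/gcp, that the secret lives in a KV v1 mount (so the response's "data" field is the key/value map), and that a JWT audience of "vault/<role>" is what the Vault role expects; HTTP goes through an injectable callable so the flow can be exercised offline against a constructed fake.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added example (not the cookbook's helper.rb): the authentication flow the
# README describes, written as a plain Ruby module so it can run outside Chef.
# Assumptions: Vault's GCP auth method is mounted at auth/gcp, the secret lives
# in a KV v1 mount (the response's "data" is the key/value map), and the JWT
# audience "vault/<role>" matches what the Vault role expects.
module GceVaultExample
  METADATA_IDENTITY =
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity'.freeze

  # HTTP is abstracted as a callable (method, url, headers, body) -> [status, body]
  # so the flow can be exercised offline with a fake; this is the real transport.
  def self.default_transport
    lambda do |method, url, headers, body|
      uri = URI(url)
      req = method == :post ? Net::HTTP::Post.new(uri) : Net::HTTP::Get.new(uri)
      headers.each { |k, v| req[k] = v }
      req.body = body if body
      res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
      [res.code.to_i, res.body.to_s]
    end
  end

  # Step 1: ask the GCE metadata server for a signed identity token for this
  # instance. The Metadata-Flavor header is mandatory; the token is only
  # obtainable from inside the VM, which is what ties the identity to it.
  def self.fetch_instance_jwt(role, transport)
    url = "#{METADATA_IDENTITY}?audience=vault/#{role}&format=full"
    status, body = transport.call(:get, url, { 'Metadata-Flavor' => 'Google' }, nil)
    raise "metadata server returned HTTP #{status}" unless status == 200
    body.strip
  end

  # Step 2: exchange the JWT for a Vault client token via the GCP auth backend.
  def self.login(vault_url, role, jwt, transport)
    status, body = transport.call(:post, "#{vault_url}/v1/auth/gcp/login",
                                  { 'Content-Type' => 'application/json' },
                                  JSON.generate({ 'role' => role, 'jwt' => jwt }))
    raise "Vault login as role #{role} failed with HTTP #{status}" unless status == 200
    JSON.parse(body).fetch('auth').fetch('client_token')
  end

  # Step 3: read the secret. Keys become symbols to match the README's
  # node.run_state['path'][:key] access pattern.
  def self.read_secret(vault_url, token, path, transport)
    status, body = transport.call(:get, "#{vault_url}/v1/#{path}", { 'X-Vault-Token' => token }, nil)
    raise "Vault read of #{path} failed with HTTP #{status}" unless status == 200
    JSON.parse(body).fetch('data').transform_keys(&:to_sym)
  end

  # Whole flow. The client token is revoked as soon as the read is done (even if
  # the read fails) so a token that leaks from the node cannot be replayed for
  # the remainder of its TTL.
  def self.fetch(vault_url:, vault_role:, path:, transport: default_transport)
    jwt = fetch_instance_jwt(vault_role, transport)
    token = login(vault_url, vault_role, jwt, transport)
    begin
      read_secret(vault_url, token, path, transport)
    ensure
      transport.call(:post, "#{vault_url}/v1/auth/token/revoke-self", { 'X-Vault-Token' => token }, nil)
    end
  end
end

# Constructed fake transport standing in for the metadata server and Vault so
# the example runs offline; it records every call it receives.
FAKE_CALLS = []
FAKE_TRANSPORT = lambda do |method, url, headers, body|
  FAKE_CALLS << [method, url]
  case url
  when %r{/identity\?audience=vault/chef&format=full}
    headers['Metadata-Flavor'] == 'Google' ? [200, "fake.jwt.token\n"] : [403, '']
  when %r{/v1/auth/gcp/login}
    ok = JSON.parse(body) == { 'role' => 'chef', 'jwt' => 'fake.jwt.token' }
    ok ? [200, JSON.generate({ 'auth' => { 'client_token' => 'hvs.fake' } })] : [400, '']
  when %r{/v1/secret/cheftest}
    ok = headers['X-Vault-Token'] == 'hvs.fake'
    ok ? [200, JSON.generate({ 'data' => { 'greg' => 'turkington' } })] : [403, '']
  when %r{/v1/auth/token/revoke-self}
    [204, '']
  else
    [404, '']
  end
end

if __FILE__ == $PROGRAM_NAME
  p GceVaultExample.fetch(vault_url: 'https://vault.example.com:8200', vault_role: 'chef',
                          path: 'secret/cheftest', transport: FAKE_TRANSPORT)
end
```

Run as a script it prints {:greg=>"turkington"} from the fake. Two design points worth carrying into a real helper: the metadata and login requests are the only places a credential is minted, so both fail closed on any non-200 status rather than continuing with an empty token, and the token is revoked in an ensure block so the cleanup the README promises (nothing retained after the run) also covers the failure path.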

Tests

In order to run the integration tests, the URL and secret path specified in [test.rb](recipes/test.rb) must be reachable from Test Kitchen and must contain the following secret: greg=turkington.

The Vault service must also have the GCP auth backend enabled, with a policy and role created that give the GCE service account used by Kitchen read rights on the above secret.

To create this, you can use the following:
```bash
# Enable the GCP auth method at the default mount path auth/gcp
vault auth enable gcp

# Create a GCE-type role: only instances running as the bound service account
# in the given project can log in, and they receive the "chef" policy
vault write "auth/gcp/role/chef" \
  type="gce" \
  project_id="REPLACE_WITH_{GCP_PROJECT_ID}" \
  bound_service_accounts="REPLACE_WITH_{GCP_SERVICE_ACCOUNT_EMAIL}" \
  policies="chef"

# Policy granting read-only access under secret/
vault policy write chef -<<EOF
path "secret/*" {
  capabilities = ["read"]
}
EOF

# The secret the integration test expects
vault write secret/cheftest greg=turkington
```

You will also need to generate an SSH key in the root of the repo called kitchen:

```bash
ssh-keygen -t ed25519 -f kitchen -C kitchen
export USER=kitchen
export SSH_KEY=./kitchen
```

Kitchen prerequisites (TODO: add to a Gemfile for bundler):

```bash
chef gem install kitchen-google inspec rbnacl:'< 5.0' rbnacl-libsodium bcrypt_pbkdf
```

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

vault_client CHANGELOG

This file is used to list changes made in each version of the vault_client cookbook.

0.1.0

Initial development.

1.0.2

First working version of cookbook created.

  • Reads basic key values from a specified Vault path.

Quality metrics (version 1.0.0)

  • Collaborator Number Metric: failed. Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
  • Contributing File Metric: failed. To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file.
  • Foodcritic Metric: passed.
  • No Binaries Metric: passed.
  • Testing File Metric: failed. To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file.
  • Version Tag Metric: failed. To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number.