Menu

Chef Supermarket

Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

View our collection of guides, documentation, and articles

Cookbooks
Advanced Options

Select Badges

Select Supported Platforms

RSS

ssl-key-vault (10) Versions 0.1.2

SSL key & certificate storage in chef-vault

Berkshelf
Policyfile
Knife 
cookbook 'ssl-key-vault', '= 0.1.2'
cookbook 'ssl-key-vault', '= 0.1.2', :supermarket
knife cookbook site install ssl-key-vault
knife cookbook site download ssl-key-vault
README
Dependencies
Quality -%

ssl-key-vault cookbook

This cookbook manages OpenSSL key pairs, using chef-vault to share and store private keys.

This cookbook's home is at https://github.com/3ofcoins/ssl-key-vault/

Requirements

Usage

  1. Generate a self-signed key or a secret key and certificate.

  2. Store the private key in chef-vault. The name should be set to ssl-key-key.name.:

    $ knife encrypt cert \ --search 'QUERY' --admins '' \ --name ssl-key-example.com \ --cert /path/to/example.com.key $ knife upload data_bags/certs

Either add Chef server's admin API users to the --admins, or make the key otherwise accessible to yourself in future (e.g. with knife-briefcase).

  1. Add the certificate to node's ssl_certificates attribute (key is key's name, and value is full certificate):
example_com_cert = <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF

default_attributes :ssl_certificates => {
  'example.com' => example_com_cert
}

If you don't want to clutter your role definition, you can read the certificate from file in the chef repo:

default_attributes :ssl_certificates => {
  'example.com' => Pathname.new(__FILE__).dirname.join('../config/certificates/example.com.crt').read
}
  1. Add recipe[ssl-key-vault] to node's run list.

The key will be stored in /etc/ssl/private/key.name.key, and certificate in /etc/ssl/certs/key.name.pem.

Multiple certificate files

If you need to store certificate and chain separately, or store public part in multiple files for any other reason, the ssl_certificates entry can also be a dictionary, where key is extension of the file in /etc/ssl/certs, and value is the file's content.

certificates = Pathname.new(__FILE__).dirname.join('../config/certificates')
default_attributes :ssl_certificates => {
  'example.com' => {
    'crt' => certificates.join('example.com.crt').read,
    'chain.pem' => certificates.join('example.com.chain.pem).read,
  }
}

In this example, files /etc/ssl/certs/example.com.crt and /etc/ssl/certs/example.com.chain.pem will be created.

TODOs & questions

Maybe we should store certificate somewhere else than in attributes? knife-vault supports only one value, and certificate is public, so it shouldn't be encrypted. Creating a separate data bag seems to create a lot of clutter, and is not easy to describe in Usage section, as it needs to be encoded in JSON. Adding it to cookbook's files/ is also kind of messy.

Maybe the answer would be to script adding a new key. A knife plugin or at least a Thor task definition may be helpful here.

I don't have much of idea currently how to add tests, with chef-vault, encrypted data bags, and such.

Author

Author:: Maciej Pasternacki maciej@3ofcoins.net

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

No quality metric results found


Maciej Pasternacki Maciej Pasternacki
Marta Paciorkowska

Details

View Source View Issues

Updated Created on June 24, 2013

Platforms

  • ubuntu >= 0.0.0

License

MIT

Download Cookbook