Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

RSS

ssl-vault (10) Versions 1.1.15

SSL key & certificate storage in chef-vault.

Berkshelf/Librarian
Policyfile
Knife
cookbook 'ssl-vault', '~> 1.1.15'
cookbook 'ssl-vault', '~> 1.1.15', :supermarket
knife cookbook site install ssl-vault
knife cookbook site download ssl-vault
README
Dependencies
Quality 44%

ssl-vault

Manages SSL Keys, Certs and Chains using the chef-vault Cookbook, itself a wrapper for the chef-vault Gem.

SSL Keys, Certs and Chains are stored in Chef Encrypted Data Bags using Chef Vault and are only accessible to clients using their existing public keys.

More information on the Chef Vault security model can be found on Justin Timberman's Blog or Andrew Jaquith's Blog.

This Cookbook is derived from Maciej Pasternacki's ssl-key-vault Cookbook.

Requirements

  1. chef-vault plugin for Knife, available as a Ruby Gem: gem install chef-vault
  2. A SSL certificate and private key.

Attributes

  • node['ssl-vault']['certificates'] - List of certificates to install, as determined by the IDs of Encrypted Data Bag Items. i.e. ['example.com', 'www.example.com'] Can be set per Node, so as to limit vectors.

The following Attributes are set or unset by default, and are available for customization by you, the user: - ['ssl-vault']['certificate_directory'] - String name of directory into which to deposit the certificate(s) [and chain file(s)]. - ['ssl-vault']['private_key_directory'] - String name of directory into which to deposit the private key(s) [and PEM file(s)]. - ['ssl-vault']['private_key_file'] - String name of private key file. - ['ssl-vault']['data_bag_key_rex'] - Regular Expression of Data Bag Key ID(s). - ['ssl-vault']['data_bag_key_replacement_str'] - String replacement character for IDs that don't match data_bag_key_rex. - ['ssl-vault']['private_key_file'] - String name of private key file. - ['ssl-vault']['certificate_file'] - String name of certificate file. - ['ssl-vault']['pem_file'] - String name of PEM file. - ['ssl-vault']['combined_chain_file'] - String name of combined chain file. - ['ssl-vault']['combined_chain_pem_file'] - String name of combined chain PEM file.

The following Attribute overrides ['chef-vault']['version']'s Attribute: - ['chef-vault']['version'] - String version of chef-vault Gem to install.

Data Bag Structure

  • The encrypted data bag must be named ssl-vault.

  • The item name should be the CN of the certificate with the configured replacements applied (default replacement: underscores for dots, www_example_com).

  • The value should be a json hash with the following keys:

    • certificate: the certificate in pem format
    • key: the key in pem format
    • chain_certificates: array of intermediate ca certificates [optional]

Recipes

This Cookbook provides several Recipes:

  • default.rb - Use this Recipe. Includes remaining Recipes and chef-vault Cookbook.
  • certificate_directory.rb - Creates certificate (and chain) directory.
  • certificate_file.rb - Creates certificate file.
  • combined_chain_file.rb - Creates combined chain file.
  • combined_chain_pem_file.rb - Creates combined chain PEM file.
  • pem_file.rb - Creates PEM file.
  • private_key_directory.rb - Creates private key (and PEM) directory.
  • private_key_file.rb - Creates private key file.

Usage

Include this Cookbook in your Node's Run List, along with setting the Node Attributes for the certificates and keys you wish to install, and encrypting those certificates and keys.

Overview

  1. Aquire an SSL certificate and private key file.
  2. Store the SSL certificate and private key file in an Encrypted Data Bag.
  3. Encrypt the SSL certificate and private key using Chef Vault.
  4. Include the certificate's Common Name (CN) in a Node's Attributes.

Example

Given the SSL certificate and key file for example.com:

  1. Create a Data Bag Item containing the SSL certificate and private key:

    ruby -rjson -e 'puts JSON[Hash[Hash[*ARGV].map { |k,v| [k, File.read(v)] }]]' -- \
        certificate example.com.cert \
        key example.com.key \
        > example.com.json
    
  2. Encrypt the new Data Bag Item using the Client's public key:

    knife vault create ssl-vault example_com --mode client \
        --search 'QUERY' --admins '' \
        --json example.com.json
    

    Either add Chef server's admin API users to the --admins, or make the key otherwise accessible to yourself in future (e.g. with knife-briefcase).

  3. Add example.com to a Node's ['ssl-vault']['certificates'] Attribute:

    node['ssl-vault']['certificates'] = ['example.com']
    
  4. Add recipe[ssl-vault] to Node's Run List.

  5. The key will be stored in /etc/ssl/private/example.com.key, and certificate in /etc/ssl/certs/example.com.cert.

Author

Copyright

Copyright 2014 OnBeep, Inc. Portions Copyright (C) 2013 Maciej Pasternacki maciej@3ofcoins.net

License

The MIT License (MIT)

Source

https://github.com/onbeep-cookbooks/ssl-vault

Dependent cookbooks

chef-vault >= 1.0.4

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

Collaborator Number Metric
            

1.1.15 failed this metric

Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric
            

1.1.15 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric
            

1.1.15 failed this metric

FC064: Ensure issues_url is set in metadata: ssl-vault/metadata.rb:1
FC065: Ensure source_url is set in metadata: ssl-vault/metadata.rb:1
FC066: Ensure chef_version is set in metadata: ssl-vault/metadata.rb:1
FC069: Ensure standardized license defined in metadata: ssl-vault/metadata.rb:1
Run with Foodcritic Version 12.2.1 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

License Metric
            

1.1.15 failed this metric

ssl-vault does not have a valid open source license.
Acceptable licenses include Apache-2.0, apachev2, Apache 2.0, MIT, mit, GPL-2.0, gplv2, GNU Public License 2.0, GPL-3.0, gplv3, GNU Public License 3.0.

No Binaries Metric
            

1.1.15 passed this metric

Publish Metric
            

1.1.15 passed this metric

Supported Platforms Metric
            

1.1.15 passed this metric

Testing File Metric
            

1.1.15 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric
            

1.1.15 passed this metric