
ssl-vault, version 1.1.15 (10 versions published)

SSL key & certificate storage in chef-vault.

Install with Policyfile:  cookbook 'ssl-vault', '~> 1.1.15', :supermarket
Install with Berkshelf:   cookbook 'ssl-vault', '~> 1.1.15'
Install with Knife:       knife supermarket install ssl-vault
Download with Knife:      knife supermarket download ssl-vault

Quality score: 17%

ssl-vault

Manages SSL Keys, Certs and Chains using the
chef-vault Cookbook, itself
a wrapper for the chef-vault Gem.

SSL Keys, Certs and Chains are stored in Chef Encrypted Data Bags using Chef
Vault and are only accessible to clients using their existing public keys.

More information on the Chef Vault security model can be found on Justin Timberman's Blog or Andrew Jaquith's Blog.

This Cookbook is derived from Maciej Pasternacki's ssl-key-vault Cookbook.

Requirements

  1. The chef-vault plugin for Knife, available as a Ruby Gem: gem install chef-vault
  2. An SSL certificate and its private key.

Attributes

  • node['ssl-vault']['certificates'] - List of certificates to install, as
    determined by the IDs of Encrypted Data Bag Items, e.g.
    ['example.com', 'www.example.com']. Can be set per Node, so that each
    Node is granted access only to the certificates and keys it needs.

The following Attributes are set (or unset) by default and are available for
customization by you, the user:

  • ['ssl-vault']['certificate_directory'] - String name of the directory into
    which to deposit the certificate(s) [and chain file(s)].
  • ['ssl-vault']['private_key_directory'] - String name of the directory into
    which to deposit the private key(s) [and PEM file(s)].
  • ['ssl-vault']['private_key_file'] - String name of the private key file.
  • ['ssl-vault']['certificate_file'] - String name of the certificate file.
  • ['ssl-vault']['pem_file'] - String name of the PEM file.
  • ['ssl-vault']['combined_chain_file'] - String name of the combined chain file.
  • ['ssl-vault']['combined_chain_pem_file'] - String name of the combined chain
    PEM file.
  • ['ssl-vault']['data_bag_key_rex'] - Regular Expression describing valid
    Data Bag Item ID(s).
  • ['ssl-vault']['data_bag_key_replacement_str'] - String substituted for the
    characters of an ID that don't match data_bag_key_rex.

The following Attribute overrides the chef-vault Cookbook's
['chef-vault']['version'] Attribute:

  • ['chef-vault']['version'] - String version of the chef-vault Gem to install.

Data Bag Structure

  • The encrypted data bag must be named ssl-vault.

  • The item name should be the CN of the certificate with the configured
    replacements applied
    (default replacement: underscores for dots, www_example_com).

  • The value should be a JSON hash with the following keys:

    • certificate: the certificate in PEM format
    • key: the private key in PEM format
    • chain_certificates: array of intermediate CA certificates in PEM format [optional]

Recipes

This Cookbook provides several Recipes:

  • default.rb - Use this Recipe. Includes remaining Recipes and chef-vault Cookbook.
  • certificate_directory.rb - Creates certificate (and chain) directory.
  • certificate_file.rb - Creates certificate file.
  • combined_chain_file.rb - Creates combined chain file.
  • combined_chain_pem_file.rb - Creates combined chain PEM file.
  • pem_file.rb - Creates PEM file.
  • private_key_directory.rb - Creates private key (and PEM) directory.
  • private_key_file.rb - Creates private key file.

Usage

Include this Cookbook in your Node's Run List, along with setting the Node
Attributes for the certificates and keys you wish to install, and encrypting
those certificates and keys.

Overview

  1. Acquire an SSL certificate and private key file.
  2. Store the SSL certificate and private key file in an Encrypted Data Bag.
  3. Encrypt the SSL certificate and private key using Chef Vault.
  4. Include the certificate's Common Name (CN) in a Node's Attributes.

Example

Given the SSL certificate and key file for example.com:

  1. Create a Data Bag Item containing the SSL certificate and private key:

    ruby -rjson -e 'puts JSON[Hash[Hash[*ARGV].map { |k,v| [k, File.read(v)] }]]' -- \
        certificate example.com.cert \
        key example.com.key \
        > example.com.json
    
  2. Encrypt the new Data Bag Item using the Client's public key:

    knife vault create ssl-vault example_com --mode client \
        --search 'QUERY' --admins '' \
        --json example.com.json
    

    Either add the Chef server's admin API users via --admins, or otherwise
    keep the vault key accessible to yourself for future updates (e.g. with
    knife-briefcase).

  3. Add example.com to a Node's ['ssl-vault']['certificates'] Attribute:

    node['ssl-vault']['certificates'] = ['example.com']
    
  4. Add recipe[ssl-vault] to Node's Run List.

  5. The key will be stored in /etc/ssl/private/example.com.key, and
    certificate in /etc/ssl/certs/example.com.cert.
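The Data Bag Structure and the Example procedure above, worked through in Ruby as an added example (not the cookbook's own code): it derives the item ID from the certificate's CN, builds and validates the JSON document that knife vault create consumes, and assembles the combined chain content. The regex and replacement defaults, the chain file layout (leaf certificate followed by intermediates) and the placeholder PEM blobs are assumptions, not taken from the cookbook.

```ruby
require 'json'

# Constructed placeholder PEM blobs (not real key material) standing in for
# example.com.cert, example.com.key and one intermediate CA certificate.
CERT_PEM  = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
KEY_PEM   = "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n"
CHAIN_PEM = ["-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"].freeze

# Assumed reading of data_bag_key_rex / data_bag_key_replacement_str: each
# character of the CN that does not match the regex is replaced. With the
# defaults assumed here, www.example.com becomes the item id www_example_com.
def data_bag_item_id(cn, key_rex: /[a-z0-9_-]/i, replacement: '_')
  cn.each_char.map { |c| c.match?(key_rex) ? c : replacement }.join
end

CERT_LABEL = 'CERTIFICATE'.freeze
KEY_LABEL  = /(RSA |EC )?PRIVATE KEY/
# True when text is a single PEM block with matching BEGIN/END markers.
def pem?(text, label)
  text.is_a?(String) &&
    text.match?(/\A-----BEGIN #{label}-----\n.+\n-----END #{label}-----\n?\z/m)
end

# Checks an item hash against the README's structure: required "certificate"
# and "key", optional "chain_certificates" array. Returns a list of problems.
def validate_item(item)
  errors = []
  errors << 'certificate is not a PEM certificate' unless pem?(item['certificate'], CERT_LABEL)
  errors << 'key is not a PEM private key' unless pem?(item['key'], KEY_LABEL)
  chain = item.fetch('chain_certificates', [])
  unless chain.is_a?(Array) && chain.all? { |c| pem?(c, CERT_LABEL) }
    errors << 'chain_certificates must be an array of PEM certificates'
  end
  errors
end

# Builds the JSON document passed to `knife vault create ... --json`,
# refusing to emit an item that the recipes could not install.
def build_item_json(certificate:, key:, chain_certificates: [])
  item = { 'certificate' => certificate, 'key' => key }
  item['chain_certificates'] = chain_certificates unless chain_certificates.empty?
  errors = validate_item(item)
  raise ArgumentError, errors.join('; ') unless errors.empty?
  JSON.generate(item)
end

# Assumed layout of the combined chain file: leaf certificate, then intermediates.
def combined_chain(item)
  ([item['certificate']] + item.fetch('chain_certificates', [])).join
end
```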

Author

Copyright

Copyright 2014 OnBeep, Inc.
Portions Copyright (C) 2013 Maciej Pasternacki maciej@3ofcoins.net

License

The MIT License (MIT)

Source

https://github.com/onbeep-cookbooks/ssl-vault

Dependent cookbooks

chef-vault >= 1.0.4

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

Collaborator Number Metric

1.1.15 failed this metric

Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

1.1.15 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric

1.1.15 failed this metric

FC064: Ensure issues_url is set in metadata: ssl-vault/metadata.rb:1
FC065: Ensure source_url is set in metadata: ssl-vault/metadata.rb:1
FC066: Ensure chef_version is set in metadata: ssl-vault/metadata.rb:1
FC069: Ensure standardized license defined in metadata: ssl-vault/metadata.rb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

No Binaries Metric

1.1.15 passed this metric

Testing File Metric

1.1.15 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric

1.1.15 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number