Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

RSS

ssl_cert (13) Versions 0.3.5

Sets up private keys and certificates for PKI from Chef Vault.

Policyfile
Berkshelf
Knife
cookbook 'ssl_cert', '= 0.3.5', :supermarket
cookbook 'ssl_cert', '= 0.3.5'
knife supermarket install ssl_cert
knife supermarket download ssl_cert
README
Dependencies
Changelog
Quality 67%

ssl_cert Cookbook

This cookbook deploys CA certificates, SSL server keys and/or certificates from Chef Vault items.

Contents

Requirements

packages

  • none.

Attributes

ssl_cert::default

Key Type Description, example Default
['ssl_cert']['ca_names'] Array deployed CA certificates from chef-vault empty
['ssl_cert']['ca_pubkey_names'] Array deployed CA public keys from chef-vault (0.2.0 or later) empty
['ssl_cert']['ssh_ca_krl_name'] String deployed SSH-CA KRL (Key Revocation List) from chef-vault (0.3.0 or later) nil
['ssl_cert']['common_names'] Array deployed server keys and/or certificates from chef-vault empty
['ssl_cert']['debian']['key_access_mode'] Private key file mode (ver. 0.3.4 or later). 0640
['ssl_cert']['rhel']['key_access_mode'] Private key file mode (ver. 0.3.4 or later). 0400
['ssl_cert']['rhel']['key_access_group'] String RHEL family's key access group (ver. 0.1.5 or later) 'ssl-cert'
['ssl_cert']['chef_gem']['clear_sources'] Boolean chef_gem resource's clear_sources property. false
['ssl_cert']['chef_gem']['source'] String chef_gem resource's source property. nil
['ssl_cert']['chef_gem']['options'] String chef_gem resource's options property. nil
['ssl_cert']['chef-vault']['version'] String chef-vault installation version. '~> 2.6'
['ssl_cert']['env_context'] String node's environment or nil/empty. node.chef_environment
['ssl_cert']['vault_item_suffix'] String vault item name's suffix. ".#{node['ssl_cert']['env_context']}"
['ssl_cert']['ca_cert_vault'] String CA certificate stored vault name. 'ca_certs'
['ssl_cert']['ca_cert_vault_item_key'] String CA certificate stored vault item key name. (single key or nested hash key path delimited by slash) 'public'
['ssl_cert']['ca_cert_file_prefix'] String CA certificate file name's prefix. ''
['ssl_cert']['ca_cert_file_extension'] String CA certificate file name's extension. (0.3.0 or later) 'crt'
['ssl_cert']['ca_pubkey_vault'] String CA public key stored vault name. (0.2.0 or later) 'ca_pubkeys'
['ssl_cert']['ca_pubkey_vault_item_key'] String CA public key stored vault item key name. (single key or nested hash key path delimited by slash. 0.2.0 or later) 'public'
['ssl_cert']['ca_pubkey_file_prefix'] String CA public key file name's prefix. (0.2.0 or later) ''
['ssl_cert']['ca_pubkey_file_extension'] String CA public key file name's extension. (0.3.0 or later) 'pub'
['ssl_cert']['ssh_ca_krl_vault'] String SSH-CA KRL stored vault name. (0.3.0 or later) 'ssh_ca_krls'
['ssl_cert']['ssh_ca_krl_vault_item_key'] String SSH-CA KRL stored vault item key name. (single key or nested hash key path delimited by slash. 0.3.0 or later) 'public'
['ssl_cert']['ssh_ca_krl_file_prefix'] String SSH-CA KRL file name's prefix. (0.3.0 or later) ''
['ssl_cert']['ssh_ca_krl_file_extension'] String SSH-CA KRL file name's extension. (0.3.0 or later) 'krl'
['ssl_cert']['server_key_vault'] String SSL server key stored vault name. 'ssl_server_keys'
['ssl_cert']['server_key_vault_item_key'] String SSL server key stored vault item key name. (single key or nested hash key path delimited by slash) 'private'
['ssl_cert']['server_key_file_prefix'] String SSL server key file name's prefix. ''
['ssl_cert']['server_key_file_extension'] String SSL server key file name's extension. (0.3.0 or later) 'key'
['ssl_cert']['server_cert_vault'] String SSL server certificate stored vault name. 'ssl_server_certs'
['ssl_cert']['server_cert_vault_item_key'] String SSL server certificate stored vault item key name. (single key or nested hash key path delimited by slash) 'public'
['ssl_cert']['server_cert_file_prefix'] String SSL server certificate file name's prefix. ''
['ssl_cert']['server_cert_file_extension'] String SSL server certificate file name's extension. (0.3.0 or later) 'crt'
['ssl_cert']["#{ca}_cert_src_path"] String CA certificate source file path. (0.3.3 or later) "#{node['ssl_cert']['certs_src_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.#{node['ssl_cert']['ca_cert_file_extension']}"
['ssl_cert']["#{ca}_cert_path"] String deployed CA certificate file path. "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.#{node['ssl_cert']['ca_cert_file_extension']}"
['ssl_cert']["#{ca}_pubkey_path"] String deployed CA public key file path. (0.2.0 or later) "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.#{node['ssl_cert']['ca_pubkey_file_extension']}"
['ssl_cert']["#{undotted_cn}_key_path"] String deployed SSL server key file path. "#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{undotted_cn}.#{node['ssl_cert']['server_key_file_extension']}"
['ssl_cert']["#{undotted_cn}_cert_path"] String deployed SSL server certificate file path. "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{undotted_cn}.#{node['ssl_cert']['server_cert_file_extension']}"

Usage

recipes

  • ssl_cert::default - deploys CA certificates, SSL server keys and/or certificates.
  • ssl_cert::ca_certs - deploys CA certificates.
  • ssl_cert::ca_pubkeys - deploys CA public keys for SSH-CA, ... (0.2.0 or later)
  • ssl_cert::ssh_ca_krl - deploys a SSH-CA KRL (Key Revocation List) file. (0.3.0 or later)
  • ssl_cert::server_key_pairs - deploys SSL server keys and certificates.
  • ssl_cert::server_keys - deploys SSL server keys.
  • ssl_cert::server_certs - deploys SSL server certificates.

Vault items creation and cookbook attribute settings (with default attributes)

CA certificates

  • create vault items.
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ca.prod.crt")})' \
> > ~/tmp/grid_ca.prod.crt.json

$ knife vault create ca_certs grid_ca.prod \
> --json ~/tmp/grid_ca.prod.crt.json
  • add cookbook attributes.
override_attributes(
  'ssl_cert' => {
    'ca_names' => [
      'grid_ca',
      # ...
    ],
  },
)

CA public keys (0.2.0 or later)

  • create vault items.
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.pub")})' \
> > ~/tmp/grid_ssh_ca.prod.pub.json

$ knife vault create ca_pubkeys grid_ssh_ca.prod \
> --json ~/tmp/grid_ssh_ca.prod.pub.json
  • add cookbook attributes.
override_attributes(
  'ssl_cert' => {
    'ca_pubkey_names' => [
      'grid_ssh_ca',
      # ...
    ],
  },
)

SSH-CA KRL (0.3.0 or later)

  • create vault items.
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.krl")})' \
> > ~/tmp/grid_ssh_ca.prod.krl.json

$ knife vault create ssh_ca_krls grid_ssh_ca.prod \
> --json ~/tmp/grid_ssh_ca.prod.krl.json
  • add cookbook attributes.
override_attributes(
  'ssl_cert' => {
    'ssh_ca_krl_name' => 'grid_ssh_ca',
  },
)

SSL server keys and certificates

  • create vault items.
$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("node_example_com.prod.key")})' \
> > ~/tmp/node_example_com.prod.key.json

$ knife vault create ssl_server_keys node.example.com.prod \
> --json ~/tmp/node_example_com.prod.key.json

$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("node_example_com.prod.crt")})' \
> > ~/tmp/node_example_com.prod.crt.json

$ knife vault create ssl_server_certs node.example.com.prod \
> --json ~/tmp/node_example_com.prod.crt.json
  • add cookbook attributes
override_attributes(
  'ssl_cert' => {
    'common_names' => [
      'node.example.com',
      # ...
    ],
  },
)

References of deployed key and certificate file paths (with default attributes)

  • node['ssl_cert']["#{ca}_cert_path"] - e.g. node['ssl_cert']['grid_ca_cert_path']
  • node['ssl_cert']["#{ca}_pubkey_path"] - e.g. node['ssl_cert']['grid_ssh_ca_pubkey_path']
  • node['ssl_cert']["#{ca}_krl_path"] - e.g. node['ssl_cert']['grid_ssh_ca_krl_path']
  • node['ssl_cert']["#{undotted_cn}_key_path"] - e.g. node['ssl_cert']['node_example_com_key_path']
  • node['ssl_cert']["#{undotted_cn}_cert_path"] - e.g. node['ssl_cert']['node_example_com_cert_path']

License and Authors

  • Author:: whitestar at osdn.jp
Copyright 2016, whitestar

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

apt_utils Applicable Versions
athenz Applicable Versions
chef_utils Applicable Versions
concourse-ci Applicable Versions
docker-grid Applicable Versions
gitlab-grid Applicable Versions
hc-vault Applicable Versions
jenkins-grid Applicable Versions
lxcs Applicable Versions
minio-grid Applicable Versions
nexus-grid Applicable Versions
openldap-grid Applicable Versions
screwdriver Applicable Versions
spinnaker Applicable Versions
supermarket-omnibus-ya Applicable Versions
ups_utils Applicable Versions

ssl_cert CHANGELOG

0.3.5

  • bug fix: key access group modification.
  • adds SSLCert::Helper.append_members_to_key_access_group method.

0.3.4

  • adds the ['ssl_cert']['debian']['key_access_mode'] attribute.
  • adds the ['ssl_cert']['rhel']['key_access_mode'] attribute.

0.3.3

  • bug fix: adds CA certificate update sequece for system level.
  • adds the ['ssl_cert']['certs_src_dir'] attribute.
  • refactoring.

0.3.2

  • refactoring.

0.3.1

  • Cleanup for FoodCritic and RuboCop.

0.3.0

  • add ssh_ca_krl recipe for SSH-CA
  • add deployed filename extension attributes.

0.2.0

  • add ca_pubkeys recipe for SSH-CA, ...

0.1.5

  • add ['ssl_cert']['rhel']['key_access_group'] attribute.

0.1.4

  • improvement for vault item key setting (add nested hash key path format delimited by slash)

0.1.3

  • add {ca_cert,server_key,server_cert}_file_prefix attributes.

0.1.2

  • add some attributes.

0.1.1

  • a little modified.

0.1.0

  • Initial release of ssl_cert

Collaborator Number Metric
            

0.3.5 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Foodcritic Metric
            

0.3.5 passed this metric

License Metric
            

0.3.5 passed this metric