vlt (5) Versions 0.2.2

Chef helper lib to read secrets from HashiCorp's Vault

Policyfile: cookbook 'vlt', '~> 0.2.2', :supermarket
Berkshelf: cookbook 'vlt', '~> 0.2.2'
Knife: knife supermarket install vlt
Knife: knife supermarket download vlt
Quality 33%

vlt cookbook

Chef helper lib to read secrets from HashiCorp's Vault

Concept

This cookbook provides a set of utilities to obtain secrets stored in Vault's K/V version 2 secret engine. Each Chef node authenticates using the AppRole method. Credentials are expected to be stored on the Chef node in a JSON file at /etc/vault.json:

{
  "address": "https://vault.acme.corp:8200",
  "token": "s.a9fgfdgg....",
  "approle": "database"
}

Usage

vlt = ::Vlt::Client.new(::Vlt.file_auth_provider)

template '/etc/myapp' do
  source 'myapp.conf.erb'
  # ...
  # lazy defers the Vault reads until the resource converges
  variables lazy {
    {
      db_user: vlt.read('production/app_credentials', prefix: 'postgres', key: 'user'),
      db_password: vlt.read('production/app_credentials', prefix: 'postgres', key: 'password')
    }
  }
end

The sample above will do the following:
1. Read credentials stored in the /etc/vault.json file.
2. Authenticate on the Vault server at <address> using <token> and claim a Vault-defined role <approle>.
3. Read a secret at postgres/data/production/app_credentials and obtain 2 keys, namely user and password, from it.

Advanced

list secrets

Secrets can be listed within a specific path:

vlt.list('certificate', prefix: 'tls')

The sample above will list secret names at tls/metadata/certificate.

default prefix

One can specify a default prefix in the ::Vlt::Client constructor:

vlt = ::Vlt::Client.new(::Vlt.file_auth_provider, 'postgres')

exception handling

By default, read and list calls throw an exception if the specified path does not exist or the policy associated with the claimed <approle> provides insufficient permissions. This behaviour may not be suitable for every use case and can be overridden with the raise_err option:

vlt.read('certificate/app', prefix: 'tls', raise_err: false)  # returns nil if the secret does not exist

store & obtain credentials

The default ::Vlt::file_auth_provider is a Ruby lambda function which reads JSON at /etc/vault.json and returns a tuple (<address>, <token>, <approle>). One may use their own scheme to store credentials and provide a function to obtain them:

def custom_vault_auth
  lambda do
    # do something to obtain Vault credentials, then return them
    # in this order (the strings below are placeholders)
    return '<address>', '<token>', '<approle>'
  end
end

vlt = ::Vlt::Client.new(custom_vault_auth)
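
Because /etc/vault.json holds a live Vault token, a custom provider is a natural place to refuse a loosely protected credentials file. The following is an added example, not code from the vlt cookbook: the names strict_file_auth_provider and InsecureVaultCredentials and the allowed_uids parameter are assumptions made for illustration, and it returns the same (<address>, <token>, <approle>) tuple described above.

```ruby
require 'json'
require 'uri'

# Hypothetical error class (not part of the vlt cookbook).
class InsecureVaultCredentials < StandardError; end

# Hypothetical helper (not part of the vlt cookbook): returns an auth provider
# lambda that loads Vault credentials only from a file that is a regular file,
# owned by an allowed uid, and not accessible to group or other.
def strict_file_auth_provider(path = '/etc/vault.json', allowed_uids: [0])
  lambda do
    # Open first and stat the open handle, so the checks and the read apply to
    # the same inode. NOFOLLOW makes a symlinked final component fail (ELOOP).
    File.open(path, File::RDONLY | File::NOFOLLOW) do |f|
      st = f.stat
      raise InsecureVaultCredentials, "#{path}: not a regular file" unless st.file?
      unless allowed_uids.include?(st.uid)
        raise InsecureVaultCredentials, "#{path}: owner uid #{st.uid} not allowed"
      end
      # Any group/other permission bit exposes the token to other local users.
      if (st.mode & 0o077) != 0
        raise InsecureVaultCredentials,
              format('%s: mode %04o, expected 0600 or stricter', path, st.mode & 0o7777)
      end

      creds = JSON.parse(f.read)
      missing = %w[address token approle].reject do |k|
        creds[k].is_a?(String) && !creds[k].empty?
      end
      unless missing.empty?
        raise InsecureVaultCredentials, "#{path}: missing #{missing.join(', ')}"
      end
      # A token sent over plain HTTP can be captured on the network.
      unless URI.parse(creds['address']).is_a?(URI::HTTPS)
        raise InsecureVaultCredentials, "#{path}: address must use https"
      end

      # Same tuple order the cookbook's provider contract describes.
      [creds['address'], creds['token'], creds['approle']]
    end
  end
end

# Usage with the cookbook (requires the vlt library to be loaded):
#   vlt = ::Vlt::Client.new(strict_file_auth_provider)
```

The checks run each time the lambda is called, so a file whose mode is loosened between chef-client runs is rejected on the next run.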

renew token

Renew the token on every chef-client run:

vlt = ::Vlt::Client.new(::Vlt::file_auth_provider)

ruby_block 'renew Vault token lease' do
  block do
    vlt.renew_lease
  end
  action :run
end

License

MIT @ Alexander Pyatkin

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog
and this project adheres to Semantic Versioning.

[0.2.2] - 2020-12-09

  • Add ::Vlt::Client.renew_lease method.

[0.2.1] - 2020-09-28

Added

  • Add shields to README file.

Fixed

  • Fix documentation.

[0.2.0] - 2020-09-28

Added

  • Add ::Vlt::Client.list method.
  • Add README file.

[0.1.1] - 2020-09-25

Added

  • Add CHANGELOG and CONTRIBUTING files.

Changed

  • Include chef_version and supports to cookbook metadata.

[0.1.0] - 2020-09-25

First appearance in public.

Added

Collaborator Number Metric
            

0.2.2 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric
            

0.2.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric
            

0.2.2 passed this metric

No Binaries Metric
            

0.2.2 passed this metric

Testing File Metric
            

0.2.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric
            

0.2.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number