Shortly after my first blush of sucess with Chef, it become clear I needed to understand how to securely distribute credentials and file content such as SSL certificates. Off I went in search of the solution with old friend Google….
A bit later, having come to the conclusion that the chef-vault gem (open-sourced by Nordstrum and bundled into the Chefdk omnibus) was the answer I then went in seach of the real question “How do I actually use this?”. The answers were few and far between and only one blog really ran through the process when it came to file contents. @jttimberman’s post “Managing Secrets with Chef Vault” was the closest thing I came across that walked through the process. Unfortunately it was nearly two years out of date and in the world of OSS that’s an eternity.
Distributing passwords was simple enough but tackling a PEM SSL cert meant I ran into a bunch of baffling errors, especially with encoding the file content into a JSON format. After a lot of trial and error I found a way forward and considering the lack of info on the web and the very likely chance I’ll forget how I did it, I’ve posted the process below. I haven’t gone into detail on explaining what each step does and why it’s necessary; @jtimberman’s post still explains that well along with the official GitHub repo for reference.
This is the step by step updated procedure for distributing sensitive file contents via chef and chef-vault, as I figured it out. It’s valid as of the following versions
- chef-dk 0.4.0
- chef-vault 2.5
- Chef client 12.0.2
1) Update the Chef-Vault gem (From what I can tell the omnibus doesn’t have this latest version which seems to have a number of fixes in it).
2) Update knife.rb with chef-vault settings.
knife[:vault_mode] = ‘client’ (If you are using Chef Server)
3) Upload the file contents using knife.
knife vault create <databag name> <item name> –file <full path to file to encrypt> –search ‘role:<role- names(s)>
4) Update your recipe to load the chef-vault gem and decrypt the file contents.
chef_gem “chef-vault”
require “chef-vault”
vault = ChefVault::Item.load(‘<vault name>’,'<item name>’)
file “<path and name of file>” do
content vault[‘file-content’]
action :create
sensitive true
end
References:
Github Chef-Vault repo
24 by 7, 3 6 5 