This cookbook aims to ease chef-vault interaction by providing additional helpers, and testing the functionality on a Linux and Windows box.
More info about chef-vault: https://github.com/chef-cookbooks/chef-vault
Let us say you are using a cookbook that requires you to set a password in an attribute. This attribute is usually set in a wrapper cookbook which includes the original cookbook. By including this cookbook as well, you can set the attribute in the wrapper cookbook's attribute file like this:
secret['cookbook']['password'] = chef_vault_item_or_default('vault', 'item')This will set the attribute default['cookbook']['password'] to the item from the vault. It will also set the attribute to SECRET at the end of the Chef run, therefore ensuring that the Chef Server will not contain the password in plaintext. If the item in the vault does not exist it will fail.
If you would like to default to a value in a testing environment, you can use the chef_secrets attributes namespace:
default['chef_secrets']['vaultX']['itemY'] = 'fake_secret'
secret['cookbook']['password'] = chef_vault_item('vaultX', 'itemY')
# use it anywhere with node['cookbook']['password']['key']Secret attributes are node attributes that are available only during the Chef run, but set to SECRET when saved and uploaded to the Chef Server. These attributes are actually default node attributes set through a helper method, so you may access them as you would access any default node attribute.
Set a secret in cookbook attributes:
secret['cookbook']['password'] = 'SuperSecretPassword'Read it anywhere like a default node attribute:
Chef::Log.info("This is my password: #{node['cookbook']['password']}")Note: Please don't accidentally save your secrets in the Chef log file :)
When called with this syntax
secret['cookbook']['password'] = 'SuperSecretPassword'actually calls
chef_secret_attribute_set(['cookbook', 'password'], 'SuperSecretPassword')which in turn sets
default['cookbook']['password'] = 'SuperSecretPassword'and will be cleared at the end by
chef_secret_attribute_clear(['cookbook', 'password'])which sets
default['cookbook']['password'] = 'SECRET'Get an item from the vault, or default to value if if the vault or item does not exist. If the default value is not specified, it will fail the Chef run.
chef_vault_item_or_default('vault', 'item', 'default') Note: A chef-vault item will always be a hash, so it may be better to set the default value to a similar hash as well.
Return true if item is a vault item. Note that unlike ChefVault::Item.vault?, this method returns false if the data bag does not exist.
chef_vault_item_is_vault?('vault', 'item')Vault items are encrypted data-bags, to ease their testing in Test-kitchen and ChefSpec, you can define mock values via the chef_secrets attributes.
default['chef_secrets']['fake']['secret'] = ::Mash.new(user: 'password')
secret['user']['password'] = chef_vault_item('fake', 'secret')For Test-Kitchen it's better to setup the vault attribute in the kitchem.yml.
provisioner:
name: chef_zero
platforms:
- name: centos-7
suites:
- name: default
run_list:
- recipe[XXX]
attributes:
chef_secrets:
fake:
secret:
user: password