Installs and enables chef-encrypted-attributes gem: Chef plugin to add Node encrypted attributes support using client keys.

```ruby
cookbook 'encrypted_attributes', '~> 0.6.0', :supermarket
```

```sh
knife supermarket install encrypted_attributes
knife supermarket download encrypted_attributes
```
## Description

Installs and enables the chef-encrypted-attributes gem: a Chef plugin to add Node encrypted attributes support using client keys.
## Requirements

### Supported Platforms

This cookbook has been tested on the following platforms:

- Amazon Linux
- CentOS
- Debian
- Fedora
- FreeBSD
- openSUSE
- RedHat
- SUSE
- Ubuntu

Please, let us know if you use it successfully on any other platform.

### Required Cookbooks

### Required Applications

- Ruby `1.9.3` or higher.

See also the requirements of the chef-encrypted-attributes gem.
## Attributes

| Attribute | Default | Description |
|---|---|---|
| `node['encrypted_attributes']['version']` | calculated | chef-encrypted-attributes gem version to install. The latest stable version is installed by default. |
| `node['encrypted_attributes']['mirror']` | `nil` | chef-encrypted-attributes mirror to download the gem from. For cases where you do not want to use RubyGems. |
| `node['encrypted_attributes']['data_bag']['name']` | `'global'` | chef-encrypted-attributes user keys, data bag name. |
| `node['encrypted_attributes']['data_bag']['item']` | `'chef_users'` | chef-encrypted-attributes user keys, data bag item name. |
| `node['dev_mode']` | calculated | If this is `true`, the `Chef::EncryptedAttributesHelpers` library will work with unencrypted attributes instead of encrypted attributes. For testing purposes. |
## Recipes

### encrypted_attributes::default

Installs and loads the chef-encrypted-attributes gem.

### encrypted_attributes::expose_key

Exposes the Client Public Key in attributes. This is a workaround for the Chef Clients Limitation problem. Should be included by all nodes that need to have read privileges on the attributes.

### encrypted_attributes::users_data_bag

Configures chef-encrypted-attributes Chef User keys, reading them from a data bag. This is a workaround for the Chef Users Limitation problem.

## Helper Libraries

See the `Chef::EncryptedAttributesHelpers` documentation.
## Usage Examples

### Including in a Cookbook Recipe

You can simply include it in a recipe:

```ruby
include_recipe 'encrypted_attributes'
```

Don't forget to include the `encrypted_attributes` cookbook as a dependency in the metadata.

```ruby
# metadata.rb
# [...]

depends 'encrypted_attributes'
```

### Including in the Run List

Another alternative is to include the default recipe in your Run List:

```json
{
  "name": "ftp.onddo.com",
  "[...]": "[...]",
  "run_list": [
    "recipe[encrypted_attributes]"
  ]
}
```
### encrypted_attributes::default Recipe Usage Example

```ruby
include_recipe 'encrypted_attributes'

# include the #secure_password method
self.class.send(:include, Opscode::OpenSSL::Password)

if Chef::EncryptedAttribute.exists?(node['myapp']['ftp_password'])
  # update with the new keys
  Chef::EncryptedAttribute.update(node.set['myapp']['ftp_password'])

  # read the password
  ftp_pass = Chef::EncryptedAttribute.load(node['myapp']['ftp_password'])
else
  # create the password and save it
  ftp_pass = secure_password
  node.set['myapp']['ftp_password'] = Chef::EncryptedAttribute.create(ftp_pass)
end

# use `ftp_pass` for something here ...
Chef::Log.debug("FTP password: #{ftp_pass}")
```

You can also use the `Chef::EncryptedAttributesHelpers` helpers to simplify its use:

```ruby
include_recipe 'encrypted_attributes'
self.class.send(:include, Chef::EncryptedAttributesHelpers)

ftp_pass = encrypted_attribute_write(%w(myapp ftp_password)) do
  self.class.send(:include, Opscode::OpenSSL::Password)
  secure_password
end

Chef::Log.debug("FTP password: #{ftp_pass}")
```

**Note:** This example requires the openssl cookbook.

See the chef-encrypted-attributes gem Usage section for more examples.
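To make the create/update/load pattern above concrete, here is an added, self-contained model of what "encrypted attributes using client keys" means: a secret is encrypted once under a random AES-256-GCM data key, and that data key is wrapped with RSA-OAEP for every recipient public key (the node's own client key, other nodes that include `expose_key`, and Chef users taken from the data bag). This is illustrative code written for this page; it is not the chef-encrypted-attributes gem's API or storage format, and the function names `encrypt_for`, `decrypt_as` and `reencrypt` are assumptions. It does show why plain node attributes and an unencrypted data bag are enough to hold the public keys, why `update` must re-encrypt rather than copy the old wrapped keys, and why a tampered value fails to decrypt instead of yielding garbage. (The debug log line in the examples above prints the plaintext; keep that out of real recipes.)

```ruby
require 'openssl'
require 'base64'

# Illustrative model only (added here; NOT the chef-encrypted-attributes gem).
CIPHER = 'aes-256-gcm'.freeze
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# recipients: { 'name' => OpenSSL::PKey::RSA } holding public keys only.
# Returns a plain Hash of strings, so it can be stored as a node attribute.
def encrypt_for(secret, recipients)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  data_key = cipher.random_key   # fresh symmetric key per value
  iv = cipher.random_iv          # 96-bit GCM nonce, never reused with this key
  cipher.auth_data = ''
  ciphertext = cipher.update(secret) + cipher.final
  wrapped = recipients.each_with_object({}) do |(name, pub), h|
    # A private key here means a secret was put where a public key belongs.
    raise ArgumentError, "#{name}: expected a public key" if pub.private?
    h[name] = Base64.strict_encode64(pub.public_encrypt(data_key, OAEP))
  end
  {
    'cipher' => CIPHER,
    'iv' => Base64.strict_encode64(iv),
    'auth_tag' => Base64.strict_encode64(cipher.auth_tag),
    'data' => Base64.strict_encode64(ciphertext),
    'keys' => wrapped
  }
end

# Recover the secret as recipient `name` using its private key.
# Raises KeyError if no key was wrapped for that name, and
# OpenSSL::Cipher::CipherError if the stored value was tampered with.
def decrypt_as(attr, name, priv)
  wrapped = attr.fetch('keys').fetch(name)
  data_key = priv.private_decrypt(Base64.strict_decode64(wrapped), OAEP)
  cipher = OpenSSL::Cipher.new(attr.fetch('cipher'))
  cipher.decrypt
  cipher.key = data_key
  cipher.iv = Base64.strict_decode64(attr.fetch('iv'))
  cipher.auth_tag = Base64.strict_decode64(attr.fetch('auth_tag'))
  cipher.auth_data = ''
  cipher.update(Base64.strict_decode64(attr.fetch('data'))) + cipher.final
end

# The "update with the new keys" step: decrypt as someone who still holds
# access, then re-encrypt for the current recipient set. A recipient dropped
# from the set can no longer read the new value, and a fresh data key is
# generated, so no old wrapped key can be reused.
def reencrypt(attr, name, priv, recipients)
  encrypt_for(decrypt_as(attr, name, priv), recipients)
end
```

A recipient removed from the set is refused by `fetch` before any decryption is attempted, and any change to `data`, `iv` or `auth_tag` makes GCM's tag check fail in `final`, which is the behaviour you want from a value that lives in a node object other clients can read.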
### encrypted_attributes::users_data_bag Recipe Usage Example

This recipe should be called before using the encrypted attributes. It sets the `Chef::Config[:encrypted_attributes][:keys]` option, reading the keys from a data bag.

Before using this recipe, you must create the required data bag:

```sh
$ knife data bag create global_data chef_users
```

You should create a data bag item with the following format:

```json
{
  "id": "chef_users",
  "bob": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFA...",
  "alice": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFA..."
}
```

The keys can be set in array of strings format if you prefer:

```json
{
  "id": "chef_users",
  "bob": [
    "-----BEGIN PUBLIC KEY-----",
    "MIIBIjANBgkqhkiG9w0BAQEFA...",
    "[...]"
  ],
  "alice": [
    "-----BEGIN PUBLIC KEY-----",
    "MIIBIjANBgkqhkiG9w0BAQEFA...",
    "[...]"
  ]
}
```

You can retrieve user public keys with `knife user show USER -a public_key -f json`.

Then, you can use this data bag to configure the `Chef::Config[:encrypted_attributes][:keys]` chef-encrypted-attributes configuration only by calling the recipe:

```ruby
node.default['encrypted_attributes']['data_bag']['name'] = 'global_data'
include_recipe 'encrypted_attributes::users_data_bag'

# if Chef::EncryptedAttribute.exist?(...)
#   Chef::EncryptedAttribute.update(...)
# else
#   node.set[...][...] = Chef::EncryptedAttribute.create(...)
# ...
```

**Note:** This data bag does not need to be encrypted, because it only stores public keys.
### Using Chef::EncryptedAttributesHelpers to Encrypt MySQL Passwords

In the following example we use the official mysql cookbook and its `mysql_service` resource to save the password encrypted in the following attribute: `node['myapp']['mysql']['server_root_password']`.

```ruby
# Include the #secure_password method from the openssl cookbook
self.class.send(:include, Opscode::OpenSSL::Password)

# Install Encrypted Attributes gem
include_recipe 'encrypted_attributes'

# Include the Encrypted Attributes cookbook helpers
self.class.send(:include, Chef::EncryptedAttributesHelpers)

# We can use an attribute to enable or disable encryption
# (recommended for tests)
# self.encrypted_attributes_enabled = node['myapp']['encrypt_attributes']

# Encrypted Attributes will be generated randomly and saved in the
# `node['myapp']['mysql']["server_#{user}_password"]` attribute encrypted.
def generate_mysql_password(user)
  key = "server_#{user}_password"
  encrypted_attribute_write(['myapp', 'mysql', key]) { secure_password }
end

# Generate the encrypted root password
mysql_root_password = generate_mysql_password('root')

mysql_service 'default' do
  initial_root_password mysql_root_password
  # Some optional parameters:
  data_dir node['myapp']['mysql']['data_dir']
  bind_address '127.0.0.1'
  port node['myapp']['mysql']['port']
  run_group node['myapp']['mysql']['run_group']
  run_user node['myapp']['mysql']['run_user']
  version node['myapp']['mysql']['version']
  # [...]
  action [:create, :start]
end
```

**Note:** This example is for the mysql cookbook version `~> 6.0`.
## Testing

See TESTING.md.

## Contributing

Please do not hesitate to open an issue with any questions or problems.

See CONTRIBUTING.md.

## TODO

See TODO.md.

## License and Author

| | |
|---|---|
| **Author:** | Xabier de Zuazo (xabier@onddo.com) |
| **Contributor:** | Crystal Hsiung |
| **Contributor:** | Lisa Danz |
| **Copyright:** | Copyright (c) 2014-2015, Onddo Labs, SL. (www.onddo.com) |
| **License:** | Apache License, Version 2.0 |

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
# encrypted_attributes CHANGELOG

This file is used to list changes made in each version of the encrypted_attributes cookbook.

## v0.6.0 (2015-05-23)

New features:

- Improve `0.6.0`, `0.7.0` gem version support (issue #2, thanks Lisa Danz).
- Add SUSE as supported platform.
- Add `ChefGem#compile_time(true)` call to avoid Chef `12.1` warning.

Tests:

- Refactor kitchen.yml file using ERB.
- Update RuboCop to version `0.31.0`.

Documentation:

- Update links to point to chef.io.
- README:
  - Fix "chef users limitation" link.
  - Fix all RuboCop offenses in examples.
  - Update `mysql` cookbook example.

## v0.5.1 (2015-04-01)

- Set `ffi_yajl` version to `1.0.2` (issue #1, thanks @chhsiung).
- Berksfile: Fix `my_cookbook` variable value.
- Gemfile: update vagrant-wrapper to `2`.

## v0.5.0 (2014-12-15)

- Add `::expose_key` recipe.
- Update to work with `chef-encrypted-attributes` gem `0.4.0`.
- Use `build-essential` and install gem depends only when required.
- Add `Chef::EncryptedAttributesRequirements` class.
- Install gem dependencies explicitly.
- Fix gem specific and prerelease versions install.
- Fix integration tests for Chef `12.0.0` and `12.0.1`.
- `encrypted_attributes_test`: Save the attribute as normal.
- kitchen: Add suites for previous gem, Chef `11.12`, `11.16` and Chef `12`.
- Update to RuboCop `0.28.0`.
- travis.yml: Use the new build env.
- Gemfile: Use fixed foodcritic and RuboCop versions.
- Add Ruby documentation, integrated with yard and inch.
- Move `Chef::EncryptedAttributesHelpers` documentation to gem docs.
- README: Add inch-ci documentation badge.

## v0.4.0 (2014-11-08)

- Allow `Chef::EncryptedAttributesHelpers` to be used from LWRPs.
- Enable apt compile time update, required by `build-essential`.
- FreeBSD compiletime attribute changed to `compiletime_portsnap`.
- Add more unit tests: coverage 100%.
- Integrate tests with coveralls.io.
- Integrate tests with `should_not` gem.
- Fix new RuboCop offenses.
- Update to ChefSpec `4.1`.
- Update .kitchen.cloud.yml file.
- TESTING.md:
  - Add Guardfile requirements.
  - Use DO access token and some titles changed.

## v0.3.0 (2014-10-21)

- Add FreeBSD support
- Berksfile, Rakefile and Guardfile, generic templates copied
- Added `rubocop.yml` with AllCops:Include
- README:
  - Add an example to encrypt MySQL passwords
  - Always include encrypted_attributes recipe to force compile time build-essentials
  - Use single quotes in examples
  - Use markdown for tables
- Add LICENSE file
- kitchen.yml: remove empty attributes key
- License headers homogenized

## v0.2.2 (2014-10-02)

- Added platform support documentation
- `kitchen.yml` file updated
- Rakefile: rubocop enabled
- Gemfile:
  - Replaced vagrant by vagrant-wrapper
  - Added vagrant-wrapper version with pessimistic operator
  - Berkshelf updated to 3.1
- Guardfile added
- TODO: use checkboxes

## v0.2.1 (2014-08-28)

- EncryptedAttributesHelpers bugfix: avoid `#node.save` on chef-solo
- EncryptedAttributesHelpers: some code duplication removed
- README: added gemnasium and codeclimate badges

## v0.2.0 (2014-08-26)

- `encrypted_attributes_test::default`: `node#save` unless chef-solo
- Gemfile:
  - RSpec `~> 2.14.0` to avoid `uninitialized constant RSpec::Matchers::BuiltIn::RaiseError::MatchAliases` error
  - Updates: ChefSpec `4` and foodcritic `4`
  - Added chef-encrypted-attributes gem for unit tests
  - Gemfile clean up
- README:
  - README file split in multiple files
  - Replace community links by Supermarket links
  - Fixed `::users_data_bag` example using `#exist?` instead of `#exists_on_node?`
  - Added a link to `chef-encrypted-attributes` gem requirements
  - Multiple small fixes and improvements
- `::default`: avoid gem install error when no version is specified
- Install `gcc` dependency (`build-essential` cookbook)
- Added `Chef::EncryptedAttributesHelpers` helper library
- Added `EncryptedAttributesHelpers` unit tests
- Added RuboCop checking, all offenses fixed
- TODO: added verify gem task
- test/kitchen directory removed

## v0.1.0 (2014-05-22)

- Initial release of `encrypted_attributes`
Collaborator Number Metric
0.6.0 failed this metric
Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
0.6.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
0.6.0 failed this metric
FC064: Ensure issues_url is set in metadata: encrypted_attributes/metadata.rb:1
FC065: Ensure source_url is set in metadata: encrypted_attributes/metadata.rb:1
FC066: Ensure chef_version is set in metadata: encrypted_attributes/metadata.rb:1
FC069: Ensure standardized license defined in metadata: encrypted_attributes/metadata.rb:1
FC072: Metadata should not contain "attribute" keyword: encrypted_attributes/metadata.rb:1
FC075: Cookbook uses node.save to save partial node data to the chef-server mid-run: encrypted_attributes/libraries/encrypted_attributes_helpers.rb:165
FC075: Cookbook uses node.save to save partial node data to the chef-server mid-run: encrypted_attributes/recipes/expose_key.rb:29
FC121: Cookbook depends on cookbook made obsolete by Chef 14: encrypted_attributes/metadata.rb:1
FC122: Use the build_essential resource instead of the recipe: encrypted_attributes/recipes/default.rb:26
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
0.6.0 passed this metric
Testing File Metric
0.6.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
0.6.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number