Chef Infra Plugin
Prerequisites
- Chef Workstation installed. See https://docs.chef.io/workstation/install_workstation/ for installation help.
Note
Akeyless developed API compatibility with Hashicorp Vault OSS, enabling the use of Vault OSS community plugins for both Static & Dynamic Secrets, you can find more information here
Chef Infra Plugin Configuration
-
Download the following Chef Infra cookbook from here https://github.com/exospheredata/secrets_management
-
Add the following recipe to your cookbook:
#
# Cookbook:: secrets_management_test
# Recipe:: akeyless-vault
#
vault_hash = {}
vault_hash[:token] = data_bag_item('vault-test', 'config')['token']
vault_hash[:address] = data_bag_item('vault-test', 'config')['addr']
vault = Vault::Client.new(vault_hash)
secret_name = 'chef/test_secret_1'
bag = open_secret_item('/secret/data/', secret_name, vault: vault_hash)
secret_value = bag['data'][secret_name.to_sym]
file '/tmp/hello_from_akeyless' do
content "Secret is: #{secret_value}\n"
end
- Upload the cookbook to your Chef Infra Server
- Create the following Data Bag:
{
"id": "config",
"addr": "https://hvp.akeyless.io",
"token": "<access-id>..<access-key>",
"chef-approle": "base"
}
- Test by running Chef Infra Client:
$ sudo chef-client
Starting Chef Infra Client, version 17.0.242
[2020-05-17T10:45:36+03:00] INFO: *** Chef Infra Client 17.0.242 ***
[2020-05-17T10:45:36+03:00] INFO: Platform: x86_64-darwin17
[2020-05-17T10:45:36+03:00] INFO: Chef-client pid: 19289
[2020-05-17T10:45:42+03:00] INFO: Run List is [role[base]]
[2020-05-17T10:45:42+03:00] INFO: Run List expands to [secrets_management_test]
[2020-05-17T10:45:42+03:00] INFO: Starting Chef Infra Client Run for Test
[2020-05-17T10:45:42+03:00] INFO: Running start handlers
[2020-05-17T10:45:42+03:00] INFO: Start handlers complete.
resolving cookbooks for run list: ["secrets_management_test"]
[2020-05-17T10:45:43+03:00] INFO: Loading cookbooks [[email protected], [email protected], [email protected], [email protected]]
Synchronizing Cookbooks:
- secrets_management_test (0.4.5)
- secrets_management (1.0.0)
- chef-vault (3.0.0)
- compat_resource (12.19.0)
Installing Cookbook Gems:
[2020-05-17T10:45:54+03:00] INFO: Dont run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching gem metadata from https://www.rubygems.org/...........
Fetching gem metadata from https://www.rubygems.org/.
Resolving dependencies...
Using aws-eventstream 1.1.0
Using aws-sigv4 1.1.3
Using bundler 1.17.2
Using chef-vault 4.0.1
Using vault 0.13.2
Bundle complete! 2 Gemfile dependencies, 5 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.
Compiling Cookbooks...
Converging 1 resources
Recipe: secrets_management_test::akeyless-vault
* file[/tmp/hello_from_akeyless] action create[2020-05-17T10:45:56+03:00] INFO: Processing file[/tmp/hello_from_akeyless] action create (secrets_management_test::akeyless-vault line 16)
[2020-05-17T10:45:56+03:00] INFO: file[/tmp/hello_from_akeyless] created file /tmp/hello_from_akeyless
- create new file /tmp/hello_from_akeyless[2020-05-17T10:45:56+03:00] INFO: file[/tmp/hello_from_akeyless] updated file contents /tmp/hello_from_akeyless
- update content in file /tmp/hello_from_akeyless from none to 6236c1
--- /tmp/hello_from_akeyless 2020-05-17 10:45:56.287670044 +0300
+++ /tmp/.chef-hello_from_akeyless20200517-19289-i3qenl 2020-05-17 10:45:56.287419909 +0300
@@ -1 +1,2 @@
+Secret is: [my chef secret value!]
[2020-05-17T10:45:56+03:00] INFO: Chef Infra Client Run complete in 13.45992 seconds
Running handlers:
[2020-05-17T10:45:56+03:00] INFO: Running report handlers
Running handlers complete
[2020-05-17T10:45:56+03:00] INFO: Report handlers complete
Chef Infra Client finished, 1/1 resources updated in 20 seconds
$ cat /tmp/hello_from_akeyless
Secret is: my chef secret value!
Info
Chef Plugin repo - https://github.com/exospheredata/secrets_management
Updated about 2 months ago