Closed sethcohn closed 3 years ago
I'd be interested
This turns out to be pretty trivial (and thus worthwhile) to implement:
in providers/manage.rb
-ssl_secret = Chef::EncryptedDataBagItem.load_secret(new_resource.data_bag_secret) -ssl_item = Chef::EncryptedDataBagItem.load(new_resource.data_bag, new_resource.search_id, ssl_secret)
+chef_gem "chef-vault" +require "chef-vault" +ssl_item = ChefVault::Item.load(new_resource.data_bag, new_resource.search_id)
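Review bot: the `+ssl_item = ChefVault::Item.load(...)` line replaces the encrypted-data-bag load unconditionally, so every existing user of this resource who passes `data_bag_secret` loses that path the moment they upgrade; keep the `Chef::EncryptedDataBagItem.load(new_resource.data_bag, new_resource.search_id, ssl_secret)` branch as the default and select `ChefVault::Item` only when a resource attribute asks for it, as the rest of this thread proposes. Two smaller points in the same hunk: `chef_gem "chef-vault"` carries no version constraint, so an incompatible future release would be pulled onto every node silently (pin it), and a node that is not listed in the vault item will fail at `ChefVault::Item.load` rather than at the old secret-file lookup, which is worth a clear error message in the provider.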
Done. (You can remove the secret attribute reference elsewhere, for cleanup.) Perhaps making the recipe support both options is the way to go (i.e. leave the current behavior, and add in an attribute to use chef-vault instead)?
@sethcohn thanks for taking a look!
Definitely it should support the current way too, and chef-vault would be triggered by a resource attribute. Or maybe it could even default to a node attribute so it would be possible to switch on for all resources. Dunno.
I haven't used chef-vault, so someone else might best know how to implement.
It's my understanding that chef-vault re-encrypts the resource for each node. Some shared encrypted resource like a wildcard cert would need to be re-encrypted for each client with permission to access it. So perhaps, in a large enough environment, it might be preferable to have one encrypted resource for that shared resource.
In my opinion, I think it best to implement chef-vault while maintaining backwards compatibility.
@atomic-penguin, yes, that's correct. The trade-off is a shared encryption key (normal databag), versus no key needed (uses built-in chef keys, on a per-node basis). Each has advantages and disadvantages. I'm working on a way to enable, giving you the ability to use either or even mix.
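To make the trade-off in the two comments above concrete, here is an added example (not code from this cookbook or from chef-vault itself) that models both designs with Ruby's stdlib OpenSSL: model A is a single shared symmetric key with the item encrypted once, model B is a random per-item key that is wrapped separately under each authorized client's RSA public key, which is where the "re-encrypted for each client" cost comes from. The AES-GCM and RSA-OAEP choices, the client names (`admin`, `web01`, `web02`) and the sample secret are constructed for the example; chef-vault's real on-disk format is not reproduced.

```ruby
require "openssl"
require "base64"

# Constructed sample secret standing in for a wildcard certificate's private key (not a real key).
SHARED_CERT_SECRET = "-----BEGIN PRIVATE KEY-----\nconstructed-sample-material\n-----END PRIVATE KEY-----\n"

# --- Model A: encrypted data bag. One shared symmetric key; the item is encrypted once.
# Every node that needs the item has to be handed the same key out of band.
def databag_encrypt(plaintext, shared_key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = shared_key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { "iv" => Base64.strict_encode64(iv),
    "data" => Base64.strict_encode64(ciphertext),
    "tag" => Base64.strict_encode64(cipher.auth_tag) }
end

def databag_decrypt(item, shared_key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = shared_key
  cipher.iv = Base64.strict_decode64(item["iv"])
  cipher.auth_tag = Base64.strict_decode64(item["tag"]) # tampering raises OpenSSL::Cipher::CipherError
  cipher.update(Base64.strict_decode64(item["data"])) + cipher.final
end

# --- Model B: vault style. A random item key encrypts the payload once; that item key is then
# wrapped under each authorized client's RSA public key, so no shared secret is distributed.
def wrap_item_key(item_key, pubkey)
  Base64.strict_encode64(pubkey.public_encrypt(item_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))
end

def unwrap_item_key(wrapped, privkey)
  privkey.private_decrypt(Base64.strict_decode64(wrapped), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

def vault_create(plaintext, pubkeys_by_name)
  item_key = OpenSSL::Random.random_bytes(32)
  { "item" => databag_encrypt(plaintext, item_key),
    "keys" => pubkeys_by_name.transform_values { |pub| wrap_item_key(item_key, pub) } }
end

# A client can only recover the item key if an entry was wrapped for it; anyone else gets KeyError.
def vault_open(vault, name, privkey)
  wrapped = vault["keys"].fetch(name) { raise KeyError, "#{name} has no access to this vault item" }
  databag_decrypt(vault["item"], unwrap_item_key(wrapped, privkey))
end

# Granting a new client is the per-client re-encryption step: an existing holder unwraps the item
# key and wraps it again for the newcomer. Only the small key entry grows; the payload is untouched.
def vault_grant(vault, admin_name, admin_privkey, new_name, new_pubkey)
  item_key = unwrap_item_key(vault["keys"].fetch(admin_name), admin_privkey)
  vault.merge("keys" => vault["keys"].merge(new_name => wrap_item_key(item_key, new_pubkey)))
end

def demo
  # Constructed client identities; in Chef these would be the clients' existing API keys.
  admin = OpenSSL::PKey::RSA.generate(2048)
  web01 = OpenSSL::PKey::RSA.generate(2048)
  web02 = OpenSSL::PKey::RSA.generate(2048)

  vault = vault_create(SHARED_CERT_SECRET, { "admin" => admin.public_key, "web01" => web01.public_key })
  web02_before = begin
    vault_open(vault, "web02", web02)
  rescue KeyError
    :denied
  end
  vault = vault_grant(vault, "admin", admin, "web02", web02.public_key)
  {
    web01: vault_open(vault, "web01", web01) == SHARED_CERT_SECRET,
    web02_before_grant: web02_before,
    web02_after_grant: vault_open(vault, "web02", web02) == SHARED_CERT_SECRET,
    key_entries: vault["keys"].size
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The size of `vault["keys"]` is what grows with every client that is granted access, which is the scaling concern raised for a widely shared wildcard certificate; in exchange, no node ever holds a key that would let it read an item it was not explicitly granted.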
Sounds good, @sethcohn, looking forward to seeing the solution.
Rough idea:
# providers/manage.rb
chef_gem "chef-vault"   # as in the patch above; needed so ChefVault::Item resolves in the case below
require "chef-vault"

# Pick the data bag backend for this resource; the encrypted data bag stays the default
def bag_item
  return Chef::DataBagItem if node.dev_mode   # plain, unencrypted items in dev mode
  case new_resource.data_bag_provider
  when :chef_vault, ChefVault::Item then ChefVault::Item
  else Chef::EncryptedDataBagItem
  end
end

action :create do
  bag_item.load(new_resource.data_bag, "...")
  # ...
end
Use as:
certificate_manage "foo" do
  data_bag_provider :chef_vault
end
I have been using this cookbook to get certificates from Chef-Vault https://github.com/onbeep-cookbooks/ssl-vault
Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.
Closing due to inactivity. If this is still an issue please reopen or open another issue. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.
Would it be possible (read: are others interested?) in tweaking this to support using chef-vault (https://github.com/Nordstrom/chef-vault) rather than the standard encrypted data bag?
Reasoning: the usual encrypted secret method of databags requires management of the key, placing it onto the various nodes, etc. Vault solves this seamlessly, using existing node keys (and allowing search-based control of which keys are allowed), and adding in admin access by user, among other improvements. So this would allow a much cleaner setup and rollout.