ssl_cert (13 versions) 0.5.0

Sets up private keys and certificates for PKI from Chef Vault.

Install:
  Policyfile: cookbook 'ssl_cert', '~> 0.5.0', :supermarket
  Berkshelf:  cookbook 'ssl_cert', '~> 0.5.0'
  Knife:      knife supermarket install ssl_cert
              knife supermarket download ssl_cert

Quality: 33%

ssl_cert Cookbook

This cookbook deploys CA certificates, SSL server keys and/or certificates from Chef Vault items.

Contents

Requirements

packages

  • none.

Attributes

ssl_cert::default

| Key | Type | Description, example | Default |
|---|---|---|---|
| ['ssl_cert']['ca_names'] | Array | deployed CA certificates from chef-vault | empty |
| ['ssl_cert']['ca_name_symlinks'] | Hash | Key: ca_name, value: array of symbolic link names to the CA certificate file. | empty |
| ['ssl_cert']['ca_pubkey_names'] | Array | deployed CA public keys from chef-vault (0.2.0 or later) | empty |
| ['ssl_cert']['ssh_ca_krl_name'] | String | deployed SSH-CA KRL (Key Revocation List) from chef-vault (0.3.0 or later) | nil |
| ['ssl_cert']['common_names'] | Array | deployed server keys and/or certificates from chef-vault | empty |
| ['ssl_cert']['debian']['key_access_mode'] | | Private key file mode (ver. 0.3.4 or later). | 0640 |
| ['ssl_cert']['rhel']['key_access_mode'] | | Private key file mode (ver. 0.3.4 or later). | 0400 |
| ['ssl_cert']['rhel']['key_access_group'] | String | RHEL family's key access group (ver. 0.1.5 or later) | 'ssl-cert' |
| ['ssl_cert']['chef_gem']['clear_sources'] | Boolean | chef_gem resource's clear_sources property. | false |
| ['ssl_cert']['chef_gem']['source'] | String | chef_gem resource's source property. | nil |
| ['ssl_cert']['chef_gem']['options'] | String | chef_gem resource's options property. | nil |
| ['ssl_cert']['chef-vault']['version'] | String | chef-vault installation version. | '~> 2.6' |
| ['ssl_cert']['env_context'] | String | node's environment or nil/empty. | node.chef_environment |
| ['ssl_cert']['vault_item_suffix'] | String | vault item name's suffix. | ".#{node['ssl_cert']['env_context']}" |
| ['ssl_cert']['ca_cert_vault'] | String | CA certificate stored vault name. | 'ca_certs' |
| ['ssl_cert']['ca_cert_vault_item_key'] | String | CA certificate stored vault item key name. (single key or nested hash key path delimited by slash) | 'public' |
| ['ssl_cert']['ca_cert_file_prefix'] | String | CA certificate file name's prefix. | '' |
| ['ssl_cert']['ca_cert_file_extension'] | String | CA certificate file name's extension. (0.3.0 or later) | 'crt' |
| ['ssl_cert']['ca_pubkey_vault'] | String | CA public key stored vault name. (0.2.0 or later) | 'ca_pubkeys' |
| ['ssl_cert']['ca_pubkey_vault_item_key'] | String | CA public key stored vault item key name. (single key or nested hash key path delimited by slash. 0.2.0 or later) | 'public' |
| ['ssl_cert']['ca_pubkey_file_prefix'] | String | CA public key file name's prefix. (0.2.0 or later) | '' |
| ['ssl_cert']['ca_pubkey_file_extension'] | String | CA public key file name's extension. (0.3.0 or later) | 'pub' |
| ['ssl_cert']['ssh_ca_krl_vault'] | String | SSH-CA KRL stored vault name. (0.3.0 or later) | 'ssh_ca_krls' |
| ['ssl_cert']['ssh_ca_krl_vault_item_key'] | String | SSH-CA KRL stored vault item key name. (single key or nested hash key path delimited by slash. 0.3.0 or later) | 'public' |
| ['ssl_cert']['ssh_ca_krl_file_prefix'] | String | SSH-CA KRL file name's prefix. (0.3.0 or later) | '' |
| ['ssl_cert']['ssh_ca_krl_file_extension'] | String | SSH-CA KRL file name's extension. (0.3.0 or later) | 'krl' |
| ['ssl_cert']['server_key_vault'] | String | SSL server key stored vault name. | 'ssl_server_keys' |
| ['ssl_cert']['server_key_vault_item_key'] | String | SSL server key stored vault item key name. (single key or nested hash key path delimited by slash) | 'private' |
| ['ssl_cert']['server_key_file_prefix'] | String | SSL server key file name's prefix. | '' |
| ['ssl_cert']['server_key_file_extension'] | String | SSL server key file name's extension. (0.3.0 or later) | 'key' |
| ['ssl_cert']['server_cert_vault'] | String | SSL server certificate stored vault name. | 'ssl_server_certs' |
| ['ssl_cert']['server_cert_vault_item_key'] | String | SSL server certificate stored vault item key name. (single key or nested hash key path delimited by slash) | 'public' |
| ['ssl_cert']['server_cert_file_prefix'] | String | SSL server certificate file name's prefix. | '' |
| ['ssl_cert']['server_cert_file_extension'] | String | SSL server certificate file name's extension. (0.3.0 or later) | 'crt' |
| ['ssl_cert']['certs_src_dir'] | String | | See attributes/default.rb. |
| ['ssl_cert']['certs_dir'] | String | | See attributes/default.rb. |
| ['ssl_cert']['private_dir'] | String | | See attributes/default.rb. |
| ['ssl_cert']["#{ca}_cert_src_path"] | String | CA certificate source file path. (0.3.3 or later) | See attributes/default.rb. |
| ['ssl_cert']["#{ca}_cert_path"] | String | deployed CA certificate file path. | See attributes/default.rb. |
| ['ssl_cert']["#{ca}_pubkey_path"] | String | deployed CA public key file path. (0.2.0 or later) | "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.#{node['ssl_cert']['ca_pubkey_file_extension']}" |
| ['ssl_cert']["#{undotted_cn}_key_path"] | String | deployed SSL server key file path. | "#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{undotted_cn}.#{node['ssl_cert']['server_key_file_extension']}" |
| ['ssl_cert']["#{undotted_cn}_cert_path"] | String | deployed SSL server certificate file path. | "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{undotted_cn}.#{node['ssl_cert']['server_cert_file_extension']}" |
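Several of the *_vault_item_key attributes above accept either a single key ('public') or a nested hash key path delimited by a slash. The following is an added example, not code from the ssl_cert cookbook, showing how such a path resolves against a vault item in plain Ruby, alongside the JSON shape the `ruby -rjson` one-liners below feed to `knife vault create`. The helper names (build_vault_item_json, vault_item_value) and the certificate body are constructed for this example; the cookbook's own SSLCert::Helper.get_vault_item_value may differ.

```ruby
require 'json'

# Build the JSON document handed to `knife vault create --json`; this is the
# same {"public" => File.read(...)} shape as the README's one-liners.
def build_vault_item_json(key, content)
  JSON.generate({ key => content })
end

# Resolve a vault item key as the *_vault_item_key attributes describe it:
# a single key ("public") or a slash-delimited nested path ("tls/public").
# Returns nil when any segment is missing or a segment is not a Hash, so a
# mis-set attribute surfaces as an absent value rather than an exception.
def vault_item_value(item, key_path)
  key_path.split('/').reduce(item) do |node, key|
    node.is_a?(Hash) ? node[key] : nil
  end
end

# Constructed sample body; not a real certificate.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n".freeze

# Exercise both the flat and the nested layout (hypothetical vault items).
def demo
  flat   = JSON.parse(build_vault_item_json('public', SAMPLE_CERT))
  nested = { 'tls' => { 'public' => SAMPLE_CERT, 'private' => '[redacted]' } }
  {
    flat:     vault_item_value(flat, 'public'),          # single key
    nested:   vault_item_value(nested, 'tls/public'),    # nested key path
    missing:  vault_item_value(nested, 'tls/missing'),   # absent segment -> nil
    not_hash: vault_item_value(nested, 'tls/public/x'),  # path runs past a leaf -> nil
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.nil? ? 'nil' : v.lines.first.strip}" }
end
```

The nil result for a path that runs past a leaf is deliberate: a recipe that receives nil can fail the Chef run with a clear message instead of writing an empty key or certificate file.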

Usage

recipes

  • ssl_cert::default - deploys CA certificates, SSL server keys and/or certificates.
  • ssl_cert::ca_certs - deploys CA certificates.
  • ssl_cert::ca_pubkeys - deploys CA public keys for SSH-CA, ... (0.2.0 or later)
  • ssl_cert::ssh_ca_krl - deploys an SSH-CA KRL (Key Revocation List) file. (0.3.0 or later)
  • ssl_cert::server_key_pairs - deploys SSL server keys and certificates.
  • ssl_cert::server_keys - deploys SSL server keys.
  • ssl_cert::server_certs - deploys SSL server certificates.

Vault item creation and cookbook attribute settings (with default attributes)

CA certificates

  • create vault items.
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ca.prod.crt")})' \
> > ~/tmp/grid_ca.prod.crt.json

$ cd $CHEF_REPO_PATH

$ knife vault create ca_certs grid_ca.prod \
> --json ~/tmp/grid_ca.prod.crt.json
  • grant reference permission to the appropriate nodes
$ knife vault update ca_certs grid_ca.prod -S 'name:*.example.com'
  • add cookbook attributes.
override_attributes(
  'ssl_cert' => {
    'ca_names' => [
      'grid_ca',
      # ...
    ],
  },
)

CA public keys (0.2.0 or later)

  • create vault items.
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.pub")})' \
> > ~/tmp/grid_ssh_ca.prod.pub.json

$ cd $CHEF_REPO_PATH

$ knife vault create ca_pubkeys grid_ssh_ca.prod \
> --json ~/tmp/grid_ssh_ca.prod.pub.json
  • grant reference permission to the appropriate nodes
$ knife vault update ca_pubkeys grid_ssh_ca.prod -S 'name:*.example.com'
  • add cookbook attributes.
override_attributes(
  'ssl_cert' => {
    'ca_pubkey_names' => [
      'grid_ssh_ca',
      # ...
    ],
  },
)

SSH-CA KRL (0.3.0 or later)

  • create vault items.
$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.krl")})' \
> > ~/tmp/grid_ssh_ca.prod.krl.json

$ cd $CHEF_REPO_PATH

$ knife vault create ssh_ca_krls grid_ssh_ca.prod \
> --json ~/tmp/grid_ssh_ca.prod.krl.json
  • grant reference permission to the appropriate nodes
$ knife vault update ssh_ca_krls grid_ssh_ca.prod -S 'name:*.example.com'
  • add cookbook attributes.
override_attributes(
  'ssl_cert' => {
    'ssh_ca_krl_name' => 'grid_ssh_ca',
  },
)

SSL server keys and certificates

  • create vault items.
$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("node_example_com.prod.key")})' \
> > ~/tmp/node_example_com.prod.key.json

$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("node_example_com.prod.crt")})' \
> > ~/tmp/node_example_com.prod.crt.json

$ cd $CHEF_REPO_PATH

$ knife vault create ssl_server_keys node.example.com.prod \
> --json ~/tmp/node_example_com.prod.key.json

$ knife vault create ssl_server_certs node.example.com.prod \
> --json ~/tmp/node_example_com.prod.crt.json

Note: You must translate the wildcard character '*' of a common name into '_', because Data Bag items must have an id matching /^[\.\-[:alnum:]_]+$/. e.g. '*.example.com' => '_.example.com'

  • grant reference permission to the appropriate nodes
$ knife vault update ssl_server_keys node.example.com.prod -S 'name:node.example.com'
$ knife vault update ssl_server_certs node.example.com.prod -S 'name:node.example.com'
  • add cookbook attributes
override_attributes(
  'ssl_cert' => {
    'common_names' => [
      'node.example.com',
      # ...
    ],
  },
)

References to deployed key and certificate file paths (with default attributes)

undotted_cn: the '*' and '.' characters of a common name are translated into '_'. e.g. '*.example.com' => '__example_com'

  • node['ssl_cert']["#{ca}_cert_path"]: e.g. node['ssl_cert']['grid_ca_cert_path']
  • node['ssl_cert']["#{ca}_pubkey_path"]: e.g. node['ssl_cert']['grid_ssh_ca_pubkey_path']
  • node['ssl_cert']["#{ca}_krl_path"]: e.g. node['ssl_cert']['grid_ssh_ca_krl_path']
  • node['ssl_cert']["#{undotted_cn}_key_path"]: e.g. node['ssl_cert']['node_example_com_key_path'], node['ssl_cert']['__example_com_key_path']
  • node['ssl_cert']["#{undotted_cn}_cert_path"]: e.g. node['ssl_cert']['node_example_com_cert_path'], node['ssl_cert']['__example_com_cert_path']
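The two naming rules above (the Data Bag item id rule for vault items and the undotted_cn rule for attribute keys and file names) are easy to confuse, since they translate different characters. This added example, which is not the cookbook's own code, implements both in plain Ruby together with the default file path layout. It assumes env_context 'prod' and the default prefixes and extensions from the attribute table; certs_dir and private_dir are not given on this page ("See attributes/default.rb"), so the Debian-style directories used here are an assumption, as are the helper names.

```ruby
# Default attributes as documented, plus two assumed directories.
DEFAULTS = {
  'env_context'                => 'prod',
  'certs_dir'                  => '/etc/ssl/certs',   # assumed; see attributes/default.rb
  'private_dir'                => '/etc/ssl/private', # assumed; see attributes/default.rb
  'ca_cert_file_prefix'        => '',
  'ca_cert_file_extension'     => 'crt',
  'server_key_file_prefix'     => '',
  'server_key_file_extension'  => 'key',
  'server_cert_file_prefix'    => '',
  'server_cert_file_extension' => 'crt',
}.freeze

# Data Bag item ids must match /^[\.\-[:alnum:]_]+$/ (README note); anchored
# with \A and \z here so a multi-line string cannot slip past the check.
DATA_BAG_ID = /\A[\.\-[:alnum:]_]+\z/

# Vault item name: only '*' becomes '_', dots are kept, then the
# vault_item_suffix ".#{env_context}" is appended. Raises on an id that
# Chef would reject, so the mistake is caught before `knife vault create`.
def vault_item_name(common_name, attrs = DEFAULTS)
  id = common_name.tr('*', '_') + ".#{attrs['env_context']}"
  raise ArgumentError, "invalid data bag item id: #{id}" unless id.match?(DATA_BAG_ID)
  id
end

# undotted_cn: both '*' and '.' become '_' (used in attribute keys and file names).
def undotted_cn(common_name)
  common_name.tr('*.', '_')
end

def ca_cert_path(ca_name, attrs = DEFAULTS)
  "#{attrs['certs_dir']}/#{attrs['ca_cert_file_prefix']}#{ca_name}.#{attrs['ca_cert_file_extension']}"
end

def server_key_path(common_name, attrs = DEFAULTS)
  "#{attrs['private_dir']}/#{attrs['server_key_file_prefix']}#{undotted_cn(common_name)}.#{attrs['server_key_file_extension']}"
end

def server_cert_path(common_name, attrs = DEFAULTS)
  "#{attrs['certs_dir']}/#{attrs['server_cert_file_prefix']}#{undotted_cn(common_name)}.#{attrs['server_cert_file_extension']}"
end

# The node attribute keys a recipe would read for a given common name.
def attribute_keys(common_name)
  cn = undotted_cn(common_name)
  ["#{cn}_key_path", "#{cn}_cert_path"]
end

if $PROGRAM_NAME == __FILE__
  ['node.example.com', '*.example.com'].each do |cn|
    puts "#{cn}: vault item #{vault_item_name(cn)}, key #{server_key_path(cn)}, " \
         "cert #{server_cert_path(cn)}, attrs #{attribute_keys(cn).join(', ')}"
  end
end
```

Keeping the two translations in separate functions makes the difference visible in review: a wildcard certificate is stored under '_.example.com.prod' but deployed as '__example_com.key', and a name that breaks the Data Bag id rule fails early rather than at upload time.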

Helper methods

  • SSLCert::Helper.get_vault_item_value(vault, name): returns the vault item value string.
  • SSLCert::Helper.append_ca_name(ca_name): appends a CA name whose certificate is to be deployed.
  • SSLCert::Helper.ca_cert_path(ca_name): returns the CA certificate file path string.
  • SSLCert::Helper.ca_pubkey_path(ca_name): returns the CA public key file path string.
  • SSLCert::Helper.ca_krl_path(ca_name): returns the CA KRL file path string.
  • SSLCert::Helper.append_server_ssl_cn(common_name): appends a server common name whose key and certificate are to be deployed.
  • SSLCert::Helper.server_key_content(common_name): returns the server private key content string.
  • SSLCert::Helper.server_cert_content(common_name): returns the server certificate content string.
  • SSLCert::Helper.server_key_path(common_name): returns the server private key file path string.
  • SSLCert::Helper.server_cert_path(common_name): returns the server certificate file path string.
  • SSLCert::Helper.append_members_to_key_access_group(members_array): appends members to the key access group (default: ssl-cert).
::Chef::Recipe.send(:include, SSLCert::Helper)

append_members_to_key_access_group(['openldap'])
grid_ca_cert_path = ca_cert_path('grid_ca')
ldap_key_path = server_key_path('ldap.grid.example.com')
ldap_cert_path = server_cert_path('ldap.grid.example.com')
wildcard_cn_key_path = server_key_path('*.grid.example.com')
wildcard_cn_cert_path = server_cert_path('*.grid.example.com')

License and Authors

  • Author:: whitestar at osdn.jp
Copyright 2016-2018, whitestar

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

apt_utils Applicable Versions
athenz Applicable Versions
chef_utils Applicable Versions
concourse-ci Applicable Versions
docker-grid Applicable Versions
gitlab-grid Applicable Versions
hc-vault Applicable Versions
jenkins-grid Applicable Versions
lxcs Applicable Versions
minio-grid Applicable Versions
nexus-grid Applicable Versions
openldap-grid Applicable Versions
screwdriver Applicable Versions
spinnaker Applicable Versions
supermarket-omnibus-ya Applicable Versions
ups_utils Applicable Versions

ssl_cert CHANGELOG

0.5.0

  • adds wildcard common name support. e.g. *.example.com

0.4.2

  • adds the ['ssl_cert']['ca_name_symlinks'] attribute.

0.4.1

  • adds SSLCert::Helper.append_ca_name method.
  • adds SSLCert::Helper.append_server_ssl_cn method.

0.4.0

  • adds SSLCert::Helper.server_{cert,key}_content method.

0.3.9

  • adds the Concourse pipeline configuration.
  • revises documents.

0.3.8

  • bug fix: follows Debian family's certificates symlink rule.
  • revises documents.

0.3.7

  • adds SSLCert::Helper.get_vault_item_value method.

0.3.6

  • refactoring.

0.3.5

  • bug fix: key access group modification.
  • adds SSLCert::Helper.append_members_to_key_access_group method.

0.3.4

  • adds the ['ssl_cert']['debian']['key_access_mode'] attribute.
  • adds the ['ssl_cert']['rhel']['key_access_mode'] attribute.

0.3.3

  • bug fix: adds CA certificate update sequence for system level.
  • adds the ['ssl_cert']['certs_src_dir'] attribute.
  • refactoring.

0.3.2

  • refactoring.

0.3.1

  • Cleanup for FoodCritic and RuboCop.

0.3.0

  • add ssh_ca_krl recipe for SSH-CA
  • add deployed filename extension attributes.

0.2.0

  • add ca_pubkeys recipe for SSH-CA, ...

0.1.5

  • add ['ssl_cert']['rhel']['key_access_group'] attribute.

0.1.4

  • improvement for vault item key setting (add nested hash key path format delimited by slash)

0.1.3

  • add {ca_cert,server_key,server_cert}_file_prefix attributes.

0.1.2

  • add some attributes.

0.1.1

  • minor modifications.

0.1.0

  • Initial release of ssl_cert

Collaborator Number Metric

0.5.0 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

0.5.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric

0.5.0 passed this metric

No Binaries Metric

0.5.0 passed this metric

Testing File Metric

0.5.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric

0.5.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number