berkshelf-api-server-ya CHANGELOG
=================================
-This file is used to list changes made in each version of the berkshelf-api-server-ya cookbook.
+0.2.0
+-----
+- SSL server key deployment by the Chef Vault.
+- Endpoints access user's private key deployment by the Chef Vault.
0.1.0
-----
-- [your_name] - Initial release of berkshelf-api-server-ya
-
-- - -
-Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
+- Application server bind address setting.
+- HTTPS configurations.
-The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
================================
This is yet another berkshelf-api-server cookbook.
+This cookbook provides the following extra features to the original cookbook.
+
+- Application server bind address setting.
+- HTTPS configurations.
+- SSL server key deployment by the Chef Vault.
+- Endpoints access user's private key deployment by the Chef Vault.
Requirements
------------
Attributes
----------
-#### berkshelf-api-server-ya::default
+#### berkshelf-api-server-ya::default added attributes
|Key|Type|Description, example|Default|
|:--|:--|:--|:--|
|`[:berkshelf_api][:app_host]`|String|Application sever bind address.|`'0.0.0.0'`|
|`[:berkshelf_api][:proxy][:ssl]`|Boolean|HTTPS enabled.|`false`|
|`[:berkshelf_api][:proxy][:ssl_certificate]`|String|Path to server certificate file.|`''`|
|`[:berkshelf_api][:proxy][:ssl_certificate_key]`|String|Path to server private key file.|`''`|
+|`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item]`|Hash|Chef Vault item read conf. for the server private key. (ver. 0.2.0 or later)|undefined|
+|`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item][:vault]`|String|Vault name|undefined|
+|`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item][:name]`|String|Vault item name|undefined|
+|`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item][:key]`|String|Vault item key|undefined|
+|`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item]`|Hash|Chef Vault item read conf. for the endpoint access user's private key. (ver. 0.2.0. or later)|undefined|
+|`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item][:vault]`|String|Vault name|undefined|
+|`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item][:name]`|String|Vault item name|undefined|
+|`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item][:key]`|String|Vault item key|undefined|
Usage
-----
# limitations under the License.
#
+# added attributes
default[:berkshelf_api][:app_host] = '0.0.0.0'
default[:berkshelf_api][:proxy][:ssl] = false
default[:berkshelf_api][:proxy][:ssl_certificate] = ''
default[:berkshelf_api][:proxy][:ssl_certificate_key] = ''
+=begin
+default[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item] = {
+ :vault => 'ssl_server_keys',
+ :name => '<COMMON_NAME>',
+ :key => 'private'
+}
+=end
+
+=begin
+default[:berkshelf_api][:config][:endpoints] = [
+ {
+ :options => {
+ :client_key => '/etc/berkshelf/api-server/<ORG_NAME>-berkshelf.pem',
+ # added attributes
+ :client_key_vault_item => {
+ :vault => 'berks_api_client_keys',
+ :name => '<ORG_NAME>',
+ :key => 'berkshelf'
+ }
+ }
+ },
+]
+=end
license 'Apache 2.0'
description 'Installs/Configures berkshelf-api-server-ya'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.0'
+version '0.2.0'
# local cookbooks
+#depends 'chef_utils', '>= 0.5.0'
# external cookbooks
depends 'berkshelf-api-server', '>= 2.1.1'
#
# Cookbook Name:: berkshelf-api-server-ya
-# Recipe:: default
+# Recipe:: app
#
# Copyright 2015, whitestar
#
r.cookbook 'berkshelf-api-server-ya'
end
+endpoints = node[:berkshelf_api][:config][:endpoints]
+# deploy client keys from Chef Vault
+endpoints.each {|endpoint|
+ options = endpoint[:options]
+
+ if options.has_key?(:client_key_vault_item) then
+ item_conf = options[:client_key_vault_item]
+
+ pkg = 'chef-vault'
+ resources(:chef_gem => pkg) rescue chef_gem pkg do
+ compile_time true if respond_to?(:compile_time)
+ action :install
+ end
+
+ require 'chef-vault'
+ item = ChefVault::Item.load(item_conf[:vault], item_conf[:name])
+ secret = item[item_conf[:key]]
+
+ file options[:client_key] do
+ content secret
+ sensitive true
+ owner node[:berkshelf_api][:owner]
+ group node[:berkshelf_api][:group]
+ mode 0400
+ end
+ end
+}
+
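Review bot: The vault lookup result is written without checking it exists — if the item has no `item_conf[:key]`, `secret` is nil and `content nil` leaves the `file` content unmanaged, so a missing secret silently yields an empty (or stale) client key at `options[:client_key]` instead of a failed run; likewise an endpoint that sets `:client_key_vault_item` but no `:client_key` hands `file` a nil path. Fail loudly right after the lookup: `raise ArgumentError, "vault item #{item_conf[:vault]}/#{item_conf[:name]} has no key #{item_conf[:key]}" if secret.nil?` and `raise ArgumentError, 'endpoint option :client_key is required with :client_key_vault_item' unless options[:client_key]`. Note that `ChefVault::Item.load` here runs at compile phase (recipe top level), so a vault/permission problem aborts before any resource converges and the decrypted secret lives in the run's memory for the whole converge — worth a comment such as `# compile-time: the node's client key must already be on the vault item's ACL`. The `resources(...) rescue chef_gem ...` modifier also swallows any exception, not just a missing-resource error; `rescue Chef::Exceptions::ResourceNotFound` would be tighter if that is what is intended. `endpoints.each` assumes the attribute is an Array; if the base cookbook can leave it nil, guard with `Array(node[:berkshelf_api][:config][:endpoints])`.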
#
# Cookbook Name:: berkshelf-api-server-ya
-# Recipe:: default
+# Recipe:: http_proxy
#
# Copyright 2015, whitestar
#
res.cookbook 'berkshelf-api-server-ya'
end
+if node[:berkshelf_api][:proxy].has_key?(:ssl_certificate_key_vault_item) then
+ item_conf = node[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item]
+
+ pkg = 'chef-vault'
+ resources(:chef_gem => pkg) rescue chef_gem pkg do
+ compile_time true if respond_to?(:compile_time)
+ action :install
+ end
+
+ require 'chef-vault'
+ item = ChefVault::Item.load(item_conf[:vault], item_conf[:name])
+ secret = item[item_conf[:key]]
+
+ file node[:berkshelf_api][:proxy][:ssl_certificate_key] do
+ content secret
+ sensitive true
+ owner 'root'
+ group 'root'
+ mode 0400
+ notifies :reload, 'service[nginx]', :delayed
+ end
+
+end
+
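Review bot: The private key is deployed whenever `ssl_certificate_key_vault_item` is present, independent of `node[:berkshelf_api][:proxy][:ssl]`, and `ssl_certificate_key` defaults to `''` (attributes hunk above), so a partially configured node either writes a key that nginx never uses or hands `file` an empty path; a nil `secret` (missing vault key) would again leave the key file's content unmanaged rather than fail. Validate both before the resource: `key_path = node[:berkshelf_api][:proxy][:ssl_certificate_key]`, `raise ArgumentError, 'ssl_certificate_key must be set when ssl_certificate_key_vault_item is used' if key_path.to_s.empty?`, `raise ArgumentError, "vault item #{item_conf[:vault]}/#{item_conf[:name]} has no key #{item_conf[:key]}" if secret.nil?`. `notifies :reload, 'service[nginx]'` presumes the base cookbook declares `service[nginx]` in this run — if it does not, the converge fails at resource-resolution time, so a comment naming that dependency would help (`# service[nginx] is defined by the berkshelf-api-server cookbook`). Root-owned 0400 with `sensitive true` is the right posture for a server key; the same `rescue`-modifier caveat as in recipes/app.rb applies to the `chef_gem` guard here.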