Chef cookbook uploads with Conjur
In preparation for our workshop at ChefConf we created a new organization in Hosted Chef and uploaded some starter cookbooks. The best practice here is to create a dedicated user whose only permission is to upload cookbooks. This ensures that the agent in your system responsible for uploading cookbooks cannot affect the rest of your Chef server. Conjur makes this very easy to do securely. Here are the steps:
I created a new user on Hosted Chef to be our trusted agent for deploys. In our case this is [email protected]
I stored the user's Chef private key, downloaded from the Hosted Chef UI, as a Conjur variable. The `$pem` shell variable here refers to the private key.

```sh
cat $pem | conjur variable create --as-group v4/ops hostedchef/conjurbot/private_key
```
Here's the cool part. I created a mapping file (`.conjurenv`) for `conjur env` to supply the private key at run time.

```yaml
CLIENT_PEM: !tmp hostedchef/conjurbot/private_key
```
Now when we use `conjur env run`, the private key is pulled from Conjur and stored in a temporary file, and `CLIENT_PEM` is an environment variable containing the path to that file.
I can now use that environment variable in `knife.rb` to provide authentication.

```ruby
log_level        :info
log_location     STDOUT
node_name        'conjurbot'
client_key       ENV['CLIENT_PEM']
chef_server_url  'https://api.opscode.com/organizations/chefconf15-conjur'
```
Now when I want to upload cookbooks I don't have to hunt around for the private key or even have it on my system.

```sh
conjur env run -- knife cookbook upload .
```
Once the upload finishes, the private key is no longer on your system and access to the key is audited in Conjur. Here you can see I have permitted the build layer, which contains our Jenkins systems, to execute (read) the secret.
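To make the `!tmp` lifecycle described above concrete (fetch the secret, hand it to the command as a short-lived file, remove it afterwards), here is an added shell illustration. It is not the Conjur CLI's own code: `fetch_secret` is a stand-in for `conjur variable value <id>` that returns a constructed placeholder key so the script runs offline, and `run_with_tmp_secret` is a hypothetical helper that mimics what `conjur env run` does for a `!tmp` mapping.

```shell
#!/bin/sh
# Added example, not part of the original post or the Conjur CLI.

# Stand-in for `conjur variable value hostedchef/conjurbot/private_key`
# (assumption). Emits a constructed placeholder, not a real key.
fetch_secret() {
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
                '-----END RSA PRIVATE KEY-----'
}

# run_with_tmp_secret VARNAME cmd [args...]
# Mimics a `VARNAME: !tmp <id>` mapping under `conjur env run`:
#  1. write the secret to a fresh mode-0600 temp file,
#  2. export VARNAME=<path> only in the command's environment,
#  3. delete the file when the command exits, even on failure or Ctrl-C.
# The command's exit status is returned; LAST_TMPFILE records the path
# so a caller can confirm the key is gone afterwards.
run_with_tmp_secret() {
  varname=$1; shift
  tmpfile=$(mktemp) || return 1
  LAST_TMPFILE=$tmpfile
  (
    trap 'rm -f "$tmpfile"' EXIT INT TERM   # cleanup runs on every exit path
    chmod 600 "$tmpfile" && fetch_secret > "$tmpfile" || exit 1
    env "$varname=$tmpfile" "$@"
  )
}

# Demo: the key is readable only while the wrapped command runs.
run_with_tmp_secret CLIENT_PEM sh -c \
  'echo "key present at $CLIENT_PEM during the command"; head -n 1 "$CLIENT_PEM"'
[ -e "$LAST_TMPFILE" ] && echo "BUG: key file survived" || echo "key file removed"
```

In the real workflow the wrapped command is `knife cookbook upload .`, and every fetch of the variable is recorded in Conjur's audit log.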
In a production scenario you would give read permission on this key to only the parts of the infrastructure that need it – your CI/deploy system.
Check out `.conjurenv`, `knife.rb` and `deploy.sh` here: https://github.com/conjurdemos/chefconf15-base