I am constructing cookbooks for both Linux and Windows machines.
I am looking for the best way to setup Chef cookbook CI.
The reason for this is I want to remove the .pem files from source code but not sure how best to get them on the CI server so I can “knife cookbook upload” when required.
This kind of gets into the whole question of secrets management. At $WORK we use software that distributes secrets to hosts that have permissions for them; thus, we can set a policy like “Please ensure the CI builder has access to foo.pem”, then set up a job there that grabs the key file from wherever the software dropped it. If your CI builder is managed via Chef, you might use encrypted data bags to do this.
One thing we’re doing: in order to avoid writing secrets to disk, we’re using /dev/shm on our CI builder to hold the files in memory – no persistence on the hard drive. That’s a Linux-ism, of course, and I don’t know what the Windows equivalent would be. In case of a reboot, we need to wait for the secret distribution service to sync up, but for us that’s an acceptable tradeoff.
HTH,
Hugh
Indeed our Bamboo agents (not my choice) will be builder from Chef, just trying to work out how and where to store the .pem files in the first place ideally they shouldn’t be in source nor baked into the AMI.
I was looking at Hashicorp Vault but not sure that will work, any ideas?
Steve (steven@stevenwade.co.uk)
Hi Steve, I’ve also been looking at Hashicorp Vault for this sort of thing - I think it’s exactly what it would be perfect for - but I’m not sure how you can avoid the pem files hitting the disk. I’m still working out out CI process (also Windows and Linux) and I’d be happy to share any discoveries.
Shaw
Hi Shaw,
Thanks for getting involved on this topic. Do you have Hangouts or Skype, would be good to talk.
My understand was that Vault simply stores “strings” how would “we” turn these into pem files when provisioning the build agent AMI?