Chef
Chef
Chef External Secrets provider will enable users to seamlessly integrate their Chef-based secret management with Kubernetes through the existing External Secrets framework.
In many enterprises, legacy applications and infrastructure are still tightly integrated with the Chef/Chef Infra Server/Chef Server Cluster for configuration and secrets management. Teams often rely on Chef data bags to securely store sensitive information such as application secrets and infrastructure configurations. These data bags serve as a centralized repository for managing and distributing sensitive data across the Chef ecosystem.
NOTE: Chef External Secrets provider is designed only to fetch data from the Chef data bags into Kubernetes secrets, it won't update/delete any item in the data bags.
Authentication
Every request made to the Chef Infra server needs to be authenticated. Authentication is done using the Private keys of the Chef Users. The User needs to have appropriate Permissions to the data bags containing the data that they want to fetch using the External Secrets Operator.
The following command can be used to create Chef Users:
chef-server-ctl user-create USER_NAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL 'PASSWORD' (options)
More details on the above command are available here Chef User Create Option. The above command will return the default private key (PRIVATE_KEY_VALUE), which we will use for authentication. Additionally, a Chef User with access to specific data bags, a private key pair with an expiration date can be created with the help of the knife user key command.
Create a secret containing your private key
We need to store the above User's API key into a secret resource. Example:
kubectl create secret generic chef-user-secret -n vivid --from-literal=user-private-key='PRIVATE_KEY_VALUE'
Creating ClusterSecretStore
The Chef ClusterSecretStore is a cluster-scoped SecretStore that can be referenced by all Chef ExternalSecrets from all namespaces. You can follow the below example to create a ClusterSecretStore resource.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vivid-clustersecretstore # name of ClusterSecretStore
spec:
provider:
chef:
username: user # Chef User name
serverUrl: https://manage.chef.io/organizations/testuser/ # Chef server URL
auth:
secretRef:
privateKeySecretRef:
key: user-private-key # name of the key inside Secret resource
name: chef-user-secret # name of Kubernetes Secret resource containing the Chef User's private key
namespace: vivid # the namespace in which the above Secret resource resides
Creating SecretStore
Chef SecretStores are bound to a namespace and can not reference resources across namespaces. For cross-namespace SecretStores, you must use Chef ClusterSecretStores.
You can follow the below example to create a SecretStore resource.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: vivid-secretstore # name of SecretStore
namespace: vivid # must be required for kind: SecretStore
spec:
provider:
chef:
username: user # Chef User name
serverUrl: https://manage.chef.io/organizations/testuser/ # Chef server URL
auth:
secretRef:
privateKeySecretRef:
name: chef-user-secret # name of Kubernetes Secret resource containing the Chef User's private key
key: user-private-key # name of the key inside Secret resource
namespace: vivid # the ns where the k8s secret resource containing Chef User's private key resides
Creating ExternalSecret
The Chef ExternalSecret describes what data should be fetched from Chef Data bags, and how the data should be transformed and saved as a Kind=Secret.
You can follow the below example to create an ExternalSecret resource.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vivid-external-secrets # name of ExternalSecret
namespace: vivid # namespace inside which the ExternalSecret will be created
annotations:
company/contacts: user.a@company.com, user.b@company.com
company/team: vivid-dev
labels:
app.kubernetes.io/name: external-secrets
spec:
refreshInterval: 15m
secretStoreRef:
name: vivid-clustersecretstore # name of ClusterSecretStore
kind: ClusterSecretStore
data:
- secretKey: USERNAME
remoteRef:
key: vivid_prod/global_user # databagName/dataItemName
property: username # a json key in dataItem
- secretKey: PASSWORD
remoteRef:
key: vivid_prod/global_user
property: password
- secretKey: APIKEY
remoteRef:
key: vivid_global/apikey
property: api_key
- secretKey: APP_PROPERTIES
remoteRef:
key: vivid_global/app_properties # databagName/dataItemName , it will fetch all key-vlaues present in the dataItem
target:
name: vivid-credentials # name of kubernetes Secret resource that will be created and will contain the obtained secrets
creationPolicy: Owner
template:
mergePolicy: Replace
engineVersion: v2
data:
secrets.json: |
{
"username": "{{ .USERNAME }}",
"password": "{{ .PASSWORD }}",
"app_apikey": "{{ .APIKEY }}",
"app_properties": "{{ .APP_PROPERTIES }}"
}
When the above ClusterSecretStore and ExternalSecret resources are created, the ExternalSecret will connect to the Chef Server using the private key and will fetch the data bags contained in the vivid-credentials secret resource.
To get all data items inside the data bag, you can use the dataFrom directive:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vivid-external-secrets # name of ExternalSecret
namespace: vivid # namespace inside which the ExternalSecret will be created
annotations:
company/contacts: user.a@company.com, user.b@company.com
company/team: vivid-dev
labels:
app.kubernetes.io/name: external-secrets
spec:
refreshInterval: 15m
secretStoreRef:
name: vivid-clustersecretstore # name of ClusterSecretStore
kind: ClusterSecretStore
dataFrom:
- extract:
key: vivid_global # only data bag name
target:
name: vivid_global_all_cred # name of Kubernetes Secret resource that will be created and will contain the obtained secrets
creationPolicy: Owner
follow : this file for more info