This document outlines a presentation on DevOps orchestration with Chef. The agenda includes discussing Chef provisioning, secret management with data bags and Chef Vault, cookbook versioning, dependency management, and test driven infrastructure. Chef provisioning allows managing infrastructure repeatably across environments. Secret management techniques like data bags and Chef Vault are presented. Test driven development for infrastructure configuration includes unit testing, integration testing, and auditing cookbooks.
3. Chef Provisioning
"Allows managing infrastructure with repeatable resource creation/deletion across different environments, from dev and QA to production, in a very abstract and easy way"
This is the next step forward for Chef as a configuration management tool.
What can be achieved:
Idempotency
Cluster Management
Parallel Provisioning
04/06/16 Mayank Gaikwad
4.
# Assumed for a runnable recipe: the AWS driver, since an AMI and instance type are used below
require 'chef/provisioning/aws_driver'
with_driver 'aws'

# Register the provisioned machines against the Chef server using this node's client identity
with_chef_server "https://console.chef.io/organizations/mgdevstack",
  client_name: Chef::Config[:node_name],
  signing_key_filename: Chef::Config[:client_key]

with_machine_options({
  convergence_options: {
    ssl_verify_mode: :verify_none   # disables TLS certificate verification on the node's chef-client; lab use only
  },
  bootstrap_options: {
    image_id: "ami-08173648",
    instance_type: "m1.small",
    key_name: "mg-keypair",         # if not specified, a key pair is generated and used
    key_path: "/root/.ssh/mg-keypair.pem",
    user_data: "~/chef/chef_user_data"
  },
  ssh_username: 'ec2-user',
  security_groups: ["default"],
  transport_address_location: :private_ip,   # connect over the instance's private IP
  sudo: true
})
5. Secret Management
• Data bags (bags that share data/secrets across nodes)
• Encrypted data bags (require key management across nodes)
• Chef-Vault (provides a two-layer encryption/decryption mechanism with no hassle of managing keys across nodes)
6. Data Bags
Data Bag Creation:
knife data bag create bag_name item_name
knife data bag from file bag_name path_to/item_name.json
Encrypting Data Bag
openssl rand -base64 512 | tr -d '\r\n' > encrypted_data_bag_secret   # generate the shared secret, stripping line breaks
knife data bag create bag_name item_name --secret-file encrypted_data_bag_secret   # --secret-file reads the key from the file; --secret would use the literal string
{
/* This is a supported comment style */
// This style is also supported
"id": "ITEM_NAME",
"key": "value"
}
7. Encrypted data bags use a shared secret key to encrypt data.
Overhead: distributing the key to every node and keeping it secure while it is shared.
8. Client and Node’s public and private key store
9. Chef-vault
When encrypted data is created with chef-vault, it encrypts the data bag item with a random shared secret key.
The generated secret key is then encrypted with the public key of each authorised user and node stored on the Chef server.
This provides two layers of encryption,
without having to manage the secret key across nodes.
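The two layers described above, and the shared-secret layer of the encrypted data bags on the previous slides, as an added example built on Ruby's OpenSSL stdlib; it is not chef-vault's own code, and the node names and item content are constructed:

```ruby
require 'openssl'
require 'json'
require 'base64'
# Layer 1: the item is encrypted with a random shared secret (AES-256-GCM here,
# so a tampered blob fails to decrypt instead of yielding garbage).
def encrypt_item(item, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  data = cipher.update(JSON.generate(item)) + cipher.final
  { 'iv' => Base64.strict_encode64(iv), 'data' => Base64.strict_encode64(data),
    'tag' => Base64.strict_encode64(cipher.auth_tag) }
end
def decrypt_item(blob, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = secret
  cipher.iv = Base64.strict_decode64(blob['iv'])
  cipher.auth_tag = Base64.strict_decode64(blob['tag'])
  JSON.parse(cipher.update(Base64.strict_decode64(blob['data'])) + cipher.final)
end

# Layer 2: the shared secret is wrapped with each admin's/node's RSA public key
# (chef-vault keeps these in a companion "<item>_keys" data bag item), so the
# secret itself never has to be distributed to the nodes.
def wrap_secret(secret, public_keys)
  public_keys.transform_values do |pem|
    Base64.strict_encode64(OpenSSL::PKey::RSA.new(pem).public_encrypt(secret))
  end
end

# A client unwraps with its own private key; a client not on the vault has no entry.
def unwrap_secret(keys_item, name, private_key)
  wrapped = keys_item.fetch(name) { raise KeyError, "#{name} is not on the vault" }
  private_key.private_decrypt(Base64.strict_decode64(wrapped))
end

# Constructed demo: node "poc-meetup-1" is on the vault, "other-node" is not.
def demo
  node = OpenSSL::PKey::RSA.new(2048)
  secret = OpenSSL::Random.random_bytes(32)
  vault = encrypt_item({ 'id' => 'database', 'password' => 's3cret' }, secret)
  keys = wrap_secret(secret, 'poc-meetup-1' => node.public_key.to_pem)
  password = decrypt_item(vault, unwrap_secret(keys, 'poc-meetup-1', node))['password']
  denied = begin
    unwrap_secret(keys, 'other-node', OpenSSL::PKey::RSA.new(2048)); false
  rescue KeyError
    true
  end
  [password, denied]
end
```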
10. Chef-Vault continued..
Installation
gem install chef-vault
Vault Creation
knife vault create credentials database -A "mayank,meet" -M client -S 'name:poc-meetup*' -J ./database.json
-A  comma-separated user/node names (admins) allowed to decrypt the vault
-M  mode for chef-vault: client if Chef Server, solo if Chef Solo
-S  node search query; matching nodes can decrypt the vault
-J  JSON file with the item content
Vault Deletion:
knife data bag delete credentials
11. Chef-Vault continued..
knife vault show credentials database
If the user is a vault admin, the data bag content is shown in the clear; otherwise only the encrypted data bag is shown.
Using vault within recipe
include_recipe 'chef-vault'
vault = chef_vault_item(:credentials, 'database')   # decrypted with this node's client key
node.set['database']['password'] = vault['password']   # note: normal attributes are saved to the Chef server with the node object, so the secret ends up stored there; node.run_state keeps it in memory for the run only
Edit Vault
knife vault edit credentials database
Delete item within vault
knife vault delete credentials database
12. Vault Commands
Add admin user
knife vault update credentials database -A "new-username"
Add new node
knife vault update credentials database -S "search-query-for-nodes"
Refresh keys (re-encrypt the shared secret for the current admins and nodes, e.g. after a client key changed)
knife vault refresh credentials database
Remove user
knife vault remove credentials database -A "role:base"
13. Test Driven Infrastructure
Convergence phases:
pre-convergence: syntax checking, unit testing, lint checking
convergence:
post-convergence: verifies that the node is in the desired state (auditing)
Testing workflow
• Code Correctness - Foodcritic and Rubocop
• Unit Tests - ChefSpec
• Integration Tests - Test Kitchen and ServerSpec
14. Unit Testing
# recipes/default.rb (cookbook name "cookbook" assumed below)
package "httpd" do
  action :install
end
# spec/unit/recipes/default_spec.rb: ChefSpec converges the recipe in memory and asserts on the resource collection
require 'chefspec'
describe 'cookbook::default' do
  let(:chef_run) { ChefSpec::SoloRunner.new.converge(described_recipe) }
  it "installs the httpd package" do
    expect(chef_run).to install_package("httpd")
  end
end
15. Rubocop
Does linting and convention checks
Discovers code style violations
Configured via .rubocop.yml
16. Foodcritic
Checks a cookbook for common problems:
• Style
• Correctness
• Syntax
• Best practices
• Common mistakes
• Deprecations
Typically run against a cookbook directory
Currently 61 rules covering linting, style guide and best practices
To exclude rule FC003:
foodcritic cookbooks/ --tags ~FC003
18. Foodcritic rules
FC001: accesses node attributes with symbols
# Don't do this
package node[:cookbook][:package] do
  action :install
end
# Do this instead: string keys
package node['cookbook']['package'] do
  action :install
end
FC004: Use a service resource to start and stop services
# Don't do this
execute 'start-tomcat' do
  command '/etc/init.d/tomcat6 start'
  action :run
end
# Do this instead
service 'tomcat' do
  action :start
end
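A simplified re-implementation of the two rules above, run over a constructed recipe, to show what such a rule checks and how a --tags ~FCxxx style exclusion takes effect; this is an added example, not Foodcritic's own code, and the regexes are a deliberate simplification of its AST-based matching:

```ruby
# Constructed recipe text: each rule's "don't" form followed by its fix.
RECIPE = <<~'RB'
  package node[:cookbook][:package] do
    action :install
  end
  package node['cookbook']['package'] do
    action :install
  end
  execute 'start-tomcat' do
    command '/etc/init.d/tomcat6 start'
    action :run
  end
  service 'tomcat' do
    action :start
  end
RB

# Simplified rules (Foodcritic matches on the parsed AST; these are line regexes):
# FC001 = symbol attribute access, FC004 = an execute command that starts/stops
# a service through an init script or the `service` wrapper.
RULES = {
  'FC001' => /\bnode\[:\w+\]/,
  'FC004' => %r{command\s+['"](?:/etc/init\.d/|service\s)\S+\s+(?:start|stop|restart)}
}.freeze

# Returns [[rule_id, line_number, line_text], ...]; `exclude` mirrors --tags ~FC003.
def lint(source, exclude: [])
  source.each_line.with_index(1).flat_map do |line, number|
    RULES.reject { |id, _| exclude.include?(id) }
         .select { |_, pattern| pattern.match?(line) }
         .map { |id, _| [id, number, line.strip] }
  end
end
```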
Strategy:
Use linting tools to adhere to conventions; this provides uniformity and portability.
Use testing tools to verify that the cookbook accomplishes its intended goals.