This document outlines a presentation on DevOps orchestration with Chef. The agenda includes discussing Chef provisioning, secret management with data bags and Chef Vault, cookbook versioning, dependency management, and test driven infrastructure. Chef provisioning allows managing infrastructure repeatably across environments. Secret management techniques like data bags and Chef Vault are presented. Test driven development for infrastructure configuration includes unit testing, integration testing, and auditing cookbooks.

1. DevOps
Orchestration with Chef
Presented By:
Mayank Gaikwad
04/06/16 Mayank Gaikwad

2. Agenda
04/06/16 Mayank Gaikwad
• Chef Provisioner
• Secret Management
• Cookbook Versioning
• Dependency Management
• Test Driven Infrastructure

3. Chef Provisioning
“ Allows to manage infrastructure with repeatable resource
creation/deletion on different environment from dev, QA to production
in very abstract and easy way”
This is next step forward , Chef as configuration management tool
What can be achieved-
Idempotency
Cluster Management
Parallel Provisioning
04/06/16 Mayank Gaikwad

4. 04/06/16 Mayank Gaikwad
• with_chef_server "https://console.chef.io/organizations/mgdevstack",
:client_name => Chef::Config[:node_name],
:signing_key_filename => Chef::Config[:client_key]
• with_machine_options({
convergence_options: {
:ssl_verify_mode => :verify_none
},
bootstrap_options: {
image_id: "ami-08173648",
instance_type: "m1.small",
key_name: “mg-keypair", # If not specified, this will be used and generated
key_path: "/root/.ssh/mg-keypair.pem",
user_data: “~/chef/chef_user_data"
},
ssh_username: 'ec2-user',
security_groups: ["default"],
:transport_address_location => :private_ip,
:sudo => true
})

5. Secret Management
04/06/16 Mayank Gaikwad
• Data bags ( Bags to share data/secret across nodes )
• Encrypted Data bags ( Requires key management across nodes )
• Chef-Vault ( Provides 2 layer encryption decryption mechanism with
no hassle to manage keys across nodes )

6. Data Bags
Data Bag Creation:
Knife data bag create bag_name item_name
knife data bag from file bag_name path_to/item_name.json
Encrypting Data Bag
openssl rand -base64 512 | tr -d 'rn' > encrypted_data_bag_secret
knife data bag create bag_name item_name --secret
encrypted_data_bag_secret
{
/* This is a supported comment style */
// This style is also supported
"id": "ITEM_NAME",
"key": "value"
}
04/06/16 Mayank Gaikwad

7. Uses shared secret key to encrypt data.
Overhead of distributing keys and maintaining security during key share
04/06/16 Mayank Gaikwad

8. Client and Node’s public and private key store
04/06/16 Mayank Gaikwad

9. Chef-vault
When encrypted data created with chef-vault, it encrypts data-bag with
random shared secret key.
Generated Secret key then encrypted with user’s and nodes public key on
chef server.
So provides 2 layers of encryption.
With out managing secret key.
04/06/16 Mayank Gaikwad

10. Chef-Vault continued..
Installation
gem install chef-vault
Vault Creation
knife vault create credentials database -A mayank, meet -M client -S
‘name:poc-meetup*’ -J ./database.json
-A Users/ Nodes names
-M Mode for chef-vault
client -- if Chef-Server
solo -- if Chef-Solo
-S Node search parameter where vault can be decrypted
Vault Deletion:
knife data bag delete credentials
04/06/16 Mayank Gaikwad

11. Chef-Vault continued..
knife vault show credentials database
if user is admin.. Databag content will be shown else it will show
encrypted databag
Using vault within recipe
include_recipe ‘chef-vault’
vault = chef_vault_item(:credentials, ‘database’)
node.set[‘database’][‘password’] = vault[‘password’]
Edit Vault
knife vault edit credentials database
Delete item within vault
knife vault delete credentials database
04/06/16 Mayank Gaikwad

12. Vault Commands
Add Admin user
knife vault update credentials database -A “new-username”
Add new Node
knife vault update credentials database -S “search-query-for-nodes”
Updating users key
knife vault refresh credentials database
Removing user
knife vault remove credentials database -A “role:base”
04/06/16 Mayank Gaikwad

13. Test Driven Infrastructure
Convergence phases:
pre-convergence: syntax checking unit testing, lint checking
convergence:
post-convergence: verifies if node is in desired state(auditing)
Testing workflow
•Code Correctness - Foodcritic and Rubocop
•Unit Tests and testing - ChefSpec
•Integration Tests - Test Kitchen and ServerSpec
04/06/16 Mayank Gaikwad

14. Unit Testing
package "httpd" do
action :install
end
it "installs the httpd package" do
expect(chef_run).to install_package("httpd")
end
04/06/16 Mayank Gaikwad

15. Rubocop
Does Linting and convention check
Discover code style violation
Rubocop.yml
04/06/16 Mayank Gaikwad

16. Foodcritic
Checks cookbook for common problems
•Style
•Correctness
•Syntax
•Best practices
•Common mistakes
•Deprecations
Typically run against cookbook
Currently 61 rules to check linting, style guide and best practices
To exclude rule FC003:
foodcritic cookbooks/ --tags ~FC003
04/06/16 Mayank Gaikwad

17. 04/06/16 Mayank Gaikwad
Foodcritic Rules

18. Foodcritic rules
FC001 : accesses node attributes with
symbols
# Don't do this
package node[:cookbook][:package] do
action :install
End
package node['cookbook']['package'] do
action :install
end
FC004: Use a service resource to start and
stop services
# Don't do this
execute 'start-tomcat' do
command '/etc/init.d/tomcat6 start'
action :run
End
service 'tomcat' do
action :start
end
04/06/16 Mayank Gaikwad

19. Auditing cookbook
Cookbook/meetup/recipes/audit.rb
control_group 'Server Auditing:: ' do
control 'service' do
it 'should be stopped' do
expect(service('crond')).to_not be_running
end
end
end
04/06/16 Mayank Gaikwad

20. Questions & Answers
04/06/16 Mayank Gaikwad

21. Thanks You
04/06/16 Mayank Gaikwad