Learning to write high-quality Chef cookbooks can be a daunting prospect. There are few resources and little documentation. Let's dive into the best practices for building usable, maintainable, and delightful Chef cookbooks. We'll cover the structure of great cookbooks for new and experienced Chefs alike.
- Principles of High Functioning Cookbooks
  - Resources > Recipes
  - Right to keep and bear footguns
  - Minimalism in Recipes
  - Trinity: package, template, service
  - Metadata: The good, the bad, and the ugly
- Writing Custom Resources
  - 12.5 syntax
  - How low can you go
- Effective Node Attributes
  - Goldilocks zone
  - Common traps
- Tests for Fun and Profit
  - Overtesting, a thing
  - What to expect when you're expecting
- Documentation for Great Justice
  - Maniac Driven Development
  - Enumerate your interfaces
Policyfiles are the latest and greatest {{Citation needed}} entry into the Chef workflow arena. There is a lot of chatter about policies and their related tools, but few people have taken the plunge, and most that do are charging in without knowing what awaits them on the other side. Together we'll examine what policies are in Chef, how to use them, and what the downsides can be.
- tl;dr
- New vocabulary
  - Intro to snapshots
  - Push it over there
- A Tour of Policyfile.rb
  - Name
  - Run list(s)
  - Cookbook dependencies
  - Sources
  - Attributes
- Chef command basics
- The Rough Edges
  - The talking stick problem
  - Graft vs. host, aka multi-policy issues
  - Environment attributes
  - Base/shared policy
  - Partial updates
- Workflow Overview
  - What is a release process
  - To SemVer or not to SemVer
  - YoloVer workflow
  - Example repository
- Supporting Tools
  - Policyfiles and Test Kitchen
  - Policyfiles and ChefSpec
- How to upgrade
  - Role (cookbook)? conversion
  - Environment (cookbook)? conversion
Secrets come in many forms: passwords, keys, tokens. All are crucial for the operation of an application, but each is dangerous in its own way. In the past, many of us have pasted those secrets into a text file and moved on, but in a world of config automation and ephemeral microservices these patterns are leaving our data at greater risk than ever before.
New tools, products, and libraries are being released all the time to try to cope with this massive rise in threats, both new and old-but-ignored. This talk will cover the major types of secrets in a normal web application, how to model their security properties, which tools are best for each situation, and how to use them with major web frameworks.
- Intros
- Types of secrets
  - Passwords (internal control)
  - Key files (TLS, whole files)
  - Tokens (external control)
  - Other (PCI, etc.)
  - Hot vs. cold access
- Properties of a secrets management system
  - Audit trail
  - Least access
  - Integrations
  - Pre-encryption systems
- The usual solutions, and why they are dangerous
- Attack surfaces and threat modelling
  - Code leak
  - Backup leak
  - Directory traversal/transclude
  - RCE
  - Laptop theft
  - Higher power (gov, etc.)
- Identity Management
  - Tokens
  - Cloud Systems
  - HSMs
- Tools
  - Text files
  - Chef encrypted data bags
  - Ansible Vault
  - Chef Vault
  - HashiCorp Vault
  - Keywhiz
  - AWS KMS
  - Sneaker
  - Confidant
  - Trousseau
  - sops
  - Red October
  - Barbican
  - Conjur
- Framework Integration
  - hvac
  - KeywhizFS
  - Consul Template
  - botocore
"Behind Closed Doors" would be my favorite but I am not a chef / target audience member