@huyanhvn
Last active May 2, 2016 16:09
chef-vault
### knife.rb:

```ruby
knife[:vault_mode] = "client"
data_bag_path "/Users/hnguyen/data_bags"
```
### Creating a Vault

Vault creation is very similar to data bag creation. Specify a vault name, an item name inside that vault, and the default JSON data to go into the item. You can optionally specify a node search (`-S`) and/or a list of Chef Server users (`-A`) who should have access to the vault.

```
knife vault create [vault] [item] '{}'
knife vault create [vault] [item] '{}' -S 'search' -A 'user1,user2'
```
### Editing a Vault

Assuming the EDITOR environment variable is set, editing a vault will open the decrypted JSON in your editor and re-encrypt the changes when the editor is closed.

```
knife vault edit [vault] [item]
```
### Adding Nodes or Users to a Vault

As new servers are added, old ones are removed, and people come and go, you'll want to ensure the encryption permissions are updated accordingly. If the new nodes match the existing search settings, or a user has replaced their keys, just use `refresh`:

```
knife vault refresh [vault] [item]
```

If the settings of the vault need to change, say removing or adding a user, use the `update` command instead. Note that the `-A` option must always be the full list of users allowed to access the vault, not just the ones being added:

```
knife vault update [vault] [item] -S "new search" -A "user1"
```
### Cookbooks

Once the vaults are built and uploaded to the server, accessing the vault data in your cookbooks is as follows:

```ruby
# Install the gem into Chef's own Ruby at compile time, then load it.
chef_gem "chef-vault"
require "chef-vault"

# Decrypts the item with this node's client key; raises if the node is not
# in the vault's access list.
vault_data = ChefVault::Item.load(data_bag_name, item_name)
```
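To make the access-list semantics of the two sections above concrete (why `update -A` must carry the full list, what `refresh` re-wraps, and what `ChefVault::Item.load` unwraps on the node), here is an added plain-Ruby model of the mechanism. It is not code from this gist or from the chef-vault library, and it is not chef-vault's on-disk format: the function names (`make_client`, `vault_create`, `vault_refresh`, `vault_load`) and the AES-GCM/OAEP choices are assumptions for illustration. The shape is the same, though: a vault item is encrypted under a random secret, and a companion keys hash holds that secret wrapped once per authorised client with that client's public key, so no shared secret is ever distributed.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Toy model of a vault: the item is encrypted with a random secret, and a
# companion "_keys" hash holds that secret wrapped once per authorised client
# with the client's RSA public key. All names here are invented for this
# example; this is not chef-vault's actual format.

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# A simulated Chef client or user; the key pair stands in for client.pem.
def make_client(name)
  { name: name, key: OpenSSL::PKey::RSA.new(2048) }
end

# The "_keys" side of a vault: one RSA-wrapped copy of the secret per principal.
def wrap_secret(secret, allowed)
  allowed.each_with_object({}) do |client, keys|
    wrapped = client[:key].public_key.public_encrypt(secret, OAEP)
    keys[client[:name]] = Base64.strict_encode64(wrapped)
  end
end

# knife vault create: encrypt the JSON under a fresh secret and wrap that
# secret for every client in `allowed` (the union of -S hits and -A users).
def vault_create(data, allowed)
  secret = SecureRandom.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  cipher.auth_data = ''
  body = cipher.update(JSON.generate(data)) + cipher.final
  item = {
    'iv'   => Base64.strict_encode64(iv),
    'tag'  => Base64.strict_encode64(cipher.auth_tag),
    'data' => Base64.strict_encode64(body)
  }
  [item, wrap_secret(secret, allowed)]
end

# knife vault update -A ...: the list given replaces the previous one and the
# secret is rotated, so anyone left off the list can no longer decrypt.
def vault_update(data, allowed)
  vault_create(data, allowed)
end

# Find our own wrapped copy of the secret and unwrap it with our private key.
def unwrap_secret(keys, client)
  wrapped = keys[client[:name]]
  raise "#{client[:name]} is not in the vault's access list" unless wrapped
  client[:key].private_decrypt(Base64.strict_decode64(wrapped), OAEP)
end

# knife vault refresh: an admin who already has access unwraps the current
# secret and re-wraps it for the current set of clients (new search hits,
# replaced keys); the encrypted item itself is left untouched.
def vault_refresh(keys, admin, allowed)
  wrap_secret(unwrap_secret(keys, admin), allowed)
end

# ChefVault::Item.load on a node: unwrap the secret, then decrypt and
# authenticate the item. A wrong or missing secret fails here, not silently.
def vault_load(item, keys, client)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = unwrap_secret(keys, client)
  cipher.iv = Base64.strict_decode64(item['iv'])
  cipher.auth_tag = Base64.strict_decode64(item['tag'])
  cipher.auth_data = ''
  JSON.parse(cipher.update(Base64.strict_decode64(item['data'])) + cipher.final)
end

if __FILE__ == $PROGRAM_NAME
  web1, web2, admin1 = %w[web1 web2 admin1].map { |n| make_client(n) }
  # Constructed sample data; a real vault would hold e.g. a private key.
  item, keys = vault_create({ 'key_file' => 'sample-value' }, [web1, admin1])
  puts vault_load(item, keys, web1)['key_file']            # web1 was on the list
  keys = vault_refresh(keys, admin1, [web1, web2, admin1]) # web2 now matches -S
  puts vault_load(item, keys, web2)['key_file']
  item, keys = vault_update({ 'key_file' => 'rotated' }, [admin1]) # -A "admin1"
  denied = begin
    vault_load(item, keys, web1)
  rescue RuntimeError => e
    e.message
  end
  puts denied
end
```

Running it shows the three behaviours the knife commands rely on: a client on the list decrypts, `refresh` grants a newly matching client access without changing the item, and an `update` whose `-A` omits a principal locks that principal out because the secret was rotated and never wrapped for it.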
### Configuration

In all of this, Chef Vault has been managing the raw JSON files local to the developer. These then need to be pushed to the Chef Server as data bags (`knife data bag from file [data bag] [file]`). You can tell Chef Vault to work directly with data bags on the Chef Server instead by setting `knife[:vault_mode] = "client"`; however, we prefer the default mode, `"solo"`, as it lets us keep the canonical encrypted files in source control, where they are easy to share with the team.
### EXAMPLE:

```
$ knife vault create <data_bag> <item> '{"key_file":"-----BEGIN RSA PRIVATE KEY-----something-----END RSA PRIVATE KEY-----"}' -S "tags:<server_tag>" -A "admin1,admin2"
$ knife vault update <data_bag> <item> '{"key_file":"-----BEGIN RSA PRIVATE KEY-----something-----END RSA PRIVATE KEY-----"}' -S "tags:<server_tag>" -A "admin1,admin2"
$ knife vault edit <data_bag> <item>
```