This repository collects techniques for managing an infrastructure repository with:
- Vagrant for instantiating development environments
- Chef Zero (driven by knife-zero) for provisioning
The example below describes how to set up a Vagrant environment with two virtual machine instances (alfa and bravo), each provisioned by Chef Zero. Each machine uses a separate Chef environment (development and production respectively) and a separate encrypted data bag item, encrypted with that environment's own key.
Requirements:
- *nix shell
- Ruby 2.5.x or later
- VirtualBox 6.0.x or later
- Vagrant 2.2.x or later
$ git clone https://github.com/aspyatkin/vagrant-chef-zero-boilerplate.git
$ cd vagrant-chef-zero-boilerplate
$ script/init
The last command installs the necessary Ruby gems along with the vagrant-helpers plugin and initializes the Berkshelf cookbook manager. It also creates a .well-known directory in $HOME, downloads the default Vagrant private key and generates sample data bag encryption keys. Note that the default Vagrant key is publicly known, so it is only suitable for local VMs that are not reachable from outside the host.
You may want to run rm -rf .git to start an infrastructure repository from scratch.
VM instances are declared in the opts.yaml file; for details refer to the vagrant-helpers documentation.
$ cp opts.example.yaml opts.yaml
$ vagrant up alfa
$ vagrant up bravo
Configure SSH in ~/.ssh/config:
Host alfa.example
HostName 172.16.0.2
User vagrant
IdentityFile ~/.well-known/vagrant_private_key
Host bravo.example
HostName 172.16.0.3
User vagrant
IdentityFile ~/.well-known/vagrant_private_key
HostName may be omitted if the server's FQDN resolves via DNS.
Verify that an instance is reachable via SSH:
$ ssh alfa.example
The necessary Chef environments (development and production) are already present in the repository. For instance, the development environment was created with the following command:
$ script/knife environment create development
Since encrypted data bags will be used, encryption keys must be generated in the following fashion (each environment must have its own key, so that a development key leaking from a developer's machine does not expose production items):
$ openssl rand -base64 512 | tr -d '\r\n' > /path/to/secure/location/data_bag_secret
$ chmod 600 /path/to/secure/location/data_bag_secret
Settings and paths are stored in the .env file. Note that script/init creates sample keys as well as the .env file; the sample keys are for local experimentation only and must not be reused for real environments.
Needless to say, a real production key must never be stored unencrypted at rest. Consider keeping it in an encrypted container that is mounted as a volume only while it is needed.
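The key generation above, with the checks a practitioner would want before pointing .env at a key, as an added example that is not part of vagrant-chef-zero-boilerplate. It assumes (this example's choice, not the project's convention) that keys live under $SECRET_DIR, defaulting to ~/.well-known, and are named data_bag_secret.<environment>; it refuses to overwrite an existing key and creates the file with mode 0600 from the start rather than relying on a later chmod.

```sh
#!/bin/sh
# Added example, not code from vagrant-chef-zero-boilerplate: generate one data
# bag secret per Chef environment and check it before a node is bootstrapped
# with it. Assumptions of this example (not the project's conventions): keys are
# kept under $SECRET_DIR (default ~/.well-known, the directory script/init uses
# for its sample keys) and named data_bag_secret.<environment>.

SECRET_DIR="${SECRET_DIR:-$HOME/.well-known}"

# Checks worth running before .env points at a key: the file exists and is
# non-empty, only its owner can read it, and it contains no newline (the
# generation command strips them; a newline means the key was edited or copied
# by hand). Prints the first failure to stderr and returns 1.
check_data_bag_secret() {
  f="$1"
  if [ ! -s "$f" ]; then
    echo "missing or empty key: $f" >&2; return 1
  fi
  # -perm 0600 is an exact-mode match on both GNU and BSD find.
  if [ -z "$(find "$f" -maxdepth 0 -perm 0600 2>/dev/null)" ]; then
    echo "key must be mode 0600: $f" >&2; return 1
  fi
  if [ "$(wc -l < "$f" | tr -d ' ')" -ne 0 ]; then
    echo "key contains a newline: $f" >&2; return 1
  fi
  return 0
}

# Writes a fresh key for one environment the same way the text does (512
# random bytes, base64, newlines stripped). Refuses to overwrite an existing
# key: silently rotating a production secret would leave every item already
# encrypted with the old one undecryptable.
gen_data_bag_secret() {
  env_name="$1"
  if [ -z "$env_name" ]; then
    echo "usage: gen_data_bag_secret <environment>" >&2; return 2
  fi
  out="$SECRET_DIR/data_bag_secret.$env_name"
  if [ -e "$out" ]; then
    echo "refusing to overwrite existing key: $out" >&2; return 1
  fi
  # Subshell with umask 077: the directory is created 0700 and the key 0600 at
  # creation time, so there is no window in which others can read it.
  (
    umask 077
    mkdir -p "$SECRET_DIR" || exit 1
    if command -v openssl >/dev/null 2>&1; then
      openssl rand -base64 512 | tr -d '\r\n' > "$out"
    else
      # Same output shape as the openssl command above, for hosts without it.
      head -c 512 /dev/urandom | base64 | tr -d '\r\n' > "$out"
    fi
  ) || return 1
  check_data_bag_secret "$out"
}

# Command-line entry: gen_data_bag_secret.sh <environment>
[ $# -eq 0 ] || gen_data_bag_secret "$1"
```

Run it once per environment (development, production); each call produces an independent key, and a second call for the same environment fails instead of replacing a key that existing items may already depend on.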
Data bags can be created, edited or deleted with the help of the script/databag command:
$ script/databag create test [ENVIRONMENT_NAME]
$ script/databag edit test [ENVIRONMENT_NAME]
$ script/databag delete test [ENVIRONMENT_NAME]
If ENVIRONMENT_NAME is not specified, the KNIFE_NODE_DEFAULT_ENVIRONMENT value from the .env file is used.
The following command installs Chef on an instance and provides it with the encryption key specific to its environment.
$ script/bootstrap alfa development
First, add a recipe from the test cookbook (see the local-cookbooks folder) to the machine's Chef run list:
$ script/knife node run_list add alfa test::default
Then create the development item of the test data bag (with script/databag create, described above) containing:
{
  "id": "development",
  "secret": "DO NOT TELL ANYONE"
}
The recipe does nothing but create the file /tmp/hello containing the name of the Chef environment and the secret from the test data bag item.
At last, run converge:
$ script/converge alfa
To check whether the converge succeeded, connect to the alfa instance and print /tmp/hello:
$ cat /tmp/hello
development
DO NOT TELL ANYONE
Similar steps bootstrap and converge the bravo instance. The commands change slightly, since that instance operates in the other Chef environment (production) and therefore uses the production key and the production item of the test data bag.
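The plaintext item shown above is what you type into the editor; what should reach the repository is Chef's encrypted envelope, and the key itself never should. As an added example that is not part of vagrant-chef-zero-boilerplate, the following pre-commit check refuses a commit when a data bag item is about to land unencrypted or when a key file or .env is in the tree. It assumes (this example's choice, not the project's layout) that items are stored as data_bags/<bag>/<item>.json; the function names and the demo tree are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from vagrant-chef-zero-boilerplate: a pre-commit check
# that refuses a commit when a data bag item is about to enter the repository
# unencrypted, or when a key file or .env is sitting in the tree. Assumptions of
# this example (not the project's layout): items are stored as
# data_bags/<bag>/<item>.json, and an encrypted item is recognised by the
# "encrypted_data", "iv" and "version" fields Chef writes into each encrypted
# field. The heuristic only asks whether the envelope is present, which is
# enough to catch an item saved while no secret was configured.

item_is_encrypted() {
  grep -q '"encrypted_data"' "$1" && grep -q '"iv"' "$1" && grep -q '"version"' "$1"
}

# Walks one repository tree. Prints each offending path relative to the root
# and returns 1 if anything was found, 0 for a clean tree.
scan_repo() {
  root="$1"
  status=0
  for item in "$root"/data_bags/*/*.json; do
    [ -f "$item" ] || continue
    if ! item_is_encrypted "$item"; then
      echo "plaintext data bag item: ${item#"$root"/}"
      status=1
    fi
  done
  # Key material, and the .env that points at it, never belongs in the tree.
  for f in "$root"/.env "$root"/data_bag_secret "$root"/*/data_bag_secret; do
    if [ -f "$f" ]; then
      echo "secret file in tree: ${f#"$root"/}"
      status=1
    fi
  done
  return $status
}

# Constructed demo tree: the test/development item as Chef saves it with a
# secret (the base64 values are placeholders, not real ciphertext) next to a
# test/production item saved as plain JSON, the way the text's example looks
# before encryption. Returns scan_repo's status for that tree.
demo_scan() {
  demo_root=$(mktemp -d)
  mkdir -p "$demo_root/data_bags/test"
  cat > "$demo_root/data_bags/test/development.json" <<'EOF'
{
  "id": "development",
  "secret": {
    "encrypted_data": "placeholder-base64\n",
    "iv": "placeholder-iv\n",
    "version": 2,
    "cipher": "aes-256-cbc",
    "hmac": "placeholder-hmac\n"
  }
}
EOF
  cat > "$demo_root/data_bags/test/production.json" <<'EOF'
{
  "id": "production",
  "secret": "DO NOT TELL ANYONE"
}
EOF
  scan_repo "$demo_root"
}

# Command-line entry: scan.sh --demo, or scan.sh <path-to-repository>
case "${1:-}" in
  --demo) demo_scan ;;
  "") ;;
  *) scan_repo "$1" ;;
esac
```

As a git hook, call scan_repo with the repository root (for example from .git/hooks/pre-commit as scan_repo "$(git rev-parse --show-toplevel)") and let its non-zero status abort the commit. The check is deliberately a presence test: an item saved with no secret configured has no encrypted envelope at all, which is the failure mode this guards against.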
Chef documentation:
- knife environment commands;
- knife node commands;
- data bags.
Knife-Zero project:
MIT @ Alexander Pyatkin