
@stas-schaller stas-schaller commented Dec 2, 2025

Summary

This PR adds the Keeper Secrets Manager Chef Integration v1.0.0 to the monorepo, enabling Chef Infra users to securely manage and inject secrets into their infrastructure automation workflows.

What is Chef Infra?

Chef Infra is a powerful automation platform that transforms infrastructure into code. This integration allows Chef-managed nodes to retrieve secrets from Keeper Secrets Manager during Chef runs, eliminating hardcoded credentials and improving security posture.

Integration Components

Chef Cookbook

Location: integration/keeper_secrets_manager_chef/cookbooks/keeper_secrets_manager/
Version: 1.0.0
License: Apache-2.0
Chef Version: >= 16.0

Custom Resources

ksm_install - Installs Keeper Secrets Manager components

  • Installs Python SDK and/or CLI tool
  • Supports custom installation directories
  • Cross-platform (Linux, macOS, Windows)
  • Properties: python_sdk, cli_tool, user_install, base_dir

ksm_fetch - Retrieves secrets from Keeper vault

  • Uses Keeper Notation for flexible secret mapping
  • Supports environment variables, JSON output, and file downloads
  • Configurable timeouts and paths
  • Properties: input_path, timeout, deploy_path

Recipes

  • default - Empty entry point recipe
  • install - Installs KSM with default settings
  • fetch - Demonstrates secret retrieval

Helper Script

ksm.py - Python wrapper for KSM SDK

  • Handles authentication from encrypted data bags, environment variables, or input files
  • Supports Keeper Notation for field/file retrieval
  • Outputs secrets as environment variables, JSON, or files
  • Includes comprehensive error handling

Testing Suite

Unit Tests (RSpec)

  • Resource property validation
  • Recipe behavior testing
  • Platform-specific logic verification

Integration Tests (Test Kitchen + InSpec)

  • End-to-end installation testing
  • Secret retrieval validation
  • Cross-platform compatibility checks

Python Tests (pytest)

  • KSM helper script unit tests
  • Notation parsing validation
  • Error handling verification

Test Script: run_all_tests.sh - Runs all test suites

Publishing Workflow

File: .github/workflows/publish.chefsupermaket.yml

Features

  • Manual trigger: workflow_dispatch with publish input
  • Build-only mode: Set publish=false to test without publishing
  • Inline SBOM generation: Uses Syft v1.18.1 + Manifest CLI v0.18.3
  • Security: Explicit least-privilege permissions on all jobs
  • Authentication: Retrieves Chef credentials from KSM vault

Workflow Jobs

1. get-version

  • Extracts version from metadata.rb
  • Outputs version for downstream jobs
  • Permissions: contents: read

2. generate-sbom

  • Generates SPDX JSON SBOM using Syft
  • Publishes to Manifest Cyber
  • Archives SBOM artifact
  • Permissions: contents: read

3. publish-chef-supermarket (conditional on publish=true)

  • Retrieves Chef credentials from KSM
  • Configures knife authentication
  • Validates version doesn't already exist
  • Runs Cookstyle linting
  • Runs ChefSpec unit tests
  • Publishes to Chef Supermarket
  • Permissions: contents: read
  • Environment: prod

Authentication Setup

The workflow uses KSM to retrieve Hosted Chef credentials:

KSM Record (UID: b9vSxs5Dn-yJTPYr7Yvfmg):

  • login field: Hosted Chef username
  • file attachment: keepersecurity.pem (Chef client private key)
  • custom field server_url: Chef server URL (e.g., https://api.chef.io/organizations/keeper)

The workflow creates ~/.chef/config.rb with knife authentication and secures the private key with chmod 600.

SBOM Configuration

  • Approach: Inline scanning (not using reusable workflow pattern)
  • Format: SPDX JSON
  • Components Detected: 0 runtime dependencies (expected)
  • Reason: Chef cookbook is self-contained with no external runtime dependencies
  • Test Dependencies: Excluded from SBOM (pytest, keeper-secrets-manager-core are test-only)

Usage Example

# Install Keeper Secrets Manager (Python SDK and CLI) on the node
ksm_install 'keeper_setup' do
  python_sdk true
  cli_tool true
  action :install
end

# Fetch secrets from the Keeper vault; input.json maps Keeper Notation to outputs
ksm_fetch 'fetch_app_secrets' do
  input_path '/opt/keeper_secrets_manager/input.json'
  action :run
end

# Use secrets in templates. The output file only exists at converge time, so read
# and parse it inside lazy {} on the property itself: a bare `lazy` assigned to a
# local variable is a DelayedEvaluator, and secrets['DB_PASSWORD'] would call it
# rather than index the parsed hash.
require 'json'

template '/etc/myapp/config.yml' do
  source 'config.yml.erb'
  variables(lazy {
    secrets = JSON.parse(File.read('/opt/keeper_secrets_manager/keeper_output.txt'))
    { db_password: secrets['DB_PASSWORD'], api_key: secrets['API_KEY'] }
  })
  sensitive true # keep the rendered values out of the Chef log and resource diff
end

Documentation

  • Cookbook README: integration/keeper_secrets_manager_chef/cookbooks/keeper_secrets_manager/README.md
  • Parent README: integration/keeper_secrets_manager_chef/cookbooks/README.md
  • Changelog: integration/keeper_secrets_manager_chef/cookbooks/keeper_secrets_manager/CHANGELOG.md

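Added example, not code from the PR or the Keeper repository: a Ruby parser for the Keeper Notation references that ksm_fetch maps secrets with (the PR's ksm.py does this in Python), resolved against a constructed record and returned as the environment-variable map the resource writes out. The notation subset handled here (keeper://<record_uid>/<field|custom_field|file>/<selector> with optional [index] and [property]), the record shape and every sample value are assumptions made for this illustration; the real input.json format and record layout are those of the cookbook and the KSM SDK.

```ruby
# Added example (not the PR's or Keeper's code): parse and resolve a subset of
# Keeper Notation. Grammar, record shape and sample data are assumptions.
require 'json'

module KeeperNotation
  Ref = Struct.new(:record_uid, :selector_type, :selector, :index, :property, keyword_init: true)

  PREFIX = 'keeper://'.freeze
  SELECTOR_TYPES = %w[field custom_field file].freeze
  # selector, optional [index] (digits, or empty for "whole array"), optional [property]
  TAIL = /\A(?<selector>[^\[\]]+)(?:\[(?<index>\d*)\])?(?:\[(?<property>[^\[\]]+)\])?\z/

  class ParseError < StandardError; end

  # Parse one notation string into a Ref, rejecting anything outside the grammar
  # instead of letting a typo resolve to an empty value later.
  def self.parse(notation)
    raise ParseError, "missing #{PREFIX} prefix: #{notation}" unless notation.start_with?(PREFIX)
    uid, type, rest = notation.delete_prefix(PREFIX).split('/', 3)
    raise ParseError, "malformed reference: #{notation}" if uid.nil? || uid.empty? || rest.nil? || rest.empty?
    raise ParseError, "unknown selector type #{type.inspect}" unless SELECTOR_TYPES.include?(type)
    m = TAIL.match(rest) or raise ParseError, "malformed selector: #{rest}"
    index = if m[:index].nil? then nil elsif m[:index].empty? then :all else m[:index].to_i end
    Ref.new(record_uid: uid, selector_type: type, selector: m[:selector], index: index, property: m[:property])
  end

  # Resolve a Ref against a record hash shaped (by assumption) like a KSM record:
  # 'fields' and 'custom' are arrays of {'type'/'label', 'value' => [...]},
  # 'files' is an array of {'name', 'data'}.
  def self.resolve(ref, record)
    raise ParseError, "record UID mismatch for #{ref.record_uid}" unless record['uid'] == ref.record_uid
    entry =
      case ref.selector_type
      when 'file'
        file = record.fetch('files', []).find { |f| f['name'] == ref.selector }
        raise KeyError, "no file named #{ref.selector}" unless file
        return file['data']
      when 'field'        then record.fetch('fields', []).find { |f| f['type'] == ref.selector }
      when 'custom_field' then record.fetch('custom', []).find { |f| f['label'] == ref.selector }
      end
    raise KeyError, "no #{ref.selector_type} #{ref.selector}" unless entry
    values = Array(entry['value'])
    values = values.map { |v| v.fetch(ref.property) } if ref.property # e.g. phone[...][number]
    return values if ref.index == :all                                # phone[] -> whole array
    values.fetch(ref.index || 0)                                      # default: first value
  end

  # Turn an ENV_NAME => notation mapping into ENV_NAME => secret value.
  def self.materialize(mapping, records_by_uid)
    mapping.to_h do |env_name, notation|
      ref = parse(notation)
      record = records_by_uid.fetch(ref.record_uid) { raise KeyError, "unknown record #{ref.record_uid}" }
      [env_name, resolve(ref, record)]
    end
  end
end

# Constructed sample record and mapping (fake UID, fake values; not real data).
SAMPLE_RECORD = {
  'uid' => 'EXAMPLE_RECORD_UID',
  'fields' => [
    { 'type' => 'login',    'value' => ['app_user'] },
    { 'type' => 'password', 'value' => ['s3cr3t-p@ss'] },
    { 'type' => 'phone',    'value' => [{ 'number' => '+1 555 0100', 'type' => 'Work' },
                                        { 'number' => '+1 555 0199', 'type' => 'Mobile' }] }
  ],
  'custom' => [{ 'type' => 'text', 'label' => 'server_url', 'value' => ['https://example.invalid/organizations/demo'] }],
  'files'  => [{ 'name' => 'client.pem', 'data' => "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n" }]
}.freeze

SAMPLE_MAPPING = {
  'DB_USER'     => 'keeper://EXAMPLE_RECORD_UID/field/login',
  'DB_PASSWORD' => 'keeper://EXAMPLE_RECORD_UID/field/password',
  'WORK_PHONE'  => 'keeper://EXAMPLE_RECORD_UID/field/phone[0][number]',
  'CHEF_SERVER' => 'keeper://EXAMPLE_RECORD_UID/custom_field/server_url',
  'CLIENT_KEY'  => 'keeper://EXAMPLE_RECORD_UID/file/client.pem'
}.freeze

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(KeeperNotation.materialize(SAMPLE_MAPPING, SAMPLE_RECORD['uid'] => SAMPLE_RECORD))
end
```

Run it directly to print the materialised mapping. phone[][number] returns every number as an array, phone[0][number] the first, and an unknown selector type or record UID is rejected before resolution, which is the failure mode you want to catch before an empty value is rendered into a config file on a node.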
socket-security bot commented Dec 2, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package                   Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   pypi/pytest-mock@3.15.1   100                     100             100       100           100


… workflow

- Remove dependency on reusable.sbom.workflow.yml
- Add inline SBOM generation using Syft v1.18.1 and Manifest CLI v0.18.3
- Add build-only mode with publish input (default: true)
- When publish=false, runs tests and SBOM generation without publishing
- Matches pattern used in Ruby SDK and .NET workflows
Configure knife with credentials from KSM vault:
- Retrieve Chef username from login field
- Download client key file (keepersecurity.pem) as attachment
- Retrieve Chef server URL from custom field
- Create ~/.chef/config.rb with authentication details
- Set secure permissions (600) on private key file

KSM record contains:
- login: Hosted Chef username (keepersecurity)
- file attachment: keepersecurity.pem (RSA private key)
- custom_field/server_url: Chef server URL

Tested locally with keeper CLI - all secrets retrieve correctly.
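Plain-Ruby equivalents of the steps the commit message above and the PR's publish job describe, added here as an example and not the PR's own workflow (which does this in GitHub Actions shell steps): reading the version out of metadata.rb, refusing to publish a version Supermarket already lists, and writing ~/.chef/config.rb and the client key with mode 0600. The metadata text, the published-version list that stands in for the Supermarket lookup, the node name, server URL and key material are all constructed for the example.

```ruby
# Added example (not the PR's workflow code). Offline model of three publish-job
# steps: version extraction, "already published" gate, knife config + key at 0600.
require 'fileutils'
require 'tmpdir'

module ChefPublishGate
  # Constructed metadata.rb fragment in the form Chef cookbooks use (assumed content).
  SAMPLE_METADATA = <<~RB
    name 'keeper_secrets_manager'
    version '1.0.0'
    license 'Apache-2.0'
    chef_version '>= 16.0'
  RB

  # Version declared in metadata.rb, as the get-version job extracts it.
  # Raises when there is no semver version line rather than publishing "".
  def self.cookbook_version(metadata_text)
    m = metadata_text.match(/^\s*version\s+['"](?<v>\d+\.\d+\.\d+)['"]/)
    raise ArgumentError, 'metadata.rb has no semver version line' unless m
    m[:v]
  end

  # Publishing gate: only a version Supermarket does not already list may go out.
  # published_versions stands in for the Supermarket API response.
  def self.publishable?(version, published_versions)
    !published_versions.include?(version)
  end

  # Write the knife config and the client key. Both files are created with 0600
  # from the first write, so there is no window in which the key is group- or
  # world-readable; chmod afterwards covers a pre-existing file with a wider mode.
  # Returns the config path.
  def self.write_knife_config(chef_dir:, node_name:, server_url:, client_key_pem:)
    FileUtils.mkdir_p(chef_dir, mode: 0o700)
    key_path = File.join(chef_dir, "#{node_name}.pem")
    config_path = File.join(chef_dir, 'config.rb')
    File.open(key_path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(client_key_pem) }
    File.chmod(0o600, key_path)
    config = <<~RB
      # generated by CI from a KSM record; do not commit
      node_name       '#{node_name}'
      client_key      '#{key_path}'
      chef_server_url '#{server_url}'
      ssl_verify_mode :verify_peer
    RB
    File.open(config_path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(config) }
    config_path
  end

  # Permission bits of a file, for asserting the 0600 requirement.
  def self.file_mode(path)
    File.stat(path).mode & 0o777
  end

  # Whole flow on constructed inputs; writes into a temp dir that is removed afterwards.
  def self.demo
    version = cookbook_version(SAMPLE_METADATA)
    published = %w[0.1.0] # constructed stand-in for the Supermarket version list
    return { version: version, would_publish: false } unless publishable?(version, published)

    Dir.mktmpdir('chef-publish-') do |dir|
      cfg = write_knife_config(
        chef_dir: File.join(dir, '.chef'),
        node_name: 'ci-publisher',
        server_url: 'https://chef.example.invalid/organizations/demo',
        client_key_pem: "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n"
      )
      key = File.join(File.dirname(cfg), 'ci-publisher.pem')
      { version: version, would_publish: true, key_mode: file_mode(key), config_mode: file_mode(cfg) }
    end
  end
end

puts ChefPublishGate.demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of creating the key with the permission bits in the open call, rather than writing first and running chmod 600 afterwards as a separate step, is that the second form briefly leaves the private key at the process umask's default mode on a shared runner; keeping the chmod as well makes the result identical when the path already existed.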
…0, 151)

Add permissions: {contents: read} to all workflow jobs:
- get-version job (alert 113)
- generate-sbom job (alert 150)
- publish-chef-supermarket job (alert 151)

Follows GitHub Actions security best practice for principle of least privilege.

Alert #116 audit: All log_message() calls audited - no secret values logged.
Alert #117: Dismissed (intentional functionality for secret injection).
@stas-schaller stas-schaller requested a review from maksimu December 2, 2025 20:53
stas-schaller and others added 3 commits December 2, 2025 15:58
Remove Ruby-specific additions to reusable.sbom.workflow.yml:
- Remove Ruby from project-type description
- Remove Ruby setup step
- Remove detect_ruby_version() function
- Remove Ruby case from version detection

Chef integration now uses inline SBOM scanning instead of reusable workflow.
Reverts to master's version of this file.
Update version in:
- metadata.rb: 0.1.0 -> 1.0.0
- CHANGELOG.md: 0.1.0 -> 1.0.0
- README.md: Badge and footer (0.1.0 -> 1.0.0)

Add to metadata.rb:
- issues_url: Link to GitHub issues
- source_url: Link to source code in monorepo