This release will focus on reducing tech debt:
- improve the coverage of the RSpec suite
- ensure there are Aruba tests for all the subcommands and scenarios that match DEMO.md
- clean up any leftover Rubocop issues
This will be the last release in the 2.x branch, and is for anyone who is constraining to '~> 2.4' (for example). Anything that we decide to deprecate for v3.0.0 will produce warnings in this release.
This will be a major refactor. The primary goal is to solve the bootstrap problem where a vault can't be encrypted for a node until the node has been created. Exactly how we will do that is open to discussion (watch the chef-vault issues on github for news).
This release will also remove the chef-vault 1.x commands (encrypt/decrypt)
- Remove dependency on rspec-its
- (via Chef/Dan DeLeo): reduce the number of parts of chef that chef-vault requires, to ease integration of chef-vault into ChefDK
- ChefVault::Item#clients can now accept a Chef::ApiClient object instead of a search string. Requested by @lamont-granquist to make implementing chef-vault into 'knife bootstrap' easier
- allow Ruby 1.9.3 failures to not cause the overall build to fail on Travis
- switch to latest 2.0.x, 2.1.x, and 2.2.x releases of Ruby
- add --clean-unknown-clients switch to 'knife vault refresh'
- as a side effect, ChefVault::Item now has a #refresh method which can be used to programmatically perform the same operation as 'knife vault refresh'
- enhance 'knife vault show VAULTNAME' (without an item name) to list the names of the items in the vault for parity with 'knife data bag show'
- add #raw_keys to ChefVault::Item that calls #keys on the underlying data bag item. We can't make ChefVault::Item work like a true hash without breaking the public API, but this at least makes it easier to get a list of keys
- allow ChefVault::Item.new and ChefVault::Item.load to specify an alternate node name and client key path. See the README for the use case this serves.
- added ChefVault::Item.vault? predicate that returns true if the item is a vault and false otherwise
- added ChefVault::Item.data_bag_item_type method that returns one of :normal, :encrypted or :vault
- added 'knife vault isvault VAULT ITEM' subcommand that exits 0 if the item is a vault and 1 if it is not
- added 'knife vault itemtype VAULT ITEM' subcommand that outputs 'normal', 'encrypted' or 'vault'
- when decrypting, if the vault is encrypted for the node but decryption fails, emit a more friendly error message than 'OpenSSL::PKey::RSAError: padding check failed'
- when attempting to add a client key to a vault item, warn and skip if the node doesn't have a public key (reported by Nik Ormseth)
- add a new 'knife vault list' command that lists the data bags that are vaults
- Add more detailed explanation of how chef-vault works in THEORY.md (Issue #109)
- fix a problem with the --clean-unknown-clients switch to 'rotate keys' that made it impossible to delete a client that could not be searched for (i.e. the node object is deleted)
- add rubocop tasks to Rakefile and take a first pass at the low-hanging fruit
- add simplecov test coverage configuration (Doug Ireton)
- add --clean-unknown-clients switch to knife remove/rotate (Thomas Gschwind and Reto Hermann)
- add --clean switch to knife update (thanks to Matt Brimstone)
- added aruba CLI testing framework (just for --clean option for now)
- add Ruby 2.0.x and 2.1.x to Travis platforms
- Add knife vault refresh command
- Use node_name as a default admin
- Add DEMO for users
- Add vault_admins to knife.rb for a default set of vault admins
- Validate data bag ID before saving
- Add search_query to vault metadata
- Refactor knife commands to be knife vault verb
- Deprecate old knife commands
- Add knife vault show to deprecate knife decrypt
- Print admins, clients and search_query in show with -p
- Add knife vault edit to edit vault items
- Add mode option for knife.rb
- Fix more README typos
- Update README to correct typos
- Modify admin loading to fall back to clients endpoint if not found in users endpoint
- Add --file to "knife encrypt update" & "knife encrypt create" to do file encryption in chef-vault. It will create a key called "file-content" & "file-name"
- When VALUES is not supplied print the whole vault item
- Modify written data bag json files in solo mode to be valid for the knife data bag from file command
- Modify knife encrypt remove to automatically rotate keys
- Removal of knife encrypt certs
- Removal of knife encrypt passwords
- Add knife encrypt create
- Add knife encrypt update
- Add knife encrypt remove
- Add knife encrypt delete
- Add knife encrypt rotate keys
- Add knife decrypt
- Update chef-vault binary to take -v, -i, -a
- Add ChefVault::Item class
- Add ChefVault::ItemKeys class
- Modify ChefVault::User to use ChefVault::Item to maintain backwards compatibility
- Modify ChefVault::Certificate to use ChefVault::Item to maintain backwards compatibility
- Update compat to be class ChefVault not module ChefVault to remove knife errors
- Allow nodes/clients to be used as Admins
- Move compat include into the lazy-load deps
- Modify open file commands in knife commands to avoid file locking on windows
- Update to use attr_accessor in chef_vault
- Add rspec tests
- Update to create data bag folder if it does not already exist
- Clarify Readme
- Compatibility with Chef 10/11 (Shef vs Chef-Shell)
- Rename from Chef-Keepass to Chef-Vault
- Add Certificate class
- Add encrypt cert
- initial release