vault

package module
v1.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 24, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

README

Chef-Vault API for Chef Server in Golang

A Go implementation of the Chef-Vault API, built as a sidecar to go-chef and designed to closely mirror the behavior and semantics of the Ruby chef-vault gem.

Install

> go get github.com/justintsteele/go-chef-vault@latest

API

This library exposes a small, opinionated API that mirrors the behavior of the Ruby chef-vault knife commands. The primary entry point is the vault.Service type, which operates on Chef Vaults and Vault Items.

Core Types

  • vault.Service
    The main client used to perform vault operations. It wraps a go-chef client and applies Chef-Vault semantics on top of it.

  • vault.Payload
    A request structure used by mutating operations (Create, Update, Rotate, Remove). Fields are optional unless required by the operation, matching Ruby Chef-Vault behavior.

Read Operations

  • GetItem(vaultName, itemName string)
    Retrieves and decrypts a vault item, returning the plaintext data.

  • List() Retrieves a list of all vaults in the Chef Server.

  • ListItems(name string) Retrieves a list of all items in a specified vault.

  • IsVault(vaultName string)
    Determines whether a data bag represents a Chef Vault.

  • ItemType(vaultName, vaultItem string)
    Determines whether the data bag item is a vault, encrypted data bag, or a normal data bag item.

Write / Mutating Operations

  • Create(payload *Payload)
    Creates a new vault and encrypted item.

  • Update(payload *Payload)
    Updates vault contents while preserving omitted invariants (key mode, search query, existing actors).

  • Delete(payload *Payload) Destroys the entire vault, all the items, and keys from the Chef Server.

  • DeleteItem(payload *Payload) Destroys a specified vault item and its keys

  • RotateKeys(payload *Payload)
    Re-encrypts vault data and keys.

  • RotateAllKeys() Re-encrypts all vaults in the chef servers.

  • Refresh(payload *Payload) Reprocesses the vault search query and ensures all matching nodes have an encrypted secret, without modifying existing vault content or access rules.

  • Remove(payload *Payload) Removes data or actors from an existing vault.

Error Handling

Errors returned by this library may wrap underlying go-chef errors. Helper functions are provided in the cheferr package to inspect error types:

  • cheferr.IsNotFound(err)
  • cheferr.IsConflict(err)
  • cheferr.AsChefError(err)

These helpers are recommended instead of direct type assertions.

Test

> go test -v github.com/justintsteele/go-chef-vault/vault
> go run -v github.com/justintsteele/go-chef-vault/servertest --target [chefserver|goiardi]

See servertest/README.md for further setup and configuration steps for the integration suite.

The integration test suite exercises the vault API against a live Chef Server or goiardi instance to ensure behavioral parity with the Ruby implementation.

Usage

All public API endpoints require a configured Chef client. There are several ways to accomplish this as documented in go-chef.

Following the example laid out in servertest in this project, we start with a knife.rb, read that in and create the client.

package main

import (
	"encoding/json"
	"fmt"
	"os"

	"github.com/go-chef/chef"
	vault "github.com/justintsteele/go-chef-vault"
)

func main() {
	data, err := os.ReadFile("/path/to/.chef/knife.rb")
	if err != nil {
		fmt.Fprintf(os.Stderr, "error: %v\n", err)
		os.Exit(1)
	}

	clientRb, err := chef.NewClientRb(string(data), "/path/to/.chef")
	if err != nil {
		fmt.Fprintf(os.Stderr, "error: %v\n", err)
		os.Exit(1)
	}

	knife := &chef.Config{
		Name:                  clientRb.NodeName,
		Key:                   clientRb.ClientKey,
		BaseURL:               clientRb.ChefServerUrl + "/",
		AuthenticationVersion: "1.0",
	}

	client, err := chef.NewClient(knife)
	if err != nil {
		fmt.Fprintf(os.Stderr, "error: %v\n", err)
		os.Exit(1)
	}

	vaultService := vault.NewService(client)

	result, err := vaultService.GetItem("vault_name", "secret_name")
	if err != nil {
		fmt.Fprintf(os.Stderr, "error: %v\n", err)
		os.Exit(1)
	}

	jsonRes, err := json.Marshal(result)
	if err != nil {
		fmt.Printf("error marshaling result: %v\n", err)
		return
	}

	fmt.Println(string(jsonRes))
}

Contributing

If you feel like contributing, great! Just fork the repo, make your improvements, and submit a pull request. When adding features, please ensure behavior remains compatible with the Ruby chef-vault gem unless explicitly documented otherwise. Please also ensure all new features and bug fixes are covered by a unit test. Bonus points if you are able to extend coverage into the servertest integration suite. Ensure code passes the lint standards provided by golangci-lint.

Copyright 2025-2026, Justin Steele

License

go-chef-vault is licensed under the Apache 2.0 License. See the LICENSE file for details.

Documentation

Overview

Package vault provides a Go implementation of the Chef Vault API.

Index

Constants

This section is empty.

Variables

View Source 
var (
	// ErrNilPayload is returned when a nil *Payload is passed to a public API.
	ErrNilPayload = errors.New("vault: payload cannot be nil")

	// ErrMissingVaultName is returned when VaultName is empty.
	ErrMissingVaultName = errors.New("vault: missing VaultName")

	// ErrMissingVaultItemName is returned when VaultItemName is empty.
	ErrMissingVaultItemName = errors.New("vault: missing VaultItemName")
)

Functions

This section is empty.

Types

type CreateDataResponse 

type CreateDataResponse struct {
	URI string `json:"uri"`
}

CreateDataResponse represents the response returned after creating vault content.

type CreateResponse 

type CreateResponse struct {
	Response
	Data     *CreateDataResponse `json:"data"`
	KeysURIs []string            `json:"keys_uris"`
}

CreateResponse represents the structure of the response from a Create operation.

type DataBagItemType 

type DataBagItemType string

DataBagItemType represents the classification of a Chef data bag item as determined by Chef-Vault semantics. 

const (
	// DataBagItemTypeVault indicates the item is a Chef Vault.
	DataBagItemTypeVault DataBagItemType = "vault"

	// DataBagItemTypeEncrypted indicates the item is an encrypted data bag item containing
	// encrypted application data.
	DataBagItemTypeEncrypted DataBagItemType = "encrypted"

	// DataBagItemTypeNormal indicates the item is a standard Chef data bag item
	// with no Chef-Vault or encrypted data bag semantics applied.
	DataBagItemTypeNormal DataBagItemType = "normal"
)

type DeleteResponse 

type DeleteResponse struct {
	Response
	KeysURIs []string `json:"keys,omitempty"`
}

DeleteResponse represents the structure of the response from a Delete operation.

type Payload 

type Payload struct {
	VaultName     string
	VaultItemName string
	Content       map[string]interface{}
	KeysMode      *item_keys.KeysMode
	SearchQuery   *string
	Admins        []string
	Clients       []string
	Clean         bool
	CleanUnknown  bool
	SkipReencrypt bool
}

Payload represents the input parameters used to create, update, or refresh a vault item.

type RefreshResponse 

type RefreshResponse = UpdateResponse

RefreshResponse intentionally mirrors UpdateResponse for API parity.

type RemoveDataResponse 

type RemoveDataResponse struct {
	URI string `json:"uri"`
}

RemoveDataResponse represents the response returned after removing data from the vault item.

type RemoveResponse 

type RemoveResponse struct {
	Response
	Data     *RemoveDataResponse `json:"data"`
	KeysURIs []string            `json:"keys"`
}

RemoveResponse represents the structure of the response from a Remove operation.

type Response 

type Response struct {
	URI string `json:"uri"`
}

Response represents the basic structure of a response from a Vault operation.

type RotateResponse 

type RotateResponse struct {
	Response
	KeysURIs []string `json:"keys_uris"`
}

RotateResponse represents the structure of the response from a RotateKeys operation.

type Service 

type Service struct {
	Client *chef.Client
}

Service provides Vault operations backed by a Chef Server client.

func NewService 

func NewService(client *chef.Client) *Service

NewService returns a Service configured with the given Chef client.

func (*Service) Create 

func (s *Service) Create(payload *Payload) (*CreateResponse, error)

Create adds a vault item and its associated keys to the Chef server.

References:

func (*Service) Delete 

func (s *Service) Delete(vaultName string) (*DeleteResponse, error)

Delete destroys the entire vault, all the items, and keys from the Chef Server (nuclear option).

References:

func (*Service) DeleteItem 

func (s *Service) DeleteItem(vaultName, vaultItem string) (*DeleteResponse, error)

DeleteItem destroys a specified vault item and its keys.

References:

func (*Service) GetItem 

func (s *Service) GetItem(vaultName, vaultItem string) (chef.DataBagItem, error)

GetItem returns the decrypted items in the vault.

References:

func (*Service) IsVault 

func (s *Service) IsVault(vaultName, vaultItem string) (bool, error)

IsVault determines whether the data bag item is a vault.

References:

func (*Service) ItemType 

func (s *Service) ItemType(vaultName, vaultItem string) (DataBagItemType, error)

ItemType determines whether the data bag item is a vault, encrypted data bag, or a normal data bag item.

References:

func (*Service) List 

func (s *Service) List() (*chef.DataBagListResult, error)

List returns a list of vaults on the server.

References:

func (*Service) ListItems 

func (s *Service) ListItems(vaultName string) (*chef.DataBagListResult, error)

ListItems returns a list of the items in a vault.

References:

func (*Service) Refresh 

func (s *Service) Refresh(payload *Payload) (*RefreshResponse, error)

Refresh reprocesses the vault search query and ensures all matching nodes have an encrypted secret, without modifying existing vault content or access rules.

References:

func (*Service) Remove 

func (s *Service) Remove(payload *Payload) (*RemoveResponse, error)

Remove removes clients, admins, or data keys from an existing vault item.

References:

func (*Service) RotateAllKeys 

func (s *Service) RotateAllKeys() ([]RotateResponse, error)

RotateAllKeys performs a full key rotation for every vault item in the Chef server, regenerating shared secrets and re-encrypting data for each item.

References:

func (*Service) RotateKeys 

func (s *Service) RotateKeys(payload *Payload) (*RotateResponse, error)

RotateKeys rotates the shared secret for a vault item by generating a new secret, re-encrypting all client/admin keys, and re-encrypting the vault data.

References:

func (*Service) Update 

func (s *Service) Update(payload *Payload) (*UpdateResponse, error)

Update modifies a vault item and its access keys on the Chef server.

References:

type UpdateDataResponse 

type UpdateDataResponse struct {
	URI string `json:"uri"`
}

UpdateDataResponse represents the response returned after updating vault content.

type UpdateResponse 

type UpdateResponse struct {
	Response
	Data     *UpdateDataResponse `json:"data,omitempty"`
	KeysURIs []string            `json:"keys_uris,omitempty"`
}

UpdateResponse represents the structure of the response from an Update operation.

Source Files

View all Source files

Directories

Path Synopsis
Package cheferr provides helpers for interpreting errors returned by the go-chef client in a consistent, semantic way.
 Package cheferr provides helpers for interpreting errors returned by the go-chef client in a consistent, semantic way.
Package item defines data structures and helpers for Chef Vault items.
 Package item defines data structures and helpers for Chef Vault items.
Package item_keys contains helpers for managing Chef Vault item keys.
 Package item_keys contains helpers for managing Chef Vault item keys.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.