Guest Post: Introducing Chef-Guard

Sander van Harmelen is a mission-critical engineer at Schuberg Philis, where he helps build and maintain business-critical systems with 100% uptime. With expertise in both coding and operations, he literally lives DevOps and is an epic Chef contributor. In this guest post, Sander introduces us to a new open source Chef tool – Chef-Guard.

Chef-Guard is a feature-rich Chef add-on that protects your Chef server from untested and uncommitted cookbooks by running several validations and checks during the cookbook upload process. In addition, Chef-Guard will also monitor, audit, save and email (including a diff of the actual change) all configuration changes, and is even capable of validating certain changes before passing them through to Chef.

So installing Chef-Guard (which is completely open source) onto your Chef server(s) will give you a highly configurable component that enables you to configure and enforce a common workflow for all your colleagues working with Chef.

We started working with Chef in 2010/2011 and since then our Chef workflow changed a few times as we learned more and more about the Chef internals, the supporting tools, and various utilities from the Chef ecosystem.

Over time Chef improved a lot in multiple areas. But, as Chef continues to add audit and monitoring capabilities, at Schuberg Philis we need to be 100% sure that we can always find who changed what at what time at any given point in the past – as part of our ISO/IEC 27001:2013 certification. So, over time and with hard work on behalf of many folks here at Schuberg Philis, we created Chef-Guard, with two primary capabilities:

Monitoring: An advanced/smart reverse proxy written in Go, which can be placed in front of your Chef servers. By having the service in front of Chef (or actually in between the different Chef components, see here), you can monitor the changes inline while they are being executed. The big advantage of this approach is that you can be 100% sure that you ‘see’ each and every change. At the same time the load on the Chef server(s) is very lightweight, as it doesn’t need to make any additional calls to Chef itself.

Cookbook Checking: This feature of Chef-Guard makes sure that all data going in and out of Chef is checked, tested, and secured outside Chef. This happens primarily in Git, but it will also store all your private cookbooks in a private Supermarket if you have one installed.
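As an added example that is not Chef-Guard's own code (the page shows none), here is a minimal Go reverse proxy in the spirit of the monitoring and validation capabilities described above: every request is forwarded to the Chef server, every mutating request (POST, PUT, DELETE) is recorded with the requesting user, path, a SHA-256 of the body and the status Chef returned, and an optional validator can reject a change before it reaches Chef. The `AuditRecord` fields, the `Validator` hook and the use of the `X-Ops-UserId` request header (which Chef clients send with signed API requests) to attribute changes are assumptions made for this example, not a description of Chef-Guard's internals.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// AuditRecord is one captured change. The field set is an assumption for this
// example; the page does not describe Chef-Guard's own record format.
type AuditRecord struct {
	Time    time.Time `json:"time"`
	User    string    `json:"user"`        // from the X-Ops-UserId header on the signed Chef request
	Method  string    `json:"method"`      // POST, PUT or DELETE
	Path    string    `json:"path"`        // Chef API path that was changed
	BodySHA string    `json:"body_sha256"` // digest of the request body, so a stored copy can be verified
	Status  int       `json:"status"`      // status Chef (or the validator) returned, so rejections are kept too
}

// AuditLog keeps records in memory; a deployment would persist them (file,
// Git commit, e-mail) rather than hold them in the proxy process.
type AuditLog struct {
	mu      sync.Mutex
	records []AuditRecord
}

func (a *AuditLog) Add(r AuditRecord) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.records = append(a.records, r)
}

// Records returns a copy of everything recorded so far.
func (a *AuditLog) Records() []AuditRecord {
	a.mu.Lock()
	defer a.mu.Unlock()
	return append([]AuditRecord(nil), a.records...)
}

// BodyDigest returns the hex SHA-256 of a request body.
func BodyDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// IsChange reports whether a Chef API method mutates server state.
func IsChange(method string) bool {
	return method == http.MethodPost || method == http.MethodPut || method == http.MethodDelete
}

// statusRecorder captures the status code the upstream Chef server sent.
type statusRecorder struct {
	http.ResponseWriter
	status int
}

func (s *statusRecorder) WriteHeader(code int) {
	s.status = code
	s.ResponseWriter.WriteHeader(code)
}

// Validator (hypothetical hook) inspects a mutating request before it reaches
// Chef; a non-nil error rejects the change with 412 without forwarding it.
type Validator func(r *http.Request, body []byte) error

// NewAuditingProxy forwards every request to upstream, records each mutating
// request in audit, and runs validate (may be nil) on mutating requests first.
func NewAuditingProxy(upstream *url.URL, audit *AuditLog, validate Validator) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsChange(r.Method) {
			proxy.ServeHTTP(w, r) // reads pass through untouched and unrecorded
			return
		}
		// Read the body once so it can be hashed and validated, then restore it
		// so the proxy forwards it unchanged.
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "cannot read request body", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		rec := AuditRecord{Time: time.Now().UTC(), User: r.Header.Get("X-Ops-UserId"),
			Method: r.Method, Path: r.URL.Path, BodySHA: BodyDigest(body)}
		if validate != nil {
			if err := validate(r, body); err != nil {
				rec.Status = http.StatusPreconditionFailed
				audit.Add(rec) // rejected changes are audited as well
				http.Error(w, err.Error(), rec.Status)
				return
			}
		}
		sr := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
		proxy.ServeHTTP(sr, r)
		rec.Status = sr.status
		audit.Add(rec)
	})
}
```

To run it stand-alone, parse the Chef server URL and call `http.ListenAndServe(":8080", NewAuditingProxy(upstream, &AuditLog{}, nil))`. The inline approach only gives the "see every change" guarantee the post describes if the proxy is the sole path to the Chef API, so the Chef server itself must not be reachable around it; and because the proxy records the status Chef returned, a change Chef rejected shows up in the log as such rather than being mistaken for an applied change.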

There is, of course, much more to this project than detailed here. Many of the answers can be found at the project page, where you’ll find significant depth and insight into the configuration options and reasoning behind the workflows.

The rest of the Schuberg Philis team and I will be walking around both the Seattle and London Chef Summits in the next few weeks and are happy to discuss and/or explain anything you like! If you can’t make it to the Summits, you can also join the IRC channel #chef-guard and ask us anything.

Lucas Welch

Former Chef Employee