chef-datadog
Add support for retrieving secrets from chef-vault
With newer versions of chef-client, it's nice to work with chef-vault to manage secrets for system utilities, especially with it being included in the ChefDK.
As of right now, the only mechanism for using chef-vault to store datadog credentials with the datadog cookbook is to write a wrapper cookbook and set the attributes. That works great! The only downside is that we're setting attributes, and thus effectively leaking credentials in plain text. 😢
Is there any interest in enhancing the installation codepath to conditionally use chef-vault for pulling credentials and setting them in the configuration files? That way we could avoid leaking plain text credentials into the node object, while still keeping the old behavior as the default (for now)?
@theckman this blog post documents how to use chef-vault more securely, such that attributes are not leaked on node save:
http://jtimberman.housepub.org/blog/2014/12/24/quicktip-delete-attributes/
I think this would be solved by moving the agent config into a Chef Resource. I'm planning to put up a PR for one in the near-ish future because I too don't like that it saves API keys in the clear.
@theckman @martinisoft: Could you have a look at the approach of #395 (see discussion in #345)?
It makes the cookbook pull the api_key and the application_key from the run_state first, so your wrapper cookbook could set the keys in the run_state and wouldn't leak the credentials.
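As an added illustration of the run_state approach discussed above (not code from the chef-datadog cookbook or from #395): a small plain-Ruby model of why values placed in run_state stay out of the saved node object while attributes do not. `FakeNode`, `VAULT_ITEM` and the helper names are constructed stand-ins for Chef::Node and a chef-vault item; real Chef is not loaded.

```ruby
require 'json'

# Constructed stand-in for the two parts of Chef::Node that matter here:
# `default` attributes are serialised on node save, while `run_state` is
# in-memory only and discarded when the run ends (assumption mirroring
# Chef's behaviour; this is not Chef::Node).
class FakeNode
  attr_reader :default, :run_state

  def initialize
    @default   = Hash.new { |h, k| h[k] = {} }
    @run_state = Hash.new { |h, k| h[k] = {} }
  end

  # Approximates what chef-client would send to the server on node save.
  def save_payload
    JSON.generate('default' => @default)
  end
end

# Credential lookup in the style described for #395 (reimplemented here):
# run_state wins, the attribute is only the fallback.
def datadog_credential(node, name)
  node.run_state['datadog'][name] || node.default['datadog'][name]
end

# Constructed vault item, standing in for what a wrapper cookbook would get
# from ChefVault::Item.load(...); the values are placeholders.
VAULT_ITEM = {
  'api_key'         => 'constructed-api-key',
  'application_key' => 'constructed-app-key'
}.freeze

# Weak wrapper: secrets copied into attributes, so they end up in the node object.
def wrapper_via_attributes(node)
  VAULT_ITEM.each { |k, v| node.default['datadog'][k] = v }
  node
end

# Hardened wrapper: secrets placed in run_state only.
def wrapper_via_run_state(node)
  VAULT_ITEM.each { |k, v| node.run_state['datadog'][k] = v }
  node
end

# True when the saved node object would carry the API key in plain text.
def leaks_api_key?(node)
  node.save_payload.include?(VAULT_ITEM['api_key'])
end
```

Both wrappers resolve the same credentials through `datadog_credential`, but only the attribute-based one shows up in `save_payload`.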