Dilip Panwar
@dilippanwar1
odl
old*
Does anyone have a good link which I can follow?
Dilip Panwar
@dilippanwar1
@seperman can you please share how you are creating vaults?
Dilip Panwar
@dilippanwar1
I have created a vault with a plaintext password
but I'm not able to get the password in my recipe
it is failing since I don't have keys for it
Can anyone help me fix it?
shansky
@Shansky

@dilippanwar1 you should use --search to specify hosts, for example:

knife vault create ssh deploy --search 'fqdn:server-*-prod' --admins dilippanwar1

this should add the item deploy_keys to the data bag ssh with all hosts matching fqdn with the given regex

Dilip Panwar
@dilippanwar1
I'm getting these errors while creating sample vaults
{"error":["Cannot load data bag item root_keys for data bag vault_bag"]}
{"error":["Cannot load data bag vault_bag"]}
Let's say I have a fresh Chef server with no nodes registered. What command should I use to create vaults in that case?
I'm working on a one-click deployment wherein instances will be created on demand and the vault will be utilized there
knife vault create vault_bag root '{"username": "root", "password": "mypassword"}' -S "role:webserver" -A "admin"
When I fire this command, it just creates a normal data bag; however, I expect to get a vault with encrypted values which I could fetch from recipes
@Shansky Can you please help?
I am exactly following this
but the vault is not getting created
<vaultname>_keys never gets created
content is always coming as plain text
I'm doing some silly mistake I guess
but not able to catch it
shansky
@Shansky
@dilippanwar1 I managed to reproduce your problem
Dilip Panwar
@dilippanwar1
that's great!
shansky
@Shansky
by default knife vault creates vaults in the file path specified in the knife configuration file. On my workspace I've configured this with cookbook_path [ "/Users/Shansky/git/chef/cookbooks" ], then knife adds the data_bags directory to this path and the vaults land there.
my knife.rb config strongly depends on current_dir
so when I was in a subdirectory
it creates the vault item but without keys and I couldn't manage to read it using knife data bag show
so when I'm at the top of my repository, vault creates encrypted items in the data_bags directory :)
Dilip Panwar
@dilippanwar1
cookbook_path '/root/chef-repo/cookbooks/techops/chef/cookbooks'
this is my cookbook path in knife
so if I create the vault while sitting at chef-repo, it will work
correct me if I misunderstood
shansky
@Shansky
it works this way on my workstation
Dilip Panwar
@dilippanwar1
I tried but it didn't work
btw I'm on a Linux environment
please help
shansky
@Shansky
could you paste your knife configuration and commands, step by step what you're doing?
Morgan Nelson
@korishev
@dilippanwar1 I think you may miss one of the basic parts of how these vaults work. If you do not have a node already set up that you want the vault to hold secrets for, the vault won't be of any value to you. A vault keeps your secrets encrypted for a specific node based on the certificate in the node's /etc/chef/client.pem file. If the node does not exist, then its /etc/chef/client.pem file cannot exist, so vault cannot encrypt the secrets for that node.
@dilippanwar1 please correct me if I misunderstand your intent
Morgan Nelson
@korishev
@dilippanwar1 also, when you are creating the vault above, you show the command as
knife vault create vault_bag root '{"username": "root", "password": "mypassword"}' -S "role:webserver" -A "admin"
Is your chef account name admin? The -A "admin" part is looking for a valid chef user to act as the vault admin, the person that has the right to change the vault later, and if that user doesn't exist, it won't be able to find your keys to encrypt with...
Dilip Panwar
@dilippanwar1
@korishev Thanks Korshev for your input. You seem to have a valid point
I will go through the points mentioned by you and will follow up with you soon
Hippie Hacker
@hh
any thoughts on chef-cookbooks/chef-vault#30, particularly how to configure knife-acl with hosted Chef to allow read-only access to users for 'admins'?
I'm also wondering about approaches to searching for nodes to encrypt to... a (malicious) node itself can change its own environment, or any other attribute, to appear in the search results
Hippie Hacker
@hh

Looks like it's a known user-key access issue: http://onddo.github.io/chef-encrypted-attributes/#chef-user-keys-access-limitation

I'm guessing there aren't many folks using chef-vault (creating/encrypting in a recipe on a node) or they'd have similar issues.

Hippie Hacker
@hh
knife group add client foo.bar.baz admins works, but that is definitely too much permission
Hippie Hacker
@hh
chef_vault_secret("dev-ossec-agent-1") do
  action [:create]
  retries 0
  retry_delay 2
  default_guard_interpreter :default
  declared_type :chef_vault_secret
  cookbook_name "my_ossec"
  recipe_name "server"
  data_bag "ossec_agents"
  raw_data {key: 'foobar'}
  admins "hippiehacker"
  search "name:dev-ossec-agent-1 or name:dev-ossec-server"
  id "dev-ossec-agent-1"
end
results in
knife data bag show ossec_agents ida-dev-ossec-agent-1_keys
Unencrypted data bag detected, ignoring any provided secret options.
admins:       hippiehacker
clients:
hippiehacker: RZIs1nTq+8tBF1Y6Xh5r/Y3fedp8mVEmHch/7LtXOqOVtEMJQZC1m9qkFBMr
HlwKChzZlumA0ql0B0QJ9NihQKpDPxXkPmFJdfX8n5G+x8oc9AGtw5H/HFTq
cUrtV9SxU8vxvMyQ/gKJaZDrYlXJVDj89lqYhcdnWWfl9QgbeuPhSmHT+n+i
l6p4COVdwFp/O3MK984uvOnEezsSYmFxjTkpQy58BvPwfX2pNm4trvM/2GWs
RCwcnJvRiLRXLAolgUCXAKJYTChY/YBc1fiZOyyXjLkCvBUcTuCg3Rnh8DOb
+EbTOVGgVM3I0W26wkkAbD0NWzMFFuohLbX9onGZhg==

id:           dev-ossec-agent-1_keys
search_query: name:dev-ossec-agent-1 or name:dev-ossec-1