Dilip Panwar
@dilippanwar1
pls help
shansky
@Shansky
could you paste your knife configuration and commands - step by step what you’re doing
Morgan Nelson
@korishev
@dilippanwar1 I think you may miss one of the basic parts of how these vaults work. If you do not have a node already set up that you want the vault to hold secrets for, the vault won't be of any value to you. A vault keeps your secrets encrypted for a specific node based on the certificate in the node's /etc/chef/client.pem file. If the node does not exist, then its /etc/chef/client.pem file cannot exist, so vault cannot encrypt the secrets for that node.
@dilippanwar1 please correct me if I misunderstand your intent
Morgan Nelson
@korishev
@dilippanwar1 also, when you are creating the vault above, you show the command as
knife vault create vault_bag root '{"username": "root", "password": "mypassword"}' -S "role:webserver" -A "admin"
Is your chef account name admin? The -A "admin" part is looking for a valid chef user to act as the vault admin, the person that has the right to change the vault later, and if that user doesn't exist, it won't be able to find your keys to encrypt with...
Dilip Panwar
@dilippanwar1
@korishev Thanks Korshev for your input. You seem to have a valid point.
I will go through the points mentioned by you and will follow up with you soon.
Hippie Hacker
@hh
any thoughts on chef-cookbooks/chef-vault#30 particularly how to configure knife-acl with hosted chef to allow read-only access to users for 'admins' ?
I'm also wondering about approaches to searching for nodes to encrypt to... a (malicious) node itself can change its own environment, or any other attribute, to appear in the search results
Hippie Hacker
@hh

Looks like it's a known user-key access issue: http://onddo.github.io/chef-encrypted-attributes/#chef-user-keys-access-limitation

I'm guessing there aren't many folks using chef-vault (creating/encrypting in a recipe on a node) or they'd have similar issues.

Hippie Hacker
@hh
knife group add client foo.bar.baz admins works, but that is definitely too much permission
Hippie Hacker
@hh
chef_vault_secret("dev-ossec-agent-1") do
  action [:create]
  retries 0
  retry_delay 2
  default_guard_interpreter :default
  declared_type :chef_vault_secret
  cookbook_name "my_ossec"
  recipe_name "server"
  data_bag "ossec_agents"
  raw_data({ key: 'foobar' })  # hash literal must be parenthesized here, otherwise Ruby parses the braces as a block
  admins "hippiehacker"
  search "name:dev-ossec-agent-1 or name:dev-ossec-server"
  id "dev-ossec-agent-1"
end
results in
knife data bag show ossec_agents ida-dev-ossec-agent-1_keys
Unencrypted data bag detected, ignoring any provided secret options.
admins:       hippiehacker
clients:
hippiehacker: RZIs1nTq+8tBF1Y6Xh5r/Y3fedp8mVEmHch/7LtXOqOVtEMJQZC1m9qkFBMr
HlwKChzZlumA0ql0B0QJ9NihQKpDPxXkPmFJdfX8n5G+x8oc9AGtw5H/HFTq
cUrtV9SxU8vxvMyQ/gKJaZDrYlXJVDj89lqYhcdnWWfl9QgbeuPhSmHT+n+i
l6p4COVdwFp/O3MK984uvOnEezsSYmFxjTkpQy58BvPwfX2pNm4trvM/2GWs
RCwcnJvRiLRXLAolgUCXAKJYTChY/YBc1fiZOyyXjLkCvBUcTuCg3Rnh8DOb
+EbTOVGgVM3I0W26wkkAbD0NWzMFFuohLbX9onGZhg==

id:           dev-ossec-agent-1_keys
search_query: name:dev-ossec-agent-1 or name:dev-ossec-1
notice the absence of client keys... 8(
knife node search with the search string above returns the two nodes
Hippie Hacker
@hh
however since it doesn't get encrypted, on a second run of chef-client on that resource:
  * chef_vault_secret[dev-ossec-agent-1] action create

    ================================================================================
    Error executing action `create` on resource 'chef_vault_secret[dev-ossec-agent-1]'
    ================================================================================

    ChefVault::Exceptions::SecretDecryption
    ---------------------------------------
    ossec_agents/dev-ossec-agent-1 is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!
otherwise, I'm pretty much stumped
Hippie Hacker
@hh
the search seems fine, as it works via knife search node
seems the most common creation pattern / usage is with knife-vault, NOT with chef_vault_secret
Morgan Nelson
@korishev
I think so.
Hippie Hacker
@hh
:sadpanda:
Hippie Hacker
@hh
:frowning:
Morgan Nelson
@korishev
is there any way to specify the key to use to encrypt/decrypt vault items, independently of the user's API key?
Glenn Meuth
@vortarian
@korishev Use the knife.rb file, you specify the node_name (string) and client_key (path) - inside of recipes you pass them as values to item = ChefVault::Item.load(...) command
Morgan Nelson
@korishev
@vortarian thanks anyway, I just regenerated the vaults
Glenn Meuth
@vortarian
Upgraded chefdk to 0.11.2 yesterday (chef 12.7.2) (chef-vault 2.8.0) and started getting errors creating vault items in solo mode (client mode works fine):
--> knife vault -c etc/knife.rb create dv dev-combine -A vortarian -VV
/home/vortarian/.chefdk/gem/ruby/2.1.0/gems/chef-12.7.2/lib/chef/data_bag_item.rb:129:in `from_hash': undefined method `delete' for nil:NilClass (NoMethodError)
from /home/vortarian/.chefdk/gem/ruby/2.1.0/gems/chef-12.7.2/lib/chef/data_bag_item.rb:161:in `load'
Anyone have any hints as to what may be going wrong? I downgraded back to chefdk 0.10.0 and things work fine.
(I have a longer stack trace, didn't want to over spam)
torjeh
@torjeh
Hi! We’re thinking of using Chef Vault in our infrastructure. Do you know if Chef Vault provides any way of signing the content of a vault with the private key of a Chef admin, so that the client can verify who uploaded the configuration? Or does this maybe not make any sense given the nature of Chef? Thanks!
Christine Draper
@christinedraper
@vortarian I had the same problem - created a bug chef/chef-vault#203
Erik Dahlinghaus
@ErikDahlinghaus
I have a question about the difference between a client and an admin. Is the difference that clients have RO access only, and admins have RW access (including the ability to modify clients and admins)?
Yvan Castonguay
@Yvangelist01
Hi guys, I need to mix vault and good old encrypted data bags to support a solo offline scenario. Can they have the same data bag and data bag item name? If not, how do I minimize the impact on cookbooks using these?
Marcelito S. de Guzman
@marzzz21
Is this issue: chef/chef-vault#92 already fixed? I seem to be still experiencing it.
smpilo
@smpilo
ok, got a fun one, hopefully something simple. I've created a vault using knife vault create, added my client to it, and I'm admin, which is all good so far, but when I try to load the vault in a recipe on my client, it's appending the node name and trying to get it from the data bag, like this, giving me a 404 error: Initiating GET to https://ush-p-chf-mstr1.columbia.csc/organizations/csc/data/csc_biztalk/apikeys_key_ush-d5-bt-app-1.columbia.csc
surely I'm missing something
trungkienpvt
@trungkienpvt
hi you guys, I am a beginner and I want to research Chef to apply it at my company. I don't know how to start.
can you help me?
Suleyman Kutlu
@snkutlu
Hi @trungkienpvt, the whole Chef community has moved to Slack. You can find details at http://community-slack.chef.io/
trungkienpvt
@trungkienpvt
thank you so much for your sharing @snkutlu
Ankit Kumar
@ankitkl
hey guys
has anybody integrated chef-vault in kitchen.yml?
please share the configuration here
asap
Suleyman Kutlu
@snkutlu
@ankitkl please see the above message…
Devi
@dkhode
Hello everyone,
I'm getting an error while installing gems:
Installing Cookbook Gems:
Fetching gem metadata from https://rubygems.org/..........
Fetching version metadata from https://rubygems.org/..
Resolving dependencies...
Installing chef-vault 3.2.0
   Gem::InstallError: chef-vault requires Ruby version >= 2.2.0.
   Using bundler 1.11.2
is there any workaround?
gfrntz
@gfrntz
Hello,
You can use ChefDK. ChefDK includes vault via chef-vault.
Or you can install rvm -> ruby >= and install chef-vault.
Vineet Gupta
@shapeofarchitect
Hello Folks