Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info
  • Jan 29 15:59
  • Jan 29 13:46
    OperationalDev opened #329
  • Jan 28 23:58
    tas50 unlabeled #291
  • Jan 28 23:58
    tas50 labeled #291
  • Jan 16 00:19

    tas50 on master

    Use the new GH labels in the ex… (compare)

  • Jan 15 12:38
  • Dec 22 2018 06:14
    tas50 unlabeled #58
  • Dec 22 2018 06:14
    tas50 labeled #58
  • Dec 22 2018 06:14
    tas50 unlabeled #116
  • Dec 22 2018 06:14
    tas50 labeled #116
  • Dec 22 2018 06:14
    tas50 unlabeled #117
  • Dec 22 2018 06:14
    tas50 labeled #117
  • Dec 22 2018 06:14
    tas50 unlabeled #124
  • Dec 22 2018 06:14
    tas50 labeled #124
  • Dec 22 2018 06:14
    tas50 unlabeled #126
  • Dec 22 2018 06:14
    tas50 labeled #126
  • Dec 22 2018 06:14
    tas50 unlabeled #127
  • Dec 22 2018 06:14
    tas50 labeled #127
  • Dec 22 2018 06:14
    tas50 unlabeled #129
  • Dec 22 2018 06:14
    tas50 labeled #129
could you paste your knife configuration and commands - step by step what you’re doing
Morgan Nelson
@dilippanwar1 I think you may miss one of the basic parts of how these vaults work. If you do not have a node already set up that you want the vault to hold secrets for, the vault won't be of any value to you. A vault keeps your secrets encrypted for a specific node based on the certificate in the node's /etc/chef/client.pem file. If the node does not exist, then its /etc/chef/client.pem file cannot exist, so vault cannot encrypt the secrets for that node.
@dilippanwar1 please correct me if I misunderstand your intent
Morgan Nelson
@dilippanwar1 also, when you are creating the vault above, you show the command as
knife vault create vault_bag root '{"username": "root", "password": "mypassword"}' -S "role:webserver" -A "admin"
Is your chef account name admin? The -A "admin" part is looking for a valid chef user to act as the vault admin, the person that has the right to change the vault later, and if that user doesn't exist, it won't be able to find your keys to encrypt with...
Dilip Panwar
@korishev Thanks Korshev for your input. You seems to have a valid point
I will go through the point points mentioned by you and will followup with you soon
Hippie Hacker
any thoughts on chef-cookbooks/chef-vault#30 particularly how to configure knife-acl with hosted chef to allow read-only access to users for 'admins' ?
I'm also wondering about approaches to searching for nodes to encrypt to... a (malicious) node itself can change it's own environment, or any other attribute to appear in the search results
Hippie Hacker

Looks like it's a known access to user keys issues: http://onddo.github.io/chef-encrypted-attributes/#chef-user-keys-access-limitation

I'm guessing there aren't many folks using chef-vault (creating/encrypting in a recipe on a node) or they'd have similar issues.

Hippie Hacker
knife group add client foo.bar.baz admins works, but that is definitely too much permission
Hippie Hacker
chef_vault_secret("dev-ossec-agent-1") do
      action [:create]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      declared_type :chef_vault_secret
      cookbook_name "my_ossec"
      recipe_name "server"
      data_bag "ossec_agents"
      raw_data {key: 'foobar'}
      admins "hippiehacker"
      search "name:dev-ossec-agent-1 or name:dev-ossec-server"
      id "dev-ossec-agent-1"
results in
 knife data bag show ossec_agents ida-dev-ossec-agent-1_keys
Unencrypted data bag detected, ignoring any provided secret options.
admins:       hippiehacker
hippiehacker: RZIs1nTq+8tBF1Y6Xh5r/Y3fedp8mVEmHch/7LtXOqOVtEMJQZC1m9qkFBMr

id:           dev-ossec-agent-1_keys
search_query: name:dev-ossec-agent-1 or name:dev-ossec-1
notice the absence of client keys... 8(
knife node search with the search string above returns the two nodes
Hippie Hacker
however since it doesn't get encrypted, on a second run of chef-client on that resource:
  * chef_vault_secret[dev-ossec-agent-1] action create

    Error executing action `create` on resource 'chef_vault_secret[dev-ossec-agent-1]'

    ossec_agents/dev-ossec-agent-1 is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!
otherwise, I'm pretty much stumped
Hippie Hacker
the search seems fine, as it works via knife search node
seems the most common creation pattern / usage is with knife-vault, NOT with chef_vault_secret
Morgan Nelson
I think so.
Hippie Hacker
Hippie Hacker
Morgan Nelson
is there any way to specify the key to use to encrypt/decrypt vault items, independently of the user's API key?
Glenn Meuth
@korishev Use the knife.rb file, you specify the node_name (string) and client_key (path) - inside of recipes you pass them as values to item = ChefVault::Item.load(...) command
Morgan Nelson
@vortarian thanks anyway, I just regenerated the vaults
Glenn Meuth
Upgraded chefdk to 0.11.2 yesterday (chef 12.7.2) (chef-vault 2.8.0) and started getting errors creating vault items in solo mode (client mode works fine):
--> knife vault -c etc/knife.rb create dv dev-combine -A vortarian -VV /home/vortarian/.chefdk/gem/ruby/2.1.0/gems/chef-12.7.2/lib/chef/data_bag_item.rb:129:in `from_hash': undefined method `delete' for nil:NilClass (NoMethodError) from /home/vortarian/.chefdk/gem/ruby/2.1.0/gems/chef-12.7.2/lib/chef/data_bag_item.rb:161:in `load'
Anyone have any hints as to what may be going wrong? I downgraded back to chefdk 0.10.0 and things work fine.
(I have a longer stack trace, didn't want to over spam)
Hi! We’re thinking of using Chef Vault in our infrastructure. Do you know if Chef Vault provides any way of signing the content of a vault with the private key of a Chef admin, so that the client can verify who uploaded the configuration? Or does this maybe not make any sense given the nature of Chef? Thanks!
Christine Draper
@vortarian I had the same problem - created a bug chef/chef-vault#203
Erik Dahlinghaus
I have a question about the difference between a client and an admin. Is the difference that clients have RO access only, and admins have RW access (including the ability to modify clients and admins?)
Yvan Castonguay
Hi guys, I need to mix vault and good old enc data bag to support a solo offline scenario. Can they have the same data bag and data bag item name ? If not how to minimize impact on cookbooks using theses ?
Marcelito S. de Guzman
Is this issue: chef/chef-vault#92 already fixed? I seem to be still experiencing it.
ok, got a fun one, hopefully something simple. I've created a vault using knife vault creat, added my client to it, and I'm admin, which is all good so far, but when I try to load the vault in a recipe on my client, it's appending the node-name and trying to get it from databag, like this giving me a 404 error: Initiating GET to https://ush-p-chf-mstr1.columbia.csc/organizations/csc/data/csc_biztalk/apikeys_key_ush-d5-bt-app-1.columbia.csc
surely I'm missnig something
hi you guys, i am beginner and i wanna to research about chef to apply for my company. i don't know how to start
can you help me
Suleyman Kutlu
Hi @trungkienpvt all Chef community is moved to Slack. You can find details at http://community-slack.chef.io/
thank you so much for your sharing @snkutlu
Ankit Kumar
hey guys
any body intergrate the chef-vault in kitchen,yml
please share configuration here
Suleyman Kutlu
@ankitkl please see the above message…
Hello everyone,
I'm getting error, while installing gems
`Installing Cookbook Gems:
Fetching gem metadata from https://rubygems.org/..........
Fetching version metadata from https://rubygems.org/..
Resolving dependencies...
Installing chef-vault 3.2.0
   Gem::InstallError: chef-vault requires Ruby version >= 2.2.0.
   Using bundler 1.11.2`
is there any workaround?
You can use chefDK. ChefDK includes vault via chef-vault.
Or you can install rvm -> ruby >= and install chef-vault.
Vineet Gupta
Hello Folks
I have the above question which is bugging me for sometime , I am not able to passthrough this error in my service template