Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info
  • Jan 29 15:59
  • Jan 29 13:46
    OperationalDev opened #329
  • Jan 28 23:58
    tas50 unlabeled #291
  • Jan 28 23:58
    tas50 labeled #291
  • Jan 16 00:19

    tas50 on master

    Use the new GH labels in the ex… (compare)

  • Jan 15 12:38
  • Dec 22 2018 06:14
    tas50 unlabeled #58
  • Dec 22 2018 06:14
    tas50 labeled #58
  • Dec 22 2018 06:14
    tas50 unlabeled #116
  • Dec 22 2018 06:14
    tas50 labeled #116
  • Dec 22 2018 06:14
    tas50 unlabeled #117
  • Dec 22 2018 06:14
    tas50 labeled #117
  • Dec 22 2018 06:14
    tas50 unlabeled #124
  • Dec 22 2018 06:14
    tas50 labeled #124
  • Dec 22 2018 06:14
    tas50 unlabeled #126
  • Dec 22 2018 06:14
    tas50 labeled #126
  • Dec 22 2018 06:14
    tas50 unlabeled #127
  • Dec 22 2018 06:14
    tas50 labeled #127
  • Dec 22 2018 06:14
    tas50 unlabeled #129
  • Dec 22 2018 06:14
    tas50 labeled #129
Hippie Hacker
I'm also wondering about approaches to searching for nodes to encrypt to... a (malicious) node itself can change it's own environment, or any other attribute to appear in the search results
Hippie Hacker

Looks like it's a known access to user keys issues: http://onddo.github.io/chef-encrypted-attributes/#chef-user-keys-access-limitation

I'm guessing there aren't many folks using chef-vault (creating/encrypting in a recipe on a node) or they'd have similar issues.

Hippie Hacker
knife group add client foo.bar.baz admins works, but that is definitely too much permission
Hippie Hacker
chef_vault_secret("dev-ossec-agent-1") do
      action [:create]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      declared_type :chef_vault_secret
      cookbook_name "my_ossec"
      recipe_name "server"
      data_bag "ossec_agents"
      raw_data {key: 'foobar'}
      admins "hippiehacker"
      search "name:dev-ossec-agent-1 or name:dev-ossec-server"
      id "dev-ossec-agent-1"
results in
 knife data bag show ossec_agents ida-dev-ossec-agent-1_keys
Unencrypted data bag detected, ignoring any provided secret options.
admins:       hippiehacker
hippiehacker: RZIs1nTq+8tBF1Y6Xh5r/Y3fedp8mVEmHch/7LtXOqOVtEMJQZC1m9qkFBMr

id:           dev-ossec-agent-1_keys
search_query: name:dev-ossec-agent-1 or name:dev-ossec-1
notice the absence of client keys... 8(
knife node search with the search string above returns the two nodes
Hippie Hacker
however since it doesn't get encrypted, on a second run of chef-client on that resource:
  * chef_vault_secret[dev-ossec-agent-1] action create

    Error executing action `create` on resource 'chef_vault_secret[dev-ossec-agent-1]'

    ossec_agents/dev-ossec-agent-1 is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!
otherwise, I'm pretty much stumped
Hippie Hacker
the search seems fine, as it works via knife search node
seems the most common creation pattern / usage is with knife-vault, NOT with chef_vault_secret
Morgan Nelson
I think so.
Hippie Hacker
Hippie Hacker
Morgan Nelson
is there any way to specify the key to use to encrypt/decrypt vault items, independently of the user's API key?
Glenn Meuth
@korishev Use the knife.rb file, you specify the node_name (string) and client_key (path) - inside of recipes you pass them as values to item = ChefVault::Item.load(...) command
Morgan Nelson
@vortarian thanks anyway, I just regenerated the vaults
Glenn Meuth
Upgraded chefdk to 0.11.2 yesterday (chef 12.7.2) (chef-vault 2.8.0) and started getting errors creating vault items in solo mode (client mode works fine):
--> knife vault -c etc/knife.rb create dv dev-combine -A vortarian -VV /home/vortarian/.chefdk/gem/ruby/2.1.0/gems/chef-12.7.2/lib/chef/data_bag_item.rb:129:in `from_hash': undefined method `delete' for nil:NilClass (NoMethodError) from /home/vortarian/.chefdk/gem/ruby/2.1.0/gems/chef-12.7.2/lib/chef/data_bag_item.rb:161:in `load'
Anyone have any hints as to what may be going wrong? I downgraded back to chefdk 0.10.0 and things work fine.
(I have a longer stack trace, didn't want to over spam)
Hi! We’re thinking of using Chef Vault in our infrastructure. Do you know if Chef Vault provides any way of signing the content of a vault with the private key of a Chef admin, so that the client can verify who uploaded the configuration? Or does this maybe not make any sense given the nature of Chef? Thanks!
Christine Draper
@vortarian I had the same problem - created a bug chef/chef-vault#203
Erik Dahlinghaus
I have a question about the difference between a client and an admin. Is the difference that clients have RO access only, and admins have RW access (including the ability to modify clients and admins?)
Yvan Castonguay
Hi guys, I need to mix vault and good old enc data bag to support a solo offline scenario. Can they have the same data bag and data bag item name ? If not how to minimize impact on cookbooks using theses ?
Marcelito S. de Guzman
Is this issue: chef/chef-vault#92 already fixed? I seem to be still experiencing it.
ok, got a fun one, hopefully something simple. I've created a vault using knife vault creat, added my client to it, and I'm admin, which is all good so far, but when I try to load the vault in a recipe on my client, it's appending the node-name and trying to get it from databag, like this giving me a 404 error: Initiating GET to https://ush-p-chf-mstr1.columbia.csc/organizations/csc/data/csc_biztalk/apikeys_key_ush-d5-bt-app-1.columbia.csc
surely I'm missnig something
hi you guys, i am beginner and i wanna to research about chef to apply for my company. i don't know how to start
can you help me
Suleyman Kutlu
Hi @trungkienpvt all Chef community is moved to Slack. You can find details at http://community-slack.chef.io/
thank you so much for your sharing @snkutlu
Ankit Kumar
hey guys
any body intergrate the chef-vault in kitchen,yml
please share configuration here
Suleyman Kutlu
@ankitkl please see the above message…
Hello everyone,
I'm getting error, while installing gems
`Installing Cookbook Gems:
Fetching gem metadata from https://rubygems.org/..........
Fetching version metadata from https://rubygems.org/..
Resolving dependencies...
Installing chef-vault 3.2.0
   Gem::InstallError: chef-vault requires Ruby version >= 2.2.0.
   Using bundler 1.11.2`
is there any workaround?
You can use chefDK. ChefDK includes vault via chef-vault.
Or you can install rvm -> ruby >= and install chef-vault.
Vineet Gupta
Hello Folks
I have the above question which is bugging me for sometime , I am not able to passthrough this error in my service template
it looks like chef-vault is not working as expected if use outside of kitchen conv
I am trying to use chef-splunk cookbook
I "must" define chef_vault_secret custom resource in chef-splunk to use this cookbook to pass through ??
Vineet Gupta
I found http://docs.aws.amazon.com/opsworks/latest/userguide/data-bags.html that describes my use case , looks like I need to write a new recipe to use s3 for my data bag items , go away chef-vault
Hey Folks
Does any one know how to bootstrap multiple nodes using knife
will knife bootstrap supports for multiple node bootstrapping ?
Suleyman Kutlu
Hi everyone