HELLO.
I’m managing my password hashes and pubkeys for human users via vault. It’s working well for existing hosts, but when I build new hosts, I need to update the vault to put the new keys on, and that’s where things are getting weird- the vault update only seems to work after my new host has tried (and failed) to query the vault.
My suspicion is presently that this is because the chef-vault gem needs to be invoked on the node before the update occurs, which is not the case at this point, but that seems a little counterintuitive. Any suggestions would be welcome!
Here’s how I’m updating the vault, in a bash script. Right now I’m doing this shortly after knife bootstrap and an initial chef-client run. Each user has their own vault item in user_vault containing a pubkey and a hash (and an id.)
echo "Updating vault"
for x in (knife data bag show user_vault | grep -v _keys | tr ‘\n’ ’ ') ; do
echo "Updating user vault for $x"
knife vault update user_vault $x --mode client --search ‘:’ --admins admin_name
done
…Then after that update I add a role that calls my human user cookbook, which looks like this:
chef_gem "chef-vault"
require “chef-vault”
unless Chef::Config[:solo]
data_bag(‘human_users’).each do |item_id|
individual_data = data_bag_item(‘human_users’,item_id)
vault = ChefVault::Item.load(“user_vault”,individual_data[“id”])
username = individual_data[“id”]
user username do
shell individual_data[“shell”]
home “/home/#{username}“
password vault[‘password_hash’]
supports { [”:manage_home”] }
end
directory “/home/#{username}/.ssh” do
owner username
group username
mode '0700’
end
file “/home/#{username}/.ssh/authorized_keys” do
content "#{vault[‘ssh_key’]}"
owner username
group username
mode '0644’
end
individual_data[“groups”].each do |groupname|
group groupname do
members username
append true
end
end
end
end
That “unless" at the beginning is in there because I don’t want to build these users on my test kitchen machines for a variety of reasons, and that was the most expedient way to make that happen. This is all happening in a CentOS environment with open source Chef.
Any insight would be welcome. I’m still pretty new to chef (and I wrote that recipe when I was even newer) so I’m sure I’ve done a bunch of other dumb stuff that you’re all about to tell me about as well, but hopefully nothing TOO dumb. Thanks guys!