Adding new nodes with vault in an organized fashion

HELLO.

I’m managing my password hashes and pubkeys for human users via vault. It’s working well for existing hosts, but when I build new hosts, I need to update the vault to put the new keys on, and that’s where things are getting weird: the vault update only seems to work after my new host has tried (and failed) to query the vault.

My suspicion is presently that this is because the chef-vault gem needs to be invoked on the node before the update occurs, which is not the case at this point, but that seems a little counterintuitive. Any suggestions would be welcome!

Here’s how I’m updating the vault, in a bash script. Right now I’m doing this shortly after knife bootstrap and an initial chef-client run. Each user has their own vault item in user_vault containing a pubkey and a hash (and an id.)

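echo "Updating vault"
# List the vault items, skipping the <item>_keys entries chef-vault keeps beside them
for x in $(knife data bag show user_vault | grep -v _keys | tr '\n' ' ') ; do
    echo "Updating user vault for $x"
    # Re-encrypt the item for every client matched by the search (all nodes here)
    knife vault update user_vault "$x" --mode client --search '*:*' --admins admin_name
done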

…Then after that update I add a role that calls my human user cookbook, which looks like this:

chef_gem "chef-vault"
require "chef-vault"

# Skip user creation under chef-solo (test kitchen machines)
unless Chef::Config[:solo]
  data_bag('human_users').each do |item_id|
    individual_data = data_bag_item('human_users', item_id)
    # Decrypt this user's vault item (password hash and SSH public key)
    vault = ChefVault::Item.load("user_vault", individual_data["id"])
    username = individual_data["id"]

    user username do
      shell individual_data["shell"]
      home "/home/#{username}"
      password vault['password_hash']
      # Create the home directory with the user (newer Chef: manage_home true)
      supports :manage_home => true
    end

    directory "/home/#{username}/.ssh" do
      owner username
      group username
      mode '0700'
    end

    file "/home/#{username}/.ssh/authorized_keys" do
      content "#{vault['ssh_key']}"
      owner username
      group username
      mode '0644'
    end

    # Add the user to each listed group without replacing existing members
    individual_data["groups"].each do |groupname|
      group groupname do
        members username
        append true
      end
    end
  end
end

That “unless” at the beginning is in there because I don’t want to build these users on my test kitchen machines for a variety of reasons, and that was the most expedient way to make that happen. This is all happening in a CentOS environment with open source Chef.

Any insight would be welcome. I’m still pretty new to chef (and I wrote that recipe when I was even newer) so I’m sure I’ve done a bunch of other dumb stuff that you’re all about to tell me about as well, but hopefully nothing TOO dumb. Thanks guys!

Not that any of you asked, but it looks like the correct solution to my problem was to change the search parameters to look specifically for the relevant host, instead of trying to update them all at once. I only have like 10 hosts in here, so why that is I don’t know, but it worked.

My new search line is:

knife vault update user_vault "$x" --mode client --search "fqdn:${fqdn}" --admins admin_name

(Obviously $fqdn is the FQDN of my new host.)

On Dec 3, 2014, at 12:15 PM, Gottesman, Eric <eric.gottesman@wbgames.com> wrote:

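A pre-flight check for the workflow in this thread, added here as an example and not part of the original posts: given the <item>_keys data bag items (for instance the output of `knife data bag show user_vault <item>_keys -F json`), it reports which vault items the new node's client still cannot decrypt before the user role is added. The key layout (non-sparse chef-vault), the host names and the function names are assumptions, and the sample data is constructed.

```ruby
require 'json'

# Constructed sample of the "<item>_keys" data bag items chef-vault keeps beside
# each vault item. Assumed layout (non-sparse chef-vault): a "clients" list plus
# one encrypted-key entry per client/admin name. Values are placeholders.
SAMPLE_KEYS_JSON = <<~JSON
  [
    {"id": "alice_keys", "admins": ["admin_name"],
     "clients": ["old01.example.com", "new01.example.com"],
     "admin_name": "PLACEHOLDER", "old01.example.com": "PLACEHOLDER",
     "new01.example.com": "PLACEHOLDER"},
    {"id": "bob_keys", "admins": ["admin_name"],
     "clients": ["old01.example.com"],
     "admin_name": "PLACEHOLDER", "old01.example.com": "PLACEHOLDER"},
    {"id": "carol_keys", "admins": ["admin_name"],
     "clients": ["old01.example.com", "new01.example.com"],
     "admin_name": "PLACEHOLDER", "old01.example.com": "PLACEHOLDER"}
  ]
JSON

# Returns { vault_item => reason } for every item the client cannot decrypt yet.
def vault_gaps(keys_items, client)
  keys_items.each_with_object({}) do |item, gaps|
    name = item.fetch('id').sub(/_keys\z/, '')
    key = item[client]
    if !Array(item['clients']).include?(client)
      gaps[name] = :not_in_clients        # the update search never matched it
    elsif !key.is_a?(String) || key.empty?
      gaps[name] = :listed_without_key    # listed, but no encrypted key stored
    end
  end
end

# True only when every vault item carries a key for the client, i.e. it is safe
# to add the role whose recipe calls ChefVault::Item.load on the new node.
def ready_for_role?(keys_items, client)
  vault_gaps(keys_items, client).empty?
end

if __FILE__ == $PROGRAM_NAME
  items = JSON.parse(SAMPLE_KEYS_JSON)
  %w[old01.example.com new01.example.com].each do |client|
    gaps = vault_gaps(items, client)
    puts "#{client}: #{gaps.empty? ? 'ready' : "blocked #{gaps}"}"
  end
end
```

Running the same check after each `knife vault update` shows whether the search actually picked up the new host, instead of finding out from a failed chef-client run.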