Chef-vault issues behind firewall


#1

I am just trying to prototype chef-vault databag encryption and following


My environment is behind a firewall with no internet access.

When I run my recipe I get the following errors:

retrying fetcher due to error (2/4); Bundler::HTTPError could not fetch specs from https://www.rubygems.org/

Googling it tells me to set up a proxy for that URL, which I don't want to do. Is there any other workaround? I did download the chef-vault-3.4.3.gem file and, using cookbook_file and chef_gem, was able to install it, but as soon as I add depends 'chef-vault' in the cookbook's metadata.rb the error comes back...

Thanks
M


#2

So the gem is installed in the node you are testing on? Can you provide details on your recipe and the error output? One thing you should definitely consider is running a private gems repository in your network. You can run Geminabox fairly easily and will only need to punch a hole for that to rubygems.org. you will have to point your chef clients to it as their gems source. I have the same restrictions and it is the way that I have it set up.


#3

Thanks for response,

The only recipe in the cookbook has 2 lines displaying plain text (hopefully) values from the vault. The line in metadata.rb depends 'chef-vault' causes it to set up gem chef-vault and everything goes downhill from there..

I guess I will have to look into geminabox solution. Will follow https://github.com/geminabox/geminabox see how far I can go.. unless there is some other option..

Thanks again

M


#4

Hello,

In reality we need chef-vault cookbook to install chef-vault.gem on the node and then use vault helper methods, right?

If I have a node which has chef-vault.gem already installed, I can get away with all geminabox and opening my firewall, only thing I will be missing is helper methods like chef_vault_item

To access the vault from the node, can I not use knife vault commands from my recipe? I noticed that knife is already installed on the node (not sure how and when), so can I not use it from the recipe?

Appreciate any comments?

M


#5

I ended up copying the chef-vault-xxx.gem file using cookbook_file and then running chef_gem 'chef-vault' to install the gem using source 'file://'

after that

require 'chef-vault'                                       # gem installed above via chef_gem
vault = ChefVault::Item.load("vaultname", "itemname")      # decrypts the item with this node's client key
mysecret = vault['xxx']                                    # plain-text value of key 'xxx'

this works.

Thanks
M
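The procedure in the post above (ship the .gem in the cookbook, install it with chef_gem from the local file, then load the vault item), written out as a complete recipe. This is an added example, not the poster's code or anything from the chef-vault project. Assumed names: the gem file `chef-vault-3.4.3.gem` under the cookbook's `files/` directory, a vault `secrets` with item `db` and key `password`, and the target path `/etc/myapp/db_password`. Chef's gem resources accept a path to a local `.gem` file as `source`, so the example passes the plain path where the poster used a `file://` URI. The two helpers at the top are plain Ruby and run outside Chef; the resource declarations are only evaluated when chef-client loads the file.

```ruby
# Added example (not the poster's code): install chef-vault from a .gem file
# shipped with the cookbook, then read one vault item at converge time and
# write it to a root-only file without echoing the secret into chef-client
# output. All names below (gem file, vault, item, key, target path) are
# assumptions for the example.

# Name of the gem file under files/default/ in the cookbook (assumed).
def gem_file_name
  'chef-vault-3.4.3.gem'
end

# Split a gem file name such as chef-vault-3.4.3.gem into [name, version]
# so the chef_gem resource can pin exactly the version that was shipped.
def gem_version_from_filename(name)
  m = File.basename(name).match(/\A(?<gem>.+)-(?<ver>\d+(?:\.\d+)*)\.gem\z/)
  raise ArgumentError, "not a gem file name: #{name}" unless m
  [m[:gem], m[:ver]]
end

# Pull one key out of a loaded vault item; fail loudly if it is missing or
# empty rather than silently writing an empty credential to disk.
def fetch_secret(item, key)
  v = item[key]
  raise KeyError, "vault item has no #{key.inspect} value" if v.nil? || v.to_s.empty?
  v
end

# Recipe body: only evaluated when chef-client instance_evals this file.
if defined?(Chef::Recipe) && is_a?(Chef::Recipe)
  gem_name, gem_ver = gem_version_from_filename(gem_file_name)
  local_gem = ::File.join(Chef::Config[:file_cache_path], gem_file_name)

  # Copy the .gem onto the node at compile time so chef_gem can see it.
  cookbook_file local_gem do
    source gem_file_name
    mode '0644'
  end.run_action(:create)

  # Install from the local file: no rubygems.org access, no proxy needed.
  chef_gem gem_name do
    version gem_ver
    source local_gem
    compile_time true
  end

  require 'chef-vault'

  # lazy defers the vault read to converge time; sensitive keeps the content
  # out of chef-client output and the reported diff.
  file '/etc/myapp/db_password' do
    content lazy { fetch_secret(ChefVault::Item.load('secrets', 'db'), 'password') }
    owner 'root'
    group 'root'
    mode  '0600'
    sensitive true
  end
end
```

The node still needs its client key listed on the vault item (`knife vault update ... -S` / `-A` on the workstation) for `ChefVault::Item.load` to decrypt it; nothing in the recipe grants that access.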


#6

I'll get back to you on this when I check my setup again. It's been a while since I have done this so I will double check, but I think it has something to do with the way my vault cookbook is set up.