We are using chef-zero. The challenge is to securely store a secret key such that it can be remotely accessed during the chef run. I am using HashiCorp Vault to store private secret keys. I have written a cookbook that uses an auth backend to remotely call and retrieve the secret key and store it in a file (say key.pem) on the node file system. Now I have my data bags encrypted. I have included the vault recipe in my application cookbook to run and create key.pem before the logic for decryption of the data bag. During the chef-zero run, it throws an error saying:
================================================================================
Recipe Compile Error in /tmp/kitchen/cache/cookbooks/app_mriskjenkins/recipes/default.rb
================================================================================

Errno::ENOENT
-------------
No such file or directory - file not found '/var/.chef/key.pem'

I am guessing you are using a ‘file’ resource to write /var/.chef/key.pem, and using data_bag_item(…) to read the data bag.
If so, the file resource is being executed at ‘converge’ time, whereas the data_bag_item call is happening at ‘compile’ time, before the key file has been written.
You can force the file resource to execute in the compile phase with something like:
file '/var/.chef/key.pem' do
  action :nothing       # nothing is queued for the converge phase
end.run_action(:create) # create the file right now, during compilation
If this isn’t the problem, can you share some relevant bits of your recipe?
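To see why the order matters, here is a small Ruby model of chef-client's compile and converge phases, added to this thread and not taken from Chef or from either post; MiniChefRun, its file and data_bag_item stand-ins, the temporary key path and the key contents are all constructed for the illustration.

```ruby
require 'tmpdir'
# Simplified model (added here, not Chef's own code) of chef-client's two phases:
# resources declared by a recipe are only queued while it is compiled and run
# later at converge time, while plain Ruby such as data_bag_item runs at once.
class MiniChefRun
  FileResource = Struct.new(:path, :content) do
    def run_action(action) # performs the action right away, at compile time
      File.write(path, content) if action == :create
    end
  end
  def initialize
    @resource_collection = [] # filled at compile time, run at converge time
  end
  # Declares a file resource. With action: :nothing it is never queued, so it
  # only does something when run_action is called on it explicitly.
  def file(path, content, action: :create)
    res = FileResource.new(path, content)
    @resource_collection << res if action == :create
    res
  end
  # Stands in for data_bag_item on an encrypted data bag: decryption needs the
  # key file now, while the recipe is still being compiled.
  def data_bag_item(key_path)
    raise Errno::ENOENT, "file not found '#{key_path}'" unless File.exist?(key_path)
    { 'secret' => "decrypted with #{File.read(key_path)}" }
  end
  def run(&recipe) # compile phase (evaluate recipe), then converge phase
    instance_eval(&recipe)
    @resource_collection.each { |r| r.run_action(:create) }
  end
end

# Recipe from the question: write key.pem, then read the encrypted data bag.
# Returns the decrypted item, or the error class when compilation fails.
def key_then_data_bag(force_compile_time)
  item = nil
  Dir.mktmpdir do |dir|
    key = File.join(dir, 'key.pem') # constructed stand-in for /var/.chef/key.pem
    MiniChefRun.new.run do
      if force_compile_time
        file(key, 'KEY-FROM-VAULT', action: :nothing).run_action(:create)
      else
        file(key, 'KEY-FROM-VAULT') # queued for converge: too late for the read below
      end
      item = data_bag_item(key) # compile-time read of the encrypted data bag
    end
  end
  item
rescue Errno::ENOENT => e
  e.class
end
```

key_then_data_bag(false) reproduces the compile error from the question, while key_then_data_bag(true) shows the run_action variant returning the decrypted item.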