
I would like to add nodes to a certain vault before creating them, for example:

All vagrant machines that I provision with vagrant up that have the pattern vagrant-dev-* could access the chef vault secrets.

If I try to do this, I get a warning that no machine is on chef with that pattern.

WARNING: No clients were returned from search, you may not have got what you expected!!

If I try the command after the machine is provisioned it works, but then the provision fails because the machine does not have access to the vault to configure the sensitive information.

knife vault create secrets root -M client -S "name:vagrant-dev-*"

How can I make the machines have access to the vault before provisioning them?

Lechucico
  • Your question boils down to 'how can I give a user access before creating this user'. Either you'll have to create the node and client before provisioning, or you'll have to tweak your recipe to skip the part needing the vault key on first converge, update your vault and then wait for the next converge of chef inside the machines. – Tensibai Jul 05 '17 at 14:50
  • Then the recipe of nginx that needs the certificate for SSL (provided by the chef vault for security purposes) will not work? I'll have to `vagrant up` the machine and then provision it with the nginx recipe? – Lechucico Jul 05 '17 at 14:53
  • As said, there are two approaches: either you don't configure nginx at first chef run and wait for the key updates, or you create the node identity in advance and set it up before the first run.... – Tensibai Jul 05 '17 at 18:19
  • @Tensibai how can I create the node identity in advance? – Lechucico Jul 05 '17 at 19:39
  • Dig into how the [validatorless bootstrap](https://docs.chef.io/knife_bootstrap.html#validatorless-bootstrap) works; mainly you'll have to create a client object (keypair), a node object and set the proper ACLs on the node and client. I've no idea how you actually provision machines, so it's hard to tell. – Tensibai Jul 06 '17 at 08:12

1 Answer

Unfortunately this is not possible. For something to be added to a vault it needs to have an RSA public key available on the Chef Server. This is generally done as part of the node bootstrap and client creation. This is a structural limitation of this whole category of asymmetric pre-encryption systems: the keys for all secret consumers must be known at the time of the pre-encryption process.

coderanger
  • Using a validatorless bootstrap method should work in this case, unless I'm totally off: this process creates the client and node and sets the proper ACL before sending the client key to the machine. Did I miss a point there? – Tensibai Jul 06 '17 at 08:12
  • Yes, but this still does the vault encrypt after creating the client, though possibly inside the same command. The question specifically asked about doing it before. – coderanger Jul 06 '17 at 16:47
  • Yep, that's the idea: creating client and node, updating the vault and then setting up chef client on the machine and running it. I'm unsure how the validatorless code can be tweaked for this, that said (and I agree there's not enough information to give such an answer actually). – Tensibai Jul 06 '17 at 21:01
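The pre-encryption limitation described in the answer, shown as an added toy model written for this page (not chef-vault's own code): a shared AES key encrypts the item, one copy of that key is wrapped with each known client's RSA public key, and a client whose key was unknown at creation time can read nothing until the vault is refreshed. `ToyVault`, `demo` and the client names `vagrant-dev-1`/`vagrant-dev-2` are constructed for the example.

```ruby
require 'openssl'

# Toy model of chef-vault's scheme (constructed for illustration): one shared
# AES key per vault item, wrapped once per consumer with that consumer's RSA
# public key, i.e. the client key the Chef Server already holds.
class ToyVault
  attr_reader :keys_item

  def initialize(secret, client_public_keys)
    @shared_key = OpenSSL::Cipher.new('aes-256-cbc').random_key
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = @shared_key
    @iv = cipher.random_iv
    @ciphertext = cipher.update(secret) + cipher.final
    # Keys item: one wrapped copy of the shared key per client known right now.
    @keys_item = client_public_keys.transform_values { |pub| pub.public_encrypt(@shared_key) }
  end

  # Like re-running the vault search later: wrap the shared key for clients
  # that exist now but did not when the item was first encrypted.
  def refresh(client_public_keys)
    client_public_keys.each { |name, pub| @keys_item[name] ||= pub.public_encrypt(@shared_key) }
  end

  # What a client does at converge: unwrap the shared key with its private
  # key, then decrypt the item. No wrapped key means no access.
  def read(client_name, private_key)
    wrapped = @keys_item[client_name]
    return nil unless wrapped
    dec = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    dec.key = private_key.private_decrypt(wrapped)
    dec.iv = @iv
    dec.update(@ciphertext) + dec.final
  end
end

# Constructed scenario: vagrant-dev-1 existed when the vault was created,
# vagrant-dev-2 was provisioned afterwards (the question's situation).
def demo
  existing = OpenSSL::PKey::RSA.new(2048)
  late     = OpenSSL::PKey::RSA.new(2048)
  vault = ToyVault.new('ssl-cert-private-key', 'vagrant-dev-1' => existing.public_key)
  before = vault.read('vagrant-dev-2', late) # nil: key unknown at pre-encryption time
  vault.refresh('vagrant-dev-2' => late.public_key)
  after = vault.read('vagrant-dev-2', late)  # readable only after the refresh
  [vault.read('vagrant-dev-1', existing), before, after]
end
```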