1

Chef Development Kit Version: 2.4.17
chef-client version: 13.6.4
delivery version: master (73ebb72a6c42b3d2ff5370c476be800fee7e5427)
berks version: 6.3.1
kitchen version: 1.19.2
inspec version: 1.45.13

I am trying to test my chef-vault implementation using the kitchen-ec2 driver by creating unencrypted data bags. I have tried the solution posted here (this was for use w/the vagrant driver, though), with no success. I'm not sure if Kitchen is trying to use the encrypted vault, or not properly parsing the test data bags.

EDIT I should have mentioned that I can successfully use chef-vault on normal instances. What I am having trouble with is using the values in chef-vault while using Kitchen to run tests on a node that Kitchen spins up (via ec2-driver), which is unregistered to the Chef server.

Tree of my chef directory:

+--- .kitchen
|   +--- default-centos-7.yml
|   +--- logs
|   |   +--- default-centos-7.log
|   |   +--- kitchen.log
+--- cookbooks
|   +--- fcctrs
|   |   +--- .kitchen
|   |   |   +--- default-centos-7.yml
|   |   |   +--- logs
|   |   |   |   +--- default-centos-7.log
|   |   |   |   +--- kitchen.log
|   |   +--- .kitchen.yml
|   |   +--- Berksfile
|   |   +--- Berksfile.lock
|   |   +--- chefignore
|   |   +--- metadata.rb
|   |   +--- recipes
|   |   |   +--- default.rb
|   |   |   +--- users.rb
|   |   +--- resources
|   |   |   +--- adminuser.rb
|   |   +--- spec
|   |   |   +--- spec_helper.rb
|   |   |   +--- unit
|   |   |   |   +--- recipes
|   |   |   |   |   +--- default_spec.rb
|   |   +--- test
|   |   |   +--- integration
|   |   |   |   +--- data_bags
|   |   |   |   |   +--- SSH_KEYS
|   |   |   |   |   |   +--- user.json
|   |   |   |   |   |   +--- user.json
|   |   |   +--- smoke
|   |   |   |   +--- default
|   |   |   |   |   +--- default_test.rb
+--- data_bags
|   +--- SSH_KEYS
|   |   +--- user.json
|   |   +--- user.json
+--- README.md

users.rb file:

chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end
#
require 'chef-vault'

node.normal['chef-vault']['databag_fallback'] = true

adminuser "user" do
    action :create
    comment 'Some User'
    ssh_keys [ 
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
    ]
    private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
end

user.json:

{"public":"someKey","private":"someKey"}

.kitchen.yml:

driver:
        #name: vagrant
  name: ec2
  aws_ssh_key_id: smasoudv2
  security_group_ids: [sg-4b609036,sg-2066965d]
  availability_zone: d
  subnet_id: subnet-cbf129e6
  require_chef_omnibus: true
  associate_public_ip: true
  instance_type: t2.micro

provisioner:
  name: chef_zero
  http_proxy: http://10.202.1.215:3128
  https_proxy: http://10.202.1.215:3128
  no_proxy: chef.server
  data_bags_path: "../../data_bags"
  always_update_cookbooks: true
  client_rb:
    client_key: /etc/chef/client.pem # added this as per referenced SO post

verifier:
  name: inspec

platforms:
  - name: centos-7
    driver:
      image_id: ami-46c1b650
transport:
  ssh_key: ~/Documents/MobaXterm/home/smasoudv2.pem
  username: centos

suites:
  - name: default
    run_list:
      - recipe[fcctrs::default]
      - recipe[user_shadow]
              #verifier:
                #inspec_tests:
                  #- test/smoke/default
    data_bags_path: '../../data_bags' # This is relative to the directory with .kitchen.yml
    attributes:
      chef-vault:
        databags_fallback: true # added this as per GitHub question within referenced SO post

Stack trace:

PS C:\Users\smasoud\tools\AWS\chef\cookbooks\fcctrs> kitchen converge
-----> Starting Kitchen (v1.19.2)
-----> Converging <default-centos-7>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 6.3.1...
       Removing non-cookbook files before transfer
       Preparing data_bags
       Preparing validation.pem
       Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
       Transferring files to <default-centos-7>
       Starting Chef Client, version 13.7.16
       resolving cookbooks for run list: ["fcctrs::default", "user_shadow"]
       Synchronizing Cookbooks:
         - fcctrs (0.1.1)
         - user_shadow (0.1.5)
       Installing Cookbook Gems:
       Compiling Cookbooks...
       Recipe: fcctrs::mitreusers
         * chef_gem[chef-vault] action install (up to date)

         ================================================================================
         Recipe Compile Error in /tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb
         ================================================================================

         ChefVault::Exceptions::SecretDecryption
         ---------------------------------------
         SSH_KEYS/user is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!

         Cookbook Trace:
         ---------------
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:40:in `block in from_file'
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:33:in `from_file'
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb:31:in `from_file'

         Relevant File Content:
         ----------------------
         /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:

          33:  mitre_baseline_adminuser "user" do
          34:      action :create
          35:      comment 'Some User'
          36:      #uid 650
          37:      ssh_keys [
          38:          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
          39:      ]
          40>>     private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
          41:  end
          42:

         System Info:
         ------------
         chef_version=13.7.16
         platform=centos
         platform_version=7.3.1611
         ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
         program_name=chef-client worker: ppid=22289;start=19:59:41;
         executable=/opt/chef/bin/chef-client


         Running handlers:
       [2018-02-20T19:59:43+00:00] ERROR: Running exception handlers
         Running handlers complete
       [2018-02-20T19:59:43+00:00] ERROR: Exception handlers complete
         Chef Client failed. 0 resources updated in 01 seconds
       [2018-02-20T19:59:43+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2018-02-20T19:59:43+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2018-02-20T19:59:43+00:00] ERROR: SSH_KEYS/user is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!
       [2018-02-20T19:59:43+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Converge failed on instance <default-centos-7>.  Please see .kitchen/logs/default-centos-7.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
Said Masoud
  • 51
  • 7

1 Answers1

0

The databag item user.json posted above doesn't seem correct. Its missing the id which is the data bag item name. I believe as per your code it should user. It should be in this format

{"id": "user", "public":"someKey", "private":"someKey" }

And in your code I don't see where you used the public key defined in databag item, seeing a hard coded value in recipe. You have to use the public key in databag item for that. That seems the issue too from error

Correction for above answer:

You are using a custom resource adminuser for creating vault user. Based on how vault functions, only a existing admin can add new users to vault. So I don't think you will be able to add new admins to vault user from recipe. You would require to use knife command for that. Given admin1 is already existing, you can use

knife vault update VAULTNAME VAULTITEM -A "admin1,admin2"

slashpai
  • 1,141
  • 7
  • 12
  • When I created the item in chef vault, I had to select which servers to grant access to, I believe, so that the item can be signed with each server's public key. However, I'm not sure if I can do that with the server in question, since it was created using Kitchen and is not configured as a node on the Chef master. – Said Masoud Mar 14 '18 at 18:59
  • Also, if you're referring to the 'ssh_keys' value in my recipe, that's unrelated to the chef-vault item so you can safely ignore that. – Said Masoud Mar 14 '18 at 19:08
  • To manage secrets you can use https://github.com/chef-cookbooks/chef-vault instead of directly using gem – slashpai Mar 15 '18 at 05:56
  • Please review my original question as I have added an edit to clarify what the problem I'm having is. Apologies for any confusion! – Said Masoud Mar 16 '18 at 14:05
  • By normal instances you mean you can run it on a node? Only kitchen converge is having a problem? – slashpai Mar 16 '18 at 14:13
  • Correct. I'm having trouble with `kitchen converge`, but uploading the recipe to the chef server and running `chef-client` on a node works just fine. – Said Masoud Mar 17 '18 at 15:12
  • I guess that you might be running chef-client as a user who already has admin access. But that won't be the case in kitchen converge. Could be due to that – slashpai Mar 19 '18 at 14:26
  • Hmm so are you saying `kitchen converge` doesn't run commands via `sudo` by default? – Said Masoud Mar 20 '18 at 15:46
  • Per my understanding only a existing admin user can add new admins https://docs.chef.io/chef_vault.html. when you run kitchen converge its user may not be a existing admin so that could be the problem. I don't know how you have written adminuser resource. Use Chef:: Log statements in your recipe to print existing admins and current user when u run converge – slashpai Mar 20 '18 at 16:06