Chef Development Kit Version: 2.4.17
chef-client version: 13.6.4
delivery version: master (73ebb72a6c42b3d2ff5370c476be800fee7e5427)
berks version: 6.3.1
kitchen version: 1.19.2
inspec version: 1.45.13
I am trying to test my chef-vault implementation using the kitchen-ec2 driver by creating unencrypted data bags. I have tried the solution posted here (this was for use w/the vagrant driver, though), with no success. I'm not sure if Kitchen is trying to use the encrypted vault, or not properly parsing the test data bags.
EDIT: I should have mentioned that I can successfully use chef-vault on normal instances. What I am having trouble with is using the values in chef-vault while using Kitchen to run tests on a node that Kitchen spins up (via the ec2 driver), which is not registered with the Chef server.
Tree of my chef directory:
+--- .kitchen
| +--- default-centos-7.yml
| +--- logs
| | +--- default-centos-7.log
| | +--- kitchen.log
+--- cookbooks
| +--- fcctrs
| | +--- .kitchen
| | | +--- default-centos-7.yml
| | | +--- logs
| | | | +--- default-centos-7.log
| | | | +--- kitchen.log
| | +--- .kitchen.yml
| | +--- Berksfile
| | +--- Berksfile.lock
| | +--- chefignore
| | +--- metadata.rb
| | +--- recipes
| | | +--- default.rb
| | | +--- users.rb
| | +--- resources
| | | +--- adminuser.rb
| | +--- spec
| | | +--- spec_helper.rb
| | | +--- unit
| | | | +--- recipes
| | | | | +--- default_spec.rb
| | +--- test
| | | +--- integration
| | | | +--- data_bags
| | | | | +--- SSH_KEYS
| | | | | | +--- user.json
| | | | | | +--- user.json
| | | +--- smoke
| | | | +--- default
| | | | | +--- default_test.rb
+--- data_bags
| +--- SSH_KEYS
| | +--- user.json
| | +--- user.json
+--- README.md
users.rb file:
chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end
#
require 'chef-vault'
node.normal['chef-vault']['databag_fallback'] = true

adminuser "user" do
  action :create
  comment 'Some User'
  ssh_keys [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
  ]
  private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
end
user.json:
{"public":"someKey","private":"someKey"}
.kitchen.yml:
driver:
  #name: vagrant
  name: ec2
  aws_ssh_key_id: smasoudv2
  security_group_ids: [sg-4b609036,sg-2066965d]
  availability_zone: d
  subnet_id: subnet-cbf129e6
  require_chef_omnibus: true
  associate_public_ip: true
  instance_type: t2.micro

provisioner:
  name: chef_zero
  http_proxy: http://10.202.1.215:3128
  https_proxy: http://10.202.1.215:3128
  no_proxy: chef.server
  data_bags_path: "../../data_bags"
  always_update_cookbooks: true
  client_rb:
    client_key: /etc/chef/client.pem # added this as per referenced SO post

verifier:
  name: inspec

platforms:
  - name: centos-7
    driver:
      image_id: ami-46c1b650
    transport:
      ssh_key: ~/Documents/MobaXterm/home/smasoudv2.pem
      username: centos

suites:
  - name: default
    run_list:
      - recipe[fcctrs::default]
      - recipe[user_shadow]
    #verifier:
    #  inspec_tests:
    #    - test/smoke/default
    data_bags_path: '../../data_bags' # This is relative to the directory with .kitchen.yml
    attributes:
      chef-vault:
        databags_fallback: true # added this as per GitHub question within referenced SO post
Stack trace:
PS C:\Users\smasoud\tools\AWS\chef\cookbooks\fcctrs> kitchen converge
-----> Starting Kitchen (v1.19.2)
-----> Converging <default-centos-7>...
Preparing files for transfer
Preparing dna.json
Resolving cookbook dependencies with Berkshelf 6.3.1...
Removing non-cookbook files before transfer
Preparing data_bags
Preparing validation.pem
Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
Transferring files to <default-centos-7>
Starting Chef Client, version 13.7.16
resolving cookbooks for run list: ["fcctrs::default", "user_shadow"]
Synchronizing Cookbooks:
- fcctrs (0.1.1)
- user_shadow (0.1.5)
Installing Cookbook Gems:
Compiling Cookbooks...
Recipe: fcctrs::mitreusers
* chef_gem[chef-vault] action install (up to date)
================================================================================
Recipe Compile Error in /tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb
================================================================================
ChefVault::Exceptions::SecretDecryption
---------------------------------------
SSH_KEYS/user is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!
Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:40:in `block in from_file'
/tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:33:in `from_file'
/tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb:31:in `from_file'
Relevant File Content:
----------------------
/tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:
33: mitre_baseline_adminuser "user" do
34: action :create
35: comment 'Some User'
36: #uid 650
37: ssh_keys [
38: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
39: ]
40>> private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
41: end
42:
System Info:
------------
chef_version=13.7.16
platform=centos
platform_version=7.3.1611
ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
program_name=chef-client worker: ppid=22289;start=19:59:41;
executable=/opt/chef/bin/chef-client
Running handlers:
[2018-02-20T19:59:43+00:00] ERROR: Running exception handlers
Running handlers complete
[2018-02-20T19:59:43+00:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 01 seconds
[2018-02-20T19:59:43+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2018-02-20T19:59:43+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2018-02-20T19:59:43+00:00] ERROR: SSH_KEYS/user is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!
[2018-02-20T19:59:43+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>> Converge failed on instance <default-centos-7>. Please see .kitchen/logs/default-centos-7.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
The data bag item user.json posted above doesn't seem correct. It's missing the id, which is the data bag item name. I believe, as per your code, it should be user. It should be in this format:
{"id": "user", "public":"someKey", "private":"someKey" }
And in your code I don't see where you used the public key defined in the data bag item; I see a hard-coded value in the recipe. You have to use the public key in the data bag item for that. That seems to be the issue too, from the error.
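A pre-flight check for the plain-text test data bags that the question's .kitchen.yml points chef-zero at, covering the missing "id" noted in the answer above. This is an added example, not code from the question, the answers or the chef-vault project; it assumes the layout from the question's tree (one subdirectory per bag, one <id>.json per item) and chef-vault's convention of storing an item's wrapped keys in a sibling <id>_keys item.

```ruby
# Added example (not from the question or answers): walks a data_bags directory
# such as test/integration/data_bags and reports, per item, the things that make
# a chef-vault fixture fail on an unregistered kitchen node or leak real secrets:
#   * no "id", or an "id" that differs from the file name (items are looked up by id);
#   * a sibling "<id>_keys.json", which makes chef-vault treat the item as an
#     encrypted vault item that this node's key cannot decrypt;
#   * a value that looks like a real private key instead of a placeholder.
require "json"

PRIVATE_KEY_MARKER = /-----BEGIN [A-Z ]*PRIVATE KEY-----/.freeze

# Returns an array of human-readable findings; empty means the item is sound.
def check_data_bag_item(path)
  findings = []
  expected_id = File.basename(path, ".json")
  # Key sidecars are reported from their parent item, not on their own.
  return findings if expected_id.end_with?("_keys")
  begin
    item = JSON.parse(File.read(path))
  rescue JSON::ParserError => e
    return ["#{path}: invalid JSON (#{e.message})"]
  end
  findings << "#{path}: missing \"id\" (expected \"#{expected_id}\")" unless item.key?("id")
  if item.key?("id") && item["id"] != expected_id
    findings << "#{path}: id \"#{item['id']}\" does not match file name \"#{expected_id}\""
  end
  keys_sidecar = File.join(File.dirname(path), "#{expected_id}_keys.json")
  if File.exist?(keys_sidecar)
    findings << "#{path}: #{File.basename(keys_sidecar)} present; chef-vault will treat this as an encrypted vault item"
  end
  item.each do |field, value|
    next unless value.is_a?(String) && value.match?(PRIVATE_KEY_MARKER)
    findings << "#{path}: field \"#{field}\" contains a real-looking private key; use a placeholder in test fixtures"
  end
  findings
end

# Checks every item under data_bags_dir (one subdirectory per data bag).
def check_data_bags(data_bags_dir)
  Dir.glob(File.join(data_bags_dir, "*", "*.json")).sort.flat_map { |p| check_data_bag_item(p) }
end

if $PROGRAM_NAME == __FILE__
  dir = ARGV.fetch(0, "test/integration/data_bags")
  problems = check_data_bags(dir)
  puts(problems.empty? ? "ok: #{dir}" : problems)
  exit(problems.empty? ? 0 : 1)
end
```

Run it from the cookbook directory before `kitchen converge`; a non-zero exit means at least one fixture would not load cleanly through chef_zero.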
Correction for above answer:
You are using a custom resource adminuser for creating the vault user. Based on how vault functions, only an existing admin can add new users to a vault. So I don't think you will be able to add new admins to the vault user from a recipe. You would need to use the knife command for that. Given admin1 already exists, you can use
knife vault update VAULTNAME VAULTITEM -A "admin1,admin2"