chef-vault not creating vaults but creating simple data bags

Open ghost opened this issue 8 years ago • 10 comments

I am trying to create a chef-vault to store some passwords using the command below:

knife vault create revsecrets revpass -A "rev-validator,node1,node2,node3" -J data_bags/revpass.json -M client

Where revpass.json contains:

{ "oracle_pass":"welcome1", "ora_db_passwd":"Welcome1", "weblogic_pass":"welcome1"}

I have 3 clients:

#knife client list
node1
node2
node3
rev-validator

But now, while trying to access the vault, it's saying no vault:

# knife vault list

Returns nothing.

And :

Trying to refresh (says vault does not exist):

# knife vault refresh revsecrets revpass
ERROR: ChefVault::Exceptions::ItemNotFound: revsecrets/revpass does not exist, use 'knife vault create' to create.

Trying to recreate (says it already exists):

# knife vault create revsecrets revpass -A "rev-validator,node1,node2,node3" -J data_bags/revpass.json -M client
ERROR: ChefVault::Exceptions::ItemAlreadyExists: revsecrets/revpass already exists, use 'knife vault remove' 'knife vault update' or 'knife vault edit' to make changes.

I am not able to figure out what the issue is here, or maybe it is a bug?

Versions:

ruby --version
ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]
knife --version
Chef: 12.4.1
/opt/chef/embedded/bin/gem list chef-vault

*** LOCAL GEMS ***

chef-vault (2.9.0)

ghost avatar Aug 09 '16 03:08 ghost

So you seem to be using -M client in some commands but not in others. If you use it consistently, does the problem go away? Also, you're using a really old version of chef; we've fixed a lot of bugs since 12.4, so if you can upgrade you should.

thommay avatar Aug 09 '16 09:08 thommay

I am experiencing this problem myself.

powellchristoph avatar Oct 05 '16 14:10 powellchristoph

@powellchristoph same questions to you - are you using -M client, what version of chef, chef-vault, etc. And some output of your knife commands would help.

thommay avatar Oct 05 '16 14:10 thommay

I am not using the -M client command.

$ knife --version
Chef: 12.7.2
$ gem list | grep vault
chef-vault (2.9.0)
$ ruby --version
ruby 2.1.1p76 (2014-02-24 revision 45161) [x86_64-darwin12.0]

powellchristoph avatar Oct 05 '16 14:10 powellchristoph

@powellchristoph so what is actually happening, are you expecting vaults on a chef server or locally?

thommay avatar Oct 05 '16 16:10 thommay

This issue is still open, so I decided to share what worked for me. Colleague had the same problem (without using the -M flag). Uploading the vault files to the chef server using $ knife upload data_bags/$VAULT_NAME fixed the issue: the item showed when calling $ knife vault list and was accessible afterwards. Although, I'm a bit confused as to why it seems necessary to additionally upload the files to the server if the vault item was created using the command line.

xamebax avatar Mar 14 '17 12:03 xamebax

I ran into this issue and realized I didn't have knife[:vault_mode] = 'client'. The confusing behavior is that it "works" (as client) without -J but with -J it needs the vault mode to be set to 'client'.

kenmacleod avatar Apr 28 '17 19:04 kenmacleod

This used to work without mentioning the vault_mode in knife.rb, like a week back or so.

The version I am using is

$ chef --version
Chef Development Kit Version: 1.2.22
chef-client version: 12.18.31
delivery version: master (0b746cafed65a9ea1a79de3cc546e7922de9187c)
berks version: 5.6.0
kitchen version: 1.15.0

$ knife --version
Chef: 12.18.31

Thanks for the suggestion @kenmacleod it works after mentioning vault_mode.

raju-divakaran avatar Aug 08 '17 12:08 raju-divakaran

I am having the same issue. Vaults are created as separate data bags.

PS C:\chef-repo>knife vault create auth bind_data -J .\ad_auth.json -A nmcauliffe -M client
PS C:\chef-repo>knife vault list

PS C:\chef-repo> knife data bag list 
auth
PS C:\chef-repo> knife data bag show auth
bind_data
bind_data_keys
PS C:\> knife data bag show auth bind_data
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
ad_domain:
  auth_tag:       J+kC5gBhgE4BN6BDFoRISQ==

  cipher:         aes-256-gcm
  encrypted_data: xxx

  iv:             qFi50lg/5txPef+S

  version:        3
ad_server:
  auth_tag:       XWI5sQr60Zva6lXMAEQs7w==

  cipher:         aes-256-gcm
  encrypted_data: xxx

  iv:             8vJw7PRlvUMAU0jq

  version:        3
bindName:
  auth_tag:       zeCbMaVT0g3tL8kYZrBGbg==

  cipher:         aes-256-gcm
  encrypted_data: xxx
  zap1Z8o4sA==

  iv:             utyE8ms0t9JswOM1

  version:        3
bindPassword:
  auth_tag:       ah473Xs1mmOghZsrGHIPjw==

  cipher:         aes-256-gcm
  encrypted_data: xxx

  iv:             H8E/vSSfqXV00UD3

  version:        3
id:           bind_data
PS C:\chef-repo> chef --version
Chef Development Kit Version: 2.4.17
chef-client version: 13.6.4
delivery version: master (73ebb72a6c42b3d2ff5370c476be800fee7e5427)
berks version: 6.3.1
kitchen version: 1.19.2
inspec version: 1.45.13

mcaulifn avatar Jan 29 '18 17:01 mcaulifn

Scratch my comment. Found out the hard way that -M has to be on every knife command.

mcaulifn avatar Jan 29 '18 17:01 mcaulifn
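
The following is an added example, not part of the thread and not chef-vault's own code. The `knife data bag show auth` output above lists a vault as two data bag items, `bind_data` and `bind_data_keys`; this sketch uses that pairing to audit an already-parsed data bag and flag items that hold plaintext or encrypted values without a keys item. The function names and the sample bag are constructed for illustration.

```ruby
# Added example: classify the items of one data bag by how their secrets are
# stored. Input is a Hash of item id => item Hash, e.g. parsed from the JSON
# files under data_bags/<bag>/ (loading them is left out; assumption).

# True when a value looks like an encrypted data bag field, i.e. a hash with
# "encrypted_data" and "cipher" as in the `knife data bag show` output above.
def encrypted_field?(value)
  value.is_a?(Hash) && value.key?("encrypted_data") && value.key?("cipher")
end

# Returns Hash of item id => :vault, :encrypted_no_keys, :plaintext or
# :orphan_keys. A "<id>_keys" item whose base item exists is not reported.
# Note: a real item whose own id ends in "_keys" is reported as :orphan_keys.
def classify_bag(bag)
  result = {}
  bag.each do |id, item|
    if id.end_with?("_keys")
      result[id] = :orphan_keys unless bag.key?(id.sub(/_keys\z/, ""))
      next
    end
    fields = item.reject { |k, _| k == "id" }
    encrypted = !fields.empty? && fields.values.all? { |v| encrypted_field?(v) }
    result[id] = if !encrypted then :plaintext
                 elsif bag.key?("#{id}_keys") then :vault
                 else :encrypted_no_keys
                 end
  end
  result
end

# Constructed sample field and bag (placeholder values, not real secrets).
def sample_field
  { "encrypted_data" => "xxx", "iv" => "xxx", "auth_tag" => "xxx",
    "version" => 3, "cipher" => "aes-256-gcm" }
end

SAMPLE_BAG = {
  "bind_data"      => { "id" => "bind_data", "bindPassword" => sample_field },
  "bind_data_keys" => { "id" => "bind_data_keys" },
  "revpass"        => { "id" => "revpass", "oracle_pass" => "placeholder" },
  "lonely"         => { "id" => "lonely", "token" => sample_field },
  "stale_keys"     => { "id" => "stale_keys" }
}.freeze

if __FILE__ == $0
  classify_bag(SAMPLE_BAG).each { |id, kind| puts "#{id}: #{kind}" }
end
```
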