
chef-boneyard / chef-vault


chef-vault cookbook

Home Page: https://supermarket.chef.io/cookbooks/chef-vault

License: Apache License 2.0


chef-vault's Introduction

chef-vault Cookbook


This cookbook provides helper methods to load encrypted data bags that are in The Vault. It also provides a resource that can be used to store secrets as a Chef Vault item in a recipe.

As of version 4.0 of the cookbook, we no longer install the chef-vault gem as this is included in chef-client 13.4+.

Chef Vault is a library originally written by Nordstrom's infrastructure operations team that helps manage encrypted data bags.

Deprecation

The chef-vault gem resources and helpers from this cookbook now ship natively in Chef Infra Client 16 and later. With this functionality now built in, this cookbook is no longer receiving updates. Please upgrade to a release of Chef Infra Client with this functionality built in so you can remove this dependency from your infrastructure.

Requirements

This cookbook should work on any system/platform that is supported by Chef Infra.

This cookbook is specifically tested on Ubuntu and CentOS platforms using Test Kitchen. See .kitchen.yml for platforms and test suites.

Helper Methods

This cookbook provides a nice helper method for the Chef Recipe DSL so you can write:

chef_vault_item("secrets", "dbpassword")

Instead of:

ChefVault::Item.load("secrets", "dbpassword")

This helper has logic in place to fall back to plain data bags if the desired item isn't encrypted. If the vault item fails to load because its vault metadata (the vaultname_keys data bag item) is missing, chef_vault_item will attempt to load the specified item as a regular Data Bag Item with Chef::DataBagItem.load. This fallback is intended only for testing; do not rely on it to paper over problems loading encrypted items, since a misnamed or missing _keys item would then silently hand back an unencrypted value.

This cookbook also provides a handy wrapper if you store multiple environment settings within your encrypted items. Use the following helper:

item = chef_vault_item_for_environment('secrets', 'passwords')

instead of expressions such as:

item = chef_vault_item('secrets', 'passwords')[node.chef_environment]

In addition, you can list the items in a vault using the chef_vault() method. It is advised to use this method instead of data_bag(), because the latter returns the keys in addition to the items themselves. This method prevents you from having to parse out the keys.

items = chef_vault('secrets')
item = chef_vault_item('secrets', items[0])
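To make the listing and fallback behaviour concrete, here is an added example (not the cookbook's own helper library) that models chef_vault, chef_vault_item and chef_vault_item_for_environment over an in-memory store. The STORE constant, the LoadedItem struct, the explicit store argument and the databag_fallback/log keyword arguments are assumptions of this example; the real helpers take only the bag and item names and read from the Chef server, and the real vault load decrypts with the node's client key, which is stubbed here.

```ruby
# Added example: an in-memory model of the chef-vault cookbook helpers.
# Everything below is constructed for illustration; it is not the cookbook's code.

# Constructed sample data bag "secrets": two vault items with their "<id>_keys"
# metadata items, plus one plain (unencrypted) data bag item.
ENCRYPTED_FIELD = { 'encrypted_data' => 'constructed', 'iv' => 'constructed',
                    'version' => 1, 'cipher' => 'aes-256-cbc' }.freeze
STORE = {
  'secrets' => {
    'dbpassword'      => { 'id' => 'dbpassword',
                           'production' => { 'password' => ENCRYPTED_FIELD },
                           'staging'    => { 'password' => ENCRYPTED_FIELD } },
    'dbpassword_keys' => { 'id' => 'dbpassword_keys', 'admins' => ['alice'], 'clients' => ['db1.example'] },
    'tls'             => { 'id' => 'tls', 'key' => ENCRYPTED_FIELD },
    'tls_keys'        => { 'id' => 'tls_keys', 'admins' => ['alice'], 'clients' => [] },
    'motd'            => { 'id' => 'motd', 'message' => 'plain data bag item, not encrypted' },
  },
}.freeze

class VaultKeysNotFound < StandardError; end

# What a load returns, tagged with where it came from (:vault or :plain).
LoadedItem = Struct.new(:source, :data)

# What data_bag(bag) returns: every item id, *_keys metadata items included.
def data_bag(store, bag)
  store.fetch(bag).keys.sort
end

# A vault item is recognised by its companion "<id>_keys" item.
def vault?(store, bag, id)
  store.fetch(bag, {}).key?("#{id}_keys")
end

# Model of chef_vault(bag): item ids with the metadata items removed, so the
# caller never has to filter out the *_keys entries.
def chef_vault(store, bag)
  ids = data_bag(store, bag)
  ids.reject { |id| id.end_with?('_keys') && ids.include?(id.delete_suffix('_keys')) }
end

# Model of chef_vault_item(bag, id) including the testing-only fallback:
# vault items are loaded (decryption stubbed), plain items come back only when
# databag_fallback is enabled, and a warning is logged when that happens.
def chef_vault_item(store, bag, id, databag_fallback: false, log: [])
  item = store.fetch(bag).fetch(id)
  if vault?(store, bag, id)
    LoadedItem.new(:vault, item)   # real helper: ChefVault::Item.load(bag, id)
  elsif databag_fallback
    log << "WARN #{bag}/#{id} has no #{id}_keys item; loaded as a plain data bag item (testing only)"
    LoadedItem.new(:plain, item)   # real helper: Chef::DataBagItem.load(bag, id)
  else
    raise VaultKeysNotFound, "#{bag}/#{id}_keys not found and databag_fallback is disabled"
  end
end

# Model of chef_vault_item_for_environment: the per-environment slice of an
# item, failing with a clear message instead of returning nil for a missing
# or misspelled environment name.
def chef_vault_item_for_environment(store, bag, id, environment, **opts)
  loaded = chef_vault_item(store, bag, id, **opts)
  loaded.data.fetch(environment) do
    raise KeyError, "#{bag}/#{id} has no settings for environment #{environment.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "data_bag:   #{data_bag(STORE, 'secrets').inspect}"
  puts "chef_vault: #{chef_vault(STORE, 'secrets').inspect}"
  puts "production password field: #{chef_vault_item_for_environment(STORE, 'secrets', 'dbpassword', 'production').inspect}"
end
```

The point of the comparison is the two listings: data_bag returns dbpassword_keys and tls_keys alongside the items, chef_vault does not, and the plain motd item only loads when the fallback is explicitly switched on.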

Attributes

  • node['chef-vault']['version'] - Specify a version of the chef-vault gem if required. Default is ~> 2.2, as that version was used for testing.

Resources

chef_vault_secret

The chef_vault_secret resource can be used in recipes to store secrets in Chef Vault items. Where possible and relevant, this resource attempts to map behavior and functionality to the knife vault sub-commands.

Actions

The actions generally map to the knife vault sub-commands, with an exception that create does an update, because the resource enforces declarative state. To get the knife vault create behavior, use create_if_missing.

  • :create - Default action. Creates the item, or updates it if it already exists.
  • :create_if_missing - Calls the create action unless the item already exists.
  • :delete - Deletes the item and the item's keys ("id"_keys).

Attributes

  • id - Name attribute. The name of the data bag item.
  • data_bag - Required. The data bag that contains the item.
  • admins - A list of admin users who should have access to the item. Corresponds to the "admin" option when using the chef-vault knife plugin. Can be specified as a comma separated string or an array. See examples, below.
  • clients - A search query for the nodes' API clients that should have access to the item.
  • search - A search query, normally the same one used for clients; it is stored as a field in the item.
  • raw_data - The raw data, as a Ruby Hash, that will be stored in the item. See examples, below.

At least one of admins or clients should be specified, otherwise nothing will have access to the item.

Examples

From the test cookbook embedded in this repository.

chef_vault_secret 'clean-energy' do
  data_bag 'green'
  raw_data({'auth' => 'Forged in a mold'})
  admins 'hydroelectric'
  search '*:*'
end

Assuming that the green data bag exists, this will create the clean-energy item as a ChefVault encrypted item. It also creates the clean-energy_keys item, which holds the list of admins and clients together with the shared secret encrypted for each of them. For example, the item content looks like this in plaintext:

{
  "id": "clean-energy",
  "auth": {
    "encrypted_data": "y+l7H4okLu4wisryCaIT+7XeAgomcdgFo3v3p6RKWnXvgvimdzjFGMUfdGId\nq+pP\n",
    "iv": "HLr0uyy9BrieTDmS0TbbmA==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}
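The encrypted item above and its companion clean-energy_keys item can be rebuilt end to end in plain Ruby with OpenSSL. The following is an added example, not code from this cookbook or from the chef-vault gem. It assumes the field format shown is Chef's version-1 encrypted data bag scheme (AES-256-CBC, key derived from the shared secret with SHA-256, the value wrapped as {"json_wrapper": ...}, ciphertext and IV base64-encoded) and models the _keys item as the shared secret RSA-encrypted once per admin and client, which is how chef-vault grants access. The function names (build_vault_item, load_vault_item, shared_secret_for) and the recipients list shape are this example's own. It also shows the failure a node sees when its client key is not among the recipients.

```ruby
require 'openssl'
require 'digest'
require 'base64'
require 'json'

# Added example, not the cookbook's or chef-vault's code. Assumed format:
# Chef encrypted data bag version 1 (AES-256-CBC, key = SHA-256(shared secret),
# value wrapped in {"json_wrapper": ...}). Base64.encode64 inserts the "\n"
# line breaks visible in the README's encrypted_data and iv values.
CIPHER = 'aes-256-cbc'.freeze

class DecryptFailed < StandardError; end

# Encrypt one field of the item under the item's shared secret.
def encrypt_field(value, shared_secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(shared_secret)
  iv = cipher.random_iv            # fresh IV per field, set on the cipher
  ciphertext = cipher.update({ 'json_wrapper' => value }.to_json) + cipher.final
  { 'encrypted_data' => Base64.encode64(ciphertext),
    'iv' => Base64.encode64(iv), 'version' => 1, 'cipher' => CIPHER }
end

# Decrypt one field; a wrong secret or a tampered field fails closed.
def decrypt_field(field, shared_secret)
  raise DecryptFailed, "unsupported cipher #{field['cipher'].inspect}" unless field['cipher'] == CIPHER
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(shared_secret)
  cipher.iv = Base64.decode64(field['iv'])
  plaintext = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plaintext).fetch('json_wrapper')
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, KeyError, EncodingError
  raise DecryptFailed, 'wrong shared secret or corrupted field'
end

# The "<id>_keys" item: who may read the item, plus the shared secret encrypted
# once per recipient under that recipient's RSA public key.
# recipients: [[name, :admins or :clients, OpenSSL::PKey::RSA public key], ...]
def build_keys_item(id, shared_secret, recipients)
  keys = { 'id' => "#{id}_keys", 'admins' => [], 'clients' => [] }
  recipients.each do |name, kind, public_key|
    keys[kind.to_s] << name
    keys[name] = Base64.encode64(public_key.public_encrypt(shared_secret))
  end
  keys
end

# Only a listed recipient can recover the shared secret. A client missing from
# the keys item has nothing to decrypt: that is the key-mismatch failure a node
# hits when it was not included via admins/clients/search.
def shared_secret_for(keys_item, name, private_key)
  blob = keys_item[name]
  raise DecryptFailed, "#{name} is not a recipient of #{keys_item['id']}" unless blob
  private_key.private_decrypt(Base64.decode64(blob))
rescue OpenSSL::PKey::RSAError
  raise DecryptFailed, "private key for #{name} does not match the key the secret was encrypted to"
end

# Build the encrypted item and its _keys item from plaintext data.
def build_vault_item(id, data, shared_secret, recipients)
  item = { 'id' => id }
  data.each { |field, value| item[field] = encrypt_field(value, shared_secret) }
  [item, build_keys_item(id, shared_secret, recipients)]
end

# What "knife vault show" or ChefVault::Item.load does for one recipient.
def load_vault_item(item, keys_item, name, private_key)
  secret = shared_secret_for(keys_item, name, private_key)
  item.each_with_object({}) do |(field, value), out|
    out[field] = decrypt_field(value, secret) unless field == 'id'
  end
end

if __FILE__ == $PROGRAM_NAME
  hydroelectric = OpenSSL::PKey::RSA.new(2048)                  # constructed admin key
  secret = OpenSSL::Random.random_bytes(32)                     # constructed shared secret
  item, keys = build_vault_item('clean-energy', { 'auth' => 'Forged in a mold' }, secret,
                                [['hydroelectric', :admins, hydroelectric.public_key]])
  puts JSON.pretty_generate(item)
  puts load_vault_item(item, keys, 'hydroelectric', hydroelectric).inspect
end
```

Two things to notice when reading the output against the README's plaintext dump: the per-field IV means re-running the resource produces a different encrypted_data every time even though the secret is unchanged, and the only way for a second node to read the item is to be listed in the _keys item, which is what the resource's clients and search attributes control.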

And the encrypted data decrypted using the specified client:

$ knife vault show green clean-energy -z -u hydroelectric -k clients/hydroelectric.pem
auth: Forged in a mold
id:   clean-energy

Another example, showing multiple admins allowed access to an item using a comma-separated string, or an array:

chef_vault_secret 'root-password' do
  admins 'jtimberman,paulmooring'
  data_bag 'secrets'
  raw_data({'auth' => 'DontUseThisPasswordForRoot'})
  search '*:*'
end
chef_vault_secret 'root-password' do
  admins ['jtimberman', 'paulmooring']
  data_bag 'secrets'
  raw_data({'auth' => 'DontUseThisPasswordForRoot'})
  search '*:*'
end

Internally, the provider will convert the admins array to a comma-delimited string.

When using the chef_vault_secret resource, the data_bag must exist first. If it doesn't, you can create it in your recipe with a ruby_block:

begin
  data_bag('secrets')
rescue
  ruby_block "create-data_bag-secrets" do
    block do
      Chef::DataBag.validate_name!('secrets')
      databag = Chef::DataBag.new
      databag.name('secrets')
      databag.save
    end
    action :create
  end
end

Or, use the cheffish gem, which provides resources for Chef objects (nodes, roles, data bags, etc):

chef_data_bag 'secrets'

Note that there is a bug in versions of cheffish prior to 0.5.beta.3. Also, cheffish requires the openssl-pkcs8 gem, which has C extensions, so openssl development headers and C build tools need to be installed. To use this, you can create a recipe like the one in the test cookbook.

Usage

Include the recipe before using the Chef Vault library in recipes.

include_recipe 'chef-vault'
secret_stuff = ChefVault::Item.load("secrets", "a_secret")

Or, use the helper library method:

secret_stuff = chef_vault_item("secrets", "a_secret")

If you need a specific version of the chef-vault RubyGem, then specify it with the attribute, node['chef-vault']['version'].

To use the chef_vault_secret resource in your cookbooks' recipes, declare a dependency on this cookbook, and then use the resource as described in the Examples above.

Contributing

This repository contains a CONTRIBUTING file that describes the contribution process for Chef cookbooks.

License and Authors

License:: Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

chef-vault's People

Contributors

http-418, iennae, jtimberman, juliandunn, lamont-granquist, mivok, nhuff, petracvv, spion06, tas50, thommay, xorimabot

chef-vault's Issues

Fallback to encrypted databag

Hello,

Is there a reason for chef-vault not supporting encrypted databag fallback?

"Why not just use chef-vault which is actually loading your encrypted databags?", one might ask.

The reason for us not being able to use the regular chef-vault functionality is because of the well known "chicken and egg" problem. I know there are ways around this which may be something we need to do but still, it would be nice to be able to fall back to encrypted databags as well.

I haven't made a solution proposal on this yet but if it sounds like a good idea I can do that.

Thanks,
Mathias

Knife vault command doesn't work on non-admin command prompt on windows server 2008 R2 which has chef-client installed

Chef-client version

Chef Client version 12.12.15

Platform Details

Windows Server 2008 R2 Standard

Scenario:

I am trying to execute knife vault show VAULT on a Jenkins slave to retrieve the credentials during job execution time, so that I can explicitly call chef-client on the target nodes using those credentials. However, I receive an error: Fatal: Cannot find subcommand for: 'vault show VAULT ITEM'. If the same command is executed on the admin command prompt, the vault command runs successfully. Since I want to run these commands as part of automation, I require them to execute in a non-admin prompt.

The difference I have noted is that if both chef-client and Chef DK are installed on the server where I execute the knife vault command, it works only on the admin command prompt.

If there is no chef-client and only Chef DK, the knife vault command works on both the non-admin and admin command prompts.

Steps to Reproduce:

Install chef-client 12.12.15
Install chef-dk 0.16.28
Open command prompt or powershell
Go to your .chef folder
Type knife vault show VAULT

Expected Result:

List of all vault items in the vault

Actual Result:

Fatal: Cannot find subcommand for: 'vault show VAULT ITEM'

Consider using Cheffish.inline_resource

For the chef_vault_secret :delete action:

Cheffish.inline_resource(self, :delete) do
  chef_data_bag_item new_resource.id do
    action :delete
  end
  chef_data_bag_item [new_resource.id, 'keys'].join('_') do
    action :delete
  end
end

admins option seems useless

For Enterprise Chef, is there any way to give clients permission to read the users endpoint? I can't find anywhere to set permissions for user objects on the Chef server (11.14). If I set admins to anything other than '' I get a permission denied error and the chef run errors out.

chef-vault fall-back to databag not working with chef-spec 1.1.4

Hey guys,

since version 1.1.4 of the chef-vault cookbook my rspec tests are not working anymore. I am stubbing the DataBagItem.

before do
  allow(Chef::DataBagItem)
    .to receive(:load)
    .with('nerdswords', 'ci_chef')
    .and_return('keys' => 'test')
end

And getting the following errors:

     Failure/Error: runner.converge(described_recipe)
       <Chef::DataBagItem (class)> received :load with unexpected arguments
         expected: ("nerdswords", "ci_chef")
              got: ("nerdswords", "ci_chef_keys")
        Please stub a default value first if message might be received with other args as well.

It seems that the rescue is not working together with rspec.

 34:        begin
 35:          require 'chef-vault'
 36:        rescue LoadError
 37:          Chef::Log.warn("Missing gem 'chef-vault', use recipe[chef-vault] to install it first.")
 38:        end
 39:  
 40:        begin
 41>>         ChefVault::Item.load(bag, item)
 42:        rescue ChefVault::Exceptions::KeysNotFound
 43:          Chef::DataBagItem.load(bag, item)
 44:        end
 45:      end
 46:    end
 47:  end
 48:  

F

Thanks for your help.

Undefined method 'unpack' for nil:NilClass

Cookbook version

3.1.0

Chef-client version

13.8.5

Platform Details

Server 2016

Scenario:

trying to install certs on server 2016

Steps to Reproduce:

the step is failing at cookbook compilation

Expected Result:

installed certificates

Actual Result:

10.21.0.229 Installing Cookbook Gems:
10.21.0.229 [2018-04-30T09:41:21-05:00] INFO: Fetching gem metadata from https://www.rubygems.org/.............
10.21.0.229 Fetching version metadata from https://www.rubygems.org/..
10.21.0.229 Resolving dependencies...
10.21.0.229 Using bundler 1.15.4
10.21.0.229 Using chef-vault 3.3.0
10.21.0.229 Bundle complete! 1 Gemfile dependency, 2 gems now installed.
10.21.0.229 Use bundle info [gemname] to see where a bundled gem is installed.
10.21.0.229
10.21.0.229 [2018-04-30T09:41:21-05:00] INFO: Fetching gem metadata from https://www.rubygems.org/.............
10.21.0.229 Fetching version metadata from https://www.rubygems.org/..
10.21.0.229 Resolving dependencies...
10.21.0.229 Using bundler 1.15.4
10.21.0.229 Using chef-vault 3.3.0
10.21.0.229 Bundle complete! 1 Gemfile dependency, 2 gems now installed.
10.21.0.229 Use bundle info [gemname] to see where a bundled gem is installed.
10.21.0.229
10.21.0.229 Compiling Cookbooks...
10.21.0.229
10.21.0.229
10.21.0.229
10.21.0.229 ================================================================================
10.21.0.229 Recipe Compile Error in c:/chef/cache/cookbooks/recipes/certs.rb
10.21.0.229 ================================================================================
10.21.0.229
10.21.0.229 NoMethodError
10.21.0.229 -------------
10.21.0.229 undefined method `unpack' for nil:NilClass
10.21.0.229
10.21.0.229 Cookbook Trace:
10.21.0.229 ---------------
10.21.0.229 c:/chef/cache/cookbooks/chef-vault/libraries/helpers.rb:39:in `chef_vault_item'
10.21.0.229 c:/chef/cache/cookbooks/recipes/certs.rb:3:in `from_file'
10.21.0.229
10.21.0.229 Relevant File Content:
10.21.0.229 ----------------------
10.21.0.229 c:/chef/cache/cookbooks/chef-vault/libraries/helpers.rb:
10.21.0.229
10.21.0.229 32: # @example
10.21.0.229 33: # item = chef_vault_item('secrets', 'bacon')
10.21.0.229 34: # log 'Yeah buddy!' if item['_default']['type']
10.21.0.229 35: # @param [String] bag Name of the data bag to load from.
10.21.0.229 36: # @param [String] id Identifier of the data bag item to load.
10.21.0.229 37: def chef_vault_item(bag, id)
10.21.0.229 38: if ChefVault::Item.vault?(bag, id)
10.21.0.229 39>> ChefVault::Item.load(bag, id)
10.21.0.229 40: elsif node['chef-vault']['databag_fallback']
10.21.0.229 41: data_bag_item(bag, id)
10.21.0.229 42: else
10.21.0.229 43: raise "Trying to load a regular data bag item #{id} from #{bag}, and databag_fallback is disabled"
10.21.0.229 44: end
10.21.0.229 45: end
10.21.0.229 46:
10.21.0.229 47: # Helper method which provides an environment wrapper for a data bag.
10.21.0.229 48: # This allows for easy access to current environment secrets inside
10.21.0.229
10.21.0.229 System Info:
10.21.0.229 ------------
10.21.0.229 chef_version=13.8.5
10.21.0.229 platform=windows
10.21.0.229 platform_version=10.0.14393
10.21.0.229 ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x64-mingw32]
10.21.0.229 program_name=C:/opscode/chef/bin/chef-client
10.21.0.229 executable=C:/opscode/chef/bin/chef-client

Document that in order to use chef_vault_secret, the client must be an admin

admins is a required attribute:
https://github.com/chef-cookbooks/chef-vault/blob/master/libraries/chef_vault_secret.rb#L38

However, I haven't found a way to configure Chef to allow clients to read user public keys without providing full admin access:

You can do the following to read clients:

knife acl add client 'node_for_chef_vault_secret_creation' container clients read

But the only way to get them to read users is to give the node full admin privs:

knife group add client 'node_for_chef_vault_secret_creation' group admins

We should document this, and maybe look at creating a ticket around allowing access to public keys. Github does it by default to the entire world: https://github.com/hh.keys

Load vault item created in test recipe

I've created a vault and an item following the example of this cookbook.
I'm creating a vault item that needs to be loaded in the same chef-run (that's why I'm creating it in the first place).
However, I can't load it after creation since the client key used by chef-client is not the same that I used to sign the vault.

To make it more concrete, let's imagine that we need to load the 'clean-energy' item from the 'green' data bag as created here: https://github.com/opscode-cookbooks/chef-vault/blob/master/test/fixtures/cookbooks/test/recipes/chef_vault_secret.rb

In my case, when chef-client hits the ChefVault::Item.load('green', 'clean-energy') line, it errors out because the keys do not match. I mean the vault item was signed with the key of 'hydroelectric', but that is not the same as the client key of the current chef-client.

I've tried to use the clients and search attributes of the chef_vault_secret to include the client key of the node that is running chef-client, but that always seems to produce no good results.

Compile error on Chef 11

Hello,

I'm having trouble running chef-vault 1.3.2 on nodes running Chef 11. When trying to converge, the following error appears:

SyntaxError
-----------
/var/chef/cache/cookbooks/chef-vault/libraries/matchers.rb:2: unknown type of %string
  %i(create update delete create_if_missing).each do |action|

I suspect this is because %i(foo bar) is a Ruby 2.x feature and Chef 11 embeds Ruby 1.9.

gem_source attribute no longer being honored

Cookbook version

3.0.0

Chef-client version

12.15.19

Platform Details

RHEL 6

Scenario:

Run this cookbook in an air gapped environment with the default['chef-vault']['gem_source'] attribute set to an internal rubygems mirror.

Steps to Reproduce:

Set the default['chef-vault']['gem_source'] attribute to an internal rubygems mirror. Run the cookbook in an environment that has no access to rubygems.org.

Expected Result:

The cookbook downloads and installs the gem from the internal rubygems mirror set by the default['chef-vault']['gem_source'] attribute.

Actual Result:

The chef-client run fails because it can't talk to rubygems.org.

Installing Cookbook Gems:
[2017-06-07T20:09:56+00:00] DEBUG: generated Gemfile contents:
[2017-06-07T20:09:56+00:00] DEBUG: source 'https://rubygems.org'
gem(*["chef-vault"])

Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/
[2017-06-07T20:15:56+00:00] DEBUG: Re-raising exception: Mixlib::ShellOut::ShellCommandFailed - Expected process to exit with [0], but received '17'
---- Begin output of bundle install ----
STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/
STDERR:
---- End output of bundle install ----
Ran bundle install returned 17
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/mixlib-shellout-2.2.7/lib/mixlib/shellout.rb:289:in `invalid!'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/mixlib-shellout-2.2.7/lib/mixlib/shellout.rb:276:in `error!'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/mixin/shell_out.rb:45:in `shell_out!'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/gem_installer.rb:58:in `block (2 levels) in install'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/gem_installer.rb:50:in `open'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/gem_installer.rb:50:in `block in install'
  /opt/chef/embedded/lib/ruby/2.3.0/tmpdir.rb:89:in `mktmpdir'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/gem_installer.rb:49:in `install'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/cookbook_collection.rb:60:in `install_gems'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/policy_builder/policyfile.rb:156:in `setup_run_context'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:510:in `setup_run_context'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:280:in `run'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:302:in `block in fork_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:255:in `block in run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/local_mode.rb:44:in `with_server_connectivity'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:243:in `run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `loop'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `interval_run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:434:in `run_application'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:60:in `run'
  /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/bin/chef-client:26:in `<top (required)>'
  /usr/bin/chef-client:54:in `load'
  /usr/bin/chef-client:54:in `<main>'

Running handlers:
[2017-06-07T20:15:56+00:00] ERROR: Running exception handlers
Running handlers complete
[2017-06-07T20:15:56+00:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 06 minutes 06 seconds
[2017-06-07T20:15:56+00:00] DEBUG: Server doesn't support resource history, skipping resource report.
[2017-06-07T20:15:56+00:00] DEBUG: Audit Reports are disabled. Skipping sending reports.
[2017-06-07T20:15:56+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2017-06-07T20:15:56+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2017-06-07T20:15:56+00:00] DEBUG: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '17'
---- Begin output of bundle install ----
STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/
STDERR:
---- End output of bundle install ----
Ran bundle install returned 17
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/mixlib-shellout-2.2.7/lib/mixlib/shellout.rb:289:in `invalid!'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/mixlib-shellout-2.2.7/lib/mixlib/shellout.rb:276:in `error!'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/mixin/shell_out.rb:45:in `shell_out!'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/gem_installer.rb:58:in `block (2 levels) in install'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/gem_installer.rb:50:in `open'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/gem_installer.rb:50:in `block in install'
/opt/chef/embedded/lib/ruby/2.3.0/tmpdir.rb:89:in `mktmpdir'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/gem_installer.rb:49:in `install'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/cookbook/cookbook_collection.rb:60:in `install_gems'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/policy_builder/policyfile.rb:156:in `setup_run_context'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:510:in `setup_run_context'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:280:in `run'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:302:in `block in fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:255:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:243:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `loop'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:434:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:60:in `run'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/bin/chef-client:26:in `<top (required)>'
/usr/bin/chef-client:54:in `load'
/usr/bin/chef-client:54:in `<main>'
[2017-06-07T20:15:56+00:00] ERROR: Expected process to exit with [0], but received '17'
---- Begin output of bundle install ----
STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/
STDERR:
---- End output of bundle install ----
Ran bundle install returned 17
[2017-06-07T20:15:56+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

chef-vault 3.0.0 failure on node without Internet access

Cookbook version

3.0.0

Chef-client version

12.14.89

Platform Details

RHEL6

Scenario:

Nodes behind a firewall without Internet access fail when chef-vault 3.0.0 is introduced.

Steps to Reproduce:

Run chef-vault 3.0.0 on a node that doesn't have Internet access

Expected Result:

No failure

Actual Result:

Chef run fails:

Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '17'
---- Begin output of bundle install ----
STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/
STDERR: 
---- End output of bundle install ----
Ran bundle install returned 17
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/mixlib-shellout-2.2.7/lib/mixlib/shellout.rb:289:in `invalid!'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/mixlib-shellout-2.2.7/lib/mixlib/shellout.rb:276:in `error!'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/mixin/shell_out.rb:45:in `shell_out!'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/cookbook/gem_installer.rb:58:in `block (2 levels) in install'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/cookbook/gem_installer.rb:50:in `open'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/cookbook/gem_installer.rb:50:in `block in install'
/opt/chef/embedded/lib/ruby/2.3.0/tmpdir.rb:89:in `mktmpdir'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/cookbook/gem_installer.rb:49:in `install'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/cookbook/cookbook_collection.rb:60:in `install_gems'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/policy_builder/expand_node_object.rb:86:in `setup_run_context'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/client.rb:510:in `setup_run_context'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/client.rb:280:in `run'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application.rb:302:in `block in fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application.rb:290:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application.rb:290:in `fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application.rb:255:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application.rb:243:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application/client.rb:450:in `loop'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application/client.rb:450:in `interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application/client.rb:434:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/lib/chef/application.rb:60:in `run'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.14.89/bin/chef-client:26:in `<top (required)>'
/usr/bin/chef-client:54:in `load'
/usr/bin/chef-client:54:in `<main>'

I believe it's due to this line: https://github.com/chef-cookbooks/chef-vault/blob/v3.0.0/metadata.rb#L14

Install not adding subcommands to knife

I'm not sure if I should report this issue here, or somewhere else, so if this is not the correct place, please let me know. I have installed chef no problem, on a brand new install of Ubuntu 14.04 Desktop. I then install the chef-vault gem, and it says it installs successfully:

dang@ubuntu:~$ sudo gem install chef-vault
[sudo] password for dang:
Fetching: chef-vault-2.2.4.gem (100%)
Successfully installed chef-vault-2.2.4
1 gem installed
Installing ri documentation for chef-vault-2.2.4...
Installing RDoc documentation for chef-vault-2.2.4...

But there is no vault sub-command available to knife. I tried poking around to see why it's not seeing the plugin correctly, and the files seem to be there okay. I will admit, I'm no ruby or chef expert, so I'm not really sure what to look for next to confirm the install. Any thoughts or things I should look at to confirm? I'm happy to provide any information off this system to diagnose this.

Testing a cookbook that uses chef-vault in test-kitchen and chef-zero

moved from chef/chef-vault#146

Trying to create some tests in test-kitchen for a cookbook that uses chef-vault. The cookbook actually executes ChefVault::Item.load(...). So I need to create that vault item in my test recipe.

I found the chef_vault_item LWRP and am trying to use it to create a new vault:

chef_vault_secret 'testitem' do
  data_bag 'testbag'
  admins 'hello-world-ubuntu-1204'
  raw_data({ key: 'data' })
  search '*:*'
  action :nothing
end.run_action(:create)

include_recipe "my-cookbook-to-test"

However it fails with

ChefVault::Exceptions::AdminNotFound
------------------------------------
FATAL: Could not find hello-world-ubuntu-1204 in users or clients!

And there're actually no clients or users in chef-zero:

root@5a51fe47d4ca:~# knife client list -c /tmp/kitchen/client.rb -z

root@5a51fe47d4ca:~# knife user list -c /tmp/kitchen/client.rb -z

root@5a51fe47d4ca:~# knife node list -c /tmp/kitchen/client.rb -z
hello-world-ubuntu-1204

Any ideas on how to work around it?

Incorrect chef-vault gem is selected for Chef 12

Cookbook version

3.1.1

Chef-client version

12.19.36
12.22.5

Platform Details

Oracle Enterprise Linux (RHEL) 6.10
Oracle Enterprise Linux (RHEL) 7

Scenario:

Installing cookbook gems selects the brand-new 4.0.1 chef-vault gem which is incompatible with Chef 12's embedded Ruby 2.3. This breaks the entire chef-client run.

Steps to Reproduce:

Include this cookbook in the run-list of a node running Chef 12, then chef-client

Expected Result:

Chef-client completes

Actual Result:

Chef-client breaks at 'installing cookbook gems'

$ sudo cat /var/chef/cache/chef-stacktrace.out
Generated at 2019-12-30 13:54:37 -0600
Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '5'
---- Begin output of bundle install ----
STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching gem metadata from https://rubygems.org/..........
Fetching gem metadata from https://rubygems.org/..
Resolving dependencies...
Using aws-eventstream 1.0.3
Using aws-partitions 1.228.0
Using aws-sigv4 1.1.0
Using jmespath 1.4.0
Using aws-sdk-core 3.71.0
Using aws-sdk-cloudformation 1.21.0
Using aws-sdk-cloudwatch 1.22.0
Using aws-sdk-dynamodb 1.28.0
Using aws-sdk-ec2 1.115.0
Using aws-sdk-elasticloadbalancing 1.14.0
Using aws-sdk-iam 1.22.0
Using aws-sdk-kinesis 1.15.0
Using aws-sdk-kms 1.20.0
Using aws-sdk-route53 1.24.0
Using aws-sdk-s3 1.38.0
Using aws-sdk-ssm 1.46.0
Using bundler 1.16.6
Fetching chef-vault 4.0.1
Installing chef-vault 4.0.1
Gem::RuntimeRequirementNotMetError: chef-vault requires Ruby version >= 2.4. The
current ruby version is 2.3.0.
An error occurred while installing chef-vault (4.0.1), and Bundler cannot
continue.
Make sure that `gem install chef-vault -v '4.0.1'` succeeds before bundling.
In Gemfile:
  chef-vault

chef-vault recipe fails to install gem: chef_gem[chef-vault] (chef-vault::default line 21) had an error: NoMethodError: undefined method `full_name' for nil:NilClass

Chef-vault recipe failing to install chef-vault gem. I'm running chef 11.12.4.

Platform Info:
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise

Running chef-client with debug output correctly detects the embedded location of ruby:

Recipe: chef-vault::default
  * chef_gem[chef-vault] action install[2014-11-04T21:04:39-07:00] INFO: Processing chef_gem[chef-vault] action install (chef-vault::default line 21)
[2014-11-04T21:04:39-07:00] DEBUG: chef_gem[chef-vault] detected omnibus installation in /opt/chef/embedded/bin
[2014-11-04T21:04:39-07:00] DEBUG: chef_gem[chef-vault] using gem from running ruby environment
[2014-11-04T21:04:39-07:00] DEBUG: chef_gem[chef-vault] no installed version found for chef-vault (~> 2.2)

Any assistance would be greatly appreciated.

Stack Trace as follows:

Starting Chef Client, version 11.12.4
resolving cookbooks for run list: ["apt", "java", "activemq", "c4_splunk::queue"]
Synchronizing Cookbooks:
  - chef-vault
  - chef-splunk
  - c4_splunk
  - java
  - activemq
  - apt
Compiling Cookbooks...
[2014-11-04T20:47:20-07:00] WARN: Cloning resource attributes for execute[apt-get-update] from prior resource (CHEF-3694)
[2014-11-04T20:47:20-07:00] WARN: Previous execute[apt-get-update]: /var/chef/cache/cookbooks/apt/recipes/default.rb:29:in `from_file'
[2014-11-04T20:47:20-07:00] WARN: Current  execute[apt-get-update]: /var/chef/cache/cookbooks/apt/recipes/default.rb:38:in `from_file'
Recipe: chef-vault::default
  * chef_gem[chef-vault] action install
================================================================================
Error executing action `install` on resource 'chef_gem[chef-vault]'
================================================================================

NoMethodError
-------------
undefined method `full_name' for nil:NilClass

Cookbook Trace:
---------------
/var/chef/cache/cookbooks/chef-vault/recipes/default.rb:21:in `from_file'
/var/chef/cache/cookbooks/c4_splunk/recipes/client.rb:11:in `from_file'
/var/chef/cache/cookbooks/c4_splunk/recipes/queue.rb:13:in `from_file'

Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/chef-vault/recipes/default.rb

 21: chef_gem 'chef-vault' do
 22:   version node['chef-vault']['version']
 23: end
 24: 

Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/chef-vault/recipes/default.rb:21:in `from_file'

chef_gem("chef-vault") do
  provider Chef::Provider::Package::Rubygems
  action :install
  retries 0
  retry_delay 2
  guard_interpreter :default
  package_name "chef-vault"
  version "~> 2.2"
  cookbook_name "chef-vault"
  recipe_name "default"
end

================================================================================
Recipe Compile Error in /var/chef/cache/cookbooks/c4_splunk/recipes/queue.rb
================================================================================

NoMethodError
-------------
chef_gem[chef-vault] (chef-vault::default line 21) had an error: NoMethodError: undefined method `full_name' for nil:NilClass

Cookbook Trace:
---------------
  /var/chef/cache/cookbooks/chef-vault/recipes/default.rb:21:in `from_file'
  /var/chef/cache/cookbooks/c4_splunk/recipes/client.rb:11:in `from_file'
  /var/chef/cache/cookbooks/c4_splunk/recipes/queue.rb:13:in `from_file'

Relevant File Content:
----------------------
/var/chef/cache/cookbooks/chef-vault/recipes/default.rb:

 14:  #
 15:  # Unless required by applicable law or agreed to in writing, software
 16:  # distributed under the License is distributed on an "AS IS" BASIS,
 17:  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 18:  # See the License for the specific language governing permissions and
 19:  # limitations under the License.
 20:  
 21>> chef_gem 'chef-vault' do
 22:    version node['chef-vault']['version']
 23:  end
 24:  
 25:  require 'chef-vault'
 26:  

Running handlers:
[2014-11-04T20:47:40-07:00] ERROR: Running exception handlers
Running handlers complete

[2014-11-04T20:47:40-07:00] ERROR: Exception handlers complete
[2014-11-04T20:47:40-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 23.612362801 seconds
[2014-11-04T20:47:40-07:00] ERROR: chef_gem[chef-vault] (chef-vault::default line 21) had an error: NoMethodError: undefined method `full_name' for nil:NilClass
[2014-11-04T20:47:40-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Top of debug stack trace (if it helps):
[2014-11-04T21:05:09-07:00] DEBUG: Re-raising exception: NoMethodError - chef_gem[chef-vault] (chef-vault::default line 21) had an error: NoMethodError: undefined method `full_name' for nil:NilClass
/opt/chef/embedded/lib/ruby/site_ruby/1.9.1/rubygems/dependency_installer.rb:136:in `block in gather_dependencies'
/opt/chef/embedded/lib/ruby/site_ruby/1.9.1/rubygems/dependency_installer.rb:136:in `map'
/opt/chef/embedded/lib/ruby/site_ruby/1.9.1/rubygems/dependency_installer.rb:136:in `gather_dependencies'
/opt/chef/embedded/lib/ruby/site_ruby/1.9.1/rubygems/dependency_installer.rb:267:in `install'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/provider/package/rubygems.rb:201:in `block (2 levels) in install'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/provider/package/rubygems.rb:224:in `with_correct_verbosity'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/provider/package/rubygems.rb:200:in `block in install'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/provider/package/rubygems.rb:110:in `with_gem_sources'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/provider/package/rubygems.rb:199:in `install'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/provider/package/rubygems.rb:511:in `install_package'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/provider/package.rb:82:in `block in action_install'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/mixin/why_run.rb:52:in `call'

Vault Environment Helper Method

I was trying to use the chef_vault_item_for_environment helper method, but realized that the version of chef-vault that is on the Chef Supermarket (1.3.0) does not have this helper method. Any idea when this might get published?

No resource or method named `chef_vault_item' for `Chef::Recipe

Cookbook version

latest

Chef-client version

12.8.1

Platform Details

ubuntu 14.04

Scenario:

Use chef_vault_item method

No resource or method named `chef_vault_item' for `Chef::Recipe

What prerequisites do I need to use this method while bootstrapping a node?

Steps to Reproduce:

knife bootstrap ...

Expected Result:

Method can be used

Actual Result:

Deletion of items using chef_vault_secret does not work.

chef_vault_secret "delete_home_cluster_info_vault_item" do
  admins []
  id 'home-cluster-info'
  data_bag home_data_bag_name
  action :delete
end

chef_vault_secret "delete_remote_cluster_info_vault_item" do
  admins []
  id 'remote-cluster-info'
  data_bag home_data_bag_name
  action [:delete, :delete]
end

It seems the reason is that this LWRP calls :delete actions using the cheffish resource chef_data_bag_item. For some reason cheffish does not delete the item if only a single :delete is called; I'm not sure of the reason for that logic.

https://github.com/chef-cookbooks/chef-vault/blob/master/libraries/chef_vault_secret.rb#L100
https://github.com/chef/cheffish/blob/master/lib/chef/resource/chef_data_bag_item.rb#L86
https://github.com/chef/cheffish/blob/master/lib/cheffish/base_resource.rb#L23

My workaround:

%w(home-cluster-info remote-cluster-info).each do |item|
  chef_data_bag_item item do
    data_bag home_data_bag_name
    action [:delete, :delete]
  end

  chef_data_bag_item [item, 'keys'].join('_') do
    data_bag home_data_bag_name
    action [:delete, :delete]
  end
end

List Vault Items within recipe

Is there a way to perform the rough equivalent of knife vault show VAULT within a recipe? I would like to build a list of all items, then iterate over that list to do what I need to do with the data in each item. If not, I would like to submit this as a feature request.

How to use chef-vault with Kitchen?

Cookbook version

'chef-vault', '~> 2.1'

Chef-client version

Chef 12.19.36

Platform Details

Ubuntu 16.04/x86_64-linux

Scenario:

Use chef-vault to secure my SSH keys. However, I want to test my cookbook using Kitchen first.

Steps to Reproduce:

Clone my repository:

https://github.com/valterhenrique/stunning-robot

Access my cookbook folder kitchen_vault, and run:

kitchen converge

Expected Result:

I want to have all the benefits of chef-vault, I want to be able to use with my kitchen environment as well.
I guess my items are being retrieved as data bags, and not as vaults.

Actual Result:

kitchen converge
-----> Starting Kitchen (v1.15.0)
-----> Converging <default-ubuntu-1604>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 5.6.2...
       Removing non-cookbook files before transfer
       Preparing data_bags
       Preparing environments
       Preparing nodes
       Preparing clients
       Preparing validation.pem
       Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
       Transferring files to <default-ubuntu-1604>
       [2017-03-03T11:58:32+00:00] INFO: Forking chef instance to converge...
       Starting Chef Client, version 12.19.36
       [2017-03-03T11:58:32+00:00] INFO: *** Chef 12.19.36 ***
       [2017-03-03T11:58:32+00:00] INFO: Platform: x86_64-linux
       [2017-03-03T11:58:32+00:00] INFO: Chef-client pid: 4781
       [2017-03-03T11:58:33+00:00] INFO: Setting the run_list to ["recipe[chef-vault]", "recipe[kitchen_vault::default]"] from CLI options
       [2017-03-03T11:58:33+00:00] INFO: Run List is [recipe[chef-vault], recipe[kitchen_vault::default]]
       [2017-03-03T11:58:33+00:00] INFO: Run List expands to [chef-vault, kitchen_vault::default]
       [2017-03-03T11:58:33+00:00] INFO: Starting Chef Run for default-ubuntu-1604
       [2017-03-03T11:58:33+00:00] INFO: Running start handlers
       [2017-03-03T11:58:33+00:00] INFO: Start handlers complete.
       [2017-03-03T11:58:33+00:00] INFO: HTTP Request Returned 404 Not Found: Object not found: 
       resolving cookbooks for run list: ["chef-vault", "kitchen_vault::default"]
       [2017-03-03T11:58:33+00:00] INFO: Loading cookbooks [[email protected], [email protected]]
       Synchronizing Cookbooks:
         [2017-03-03T11:58:33+00:00] INFO: Storing updated cookbooks/kitchen_vault/recipes/default.rb in the cache.
       - chef-vault (2.1.1)
         - kitchen_vault (0.1.0)
       Installing Cookbook Gems:
       Compiling Cookbooks...
       Recipe: chef-vault::default
         * chef_gem[chef-vault] action install[2017-03-03T11:58:33+00:00] INFO: Processing chef_gem[chef-vault] action install (chef-vault::default line 22)
        (up to date)
         
         ================================================================================
         Recipe Compile Error in /tmp/kitchen/cache/cookbooks/kitchen_vault/recipes/default.rb
         ================================================================================
         
         RuntimeError
         ------------
         Trying to load a regular data bag item dbpassword from secrets, and databag_fallback is disabled
         
         Cookbook Trace:
         ---------------
           /tmp/kitchen/cache/cookbooks/chef-vault/libraries/helpers.rb:41:in `chef_vault_item'
           /tmp/kitchen/cache/cookbooks/kitchen_vault/recipes/default.rb:10:in `from_file'
         
         Relevant File Content:
         ----------------------
         /tmp/kitchen/cache/cookbooks/chef-vault/libraries/helpers.rb:
         
          34:    # @param [String] id Identifier of the data bag item to load.
          35:    def chef_vault_item(bag, id)
          36:      if ChefVault::Item.vault?(bag, id)
          37:        ChefVault::Item.load(bag, id)
          38:      elsif node['chef-vault']['databag_fallback']
          39:        Chef::DataBagItem.load(bag, id)
          40:      else
          41>>       raise "Trying to load a regular data bag item #{id} from #{bag}, and databag_fallback is disabled"
          42:      end
          43:    end
          44:  
          45:    # Helper method which provides an environment wrapper for a data bag.
          46:    # This allows for easy access to current environment secrets inside
          47:    # of an item.
          48:    # @example
          49:    # item = chef_vault_item_for_environment('secrets', 'bacon')
          50:    # log 'Yeah buddy!' if item['type'] == 'applewood_smoked'
         
         Platform:
         ---------
         x86_64-linux
         
         
         Running handlers:
       [2017-03-03T11:58:33+00:00] ERROR: Running exception handlers
         Running handlers complete
       [2017-03-03T11:58:33+00:00] ERROR: Exception handlers complete
         Chef Client failed. 0 resources updated in 01 seconds
       [2017-03-03T11:58:33+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2017-03-03T11:58:33+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2017-03-03T11:58:33+00:00] ERROR: Trying to load a regular data bag item dbpassword from secrets, and databag_fallback is disabled
       [2017-03-03T11:58:33+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Warning about client's chef_vault_secret resource overriding cookbook's chef_vault_secret

I don't understand why this is happening. During my chef-client run on a node:

[2020-09-06T04:47:55+02:00] WARN: Resource chef_vault_secret from the client is overriding the resource from a cookbook. Please upgrade your cookbook or remove the cookbook from your run_list.

I upgraded the chef-vault cookbook to 4.0.3, chef-server is 13.2.0, chef-client is 16.x and this is still happening. The cookbook that is in the run_list for this node contains depends chef-vault in metadata.rb and include_recipe 'chef-vault' in a recipe. Resource chef_vault_secret is used only in the cookbook chef-vault on my chef-server, nowhere else. How and where might this resource on the client be overriding the resource from a cookbook? Seems like a bug to me.

Standard example fails with "Data Bag Items must contain a Hash or Mash!"

Using the standard example from the cookbook readme fails with:

Data Bag Items must contain a Hash or Mash!

code:

chef_gem 'chef-vault'
include_recipe 'chef-vault'
...snip...
begin
  data_bag('credentials')
rescue
  ruby_block "create-data_bag-secrets" do
    block do
      Chef::DataBag.validate_name!('credentials')
      databag = Chef::DataBag.new
      databag.name('credentials')
      databag.save
    end
    action :create
  end
end

chef_vault_secret 'chef_server_password' do
  data_bag 'credentials'
  raw_data({'auth' => 'Forged in a mold'})
  admins ['admin']
  clients 'vm-chef-workstation'
  search '*:*'
  action :create
end

chef-client 12.0.0

Full stacktrace:

==> vm-chef-server: ================================================================================
==> vm-chef-server: Recipe Compile Error in /etc/chef-server/chef-solo-1/cookbooks/wlc-chef-server/recipes/upload.rb
==> vm-chef-server: ================================================================================
==> vm-chef-server: 
==> vm-chef-server: 
==> vm-chef-server: Chef::Exceptions::ValidationFailed
==> vm-chef-server: 
==> vm-chef-server: ----------------------------------
==> vm-chef-server: Data Bag Items must contain a Hash or Mash!
==> vm-chef-server: 
==> vm-chef-server: Cookbook Trace:
==> vm-chef-server: ---------------
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/data_bag_item.rb:75:in `raw_data='
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/data_bag_item.rb:126:in `from_hash'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/data_bag_item.rb:155:in `load'
==> vm-chef-server:   /etc/chef-server/chef-solo-1/cookbooks/chef-vault/libraries/chef_vault_item.rb:43:in `rescue in chef_vault_item'
==> vm-chef-server:   /etc/chef-server/chef-solo-1/cookbooks/chef-vault/libraries/chef_vault_item.rb:40:in `chef_vault_item'
==> vm-chef-server:   /etc/chef-server/chef-solo-1/cookbooks/wlc-chef-server/recipes/default.rb:53:in `from_file'
==> vm-chef-server: 
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/mixin/from_file.rb:30:in `instance_eval'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/mixin/from_file.rb:30:in `from_file'
==> vm-chef-server: 
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/cookbook_version.rb:245:in `load_recipe'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context.rb:169:in `load_recipe'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context.rb:138:in `block in include_recipe'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context.rb:137:in `each'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context.rb:137:in `include_recipe'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/dsl/include_recipe.rb:26:in `include_recipe'
==> vm-chef-server:   /etc/chef-server/chef-solo-1/cookbooks/wlc-chef-server/recipes/upload.rb:9:in `from_file'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/mixin/from_file.rb:30:in `instance_eval'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/mixin/from_file.rb:30:in `from_file'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/cookbook_version.rb:245:in `load_recipe'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context.rb:169:in `load_recipe'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context/cookbook_compiler.rb:140:in `block in compile_recipes'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context/cookbook_compiler.rb:138:in `each'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context/cookbook_compiler.rb:138:in `compile_recipes'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context/cookbook_compiler.rb:75:in `compile'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/run_context.rb:92:in `load'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/policy_builder/expand_node_object.rb:73:in `setup_run_context'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/client.rb:235:in `setup_run_context'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/client.rb:397:in `run'
==> vm-chef-server: 
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application.rb:261:in `block in fork_chef_client'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application.rb:249:in `fork'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application.rb:249:in `fork_chef_client'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application.rb:215:in `block in run_chef_client'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/local_mode.rb:38:in `with_server_connectivity'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application.rb:201:in `run_chef_client'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application/solo.rb:245:in `block in interval_run_chef_client'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application/solo.rb:234:in `loop'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application/solo.rb:234:in `interval_run_chef_client'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application/solo.rb:224:in `run_application'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/lib/chef/application.rb:58:in `run'
==> vm-chef-server:   /opt/chef/embedded/apps/chef/bin/chef-solo:25:in `<top (required)>'
==> vm-chef-server:   /usr/bin/chef-solo:40:in `load'
==> vm-chef-server:   /usr/bin/chef-solo:40:in `<main>'
==> vm-chef-server: 
==> vm-chef-server: Relevant File Content:
==> vm-chef-server: ----------------------
==> vm-chef-server: /opt/chef/embedded/apps/chef/lib/chef/data_bag_item.rb:
==> vm-chef-server: 
==> vm-chef-server:  68:  
==> vm-chef-server:  69:      def validate_id!(id_str)
==> vm-chef-server:  70:        self.class.validate_id!(id_str)
==> vm-chef-server: 
==> vm-chef-server:  71:      end
==> vm-chef-server: 
==> vm-chef-server:  72:  
==> vm-chef-server:  73:      def raw_data=(new_data)
==> vm-chef-server: 
==> vm-chef-server:  74:        unless new_data.respond_to?(:[]) && new_data.respond_to?(:keys)
==> vm-chef-server:  75>>         raise Exceptions::ValidationFailed, "Data Bag Items must contain a Hash or Mash!"
==> vm-chef-server:  76:        end
==> vm-chef-server:  77:        validate_id!(new_data["id"])
==> vm-chef-server:  78:        @raw_data = new_data
==> vm-chef-server:  79:      end
==> vm-chef-server:  80:  
==> vm-chef-server:  81:      def data_bag(arg=nil)
==> vm-chef-server:  82:        set_or_return(
==> vm-chef-server:  83:          :data_bag,
==> vm-chef-server:  84:          arg,
==> vm-chef-server: 
==> vm-chef-server: 
==> vm-chef-server: 
==> vm-chef-server: [2014-12-25T18:53:57+00:00] ERROR: Running exception handlers
==> vm-chef-server: [2014-12-25T18:53:57+00:00] ERROR: Exception handlers complete
==> vm-chef-server: [2014-12-25T18:53:57+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
==> vm-chef-server: [2014-12-25T18:53:57+00:00] ERROR: Data Bag Items must contain a Hash or Mash!
==> vm-chef-server: [2014-12-25T18:53:58+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Make chef_vault_item smarter

The node['dev_mode'] attribute "works" to fallback on DataBagItem loading, but it would be better to not require that end users set that attribute when they don't want to use vault.

Potential idea is to use ChefVault::Item, and rescue the proper exception that leads to falling back to the Chef::DataBagItem. There should be careful guarding around getting the right/expected kind of object back.
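The guarded fallback proposed above, as an added example rather than the cookbook's own code. ChefVault::Item, Chef::DataBagItem and the exception classes are stand-ins constructed here so it runs offline without chef or chef-vault installed; the helper rescues only the "not a vault item" exception and checks the shape of what comes back.

```ruby
# Added example, not the chef-vault cookbook's code. The constant below stands
# in for the Chef Server's data bags; every class under ChefVault and Chef is a
# constructed stand-in with the real gems' failure modes, not the real library.
FAKE_BAGS = {
  'secrets' => {
    # a plain (unencrypted) data bag item: no matching <id>_keys item exists
    'dbpassword'  => { 'id' => 'dbpassword', 'password' => 'hunter2' },
    # a vault item plus its metadata item, as chef-vault stores them
    'apikey'      => { 'id' => 'apikey', 'key' => 'encrypted-blob' },
    'apikey_keys' => { 'id' => 'apikey_keys', 'admins' => ['alice'] },
    # a vault item this node holds no key for
    'locked'      => { 'id' => 'locked', 'token' => 'encrypted-blob' },
    'locked_keys' => { 'id' => 'locked_keys', 'admins' => ['alice'] },
  },
}.freeze

module ChefVault
  module Exceptions
    class KeysNotFound < StandardError; end      # <id>_keys item is missing
    class SecretDecryption < StandardError; end  # node has no entry in <id>_keys
  end

  class Item
    # Stand-in for ChefVault::Item.load (decryption itself is skipped here):
    # missing metadata -> KeysNotFound, unreadable secret -> SecretDecryption.
    def self.load(bag, id)
      items = FAKE_BAGS.fetch(bag)
      raise Exceptions::KeysNotFound, "#{bag}/#{id}_keys not found" unless items.key?("#{id}_keys")
      raise Exceptions::SecretDecryption, "#{bag}/#{id}: no key for this node" if id == 'locked'
      items.fetch(id)
    end
  end
end

module Chef
  class DataBagItem
    # Stand-in for Chef::DataBagItem.load: returns the raw (plaintext) item.
    def self.load(bag, id)
      FAKE_BAGS.fetch(bag).fetch(id)
    end
  end
end

# The guarded helper. The fallback is opt-in, mirroring the cookbook's
# node['chef-vault']['databag_fallback'] attribute, so a production node never
# silently reads plaintext where a vault item was expected.
def chef_vault_item_guarded(bag, id, databag_fallback: false)
  item = begin
    ChefVault::Item.load(bag, id)
  rescue ChefVault::Exceptions::KeysNotFound
    # Only "not a vault item" falls back. A bare `rescue` here would also
    # swallow SecretDecryption and hide a real key-management problem.
    unless databag_fallback
      raise "#{bag}/#{id} is not a vault item and databag_fallback is disabled"
    end
    Chef::DataBagItem.load(bag, id)
  end

  # Same shape check Chef::DataBagItem#raw_data= applies ("Data Bag Items must
  # contain a Hash or Mash!"), so callers always get a Hash-like object back.
  unless item.respond_to?(:[]) && item.respond_to?(:keys)
    raise TypeError, "#{bag}/#{id}: expected a Hash-like item, got #{item.class}"
  end
  item
end

if __FILE__ == $PROGRAM_NAME
  puts chef_vault_item_guarded('secrets', 'apikey')['key']
  puts chef_vault_item_guarded('secrets', 'dbpassword', databag_fallback: true)['password']
end
```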

Add options resource attribute for chef_gem

Cookbook version

2.0.0

Scenario:

I'm trying to use this cookbook from behind a firewall, so I need the ability to pass gem install options to the chef_gem resource; in my case, -p for http_proxy.

PR #57

Deprecated features used with Chef: 12.5.1

Deprecated features used!
  install_dir nil currently does not overwrite the value of install_dir. This will change in Chef 13, and the value will be set to nil instead. Please change your code to explicitly accept nil using "property :install_dir, [MyType, nil]", or stop setting this value to nil. at 1 location:
    - /var/cache/chef/cookbooks/redisio/recipes/install.rb:35:in `block in from_file'
  Using an LWRP provider by its name (Ark) directly is no longer supported in Chef 12 and will be removed.  Use Chef::ProviderResolver.new(node, resource, action) instead. at 1 location:
    - /var/cache/chef/cookbooks/ark/resources/default.rb:26:in `initialize'
  chef_gem[chef-vault] chef_gem compile_time installation is deprecated at 1 location:
    - /var/cache/chef/cookbooks/mascherano/recipes/default.rb:10:in `from_file'
  chef_gem[chef-vault] Please set `compile_time false` on the resource to use the new behavior. at 1 location:
    - /var/cache/chef/cookbooks/mascherano/recipes/default.rb:10:in `from_file'
  chef_gem[chef-vault] or set `compile_time true` on the resource if compile_time behavior is required. at 1 location:
    - /var/cache/chef/cookbooks/mascherano/recipes/default.rb:10:in `from_file'

No longer being installed

Cookbook version

0.16.1

Chef-client version

12.11.18

Platform Details

Ubuntu 14.04

Scenario:

I am trying to install percona via test kitchen and it has been broken since chef vault was upgraded.

Steps to Reproduce:

When I try to compile chef-vault 3.0.3 I get this error:
--- Begin output of bundle install ----
STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching gem metadata from https://rubygems.org/..........
Fetching version metadata from https://rubygems.org/..
Resolving dependencies...
Installing chef-vault 3.0.3

   Gem::InstallError: chef-vault requires Ruby version >= 2.2.0.
   Using bundler 1.11.2
   An error occurred while installing chef-vault (3.0.3), and Bundler cannot
   continue.
   Make sure that `gem install chef-vault -v '3.0.3'` succeeds before bundling.
   STDERR:

Expected Result:

It installs correctly

Actual Result:

--- Begin output of bundle install ----
STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching gem metadata from https://rubygems.org/..........
Fetching version metadata from https://rubygems.org/..
Resolving dependencies...
Installing chef-vault 3.0.3

   Gem::InstallError: chef-vault requires Ruby version >= 2.2.0.
   Using bundler 1.11.2
   An error occurred while installing chef-vault (3.0.3), and Bundler cannot
   continue.
   Make sure that `gem install chef-vault -v '3.0.3'` succeeds before bundling.
   STDERR:

ChefSpec mock not working after switching to chef-vault cookbook

I was using the chef-vault gem prior but after switching to the chef-vault cookbook I changed my code to

chef_vault_item('encrypted', 'item')

from

ChefVault::Item.load('encrypted', 'item')

In my spec file I have:

allow(ChefVault::Item).to receive(:load).with('encrypted', 'item').and_return({..})

This was working fine with ChefVault::Item.load but no longer works with chef_vault_item. Is there another way I'm supposed to stub the data bag?

:create_if_missing action fails at compile time in Chef 14

Cookbook version

3.1.0

Chef-client version

14.3.37

Platform Details

CentOS 7

Scenario:

I am trying to use the chef_vault_secret resource to create a secret during the compile-time phase of a Chef run. This lets me create a secret and use it in the same Chef run as it will be available in the converge phase. Specifically the :create_if_missing action is failing.

This behavior works in Chef 13.

It appears that the current_value Chef function used in the :create_if_missing action does not work at compile time in Chef 14:
https://github.com/chef-cookbooks/chef-vault/blob/2ea10defe187904e112ce6a8ef5daaf5402daf5e/resources/secret.rb#L51

Steps to Reproduce:

  1. Modify the test/fixtures/cookbooks/test/recipes/chef_vault_secret.rb test-kitchen recipe to create secrets at compile time:

    require 'cheffish'

    chef_data_bag 'green'

    # action :nothing plus an explicit run_action runs the resource during
    # the compile phase instead of the converge phase
    chef_vault_secret 'clean-energy' do
      data_bag 'green'
      raw_data('auth' => 'Forged in a mold')
      admins 'hydroelectric'
      search '*:*'
      action :nothing
    end.run_action(:create)

    chef_vault_secret 'dirty-energy' do
      environment '_default'
      data_bag 'green'
      raw_data('auth' => 'carbon-credits')
      admins 'hydroelectric'
      action :nothing
    end.run_action(:create_if_missing)

  2. Using the kitchen.yml in this cookbook, run the secret-resource-centos-7 test-kitchen suite.
  3. See the resource fail during the :create_if_missing action.

Expected Result:

I am expecting the secret to be created in the test-kitchen environment and the kitchen busser tests to pass.

Actual Result:

The run fails at Chef compile-time with a NameError. Full output of error:

* chef_vault_secret[dirty-energy] action create_if_missing

           ================================================================================
           Error executing action `create_if_missing` on resource 'chef_vault_secret[dirty-energy]'
           ================================================================================

           NameError
           ---------
           undefined local variable or method `current_value' for #<#<Class:0x0000000003c65f40>:0x0000000002eb5008>

           Cookbook Trace:
           ---------------
           /tmp/kitchen/cache/cookbooks/chef-vault/resources/secret.rb:51:in `block in class_from_file'
           /tmp/kitchen/cache/cookbooks/test/recipes/chef_vault_secret.rb:37:in `from_file'

           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/test/recipes/chef_vault_secret.rb

            31: chef_vault_secret 'dirty-energy' do
            32:   environment '_default'
            33:   data_bag 'green'
            34:   raw_data('auth' => 'carbon-credits')
            35:   admins 'hydroelectric'
            36:   action :nothing
            37: end.run_action(:create_if_missing)

           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/test/recipes/chef_vault_secret.rb:31:in `from_file'

           chef_vault_secret("dirty-energy") do
             action [:nothing]
             default_guard_interpreter :default
             declared_type :chef_vault_secret
             cookbook_name "test"
             recipe_name "chef_vault_secret"
             data_bag "green"
             raw_data {"auth"=>"carbon-credits"}
             admins "hydroelectric"
             id "dirty-energy"
             environment "_default"
           end

           System Info:
           ------------
           chef_version=14.3.37
           platform=centos
           platform_version=7.4.1708
           ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
           program_name=/opt/chef/bin/chef-client
           executable=/opt/chef/bin/chef-client


         ================================================================================
         Recipe Compile Error in /tmp/kitchen/cache/cookbooks/test/recipes/chef_vault_secret.rb
         ================================================================================

         NameError
         ---------
         chef_vault_secret[dirty-energy] (test::chef_vault_secret line 31) had an error: NameError: undefined local variable or method `current_value' for #<#<Class:0x0000000003c65f40>:0x0000000002eb5008>

         Cookbook Trace:
         ---------------
           /tmp/kitchen/cache/cookbooks/chef-vault/resources/secret.rb:51:in `block in class_from_file'
           /tmp/kitchen/cache/cookbooks/test/recipes/chef_vault_secret.rb:37:in `from_file'

         Relevant File Content:
         ----------------------
         /tmp/kitchen/cache/cookbooks/chef-vault/resources/secret.rb:

          44:      Chef::Log.debug("#{new_resource.id} admins (users): '#{new_resource.admins}'")
          45:      item.admins([new_resource.admins].flatten.join(','))
          46:      item.save
          47:    end
          48:  end
          49:
          50:  action :create_if_missing do
          51>>   action_create if current_value.nil?
          52:  end
          53:
          54:  action :delete do
          55:    converge_by("remove #{new_resource.id} and #{new_resource.id}_keys from #{new_resource.data_bag}") do
          56:      chef_data_bag_item new_resource.id do
          57:        data_bag new_resource.data_bag
          58:        action :delete
          59:      end
          60:

         System Info:
         ------------
         chef_version=14.3.37
         platform=centos
         platform_version=7.4.1708
         ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
         program_name=/opt/chef/bin/chef-client
         executable=/opt/chef/bin/chef-client

knife vault refresh - Response: invalid search query: '[]'

Cookbook version

3.3.0

Chef-client version

12.21.26-1

Platform Details

x86_64

Scenario:

If you create a vault without the -S option, then knife vault refresh will fail with:

Response: invalid search query: '[]'

How to reproduce:

root@chef-server:/vagrant/.chef/roles# knife vault create passwords users -E _default '{"root": "root_password"}' -A ftorre2 -C "chef_client"
root@chef-server:/vagrant/.chef/roles# knife vault refresh passwords users
ERROR: The data in your request was invalid
Response: invalid search query: '[]'

Steps to Reproduce:

root@chef-server:/vagrant/.chef/roles# knife vault create password users -E _default '{"root": "root_password"}' -A ftorre2 -C "chef_client" -S "role:base"
root@chef-server:/vagrant/.chef/roles# knife vault refresh password users
ENVIRONMENT:

chef -v
Chef Development Kit Version: 2.5.3
chef-client version: 13.8.5
delivery version: master (73ebb72a6c42b3d2ff5370c476be800fee7e5427)
berks version: 6.3.1
kitchen version: 1.20.0
inspec version: 1.51.21

/usr/bin/knife -v
Chef: 13.8.5

and Vault
chef-vault (3.3.0)

chef-vault gem no longer being installed

Today I provisioned a new node and when Chef ran I got this:

  NameError
  ---------
  uninitialized constant ChefVaultCookbook::ChefVault

  Cookbook Trace:
  ---------------
    /var/chef/cache/cookbooks/chef-vault/libraries/helpers.rb:36:in `chef_vault_item'
    /var/chef/cache/cookbooks/orcasnet-chef-vault/libraries/env_vault_item.rb:3:in `env_vault_item'
    /var/chef/cache/cookbooks/orcasnet-appserver/recipes/envdir.rb:46:in `from_file'
    /var/chef/cache/cookbooks/orcasnet-appserver/recipes/default.rb:52:in `from_file'

  Relevant File Content:
  ----------------------
  /var/chef/cache/cookbooks/chef-vault/libraries/helpers.rb:

   29:    # +node['chef-vault']['databag_fallback']+.
   30:    # @example
   31:    # item = chef_vault_item('secrets', 'bacon')
   32:    # log 'Yeah buddy!' if item['_default']['type']
   33:    # @param [String] bag Name of the data bag to load from.
   34:    # @param [String] id Identifier of the data bag item to load.
   35:    def chef_vault_item(bag, id)
   36>>     if ChefVault::Item.vault?(bag, id)
   37:        ChefVault::Item.load(bag, id)
   38:      elsif node['chef-vault']['databag_fallback']
   39:        Chef::DataBagItem.load(bag, id)
   40:      else
   41:        raise "Trying to load a regular data bag item #{id} from #{bag}, and databag_fallback is disabled"
   42:      end
   43:    end
   44:  
   45:    # Helper method which provides an environment wrapper for a data bag.

I dug in a bunch and discovered that starting with version 1.3.1 of this cookbook the chef-vault gem is no longer being installed at compile time, which is why it can't find ChefVault.

I'm guessing it's this commit which was part of #19. Honestly I can't figure out why that change would have caused this but I can't figure out what else it might have been.

/cc @johnbellone, since that was his change.

library requires gem chef-vault but cookbook does not specify it

Cookbook version

Using chef-vault (4.0.0)

Chef-client version

Test Kitchen version 1.25.0

Platform Details

OEL 6.10

Scenario:

       ================================================================================
       Recipe Compile Error in /tmp/kitchen/cache/cookbooks/chef-vault/libraries/helpers.rb
       ================================================================================
       
       LoadError
       ---------
       cannot load such file -- chef-vault
       
       Cookbook Trace:
       ---------------
         /tmp/kitchen/cache/cookbooks/chef-vault/libraries/helpers.rb:22:in `<top (required)>'
       
       Relevant File Content:
       ----------------------
       /tmp/kitchen/cache/cookbooks/chef-vault/libraries/helpers.rb:
       
        15:  #
        16:  # Unless required by applicable law or agreed to in writing, software
        17:  # distributed under the License is distributed on an "AS IS" BASIS,
        18:  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
        19:  # See the License for the specific language governing permissions and
        20:  # limitations under the License.
        21:  
        22>> require 'chef-vault'
        23:  
        24:  module ChefVaultCookbook
        25:    # Helper method which provides a Recipe/Resource DSL for wrapping
        26:    # creation of {ChefVault::Item}.
        27:    # @note
        28:    # Falls back to normal data bag item loading if the item is not
        29:    # actually a Chef Vault item. This is controlled via
        30:    # +node['chef-vault']['databag_fallback']+.
        31:    # @example
       
       Platform:
       ---------
       x86_64-linux

Steps to Reproduce:

Depending on chef-vault causes this issue during a kitchen run.

Expected Result:

When I put gem chef-vault within my metadata.rb file this issue does not reproduce. This cookbook should reference the gem so that it can be found within the dependency tree.

Actual Result:

:(

undefined method `provides' for ChefVaultCookbook::Provider::ChefVaultSecret:Class

Hiya,

I just pulled chef-vault 1.3.1 from supermarket and I'm getting this error when trying to converge nodes:

================================================================================
Recipe Compile Error in /var/chef/cache/cookbooks/chef-vault/libraries/chef_vault_secret.rb
================================================================================

NoMethodError
-------------
undefined method `provides' for ChefVaultCookbook::Provider::ChefVaultSecret:Class

Cookbook Trace:
---------------
  /var/chef/cache/cookbooks/chef-vault/libraries/chef_vault_secret.rb:48:in `<class:ChefVaultSecret>'
  /var/chef/cache/cookbooks/chef-vault/libraries/chef_vault_secret.rb:47:in `<module:Provider>'
  /var/chef/cache/cookbooks/chef-vault/libraries/chef_vault_secret.rb:46:in `<module:ChefVaultCookbook>'
  /var/chef/cache/cookbooks/chef-vault/libraries/chef_vault_secret.rb:27:in `<top (required)>'

Relevant File Content:
----------------------
/var/chef/cache/cookbooks/chef-vault/libraries/chef_vault_secret.rb:

 41:        attribute(:raw_data, kind_of: [Hash, Mash], default: {})
 42:        attribute(:environment, kind_of: [String, NilClass], default: nil)
 43:      end
 44:    end
 45:
 46:    module Provider
 47:      class ChefVaultSecret < Chef::Provider::LWRPBase
 48>>       provides(:chef_vault_secret)

The nodes I was having trouble with are running chef-client 11.8.6. Reverting to chef-vault 1.3.0 fixes the issue.

Helpers do not work with kitchen test as expected

I'm not proficient in Ruby, but it appears that the method being used in this fallback handling (vault?) raises an exception that isn't handled in this helper, so instead of ever going to the "databag_fallback" case it instead just hard stops and errors. The chef output in my kitchen test shows that it is resolving "chef-vault (4.0.3)".

https://github.com/chef/chef-vault/blob/master/lib/chef-vault/item.rb#L320

================================================================================
Recipe Compile Error in /tmp/kitchen/cache/cookbooks/cookbook/recipes/default.rb
================================================================================

Net::HTTPServerException
------------------------
404 "Not Found"

Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/chef-vault/libraries/helpers.rb:37:in `chef_vault_item'
/tmp/kitchen/cache/cookbooks/cookbook/recipes/configuration.rb:36:in `block in from_file'
/tmp/kitchen/cache/cookbooks/cookbook/recipes/configuration.rb:32:in `from_file'
/tmp/kitchen/cache/cookbooks/cookbook/recipes/default.rb:13:in `from_file'

Relevant File Content:
----------------------
/tmp/kitchen/cache/cookbooks/chef-vault/libraries/helpers.rb:

30:    # +node['chef-vault']['databag_fallback']+.
31:    # @example
32:    # item = chef_vault_item('secrets', 'bacon')
33:    # log 'Yeah buddy!' if item['_default']['type']
34:    # @param [String] bag Name of the data bag to load from.
35:    # @param [String] id Identifier of the data bag item to load.
36:    def chef_vault_item(bag, id)
37>>     if ChefVault::Item.vault?(bag, id)
38:        ChefVault::Item.load(bag, id)
39:      elsif node['chef-vault']['databag_fallback']
40:        data_bag_item(bag, id)
41:      else
42:        raise "Trying to load a regular data bag item #{id} from #{bag}, and databag_fallback is disabled"
43:      end
44:    end
45:
46:    # Helper method that allows for listing the ids of a vault in a recipe.

System Info:
------------
chef_version=15.10.12
platform=centos
platform_version=7.8.2003
ruby=ruby 2.6.6p146 (2020-03-31 revision 67876) [x86_64-linux]
program_name=/opt/chef/bin/chef-client
executable=/opt/chef/bin/chef-client

Escalating from a comment in another issue to its own issue as it still presents on new chef versions (initially wondered if it was relevant to being on such an old release). #64 (comment)
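The following is an added example, not code from the cookbook or the chef-vault gem. It drives the chef_vault_item helper quoted in the trace above against a constructed in-memory stand-in for the Chef server (the FakeVault class, the SERVER contents and the outcome/demo functions are all assumptions made for the example) and records which calls the helper makes. It serves both this issue and the "ChefSpec mock not working" issue above: it shows a real vault item, a plain item with and without databag_fallback, and an item that does not exist at all.

```ruby
# Added example (not the cookbook's code): the chef_vault_item helper quoted in the
# trace above, driven against an in-memory stand-in for the Chef server, to show
# the outcomes a practitioner hits in Test Kitchen and ChefSpec: a real vault item,
# a plain item with and without databag_fallback, and an item that does not exist.
require 'net/http'

# Ruby 2.6 renamed Net::HTTPServerException to Net::HTTPClientException; the
# Chef 15 trace above still prints the old name. Use whichever this Ruby has.
HTTP_404 = defined?(Net::HTTPClientException) ? Net::HTTPClientException : Net::HTTPServerException

# Constructed stand-in for ChefVault::Item (an assumption, not the gem). As in
# chef-vault, an item counts as a vault item when an "<id>_keys" sibling exists.
class FakeVault
  attr_reader :calls   # order in which the helper called vault?/load/data_bag_item

  def initialize(bags)
    @bags  = bags      # { bag_name => { item_id => item_hash } }
    @calls = []
  end

  # vault? has to fetch the item before it can inspect it, so an absent bag or
  # item surfaces here as the server's 404, exactly as in the trace above.
  def vault?(bag, id)
    @calls << :vault?
    fetch_or_404(bag, id)
    @bags[bag].key?("#{id}_keys")
  end

  def load(bag, id)            # decryption itself is out of scope here
    @calls << :load
    fetch_or_404(bag, id)
  end

  def data_bag_item(bag, id)   # stands in for Chef's data_bag_item DSL method
    @calls << :data_bag_item
    fetch_or_404(bag, id)
  end

  private

  def fetch_or_404(bag, id)
    @bags.dig(bag, id) or raise HTTP_404.new('404 "Not Found"', nil)
  end
end

# The helper as quoted from helpers.rb, with the two Chef globals it reads
# (ChefVault::Item and node['chef-vault']['databag_fallback']) passed in.
def chef_vault_item(vault, bag, id, databag_fallback:)
  if vault.vault?(bag, id)
    vault.load(bag, id)
  elsif databag_fallback
    vault.data_bag_item(bag, id)
  else
    raise "Trying to load a regular data bag item #{id} from #{bag}, and databag_fallback is disabled"
  end
end

# Runs the helper and reports [outcome, value, calls made] instead of aborting,
# so the server states can be compared side by side.
def outcome(bags, bag, id, databag_fallback:)
  vault = FakeVault.new(bags)
  value = chef_vault_item(vault, bag, id, databag_fallback: databag_fallback)
  [:loaded, value, vault.calls]
rescue HTTP_404 => e
  [:http_404, e.message, vault.calls]
rescue RuntimeError => e
  [:refused, e.message, vault.calls]
end

# Constructed server contents: one vault item (with its _keys item) and one plain item.
SERVER = {
  'secrets' => {
    'dbpassword'      => { 'id' => 'dbpassword', 'password' => { 'encrypted_data' => '<ciphertext>' } },
    'dbpassword_keys' => { 'id' => 'dbpassword_keys', 'web01' => '<wrapped shared secret>' },
    'plainconfig'     => { 'id' => 'plainconfig', 'port' => 5432 },
  },
}.freeze

def demo
  {
    vault_item:   outcome(SERVER, 'secrets', 'dbpassword',  databag_fallback: false),
    plain_fb_on:  outcome(SERVER, 'secrets', 'plainconfig', databag_fallback: true),
    plain_fb_off: outcome(SERVER, 'secrets', 'plainconfig', databag_fallback: false),
    missing:      outcome(SERVER, 'secrets', 'nothere',     databag_fallback: true),
  }
end
```

Two practical points follow from the recorded calls. In ChefSpec, a stub that only answers ChefVault::Item.load is never consulted, because vault? runs first and must be answered as well (or the item must exist in the test's data bags). In Test Kitchen, an item that is absent from the suite's data bags raises the 404 out of vault? before databag_fallback is even considered; the fallback covers a plain item that exists, not a missing one. That is the right behaviour to keep in production: a missing vault item should fail the run rather than be papered over by the fallback.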

New Release for Supermarket

The version on the supermarket still has the uninitialized constant error bug present (fixed by #34). Would it be possible to cut a new release for that bugfix?

Change of client search query or admins does not re-encrypt vault item

Cookbook version

3.1.0

Chef-client version

Chef: 12.21.4 (yes, we know it’s dated. I hope this doesn’t affect this, but from what I can tell (see "Additional Information"), it should not)

Platform Details

Linux: Ubuntu 16.04 and Debian testing

Scenario:

We were previously using the 2.x line of the cookbook. We have multiple chef servers. The master repository from which chef servers are initialised does not know all nodes, and thus secrets cannot be encrypted for all nodes there using knife. We encrypt the vault items for a user which is common on all chef-servers.

We have a provisioning recipe which is run on the chef server. It uses chef_vault_secret to update the search query for the nodes on the chef server and re-encrypt the databag item. The existing item can be decrypted using the common user I mentioned above. It is then encrypted for all nodes which need it. The value stored in the item is left unchanged here.

Steps to Reproduce:

  1. Create vault item foo in data bag test with the contents {"id": "foo", "key": "value"}. Set admin (or whatever user, adapt the recipe below otherwise) as admin and don’t add any clients.

  2. Execute the following recipe:

    chef_vault_secret 'foo' do
      action :create
      data_bag 'test'
      raw_data({'id' => 'foo', 'key' => 'value'})
      admins ['admin']
      clients 'name:n1'
      search 'name:n1'
    end

Expected Result:

The vault item should be re-encrypted for the clients given in the search expression.

Actual Result:

The vault item is not re-encrypted for the clients, but instead the resource claims to be (up to date).

Additional Information

I think the cause of this is that with the migration to LWRP, desired_state: false was added to the admins, clients and search properties. I think this should be removed, because change to any of those effectively requires re-encryption of the vault item.

Alternatively, I suggest to add a chef_vault_reencrypt resource (or something similar) which allows to do this.
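The following is an added example, not code from the cookbook or from chef-vault. It is a minimal model of how a vault item is shared, built to show why a change of admins, clients or search has to re-encrypt the item. It follows chef-vault's design (the data is encrypted once under a random shared secret, and that secret is wrapped separately under each authorised client's or admin's RSA public key), but the class names Principal and VaultItem, the reshare method, the AES-GCM cipher choice and the demo scenario are all assumptions made for the example.

```ruby
# Added example (not the cookbook's or chef-vault's code): a minimal model of how a
# vault item is shared with clients, to show why a change of admins/clients/search
# must re-encrypt the item. The cipher and wrapping details are simplified.
require 'openssl'
require 'json'

# A Chef client or user. The server only ever holds the public half of the key.
class Principal
  attr_reader :name, :key

  def initialize(name)
    @name = name
    @key  = OpenSSL::PKey::RSA.generate(2048)
  end
end

class VaultItem
  attr_reader :keys   # name => shared secret wrapped under that principal's public key

  def initialize(raw_data, admins:, clients: [])
    secret = OpenSSL::Random.random_bytes(32)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = secret
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(raw_data)) + cipher.final
    @encrypted = { iv: iv, tag: cipher.auth_tag, ct: ciphertext }
    @keys = wrap(secret, admins + clients)
    # The plaintext secret is not retained: only key holders can recover it.
  end

  # What a changed client set has to trigger: an admin unwraps the shared secret
  # with its private key and wraps it again for the new set. Without this step a
  # newly searched client has no key entry at all and cannot read the item.
  def reshare(admin, admins:, clients:)
    secret = admin.key.private_decrypt(@keys.fetch(admin.name))
    @keys  = wrap(secret, admins + clients)
  end

  def decrypt_as(principal)
    wrapped = @keys.fetch(principal.name) do
      raise KeyError, "#{principal.name} has no key entry for this item"
    end
    secret = principal.key.private_decrypt(wrapped)
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = secret
    d.iv  = @encrypted[:iv]
    d.auth_tag = @encrypted[:tag]
    JSON.parse(d.update(@encrypted[:ct]) + d.final)
  end

  private

  def wrap(secret, principals)
    principals.to_h { |p| [p.name, p.key.public_key.public_encrypt(secret)] }
  end
end

# Reproduces the scenario from the issue above: the item is created with only an
# admin and no clients, then the recipe asks for it to be shared with client n1.
def demo
  admin = Principal.new('admin')
  n1    = Principal.new('n1')
  item  = VaultItem.new({ 'id' => 'foo', 'key' => 'value' }, admins: [admin])

  before = begin
    item.decrypt_as(n1)
    :readable
  rescue KeyError
    :not_shared        # the state a resource that ignores clients/search reports as up to date
  end

  item.reshare(admin, admins: [admin], clients: [n1])   # the re-encryption a changed search must trigger
  after = item.decrypt_as(n1)['key']

  { before: before, after: after, key_holders: item.keys.keys.sort }
end
```

The only inputs to reshare are the admin and client sets, which is why those properties are part of the item's real state even though the raw_data does not change: a resource that excludes them from its desired-state comparison will report the item up to date while n1 is still locked out.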

Auto refresh of node list

Is there a way to have chef-vault's node list refreshed automatically during knife bootstrap (when new nodes are added)?

Thanks

4.0.3 Release incoming?

I would like to upgrade my cookbook to use the 4.x line in order to maintain compatibility with Chef 16, but if I do so then I believe I would lose compatibility with Chef 15 and below. The problem has already been fixed in the master branch here. Can we get that latest code released?

Add command to add client to clients list by name (not requiring search).

Would it be possible to add a command to add a client name to a vault item (even if that client doesn't exist yet)? This would allow me to add the credentials of a user I want services to run as before bootstrapping the node, and get these services set up on bootstrap.

The alternative I have is just to store these in a node attribute, which is insecure.
