Chef Vault with Test-Kitchen, Vagrant and Chef-Zero provisioner
Question
I have an environment set up with Test-Kitchen v1.5.0 and Vagrant v1.8.1. I have a recipe that uses chef-vault to decrypt the encrypted passwords that are in our data_bags_path/passwords/pilot.json file.
I am using the solution here https://github.com/chef/chef-vault/issues/58 that daxgames provides towards the end of the page.
My .kitchen.yml:
---
driver:
  name: vagrant
provisioner:
  name: chef_zero
  require_chef_omnibus: 12.14.77
  roles_path: ../../roles
  environments_path: ../../environments
  data_bags_path: ../../data_bags
  client_rb:
    environment: lgrid2-dev
    node_name: "ltylapp400a"
    client_key: "/etc/chef/ltylapp400a.pem"
platforms:
  - name: centos-6.8
    driver:
      synced_folders:
        - ["/Users/212466756/.chef", "/etc/chef", "disabled:false"]
suites:
  - name: ltylapp400a
    run_list:
      - role[lgrid-db]
    attributes:
      chef_client:
A snippet from my recipe that deals with chef-vault:
# Loads ChefVault; the gem is bundled with Chef 12 omnibus builds
# (older clients need the chef-vault cookbook or a chef_gem resource).
require 'chef-vault'

# Pick the vault item for this node: the shared "pilot" item for pilot nodes,
# or a per-site item named after characters 2..4 of the hostname in production.
# Any other status leaves `passwords` nil.
case node["customer_conf"]["status"]
when 'pilot'
  passwords = ChefVault::Item.load('passwords', 'pilot')
when 'production'
  passwords = ChefVault::Item.load('passwords', node[:hostname][1..3])
end
My directory structure for relevant data_bags:
data_bags
  --passwords
    --pilot.json
    --pilot_keys.json
The error I am getting is that the client.pem that vagrant generates at /etc/chef/ltylapp400a.pem cannot decrypt the contents of that data bag. Chef suggests that I run knife vault refresh, but I am not connected to my chef server on my local machine, so if I run this it will give an error about not having a chef server to connect to. My question is how I can add the new key that vagrant generated to pilot_keys.json so that it is able to decrypt that data_bag?
More detailed answers are better; I am still somewhat new to chef, test-kitchen, etc.
Recommended answer
I was able to get this working; below are my results and conclusions. As I stated above, my issue was that I was unable to decrypt the data_bag, since I could not add the new key that vagrant created to the pilot_key.json file, because I was not connected to the chef server and could not run a knife vault refresh/update. What I had to do was get the client.pem key from a server that already had access to the pilot.json data_bag. I used our utility server's key since it will not be destroyed in the near future.
So on my local PC I have a .chef/ directory under my home directory, with the client.pem key I copied from the utility server, and I sync this with /tmp/kitchen/, which acts as the /etc/chef directory in the test-kitchen environment.
---
driver:
  name: vagrant
provisioner:
  name: chef_zero
  require_chef_omnibus: 12.14.77
  roles_path: ../../roles
  environments_path: ../../environments
  data_bags_path: ../../data_bags
  client_rb:
    node_name: "utilityServer"
    client_key: "/tmp/kitchen/client.pem" # The Chef::Vault needs a client.pem file to authenticate back to the data_bag to decrypt it; this needs to be stored at /tmp/kitchen/client.pem
    environment: dev
    no_proxy: 10.0.2.2
platforms:
  - name: centos-6.8
    driver:
      synced_folders:
        - ["~/.chef", "/tmp/kitchen/", "disabled:false"] # Allows the vagrant box to have access to your .chef directory in your home directory. This is where you will store the client.pem for authentication.
suites:
  - name: lzzzdbx400a
    run_list:
      - role[lgrid-db]
    attributes:
data_bags/passwords/pilot_key.json looks like this:
{
  "id": "pilot_keys",
  "admins": [
    "utilityServer"
  ],
  "clients": [
    "webserver",
    "database"
  ],
  "search_query": "*:*",
  "utilityServer": "key",
  "webserver": "key",
  "database": "key"
}
Since the utilityServer key was already able to decrypt the passwords/pilot data_bag, it ran through fine the next time I ran kitchen converge.