chef / chef-vault

Securely manage passwords, certs, and other secrets in Chef
Apache License 2.0
406 stars, 158 forks

Have to perform `knife vault refresh` after vagrant up #140

Closed dgorack closed 9 years ago

dgorack commented 9 years ago

Is there a way to tell vagrant to do a knife vault refresh blah blah on vagrant up?

This is the exception once chef-client runs after a vagrant up.

```text
==> default: ChefVault::Exceptions::SecretDecryption
==> default: ---------------------------------------
==> default: auth/client is encrypted for you, but your private key failed to decrypt the contents.  (if you regenerated your client key, have an administrator of the vault run 'knife vault refresh')
```

At this point I run knife vault refresh auth client and vagrant provision

jf647 commented 9 years ago

If you're just talking about doing this against chef-zero running the Vagrant box, you should be able to do this with a shell provisioner, passing the -k switch to use some random RSA key (chef-zero doesn't check the signature of requests, but knife requires a key to sign them).

If you're talking about against your real chef server, that's a bit harder. Again, use a shell provisioner, but you'd have to ensure that an administrative key was mounted into the Vagrant machine. Normally inside the box you only have access to the node's private key, which is good for decryption, but can't update the encrypted data bag.

A better solution is to use test-kitchen for cookbook tests, combined with the chef-vault-testfixtures gem and the companion cookbook to create real encrypted values inside the box under test.

jf647 commented 9 years ago

Did this resolve your question? Absent any further feedback, I'll be closing this in the sweep before the next release.

dgorack commented 9 years ago

I'm talking about running it against a real chef server. I'm not sure I understand your response properly so I'll read up on the chef-vault docs again so I understand how it works.

jf647 commented 9 years ago

The knife vault refresh would have to be run from the host machine (because the guest shouldn't have a private admin key inside). There is a plugin that might be of use:

https://github.com/phinze/vagrant-host-shell

Though I've never used it.

You'd need to ensure that it ran after provisioning the guest (and if you're on Chef 11, ensuring that the new node had been indexed by SOLR), and then use it to run 'knife vault refresh'.

dgorack commented 9 years ago

Trying this but I don't see how I can get this to run the command after provisioning but before the actual chef-client run.

jf647 commented 9 years ago

I assume this box is for running tests; can we go back to why you want to get a test box talking to your real chef server?

There are solutions for making chef-vault fall back to test data bags in both ChefSpec and Test-Kitchen runs; it seems like you're trying to solve the same problem in a different way. What's your use case?

dgorack commented 9 years ago

I'm testing the cookbook in vagrant. I finish writing a recipe and chefspec tests and if it all passes, I upload my databags to the Chef Server and test it on a vagrant instance with vagrant up.

jf647 commented 9 years ago

What you're trying to do sounds like exactly what test-kitchen was designed to do.

I don't think it will be possible to orchestrate what you're trying to do, unless you either

a) pre-encrypt the vault and somehow pass the private key into the provisioner so that chef-client doesn't create one on the fly

or b) provide the node inside with a key that can run vault refresh, and somehow get that to run in your client run after the node identity has been created but before any vault access happens - like an execute block that runs at compile time.

Neither are particularly attractive options though.
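The following is an added example, not chef-vault's own code: a simplified model in plain Ruby (standard-library openssl only) of how a vault item is protected, showing why a client key regenerated on a fresh `vagrant up` produces the SecretDecryption error quoted above and what `knife vault refresh` repairs. The `ToyVault` class, its method names and the AES-256-CBC/RSA-OAEP choices are this example's assumptions, not the real wire format.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Simplified model of a chef-vault item: the body is AES-256-CBC encrypted under a
# random shared secret, and the shared secret is RSA-wrapped once per authorised
# client public key (the real vault keeps these wrappings in an "<item>_keys" item).
class ToyVault
  class DecryptionError < StandardError; end # stands in for SecretDecryption

  # clients: { 'client_name' => OpenSSL::PKey::RSA public key }, constructed locally
  def initialize(secret_data, clients)
    @shared_secret = OpenSSL::Random.random_bytes(32)
    @item = encrypt_item(secret_data)
    refresh(clients)
  end

  # Equivalent of `knife vault refresh`: re-wrap the shared secret for the CURRENT
  # public key of every client. In real chef-vault this needs an administrator key
  # that can unwrap the secret and write the bag, hence it runs on the host, not the guest.
  def refresh(clients)
    @keys_item = clients.transform_values do |pub|
      Base64.strict_encode64(pub.public_encrypt(@shared_secret, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))
    end
  end

  # What a node does during a chef-client run with its own private key.
  def decrypt(client_name, private_key)
    wrapped = @keys_item.fetch(client_name) { raise DecryptionError, "#{client_name} is not in the vault" }
    secret = private_key.private_decrypt(Base64.strict_decode64(wrapped), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    cipher.key = secret
    cipher.iv = Base64.strict_decode64(@item['iv'])
    JSON.parse(cipher.update(Base64.strict_decode64(@item['data'])) + cipher.final)
  rescue OpenSSL::PKey::RSAError, OpenSSL::Cipher::CipherError
    # A regenerated client key cannot unwrap a secret that was wrapped for the old key.
    raise DecryptionError, 'your private key failed to decrypt the contents'
  end

  private

  def encrypt_item(data)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = @shared_secret
    iv = cipher.random_iv
    body = cipher.update(JSON.dump(data)) + cipher.final
    { 'iv' => Base64.strict_encode64(iv), 'data' => Base64.strict_encode64(body) }
  end
end
```

Create a vault for a client key, replace that key (as a destroyed and recreated guest would), and decryption fails until `refresh` is run with the new public key.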

dgorack commented 9 years ago

Thanks for the clarification. I'm using minitest, but is the current recommendation to use chefspec for unit testing and test-kitchen instead of minitest? Or serverspec?

IOW what's the current suggested Chef workflow, if you don't mind?

jf647 commented 9 years ago

We use ChefSpec for unit testing (with the chef-vault-testfixtures gem) and Test-Kitchen/Serverspec for integration testing (with the chef-vault cookbook and the chef_vault_item helper).

Using these together, you just create a dummy test data bag in test/integration/data_bags/bag_name/item_name.json. For ChefSpec, the gem automatically mocks the ChefVault and Chef::DataBag calls to return the values from the JSON file. For Test-Kitchen, the helper falls back to the unencrypted data bag.

dgorack commented 9 years ago

Thanks! This issue can be closed.