Open ryanl-ee opened 8 years ago
It's pretty hacky, but setting `node['chef_server']['users']` and running something like this seems to work:

```ruby
# Install and load chef-rewind so the populator's key-handling resources can be removed
chef_gem 'chef-rewind'
require 'chef/rewind'

node['chef_server']['users'].each do |bag|
  bag_item = data_bag_item(node['chef_server_populator']['databag'], bag)

  # Drop the populator's resources that replace the default key with a "populator" key
  unwind "execute[set user key: #{bag_item['id']}]"
  unwind "execute[delete default user key: #{bag_item['id']}]"

  # Write the user's public key from the data bag to disk for chef-server-ctl
  key_file = "#{Chef::Config[:file_cache_path]}/#{bag_item['id']}.pub"
  file key_file do
    backup false
    content bag_item['chef_server']['client_key']
    mode '0400'
  end

  # Add the key back under the name "default", skipping users that already have it
  execute "fix default user key #{bag_item['id']}" do
    command "chef-server-ctl add-user-key #{bag_item['id']} #{key_file} --key-name default"
    not_if { Mixlib::ShellOut.new("chef-server-ctl list-user-keys #{bag_item['id']} -v").run_command.stdout.include? bag_item['chef_server']['client_key'] }
  end
end
```
This is causing a good amount of grief in our organization, as removing the default key breaks the ability to do password resets via `chef-server-ctl password <username>`. It also causes oddities with being able to create/update new vaults.
Hi all! I'm trying to use this cookbook to set up a Chef server and then store secrets using Chef Vault. Unfortunately, Chef Vault only supports using the default public key (https://github.com/chef/chef-vault/blob/c98d4fbe4f7443f7341b278b436aa19ef4240e06/lib/chef-vault/chef_key.rb#L39) and this cookbook deletes it & creates a new one under the name of `populator` (https://github.com/hw-cookbooks/chef-server-populator/blob/develop/recipes/client.rb#L104-L115). I'll look into adding the default key back with my wrapper cookbook, but thought you'd want to be aware. Thanks!
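An audit check for the situation described in this issue, added here as an example (it is not code from the cookbook or from anyone in this thread): it classifies whether a user still has the usable `default` key that chef-vault relies on, comparing parsed keys instead of raw PEM text. It assumes the two inputs mirror the Chef Server API responses for `GET /users/<name>/keys` and `GET /users/<name>/keys/default`; the sample data, user names and URIs are constructed.

```ruby
require 'json'
require 'openssl'

# Decide whether a Chef Server user still has the "default" key chef-vault needs.
# key_list    - array of {name, uri, expired} as returned by GET /users/<name>/keys
# default_key - {name, public_key, expired} from GET /users/<name>/keys/default
# expected_pem - the public key we believe should be installed (e.g. from the data bag)
# Returns :missing, :expired, :mismatch or :ok. (Assumed API shapes; fetching is
# left to the caller, e.g. a signed API request or knife.)
def default_key_status(key_list, default_key, expected_pem)
  entry = key_list.find { |k| k['name'] == 'default' }
  return :missing if entry.nil?
  return :expired if entry['expired'] || default_key['expired']

  # Compare DER encodings so PEM wrapping or trailing newline differences
  # do not cause false mismatches (unlike a plain stdout.include? check).
  actual = OpenSSL::PKey::RSA.new(default_key['public_key'])
  wanted = OpenSSL::PKey::RSA.new(expected_pem)
  actual.to_der == wanted.to_der ? :ok : :mismatch
end

# Constructed sample: a freshly generated key stands in for the data bag's
# public key; "bob" imitates what the populator recipe leaves behind (only a
# "populator" key), "alice" is a healthy user.
def sample_report
  pem = OpenSSL::PKey::RSA.new(2048).public_key.to_pem
  healthy = [{ 'name' => 'default', 'uri' => 'https://chef.example/users/alice/keys/default', 'expired' => false }]
  populated = [{ 'name' => 'populator', 'uri' => 'https://chef.example/users/bob/keys/populator', 'expired' => false }]
  {
    'alice' => default_key_status(healthy, { 'name' => 'default', 'public_key' => pem, 'expired' => false }, pem),
    'bob' => default_key_status(populated, {}, pem),
  }
end

puts JSON.pretty_generate(sample_report) if $PROGRAM_NAME == __FILE__
```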