HELLO.
I'm managing my password hashes and pubkeys for human users via vault. It's working well for existing hosts, but when I build new hosts I need to update the vault to put the new keys on, and that's where things are getting weird: the vault update only seems to work after my new host has tried (and failed) to query the vault.
My suspicion is presently that this is because the chef-vault gem needs to be invoked on the node before the update occurs, which is not the case at this point, but that seems a little counterintuitive. Any suggestions would be welcome!
Here's how I'm updating the vault, in a bash script. Right now I'm doing this shortly after knife bootstrap and an initial chef-client run. Each user has their own vault item in user_vault containing a pubkey and a hash (and an id).
echo "Updating vault"
# Every item in user_vault except the *_keys companions is a user's vault item.
for x in $(knife data bag show user_vault | grep -v '_keys$') ; do
  echo "Updating user vault for $x"
  # --search '*:*' re-wraps the item's shared secret for every client the Chef
  # search returns, so a node that search does not yet return is not granted access.
  knife vault update user_vault "$x" --mode client --search '*:*' --admins admin_name
done

…Then after that update I add a role that calls my human user cookbook, which looks like this:
chef_gem "chef-vault"
require "chef-vault"

# Skipped entirely on chef-solo (test kitchen) so the human users are not built there.
unless Chef::Config[:solo]
  data_bag('human_users').each do |item_id|
    individual_data = data_bag_item('human_users', item_id)
    username = individual_data["id"]
    # Per-user vault item with the password hash and ssh pubkey. This node must
    # already have an entry in user_vault/<id>_keys or the load fails.
    vault = ChefVault::Item.load("user_vault", username)

    user username do
      shell individual_data["shell"]
      home "/home/#{username}"
      password vault['password_hash']
      # The original `supports { [":manage_home"] }` hands `supports` a block
      # rather than a hash, so manage_home was never actually enabled.
      manage_home true
    end

    directory "/home/#{username}/.ssh" do
      owner username
      group username
      mode '0700'
    end

    file "/home/#{username}/.ssh/authorized_keys" do
      content vault['ssh_key']
      owner username
      group username
      mode '0644'
    end

    individual_data["groups"].each do |groupname|
      group groupname do
        members username
        append true
      end
    end
  end
end

That "unless" at the beginning is in there because I don't want to build these users on my test kitchen machines for a variety of reasons, and that was the most expedient way to make that happen. This is all happening in a CentOS environment with open source Chef.
Any insight would be welcome. I’m still pretty new to chef (and I wrote that recipe when I was even newer) so I’m sure I’ve done a bunch of other dumb stuff that you’re all about to tell me about as well, but hopefully nothing TOO dumb. Thanks guys!
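Added example, not from the original post or from the chef-vault gem: a toy model of why a node that was bootstrapped after the last update cannot read a vault item. chef-vault encrypts each item once with a shared secret and keeps that secret, wrapped with each client's RSA public key, in the companion <item>_keys data bag item; `knife vault update` adds a wrapped copy for every client its search returns, and a client with no wrapped copy has nothing it can decrypt. The model below reproduces that structure in plain Ruby with OpenSSL. The node names (web1, web2, web3), the item contents, the ToyVault class and the AES-GCM / PKCS#1 cipher choices are all assumptions made for this example, not the gem's API or formats.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Toy model of chef-vault's key handling. Added illustration, not the gem's
# code: the gem wraps a shared secret with each client's RSA public key and
# stores the wrapped copies in "<item>_keys"; the AES-GCM item encryption and
# PKCS#1 RSA wrapping used here are this model's own choices.
class ToyVault
  attr_reader :keys_item   # stands in for the user_vault/<id>_keys data bag item

  def initialize(data, clients)
    @secret = OpenSSL::Random.random_bytes(32)       # one shared secret per item
    @iv, @ciphertext, @tag = encrypt(JSON.generate(data))
    @keys_item = {}
    clients.each { |name, pubkey| grant(name, pubkey) }
  end

  # What "knife vault update --search ..." does for each client the search
  # returns: wrap the existing shared secret with that client's public key.
  def grant(name, pubkey)
    @keys_item[name] = Base64.strict_encode64(pubkey.public_encrypt(@secret))
  end

  def readable_by?(name)
    @keys_item.key?(name)
  end

  # What ChefVault::Item.load amounts to on a node: unwrap the secret with the
  # node's own client key, then decrypt the item. A client bootstrapped after
  # the last update has no wrapped copy and fails here.
  def load_as(name, private_key)
    raise "#{name} has no entry in the _keys item; run knife vault update" unless readable_by?(name)
    secret = private_key.private_decrypt(Base64.strict_decode64(@keys_item[name]))
    JSON.parse(decrypt(secret))
  end

  private

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @secret
    iv = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    [iv, ciphertext, cipher.auth_tag]
  end

  def decrypt(secret)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = secret
    cipher.iv = @iv
    cipher.auth_tag = @tag
    cipher.update(@ciphertext) + cipher.final
  end
end

# Constructed scenario: two nodes existed when the vault was written, then a
# third is bootstrapped. Client names, keys and item contents are made up.
def demo
  existing = { 'web1' => OpenSSL::PKey::RSA.new(2048), 'web2' => OpenSSL::PKey::RSA.new(2048) }
  item = { 'id' => 'alice', 'password_hash' => '$6$constructed$hash',
           'ssh_key' => 'ssh-ed25519 AAAAC3 alice' }
  vault = ToyVault.new(item, existing.transform_values(&:public_key))

  web3 = OpenSSL::PKey::RSA.new(2048)             # freshly bootstrapped node
  denied_before_update = begin
    vault.load_as('web3', web3)
    false
  rescue RuntimeError
    true
  end

  vault.grant('web3', web3.public_key)            # the knife vault update step
  {
    denied_before_update: denied_before_update,
    ssh_key_after_update: vault.load_as('web3', web3)['ssh_key'],
    web1_still_reads: vault.load_as('web1', existing['web1'])['id']
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The point the model makes is that the item itself never changes between the two load attempts; only the set of wrapped copies in the _keys item does, and a search that does not return the new client leaves it without one.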