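I am trying to store encrypted credentials for user creation in Chef Vault, and then deploy a cookbook to the node on which I want the user to be created.
Using Chef version 12.13.37
Using chef-vault cookbook 2.1.1
Initially created the vault using
knife vault create ftp users \
  '{"user":"password"}' \
  --search 'name:my_node_name' \
  --admins bk0155 \
  --mode client
The output of knife vault show ftp users gives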
id: users
user: password
My recipe contains this:
include_recipe 'chef-vault'
vault = ChefVault::Item.load("ftp", "users")
user 'testuser' do
comment 'Test User Account'
home '/home/testuser'
shell '/sbin/bash'
group 'testusers'
password vault['user']
end
The error I get is
ChefVault::Exceptions::SecretDecryption
---------------------------------------
ftp/users is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/ftp_test/recipes/default.rb:10:in `from_file'
/var/chef/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/run_context.rb:347:in `load_recipe'
Relevant File Content:
----------------------
/var/chef/cache/cookbooks/ftp_test/recipes/default.rb:
3: # Recipe:: default
4: #
5: # Copyright:: 2017, The Authors, All Rights Reserved.
6: #
7:
8: include_recipe 'chef-vault'
9:
10>> vault = ChefVault::Item.load("ftp", "users")
11:
I have tried updating with knife update ftp users -S 'name:my_node_name' -M client, but it doesn't seem to help.
Running knife data bag show ftp users_keys gives the following:
WARNING: Unencrypted data bag detected, ignoring any provided secret options.
admins:
bk0155
my_node_name
my_node_name: fqkwg0098mpbDiJKFCsBEoMLiyN0kZLksiZpWwoxepr6lUgBMFGkJvSpkoGf
3ZwZt8PG2keNe9RYQ93rvgRBKGhLwP46lvDMLO78CEBPfSV5S2mYoe7B7mBb
NFhHPmWkXX2IhaL6TkLvvjATVqBEuUbeqtDb7HO5XOSTuBHacovQxEJerHmA
dXWBsPgs/GPnsu8xK3BNLHjvyVJ3ovaYkvCTxdFTWvDfb8184jC9rJX882Op
XCeGhZ3I5BPXDmNi5XW7EAPgjtbqgxIGPZwYHrrEcZji4TMKxnc6O5+9rPB/
/j4mM/QEL5zGtTeeluzmX+wSE605p9KwGAqsLpUn/g==
clients: my_node_name
id: users_keys
bk0155: mDsML41veFJclX0yXVMqYGvW52uRnZRtQTrRl1XTddgUJc0N9RR1qnyk0gxC
07jKkN+AsdkFuMoOGr7UcUCo/1MEsL125CvsSevOGOF9QMvUk67xw8Q+OlP0
4vqmvJNyaxeXxVV7FOVJSTC2ytovStD2WaSshZutNhG+EgIZ0zSOivHHryW+
aFyClqjVIA3Sm7ITuEyheqBJZZntpHhK1a4Gwk1V3T9aJZ3OT5vvFtNzppnx
CerZvQjPdthwmrqbKfMmYG3KmsPUPEMsAHxK8ryw8Sntu/MYechWzUTGYDii
gcuhehwUCgb+6LAM66ygiIqxcpZ3qg2ddcSUbo5V0g==
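search_query: name:my_node_name
I have also tried knife vault rotate keys, but I still receive the same error.
Posted on 2017-06-08 12:37:16
If your node key has changed, you should run knife vault refresh ftp users_keys, with -M client if you have not set it in your knife.rb. If that doesn't work, try deleting the whole vault and creating it from scratch, but refresh should be enough.
update is for updating the content of the vault; rotate is for rotating the shared key, not the client's keys.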
https://stackoverflow.com/questions/43771586
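The situation the answer describes, a node whose client key changed after the vault was created, can be reproduced offline. The Ruby sketch below is an added example, not chef-vault's own code and not part of the original post: it models a `*_keys` item as a hash of per-client wrapped copies of one shared secret and shows a refresh re-wrapping that secret for the node's current public key. The helper names, the generated keys and the OAEP padding are assumptions made for the model.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING # assumption: padding chosen for this model

# Wrap the vault's shared secret for one client; stored base64-encoded.
def wrap(secret, public_key)
  [public_key.public_encrypt(secret, OAEP)].pack('m0')
end

# Recover the shared secret from a client's entry (raises on a wrong key).
def unwrap(keys_item, name, private_key)
  private_key.private_decrypt(keys_item.fetch(name).unpack1('m'), OAEP)
end

# Classify a client's access to the vault from the keys item alone.
def vault_access(keys_item, name, private_key)
  return :no_entry unless keys_item.key?(name) # never encrypted for this name
  unwrap(keys_item, name, private_key)
  :ok
rescue OpenSSL::PKey::PKeyError
  :stale_key # entry exists, but was wrapped for a key the client no longer has
end

# Model of a refresh: an admin unwraps the secret with their own key and
# re-wraps it for the public keys currently registered for each client.
def refresh(keys_item, admin_name, admin_key, current_public_keys)
  secret = unwrap(keys_item, admin_name, admin_key)
  keys_item.merge(current_public_keys.transform_values { |pub| wrap(secret, pub) })
end

# Constructed sample data: names follow the question, keys are generated here.
ADMIN    = OpenSSL::PKey::RSA.new(2048)
NODE_OLD = OpenSSL::PKey::RSA.new(2048) # client key when the vault was created
NODE_NEW = OpenSSL::PKey::RSA.new(2048) # client key after it changed
SECRET   = OpenSSL::Random.random_bytes(32)

KEYS_ITEM = {
  'bk0155'       => wrap(SECRET, ADMIN.public_key),
  'my_node_name' => wrap(SECRET, NODE_OLD.public_key)
}.freeze
REFRESHED = refresh(KEYS_ITEM, 'bk0155', ADMIN, { 'my_node_name' => NODE_NEW.public_key })

puts vault_access(KEYS_ITEM, 'my_node_name', NODE_NEW)
puts vault_access(REFRESHED, 'my_node_name', NODE_NEW)
```

In this model the admin's entry is untouched by the refresh, which is why an admin of the vault has to be the one who runs it.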