provisioner/chef: Add bootstrapping with knife to support chef-vault #7440
Conversation
Allows setting up node with `knife bootstrap` to gain access to chef-vault vaults while bootstrapping nodes
@jmccann thanks for the PR! I can tell you invested some time into this one, but I must admit that it feels a little weird to me to use the I understand that you miss some functionality in the current
@svanharmelen Thanks for taking a quick look at this and for your comments. I understand some of the concerns you bring up and initially had the same concerns. I'll explain why I feel this is an OK approach and how it helps me and people I work with. First let me clarify I'm by no means a terraform expert and am learning things as I go. ;) I'm trying to use source control and CI/CD to manage my infrastructure. Specifically I'm using Drone with drone-terraform for managing my infra with terraform. Unfortunately drone-terraform does not contain the Chef stack inside of it so What I had been doing prior to creating this code and PR was passing I then saw other co-workers using the chef provisioner to get around both of these issues by setting a bastion host for the connection. This was pretty much exactly what I wanted and was very easy to use except that it does not support chef-vaults. One thing I did think of before working on this was using For me having a good pattern to give people I work with for provisioning Chef, configuring Chef and having it have access to chef-vaults on the first Chef run is what I'm trying to accomplish. A lot of people are already familiar with using
@svanharmelen I was wondering if you have some time to review this and think it over more. Again, my use case is the ability to bootstrap a system with access to chef-vaults using the chef provisioner. I think the primary concern should be attributes I've added to the provisioner ( I'm hoping this is a wanted feature and that we can work through any implementation details. Thanks!
@jmccann sorry for the lack of response here! I'm currently on holiday, but will be back coming week (Tuesday) and will make time to process this one so we can move it forward. So please give me another few days and then see if we can get this (or a slightly adjusted version) merged end of next week. Thx!
So I ended up ill the day before getting back from holiday and so I didn't have a look yet... Did think about possible solutions and I think I have a good approach which I will try to work out today/tomorrow. Will keep you posted!
So I think I have a very nice solution, but I will need to run some tests on OSX, Linux and Windows to confirm it all works as expected first... Will update and share (if all works as expected) the solution after I'm done testing.
@svanharmelen Awesome! Excited to see what you have.
The solution I'm working on also fixes issue #3605. I managed to test and verify that part, but got disturbed with other work when I was about to go and test the vault part... So that will have to wait until tomorrow, but it looks good 😉
@jmccann again sorry for all the delays, but please have a look at PR #8577. The only code changes that are directly related to this PR are in this file and as you can see there are effectively two new functions here. One for fixing issue #3605 and one for adding Chef Vault support. The rest is mainly updating and cleaning code and tests in order to get the Chef provisioner up-to-spec again. Let me know what you think of this approach and if you are able to build from this branch and give it a test run, that would be great.
Hi, does this also include vaults that are already on the server and would be added to the bootstrap command via Cheers
@mrmarbury This is to allow bootstrapping a new node to existing vaults on the server. This work is being done under #8577 now.
@jmccann, @svanharmelen
Closing in favor of #8577
Fixes hashicorp#3605 and adds the functionality suggested in PR hashicorp#7440. This PR is using a different approach that (IMHO) feels cleaner and (even more important) adds support for Windows at the same time.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Use Case

I would like the ability to bootstrap a node that has a `run_list` that utilizes vaults from chef-vault.

Problem

The current chef provisioner bootstraps a node by using a validator and running chef-client on the node. This does not allow you to add the node to chef-vaults and therefore it cannot have an initial `run_list` that includes cookbooks/recipes that utilize a chef-vault.

Fix

I am adding code to the chef provisioner to allow bootstrapping a node with `knife bootstrap` rather than running chef-client and using a validator. Newer versions of knife included with Chef allow "validatorless" bootstrapping and support the flag `--bootstrap-vault-json`, which allows specifying chef-vaults to add the node to.
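As an added illustration of the bootstrap described above (example script, not code from this PR or from the Terraform provisioner), the functions below build the `--bootstrap-vault-json` value from `vault=item1,item2` specs and run a validatorless `knife bootstrap` with it; the host, node name, run list and vault names are constructed sample values, and vault/item names are assumed to be plain identifiers.

```shell
#!/bin/sh
# Added example, not part of the PR: compose (and optionally run) a
# validatorless `knife bootstrap` that adds the new node to chef-vault items
# during its first chef-client run via --bootstrap-vault-json.
# Assumption: vault and item names contain no quotes or commas.

# vault_json 'vault=item1,item2' 'other=item3'
# -> {"vault":["item1","item2"],"other":["item3"]}
vault_json() {
  out=""
  for spec in "$@"; do
    vault=${spec%%=*}
    items=${spec#*=}
    list=""
    oldifs=$IFS; IFS=','
    for item in $items; do
      list="${list:+$list,}\"$item\""
    done
    IFS=$oldifs
    out="${out:+$out,}\"$vault\":[$list]"
  done
  printf '{%s}' "$out"
}

# bootstrap_cmd HOST NODE_NAME RUN_LIST [vault=items ...]
# Prints the knife invocation on one line (dry run) so it can be reviewed
# before anything touches the Chef server or the node.
bootstrap_cmd() {
  host=$1; node=$2; run_list=$3; shift 3
  printf "knife bootstrap %s --node-name %s --run-list '%s' --sudo --bootstrap-vault-json '%s'\n" \
    "$host" "$node" "$run_list" "$(vault_json "$@")"
}

# run_bootstrap: same arguments; executes knife directly (no eval), so the
# node never receives a validation.pem: knife creates the client key itself
# and updates the listed vault items to include the new client.
run_bootstrap() {
  host=$1; node=$2; run_list=$3; shift 3
  knife bootstrap "$host" --node-name "$node" --run-list "$run_list" --sudo \
    --bootstrap-vault-json "$(vault_json "$@")"
}

# Constructed usage: run_bootstrap 10.0.0.5 web-01 'recipe[base],recipe[app]' 'passwords=mysql,redis'
```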