I have a requirement where I want to provision several virtual machines with machine-specific SSL certificates (generated using the machine's IP/host name) required by a Java application.

I can create these certificates in advance with names like QA-Machine01, Prod-Machine01, etc. and keep them in a folder somewhere.

How can I make Vagrant dynamically pick these certificates, take their names (QA-Machine01, Prod-Machine01), and provision the VMs with the certificate name as the machine name?

RyPeck
Vishal Bhatt

3 Answers

Vagrantfiles are Ruby code, so if you have all certs in a directory you may write a loop in your Vagrantfile over Dir.glob to make a multi-machine Vagrantfile:

Example:

VAGRANTFILE_API_VERSION = "2"

# One certificate per machine: the file name without its extension is the machine name.
mnames = Dir.glob("/my/cert/store/*.crt")

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  mnames.each do |filename|
    hostname = File.basename(filename, File.extname(filename))

    config.vm.define hostname do |box|
      box.vm.hostname = "#{hostname}.my.domain"
      # ... any other configuration you wish ...
      box.vm.provision :chef_client do |chef|
        chef.add_recipe "my_recipe"
        # ... chef configuration for your case ...
      end
    end
  end
end

Then you can vagrant up to create and provision all machines or call vagrant up QA-Machine01 for only the QA machine.

Tensibai

You can mount the certificates into the vagrant machine and use hostname to pick the right one.

ooxi
  • Unless I'm wrong, the OP wishes to create the VMs from the certificates. – Tensibai Apr 20 '15 at 14:18
  • I don't think so @Tensibai, since the OP stated /I can create these certificates with some names like QA-Machine01, Prod-Machine01 etc. in advance and can keep these in folder somewhere./ – ooxi Apr 21 '15 at 08:26
  • Well, the OP now has the two sides of our understanding ;) (I was more on this sentence: "and provision VM with certificates name as Machine Name") – Tensibai Apr 21 '15 at 08:29
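The two answers above describe the same pipeline from opposite ends: Tensibai's loop defines one machine per certificate file, and ooxi's suggestion selects the certificate by machine name. The following is an added example (not code from either answer or from Vagrant's own documentation) that combines them and adds the checks a practitioner wants before a private key ever leaves the host: each .crt must have a matching .key, the key must actually belong to that certificate, and the certificate's CN or DNS SAN must be the machine name. The store layout (`<store>/QA-Machine01.crt` next to `<store>/QA-Machine01.key`), the box name and the destination paths are assumptions.

```ruby
# Added example, not from the original answers. Assumed store layout:
#   <store>/QA-Machine01.crt, <store>/QA-Machine01.key, ...
require "openssl"
require "tmpdir"

# CN plus any DNS: subjectAltName entries of +cert+.
def cert_names(cert)
  cn  = cert.subject.to_a.select { |oid, _, _| oid == "CN" }.map { |_, value, _| value }
  san = cert.extensions.select { |ext| ext.oid == "subjectAltName" }
            .flat_map { |ext| ext.value.split(",").map(&:strip) }
            .select { |entry| entry.start_with?("DNS:") }
            .map { |entry| entry.sub("DNS:", "") }
  cn + san
end

# Map machine name => { cert:, key: } for every cert/key pair in +store+.
# Raises on a missing key, a key/cert mismatch, a name mismatch or an expired
# certificate, so a broken store fails at `vagrant up` instead of at Java startup.
def machine_definitions(store)
  Dir.glob(File.join(store, "*.crt")).sort.each_with_object({}) do |crt, defs|
    name = File.basename(crt, ".crt")
    key  = File.join(store, "#{name}.key")
    raise "#{name}: missing private key #{key}" unless File.file?(key)

    cert = OpenSSL::X509::Certificate.new(File.read(crt))
    pkey = OpenSSL::PKey.read(File.read(key))
    raise "#{name}: private key does not match certificate" unless cert.check_private_key(pkey)
    raise "#{name}: certificate is not valid for this machine name" unless cert_names(cert).include?(name)
    raise "#{name}: certificate expired on #{cert.not_after}" if cert.not_after < Time.now

    defs[name] = { cert: crt, key: key }
  end
end

# Test fixture only: write a self-signed cert/key pair for +name+ into +store+.
# Real certificates come from your CA; +cn+ lets a test build a deliberately
# mismatched pair.
def write_self_signed(store, name, cn: name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  File.write(File.join(store, "#{name}.crt"), cert.to_pem)
  File.write(File.join(store, "#{name}.key"), key.to_pem)
end

# Vagrantfile part. Only runs when Vagrant loads this file; the box name and
# the guest paths are assumptions.
if defined?(Vagrant)
  Vagrant.configure("2") do |config|
    config.vm.box = "ubuntu/trusty64"
    machine_definitions(File.expand_path("../certs", __FILE__)).each do |name, files|
      config.vm.define name do |box|
        box.vm.hostname = name.downcase
        # The file provisioner runs as the vagrant user, so stage under /tmp and
        # let a root shell step install with tight permissions. Only this
        # machine's pair is copied; other machines' keys never enter the guest.
        box.vm.provision "file", source: files[:cert], destination: "/tmp/#{name}.crt"
        box.vm.provision "file", source: files[:key],  destination: "/tmp/#{name}.key"
        box.vm.provision "shell", inline: <<~SH
          install -o root -g root -m 0644 /tmp/#{name}.crt /etc/ssl/certs/#{name}.crt
          install -o root -g root -m 0600 /tmp/#{name}.key /etc/ssl/private/#{name}.key
          rm -f /tmp/#{name}.key
        SH
      end
    end
  end
end

# Stand-alone self-check: build a throwaway store and print what Vagrant would define.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |store|
    %w[QA-Machine01 Prod-Machine01].each { |n| write_self_signed(store, n) }
    machine_definitions(store).each { |name, files| puts "#{name}: #{File.basename(files[:key])}" }
  end
end
```

Copying only the matching pair with the file provisioner, rather than mounting the whole store as a synced folder and picking by hostname inside the guest, matters for the Prod machines: a synced folder would expose every machine's private key to every guest that mounts it, and the key would remain readable through the mount long after provisioning.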
It is not clear to me what you mean when you say you want "Vagrant to dynamically pick these certificates". Usually it is Chef that is going to put these certificates to use (since it will be the technology that will be installing the web server, SSL proxy or whatever is going to use the certs). It is also not clear what the operational environment is, but presuming that if you are deploying to QA and prod you have a chef-server available, I recommend using chef-vault.

In this scenario, we use data_bags, and specifically, chef-vault data_bags for this purpose. We have a vault named ssl-certificates with items in it named for the CN of the SSL certificate each contains. The item's search query is used to scope access to only the machine(s) that host that CN.

Because chef-vault has a fallback mechanism to use un-encrypted regular data-bags, it makes it ideal for using in both dev/qa environments where maintaining secure credentials gets in the way and use in production where maintaining custody of your SSL private keys is critical.

Kenneth Baltrinic