Ohai chefs.

I wrote a definition that takes username and password as parameters. When used in a recipe with parameters fetched from a data bag it works.

However it fails when fetching parameters from chef-vault

Here is the code using data bags:

databag = 'credentials'
authalias = data_bag_item(databag, ldapalias)
username = authalias[node['was']['credentialsUsername']]
password = authalias[node['was']['credentialsPassword']]

and then pass them to my definition which works fine

connectProfiletoLdap 'ldapmain' do
 profile  dmgrProfile 
 baseDN  'dc=mydomain,dc=com'
 bindDN  username
 binpwd  password
 ldapServer  'LDAPPROD.mydomain.com'
end

However, when I try to do the same with chef-vault it fails since the definition is checking the input for NIL values. It seems to me that data bags are evaluated at compile time and vault items at execute.

What should I do if I want this to work? Is there a way to force vault items evaluation to occur at compile time?

Here is the code using vaults which fails:

 vault = node['was']['credentialsVault']
 authalias = chef_vault_item(vault, ldapalias)
 username = authalias[node['was']['credentialsUsername']]
 password = authalias[node['was']['credentialsPassword']]

 connectProfiletoLdap 'ldapmain' do
  profile  dmgrProfile 
  baseDN  'dc=mydomain,dc=com'
  bindDN  username
  binpwd  password
  ldapServer  'LDAPPROD.mydomain.com'
 end

It raises the exception that's in my code in case one of the parameters is null. This is the code from the definition:

  if params[:baseDN].nil? or params[:ldapServer].nil? or params[:profile].nil? or params[:bindDN].nil? or params[:binpwd].nil?
    raise "Exiting - nil values are unacceptable for connectProfiletoLdap"
  else
    ......
  end

So the exception I get is "Exiting - nil values are unacceptable for connectProfiletoLdap"

1 Answer

In order to use chef-vault in a scenario like the one described in the question one can use the following bypass: rewrite the definition as an LWRP.

Rewrite the definition as a Chef LWRP; an example can be found here towards the end: Chef Definitions documentation

After that the data from chef-vault given to the LWRP is evaluated at converge time like so:

 ldapalias = 'ldap-matam'
 vault = node['was']['credentialsVault']
 authalias = chef_vault_item(vault, ldapalias)
 username = authalias[node['was']['credentialsUsername']]
 password = authalias[node['was']['credentialsPassword']]

 wasbnhp_ldapconnection 'LDAP MAIN' do
  profile  dmgrProfile 
  baseDN  'dc=mydomain,dc=com'
  bindDN   username
  binpwd   password 
  ldapServer  'LDAPPROD.mydomain.com'
 end
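Added example (not code from the question or the answer), in plain Ruby: a small model of Chef's compile and converge phases that shows why a nil check inlined by a definition fires during compile, while the same check placed in an LWRP action runs during converge. FakeVault, the resource names and the credential values are constructed, and the vault lookup is assumed to be deferred until converge, as Chef's lazy {} does.

```ruby
# Added example, not from the question or answer: a plain-Ruby model of Chef's
# two-phase run (compile collects resources, converge runs their actions).
# FakeVault stands in for chef_vault_item (constructed); it only answers once
# converge starts, modelling a secret lookup deferred with Chef's lazy {}.
class FakeVault
  def initialize(items); @items = items; @unlocked = false; end
  def unlock!; @unlocked = true; end
  def item(vault, id); @unlocked ? @items[[vault, id]] : nil; end
end

REQUIRED = %i[profile baseDN bindDN binpwd ldapServer].freeze

# The nil check from the question. Deferred values (procs) are resolved at the
# moment the check runs, so *when* it runs decides whether the secret is there.
def validate!(params)
  present = params.transform_values { |v| v.is_a?(Proc) ? v.call : v }
  missing = REQUIRED.select { |k| present[k].nil? }
  raise "Exiting - nil values are unacceptable: #{missing.join(', ')}" unless missing.empty?
  present
end

# Definition style: the body is inlined into the recipe, so the check runs at
# compile time, before a deferred secret can be fetched; the action is a copy.
def definition_style(params)
  validate!(params)
  -> { validate!(params) }
end

# LWRP style: compile only records the resource; the check lives in the action.
def lwrp_style(params)
  -> { validate!(params) }
end

def sample_vault(with_password: true)  # constructed vault contents
  item = { 'username' => 'cn=bind,dc=example,dc=com' }
  item['password'] = 'constructed-secret' if with_password
  FakeVault.new({ ['credentials', 'ldapmain'] => item })
end

# Simulate one chef-client run: returns :ok, or the phase in which the check raised.
def chef_run(vault, style)
  creds = -> { vault.item('credentials', 'ldapmain') }
  params = { profile: 'Dmgr01', baseDN: 'dc=example,dc=com',
             bindDN: -> { creds.call&.[]('username') },
             binpwd: -> { creds.call&.[]('password') },
             ldapServer: 'ldap.example.com' }
  phase = :compile
  action = send(style, params)   # compile: definition body runs, LWRP is recorded
  phase = :converge
  vault.unlock!                  # secret becomes available only now
  action.call                    # converge: the LWRP action runs its check
  :ok
rescue RuntimeError
  phase
end
```

The third case in the test shows that moving the check into the action does not weaken it: a vault item missing the password still aborts the run, only at converge instead of compile.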