Add support for clients

[svanharmelen]

Before finishing up this PR I would like some feedback about the feasibility of getting this functionality merged in chef-vault?

The reason we have a need for this is because we would like the Terraform chef provisioner to be able to add single clients in the same way as knife bootstrap currently does. knife bootstrap does this by directly calling/using the chef-vault package, but that approach is not possible for the chef provisioner.

So currently we add clients as admins, but of course this has all kinds of nasty side effects and is now how chef-vault should be used so people are not happy with that approach.

Besides this very specific reason, I would imagine that this is adds value by extending the number use cases in which knife vault can be used.

I really hope this is something that can be merged as it would make the Terraform chef provisioner able to handle chef-vaults correctly and with that have better Chef support/integration.

EDIT: I know this branch is outdated because I based it of v2.9.0 instead of master. I will of course rebase this if/when we can move forward with this PR!

[thommay]

Hi
this looks great and I'd be really happy to include it. If you rebase I'll get this merged; I'd like to get 3.0 out reasonably soon but if we can get this done relatively soon I'll include this. :)
Thanks

[svanharmelen]

@thommay very nice 😀

I'll make sure to update and finish the PR this week (today or tomorrow most likely), so we can include it in 3.0 👍

[svanharmelen]

@thommay I rebased the PR, added a few tests and updated the README.md and KNIFE-EXAMPLES.md files to represent the changes.

So all seems to be good now, but I notice that when I do some functional tests with the current code, I get these errors:

ERROR: OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key: nested asn1 error

Is there anything changed that is not backwards compatible? We're using knife version 2.13.37 against a 12.2.0 Chef server.

The error is not related to my changes, because I get the same error when using master instead of my feature branch. So I guess it is unrelated, yet it would be nice to know so I can make sure we can use 3.0 when it is released.

Thx!

[thommay]

Hm, that really doesn't look good. Can you share exactly which steps you're performing, and the output of knife vault ... -VV ?

[svanharmelen]

@thommay sure, here you go (I included the output of git status and git log | head -1 so you can see that I'm using current master):

sander@svhadm01:/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0$ git status
# On branch master
nothing to commit (working directory clean)
sander@svhadm01:/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0$ git log | head -1
commit 00cda89286dead02c019cae6b97f501f59e299ad
sander@svhadm01:/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0$ knife vault create test test '{"test": "test"}' -A "svanharmelen" -S "name:svhadm01" -M client -VV
INFO: Using configuration from /home/sander/.chef/knife.rb
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::JSONOutput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_request
DEBUG: Signing the request as svanharmelen
DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::ValidateContentLength#handle_request
DEBUG: Initiating GET to https://betachef.schubergphilis.com/organizations/svh/data/test/test_keys
DEBUG: ---- HTTP Request Header Data: ----
DEBUG: Accept: application/json
DEBUG: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
DEBUG: X-Ops-Server-API-Version: 1
DEBUG: X-OPS-SIGN: algorithm=sha1;version=1.1;
DEBUG: X-OPS-USERID: svanharmelen
DEBUG: X-OPS-TIMESTAMP: 2016-10-06T15:58:48Z
DEBUG: X-OPS-CONTENT-HASH: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
DEBUG: X-OPS-AUTHORIZATION-1: rcqsDe6kkY77EAYUBORPLzgFEkSHnoa+CX/QpCK9DbWlzyuXsuvShF4B4jjb
DEBUG: X-OPS-AUTHORIZATION-2: AtHpQ0/t+M84pnI8k9LzGAaMGmSRq65H8IdOydX1RDckNVyHkpIB/zv5R/b7
DEBUG: X-OPS-AUTHORIZATION-3: toyvxPZqfheFm7kUnXc5VgpWuCvJERWhF5mD9Lw1Y5N0QBJMQ8MdmNQIo9+E
DEBUG: X-OPS-AUTHORIZATION-4: 1l0bMeI3UfqEhIjJPI8QT0/qTTlgZ2hnNo+qNt86UfgFMH9e7KVv3YlqbNtk
DEBUG: X-OPS-AUTHORIZATION-5: /Jii4aJKwP+pWuI7Zx/0hSYTTrbcnWvg7CjRbjuXnzn9PBNIQ0prlfenP1/C
DEBUG: X-OPS-AUTHORIZATION-6: RvZPHxHXbW6NncJYD0N1f1WgP4Tt4SIU9crxloSO6g==
DEBUG: HOST: betachef.schubergphilis.com:443
DEBUG: X-REMOTE-REQUEST-ID: 3e555f3d-1c13-4a97-ab10-885564938bbc
DEBUG: ---- End HTTP Request Header Data ----
DEBUG: ---- HTTP Status and Header Data: ----
DEBUG: HTTP 1.1 404 Not Found
DEBUG: server: openresty/1.7.10.1
DEBUG: date: Thu, 06 Oct 2016 15:59:39 GMT
DEBUG: content-type: application/json
DEBUG: transfer-encoding: chunked
DEBUG: connection: close
DEBUG: x-ops-api-info: flavor=cs;version=12.0.0;oc_erchef=12.2.0
DEBUG: x-ops-server-api-version: {"min_version":"0","max_version":"1","request_version":"1","response_version":"1"}
DEBUG: content-encoding: gzip
DEBUG: ---- End HTTP Status/Header Data ----
DEBUG: ---- HTTP Response Body ----
DEBUG:VJ-*RVrNQOLQHI,ITHJLWI(I-.,VHBȁbkfpC
DEBUG: ---- End HTTP Response Body -----
DEBUG: Chef::HTTP calling Chef::HTTP::ValidateContentLength#handle_response
DEBUG: HTTP server did not include a Content-Length header in response, cannot identify truncated downloads.
DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_response
DEBUG: Decompressing gzip response
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::JSONOutput#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_response
INFO: HTTP Request Returned 404 Not Found: Cannot load data bag item test_keys for data bag test
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::JSONOutput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_request
DEBUG: Signing the request as svanharmelen
DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::ValidateContentLength#handle_request
DEBUG: Initiating GET to https://betachef.schubergphilis.com/organizations/svh/search/node?q=name:svhadm01&sort=X_CHEF_id_CHEF_X%20asc&start=0
DEBUG: ---- HTTP Request Header Data: ----
DEBUG: Accept: application/json
DEBUG: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
DEBUG: X-Ops-Server-API-Version: 1
DEBUG: X-OPS-SIGN: algorithm=sha1;version=1.1;
DEBUG: X-OPS-USERID: svanharmelen
DEBUG: X-OPS-TIMESTAMP: 2016-10-06T15:58:48Z
DEBUG: X-OPS-CONTENT-HASH: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
DEBUG: X-OPS-AUTHORIZATION-1: LdHUTZg1nmXZgILLM23Qvm38/JmLZN5jqwK604YlGzfSMwbyM6vmqYaPRHDh
DEBUG: X-OPS-AUTHORIZATION-2: O7TQRZw41SKqTBX0nNxXb5oX7Ctvo0ic3CIFRt6vdsektJFBLrLPk1GW7Uvm
DEBUG: X-OPS-AUTHORIZATION-3: dR97N2nPZDxGAXYEgm7gHG9jFXC7sY7wJcGICIDbBN4YjcQKRNzQEQrG7IWg
DEBUG: X-OPS-AUTHORIZATION-4: 8fTcByHvIlK9652oHS2xhYGchLj6JZxH4r0Z5nw4XQpNlLzsUmgOVemPJfoy
DEBUG: X-OPS-AUTHORIZATION-5: UUN9gGvUJh+Cewb+y0n9g8dSgrzBIUS1iM5RkSJeRDWGodXFqt7TarGsVNSy
DEBUG: X-OPS-AUTHORIZATION-6: 5KhzoioZRJU3H5ioWCuXHqI/HCIk3UxB3pvslrKcTQ==
DEBUG: HOST: betachef.schubergphilis.com:443
DEBUG: X-REMOTE-REQUEST-ID: 3e555f3d-1c13-4a97-ab10-885564938bbc
DEBUG: ---- End HTTP Request Header Data ----
DEBUG: ---- HTTP Status and Header Data: ----
DEBUG: HTTP 1.1 200 OK
DEBUG: server: openresty/1.7.10.1
DEBUG: date: Thu, 06 Oct 2016 15:59:39 GMT
DEBUG: content-type: application/json
DEBUG: transfer-encoding: chunked
DEBUG: connection: close
DEBUG: x-ops-api-info: flavor=cs;version=12.0.0;oc_erchef=12.2.0
DEBUG: x-ops-server-api-version: {"min_version":"0","max_version":"1","request_version":"1","response_version":"1"}
DEBUG: x-content-type-options: nosniff
DEBUG: x-xss-protection: 1; mode=block
DEBUG: content-encoding: gzip
DEBUG: ---- End HTTP Status/Header Data ----
DEBUG: Chef::HTTP calling Chef::HTTP::ValidateContentLength#handle_response
DEBUG: HTTP server did not include a Content-Length header in response, cannot identify truncated downloads.
DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_response
DEBUG: Decompressing gzip response
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::JSONOutput#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::JSONOutput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_request
DEBUG: Signing the request as svanharmelen
DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::ValidateContentLength#handle_request
DEBUG: Initiating GET to https://betachef.schubergphilis.com/organizations/svh/clients/svhadm01/keys/default
DEBUG: ---- HTTP Request Header Data: ----
DEBUG: Accept: application/json
DEBUG: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
DEBUG: X-Ops-Server-API-Version: 1
DEBUG: X-OPS-SIGN: algorithm=sha1;version=1.1;
DEBUG: X-OPS-USERID: svanharmelen
DEBUG: X-OPS-TIMESTAMP: 2016-10-06T15:58:48Z
DEBUG: X-OPS-CONTENT-HASH: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
DEBUG: X-OPS-AUTHORIZATION-1: Tn2AJh5FJmnCPzcBgL4aVZkUpqNU3sLbk7o8dNC1pb7GxZVqZpvsNkkUTMQW
DEBUG: X-OPS-AUTHORIZATION-2: VPqUl9CFH+MHGcETHo/OMWmCB/PinRfQlwMU6IihHCBY8ADxNQVoGMr9KyL5
DEBUG: X-OPS-AUTHORIZATION-3: jkV6CiFUI5pSo0eBXLoLxN38Ogns0/5N9nn/szD3KW4VnpNd1lpTj4bDo+ba
DEBUG: X-OPS-AUTHORIZATION-4: MPo+y9BJGlbaITYVnwe5piE6H4+kS1f1AHtRPOTLij1sVVGfSwknVWyYNnJB
DEBUG: X-OPS-AUTHORIZATION-5: +QEXt+JBEKzVNPXQ3z1S5/0nYdYKVqCRHyEwdL5oURprO1sJejDNsf4l2+5Y
DEBUG: X-OPS-AUTHORIZATION-6: tAEDwI6AV+/vDq/6ZrY5+WdgomDqBGsc7uCt7LP86w==
DEBUG: HOST: betachef.schubergphilis.com:443
DEBUG: X-REMOTE-REQUEST-ID: 3e555f3d-1c13-4a97-ab10-885564938bbc
DEBUG: ---- End HTTP Request Header Data ----
DEBUG: ---- HTTP Status and Header Data: ----
DEBUG: HTTP 1.1 200 OK
DEBUG: server: openresty/1.7.10.1
DEBUG: date: Thu, 06 Oct 2016 15:59:39 GMT
DEBUG: content-type: application/json
DEBUG: transfer-encoding: chunked
DEBUG: connection: close
DEBUG: x-ops-api-info: flavor=cs;version=12.0.0;oc_erchef=12.2.0
DEBUG: x-ops-server-api-version: {"min_version":"0","max_version":"1","request_version":"1","response_version":"1"}
DEBUG: x-content-type-options: nosniff
DEBUG: x-xss-protection: 1; mode=block
DEBUG: content-encoding: gzip
DEBUG: ---- End HTTP Status/Header Data ----
DEBUG: Chef::HTTP calling Chef::HTTP::ValidateContentLength#handle_response
DEBUG: HTTP server did not include a Content-Length header in response, cannot identify truncated downloads.
DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_response
DEBUG: Decompressing gzip response
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::JSONOutput#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_response
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef-vault/item_keys.rb:133:in `initialize': Neither PUB key nor PRIV key: nested asn1 error (OpenSSL::PKey::RSAError)
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef-vault/item_keys.rb:133:in `new'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef-vault/item_keys.rb:133:in `encode_key'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef-vault/item_keys.rb:43:in `add'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef-vault/item.rb:454:in `add_client'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef-vault/item.rb:90:in `block in clients'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/lib/chef/search/query.rb:90:in `block in search'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/lib/chef/search/query.rb:90:in `each'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/lib/chef/search/query.rb:90:in `search'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef-vault/item.rb:84:in `clients'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef/knife/vault_create.rb:84:in `rescue in run'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.9.0/lib/chef/knife/vault_create.rb:57:in `run'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/lib/chef/knife.rb:421:in `block in run_with_pretty_exceptions'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/lib/chef/local_mode.rb:44:in `with_server_connectivity'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/lib/chef/knife.rb:420:in `run_with_pretty_exceptions'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/lib/chef/knife.rb:219:in `run'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/lib/chef/application/knife.rb:156:in `run'
        from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.13.37/bin/knife:25:in `<top (required)>'
        from /usr/local/bin/knife:23:in `load'
        from /usr/local/bin/knife:23:in `<main>'

[svanharmelen]

@thommay guess this should not be a blocker for this PR right? Maybe we should merge this PR and open a separate issue for the error I got? Let me know how you want to proceed...

[thommay]

Yeah. Mind opening that issue?

[svanharmelen]

Sure, will create a new issue in a few... Thx for merging this one!

[svanharmelen]

@thommay done: #230

[rneu31]

@thommay Was this included in the release candidate for 3.0.0? Any idea when 3.0.0 will be released? Sorry if this is not the place for this question.

[thommay]

@rneu31 yes it's in the RCs