This cookbook configures a node to trust PrivX issued OpenSSH user certificates. Please see also https://github.com/SSHcom/privx-chef-cookbook.
Attributes
Required attributes under node['privx']:
'api_endpoint':https://prefixed hostname for PrivX.'api_ca_cert': Trust anchor for PrivX's TLS certificate.'roles': JSON array of objects which have key'principal'(str) and'roles'(array).
{
"api_endpoint": "https://privx.example.com",
"api_ca_cert": "-----BEGIN CERTIFICATE-----
YXNkZmFzZGZhc2Zhc2Zhc2RmYXNkZmFzZGY=
-----END CERTIFICATE-----",
"principals": [
{
"principal": "root",
"roles": [{"name": "root-everywhere"}, {"name": "dev-admin"}]
}
]
}
Chef-vault
PrivX cookbook expects to find vault with name privx and an databag with name privx which has following fields:
'oauth_client_secret': This value is get from PrivX command line using the command:sudo /opt/privx/bin/keyvault-tool -name privx_auth_client_secret_privx-external get-passphrase'api_client_id': Name of the API user'api_client_secret': Password for the API user
Such as
knife vault create privx privx '{"oauth_client_secret": "ZGdoZGZ0aGRmZ2hkZ2hibmN2", "api_client_id": "deploy-script", "api_client_secret": "0000000000000"}' --mode client
This vault needs to be exposed to the node at bootstrap with --bootstrap-vault-item 'privx:privx'
Bootstrapping
knife bootstrap ec2-18-194-178-70.eu-central-1.compute.amazonaws.com\
--ssh-user ec2-user \
--sudo \
--identity-file ~/.ssh/aws \
--node-name node1 \
--environment development \
--run-list 'role[system]' \
--bootstrap-vault-item 'privx:privx'
With Openstack nodes --hint openstack is probably required.