Onboarding SSH target hosts to PrivX via Chef

Chef Deployment

This cookbook configures a node to trust PrivX issued OpenSSH user certificates. Please see also https://github.com/SSHcom/privx-chef-cookbook.

Attributes

Required attributes under node['privx']:

'api_endpoint': https:// prefixed hostname for PrivX.
'api_ca_cert': Trust anchor for PrivX's TLS certificate.
'roles': JSON array of objects which have key 'principal' (str) and 'roles' (array).

{
  "api_endpoint": "https://privx.example.com",
  "api_ca_cert": "-----BEGIN CERTIFICATE-----
  YXNkZmFzZGZhc2Zhc2Zhc2RmYXNkZmFzZGY=
  -----END CERTIFICATE-----",
  "principals": [
    {
      "principal": "root",
      "roles": [{"name": "root-everywhere"}, {"name": "dev-admin"}]
    }
  ]
}

Chef-vault

PrivX cookbook expects to find vault with name privx and an databag with name privx which has following fields:

'oauth_client_secret': This value is get from PrivX command line using the command: sudo /opt/privx/bin/keyvault-tool -name privx_auth_client_secret_privx-external get-passphrase
'api_client_id': Name of the API user
'api_client_secret': Password for the API user

knife vault create privx privx '{"oauth_client_secret": "ZGdoZGZ0aGRmZ2hkZ2hibmN2", "api_client_id": "deploy-script", "api_client_secret": "0000000000000"}' --mode client

This vault needs to be exposed to the node at bootstrap with --bootstrap-vault-item 'privx:privx'

Bootstrapping

knife bootstrap ec2-18-194-178-70.eu-central-1.compute.amazonaws.com\
    --ssh-user ec2-user \
    --sudo \
    --identity-file ~/.ssh/aws \
    --node-name node1 \
    --environment development \
    --run-list 'role[system]' \
    --bootstrap-vault-item 'privx:privx'

With Openstack nodes --hint openstack is probably required.