
I have a chef_vault with a search_query of role:myrole.

I want the Chef server to periodically refresh the search query for the vault, adding new nodes and removing any nodes that no longer have the role applied to them.

To test this I applied the role to a node and ran:

knife vault update mevault item1 -S "role:myrole" --mode client

The node appeared in the vault's clients list. I then removed the role from the node and ran the command again, but the node still appears in the vault's clients list. I also tried this command with the --clean switch, but that did not remove the node from the clients list; it seems not to work for the refresh command.

The vault update command with the --clean switch works, but I have to hard-code the search query into it; I just want to refresh the search query already applied to the vault item.

red888

2 Answers

You have to run knife vault rotate, which will update the shared key and drop all hosts that do not match the search query:

knife vault rotate keys VAULT ITEM

The secret itself is encrypted using a shared key, which all nodes can decrypt through the ITEM_keys data bag item. Therefore, this key needs to be rotated.

StephenKing
  • Hmm that does not seem to be working for me. To recap: My node is in the clients list, I removed it from the role and ran chef-client on it. I tried running `knife vault rotate keys VAULT ITEM --mode client` but after doing so I see the node is still in the clients list for the vault item. – red888 Jul 17 '16 at 18:45
  • I also tried the clean switch but this didn't work either: `knife vault update vault123 item1 -search 'role:merole' --mode client --clean` – red888 Jul 17 '16 at 18:47
  • Whoops typed it wrong! `knife vault update vault123 item1 -S 'role:merole' --mode client --clean` works like it should. Now my question is why didn't the rotate command work? Should I do this instead of --clean or maybe run both? – red888 Jul 17 '16 at 18:53
  • Oh.. I might be even wrong. Maybe `rotate` really just updates keys but doesn't remove clients not matching the search query (which would mean that `update` is your friend). – StephenKing Jul 17 '16 at 19:08
  • 1
    @red888 `refresh` is the way to go to update nodes list, `update` is the way to replace the values in the vault: [doc here](https://github.com/chef/chef-vault/blob/master/KNIFE_EXAMPLES.md#refresh) (comment corrected) – Tensibai Jul 19 '16 at 13:31
Ok, so I think I have a possible solution, but I don't like it.

The --clean switch does not work on refresh, and while the update command with --clean removes nodes, it will not add new ones without hard-coding the query in the command (I just want to re-run the query the vault was configured with). So this sort of does what I want:

knife vault update vault123 item1 --mode client --clean
knife vault refresh vault123 item1 --mode client

It's kind of scary, though, to blow away the entire clients list and re-add them, and I also worry about how safe this would be for many nodes. I can schedule this and be done with it, but I think this might be stupid.

Or maybe I could have a script pull the search query out of the vault and use it to run vault update.

Is there a better way someone can suggest?

red888
  • Your second command with `--clean` would be enough. `update` is meant to update values in the vault itself or to modify the search query and admin list. If your target is to refresh the list of allowed clients, then use `refresh`. – Tensibai Jul 19 '16 at 13:37
  • --clean didn't work with refresh; it refused to remove nodes no longer matching the search_query. Maybe a bug? – red888 Jul 19 '16 at 15:00
  • Just saw --clean-unknown-clients in doc you linked maybe I'll try that instead of just --clean – red888 Jul 19 '16 at 15:01
  • Depends on the version of knife vault you're using, check `knife vault --help` to be sure – Tensibai Jul 19 '16 at 15:33
  • --clean-unknown-clients seems to only purge nodes in the clients list that do not have a corresponding key. I tested removing the webservers role from a node, then ran refresh with the --clean-unknown-clients switch, and it did not remove the node. – red888 Jul 20 '16 at 19:40
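The "script that pulls the search query out of the vault and re-runs `knife vault update`" idea from the answer above, written out as an added example (this is not chef-vault's own code and not something the poster provided). It assumes the `ITEM_keys` data bag item that chef-vault writes next to the vault item carries the stored query in a `search_query` field, which is how chef-vault records the query today, and that `knife` is on PATH and already configured. The vault and item names below (`vault123`, `item1`) are placeholders. The command runner is injectable so the orchestration can be exercised offline without a Chef server.

```ruby
#!/usr/bin/env ruby
# refresh_vault_clients.rb: re-run the search_query stored on a chef-vault
# item and rebuild its client list with `knife vault update --clean`.
# Added example, not part of chef-vault. Assumes the VAULT/ITEM_keys data
# bag item exposes the stored query under "search_query" and that `knife`
# is on PATH and configured.
require "json"
require "open3"
require "shellwords"

# Pull the stored search query out of the JSON of VAULT/ITEM_keys.
def extract_search_query(keys_json)
  data = JSON.parse(keys_json)
  query = data["search_query"]
  if query.nil? || query.strip.empty?
    raise ArgumentError, "no search_query stored on this vault item"
  end
  query
end

# argv for reading the keys item as JSON (no decryption needed for this).
def show_keys_command(vault, item)
  ["knife", "data", "bag", "show", vault, "#{item}_keys", "-F", "json"]
end

# argv that rebuilds the client list from the query: --clean drops clients
# that no longer match, -S re-runs the search so new matches are added.
def update_command(vault, item, query, mode: "client")
  ["knife", "vault", "update", vault, item, "-S", query, "--mode", mode, "--clean"]
end

# Default runner: execute argv, return stdout, fail loudly on a non-zero exit.
def run_knife(argv)
  out, err, status = Open3.capture3(*argv)
  raise "#{Shellwords.join(argv)} failed: #{err}" unless status.success?
  out
end

# Orchestration: read the stored query, then rewrite the client list with it.
# `runner` takes an argv array and returns the command's stdout.
def refresh_vault_clients(vault, item, mode: "client", runner: method(:run_knife))
  keys_json = runner.call(show_keys_command(vault, item))
  query = extract_search_query(keys_json)
  runner.call(update_command(vault, item, query, mode: mode))
  query
end

# CLI entry point: ruby refresh_vault_clients.rb vault123 item1
if $PROGRAM_NAME == __FILE__ && ARGV.length == 2
  vault, item = ARGV
  query = refresh_vault_clients(vault, item)
  puts "rebuilt client list of #{vault}/#{item} from search_query #{query.inspect}"
end
```

Because `--clean` rewrites the whole client list, the update re-encrypts the shared key for every matching client on each run, so on a large fleet schedule it sparingly and check the exit status (the script raises on a failed `knife` call rather than continuing with a half-written list). Reading the `_keys` item with `knife data bag show` only exposes the query, admins and client names plus per-client encrypted keys, not the secret itself.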