There doesnt seem to be a way to remove authorized client from vault_keys #103
Comments
Have you tried:
For you I think this will work:
The one thing to note about knife vault remove is that the client still needs to be searchable/indexed for chef-vault to find it to remove it. So the decommission workflow is:
If you have removed the node from chef first, then you will have to hand edit the vault_item_keys.json file directly to remove the orphaned nodes.
Verified that this workflow works, thanks!
+1 I need this feature too...
+1
v2.3.0 adds a --clean switch to 'knife vault update' that should do what you're looking for.
This behaviour and the --clear switch should be documented in the README please! Thanks!
👍 ☕ for the --clean switch
Hi, I was unable to find a way to remove clients from vault_keys. Maybe I'm just missing something simple, but here is the full writeup in case it's a bug/regression.
Use case:
I have around 50 active test nodes, and vault_keys has almost 400 entries from the various nodes created and deleted over the last couple of months. In an auto-scaling environment where nodes are brought up and down continuously, the vault_keys will quickly become unwieldy. We would like to make chef-vault client removal part of automated server decommission.
The knife vault update command updates existing clients, but does not remove clients excluded from the search:
example:
result:
I've tested various methods, and the only way that worked for me was to delete the vault_keys item with (knife data bag delete alexv alexvault_keys) and recreate it with the knife vault create query above. A very heavy-handed approach.
working solution:
Solution:
There should be a command to remove authorized clients without having to delete the data_bag, which can be run as part of server removal automation. I'm fairly new to chef-vault, so if an update switch used to perform this function, would it be possible to reimplement it?
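The "hand edit the vault_item_keys.json file" route mentioned in this thread, written out as a small Ruby script (an added example, not chef-vault's own code). It assumes the usual layout of a `<item>_keys` item, where `id`, `admins`, `clients`, `search_query` and `mode` are metadata and every other top-level key is an entity name holding that entity's encrypted copy of the shared secret; the `alexvault_keys` sample below is constructed with placeholder secrets.

```ruby
require 'json'

# Top-level keys of a "<item>_keys" data bag item that are chef-vault
# metadata rather than entity names. Assumed layout, not taken from the issue:
# every other top-level key is a client or admin name mapping to the shared
# secret encrypted with that entity's public key.
RESERVED_KEYS = %w[id admins clients search_query mode].freeze

# Constructed sample "alexvault_keys" item: three clients in the list, two of
# them (web-old-7, web-old-9) belong to nodes that no longer exist.
SAMPLE_KEYS_ITEM = {
  'id'           => 'alexvault_keys',
  'admins'       => ['alex'],
  'clients'      => ['web-1', 'web-2', 'web-old-7'],
  'search_query' => 'role:web',
  'alex'         => 'BASE64_ENCRYPTED_SECRET_ADMIN', # placeholder value
  'web-1'        => 'BASE64_ENCRYPTED_SECRET_WEB1',  # placeholder value
  'web-2'        => 'BASE64_ENCRYPTED_SECRET_WEB2',  # placeholder value
  'web-old-7'    => 'BASE64_ENCRYPTED_SECRET_OLD7',  # orphan, still listed
  'web-old-9'    => 'BASE64_ENCRYPTED_SECRET_OLD9'   # orphan, list already lost it
}.freeze

# Returns [pruned_item, removed_names]. Admins are never removed; any other
# entity absent from active_clients is dropped from both the "clients" list
# and the top-level encrypted-secret entries, so the orphan is no longer an
# authorized reader once the item is uploaded again.
def prune_vault_keys(item, active_clients)
  admins = Array(item['admins'])
  keep = ->(name) { admins.include?(name) || active_clients.include?(name) }
  stale_clients = Array(item['clients']).reject { |c| keep.call(c) }
  stale_entries = item.keys.reject { |k| RESERVED_KEYS.include?(k) || keep.call(k) }
  pruned = item.reject { |k, _| stale_entries.include?(k) }
  pruned['clients'] = Array(item['clients']) - stale_clients
  [pruned, (stale_clients | stale_entries).sort]
end

# Round trip through a file, e.g. the output of
# `knife data bag show alexv alexvault_keys -F json > alexvault_keys.json`;
# the rewritten file can then be uploaded with `knife data bag from file`.
def prune_vault_keys_file(path, active_clients)
  item = JSON.parse(File.read(path))
  pruned, removed = prune_vault_keys(item, active_clients)
  File.write(path, JSON.pretty_generate(pruned))
  removed
end

pruned, removed = prune_vault_keys(SAMPLE_KEYS_ITEM, %w[web-1 web-2])
puts "removed: #{removed.join(', ')}" # removed: web-old-7, web-old-9
puts JSON.pretty_generate(pruned)
```

Dropping an entry only stops that client from reading the vault from now on; a client that already decrypted the shared secret still holds it until the item's keys are rotated (`knife vault rotate keys`), so pair this cleanup with a rotation when the removed node is not trusted.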