
There doesn't seem to be a way to remove authorized client from vault_keys #103

Closed
vinyar opened this issue May 6, 2014 · 8 comments

Comments


vinyar commented May 6, 2014

Hi, I was unable to find a way to remove clients from vault_keys. Maybe I'm just missing something simple, but here is the full writeup in case it's a bug/regression.

Use case:
I have around 50 active test nodes, and vault_keys has almost 400 entries from the various nodes created and deleted over the last couple of months. In an auto scaling environment where nodes are brought up and down continuously, the vault_keys will quickly become unwieldy. We would like to make chef-vault client removal part of automated server decommission.

Knife vault update command updates existing clients, but does not remove clients excluded from the search:
example:

knife vault update alexv alexvault \
'{"vaultuser":"$6$VqEIDjsp$7NtPMhA9cnxvSMTE9l7DMmydJJEymi9b4t1Vhk475vrWlfxMgVb3bDLhpk/RZt0J3X7l5H8WnqFgvq3dIa9Kt/"}' \
 --search 'recipe:test_recipe NOT name:server3' \
 --admins alex --mode client

result:

knife data bag show alexv alexvault_keys

  server1
  server2
  server3
  server4
id:                 alexvault_keys
search_query:                 recipe:ge_role_secure_os NOT name:server3

I've tested various methods, and the only way that worked for me was to delete the vault_keys item with (knife data bag delete alexv alexvault_keys) and recreate it with the knife vault create query above. A very heavy-handed approach.

working solution:

knife data bag delete alexv alexvault_keys
knife vault create alexv alexvault '{"vaultuser":"$6$VqEIDjsp$7NtPMhA9cnxvSMTE9l7DMmydJJEymi9b4t1Vhk475vrWlfxMgVb3bDLhpk/RZt0J3X7l5H8WnqFgvq3dIa9Kt/"}' --search 'recipe:test_recipe NOT name:server3' --admins alex --mode client
knife data bag show alexv alexvault_keys

  server1
  server2
  server4
id:                 alexvault_keys
search_query:                 recipe:ge_role_secure_os NOT name:server3

Solution:
There should be a command to remove authorized clients without having to delete the data_bag, which can be run as part of server removal automation. I'm fairly new to chef-vault, so if an update switch used to perform this function, would it be possible to reimplement it?


afiune commented May 6, 2014

@vinyar

Have you tried:

knife vault remove VAULT ITEM VALUES (options)

For you I think this will work:

knife vault remove alexv alexvault \
  --search 'name:server3' \
  --mode client

moserke (Contributor) commented May 6, 2014

The one thing to note about knife vault remove is that the client still needs to be searchable/indexed for chef-vault to find it to remove it. So the decommission workflow is:

  1. Remove node from chef-vault
  2. Remove node from chef

If you have removed the node from chef first, then you will have to hand edit the vault_item_keys.json file directly to remove the orphaned nodes.
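For the "node already deleted from Chef" case above, here is an added Ruby example (not chef-vault's own code) that prunes orphaned client entries from an exported `<item>_keys` data bag item. It assumes the item layout used by chef-vault 2.x (an `admins` array, a `clients` array, and one encrypted-key entry per principal name); the sample item and the list of live clients are constructed.

```ruby
require 'json'
require 'set'

# Top-level entries of a chef-vault "<item>_keys" data bag item that are
# metadata rather than a principal's key. Assumption (not stated in the
# issue thread): the item also carries "admins" and "clients" arrays and one
# entry per admin/client name holding that principal's encrypted shared key.
RESERVED_KEYS = %w[id admins clients search_query mode].freeze

# Return [pruned_item, orphans]: a copy of the keys item with every client that
# is no longer a registered Chef client removed (its encrypted key entry and
# its slot in "clients"), plus the names that were dropped. Admin entries are
# never removed, since node deletion cannot orphan an admin user.
def prune_orphaned_clients(keys_item, live_clients)
  live   = Set.new(live_clients)
  admins = Set.new(keys_item.fetch('admins', []))
  orphans = keys_item.keys.reject do |name|
    RESERVED_KEYS.include?(name) || admins.include?(name) || live.include?(name)
  end
  pruned = keys_item.dup
  orphans.each { |name| pruned.delete(name) }
  pruned['clients'] = keys_item.fetch('clients', []) - orphans
  [pruned, orphans.sort]
end

# Constructed sample: the vault from the issue after server3 was deleted from
# Chef before being removed from the vault. Key blobs are placeholders, not
# real encrypted keys.
SAMPLE_KEYS_ITEM = {
  'id'           => 'alexvault_keys',
  'admins'       => %w[alex],
  'clients'      => %w[server1 server2 server3 server4],
  'search_query' => 'recipe:test_recipe NOT name:server3',
  'alex'         => 'PLACEHOLDER_KEY_alex',
  'server1'      => 'PLACEHOLDER_KEY_server1',
  'server2'      => 'PLACEHOLDER_KEY_server2',
  'server3'      => 'PLACEHOLDER_KEY_server3',
  'server4'      => 'PLACEHOLDER_KEY_server4'
}.freeze

# Clients still registered with the Chef server (e.g. from `knife client list`).
LIVE_CLIENTS = %w[server1 server2 server4].freeze

if __FILE__ == $PROGRAM_NAME
  pruned, orphans = prune_orphaned_clients(SAMPLE_KEYS_ITEM, LIVE_CLIENTS)
  warn "orphaned clients removed: #{orphans.join(', ')}"
  # Write this JSON to a file and upload it with `knife data bag from file`.
  puts JSON.pretty_generate(pruned)
end
```

Export the real item with `knife data bag show -F json`, run the script over it, and upload the result; the admin key entries and the `search_query` survive untouched, so the next `knife vault update` still works.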

vinyar (Author) commented May 6, 2014

Verified that this workflow works, thanks!
Are there any plans to add support for removal of dead nodes?


galindro commented Jul 7, 2014

+1

I need this feature too...


galindro commented Oct 8, 2014

+1

jf647 (Contributor) commented Oct 22, 2014

v2.3.0 adds a --clean switch to 'knife vault update' that should do what you're looking for.

jf647 closed this as completed Oct 22, 2014
8la (Contributor) commented Apr 8, 2016

This behaviour and the --clear switch should be documented at the README please!

Thanks!

vinyar (Author) commented Apr 12, 2016

👍 ☕ for the --clean switch
