chef-infra chef-recipe knife databags

How do I refresh a chef vault's client list and remove nodes not matched by the search query?


I have a chef_vault with a search_query of role:myrole.

I want the chef server to periodically refresh the search query for the vault adding new nodes and removing any nodes that no longer have the role applied to them.

To test this I applied the role to a node and ran:

knife vault update mevault item1 -S "role:myrole" --mode client

The node appeared in the vault's clients list. I then removed the role from the node and ran the command again, but the node still appears in the vault's clients list. I also tried this command with the --clean switch, but that did not remove the node from the clients list; it seems to not work for the refresh command.

The vault update command with the clean switch works, but I have to hard code the search query into it. I just want to refresh the search query already applied to the vault item.


Solution

  • Ok so I think I have a possible solution, but I don't like it.

    The clean switch does not work on refresh, and while the update command with --clean removes nodes, it will not add new ones without hard coding the query in the command (I just want to re-run the query the vault was configured with), so this sort of does what I want:

    knife vault update vault123 item1 --mode client --clean
    knife vault refresh vault123 item1 --mode client
    

    It's kinda scary though to blow away the entire clients list and re-add them. I also worry about how safe this would be for many nodes. I can schedule this and be done with it, but I think this might be stupid.

    Or maybe I could have a script pull the search query out of the vault and use it to run vault update.

    Is there a better way someone can suggest...
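
The script idea mentioned in the post above, as an added example (not part of the original post and not chef-vault's own code): it reads the stored query from the vault's keys item, shows which clients would be added or removed, and builds the single `knife vault update ... --clean` call. It assumes the keys item is named `item1_keys` and carries `clients` and `search_query` fields; the helper names and sample data are constructed for illustration.

```ruby
require "json"
require "shellwords"

# Constructed sample of `knife data bag show vault123 item1_keys -F json`.
# Assumed layout: chef-vault keeps the saved query and client list in <item>_keys.
SAMPLE_KEYS = <<~JSON
  {"id": "item1_keys", "admins": ["alice"],
   "clients": ["node-a", "node-b", "node-c"],
   "search_query": "role:myrole"}
JSON

# Return the search query stored with the vault item, or fail loudly.
def stored_query(keys_json)
  query = JSON.parse(keys_json)["search_query"].to_s.strip
  raise ArgumentError, "vault item has no stored search_query" if query.empty?
  query
end

# Compare the current client list with the nodes the query matches right now
# (e.g. names from `knife search node QUERY -i`) before changing anything.
def plan(keys_json, matched_nodes)
  current = JSON.parse(keys_json).fetch("clients", [])
  # An empty result (index lag, typo in the query) would strip every client.
  raise ArgumentError, "search matched no nodes; refusing to clean" if matched_nodes.empty?
  { query: stored_query(keys_json),
    add: (matched_nodes - current).sort,
    remove: (current - matched_nodes).sort,
    keep: (current & matched_nodes).sort }
end

# Build the update call from the question, with the stored query filled in.
def update_command(vault, item, query)
  ["knife", "vault", "update", vault, item, "-S", query, "--clean", "--mode", "client"]
end

if __FILE__ == $PROGRAM_NAME
  matched = %w[node-a node-c node-d] # constructed search result
  result = plan(SAMPLE_KEYS, matched)
  puts "add: #{result[:add].inspect}  remove: #{result[:remove].inspect}"
  puts Shellwords.join(update_command("vault123", "item1", result[:query]))
end
```

Logging the add/remove lists on each scheduled run gives an audit trail of which nodes gained or lost access to the vault item.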