Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to force reencryption of keys during refresh #287

Merged
merged 2 commits into from
Jul 28, 2017
Merged

Allow to force reencryption of keys during refresh #287

merged 2 commits into from
Jul 28, 2017

Conversation

kamaradclimber
Copy link
Contributor

@kamaradclimber kamaradclimber commented Jul 19, 2017
edited
Loading

During a refresh operation, speed optimization lead to avoid
re-encrypting symetrical key for each existing clients.

This lead to issues when clients change their chef key.

This patch adds an option --skip-reencryption to workaround that for
users having such behavior.

Fix #286

Change-Id: I0ffa71934d29198fa71aa6e1a9630ad302e21f6a
Signed-off-by: Grégoire Seux g.seux@criteo.com

@krzkowalczyk
Copy link

@kamaradclimber thanks for the path
The knife command in exception message in /lib/chef-vault/item.rb

rescue OpenSSL::PKey::RSAError raise ChefVault::Exceptions::SecretDecryption, "#{data_bag}/#{id} is encrypted for you, but your private key failed to decrypt the contents. "\ "(if you regenerated your client key, have an administrator of the vault run 'knife vault refresh')" end

Should be updated as well, to include new parameter

@whiteley
Copy link

whiteley commented Jul 25, 2017
edited
Loading

Usage of --bootstrap-vault-[file, item, json] is also broken by #269 in cases where you are recreating a client despite answering yes to the Node/Client exists messages.

The proposed solution of --force-reencryption for the CLI will not fix this type of failure without also updating https://github.com/chef/chef/blob/master/lib/chef/knife/bootstrap/chef_vault_handler.rb to supply the force_reencryption option.

I'm all for the speedup provided by not re-encrypting all clients unnecessarily but knife bootstrap should be a first class usage pattern from the chef client. It seems to me that during bootstrap force_reencryption could be provided in all cases. It is only acting on the single client being bootstrapped so the speed concern isn't an issue and reusing the client isn't supported.

The difficulty here is that requires a change in https://github.com/chef/chef and this workflow is broken until these both are updated.

@kamaradclimber
Allow to force reencryption of keys during refresh
410998d 
During a refresh operation, speed optimization lead to avoid
re-encrypting symetrical key for each existing clients.

This lead to issues when clients change their chef key.

This patch adds an option --force-reencryption to workaround that for
users having such behavior.

Fix #286

Change-Id: I0ffa71934d29198fa71aa6e1a9630ad302e21f6a
Signed-off-by: Grégoire Seux <g.seux@criteo.com>
@kamaradclimber
Copy link
Contributor Author

updated the patch to transform the option to --skip-reencryption (false by default) to restore the old behavior while enabling users to improve their performance

@thommay
Copy link
Contributor

thommay commented Jul 27, 2017

The cucumber tests are pretty unhappy, but other than that I think this is 👍

ensure we only delete the node in tests
0f35246 
Signed-off-by: Thom May <thom@chef.io>
@thommay
Copy link
Contributor

thommay commented Jul 28, 2017

@kamaradclimber i think this is good to go, but please check that my change makes sense.

@kamaradclimber
Copy link
Contributor Author

Ok for me

@kamaradclimber kamaradclimber merged commit cfc257e into master Jul 28, 2017
@thommay thommay added the Type: Enhancement Adds new functionality. label Aug 30, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Type: Enhancement Adds new functionality.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kamaradclimber @krzkowalczyk @whiteley @thommay