Earlier versions of Chef Server do not support key rotation; you need Chef Server 12.1.x or later to follow this procedure, which rotates the key of the pivotal superuser.
root@chef:/# chef-server-ctl org-list
delivery
demo
Generate a new key for the pivotal user. The key name includes the current Unix timestamp so each rotation gets a unique name, and the private key is written over /etc/opscode/pivotal.pem, so copy the existing file elsewhere first if you want the option to roll back.
root@chef:/# chef-server-ctl add-user-key pivotal -k pivotal-`date +%s` > /etc/opscode/pivotal.pem
Add the new private key to the veiled /etc/opscode/private-chef-secrets.json file as chef-server.superuser_key, which is the key chef-server-ctl uses to authenticate as pivotal
root@chef:/# env PROVIDER=chef-secrets-file /opt/opscode/embedded/bin/veil-ingest-secret chef-server.superuser_key < /etc/opscode/pivotal.pem
Try to list the organizations again
root@chef:/# chef-server-ctl org-list
delivery
demo
That org-list call was authenticated with the new key, pivotal-1493779202 (the name in your environment will carry a different timestamp), not with the original default key. Both keys are still registered for the pivotal user, so the original default key can now be removed.
root@chef:/# chef-server-ctl list-user-keys pivotal
name: default
expired: false
name: pivotal-1493779202
expired: false
Delete the old key
root@chef:/# chef-server-ctl delete-user-key pivotal default
Check that authentication still works with only the new key
root@chef:/# chef-server-ctl org-list
delivery
demo
NOTE: It is common practice to use the pivotal key named "default" as a credential of last resort for chef-vault. If you use chef-vault (its use is discouraged), repeat the procedure above after this rotation: create a key for the pivotal user named "default", ingest it, and delete the timestamped key. Unfortunately, the timestamped key cannot simply be renamed to "default".
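The whole procedure, including the second pass the chef-vault note asks for, as one checked script. This is an added example, not code from the original article or from Chef: the chef-server-ctl and veil-ingest-secret commands are the ones used above, wrapped in functions that refuse to delete the old key until the new one has been ingested and has authenticated an org-list call, and that put the backed-up pivotal.pem back if key generation fails. The command paths are read from environment variables (CHEF_SERVER_CTL, VEIL_INGEST, PIVOTAL_PEM are names assumed here, not Chef settings) so the script can be pointed at stubs for a dry run; the function names are this example's, not Chef's.

```shell
#!/bin/sh
# Added example, not from the original article or from Chef: the pivotal key
# rotation as one script with a check around each step. The real commands are
# used, but taken from variables (assumed names) so the script can be pointed
# at stubs for a dry run.  Usage: rotate_pivotal_key NEW_KEY_NAME OLD_KEY_NAME
CHEF_SERVER_CTL="${CHEF_SERVER_CTL:-chef-server-ctl}"
VEIL_INGEST="${VEIL_INGEST:-/opt/opscode/embedded/bin/veil-ingest-secret}"
PIVOTAL_PEM="${PIVOTAL_PEM:-/etc/opscode/pivotal.pem}"

# Names of the pivotal user's keys, one per line, parsed from the
# "name: X" / "expired: Y" pairs that list-user-keys prints.
pivotal_key_names() {
    "$CHEF_SERVER_CTL" list-user-keys pivotal | awk '/^name:/ { print $2 }'
}

# True when the superuser key currently in the secrets file authenticates.
pivotal_auth_works() {
    "$CHEF_SERVER_CTL" org-list >/dev/null 2>&1
}

# Load a private key file into chef-server.superuser_key in the veiled
# private-chef-secrets.json (the same command the article uses).
ingest_superuser_key() {
    env PROVIDER=chef-secrets-file "$VEIL_INGEST" chef-server.superuser_key < "$1"
}

rotate_pivotal_key() {
    new_name="$1"
    old_name="$2"
    backup="${PIVOTAL_PEM}.${old_name}.bak"

    # Never start a rotation from a state where pivotal already cannot log in.
    pivotal_auth_works || { echo "pivotal cannot authenticate; aborting" >&2; return 1; }

    # The redirect below overwrites pivotal.pem, so keep the old key first.
    [ -f "$PIVOTAL_PEM" ] && cp -p "$PIVOTAL_PEM" "$backup"

    # Generate the new key pair. umask 077 keeps a freshly created pivotal.pem
    # private; an existing file keeps the mode it already had.
    ( umask 077; "$CHEF_SERVER_CTL" add-user-key pivotal -k "$new_name" > "$PIVOTAL_PEM" ) || {
        echo "add-user-key failed; restoring $backup" >&2
        [ -f "$backup" ] && cp -p "$backup" "$PIVOTAL_PEM"
        return 1
    }
    grep -q 'BEGIN .*PRIVATE KEY' "$PIVOTAL_PEM" || {
        echo "add-user-key printed no private key; restoring $backup" >&2
        [ -f "$backup" ] && cp -p "$backup" "$PIVOTAL_PEM"
        return 1
    }

    # Point chef-server-ctl at the new key and prove it works before deleting
    # anything. If this fails the old key is still registered server-side, so
    # re-ingesting the backup rolls the host back to a working state.
    ingest_superuser_key "$PIVOTAL_PEM" || { echo "ingest failed" >&2; return 1; }
    if ! pivotal_auth_works; then
        echo "new key $new_name does not authenticate; rolling back" >&2
        cp -p "$backup" "$PIVOTAL_PEM" && ingest_superuser_key "$PIVOTAL_PEM"
        return 1
    fi
    pivotal_key_names | grep -qx "$new_name" || { echo "$new_name not registered" >&2; return 1; }

    # Only now remove the old key, then confirm the API and the key list agree.
    "$CHEF_SERVER_CTL" delete-user-key pivotal "$old_name" || return 1
    pivotal_auth_works || { echo "authentication broke after deleting $old_name" >&2; return 1; }
    if pivotal_key_names | grep -qx "$old_name"; then
        echo "$old_name is still registered" >&2
        return 1
    fi
    echo "rotated pivotal key: $old_name -> $new_name"
}

# When run directly: ./rotate_pivotal_key.sh NEW_KEY_NAME OLD_KEY_NAME
if [ "$#" -eq 2 ]; then
    rotate_pivotal_key "$1" "$2"
fi
```

Run it as `./rotate_pivotal_key.sh "pivotal-$(date +%s)" default` for the rotation above, and afterwards as `./rotate_pivotal_key.sh default pivotal-<timestamp>` if chef-vault needs the credential of last resort to be named "default" again. Every exit before the delete step leaves the old key both registered and (after a rollback) ingested, so a failed run does not lock pivotal out.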