Merge pull request #2845 from tmatilai/chef_data_bag_secret

provisioners/chef: DRY and unify encrypted data bag secret handling
This commit is contained in:
Teemu Matilainen 2014-02-19 00:54:57 -02:00
commit 807c879ac8
9 changed files with 98 additions and 58 deletions


@ -11,6 +11,7 @@ module VagrantPlugins
attr_accessor :binary_path attr_accessor :binary_path
attr_accessor :binary_env attr_accessor :binary_env
attr_accessor :custom_config_path attr_accessor :custom_config_path
attr_accessor :encrypted_data_bag_secret_key_path
attr_accessor :formatter attr_accessor :formatter
attr_accessor :http_proxy attr_accessor :http_proxy
attr_accessor :http_proxy_user attr_accessor :http_proxy_user
@ -36,6 +37,7 @@ module VagrantPlugins
@binary_path = UNSET_VALUE @binary_path = UNSET_VALUE
@binary_env = UNSET_VALUE @binary_env = UNSET_VALUE
@custom_config_path = UNSET_VALUE @custom_config_path = UNSET_VALUE
@encrypted_data_bag_secret_key_path = UNSET_VALUE
@formatter = UNSET_VALUE @formatter = UNSET_VALUE
@http_proxy = UNSET_VALUE @http_proxy = UNSET_VALUE
@http_proxy_user = UNSET_VALUE @http_proxy_user = UNSET_VALUE
@ -55,6 +57,12 @@ module VagrantPlugins
@run_list = [] @run_list = []
end end
def encrypted_data_bag_secret=(value)
puts "DEPRECATION: Chef encrypted_data_bag_secret has no effect anymore."
puts "Remove this from your Vagrantfile since it'll be removed in the next"
puts "Vagrant version."
end
def finalize! def finalize!
@arguments = nil if @arguments == UNSET_VALUE @arguments = nil if @arguments == UNSET_VALUE
@attempts = 1 if @attempts == UNSET_VALUE @attempts = 1 if @attempts == UNSET_VALUE
@ -76,6 +84,10 @@ module VagrantPlugins
@file_cache_path = "/var/chef/cache" if @file_cache_path == UNSET_VALUE @file_cache_path = "/var/chef/cache" if @file_cache_path == UNSET_VALUE
@verbose_logging = false if @verbose_logging == UNSET_VALUE @verbose_logging = false if @verbose_logging == UNSET_VALUE
if @encrypted_data_bag_secret_key_path == UNSET_VALUE
@encrypted_data_bag_secret_key_path = nil
end
# Make sure the log level is a symbol # Make sure the log level is a symbol
@log_level = @log_level.to_sym @log_level = @log_level.to_sym
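Review bot: The deprecation shim `encrypted_data_bag_secret=(value)` never uses its argument and reports through bare `puts` rather than a UI object, so the parameter should be marked unused, `def encrypted_data_bag_secret=(_value)`, and a short comment should say why stdout is used here (a config object has no machine or env handle visible in this hunk, which is presumably the reason). The three-line `if @encrypted_data_bag_secret_key_path == UNSET_VALUE … end` added to `finalize!` also reads differently from the one-line modifiers around it and from the removed chef_client line; `@encrypted_data_bag_secret_key_path = nil if @encrypted_data_bag_secret_key_path == UNSET_VALUE` keeps the file's style. `finalize!` continues outside the hunk.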


@ -10,7 +10,6 @@ module VagrantPlugins
attr_accessor :client_key_path attr_accessor :client_key_path
attr_accessor :delete_client attr_accessor :delete_client
attr_accessor :delete_node attr_accessor :delete_node
attr_accessor :encrypted_data_bag_secret_key_path
attr_accessor :environment attr_accessor :environment
attr_accessor :validation_key_path attr_accessor :validation_key_path
attr_accessor :validation_client_name attr_accessor :validation_client_name
@ -22,18 +21,11 @@ module VagrantPlugins
@client_key_path = UNSET_VALUE @client_key_path = UNSET_VALUE
@delete_client = UNSET_VALUE @delete_client = UNSET_VALUE
@delete_node = UNSET_VALUE @delete_node = UNSET_VALUE
@encrypted_data_bag_secret_key_path = UNSET_VALUE
@environment = UNSET_VALUE @environment = UNSET_VALUE
@validation_key_path = UNSET_VALUE @validation_key_path = UNSET_VALUE
@validation_client_name = UNSET_VALUE @validation_client_name = UNSET_VALUE
end end
def encrypted_data_bag_secret=(value)
puts "DEPRECATION: Chef encrypted_data_bag_secret has no effect anymore."
puts "Remove this from your Vagrantfile since it'll be removed in the next"
puts "Vagrant version."
end
def finalize! def finalize!
super super
@ -41,7 +33,6 @@ module VagrantPlugins
@client_key_path = "/etc/chef/client.pem" if @client_key_path == UNSET_VALUE @client_key_path = "/etc/chef/client.pem" if @client_key_path == UNSET_VALUE
@delete_client = false if @delete_client == UNSET_VALUE @delete_client = false if @delete_client == UNSET_VALUE
@delete_node = false if @delete_node == UNSET_VALUE @delete_node = false if @delete_node == UNSET_VALUE
@encrypted_data_bag_secret_key_path = nil if @encrypted_data_bag_secret_key_path == UNSET_VALUE
@environment = nil if @environment == UNSET_VALUE @environment = nil if @environment == UNSET_VALUE
@validation_client_name = "chef-validator" if @validation_client_name == UNSET_VALUE @validation_client_name = "chef-validator" if @validation_client_name == UNSET_VALUE
@validation_key_path = nil if @validation_key_path == UNSET_VALUE @validation_key_path = nil if @validation_key_path == UNSET_VALUE


@ -6,8 +6,6 @@ module VagrantPlugins
class ChefSolo < Base class ChefSolo < Base
attr_accessor :cookbooks_path attr_accessor :cookbooks_path
attr_accessor :data_bags_path attr_accessor :data_bags_path
attr_accessor :encrypted_data_bag_secret_key_path
attr_accessor :encrypted_data_bag_secret
attr_accessor :environments_path attr_accessor :environments_path
attr_accessor :environment attr_accessor :environment
attr_accessor :recipe_url attr_accessor :recipe_url
@ -24,8 +22,6 @@ module VagrantPlugins
@recipe_url = UNSET_VALUE @recipe_url = UNSET_VALUE
@roles_path = UNSET_VALUE @roles_path = UNSET_VALUE
@synced_folder_type = UNSET_VALUE @synced_folder_type = UNSET_VALUE
@encrypted_data_bag_secret = UNSET_VALUE
@encrypted_data_bag_secret_key_path = UNSET_VALUE
end end
def nfs=(value) def nfs=(value)
@ -67,11 +63,6 @@ module VagrantPlugins
@data_bags_path = prepare_folders_config(@data_bags_path) @data_bags_path = prepare_folders_config(@data_bags_path)
@roles_path = prepare_folders_config(@roles_path) @roles_path = prepare_folders_config(@roles_path)
@environments_path = prepare_folders_config(@environments_path) @environments_path = prepare_folders_config(@environments_path)
@encrypted_data_bag_secret = "/tmp/encrypted_data_bag_secret" if \
@encrypted_data_bag_secret == UNSET_VALUE
@encrypted_data_bag_secret_key_path = nil if \
@encrypted_data_bag_secret_key_path == UNSET_VALUE
end end
def validate(machine) def validate(machine)


@ -57,6 +57,7 @@ module VagrantPlugins
config_file = Vagrant::Util::TemplateRenderer.render(template, { config_file = Vagrant::Util::TemplateRenderer.render(template, {
:custom_configuration => remote_custom_config_path, :custom_configuration => remote_custom_config_path,
:encrypted_data_bag_secret => guest_encrypted_data_bag_secret_key_path,
:file_cache_path => @config.file_cache_path, :file_cache_path => @config.file_cache_path,
:file_backup_path => @config.file_backup_path, :file_backup_path => @config.file_backup_path,
:log_level => @config.log_level.to_sym, :log_level => @config.log_level.to_sym,
@ -104,6 +105,37 @@ module VagrantPlugins
comm.upload(temp.path, remote_file) comm.upload(temp.path, remote_file)
end end
end end
def upload_encrypted_data_bag_secret
remote_file = guest_encrypted_data_bag_secret_key_path
return if !remote_file
@machine.env.ui.info I18n.t(
"vagrant.provisioners.chef.upload_encrypted_data_bag_secret_key")
@machine.communicate.tap do |comm|
comm.sudo("rm -f #{remote_file}", error_check: false)
comm.upload(encrypted_data_bag_secret_key_path, remote_file)
end
end
def delete_encrypted_data_bag_secret
remote_file = guest_encrypted_data_bag_secret_key_path
if remote_file
@machine.communicate.sudo("rm -f #{remote_file}", error_check: false)
end
end
def encrypted_data_bag_secret_key_path
File.expand_path(@config.encrypted_data_bag_secret_key_path,
@machine.env.root_path)
end
def guest_encrypted_data_bag_secret_key_path
if @config.encrypted_data_bag_secret_key_path
File.join(@config.provisioning_path, "encrypted_data_bag_secret_key")
end
end
end end
end end
end end
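Review bot: `upload_encrypted_data_bag_secret` drops the secret under `@config.provisioning_path` with whatever mode the upload and the guest's umask produce, and nothing in the hunk tightens it, so the key can be readable by other guest accounts for the whole chef run. After `comm.upload(encrypted_data_bag_secret_key_path, remote_file)` I would add `comm.sudo("chmod 0600 #{remote_file}")`, which is enough if the chef run itself goes through `sudo` as the removal does. `delete_encrypted_data_bag_secret` passes `error_check: false`, so a removal that fails is silent; that is acceptable for `rm -f`, but a one-line comment stating that the secret is intentionally best-effort-deleted, or a debug log on failure, would make a leftover secret diagnosable.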


@ -20,10 +20,11 @@ module VagrantPlugins
chown_provisioning_folder chown_provisioning_folder
create_client_key_folder create_client_key_folder
upload_validation_key upload_validation_key
upload_encrypted_data_bag_secret if @config.encrypted_data_bag_secret_key_path upload_encrypted_data_bag_secret
setup_json setup_json
setup_server_config setup_server_config
run_chef_client run_chef_client
delete_encrypted_data_bag_secret
end end
def cleanup def cleanup
@ -43,12 +44,6 @@ module VagrantPlugins
@machine.communicate.upload(validation_key_path, guest_validation_key_path) @machine.communicate.upload(validation_key_path, guest_validation_key_path)
end end
def upload_encrypted_data_bag_secret
@machine.env.ui.info I18n.t("vagrant.provisioners.chef.upload_encrypted_data_bag_secret_key")
@machine.communicate.upload(encrypted_data_bag_secret_key_path,
guest_encrypted_data_bag_secret_key_path)
end
def setup_server_config def setup_server_config
setup_config("provisioners/chef_client/client", "client.rb", { setup_config("provisioners/chef_client/client", "client.rb", {
:node_name => @config.node_name, :node_name => @config.node_name,
@ -57,7 +52,6 @@ module VagrantPlugins
:validation_key => guest_validation_key_path, :validation_key => guest_validation_key_path,
:client_key => @config.client_key_path, :client_key => @config.client_key_path,
:environment => @config.environment, :environment => @config.environment,
:encrypted_data_bag_secret => guest_encrypted_data_bag_secret_key_path,
}) })
end end
@ -98,15 +92,6 @@ module VagrantPlugins
File.expand_path(@config.validation_key_path, @machine.env.root_path) File.expand_path(@config.validation_key_path, @machine.env.root_path)
end end
def encrypted_data_bag_secret_key_path
File.expand_path(@config.encrypted_data_bag_secret_key_path, @machine.env.root_path)
end
def guest_encrypted_data_bag_secret_key_path
File.join(@config.provisioning_path,
"encrypted_data_bag_secret_key.pem")
end
def guest_validation_key_path def guest_validation_key_path
File.join(@config.provisioning_path, "validation.pem") File.join(@config.provisioning_path, "validation.pem")
end end
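Review bot: `delete_encrypted_data_bag_secret` is only reached after `run_chef_client` returns, so if a failed chef run raises out of `run_chef_client` the secret stays on the guest until the next provision overwrites it. Wrapping the run in `begin`/`ensure` makes the cleanup unconditional; the same shape applies to `run_chef_solo` in chef_solo's `provision`, whose cleanup call lies outside that hunk. The enclosing `provision` method starts outside this hunk.
```ruby
upload_encrypted_data_bag_secret
setup_json
setup_server_config
begin
  run_chef_client
ensure
  # remove the secret even when the chef run fails
  delete_encrypted_data_bag_secret
end
```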


@ -48,7 +48,7 @@ module VagrantPlugins
chown_provisioning_folder chown_provisioning_folder
verify_shared_folders(check) verify_shared_folders(check)
verify_binary(chef_binary_path("chef-solo")) verify_binary(chef_binary_path("chef-solo"))
upload_encrypted_data_bag_secret if @config.encrypted_data_bag_secret_key_path upload_encrypted_data_bag_secret
setup_json setup_json
setup_solo_config setup_solo_config
run_chef_solo run_chef_solo
@ -115,21 +115,6 @@ module VagrantPlugins
end end
end end
def delete_encrypted_data_bag_secret
@machine.communicate.tap do |comm|
comm.sudo("rm -f #{@config.encrypted_data_bag_secret}", error_check: false)
end
end
def upload_encrypted_data_bag_secret
@machine.env.ui.info I18n.t("vagrant.provisioners.chef.upload_encrypted_data_bag_secret_key")
@machine.communicate.tap do |comm|
comm.sudo("rm -f #{@config.encrypted_data_bag_secret}", :error_check => false)
comm.upload(encrypted_data_bag_secret_key_path,
@config.encrypted_data_bag_secret)
end
end
def setup_solo_config def setup_solo_config
cookbooks_path = guest_paths(@cookbook_folders) cookbooks_path = guest_paths(@cookbook_folders)
roles_path = guest_paths(@role_folders).first roles_path = guest_paths(@role_folders).first
@ -141,7 +126,6 @@ module VagrantPlugins
:recipe_url => @config.recipe_url, :recipe_url => @config.recipe_url,
:roles_path => roles_path, :roles_path => roles_path,
:data_bags_path => data_bags_path, :data_bags_path => data_bags_path,
:encrypted_data_bag_secret => @config.encrypted_data_bag_secret,
:environments_path => environments_path, :environments_path => environments_path,
:environment => @config.environment, :environment => @config.environment,
}) })
@ -197,10 +181,6 @@ module VagrantPlugins
end end
end end
def encrypted_data_bag_secret_key_path
File.expand_path(@config.encrypted_data_bag_secret_key_path, @machine.env.root_path)
end
protected protected
# Extracts only the remote paths from a list of folders # Extracts only the remote paths from a list of folders


@ -11,7 +11,7 @@ validation_client_name "<%= validation_client_name %>"
validation_key "<%= validation_key %>" validation_key "<%= validation_key %>"
client_key "<%= client_key %>" client_key "<%= client_key %>"
encrypted_data_bag_secret "<%= encrypted_data_bag_secret %>" encrypted_data_bag_secret <%= encrypted_data_bag_secret.inspect %>
<% if environment %> <% if environment %>
environment "<%= environment %>" environment "<%= environment %>"


@ -10,7 +10,7 @@ role_path <%= roles_path.inspect %>
log_level <%= log_level.inspect %> log_level <%= log_level.inspect %>
verbose_logging <%= verbose_logging.inspect %> verbose_logging <%= verbose_logging.inspect %>
encrypted_data_bag_secret "<%= encrypted_data_bag_secret %>" encrypted_data_bag_secret <%= encrypted_data_bag_secret.inspect %>
<% if data_bags_path -%> <% if data_bags_path -%>
data_bag_path <%= data_bags_path.inspect %> data_bag_path <%= data_bags_path.inspect %>


@ -0,0 +1,49 @@
require_relative "../../../../base"
require Vagrant.source_root.join("plugins/provisioners/chef/provisioner/base")
describe VagrantPlugins::Chef::Provisioner::Base do
include_context "unit"
let(:machine) { double("machine") }
let(:config) { double("config") }
subject { described_class.new(machine, config) }
describe "#encrypted_data_bag_secret_key_path" do
let(:env) { double("env") }
let(:root_path) { "/my/root" }
before do
machine.stub(:env).and_return(env)
env.stub(:root_path).and_return(root_path)
end
it "returns absolute path as is" do
config.should_receive(:encrypted_data_bag_secret_key_path).
and_return("/foo/bar")
expect(subject.encrypted_data_bag_secret_key_path).to eq "/foo/bar"
end
it "returns relative path joined to root_path" do
config.should_receive(:encrypted_data_bag_secret_key_path).
and_return("secret")
expect(subject.encrypted_data_bag_secret_key_path).to eq "/my/root/secret"
end
end
describe "#guest_encrypted_data_bag_secret_key_path" do
it "returns nil if host path is not configured" do
config.stub(:encrypted_data_bag_secret_key_path).and_return(nil)
config.stub(:provisioning_path).and_return("/tmp/foo")
expect(subject.guest_encrypted_data_bag_secret_key_path).to be_nil
end
it "returns path under config.provisioning_path" do
config.stub(:encrypted_data_bag_secret_key_path).and_return("secret")
config.stub(:provisioning_path).and_return("/tmp/foo")
expect(File.dirname(subject.guest_encrypted_data_bag_secret_key_path)).
to eq "/tmp/foo"
end
end
end
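Review bot: The new spec covers the two path helpers but not the short-circuit that replaced the `if @config.encrypted_data_bag_secret_key_path` guards at both call sites, namely `upload_encrypted_data_bag_secret` and `delete_encrypted_data_bag_secret` doing nothing when no key path is configured. An example asserting that `machine` never receives `:communicate` in that case pins the behaviour the callers now rely on. The `stub`/`should_receive` syntax matches the rest of the file, so I would keep it for consistency.
```ruby
describe "#upload_encrypted_data_bag_secret" do
  it "does nothing when the key path is not configured" do
    config.stub(:encrypted_data_bag_secret_key_path).and_return(nil)
    machine.should_not_receive(:communicate)
    subject.upload_encrypted_data_bag_secret
  end
end
```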