provisioners/chef: DRY and unify encrypted data bag secret handling
Pull encrypted data bag secret management up into the base classes, which also unifies the functionality. In particular, this complements the following issues:
* Upload the secret to provisioning path also with chef-solo [GH-1246]
* Delete the secret also with chef-client [GH-2712]
* Remove the secret before uploading also with chef-client [GH-1111]
parent
4f89bdb947
commit
ad34d474bc
|
@ -11,6 +11,7 @@ module VagrantPlugins
|
|||
attr_accessor :binary_path
|
||||
attr_accessor :binary_env
|
||||
attr_accessor :custom_config_path
|
||||
attr_accessor :encrypted_data_bag_secret_key_path
|
||||
attr_accessor :formatter
|
||||
attr_accessor :http_proxy
|
||||
attr_accessor :http_proxy_user
|
||||
|
@ -36,6 +37,7 @@ module VagrantPlugins
|
|||
@binary_path = UNSET_VALUE
|
||||
@binary_env = UNSET_VALUE
|
||||
@custom_config_path = UNSET_VALUE
|
||||
@encrypted_data_bag_secret_key_path = UNSET_VALUE
|
||||
@formatter = UNSET_VALUE
|
||||
@http_proxy = UNSET_VALUE
|
||||
@http_proxy_user = UNSET_VALUE
|
||||
|
@ -55,6 +57,12 @@ module VagrantPlugins
|
|||
@run_list = []
|
||||
end
|
||||
|
||||
def encrypted_data_bag_secret=(value)
|
||||
puts "DEPRECATION: Chef encrypted_data_bag_secret has no effect anymore."
|
||||
puts "Remove this from your Vagrantfile since it'll be removed in the next"
|
||||
puts "Vagrant version."
|
||||
end
|
||||
|
||||
def finalize!
|
||||
@arguments = nil if @arguments == UNSET_VALUE
|
||||
@attempts = 1 if @attempts == UNSET_VALUE
|
||||
|
@ -76,6 +84,10 @@ module VagrantPlugins
|
|||
@file_cache_path = "/var/chef/cache" if @file_cache_path == UNSET_VALUE
|
||||
@verbose_logging = false if @verbose_logging == UNSET_VALUE
|
||||
|
||||
if @encrypted_data_bag_secret_key_path == UNSET_VALUE
|
||||
@encrypted_data_bag_secret_key_path = nil
|
||||
end
|
||||
|
||||
# Make sure the log level is a symbol
|
||||
@log_level = @log_level.to_sym
|
||||
|
||||
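Review bot: Nothing visible in this section checks that a configured `encrypted_data_bag_secret_key_path` points at a readable file on the host; `finalize!` only normalises the unset value to `nil`. A typo in the Vagrantfile would therefore surface only when the provisioner tries to upload the key, after the machine is already up. If the base config's validation (outside these hunks) does not already cover it, I would add an error there when the path is set and `File.file?(File.expand_path(encrypted_data_bag_secret_key_path, machine.env.root_path))` is false.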
|
|
|
@ -10,7 +10,6 @@ module VagrantPlugins
|
|||
attr_accessor :client_key_path
|
||||
attr_accessor :delete_client
|
||||
attr_accessor :delete_node
|
||||
attr_accessor :encrypted_data_bag_secret_key_path
|
||||
attr_accessor :environment
|
||||
attr_accessor :validation_key_path
|
||||
attr_accessor :validation_client_name
|
||||
|
@ -22,18 +21,11 @@ module VagrantPlugins
|
|||
@client_key_path = UNSET_VALUE
|
||||
@delete_client = UNSET_VALUE
|
||||
@delete_node = UNSET_VALUE
|
||||
@encrypted_data_bag_secret_key_path = UNSET_VALUE
|
||||
@environment = UNSET_VALUE
|
||||
@validation_key_path = UNSET_VALUE
|
||||
@validation_client_name = UNSET_VALUE
|
||||
end
|
||||
|
||||
def encrypted_data_bag_secret=(value)
|
||||
puts "DEPRECATION: Chef encrypted_data_bag_secret has no effect anymore."
|
||||
puts "Remove this from your Vagrantfile since it'll be removed in the next"
|
||||
puts "Vagrant version."
|
||||
end
|
||||
|
||||
def finalize!
|
||||
super
|
||||
|
||||
|
@ -41,7 +33,6 @@ module VagrantPlugins
|
|||
@client_key_path = "/etc/chef/client.pem" if @client_key_path == UNSET_VALUE
|
||||
@delete_client = false if @delete_client == UNSET_VALUE
|
||||
@delete_node = false if @delete_node == UNSET_VALUE
|
||||
@encrypted_data_bag_secret_key_path = nil if @encrypted_data_bag_secret_key_path == UNSET_VALUE
|
||||
@environment = nil if @environment == UNSET_VALUE
|
||||
@validation_client_name = "chef-validator" if @validation_client_name == UNSET_VALUE
|
||||
@validation_key_path = nil if @validation_key_path == UNSET_VALUE
|
||||
|
|
|
@ -6,8 +6,6 @@ module VagrantPlugins
|
|||
class ChefSolo < Base
|
||||
attr_accessor :cookbooks_path
|
||||
attr_accessor :data_bags_path
|
||||
attr_accessor :encrypted_data_bag_secret_key_path
|
||||
attr_accessor :encrypted_data_bag_secret
|
||||
attr_accessor :environments_path
|
||||
attr_accessor :environment
|
||||
attr_accessor :recipe_url
|
||||
|
@ -24,8 +22,6 @@ module VagrantPlugins
|
|||
@recipe_url = UNSET_VALUE
|
||||
@roles_path = UNSET_VALUE
|
||||
@synced_folder_type = UNSET_VALUE
|
||||
@encrypted_data_bag_secret = UNSET_VALUE
|
||||
@encrypted_data_bag_secret_key_path = UNSET_VALUE
|
||||
end
|
||||
|
||||
def nfs=(value)
|
||||
|
@ -67,11 +63,6 @@ module VagrantPlugins
|
|||
@data_bags_path = prepare_folders_config(@data_bags_path)
|
||||
@roles_path = prepare_folders_config(@roles_path)
|
||||
@environments_path = prepare_folders_config(@environments_path)
|
||||
|
||||
@encrypted_data_bag_secret = "/tmp/encrypted_data_bag_secret" if \
|
||||
@encrypted_data_bag_secret == UNSET_VALUE
|
||||
@encrypted_data_bag_secret_key_path = nil if \
|
||||
@encrypted_data_bag_secret_key_path == UNSET_VALUE
|
||||
end
|
||||
|
||||
def validate(machine)
|
||||
|
|
|
@ -57,6 +57,7 @@ module VagrantPlugins
|
|||
|
||||
config_file = Vagrant::Util::TemplateRenderer.render(template, {
|
||||
:custom_configuration => remote_custom_config_path,
|
||||
:encrypted_data_bag_secret => guest_encrypted_data_bag_secret_key_path,
|
||||
:file_cache_path => @config.file_cache_path,
|
||||
:file_backup_path => @config.file_backup_path,
|
||||
:log_level => @config.log_level.to_sym,
|
||||
|
@ -104,6 +105,34 @@ module VagrantPlugins
|
|||
comm.upload(temp.path, remote_file)
|
||||
end
|
||||
end
|
||||
|
||||
def upload_encrypted_data_bag_secret
|
||||
return if !@config.encrypted_data_bag_secret_key_path
|
||||
|
||||
@machine.env.ui.info I18n.t(
|
||||
"vagrant.provisioners.chef.upload_encrypted_data_bag_secret_key")
|
||||
|
||||
remote_file = guest_encrypted_data_bag_secret_key_path
|
||||
@machine.communicate.tap do |comm|
|
||||
comm.sudo("rm -f #{remote_file}", error_check: false)
|
||||
comm.upload(encrypted_data_bag_secret_key_path, remote_file)
|
||||
end
|
||||
end
|
||||
|
||||
def delete_encrypted_data_bag_secret
|
||||
@machine.communicate.sudo(
|
||||
"rm -f #{guest_encrypted_data_bag_secret_key_path}",
|
||||
error_check: false)
|
||||
end
|
||||
|
||||
def encrypted_data_bag_secret_key_path
|
||||
File.expand_path(@config.encrypted_data_bag_secret_key_path,
|
||||
@machine.env.root_path)
|
||||
end
|
||||
|
||||
def guest_encrypted_data_bag_secret_key_path
|
||||
File.join(@config.provisioning_path, "encrypted_data_bag_secret_key")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
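Review bot: `upload_encrypted_data_bag_secret` leaves the uploaded key with whatever mode the communicator's upload gives it, so for the length of the Chef run the data bag secret may be readable by other accounts on the guest. Nothing in the hunk restricts it. Right after `comm.upload(...)` I would add `comm.sudo("chmod 600 #{remote_file}")`, which presumably still lets the sudo-run Chef process read it. Both `rm -f #{...}` commands also put the provisioning path into a shell string unquoted. Wrapping it in `Shellwords.escape(...)` (with `require "shellwords"`) keeps a path containing spaces or shell metacharacters from being split or interpreted.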
|
|
|
@ -20,10 +20,11 @@ module VagrantPlugins
|
|||
chown_provisioning_folder
|
||||
create_client_key_folder
|
||||
upload_validation_key
|
||||
upload_encrypted_data_bag_secret if @config.encrypted_data_bag_secret_key_path
|
||||
upload_encrypted_data_bag_secret
|
||||
setup_json
|
||||
setup_server_config
|
||||
run_chef_client
|
||||
delete_encrypted_data_bag_secret
|
||||
end
|
||||
|
||||
def cleanup
|
||||
|
@ -43,12 +44,6 @@ module VagrantPlugins
|
|||
@machine.communicate.upload(validation_key_path, guest_validation_key_path)
|
||||
end
|
||||
|
||||
def upload_encrypted_data_bag_secret
|
||||
@machine.env.ui.info I18n.t("vagrant.provisioners.chef.upload_encrypted_data_bag_secret_key")
|
||||
@machine.communicate.upload(encrypted_data_bag_secret_key_path,
|
||||
guest_encrypted_data_bag_secret_key_path)
|
||||
end
|
||||
|
||||
def setup_server_config
|
||||
setup_config("provisioners/chef_client/client", "client.rb", {
|
||||
:node_name => @config.node_name,
|
||||
|
@ -57,7 +52,6 @@ module VagrantPlugins
|
|||
:validation_key => guest_validation_key_path,
|
||||
:client_key => @config.client_key_path,
|
||||
:environment => @config.environment,
|
||||
:encrypted_data_bag_secret => guest_encrypted_data_bag_secret_key_path,
|
||||
})
|
||||
end
|
||||
|
||||
|
@ -98,15 +92,6 @@ module VagrantPlugins
|
|||
File.expand_path(@config.validation_key_path, @machine.env.root_path)
|
||||
end
|
||||
|
||||
def encrypted_data_bag_secret_key_path
|
||||
File.expand_path(@config.encrypted_data_bag_secret_key_path, @machine.env.root_path)
|
||||
end
|
||||
|
||||
def guest_encrypted_data_bag_secret_key_path
|
||||
File.join(@config.provisioning_path,
|
||||
"encrypted_data_bag_secret_key.pem")
|
||||
end
|
||||
|
||||
def guest_validation_key_path
|
||||
File.join(@config.provisioning_path, "validation.pem")
|
||||
end
|
||||
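Review bot: `delete_encrypted_data_bag_secret` is reached only when `run_chef_client` returns, so if the run raises (a failed converge, presumably) the key stays behind in the provisioning path on the guest. Since removing the secret is the point of the added call, I would put it in an `ensure`: `begin; run_chef_client; ensure; delete_encrypted_data_bag_secret; end`. The same applies to the chef-solo `provision` hunk, where the delete call sits after `run_chef_solo` outside the visible lines, if it is there at all. The start of `provision` is outside this hunk.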
|
|
|
@ -48,7 +48,7 @@ module VagrantPlugins
|
|||
chown_provisioning_folder
|
||||
verify_shared_folders(check)
|
||||
verify_binary(chef_binary_path("chef-solo"))
|
||||
upload_encrypted_data_bag_secret if @config.encrypted_data_bag_secret_key_path
|
||||
upload_encrypted_data_bag_secret
|
||||
setup_json
|
||||
setup_solo_config
|
||||
run_chef_solo
|
||||
|
@ -115,21 +115,6 @@ module VagrantPlugins
|
|||
end
|
||||
end
|
||||
|
||||
def delete_encrypted_data_bag_secret
|
||||
@machine.communicate.tap do |comm|
|
||||
comm.sudo("rm -f #{@config.encrypted_data_bag_secret}", error_check: false)
|
||||
end
|
||||
end
|
||||
|
||||
def upload_encrypted_data_bag_secret
|
||||
@machine.env.ui.info I18n.t("vagrant.provisioners.chef.upload_encrypted_data_bag_secret_key")
|
||||
@machine.communicate.tap do |comm|
|
||||
comm.sudo("rm -f #{@config.encrypted_data_bag_secret}", :error_check => false)
|
||||
comm.upload(encrypted_data_bag_secret_key_path,
|
||||
@config.encrypted_data_bag_secret)
|
||||
end
|
||||
end
|
||||
|
||||
def setup_solo_config
|
||||
cookbooks_path = guest_paths(@cookbook_folders)
|
||||
roles_path = guest_paths(@role_folders).first
|
||||
|
@ -141,7 +126,6 @@ module VagrantPlugins
|
|||
:recipe_url => @config.recipe_url,
|
||||
:roles_path => roles_path,
|
||||
:data_bags_path => data_bags_path,
|
||||
:encrypted_data_bag_secret => @config.encrypted_data_bag_secret,
|
||||
:environments_path => environments_path,
|
||||
:environment => @config.environment,
|
||||
})
|
||||
|
@ -197,10 +181,6 @@ module VagrantPlugins
|
|||
end
|
||||
end
|
||||
|
||||
def encrypted_data_bag_secret_key_path
|
||||
File.expand_path(@config.encrypted_data_bag_secret_key_path, @machine.env.root_path)
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
# Extracts only the remote paths from a list of folders
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
require_relative "../../../../base"
|
||||
|
||||
require Vagrant.source_root.join("plugins/provisioners/chef/provisioner/base")
|
||||
|
||||
describe VagrantPlugins::Chef::Provisioner::Base do
|
||||
include_context "unit"
|
||||
|
||||
let(:machine) { double("machine") }
|
||||
let(:config) { double("config") }
|
||||
|
||||
subject { described_class.new(machine, config) }
|
||||
|
||||
describe "#encrypted_data_bag_secret_key_path" do
|
||||
let(:env) { double("env") }
|
||||
let(:root_path) { "/my/root" }
|
||||
|
||||
before do
|
||||
machine.stub(:env).and_return(env)
|
||||
env.stub(:root_path).and_return(root_path)
|
||||
end
|
||||
|
||||
it "returns absolute path as is" do
|
||||
config.should_receive(:encrypted_data_bag_secret_key_path).
|
||||
and_return("/foo/bar")
|
||||
expect(subject.encrypted_data_bag_secret_key_path).to eq "/foo/bar"
|
||||
end
|
||||
|
||||
it "returns relative path joined to root_path" do
|
||||
config.should_receive(:encrypted_data_bag_secret_key_path).
|
||||
and_return("secret")
|
||||
expect(subject.encrypted_data_bag_secret_key_path).to eq "/my/root/secret"
|
||||
end
|
||||
end
|
||||
|
||||
describe "#guest_encrypted_data_bag_secret_key_path" do
|
||||
it "returns path under config.provisioning_path" do
|
||||
config.stub(:provisioning_path).and_return("/tmp/foo")
|
||||
expect(File.dirname(subject.guest_encrypted_data_bag_secret_key_path)).
|
||||
to eq "/tmp/foo"
|
||||
end
|
||||
end
|
||||
end
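Review bot: The spec exercises only the two path helpers, while the behaviour this commit unifies has no example: the early return in `upload_encrypted_data_bag_secret` when no key path is configured, the `rm -f` before upload, and `delete_encrypted_data_bag_secret`. Both provisioners now call the upload unconditionally and rely on that guard, so I would pin at least that case, for instance with `config.stub(:encrypted_data_bag_secret_key_path).and_return(nil)` followed by `machine.should_not_receive(:communicate)` and a call to `subject.upload_encrypted_data_bag_secret`. The guest-path example also checks only the directory, so a change to the file name would go unnoticed.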
|