author | Claire McQuin <mcquin@users.noreply.github.com> | 2014-09-15 14:56:40 -0700 |
---|---|---|
committer | Claire McQuin <mcquin@users.noreply.github.com> | 2014-09-15 14:56:40 -0700 |
commit | 49582c3db4e3b54674ecfb57fe82157720350274 (patch) | |
tree | f83871612ac5d8cee68c51c32171fbbbd40d0684 | |
parent | cb61daebfb0d255cae928ca1a92db29b055755cf (diff) | |
parent | e4ac353bebdc949cd2cd8ce69983a56b96917dfa (diff) | |
Merge pull request #2003 from opscode/mcquin/transfer_trusted_certs
Mcquin/transfer trusted certs
-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | lib/chef/knife/bootstrap/archlinux-gems.erb | 5 | ||||
-rw-r--r-- | lib/chef/knife/bootstrap/chef-aix.erb | 5 | ||||
-rw-r--r-- | lib/chef/knife/bootstrap/chef-full.erb | 5 | ||||
-rw-r--r-- | lib/chef/knife/core/bootstrap_context.rb | 20 | ||||
-rw-r--r-- | spec/unit/knife/bootstrap_spec.rb | 38 |
6 files changed, 74 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index edc52412e4..d3b4d82d21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -132,6 +132,7 @@ * Add `:node_ssl_verify_mode` & `:node_verify_api_cert` options to bootstrap to be able to configure these settings on the bootstrapped node. * Add partial_search dsl method to Chef::Search::Query, add result filtering to search. +* Transfer trusted certificates under :trusted_certs_dir during bootstrap. ## Last Release: 11.14.2 diff --git a/lib/chef/knife/bootstrap/archlinux-gems.erb b/lib/chef/knife/bootstrap/archlinux-gems.erb index bb84340c05..eb134b90d5 100644 --- a/lib/chef/knife/bootstrap/archlinux-gems.erb +++ b/lib/chef/knife/bootstrap/archlinux-gems.erb @@ -23,6 +23,11 @@ EOP chmod 0600 /etc/chef/encrypted_data_bag_secret <% end -%> +<% unless trusted_certs.empty? -%> +mkdir -p /etc/chef/trusted_certs +<%= trusted_certs %> +<% end -%> + <%# Generate Ohai Hints -%> <% unless @chef_config[:knife][:hints].nil? || @chef_config[:knife][:hints].empty? -%> mkdir -p /etc/chef/ohai/hints diff --git a/lib/chef/knife/bootstrap/chef-aix.erb b/lib/chef/knife/bootstrap/chef-aix.erb index 59993b478a..3a031ee738 100644 --- a/lib/chef/knife/bootstrap/chef-aix.erb +++ b/lib/chef/knife/bootstrap/chef-aix.erb @@ -36,6 +36,11 @@ EOP chmod 0600 /etc/chef/encrypted_data_bag_secret <% end -%> +<% unless trusted_certs.empty? -%> +mkdir -p /etc/chef/trusted_certs +<%= trusted_certs %> +<% end -%> + <%# Generate Ohai Hints -%> <% unless @chef_config[:knife][:hints].nil? || @chef_config[:knife][:hints].empty? -%> mkdir -p /etc/chef/ohai/hints diff --git a/lib/chef/knife/bootstrap/chef-full.erb b/lib/chef/knife/bootstrap/chef-full.erb index a4e85b9d67..6edb485f44 100644 --- a/lib/chef/knife/bootstrap/chef-full.erb +++ b/lib/chef/knife/bootstrap/chef-full.erb 
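Review bot: `<%= trusted_certs %>` in the new block splices a pre-rendered shell fragment (the `cat > … <<'EOP'` heredocs built in BootstrapContext) into the script, so all quoting and escaping has to happen on the Ruby side, and nothing in the template says so. A template comment would make that contract visible to the next person who edits archlinux-gems.erb: `<%# trusted_certs is a ready-made shell snippet from BootstrapContext#trusted_certs_content, not a value to quote -%>`. Unlike the `encrypted_data_bag_secret` block just above, no mode is set on the directory or the files, which is fine for public CA material but worth stating in the same comment so nobody later "fixes" it to 0600 and breaks reads by non-root processes.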
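Review bot: The added block in chef-aix.erb hard-codes `/etc/chef/trusted_certs` twice, and the same literal also appears in the other two templates and in the `trusted_certs_dir` line that config_content now writes; the four copies have to stay in sync by hand or the node will be told to trust a directory the script never populated. Exposing the path from the context once (for example a `trusted_certs_path` helper used by both the templates and config_content) would remove that drift risk. Until then a short comment on the `mkdir` line, `<%# must match trusted_certs_dir in config_content -%>`, at least records the coupling.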
@@ -50,6 +50,11 @@ EOP chmod 0600 /etc/chef/encrypted_data_bag_secret <% end -%> +<% unless trusted_certs.empty? -%> +mkdir -p /etc/chef/trusted_certs +<%= trusted_certs %> +<% end -%> + <%# Generate Ohai Hints -%> <% unless @chef_config[:knife][:hints].nil? || @chef_config[:knife][:hints].empty? -%> mkdir -p /etc/chef/ohai/hints diff --git a/lib/chef/knife/core/bootstrap_context.rb b/lib/chef/knife/core/bootstrap_context.rb index 9fa6dcc46f..87c25ca160 100644 --- a/lib/chef/knife/core/bootstrap_context.rb +++ b/lib/chef/knife/core/bootstrap_context.rb @@ -54,6 +54,10 @@ class Chef end end + def trusted_certs + @trusted_certs ||= trusted_certs_content + end + def config_content client_rb = <<-CONFIG log_location STDOUT @@ -109,6 +113,10 @@ CONFIG client_rb << %Q{encrypted_data_bag_secret "/etc/chef/encrypted_data_bag_secret"\n} end + unless trusted_certs.empty? + client_rb << %Q{trusted_certs_dir "/etc/chef/trusted_certs"\n} + end + client_rb end @@ -155,6 +163,18 @@ CONFIG (@config[:first_boot_attributes] || {}).merge(:run_list => @run_list) end + private + def trusted_certs_content + content = "" + if @chef_config[:trusted_certs_dir] + Dir.glob(File.join(@chef_config[:trusted_certs_dir], "*.{crt,pem}")).each do |cert| + content << "cat > /etc/chef/trusted_certs/#{File.basename(cert)} <<'EOP'\n" + + IO.read(File.expand_path(cert)) + "\nEOP\n" + end + end + content + end + end end end diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb index 78be9632f6..41fc57338e 100644 --- a/spec/unit/knife/bootstrap_spec.rb +++ b/spec/unit/knife/bootstrap_spec.rb 
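Review bot: On a re-bootstrap the `cat >` heredocs emitted by `<%= trusted_certs %>` overwrite same-named files but never remove certificates that an earlier bootstrap placed in `/etc/chef/trusted_certs`, so a revoked or rotated CA stays trusted on the node until someone deletes it by hand; the `mkdir -p` in this hunk does not address that either. That is probably acceptable for a first version, but it should be documented rather than discovered: `<%# existing files in /etc/chef/trusted_certs are overwritten, never pruned -%>`. If pruning is wanted, the conservative option is to only ever write into a fresh directory and swap it in, which is a change to trusted_certs_content rather than to this template.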
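Review bot: The new public `trusted_certs` method returns shell text, not certificate data, and the name gives no hint of that to a template author or a future caller; the `||=` memoization also means a `:trusted_certs_dir` change after the first call is never observed. Suggest a short doc comment above the `def`: `# Shell snippet (one `cat > ... <<'EOP'` heredoc per *.crt/*.pem in @chef_config[:trusted_certs_dir]) that the bootstrap templates splice in verbatim; "" when there is nothing to transfer. Memoized.` The enclosing BootstrapContext class starts and ends outside this hunk.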
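Review bot: The `trusted_certs_dir "/etc/chef/trusted_certs"` line is emitted only when certificates were actually found, which is right, but nothing records that the node will presumably only consult that directory when it verifies the server certificate; the changelog hunk in this same diff mentions the separate `:node_ssl_verify_mode` option, so the two settings are easy to configure inconsistently. A comment tying them together would help: `# only consulted by the node when its ssl_verify_mode is :verify_peer; see :node_ssl_verify_mode`. config_content starts and ends outside this hunk, so I could not confirm where that option is rendered.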
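Review bot: `trusted_certs_content` interpolates `File.basename(cert)` unquoted into a `cat >` command and wraps the file body in a fixed `<<'EOP'` heredoc, so a file name with whitespace or shell metacharacters, or a .pem/.crt that happens to contain a line reading `EOP` (PEM files may carry arbitrary text between blocks), breaks out of the intended command and the remainder of the file runs as shell on the node as root. The directory is operator-controlled local config, so this is robustness and defense in depth rather than a remote vulnerability, but it is new exposure: the pre-existing encrypted_data_bag_secret heredoc used a fixed file name, whereas these names now come from a directory listing. `Dir.glob` also returns a directory named `foo.pem`, which makes `IO.read` raise EISDIR. I would validate the name, check the body for the terminator, and skip non-files. The enclosing BootstrapContext class starts and ends outside this hunk.
```ruby
      Dir.glob(File.join(@chef_config[:trusted_certs_dir], "*.{crt,pem}")).each do |cert|
        next unless File.file?(cert)
        name = File.basename(cert)
        # name and body are embedded verbatim in a shell script executed as root;
        # refuse anything that could break out of the `cat > ... <<'EOP'` heredoc
        unless name =~ /\A[\w.\-]+\z/
          raise ArgumentError, "trusted cert file name #{name.inspect} is not safe to embed in the bootstrap script"
        end
        pem = IO.read(File.expand_path(cert))
        if pem =~ /^EOP$/
          raise ArgumentError, "trusted cert #{name} contains the heredoc terminator EOP"
        end
        content << "cat > /etc/chef/trusted_certs/#{name} <<'EOP'\n" + pem + "\nEOP\n"
      end
      # … unchanged: outer `if @chef_config[:trusted_certs_dir]` guard and `content` return …
```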
@@ -355,6 +355,44 @@ describe Chef::Knife::Bootstrap do end end + describe "when transferring trusted certificates" do + let(:trusted_certs_dir) { File.join(CHEF_SPEC_DATA, 'trusted_certs') } + + let(:rendered_template) do + knife.merge_configs + knife.render_template + end + + before do + Chef::Config[:trusted_certs_dir] = trusted_certs_dir + IO.stub(:read).and_call_original + IO.stub(:read).with("/etc/chef/validation.pem").and_return("") + end + + def certificates + Dir[File.join(trusted_certs_dir, "*.{crt,pem}")] + end + + it "creates /etc/chef/trusted_certs" do + rendered_template.should match(%r{mkdir -p /etc/chef/trusted_certs}) + end + + it "copies the certificates in the directory" do + certificates.each do |cert| + IO.should_receive(:read).with(File.expand_path(cert)) + end + + certificates.each do |cert| + rendered_template.should match(%r{cat > /etc/chef/trusted_certs/#{File.basename(cert)} <<'EOP'}) + end + end + + it "doesn't create /etc/chef/trusted_certs if :trusted_certs_dir is empty" do + Dir.should_receive(:glob).with(File.join(trusted_certs_dir, "*.{crt,pem}")).and_return([]) + rendered_template.should_not match(%r{mkdir -p /etc/chef/trusted_certs}) + end + end + describe "when configuring the underlying knife ssh command" do context "from the command line" do let(:knife_ssh) do |
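Review bot: The "copies the certificates in the directory" example only asserts inside `certificates.each`, and the diffstat for this commit lists no fixture under spec/data, so unless `spec/data/trusted_certs` already exists in the repository the helper returns `[]` and the example passes vacuously; a guard such as `certificates.should_not be_empty` at the top of the example would make that failure visible. The hunk also never checks the client.rb side of the feature: add `rendered_template.should match(%r{trusted_certs_dir "/etc/chef/trusted_certs"})` to the positive case and a `should_not match` for the empty-directory case, since that line is what makes the node use the transferred files. The surrounding `describe Chef::Knife::Bootstrap` block starts and ends outside this hunk.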