author | Serdar Sutay <serdar@opscode.com> | 2014-08-28 13:51:08 -0700 |
---|---|---|
committer | Serdar Sutay <serdar@opscode.com> | 2014-08-28 13:51:08 -0700 |
commit | f0cc9ee51c50fb5f896b329d243ec273a65ff14a (patch) | |
tree | f080d2a38c9b42134c42d8db456ee1057d59be78 | |
parent | 395534b88d54e6ec57eadfaab81c736c688e7938 (diff) | |
parent | 753e7162f6fb2e45cd6082c3b58ebc41cd1c01a0 (diff) | |
download | chef-f0cc9ee51c50fb5f896b329d243ec273a65ff14a.tar.gz |
Merge pull request #1895 from opscode/mcquin/CHEF-5282
Add --ssl-verify-mode and --[no-]verify-api-cert options.
-rw-r--r-- | CHANGELOG.md | 2 | ||||
-rw-r--r-- | RELEASE_NOTES.md | 2 | ||||
-rw-r--r-- | lib/chef/knife/bootstrap.rb | 16 | ||||
-rw-r--r-- | lib/chef/knife/core/bootstrap_context.rb | 30 | ||||
-rw-r--r-- | spec/unit/knife/bootstrap_spec.rb | 43 | ||||
-rw-r--r-- | spec/unit/knife/core/bootstrap_context_spec.rb | 53 |
6 files changed, 145 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index ca8cff3958..48cefb0b68 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -109,6 +109,8 @@ * Remove the unused bootstrap templates that install chef from rubygems * Remove the Chef 10 functionality from bootstrap. * Deprecate --distro / --template_file options in favor of --boostrap-template +* Add `:node_ssl_verify_mode` & `:node_verify_api_cert` options to bootstrap + to be able to configure these settings on the bootstrapped node. ## Last Release: 11.14.2 diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index d67a1b9a04..33e405d273 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -6,7 +6,7 @@ Chef Client 12 introduces a set of changes to `knife bootstrap`. Here is the lis * Unused / untested bootstrap templates that install Chef Client from rubygems are removed. The recommended installation path for Chef Client is to use the omnibus packages. `chef-full` template (which is the default) installs Chef Client using omnibus packages on all the supported platforms. * `--distro` & `--template-file` options are deprecated in Chef 12 in favor of `--boostrap-template` option. This option can take a boostrap template name (e.g. 'chef-full') or the full path to a bootstrap template. - +* Chef now configures `:ssl_verify_mode` & `:verify_api_cert` config options on the node that is being bootstrapped. This setting can be controlled by `:node_ssl_verify_mode` & `:node_verify_api_cert` CLI options. If these are not specified the configured value will be inferred from knife config. ## Solaris Mount Provider diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb index cf4f3c7a0c..36a0fc1e47 100644 --- a/lib/chef/knife/bootstrap.rb +++ b/lib/chef/knife/bootstrap.rb 
@@ -188,6 +188,21 @@ class Chef :description => "Add options to curl when install chef-client", :proc => Proc.new { |co| Chef::Config[:knife][:bootstrap_curl_options] = co } + option :node_ssl_verify_mode, + :long => "--node-ssl-verify-mode [peer|none]", + :description => "Whether or not to verify the SSL cert for all HTTPS requests.", + :proc => Proc.new { |v| + valid_values = ["none", "peer"] + unless valid_values.include?(v) + raise "Invalid value '#{v}' for --node-ssl-verify-mode. Valid values are: #{valid_values.join(", ")}" + end + } + + option :node_verify_api_cert, + :long => "--[no-]node-verify-api-cert", + :description => "Verify the SSL cert for HTTPS requests to the Chef server API.", + :boolean => true + def bootstrap_template # For some reason knife.merge_configs doesn't pick up the default values from # Chef::Config[:knife][:bootstrap_template] unless Chef::Config[:knife][:bootstrap_template] @@ -204,6 +219,7 @@ class Chef if File.exists?(template) Chef::Log.debug("Using the specified bootstrap template: #{File.dirname(template)}") return template + end # Otherwise search the template directories until we find the right one diff --git a/lib/chef/knife/core/bootstrap_context.rb b/lib/chef/knife/core/bootstrap_context.rb index 0fdd77594a..12d422a162 100644 --- a/lib/chef/knife/core/bootstrap_context.rb +++ b/lib/chef/knife/core/bootstrap_context.rb 
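Review bot: The `:proc` on `option :node_ssl_verify_mode` returns `nil` on the valid path (an `unless` whose body does not run evaluates to nil), so the parsed value only ends up as "peer"/"none" if mixlib-cli substitutes the raw argument when the proc yields nothing; the passing `peer` spec suggests it currently does, but the option should not lean on that parser detail, so end the proc with `v` on its own line after the `unless … end`. Also, `"--node-ssl-verify-mode [peer|none]"` uses square brackets, which OptionParser reads as an optional argument, so a bare `--node-ssl-verify-mode` hands `nil` to the proc and reports `Invalid value ''` rather than a missing-argument error; `:long => "--node-ssl-verify-mode MODE",` with the accepted values listed in `:description` lets the parser produce its own error. The enclosing class starts and ends outside the hunk.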
@@ -64,6 +64,36 @@ CONFIG
 client_rb << "# Using default node name (fqdn)\n"
 end
+ # We configure :verify_api_cert only when it's overridden on the CLI
+ # or when specified in the knife config.
+ if !@config[:node_verify_api_cert].nil? || knife_config.has_key?(:verify_api_cert)
+ value = @config[:node_verify_api_cert].nil? ? knife_config[:verify_api_cert] : @config[:node_verify_api_cert]
+ client_rb << %Q{verify_api_cert #{value}\n}
+ end
+
+ # We configure :ssl_verify_mode only when it's overridden on the CLI
+ # or when specified in the knife config.
+ if @config[:node_ssl_verify_mode] || knife_config.has_key?(:ssl_verify_mode)
+ value = case @config[:node_ssl_verify_mode]
+ when "peer"
+ :verify_peer
+ when "none"
+ :verify_none
+ when nil
+ knife_config[:ssl_verify_mode]
+ else
+ nil
+ end
+
+ if value
+ client_rb << %Q{ssl_verify_mode :#{value}\n}
+ end
+ end
+
+ if @config[:ssl_verify_mode]
+ client_rb << %Q{ssl_verify_mode :#{knife_config[:ssl_verify_mode]}\n}
+ end
+
 if knife_config[:bootstrap_proxy]
 client_rb << %Q{http_proxy "#{knife_config[:bootstrap_proxy]}"\n}
 client_rb << %Q{https_proxy "#{knife_config[:bootstrap_proxy]}"\n}
diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb
index f28879fb4e..78be9632f6 100644
--- a/spec/unit/knife/bootstrap_spec.rb
+++ b/spec/unit/knife/bootstrap_spec.rb 
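Review bot: Values read from `knife_config` are spliced unchecked into the generated client.rb, which is Ruby source the node loads, while the equivalent CLI values are validated in bootstrap.rb: `client_rb << %Q{verify_api_cert #{value}\n}` emits whatever `knife_config[:verify_api_cert]` holds and `client_rb << %Q{ssl_verify_mode :#{value}\n}` emits whatever `knife_config[:ssl_verify_mode]` holds, so a mistyped knife.rb setting yields a client.rb that fails with `NameError` on the node's first run instead of a clear error at bootstrap time. The trailing `if @config[:ssl_verify_mode]` block re-emits the `ssl_verify_mode` line that the `when nil` branch already writes from `knife_config`, so if `@config[:ssl_verify_mode]` is ever populated (it is not one of bootstrap's own options) the template carries two `ssl_verify_mode` settings; it reads as a leftover and can be dropped, as can the `else` branch of the `case`, which is only reachable with a value the CLI validator already rejects. Restricting the emitted values to `true`/`false` and `verify_peer`/`verify_none` fails fast at knife and keeps the node's TLS setting unambiguous; the `:verify_api_cert => :false` fixture in bootstrap_context_spec.rb would then need to become `false`. `config_content` starts and ends outside the hunk.
```ruby
          # … unchanged: node_name handling above …
          if !@config[:node_verify_api_cert].nil? || knife_config.has_key?(:verify_api_cert)
            value = @config[:node_verify_api_cert].nil? ? knife_config[:verify_api_cert] : @config[:node_verify_api_cert]
            # Spliced into Ruby source the node loads, so only a real boolean may pass.
            unless [true, false].include?(value)
              raise ArgumentError, "verify_api_cert must be true or false, got #{value.inspect}"
            end
            client_rb << %Q{verify_api_cert #{value}\n}
          end

          if @config[:node_ssl_verify_mode] || knife_config.has_key?(:ssl_verify_mode)
            value = case @config[:node_ssl_verify_mode]
                    when "peer" then :verify_peer
                    when "none" then :verify_none
                    when nil    then knife_config[:ssl_verify_mode]
                    end
            if value
              unless %w[verify_peer verify_none].include?(value.to_s)
                raise ArgumentError, "ssl_verify_mode must be :verify_peer or :verify_none, got #{value.inspect}"
              end
              client_rb << %Q{ssl_verify_mode :#{value}\n}
            end
          end
          # … removed: the trailing `if @config[:ssl_verify_mode]` block …
          # … unchanged: bootstrap_proxy handling below …
```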
@@ -246,6 +246,46 @@ describe Chef::Knife::Bootstrap do
 rendered_template.should match(%r{.*no_proxy\s*"api.opscode.com,172.16.10.\*".*})
 end
 end
+
+ context "via --ssl-verify-mode none" do
+ let(:options) { ["--node-ssl-verify-mode", "none"] }
+
+ it "renders the client.rb with ssl_verify_mode set to :verify_none" do
+ rendered_template.should match(/ssl_verify_mode :verify_none/)
+ end
+ end
+
+ context "via --node-ssl-verify-mode peer" do
+ let(:options) { ["--node-ssl-verify-mode", "peer"] }
+
+ it "renders the client.rb with ssl_verify_mode set to :verify_peer" do
+ rendered_template.should match(/ssl_verify_mode :verify_peer/)
+ end
+ end
+
+ context "via --node-ssl-verify-mode all" do
+ let(:options) { ["--node-ssl-verify-mode", "all"] }
+
+ it "raises error" do
+ lambda{ rendered_template }.should raise_error
+ end
+ end
+
+ context "via --node-verify-api-cert" do
+ let(:options) { ["--node-verify-api-cert"] }
+
+ it "renders the client.rb with verify_api_cert set to true" do
+ rendered_template.should match(/verify_api_cert true/)
+ end
+ end
+
+ context "via --no-node-verify-api-cert" do
+ let(:options) { ["--no-node-verify-api-cert"] }
+
+ it "renders the client.rb with verify_api_cert set to false" do
+ rendered_template.should match(/verify_api_cert false/)
+ end
+ end
 end
 describe "specifying the encrypted data bag secret key" do
@@ -483,6 +523,9 @@ describe Chef::Knife::Bootstrap do
 knife_ssh.should_receive(:run).and_raise(Net::SSH::AuthenticationFailed)
 lambda { knife.run }.should raise_error(Net::SSH::AuthenticationFailed)
 end
+ end
+
+ describe "specifying ssl verification" do
 end
diff --git a/spec/unit/knife/core/bootstrap_context_spec.rb b/spec/unit/knife/core/bootstrap_context_spec.rb
index c5ad531a27..064f8c5621 100644
--- a/spec/unit/knife/core/bootstrap_context_spec.rb
+++ b/spec/unit/knife/core/bootstrap_context_spec.rb 
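Review bot: The first new context is labelled `"via --ssl-verify-mode none"` while its `let(:options)` passes `--node-ssl-verify-mode`, so the description names an option that does not exist; the sibling contexts use the real name. The `"raises error"` example uses a bare `lambda{ rendered_template }.should raise_error`, which passes for any exception, a typo in the spec included, and so does not show that `all` was rejected by the validator; `lambda { rendered_template }.should raise_error(RuntimeError, /Invalid value 'all'/)` pins the message the option's proc raises. The second hunk adds `describe "specifying ssl verification" do` with no examples, closed by the pre-existing `end`, which reads as leftover scaffolding and should either receive the five contexts above or be removed.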
@@ -168,4 +168,57 @@ EXPECTED bootstrap_context.latest_current_chef_version_string.should eq("-v #{Chef::VERSION.to_i}") end end + + describe "ssl_verify_mode" do + it "isn't set in the config_content by default" do + bootstrap_context.config_content.should_not include("ssl_verify_mode") + end + + describe "when configured in config" do + let(:chef_config) do + { + :knife => {:ssl_verify_mode => :verify_peer} + } + end + + it "uses the config value" do + bootstrap_context.config_content.should include("ssl_verify_mode :verify_peer") + end + + describe "when configured via CLI" do + let(:config) {{:node_ssl_verify_mode => "none"}} + + it "uses CLI value" do + bootstrap_context.config_content.should include("ssl_verify_mode :verify_none") + end + end + end + end + + describe "verify_api_cert" do + it "isn't set in the config_content by default" do + bootstrap_context.config_content.should_not include("verify_api_cert") + end + + describe "when configured in config" do + let(:chef_config) do + { + :knife => {:verify_api_cert => :false} + } + end + + it "uses the config value" do + bootstrap_context.config_content.should include("verify_api_cert false") + end + + describe "when configured via CLI" do + let(:config) {{:node_verify_api_cert => true}} + + it "uses CLI value" do + bootstrap_context.config_content.should include("verify_api_cert true") + end + end + end + end + end |
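Review bot: The `"when configured in config"` fixture for verify_api_cert sets `:verify_api_cert => :false`, a Symbol rather than the boolean `false`; the example passes only because the Symbol interpolates as the text `false`, so it neither shows that a boolean from knife.rb is handled nor would it catch any value that happens to stringify into valid Ruby. Use `:knife => {:verify_api_cert => false}` so the fixture matches what a knife.rb actually provides. The nested `"when configured via CLI"` contexts exercise CLI-over-config precedence (config says `:verify_peer`, CLI says `none`), which is worth stating in their descriptions, e.g. `describe "when the CLI value overrides the config"`. The enclosing describe block starts outside the hunk.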