CHEF-5282: add "verify-api-cert true" to be default in bootstrap client config and add ssl peer verify as option. #1416

wants to merge 6 commits into from
8 changes: 8 additions & 0 deletions lib/chef/knife/bootstrap.rb
Expand Up @@ -94,6 +94,14 @@ class Bootstrap < Knife
:description => "Do not proxy locations for the node being bootstrapped; this option is used internally by Opscode",
:proc => Proc.new { |np| Chef::Config[:knife][:bootstrap_no_proxy] = np }

option :disable_api_cert_verify,
:long => "--disable-api-cert-verify",
:description => "Disables SSL certificate verification against your Chef server"

option :client_ssl_peer_verify,
:long => "--client-ssl-peer-verify",
:description => "Enables SSL peer verification in client configuration"

option :distro,
:short => "-d DISTRO",
:long => "--distro DISTRO",
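Review bot: The description of `:disable_api_cert_verify` states what the switch does but not what it gives up: once the generated client.rb carries `verify_api_cert false` the bootstrapped node accepts whatever certificate is presented at the configured server URL, and `knife bootstrap --help` gives the operator no hint of that. I would make it explicit, e.g. `:description => "Disables SSL certificate verification against your Chef server (the client will trust any certificate; intended for test setups)"`. Neither new option declares `:boolean => true`; if the other valueless switches in this class do (the `Bootstrap` class header is above the hunk, so I cannot see them), add it to both so mixlib-cli handles them the same way. The `--client-ssl-peer-verify` description could likewise say which connections `ssl_verify_mode :verify_peer` covers, as far as the author knows it, so the two switches are not mistaken for opposites of each other.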
10 changes: 10 additions & 0 deletions lib/chef/knife/core/bootstrap_context.rb
Expand Up @@ -66,6 +66,16 @@ def config_content
chef_server_url "#{@chef_config[:chef_server_url]}"
validation_client_name "#{@chef_config[:validation_client_name]}"
CONFIG
if @config[:disable_api_cert_verify]
client_rb << %Q{verify_api_cert false\n}
else
client_rb << %Q{verify_api_cert true\n}
end

if @config[:client_ssl_peer_verify]
client_rb << %Q{ssl_verify_mode :verify_peer\n}
end

if @config[:chef_node_name]
client_rb << %Q{node_name "#{@config[:chef_node_name]}"\n}
else
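Review bot: The `if`/`else` at the top of the hunk only chooses between two literals and can be one line that also makes the default visible: `client_rb << %Q{verify_api_cert #{!@config[:disable_api_cert_verify]}\n}`. Nothing in the code records why the generated default is now the verifying one; a comment such as `# CHEF-5282: verify the server certificate by default; --disable-api-cert-verify opts out` above that line would save the next reader a trip to the tracker. When `:client_ssl_peer_verify` is unset no `ssl_verify_mode` line is written at all, so the node's behaviour depends on the client's built-in default rather than on anything in the file it was given; if that default is known here, consider emitting it explicitly (with the spec fixtures updated) so the generated config is self-describing. `config_content` begins and ends outside this hunk.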
15 changes: 15 additions & 0 deletions spec/unit/knife/core/bootstrap_context_spec.rb
Expand Up @@ -57,6 +57,7 @@
log_location STDOUT
chef_server_url "http://chef.example.com:4444"
validation_client_name "chef-validator-testing"
verify_api_cert true
# Using default node name (fqdn)
EXPECTED
bootstrap_context.config_content.should eq expected
Expand Down Expand Up @@ -102,6 +103,20 @@
end
end

describe "when disabling SSL cert verification against Chef server" do
let(:config){ {:disable_api_cert_verify => true }}
it "supplies --disable-api-cert-verify as a flag to disable SSL cert verification against Chef" do
bootstrap_context.config_content.should match(/verify_api_cert false/)
end
end

describe "when enabling SSL peer verification" do
let(:config){ {:client_ssl_peer_verify => true }}
it "supplies --client-ssl-peer-verify as a flag to indicate enabling peer verification for the client" do
bootstrap_context.config_content.should match(/ssl_verify_mode \:verify_peer/)
end
end

describe "when installing an explicit version of chef" do
let(:chef_config) do
{
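Review bot: The pattern `/ssl_verify_mode \:verify_peer/` in the second hunk escapes a colon that needs no escaping; `match(/ssl_verify_mode :verify_peer/)` reads cleaner and is what RuboCop would ask for. The new examples cover only the opt-in paths: nothing asserts that the default fixture (the first hunk's `verify_api_cert true`) contains no `ssl_verify_mode` line, and the disable example does not check that the verifying line is gone, e.g. `bootstrap_context.config_content.should_not match(/verify_api_cert true/)`. The example descriptions name CLI flags (`--disable-api-cert-verify`, `--client-ssl-peer-verify`) although these specs set the `config` hash directly, so describing the hash keys would match what is actually exercised.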