From 2587a9f7e35b7083b22659caf96ae76bfca276be Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Tue, 6 Sep 2022 15:38:21 -0700 Subject: [PATCH 1/9] (profile::core::common) add manage_resolv_conf param This param is needed to allow management of hosts in which we do not want to manage the content of /etc/resolv.conf. --- site/profile/manifests/core/common.pp | 10 +++++- spec/classes/core/common_spec.rb | 45 +++++++++++++++++++++------ 2 files changed, 44 insertions(+), 11 deletions(-) diff --git a/site/profile/manifests/core/common.pp b/site/profile/manifests/core/common.pp index d66f611e72..14c0f4f698 100644 --- a/site/profile/manifests/core/common.pp +++ b/site/profile/manifests/core/common.pp @@ -46,6 +46,9 @@ # @param manage_irqbalance # If `true`, manage irqbalance # +# @param manage_resolv_conf +# If `true`, manage resolv.conf +# class profile::core::common ( Boolean $deploy_icinga_agent = false, Boolean $manage_puppet_agent = true, @@ -61,6 +64,7 @@ Boolean $manage_scl = true, Boolean $manage_repos = true, Boolean $manage_irqbalance = true, + Boolean $manage_resolv_conf = true, ) { include accounts include augeas @@ -78,7 +82,6 @@ include profile::core::selinux include profile::core::systemd include profile::core::yum - include resolv_conf include rsyslog include rsyslog::config include selinux @@ -159,6 +162,11 @@ include scl } } + + if $manage_resolv_conf { + include resolv_conf + } + class { 'lldpd': manage_repo => true, } diff --git a/spec/classes/core/common_spec.rb b/spec/classes/core/common_spec.rb index 1b68231008..ca95c1cef0 100644 --- a/spec/classes/core/common_spec.rb +++ b/spec/classes/core/common_spec.rb 
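Review bot: The new `@param manage_resolv_conf` entry says only `If true, manage resolv.conf`, which leaves an operator guessing what `false` does to a host that is already under management. I'd spell it out in the manifest, e.g. `# If true, manage the content of /etc/resolv.conf via the resolv_conf class. If false, the file is left exactly as found and name resolution for the host must be configured out of band.` The commit message carries this rationale; the class documentation should too, since that is what `puppet strings` and the next reader will see.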
@@ -7,18 +7,43 @@ context "on #{os}" do let(:facts) { facts } - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('hosts') } - it { is_expected.to contain_class('network') } - it { is_expected.to contain_class('profile::core::nm_dispatch') } - it { is_expected.to contain_package('ca-certificates').with_ensure('latest') } - - it do - is_expected.to contain_service('NetworkManager').with(ensure: 'running', enable: true) + context 'with no params' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('hosts') } + it { is_expected.to contain_class('network') } + it { is_expected.to contain_class('resolv_conf') } + it { is_expected.to contain_class('profile::core::nm_dispatch') } + it { is_expected.to contain_package('ca-certificates').with_ensure('latest') } + + it do + is_expected.to contain_service('NetworkManager').with(ensure: 'running', enable: true) + end + + it do + is_expected.to contain_file('/etc/sysconfig/network-scripts/ifcfg-').with_ensure('absent') + end end - it do - is_expected.to contain_file('/etc/sysconfig/network-scripts/ifcfg-').with_ensure('absent') + context 'with resolv_conf param' do + context 'when false' do + let(:params) do + { + manage_resolv_conf: false, + } + end + + it { is_expected.not_to contain_class('resolv_conf') } + end + + context 'when true' do + let(:params) do + { + manage_resolv_conf: true, + } + end + + it { is_expected.to contain_class('resolv_conf') } + end end end end From 8f543686ebd86c506538d9b787dabe7eff3af29d Mon Sep 17 00:00:00 2001 
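Review bot: The `when false` context asserts only `not_to contain_class('resolv_conf')` and never checks that the catalog still compiles without that class, which is the failure most likely to slip through (any resource elsewhere in `profile::core::common` that references `Class['resolv_conf']` for ordering would only surface at compile time). Add `it { is_expected.to compile.with_all_deps }` to both the `when false` and `when true` contexts so the conditional include is exercised end to end. Whether anything in the profile actually depends on `resolv_conf` is not visible in this hunk.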
From: Joshua Hoblitt Date: Tue, 6 Sep 2022 15:42:38 -0700 Subject: [PATCH 2/9] (tel-lt1.tu node) disable management of resolv.conf This host is currently in 140.252.32/23 and unable to reach the regular tu nameservers. --- hieradata/node/tel-lt1.tu.lsst.org.yaml | 2 ++ spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb | 25 ++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 hieradata/node/tel-lt1.tu.lsst.org.yaml create mode 100644 spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb diff --git a/hieradata/node/tel-lt1.tu.lsst.org.yaml b/hieradata/node/tel-lt1.tu.lsst.org.yaml new file mode 100644 index 0000000000..530b3da102 --- /dev/null +++ b/hieradata/node/tel-lt1.tu.lsst.org.yaml @@ -0,0 +1,2 @@ +--- +profile::core::common::manage_resolv_conf: false diff --git a/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb b/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb new file mode 100644 index 0000000000..dc8429707a --- /dev/null +++ b/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'tel-lt1.tu.lsst.org', :site do + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge( + fqdn: 'tel-lt1.tu.lsst.org', + ) + end + + let(:node_params) do + { + role: 'generic', + site: 'tu', + } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.not_to contain_class('resolv_conf') } + end # on os + end # on_supported_os +end # role From be22ef1339ddefc27e5dcb2d66512f1a7106634e Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Tue, 6 Sep 2022 16:05:55 -0700 Subject: [PATCH 3/9] (tel-hw1.tu node) allow login as saluser from saluser@tel-lt1.tu.lsst.org --- .rubocop.yml | 2 ++ hieradata/node/tel-hw1.tu.lsst.org.yaml | 6 ++++ spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb | 31 ++++++++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb 
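Review bot: `profile::core::common::manage_resolv_conf: false` in the new node file carries no explanation, so the next person touching tel-lt1 will not know that resolv.conf is hand-maintained or why; the reason (the host sits in 140.252.32/23 and cannot reach the tu nameservers) lives only in the commit message. Put it in the file above the key: `# resolv.conf is unmanaged: this host is in 140.252.32/23 and cannot reach the regular tu nameservers; DNS must be configured by hand.` Later commits in this series add Kerberos k5login trusts for this host, and Kerberos typically depends on name resolution for KDC discovery and hostname canonicalization, so an unmanaged resolver becomes a silent point of failure worth flagging where the setting lives.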
diff --git a/.rubocop.yml b/.rubocop.yml index fed20ee310..b463588725 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -126,3 +126,5 @@ RSpec/ImplicitSubject: Enabled: false Style/CommentedKeyword: Enabled: false +Naming/FileName: + Enabled: false diff --git a/hieradata/node/tel-hw1.tu.lsst.org.yaml b/hieradata/node/tel-hw1.tu.lsst.org.yaml index d859bfd09a..9c543158c7 100644 --- a/hieradata/node/tel-hw1.tu.lsst.org.yaml +++ b/hieradata/node/tel-hw1.tu.lsst.org.yaml @@ -29,3 +29,9 @@ network::mroutes_hash: routes: "140.252.147.16/28": "140.252.147.129" "140.252.147.48/28": "140.252.147.129" + +profile::core::k5login::k5login: + "/home/saluser/.k5login": + ensure: "present" + principals: + - "saluser/tel-lt1.tu.lsst.org@LSST.CLOUD" diff --git a/spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb b/spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb new file mode 100644 index 0000000000..35d7076029 --- /dev/null +++ b/spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb @@ -0,0 +1,31 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'tel-hw1.tu.lsst.org', :site do + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge( + fqdn: 'tel-hw1.tu.lsst.org', + ) + end + + let(:node_params) do + { + role: 'generic', + site: 'tu', + } + end + + it { is_expected.to compile.with_all_deps } + + it do + is_expected.to contain_k5login('/home/saluser/.k5login').with( + ensure: 'present', + principals: ['saluser/tel-lt1.tu.lsst.org@LSST.CLOUD'], + ) + end + end # on os + end # on_supported_os +end # role From 85a57a314faab4f43da8e3afa24e794da095c2d1 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 7 Sep 2022 08:47:20 -0700 Subject: [PATCH 4/9] (tel-lt1.tu node) allow login as saluser from saluser@tel-hw1.tu.lsst.org --- hieradata/node/tel-lt1.tu.lsst.org.yaml | 5 +++++ spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb | 7 +++++++ 2 files changed, 12 insertions(+) 
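Review bot: `Naming/FileName: Enabled: false` switches the cop off for the whole repository, when the only files it objects to are the new per-node specs whose names contain dots (`tel-hw1.tu.lsst.org_spec.rb`). Scope the exemption instead: `Naming/FileName:` / `  Exclude:` / `    - 'spec/hosts/**/*'`. That keeps the check active for ordinary Ruby files elsewhere in the tree, where a mis-cased or dotted filename is still a genuine mistake.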
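Review bot: The `.k5login` entry for `/home/saluser/.k5login` lets whoever holds the `saluser/tel-lt1.tu.lsst.org` keytab log in as `saluser` on this host, so the file's ownership and mode are what stop a local user from appending their own principal. The `profile::core::k5login` define that renders it is not in this diff; confirm it sets the owner to `saluser` (or root) and a mode that is not group- or world-writable, since the Kerberos library's `k5login` checks hinge on exactly that. The hieradata would also benefit from a one-line comment above the key, e.g. `# saluser on tel-lt1 may log in as saluser here via its service keytab (see tel-lt1.tu.lsst.org.yaml)`.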
diff --git a/hieradata/node/tel-lt1.tu.lsst.org.yaml b/hieradata/node/tel-lt1.tu.lsst.org.yaml index 530b3da102..b5c5018f04 100644 --- a/hieradata/node/tel-lt1.tu.lsst.org.yaml +++ b/hieradata/node/tel-lt1.tu.lsst.org.yaml @@ -1,2 +1,7 @@ --- profile::core::common::manage_resolv_conf: false +profile::core::k5login::k5login: + "/home/saluser/.k5login": + ensure: "present" + principals: + - "saluser/tel-hw1.tu.lsst.org@LSST.CLOUD" diff --git a/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb b/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb index dc8429707a..f2e998d3dc 100644 --- a/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb +++ b/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb @@ -20,6 +20,13 @@ it { is_expected.to compile.with_all_deps } it { is_expected.not_to contain_class('resolv_conf') } + + it do + is_expected.to contain_k5login('/home/saluser/.k5login').with( + ensure: 'present', + principals: ['saluser/tel-hw1.tu.lsst.org@LSST.CLOUD'], + ) + end end # on os end # on_supported_os end # role From f71555c7b781187abb836d7cbc090a9a16e53683 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 7 Sep 2022 09:25:42 -0700 Subject: [PATCH 5/9] (profile::archive::forwarder) rm hieradata fixture; class was deleted --- spec/fixtures/hieradata/common.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index 09e94e9df3..2fac0acead 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml @@ -6,7 +6,6 @@ easy_ipa::directory_services_password: "foofoofoofoo" # ipa master only easy_ipa::domain_join_password: "foofoofoofoo" # 8 char min foreman_proxy::plugin::dns::route53::aws_access_key: "foo" foreman_proxy::plugin::dns::route53::aws_secret_key: "foo" -profile::archive::forwarder::keytab_base64: "foo" profile::ccs::krb5_token::keytab_base64: "foo" profile::ccs::krb5_token::uid: "foo" profile::ccs::krb5_token::user: "foo" 
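Review bot: With this entry the saluser trust between tel-lt1 and tel-hw1 becomes mutual: each host's service keytab is an unattended credential for the other host's `saluser` account, so compromise of either box yields the other. The hieradata should say so explicitly, e.g. `# mutual saluser trust with tel-hw1 (see tel-hw1.tu.lsst.org.yaml); the keytab on that host grants login here`. Whether the `saluser/tel-hw1.tu.lsst.org` keytab is actually provisioned on tel-hw1, and by which profile, is not visible in this patch.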
From 52735ead8ab74e2b0caaf38f249c3642cc0935f9 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 7 Sep 2022 09:47:16 -0700 Subject: [PATCH 6/9] (profile::util::keytab) convert keytab_base64 param to Sensitive --- site/profile/manifests/ccs/krb5_token.pp | 2 +- site/profile/manifests/core/ipa_pwd_reset.pp | 4 ++-- site/profile/manifests/core/rke.pp | 6 +++--- site/profile/manifests/util/keytab.pp | 13 +++++++------ spec/classes/core/ipa_pwd_reset_spec.rb | 6 +++--- spec/classes/core/rke_spec.rb | 4 ++-- spec/defines/util/keytab_spec.rb | 3 ++- spec/fixtures/hieradata/common.yaml | 3 +++ 8 files changed, 23 insertions(+), 18 deletions(-) diff --git a/site/profile/manifests/ccs/krb5_token.pp b/site/profile/manifests/ccs/krb5_token.pp index bdd8b668f6..8a7ed0021d 100644 --- a/site/profile/manifests/ccs/krb5_token.pp +++ b/site/profile/manifests/ccs/krb5_token.pp @@ -13,7 +13,7 @@ class profile::ccs::krb5_token ( String $user, Integer $uid, - String $keytab_base64, + Sensitive[String[1]] $keytab_base64, ) { profile::util::keytab { $user: uid => $uid, diff --git a/site/profile/manifests/core/ipa_pwd_reset.pp b/site/profile/manifests/core/ipa_pwd_reset.pp index 4a031e37bf..aff23f0e90 100644 --- a/site/profile/manifests/core/ipa_pwd_reset.pp +++ b/site/profile/manifests/core/ipa_pwd_reset.pp @@ -15,7 +15,7 @@ # class profile::core::ipa_pwd_reset ( - String $keytab_base64, + Sensitive[String[1]] $keytab_base64, String $secret_key, String $ldap_user, String $ldap_pwd, @@ -103,7 +103,7 @@ # Create Keytab file { "${keytab_path}/${ldap_user}.keytab": ensure => file, - content => base64('decode', $keytab_base64), + content => base64('decode', $keytab_base64.unwrap), mode => '0600', owner => $ldap_user, group => $ldap_user, diff --git a/site/profile/manifests/core/rke.pp b/site/profile/manifests/core/rke.pp index d4643f4c8f..83b934ae45 100644 --- a/site/profile/manifests/core/rke.pp +++ b/site/profile/manifests/core/rke.pp 
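Review bot: Only `$keytab_base64` is converted to `Sensitive[String[1]]` in `profile::core::ipa_pwd_reset`, while `String $secret_key`, `String $ldap_user` and `String $ldap_pwd` on the adjacent lines stay plain; `$secret_key` and `$ldap_pwd` are at least as secret as the keytab and will still appear unredacted wherever parameters are printed or reported. Change them in the same commit: `Sensitive[String[1]] $secret_key,` and `Sensitive[String[1]] $ldap_pwd,`, unwrapping at the point of use exactly as the keytab now is. Where those two values are consumed lies outside this hunk, so the unwrap sites would need a matching edit.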
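Review bot: The `file` resource for `${keytab_path}/${ldap_user}.keytab` receives the decoded keytab as an ordinary String (`base64('decode', $keytab_base64.unwrap)`) and has no `show_diff => false`, so the unwrap discards the Sensitive typing right where it matters: a content change on this file can be diffed into the agent log and the report. The `profile::util::keytab` hunk in this same patch adds `show_diff => false, # do not print keytab in logs`; do the same here, and prefer keeping the value flagged on the resource itself: `content => Sensitive(base64('decode', $keytab_base64.unwrap)),`. The rest of the resource (`mode => '0600'`, owner/group) already looks right.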
@@ -11,9 +11,9 @@ # Version of rke utility to install # class profile::core::rke ( - Boolean $enable_dhcp = false, - Optional[String] $keytab_base64 = undef, - String $version = '1.3.3', + Boolean $enable_dhcp = false, + Optional[Sensitive[String[1]]] $keytab_base64 = undef, + String $version = '1.3.3', ) { $user = 'rke' $uid = 75500 diff --git a/site/profile/manifests/util/keytab.pp b/site/profile/manifests/util/keytab.pp index d8034792ee..ba066db5ff 100644 --- a/site/profile/manifests/util/keytab.pp +++ b/site/profile/manifests/util/keytab.pp @@ -12,7 +12,7 @@ # define profile::util::keytab ( Integer $uid, - String $keytab_base64, + Sensitive[String[1]] $keytab_base64, ) { $home_path = "/home/${name}" $keytab_path = "${home_path}/.keytab" @@ -24,11 +24,12 @@ mode => '0700', }) file { $keytab_path: - ensure => file, - owner => $name, - group => $name, - mode => '0400', - content => base64('decode', $keytab_base64), + ensure => file, + owner => $name, + group => $name, + mode => '0400', + show_diff => false, # do not print keytab in logs + content => base64('decode', $keytab_base64.unwrap), } cron { 'k5start_root': diff --git a/spec/classes/core/ipa_pwd_reset_spec.rb b/spec/classes/core/ipa_pwd_reset_spec.rb index 87e8c4f8ba..210a4149e7 100644 --- a/spec/classes/core/ipa_pwd_reset_spec.rb +++ b/spec/classes/core/ipa_pwd_reset_spec.rb @@ -18,10 +18,10 @@ context 'with no params' do let(:params) do { - keytab_base64: 'foo', - secret_key: 'bar', - ldap_user: 'baz', + keytab_base64: sensitive('foo'), ldap_pwd: 'quix', + ldap_user: 'baz', + secret_key: 'bar', } end diff --git a/spec/classes/core/rke_spec.rb b/spec/classes/core/rke_spec.rb index d4f8699cee..0e241bd20a 100644 --- a/spec/classes/core/rke_spec.rb +++ b/spec/classes/core/rke_spec.rb @@ -67,7 +67,7 @@ context 'when 42' do let(:params) do { - keytab_base64: '42', + keytab_base64: sensitive('42'), } end 
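Review bot: `show_diff => false` suppresses the diff, but `content => base64('decode', $keytab_base64.unwrap)` still hands the decoded keytab to the `file` resource as a plain String, so the Sensitive wrapper is stripped before the value ever reaches the agent and nothing marks the parameter as sensitive in reports or `puppet resource` output. Wrapping the result keeps it flagged all the way through: `content => Sensitive(base64('decode', $keytab_base64.unwrap)),`. If the target Puppet version supports `Binary` content (not visible here), `Sensitive(Binary($keytab_base64.unwrap))` would additionally avoid carrying raw keytab bytes inside a UTF-8 String and drop the stdlib `base64` call.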
@@ -76,7 +76,7 @@ it do is_expected.to contain_profile__util__keytab('rke').with( uid: 75_500, - keytab_base64: '42', + keytab_base64: sensitive('42'), ) end end diff --git a/spec/defines/util/keytab_spec.rb b/spec/defines/util/keytab_spec.rb index 153d209b26..b02636f271 100644 --- a/spec/defines/util/keytab_spec.rb +++ b/spec/defines/util/keytab_spec.rb @@ -7,7 +7,7 @@ context "on #{os}" do let(:facts) { facts } let(:title) { 'foo' } - let(:params) { { 'uid' => 123, 'keytab_base64' => 'YmFy' } } + let(:params) { { 'uid' => 123, 'keytab_base64' => sensitive('YmFy') } } it { is_expected.to compile.with_all_deps } @@ -26,6 +26,7 @@ owner: 'foo', group: 'foo', mode: '0400', + show_diff: false, content: 'bar', ) end diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index 2fac0acead..62b0983afe 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml @@ -1,4 +1,7 @@ --- +lookup_options: + '^profile::.+::keytab_base64$': + convert_to: "Sensitive" ccs_database::database: "comcamdbprod" ccs_database::password: "foo" easy_ipa::admin_password: "foofoofoofoo" # ipa master only From 2271f8308b38ed63147aa296019faccc384eb638 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 7 Sep 2022 10:12:16 -0700 Subject: [PATCH 7/9] (profile::core::keytab) fwv Generates profile::util::keytab resources. --- site/profile/manifests/core/keytab.pp | 17 ++++++++++++ spec/classes/core/keytab_spec.rb | 40 +++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 site/profile/manifests/core/keytab.pp create mode 100644 spec/classes/core/keytab_spec.rb diff --git a/site/profile/manifests/core/keytab.pp b/site/profile/manifests/core/keytab.pp new file mode 100644 index 0000000000..cc63ae7d4c --- /dev/null +++ b/site/profile/manifests/core/keytab.pp 
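Review bot: The `lookup_options` that coerce `^profile::.+::keytab_base64$` to `Sensitive` are added only to `spec/fixtures/hieradata/common.yaml`, while the parameter types in this patch now reject a plain String; any real host whose `keytab_base64` comes from hiera as a string will fail catalog compilation with a type mismatch unless the production hieradata carries the same option. That file is not in the diff, so I cannot tell whether it already has it; please confirm, or add the same three lines to `hieradata/common.yaml` in this commit so the fixture and production behave alike. A short comment next to the regex, `# keytab_base64 params are typed Sensitive[String[1]]; convert at lookup time`, would explain why the pattern exists.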
@@ -0,0 +1,17 @@ +# @summary +# Generates profile::util::keytab resources +# +# @param keytab +# Hash of keytab resources to create +# +class profile::core::keytab ( + Optional[Hash[String[1], Hash[String[1], NotUndef]]] $keytab = undef, +) { + if $keytab { + $keytab.each | String $name, Hash $conf | { + profile::util::keytab { $name: + * => $conf, + } + } + } +} diff --git a/spec/classes/core/keytab_spec.rb b/spec/classes/core/keytab_spec.rb new file mode 100644 index 0000000000..e3219f0f9e --- /dev/null +++ b/spec/classes/core/keytab_spec.rb @@ -0,0 +1,40 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'profile::core::keytab' do + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts + end + + context 'with no parameters' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to have_profile__util__keytab_resource_count(0) } + end + + context 'with keytab param' do + let(:params) do + { + keytab: { + foo: { + uid: 1234, + keytab_base64: sensitive('Zm9v'), + }, + }, + } + end + + it { is_expected.to have_profile__util__keytab_resource_count(1) } + + it do + is_expected.to contain_profile__util__keytab('foo').with( + uid: 1234, + keytab_base64: sensitive('Zm9v'), + ) + end + end + end + end +end From 6cd7896d66ce969d718595530e3794fbe311f3bb Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 7 Sep 2022 10:41:45 -0700 Subject: [PATCH 8/9] (profile::core::common) include profile::core::keytab --- site/profile/manifests/core/common.pp | 1 + spec/classes/core/common_spec.rb | 1 + 2 files changed, 2 insertions(+) diff --git a/site/profile/manifests/core/common.pp b/site/profile/manifests/core/common.pp index 14c0f4f698..e9c7c70683 100644 --- a/site/profile/manifests/core/common.pp +++ b/site/profile/manifests/core/common.pp 
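Review bot: A `keytab_base64` value supplied through this hash arrives as a plain String when it comes from hiera, because the `lookup_options` added elsewhere in this series key on `^profile::.+::keytab_base64$`, which does not match `profile::core::keytab::keytab`; the splat then hands that String to `profile::util::keytab`, whose parameter is now `Sensitive[String[1]]`, so compilation fails (or, if someone loosens the type to make it pass, the keytab is exposed in the catalog). The spec only passes `sensitive('Zm9v')` in directly, so this path is untested. Wrap the value in the class before splatting, and add a spec case that supplies a plain-string `keytab_base64` and expects the resource to receive a Sensitive value; a sketch follows.
```puppet
class profile::core::keytab (
  Optional[Hash[String[1], Hash[String[1], NotUndef]]] $keytab = undef,
) {
  if $keytab {
    $keytab.each |String $name, Hash $conf| {
      # keytab_base64 nested inside this hash is not covered by the
      # '^profile::.+::keytab_base64$' lookup_options, so a value that
      # arrives from hiera as a plain String is wrapped here; anything
      # else is left for profile::util::keytab's own type check.
      $params = $conf['keytab_base64'] ? {
        Sensitive => $conf,
        String    => $conf + { 'keytab_base64' => Sensitive($conf['keytab_base64']) },
        default   => $conf,
      }
      profile::util::keytab { $name:
        * => $params,
      }
    }
  }
}
```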
@@ -78,6 +78,7 @@ include profile::core::ipa include profile::core::k5login include profile::core::kernel + include profile::core::keytab include profile::core::nm_dispatch include profile::core::selinux include profile::core::systemd diff --git a/spec/classes/core/common_spec.rb b/spec/classes/core/common_spec.rb index ca95c1cef0..34fe740840 100644 --- a/spec/classes/core/common_spec.rb +++ b/spec/classes/core/common_spec.rb @@ -12,6 +12,7 @@ it { is_expected.to contain_class('hosts') } it { is_expected.to contain_class('network') } it { is_expected.to contain_class('resolv_conf') } + it { is_expected.to contain_class('profile::core::keytab') } it { is_expected.to contain_class('profile::core::nm_dispatch') } it { is_expected.to contain_package('ca-certificates').with_ensure('latest') } From 44b50a8c39035d692d97cfdd786dae4df6d46c76 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 7 Sep 2022 17:51:29 -0700 Subject: [PATCH 9/9] (profile::util::keytab) make TGT non-forwardable Generally, we want to allow ssh between 2 pair of hosts only. We don't not want the TGT to be reusable to make another hop from the destination host. If additional access from the destination ssh host is needed, a role user TGT should also be present on the destination host. --- site/profile/manifests/util/keytab.pp | 2 +- spec/defines/util/keytab_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/util/keytab.pp b/site/profile/manifests/util/keytab.pp index ba066db5ff..385a6d6ce4 100644 --- a/site/profile/manifests/util/keytab.pp +++ b/site/profile/manifests/util/keytab.pp @@ -33,7 +33,7 @@ } cron { 'k5start_root': - command => "/usr/bin/k5start -f ${keytab_path} -U -o ${uid} -k /tmp/krb5cc_${uid} -H 60 > /dev/null 2>&1", + command => "/usr/bin/k5start -f ${keytab_path} -U -o ${uid} -k /tmp/krb5cc_${uid} -H 60 -F > /dev/null 2>&1", user => 'root', minute => '*/1', require => File[$keytab_path], 
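Review bot: `-F` only asks the KDC not to issue a forwardable TGT; it is a client-side request, and anyone holding `${keytab_path}` can still run `kinit -f -k -t` themselves and obtain a forwardable ticket, so on its own it does not enforce the one-hop policy the commit message describes. Enforce it where it cannot be bypassed by also clearing the forwardable flag on the `saluser/<host>` principals at the KDC (MIT: `kadmin modprinc -allow_forwardable`; the equivalent for a FreeIPA-backed realm, which the `easy_ipa` keys in the spec fixture suggest LSST.CLOUD is, is not visible here). The intent is also worth a comment beside the cron resource, e.g. `# -F: request a non-forwardable TGT so the credential cannot be delegated onward from the ssh destination host`.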
diff --git a/spec/defines/util/keytab_spec.rb b/spec/defines/util/keytab_spec.rb index b02636f271..df11adad06 100644 --- a/spec/defines/util/keytab_spec.rb +++ b/spec/defines/util/keytab_spec.rb @@ -33,7 +33,7 @@ it do is_expected.to contain_cron('k5start_root').with( - command: '/usr/bin/k5start -f /home/foo/.keytab -U -o 123 -k /tmp/krb5cc_123 -H 60 > /dev/null 2>&1', + command: '/usr/bin/k5start -f /home/foo/.keytab -U -o 123 -k /tmp/krb5cc_123 -H 60 -F > /dev/null 2>&1', ) end