diff --git a/.rubocop.yml b/.rubocop.yml index fed20ee310..b463588725 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -126,3 +126,5 @@ RSpec/ImplicitSubject: Enabled: false Style/CommentedKeyword: Enabled: false +Naming/FileName: + Enabled: false diff --git a/hieradata/node/tel-hw1.tu.lsst.org.yaml b/hieradata/node/tel-hw1.tu.lsst.org.yaml index d859bfd09a..9c543158c7 100644 --- a/hieradata/node/tel-hw1.tu.lsst.org.yaml +++ b/hieradata/node/tel-hw1.tu.lsst.org.yaml @@ -29,3 +29,9 @@ network::mroutes_hash: routes: "140.252.147.16/28": "140.252.147.129" "140.252.147.48/28": "140.252.147.129" + +profile::core::k5login::k5login: + "/home/saluser/.k5login": + ensure: "present" + principals: + - "saluser/tel-lt1.tu.lsst.org@LSST.CLOUD" diff --git a/hieradata/node/tel-lt1.tu.lsst.org.yaml b/hieradata/node/tel-lt1.tu.lsst.org.yaml new file mode 100644 index 0000000000..b5c5018f04 --- /dev/null +++ b/hieradata/node/tel-lt1.tu.lsst.org.yaml @@ -0,0 +1,7 @@ +--- +profile::core::common::manage_resolv_conf: false +profile::core::k5login::k5login: + "/home/saluser/.k5login": + ensure: "present" + principals: + - "saluser/tel-hw1.tu.lsst.org@LSST.CLOUD" diff --git a/site/profile/manifests/ccs/krb5_token.pp b/site/profile/manifests/ccs/krb5_token.pp index bdd8b668f6..8a7ed0021d 100644 --- a/site/profile/manifests/ccs/krb5_token.pp +++ b/site/profile/manifests/ccs/krb5_token.pp @@ -13,7 +13,7 @@ class profile::ccs::krb5_token ( String $user, Integer $uid, - String $keytab_base64, + Sensitive[String[1]] $keytab_base64, ) { profile::util::keytab { $user: uid => $uid, diff --git a/site/profile/manifests/core/common.pp b/site/profile/manifests/core/common.pp index d66f611e72..e9c7c70683 100644 --- a/site/profile/manifests/core/common.pp +++ b/site/profile/manifests/core/common.pp 
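Review bot: `Naming/FileName` is switched off for the whole repository, while the only files in this commit that trip it are the node specs named after FQDNs, such as `spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb`. Scoping the exception keeps the cop active everywhere else: `Naming/FileName:` / `  Exclude:` / `    - 'spec/hosts/**/*'`. If the cop was already failing on other files and a repo-wide switch is intended, a one-line comment above the entry saying so would spare the next reader the same question.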
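Review bot: The new `profile::core::k5login::k5login` block lets `saluser` on tel-hw1 be reached by `saluser/tel-lt1.tu.lsst.org@LSST.CLOUD`, and the following hunk for `hieradata/node/tel-lt1.tu.lsst.org.yaml` sets up the reverse, but neither file records why the two hosts need this mutual login relationship, nor why tel-lt1 also sets `manage_resolv_conf: false`. A YAML comment above each block, e.g. `# saluser on tel-lt1 may log in here as saluser: <reason>`, keeps that intent visible when the principal list is next edited. I cannot tell from this diff whether the `k5login` resource also pins the file's owner and mode; if it does not, that is worth checking, since `.k5login` is consulted at login time for the account that owns it.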
@@ -46,6 +46,9 @@ # @param manage_irqbalance # If `true`, manage irqbalance # +# @param manage_resolv_conf +# If `true`, manage resolv.conf +# class profile::core::common ( Boolean $deploy_icinga_agent = false, Boolean $manage_puppet_agent = true, @@ -61,6 +64,7 @@ Boolean $manage_scl = true, Boolean $manage_repos = true, Boolean $manage_irqbalance = true, + Boolean $manage_resolv_conf = true, ) { include accounts include augeas @@ -74,11 +78,11 @@ include profile::core::ipa include profile::core::k5login include profile::core::kernel + include profile::core::keytab include profile::core::nm_dispatch include profile::core::selinux include profile::core::systemd include profile::core::yum - include resolv_conf include rsyslog include rsyslog::config include selinux @@ -159,6 +163,11 @@ include scl } } + + if $manage_resolv_conf { + include resolv_conf + } + class { 'lldpd': manage_repo => true, } diff --git a/site/profile/manifests/core/ipa_pwd_reset.pp b/site/profile/manifests/core/ipa_pwd_reset.pp index 4a031e37bf..aff23f0e90 100644 --- a/site/profile/manifests/core/ipa_pwd_reset.pp +++ b/site/profile/manifests/core/ipa_pwd_reset.pp @@ -15,7 +15,7 @@ # class profile::core::ipa_pwd_reset ( - String $keytab_base64, + Sensitive[String[1]] $keytab_base64, String $secret_key, String $ldap_user, String $ldap_pwd, @@ -103,7 +103,7 @@ # Create Keytab file { "${keytab_path}/${ldap_user}.keytab": ensure => file, - content => base64('decode', $keytab_base64), + content => base64('decode', $keytab_base64.unwrap), mode => '0600', owner => $ldap_user, group => $ldap_user, diff --git a/site/profile/manifests/core/keytab.pp b/site/profile/manifests/core/keytab.pp new file mode 100644 index 0000000000..cc63ae7d4c --- /dev/null +++ b/site/profile/manifests/core/keytab.pp 
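Review bot: The keytab file resource in `profile::core::ipa_pwd_reset` still exposes the decoded keytab: `content => base64('decode', $keytab_base64.unwrap)` hands a plain String to `file`, so the bytes appear in the serialized catalog and in change diffs, and this hunk, unlike `site/profile/manifests/util/keytab.pp` in the same commit, does not set `show_diff => false`. Re-wrapping the decoded value keeps it redacted end to end: `show_diff => false,` and `content => Sensitive(base64('decode', $keytab_base64.unwrap)),`. The same re-wrap applies to the `file { $keytab_path:` resource in `util/keytab.pp`, which already has `show_diff => false` but likewise passes the unwrapped content. `$secret_key` and `$ldap_pwd` in the parameter list remain plain `String` although they look like credentials; if they come from hieradata they would presumably benefit from the same `Sensitive[String[1]]` treatment in a follow-up. The class body continues outside the hunk.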
@@ -0,0 +1,17 @@ +# @summary +# Generates profile::util::keytab resources +# +# @param keytab +# Hash of keytab resources to create +# +class profile::core::keytab ( + Optional[Hash[String[1], Hash[String[1], NotUndef]]] $keytab = undef, +) { + if $keytab { + $keytab.each | String $name, Hash $conf | { + profile::util::keytab { $name: + * => $conf, + } + } + } +} diff --git a/site/profile/manifests/core/rke.pp b/site/profile/manifests/core/rke.pp index d4643f4c8f..83b934ae45 100644 --- a/site/profile/manifests/core/rke.pp +++ b/site/profile/manifests/core/rke.pp @@ -11,9 +11,9 @@ # Version of rke utility to install # class profile::core::rke ( - Boolean $enable_dhcp = false, - Optional[String] $keytab_base64 = undef, - String $version = '1.3.3', + Boolean $enable_dhcp = false, + Optional[Sensitive[String[1]]] $keytab_base64 = undef, + String $version = '1.3.3', ) { $user = 'rke' $uid = 75500 diff --git a/site/profile/manifests/util/keytab.pp b/site/profile/manifests/util/keytab.pp index d8034792ee..385a6d6ce4 100644 --- a/site/profile/manifests/util/keytab.pp +++ b/site/profile/manifests/util/keytab.pp @@ -12,7 +12,7 @@ # define profile::util::keytab ( Integer $uid, - String $keytab_base64, + Sensitive[String[1]] $keytab_base64, ) { $home_path = "/home/${name}" $keytab_path = "${home_path}/.keytab" @@ -24,15 +24,16 @@ mode => '0700', }) file { $keytab_path: - ensure => file, - owner => $name, - group => $name, - mode => '0400', - content => base64('decode', $keytab_base64), + ensure => file, + owner => $name, + group => $name, + mode => '0400', + show_diff => false, # do not print keytab in logs + content => base64('decode', $keytab_base64.unwrap), } cron { 'k5start_root': - command => "/usr/bin/k5start -f ${keytab_path} -U -o ${uid} -k /tmp/krb5cc_${uid} -H 60 > /dev/null 2>&1", + command => "/usr/bin/k5start -f ${keytab_path} -U -o ${uid} -k /tmp/krb5cc_${uid} -H 60 -F > /dev/null 2>&1", user => 'root', minute => '*/1', require => File[$keytab_path], 
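Review bot: The inner `Hash[String[1], NotUndef]` type does not tell a hieradata author that `profile::util::keytab` now requires `keytab_base64` to be `Sensitive[String[1]]`, and the `lookup_options` regex `'^profile::.+::keytab_base64$'` added to the spec fixture in this commit matches only top-level keys, so a nested `keytab_base64` inside `profile::core::keytab::keytab` would, as far as I can tell, arrive as a plain String and fail at the `profile::util::keytab { $name:` line. Making the requirement explicit in the type surfaces it at parameter binding instead: `Optional[Hash[String[1], Struct[{ uid => Integer, keytab_base64 => Sensitive[String[1]] }]]] $keytab = undef,`. The `@param keytab` doc should also say that each key is the user name (it becomes the resource title) and that `keytab_base64` values must be wrapped in `Sensitive` by the caller. Finally, `if $keytab` with `Optional[...] = undef` can be simplified to a `Hash[...] $keytab = {}` default and a bare `$keytab.each`.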
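Review bot: The `-F` added to the `k5start` command in the `cron { 'k5start_root':` resource of `profile::util::keytab` is not explained anywhere in the hunk, and the flag changes the kind of ticket every managed user receives (in k5start I believe `-F` requests non-forwardable tickets, as in kinit, but please confirm against the installed version's man page). A short comment next to the option keeps that decision reviewable, e.g. `# -F: <why the tickets must be non-forwardable>` above the `command =>` line. The `# do not print keytab in logs` comment on `show_diff` in the same hunk is a good model for it.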
diff --git a/spec/classes/core/common_spec.rb b/spec/classes/core/common_spec.rb index 1b68231008..34fe740840 100644 --- a/spec/classes/core/common_spec.rb +++ b/spec/classes/core/common_spec.rb @@ -7,18 +7,44 @@ context "on #{os}" do let(:facts) { facts } - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('hosts') } - it { is_expected.to contain_class('network') } - it { is_expected.to contain_class('profile::core::nm_dispatch') } - it { is_expected.to contain_package('ca-certificates').with_ensure('latest') } - - it do - is_expected.to contain_service('NetworkManager').with(ensure: 'running', enable: true) + context 'with no params' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('hosts') } + it { is_expected.to contain_class('network') } + it { is_expected.to contain_class('resolv_conf') } + it { is_expected.to contain_class('profile::core::keytab') } + it { is_expected.to contain_class('profile::core::nm_dispatch') } + it { is_expected.to contain_package('ca-certificates').with_ensure('latest') } + + it do + is_expected.to contain_service('NetworkManager').with(ensure: 'running', enable: true) + end + + it do + is_expected.to contain_file('/etc/sysconfig/network-scripts/ifcfg-').with_ensure('absent') + end end - it do - is_expected.to contain_file('/etc/sysconfig/network-scripts/ifcfg-').with_ensure('absent') + context 'with resolv_conf param' do + context 'when false' do + let(:params) do + { + manage_resolv_conf: false, + } + end + + it { is_expected.not_to contain_class('resolv_conf') } + end + + context 'when true' do + let(:params) do + { + manage_resolv_conf: true, + } + end + + it { is_expected.to contain_class('resolv_conf') } + end end end end diff --git a/spec/classes/core/ipa_pwd_reset_spec.rb b/spec/classes/core/ipa_pwd_reset_spec.rb index 87e8c4f8ba..210a4149e7 100644 --- a/spec/classes/core/ipa_pwd_reset_spec.rb +++ b/spec/classes/core/ipa_pwd_reset_spec.rb 
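Review bot: The context label `'with resolv_conf param'` names the class being included rather than the parameter actually set in the nested `let(:params)`; `context 'with manage_resolv_conf param' do` matches the parameter name and reads correctly in rspec's documentation output. The nested `'when false'` / `'when true'` contexts are otherwise fine and pin both sides of the new conditional.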
@@ -18,10 +18,10 @@ context 'with no params' do let(:params) do { - keytab_base64: 'foo', - secret_key: 'bar', - ldap_user: 'baz', + keytab_base64: sensitive('foo'), ldap_pwd: 'quix', + ldap_user: 'baz', + secret_key: 'bar', } end diff --git a/spec/classes/core/keytab_spec.rb b/spec/classes/core/keytab_spec.rb new file mode 100644 index 0000000000..e3219f0f9e --- /dev/null +++ b/spec/classes/core/keytab_spec.rb @@ -0,0 +1,40 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'profile::core::keytab' do + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts + end + + context 'with no parameters' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to have_profile__util__keytab_resource_count(0) } + end + + context 'with keytab param' do + let(:params) do + { + keytab: { + foo: { + uid: 1234, + keytab_base64: sensitive('Zm9v'), + }, + }, + } + end + + it { is_expected.to have_profile__util__keytab_resource_count(1) } + + it do + is_expected.to contain_profile__util__keytab('foo').with( + uid: 1234, + keytab_base64: sensitive('Zm9v'), + ) + end + end + end + end +end diff --git a/spec/classes/core/rke_spec.rb b/spec/classes/core/rke_spec.rb index d4f8699cee..0e241bd20a 100644 --- a/spec/classes/core/rke_spec.rb +++ b/spec/classes/core/rke_spec.rb @@ -67,7 +67,7 @@ context 'when 42' do let(:params) do { - keytab_base64: '42', + keytab_base64: sensitive('42'), } end @@ -76,7 +76,7 @@ it do is_expected.to contain_profile__util__keytab('rke').with( uid: 75_500, - keytab_base64: '42', + keytab_base64: sensitive('42'), ) end end diff --git a/spec/defines/util/keytab_spec.rb b/spec/defines/util/keytab_spec.rb index 153d209b26..df11adad06 100644 --- a/spec/defines/util/keytab_spec.rb +++ b/spec/defines/util/keytab_spec.rb 
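Review bot: The new `spec/classes/core/keytab_spec.rb` checks that a `Sensitive` value is passed through but never pins the type change itself, so a regression back to a plain `String` parameter in `profile::util::keytab` would still pass here. A third context with an unwrapped value makes the contract explicit, e.g. `let(:params) { { keytab: { foo: { uid: 1234, keytab_base64: 'Zm9v' } } } }` followed by `it { is_expected.to compile.and_raise_error(/Sensitive/) }`.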
@@ -7,7 +7,7 @@ context "on #{os}" do let(:facts) { facts } let(:title) { 'foo' } - let(:params) { { 'uid' => 123, 'keytab_base64' => 'YmFy' } } + let(:params) { { 'uid' => 123, 'keytab_base64' => sensitive('YmFy') } } it { is_expected.to compile.with_all_deps } @@ -26,13 +26,14 @@ owner: 'foo', group: 'foo', mode: '0400', + show_diff: false, content: 'bar', ) end it do is_expected.to contain_cron('k5start_root').with( - command: '/usr/bin/k5start -f /home/foo/.keytab -U -o 123 -k /tmp/krb5cc_123 -H 60 > /dev/null 2>&1', + command: '/usr/bin/k5start -f /home/foo/.keytab -U -o 123 -k /tmp/krb5cc_123 -H 60 -F > /dev/null 2>&1', ) end diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index 09e94e9df3..62b0983afe 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml @@ -1,4 +1,7 @@ --- +lookup_options: + '^profile::.+::keytab_base64$': + convert_to: "Sensitive" ccs_database::database: "comcamdbprod" ccs_database::password: "foo" easy_ipa::admin_password: "foofoofoofoo" # ipa master only @@ -6,7 +9,6 @@ easy_ipa::directory_services_password: "foofoofoofoo" # ipa master only easy_ipa::domain_join_password: "foofoofoofoo" # 8 char min foreman_proxy::plugin::dns::route53::aws_access_key: "foo" foreman_proxy::plugin::dns::route53::aws_secret_key: "foo" -profile::archive::forwarder::keytab_base64: "foo" profile::ccs::krb5_token::keytab_base64: "foo" profile::ccs::krb5_token::uid: "foo" profile::ccs::krb5_token::user: "foo" diff --git a/spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb b/spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb new file mode 100644 index 0000000000..35d7076029 --- /dev/null +++ b/spec/hosts/nodes/tel-hw1.tu.lsst.org_spec.rb 
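Review bot: The `lookup_options` entry converting `'^profile::.+::keytab_base64$'` to `Sensitive` is added only to `spec/fixtures/hieradata/common.yaml`; the production hieradata is not touched by this commit, so unless an equivalent entry already exists there (not visible here), every class changed to `Sensitive[String[1]] $keytab_base64` will fail type checking against plain String values coming from Hiera. Adding the same block to the site's `common.yaml` (or wherever its `lookup_options` live) looks like part of this change rather than a follow-up. Note also that the regex does not reach `profile::core::keytab::keytab`, whose nested `keytab_base64` values therefore need to be wrapped by other means.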
@@ -0,0 +1,31 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'tel-hw1.tu.lsst.org', :site do + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge( + fqdn: 'tel-hw1.tu.lsst.org', + ) + end + + let(:node_params) do + { + role: 'generic', + site: 'tu', + } + end + + it { is_expected.to compile.with_all_deps } + + it do + is_expected.to contain_k5login('/home/saluser/.k5login').with( + ensure: 'present', + principals: ['saluser/tel-lt1.tu.lsst.org@LSST.CLOUD'], + ) + end + end # on os + end # on_supported_os +end # role diff --git a/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb b/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb new file mode 100644 index 0000000000..f2e998d3dc --- /dev/null +++ b/spec/hosts/nodes/tel-lt1.tu.lsst.org_spec.rb @@ -0,0 +1,32 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'tel-lt1.tu.lsst.org', :site do + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge( + fqdn: 'tel-lt1.tu.lsst.org', + ) + end + + let(:node_params) do + { + role: 'generic', + site: 'tu', + } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.not_to contain_class('resolv_conf') } + + it do + is_expected.to contain_k5login('/home/saluser/.k5login').with( + ensure: 'present', + principals: ['saluser/tel-hw1.tu.lsst.org@LSST.CLOUD'], + ) + end + end # on os + end # on_supported_os +end # role