Make the TLS certificate management optional

The prescription by this cookbook to manage the TLS certificate, using chef-vault, is overly strong, and, while it is an excellent practice, may not jibe with some potential users’ workflows.
sous-chefs · Aug 19, 2015 · 9fe9c2d · 9fe9c2d
1 parent 810c60b
commit 9fe9c2d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -8,6 +8,8 @@
 default['vault']['service_user'] = 'vault'
 default['vault']['service_group'] = 'vault'
 
+# Chef-vault required for certificate management
+default['vault']['manage_certificate'] = true
 default['vault']['bag_name'] = 'secrets'
 default['vault']['bag_item'] = 'vault'
 

diff --git a/libraries/vault_config.rb b/libraries/vault_config.rb
@@ -40,7 +40,9 @@ class VaultConfig < Chef::Resource
       attribute(:backend_options, option_collector: true)
 
       def tls?
-        tls_disable.match(/^$/)
+        return true if tls_disable.match(/^$/) && node['vault']['manage_certificate']
+
+        false
       end
 
       # Transforms the resource into a JSON format which matches the
@@ -71,7 +73,10 @@ def to_json
               mode '0755'
             end
 
-            item = chef_vault_item(new_resource.bag_name, new_resource.bag_item)
+            item = chef_vault_item(
+              new_resource.bag_name,
+              new_resource.bag_item
+            )
             file new_resource.tls_cert_file do
               content item['certificate']
               mode '0644'