From ee44bf98f4062e6112f7d9e6a5db8bcca689e6f2 Mon Sep 17 00:00:00 2001
From: Marek Hulan
Date: Fri, 13 Feb 2015 16:06:02 +0000
Subject: [PATCH] Add smart_proxy_chef plugin support
---
manifests/plugin/chef.pp | 54 +++++++++++++++++++
manifests/plugin/chef/params.pp | 12 +++++
.../foreman_proxy__plugin__chef__spec.rb | 49 +++++++++++++++++
templates/plugin/chef.yml.erb | 23 ++++++++
4 files changed, 138 insertions(+)
create mode 100644 manifests/plugin/chef.pp
create mode 100644 manifests/plugin/chef/params.pp
create mode 100644 spec/classes/foreman_proxy__plugin__chef__spec.rb
create mode 100644 templates/plugin/chef.yml.erb
diff --git a/manifests/plugin/chef.pp b/manifests/plugin/chef.pp
new file mode 100644
index 000000000..5313282f7
--- /dev/null
+++ b/manifests/plugin/chef.pp
@@ -0,0 +1,54 @@
+# = Foreman Proxy Chef plugin
+#
+# This class installs chef plugin
+#
+# === Parameters:
+#
+# $group:: group owner of the configuration file
+#
+# $version:: plugin package version, it's passed to ensure parameter of package resource
+# can be set to specific version number, 'latest', 'present' etc.
+#
+# $enabled:: enables/disables the plugin
+#
+# $listen_on:: Proxy feature listens on http, https, or both
+#
+# $server_url:: chef server url
+#
+# $client_name:: chef client name used for authentication of other client requests
+#
+# $private_key:: path to file containing private key for $client_name client
+#
+# $ssl_verify:: should we perform chef server ssl cert verification? this requires
+# CA certificate installed and trusted
+# type:boolean
+#
+# $ssl_pem_file:: if $ssl_verify is true you can specify a path to a file which
+# contains certificate and related private key if the certificate
+# is not globally trusted
+#
+class foreman_proxy::plugin::chef (
+ $enabled = $::foreman_proxy::plugin::chef::params::enabled,
+ $listen_on = $::foreman_proxy::plugin::chef::params::listen_on,
+ $version = $::foreman_proxy::plugin::chef::params::version,
+ $group = $::foreman_proxy::plugin::chef::params::group,
+ $server_url = $::foreman_proxy::plugin::chef::params::server_url,
+ $client_name = $::foreman_proxy::plugin::chef::params::client_name,
+ $private_key = $::foreman_proxy::plugin::chef::params::private_key,
+ $ssl_verify = $::foreman_proxy::plugin::chef::params::ssl_verify,
+ $ssl_pem_file = $::foreman_proxy::plugin::chef::params::ssl_pem_file,
+) inherits foreman_proxy::plugin::chef::params {
+
+ validate_bool($enabled)
+ validate_listen_on($listen_on)
+
+ foreman_proxy::plugin {'chef':
+ version => $version,
+ } ->
+ foreman_proxy::settings_file { 'chef':
+ listen_on => $listen_on,
+ enabled => $enabled,
+ group => $group,
+ template_path => 'foreman_proxy/plugin/chef.yml.erb',
+ }
+}
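Review bot: `$ssl_verify` is documented as `type:boolean`, but only `$enabled` goes through `validate_bool`, so a string or undef value reaches the `:chef_ssl_verify:` line of the template unchecked. An empty value there would presumably be read by the plugin as nil, which would disable verification without anyone having asked for it. I would add `validate_bool($ssl_verify)` next to the existing checks, and `validate_absolute_path($private_key)`, since that value is written into the settings file as a path. `$server_url`, `$client_name` and `$ssl_pem_file` are only read by the template through `scope.lookupvar`, which deserves a one-line comment in the class body so they are not mistaken for unused parameters.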
diff --git a/manifests/plugin/chef/params.pp b/manifests/plugin/chef/params.pp
new file mode 100644
index 000000000..9ad50e36a
--- /dev/null
+++ b/manifests/plugin/chef/params.pp
@@ -0,0 +1,12 @@
+# Default parameters for the Chef smart proxy plugin
+class foreman_proxy::plugin::chef::params {
+ $enabled = true
+ $group = undef
+ $listen_on = 'https'
+ $version = undef
+ $server_url = "https://${::fqdn}"
+ $client_name = $::fqdn
+ $private_key = '/etc/chef/client.pem'
+ $ssl_verify = true
+ $ssl_pem_file = undef
+}
diff --git a/spec/classes/foreman_proxy__plugin__chef__spec.rb b/spec/classes/foreman_proxy__plugin__chef__spec.rb
new file mode 100644
index 000000000..34e8c330e
--- /dev/null
+++ b/spec/classes/foreman_proxy__plugin__chef__spec.rb
@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe 'foreman_proxy::plugin::chef' do
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ context 'chef plugin is enabled' do
+ let :params do
+ {
+ :enabled => true
+ }
+ end
+
+ it 'should call the plugin' do
+ should contain_foreman_proxy__plugin('chef')
+ end
+
+ it 'should install configuration file' do
+ should contain_foreman_proxy__settings_file('chef')
+ content = subject.resource('file', '/etc/foreman-proxy/settings.d/chef.yml').send(:parameters)[:content]
+ content.split("\n").reject { |c| c =~ /(^#|^$)/ }.should == [
+ '---',
+ ':enabled: https',
+ ]
+ end
+ end
+
+ context 'chef plugin is disabled' do
+ let :params do
+ {
+ :enabled => false
+ }
+ end
+
+ it 'should call the plugin' do
+ should contain_foreman_proxy__plugin('chef')
+ end
+
+ it 'should install configuration file' do
+ should contain_foreman_proxy__settings_file('chef')
+ content = subject.resource('file', '/etc/foreman-proxy/settings.d/chef.yml').send(:parameters)[:content]
+ content.split("\n").reject { |c| c =~ /(^#|^$)/ }.should == [
+ '---',
+ ':enabled: false',
+ ]
+ end
+ end
+ end
+ end
+end
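Review bot: The defaults for `$client_name` and `$private_key` point the proxy at the host's own chef-client identity (`$::fqdn`, `/etc/chef/client.pem`), and the template's comment says that client needs admin rights on the chef server. Nothing in this patch manages read access to that key for the proxy service, and chef-client normally keeps the file readable by root only. The default is therefore likely to need either loosened permissions on the node key or a dedicated client. I would document the second option in the header comment, e.g. `# $private_key should belong to a dedicated chef client holding only the rights the proxy needs, and be readable by the proxy service user`.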
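Review bot: The expected content in both `should install configuration file` examples does not match what `templates/plugin/chef.yml.erb` in this patch renders. The template writes `:enabled:` from the class's boolean `$enabled` (so `true`, not `https`) and then emits `:chef_authenticate_nodes:`, `:chef_server_url:`, `:chef_smartproxy_clientname:`, `:chef_smartproxy_privatekey:` and `:chef_ssl_verify:` as non-comment lines, none of which the two-element arrays allow for. Assuming `settings_file` renders `template_path` as the file content, either the expectations or the template's `:enabled:` line (which also ignores `$listen_on`) has to change. The `facts` yielded by `on_supported_os` are never applied although `params.pp` reads `$::fqdn`; add `let(:facts) { facts }` inside `context "on #{os}"`. A case for `ssl_verify => false` and one for a set `ssl_pem_file` would pin the security-relevant lines of the rendered file.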
diff --git a/templates/plugin/chef.yml.erb b/templates/plugin/chef.yml.erb
new file mode 100644
index 000000000..9184460bd
--- /dev/null
+++ b/templates/plugin/chef.yml.erb
@@ -0,0 +1,23 @@
+---
+:enabled: <%= scope.lookupvar("foreman_proxy::plugin::chef::enabled") %>
+:chef_authenticate_nodes: true
+:chef_server_url: <%= scope.lookupvar("foreman_proxy::plugin::chef::server_url") %>
+# smart-proxy client node needs to have some admin right on chef-server
+# in order to retrive all nodes public keys
+# e.g. 'host.example.net'
+:chef_smartproxy_clientname: <%= scope.lookupvar("foreman_proxy::plugin::chef::client_name") %>
+# e.g. /etc/chef/client.pem
+:chef_smartproxy_privatekey: <%= scope.lookupvar("foreman_proxy::plugin::chef::private_key") %>
+
+# turning of chef_ssl_verify is not recommended as it turn off authentication
+# you can try set path to chef server certificate by chef_ssl_pem_file
+# before setting chef_ssl_verify to false
+# note that chef_ssl_pem_file must contain both private key and certificate
+# because chef-api 0.5 requires it
+:chef_ssl_verify: <%= scope.lookupvar("foreman_proxy::plugin::chef::ssl_verify") %>
+<% custom_pem = scope.lookupvar("foreman_proxy::plugin::chef::ssl_pem_file") -%>
+<% if !custom_pem.nil? && !['', :undef, :undefined].include?(custom_pem)-%>
+:chef_ssl_pem_file: <%= custom_pem %>
+<% else -%>
+# :chef_ssl_pem_file: /path
+<% end -%>
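Review bot: The comment above `:chef_ssl_verify:` says disabling it will "turn off authentication", which misnames the risk an operator is accepting. What is switched off is verification of the chef server's certificate, so the proxy would accept whichever server answers at `:chef_server_url:`. Suggested wording: `# turning off chef_ssl_verify is not recommended: the proxy then no longer verifies the chef server's certificate`. While there, `retrive` in the comment above `:chef_smartproxy_clientname:` should read `retrieve`.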