
grid-chef-repo: Commit

Grid環境構築用のChefリポジトリです。


Commit MetaInfo

Revision483e0887bef93d43921bedd70da4104071476884 (tree)
Time2018-10-06 12:22:32
Authorwhitestar <whitestar@user...>
Commiterwhitestar

Log Message

adds wildcard common name support. e.g. *.example.com

Change Summary

Incremental Difference

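--- /dev/null
+++ b/cookbooks/ssl_cert/Berksfile
@@ -0,0 +1,19 @@
+#
+# Copyright 2018 whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+source 'https://supermarket.chef.io'
+
+metadata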
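--- a/cookbooks/ssl_cert/CHANGELOG.md
+++ b/cookbooks/ssl_cert/CHANGELOG.md
@@ -1,6 +1,10 @@
 ssl_cert CHANGELOG
 ==================
 
+0.5.0
+-----
+- adds wildcard common name support. e.g. `*.example.com`
+
 0.4.2
 -----
 - adds the `['ssl_cert']['ca_name_symlinks']` attribute.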
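--- /dev/null
+++ b/cookbooks/ssl_cert/Gemfile.lock
@@ -0,0 +1,22 @@
+GEM
+ remote: https://rubygems.org/
+ specs:
+ chef-api (0.8.0)
+ logify (~> 0.1)
+ mime-types
+ logify (0.2.0)
+ mime-types (3.2.2)
+ mime-types-data (~> 3.2015)
+ mime-types-data (3.2018.0812)
+ stove (6.0.0)
+ chef-api (~> 0.5)
+ logify (~> 0.2)
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ stove
+
+BUNDLED WITH
+ 1.16.0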
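--- a/cookbooks/ssl_cert/README.md
+++ b/cookbooks/ssl_cert/README.md
@@ -203,6 +203,8 @@ $ knife vault create ssl_server_certs node.example.com.prod \
 > --json ~/tmp/node_example_com.prod.crt.json
 ```
 
+Note: You must translate wildcard character `'*'` of common name into `'_'`, because Data Bag items must have an id matching `/^[\.\-[:alnum:]_]+$/`. e.g. `'*.example.com'` => `'_.example.com'`
+
 - grant reference permission to the appropriate nodes
 
 ```text
@@ -225,11 +227,13 @@ override_attributes(
 
 ### References of deployed key and certificate file paths (with default attributes)
 
+`undotted_cn`: `'*'` and `'.'` of common name are translated into `'_'`. e.g. `'*.example.com'` => `'__example_com'`
+
 - `node['ssl_cert']["#{ca}_cert_path"]`: e.g. `node['ssl_cert']['grid_ca_cert_path']`
 - `node['ssl_cert']["#{ca}_pubkey_path"]`: e.g. `node['ssl_cert']['grid_ssh_ca_pubkey_path']`
 - `node['ssl_cert']["#{ca}_krl_path"]`: e.g. `node['ssl_cert']['grid_ssh_ca_krl_path']`
-- `node['ssl_cert']["#{undotted_cn}_key_path"]`: e.g. `node['ssl_cert']['node_example_com_key_path']`
-- `node['ssl_cert']["#{undotted_cn}_cert_path"]`: e.g. `node['ssl_cert']['node_example_com_cert_path']`
+- `node['ssl_cert']["#{undotted_cn}_key_path"]`: e.g. `node['ssl_cert']['node_example_com_key_path']`, `node['ssl_cert']['__example_com_key_path']`
+- `node['ssl_cert']["#{undotted_cn}_cert_path"]`: e.g. `node['ssl_cert']['node_example_com_cert_path']`, `node['ssl_cert']['__example_com_cert_path']`
 
 ### Helper methods
 
@@ -252,6 +256,8 @@ append_members_to_key_access_group(['openldap'])
 grid_ca_cert_path = ca_cert_path('grid_ca')
 ldap_key_path = server_key_path('ldap.grid.example.com')
 ldap_cert_path = server_cert_path('ldap.grid.example.com')
+wildcard_cn_key_path = server_key_path('*.grid.example.com')
+wildcard_cn_cert_path = server_cert_path('*.grid.example.com')
 ```
 
 ## License and Authors
@@ -259,7 +265,7 @@ ldap_cert_path = server_cert_path('ldap.grid.example.com')
 - Author:: whitestar at osdn.jp
 
 ```text
-Copyright 2016, whitestar
+Copyright 2016-2018, whitestar
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.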
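--- a/cookbooks/ssl_cert/Rakefile
+++ b/cookbooks/ssl_cert/Rakefile
@@ -3,12 +3,58 @@ require 'rubocop/rake_task'
 require 'foodcritic'
 require 'stove/rake_task'
 
+tpl_cookbook = '00cookbook'
+cookbook_name = File.basename(Dir.pwd)
+
+desc 'Initialize project'
+task :init do
+ next if cookbook_name == tpl_cookbook
+
+ [
+ '.foodcritic',
+ '.rubocop.yml',
+ 'Berksfile',
+ 'chefignore',
+ 'concourse.yml',
+ 'fly-vars.yml',
+ 'fly-vars.local.yml',
+ 'Gemfile',
+ 'Gemfile.lock',
+ 'version',
+ ].each {|conf|
+ sh "cp ../#{tpl_cookbook}/#{conf} ./" unless File.exist?(conf)
+ }
+
+ ruby [
+ %(-pne '$_.gsub!(/^cookbook-name: .*$/, "cookbook-name: #{cookbook_name}")'),
+ '-i fly-vars.local.yml',
+ ].join(' ')
+end
+
+desc 'Update project'
+task :update do
+ next if cookbook_name == tpl_cookbook
+
+ [
+ 'Rakefile',
+ 'chefignore',
+ 'concourse.yml',
+ 'fly-vars.yml',
+ 'Gemfile',
+ 'Gemfile.lock',
+ ].each {|conf|
+ sh "cp ../#{tpl_cookbook}/#{conf} ./"
+ }
+end
+
+desc 'fly set-pipeline'
 task :'set-pipeline' do
 sh [
- "fly -t $CC_TARGET sp -p #{File.basename(Dir.pwd)}-cookbook -c concourse.yml",
- '-l fly-vars.yml -l ~/sec/credentials-prod.yml',
+ "fly -t $CC_TARGET sp -p #{cookbook_name}-cookbook -c concourse.yml",
+ '-l fly-vars.yml -l fly-vars.local.yml -l ~/sec/credentials-prod.yml',
 ].join(' ')
 end
+desc 'rake set-pipeline alias'
 task sp: 'set-pipeline'
 
 namespace :style do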
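Review bot: The `sh "cp ../#{tpl_cookbook}/#{conf} ./"` calls in the new `init` and `update` tasks go through a shell, and `cookbook_name`, derived from `Dir.pwd`, is also interpolated into the single-quoted `-pne` program handed to `ruby`; a checkout directory whose name contains a space or quote would be split or break the command instead of failing cleanly. Rake's `sh` takes an argument list that skips the shell, `sh 'cp', "../#{tpl_cookbook}/#{conf}", './'`, and the in-place edit of `fly-vars.local.yml` is simpler as a read/`gsub`/write in Ruby than as a `ruby -pne -i` subprocess. Separately, `desc 'rake set-pipeline alias'` sits directly under the `end` of `set-pipeline` with no blank line, unlike every other task in the file.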
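--- a/cookbooks/ssl_cert/attributes/default.rb
+++ b/cookbooks/ssl_cert/attributes/default.rb
@@ -151,7 +151,7 @@ default['ssl_cert']['server_cert_file_extension'] = 'crt'
 =end
 
 undotted_cns = node['ssl_cert']['common_names'].map {|item|
- item.tr('.', '_')
+ item.tr('*.', '__') # '*': wildcard
 }
 
 default['ssl_cert']['certs_src_dir'] = node.value_for_platform_family(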
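Review bot: `item.tr('*.', '__')` on the added line is the same character map that `server_cert_path` and `server_key_path` in `libraries/helper.rb` now apply in this commit, and it has to stay byte-identical there: the keys derived here are the ones those helpers read back, so if either copy drifts the lookup `node['ssl_cert']["#{undotted_cn}_key_path"]` silently returns nil far from the cause. The trailing comment only explains `*`; it should also state the coupling, e.g. `# '*' and '.' both become '_' ('*.example.com' => '__example_com'); keep in sync with undotted_cn in libraries/helper.rb`. A shared helper for the translation would remove the duplication entirely, but that touches the other file as well.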
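--- /dev/null
+++ b/cookbooks/ssl_cert/chefignore
@@ -0,0 +1,20 @@
+# Put files/directories that should be ignored in this file.
+# Lines that start with '# ' are comments.
+
+Berksfile.lock
+
+# concourse
+concourse.yml
+fly-vars.yml
+fly-vars.local.yml
+
+# emacs
+*~
+
+.rubocop_todo.yml
+
+# vim
+*.sw[a-z]
+
+# subversion
+*/.svn/*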
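--- a/cookbooks/ssl_cert/concourse.yml
+++ b/cookbooks/ssl_cert/concourse.yml
@@ -1,5 +1,4 @@
 ---
-# $ fly -t $CC_TARGET sp -p ssl_cert-cookbook -c concourse.yml -l fly-vars.yml -l ~/sec/credentials-prod.yml
 resources:
 - name: src-git
 type: git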
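--- /dev/null
+++ b/cookbooks/ssl_cert/fly-vars.local.yml
@@ -0,0 +1,2 @@
+---
+cookbook-name: ssl_cert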
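--- a/cookbooks/ssl_cert/fly-vars.yml
+++ b/cookbooks/ssl_cert/fly-vars.yml
@@ -1,3 +1,2 @@
 ---
-cookbook-name: ssl_cert
 chefdk-version: 1.6.11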
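--- a/cookbooks/ssl_cert/libraries/helper.rb
+++ b/cookbooks/ssl_cert/libraries/helper.rb
@@ -2,7 +2,7 @@
 # Cookbook Name:: ssl_cert
 # Library:: Helper
 #
-# Copyright 2016, whitestar
+# Copyright 2016-2018, whitestar
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -272,7 +272,7 @@ module SSLCert
 end
 
 def server_cert_path(cn)
- undotted_cn = cn.tr('.', '_')
+ undotted_cn = cn.tr('*.', '__') # '*': wildcard
 node['ssl_cert']["#{undotted_cn}_cert_path"]
 end
 
@@ -281,7 +281,9 @@ module SSLCert
 
 require 'chef-vault'
 cert = ChefVault::Item.load(
- node['ssl_cert']['server_cert_vault'], "#{cn}#{vault_item_suffix}"
+ node['ssl_cert']['server_cert_vault'],
+ # Note: Data Bag items must have an id matching /^[\.\-[:alnum:]_]+$/
+ "#{cn.tr('*', '_')}#{vault_item_suffix}"
 )
 node['ssl_cert']['server_cert_vault_item_key'].split('/').each {|elm|
 cert = cert[elm]
@@ -305,7 +307,7 @@ module SSLCert
 end
 
 def server_key_path(cn)
- undotted_cn = cn.tr('.', '_')
+ undotted_cn = cn.tr('*.', '__') # '*': wildcard
 node['ssl_cert']["#{undotted_cn}_key_path"]
 end
 
@@ -314,7 +316,9 @@ module SSLCert
 
 require 'chef-vault'
 secret = ChefVault::Item.load(
- node['ssl_cert']['server_key_vault'], "#{cn}#{vault_item_suffix}"
+ node['ssl_cert']['server_key_vault'],
+ # Note: Data Bag items must have an id matching /^[\.\-[:alnum:]_]+$/
+ "#{cn.tr('*', '_')}#{vault_item_suffix}"
 )
 node['ssl_cert']['server_key_vault_item_key'].split('/').each {|elm|
 secret = secret[elm]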
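Review bot: `"#{cn.tr('*', '_')}#{vault_item_suffix}"` is the rule operators must follow by hand when they name the vault item (the README hunk in this commit documents it), and it is now written twice, in the `@@ -281` hunk for the certificate vault and again here for the key vault, each with the same three-line explanatory comment inside the argument list. Put it behind one private method, `def vault_item_id(cn); cn.tr('*', '_'); end`, carrying the Data Bag id note once, and call `ChefVault::Item.load(node['ssl_cert']['server_key_vault'], "#{vault_item_id(cn)}#{vault_item_suffix}")` at both sites so the id rule cannot drift between the two loaders. The methods enclosing both vault loads begin before their hunks.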
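--- a/cookbooks/ssl_cert/version
+++ b/cookbooks/ssl_cert/version
@@ -1 +1 @@
-0.4.2
+0.5.0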