-
Notifications
You must be signed in to change notification settings - Fork 278
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: allow injecting of arbitrary env variables #629
Open
majormoses
wants to merge
2
commits into
develop
Choose a base branch
from
feature/arbitrary-env-vars
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As these variables _could_ contain secrets we should make sure that this file is only accessible via the root user. If you do choose to store secrets here I would highly reccommend not storing them in SCM unencrypted and should pull them from a key management solution such as Hashicorp Vault or AWS SSM. Alternatively you could use something like `git-crypt` or some process pulling values from an encrypted databag and writing to the attribute. In either scenario with secrets please understand that these secrets will be exposed to the node and therefore accessible to anyone who has chef access. This includes any `sudoer` as they can run `sudo chef-shell -z` and then query the attribute. If you do need this functionality for secrets you should probably use `node['sensu']['etc_default_sensu']['cookbook']` and override it with a template in your wrapper. You should leverage `node.run_state` object as this removes it from the node being queried externally but allows locally storing the secret and is only persisted during an actual chef convergence. Signed-off-by: Ben Abrams <[email protected]>
majormoses
force-pushed
the
feature/arbitrary-env-vars
branch
from
March 14, 2019 02:00
9b42bb0
to
a6aaec7
Compare
I locally converged via vagrant, if unit tests pass we should be good to go. |
Not sure why tests are failing on travis but are working locally maybe the version of chefdk? Running Locally$ /opt/chefdk/embedded/bin/chef --version
Chef Development Kit Version: 2.5.13
chef-client version: 13.10.4
delivery version: master (6862f27aba89109a9630f0b6c6798efec56b4efe)
berks version: 6.3.4
kitchen version: 1.22.1
inspec version: 1.51.25
$ /opt/chefdk/embedded/bin/chef exec rake
!!!!!! The `berkshelf' gem is missing and must be installed or cannot be properly activated. Run `gem install berkshelf` or add the following to your Gemfile if you are using Bundler: `gem 'berkshelf'`.
>>> Gem load error: Could not load or activate Berkshelf (Unable to activate berkshelf-6.3.4, because thor-0.20.3 conflicts with thor (< 0.19.2, ~> 0.19)), omitting
/opt/chefdk/embedded/bin/ruby -I/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-support-3.7.1/lib:/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.1/lib /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.1/exe/rspec test/unit/check_spec.rb test/unit/client_service_spec.rb test/unit/default_spec.rb test/unit/libraries/sensu_helpers_spec.rb test/unit/libraries/sensu_helpers_spec.rb test/unit/libraries/sensu_json_file_spec.rb test/unit/libraries/sensu_json_file_spec.rb test/unit/lwrps/base_config_spec.rb test/unit/lwrps/base_config_spec.rb test/unit/lwrps/client_spec.rb test/unit/lwrps/client_spec.rb test/unit/lwrps/filter_spec.rb test/unit/lwrps/filter_spec.rb test/unit/lwrps/gem_spec.rb test/unit/lwrps/gem_spec.rb test/unit/lwrps/json_file_spec.rb test/unit/lwrps/json_file_spec.rb
sensu-test::good_checks
creates valid_check_with_default_interval
creates valid_cron_check
creates valid_standalone_check sensu_check
creates valid_pubsub_check sensu_check
deletes removed_check without specifying subscriptions/standalone
sensu-test::bad_check_name
raises an exception when the check name contains invalid characters
sensu-test::bad_check_attributes
raises an exception when the check has neither subscribers nor standalone attributes
sensu-test::bad_cron_and_interval
raises an exception when the check has both cron and interval attributes
sensu-test::bad_check_no_interval_or_cron
raises an exception when in check both cron and interval are false
sensu-test::bad_check_invalid_interval
raises an exception when in check interval is equal or less than 0
sensu::client_service
enables the sensu-client service in ubuntu 14.04
starts the sensu-client service in ubuntu 14.04
sensu::client_service
enables the sensu-client service in ubuntu 16.04
starts the sensu-client service in ubuntu 16.04
sensu::default
when running on unix-like platforms
when running on ubuntu linux
includes the sensu::_linux recipe
installs the sensu package
configures the apt repo definition with the default codename
behaves like sensu default recipe
creates the log directory
creates the conf.d directory
creates the plugins directory
creates the handlers directory
creates the extensions directory
writes a base sensu configuration using sensu_base_config
ssl is enabled
writes the certificate chain file
writes the private key file
ssl is disabled
[2019-03-13T19:09:51-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
does not write the certificate chain file
[2019-03-13T19:09:53-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
does not write the private key file
when overriding the apt repository codename
configures the apt repo definition with the provided codename
when running on rhel linux
includes the sensu::_linux recipe
installs the sensu package
configures the yum repo definition
behaves like sensu default recipe
creates the log directory
creates the conf.d directory
creates the plugins directory
creates the handlers directory
creates the extensions directory
writes a base sensu configuration using sensu_base_config
ssl is enabled
writes the certificate chain file
writes the private key file
ssl is disabled
[2019-03-13T19:10:16-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
does not write the certificate chain file
[2019-03-13T19:10:20-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
does not write the private key file
when overriding the yum repository releasever
configures the yum repo definition with the provided releasever
when running on aix
includes the sensu::_aix recipe
installs the sensu package
behaves like sensu default recipe
creates the log directory
creates the conf.d directory
creates the plugins directory
creates the handlers directory
creates the extensions directory
writes a base sensu configuration using sensu_base_config
ssl is enabled
writes the certificate chain file
writes the private key file
ssl is disabled
[2019-03-13T19:10:41-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
does not write the certificate chain file
[2019-03-13T19:10:43-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
does not write the private key file
when running on windows platform
includes the sensu::_windows recipe
installs the Sensu package
when install_dotnet is true
includes the appropriate recipe from the ms_dotnet cookbook
when install_dotnet is false
does not include a recipe from the ms_dotnet cookbook
behaves like sensu default recipe
creates the log directory
creates the conf.d directory
creates the plugins directory
creates the handlers directory
creates the extensions directory
writes a base sensu configuration using sensu_base_config
ssl is enabled
writes the certificate chain file
writes the private key file
ssl is disabled
[2019-03-13T19:11:09-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
does not write the certificate chain file
[2019-03-13T19:11:11-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
does not write the private key file
Sensu::Helpers
.select_attributes
when the requested attribute exists
returns the requested key/value pair
when the requested attribute does not exist
returns an empty hash
when multiple attributes are requested and all exist
returns a hash containing the requested key/value pairs
when multiple attributes are requested and only a subset exist
returns a hash containing the existing key/value pairs
.gem_binary
on unix-like platforms
with omnibus ruby available
returns the full path to the omnibus ruby gem binary
without omnibus ruby available
returns an unqualified path to the gem binary
on windows platforms
with omnibus ruby available
returns the full path to the omnibus ruby gem binary
without omnibus ruby available
returns an unqualified path to the gem binary
.redhat_version_string
the desired version is prior to 0.27
returns the version string unaltered
the desired version is 0.27.0 or newer
returns the version string with the Redhat platform major version suffix
when a suffix override is provided
returns the version string with the custom suffix
.amazon_linux_2_rhel_version
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 6
returns the rhel version 7
throws an exception
throws an exception
throws an exception
.amazon_linux_2_version_string
the desired version is prior to 0.27
returns the version string unaltered
the desired version is 0.27.0 or newer
returns the version string with the Redhat platform major version suffix
when a suffix override is provided
returns the version string with the custom suffix
Sensu::JSONFile
.load_json
returns a non-empty hash
returns a hash containing the expected keys
.dump_json
returns a non-empty string, terminated with a new line
.to_mash
converts a hash into a mash
.compare_content
returns false when comparing the content of a file to a non-matching hash
returns true when comparing the content of a file to a matching hash
sensu_base_config
[2019-03-13T19:11:11-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
creates a base sensu configuration at /etc/sensu/config.json
base configuration is derived from node attributes
[2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
transport node attributes are present in base configuration
[2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
redis node attributes are present in base configuration
[2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
api node attributes are present in base configuration
single rabbitmq host provided
[2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
yields a rabbitmq array with a single hash
multiple rabbitmq hosts provided
[2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
[2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
yields a rabbitmq array containing multiple brokers
sensu_client with minimum required attributes
renders client.json to directory defined by attributes
configures client name
configures client address
configures client subscriptions
does not provide configuration for unconfigured optional attributes
sensu_client with optional attributes
renders client.json to directory defined by attributes
configures client name
configures client address
configures client subscriptions
configures client keepalives
configures client keepalive behavior
configures client safe_mode
configures client socket
configures attributes for client redaction
configures client registration
configures client to deregister
configures client deregistration
configures custom client attributes specified as additional
sensu_filter
defaults to action :create
action :create
creates the specified filter definition
negate specified
creates the specified filter definition
days specified
with symbol hash keys
creates the specified filter definition
with string hash keys
creates the specified filter definition
action :delete
deletes the specified filter
deletes the specified filter definition
sensu_gem
defaults to action :install
action :install
installs the specified gem package
version specified
installs the specified version of the gem package
source specified
installs the specified gem package from the specified source
upgrades the specified gem package from the specified source
action :remove
removes the specified gem package
action :upgrade
installs or upgrades the specified gem package to the specified version
sensu_json_file
creates the /etc/sensu directory using value of directory_mode attribute
creates a "pretty" json file with the provided content
Finished in 1 minute 57.05 seconds (files took 2 seconds to load)
146 examples, 0 failures |
majormoses
changed the title
allow injecting of arbitrary env variables
WIP: allow injecting of arbitrary env variables
Mar 25, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As these variables could contain secrets we should make sure that this file is only accessible via the root user. If you do choose to store secrets here I would highly recommend not storing them in SCM unencrypted and should pull them from a key management solution such as Hashicorp Vault or AWS SSM. Alternatively you could use something like
git-crypt
or some process pulling values from an encrypted databag and writing to the attribute. In either scenario with secrets please understand that these secrets will be exposed to the node and therefore accessible to anyone who has chef access. This includes anysudoer
as they can runsudo chef-shell -z
and then query the attribute. If you do need this functionality for secrets you should probably usenode['sensu']['etc_default_sensu']['cookbook']
and override it with a template in your wrapper. You should leveragenode.run_state
object as this removes it from the node being queried externally but allows locally storing the secret and is only persisted during an actual chef convergence.Signed-off-by: Ben Abrams [email protected]
Description
Enable people to inject arbitrary key value pairs to be sent to the sensu process by means of
/etc/default/sensu
.As these variables could contain secrets we should make sure that this file is only accessible via the root user. If you do choose to store secrets here I would highly recommend not storing them in SCM unencrypted and should pull them from a key management solution such as Hashicorp Vault or AWS SSM. Alternatively you could use something like
git-crypt
or some process pulling values from an encrypted databag and writing to the attribute. In either scenario with secrets please understand that these secrets will be exposed to the node and therefore accessible to anyone who has chef access. This includes anysudoer
as they can runsudo chef-shell -z
and then query the attribute. If you do need this functionality for secrets you should probably usenode['sensu']['etc_default_sensu']['cookbook']
and override it with a template in your wrapper. You should leveragenode.run_state
object as this removes it from the node being queried externally but allows locally storing the secret and is only persisted during an actual chef convergence.Motivation and Context
Someone requested this a while back in slack, unfortunately I did not have them file an issue and I forgot that I had most of the code ready to go uncommitted until today.
How Has This Been Tested?
This has not been properly tested.
Screenshots (if appropriate):
Types of changes
Checklist: