Grid環境構築用のChefリポジトリです。
Révision | 69b89ffcc4ecdc4d48a887fd945a826a9807c4d7 (tree) |
l'heure | 2015-12-29 11:11:45 |
Auteur | whitestar <whitestar@gaea...> |
Commiter | whitestar |
environment-sensitive vault item improvemnet.
@@ -1,6 +1,10 @@ | ||
1 | 1 | berkshelf-api-server-ya CHANGELOG |
2 | 2 | ================================= |
3 | 3 | |
4 | +0.3.0 | |
5 | +----- | |
6 | +- Vault item scan improvement for nested hash. | |
7 | + | |
4 | 8 | 0.2.0 |
5 | 9 | ----- |
6 | 10 | - SSL server key deployment by the Chef Vault. |
@@ -28,11 +28,13 @@ Attributes | ||
28 | 28 | |`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item]`|Hash|Chef Vault item read conf. for the server private key. (ver. 0.2.0 or later)|undefined| |
29 | 29 | |`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item][:vault]`|String|Vault name|undefined| |
30 | 30 | |`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item][:name]`|String|Vault item name|undefined| |
31 | -|`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item][:key]`|String|Vault item key|undefined| | |
31 | +|`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item][:env_context]`|Boolean|for multiple environment settings within encrypted items.|`false`| | |
32 | +|`[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item][:key]`|String|Vault item key (single key or nested hash key path delimited by slash)|undefined| | |
32 | 33 | |`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item]`|Hash|Chef Vault item read conf. for the endpoint access user's private key. (ver. 0.2.0. or later)|undefined| |
33 | 34 | |`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item][:vault]`|String|Vault name|undefined| |
34 | 35 | |`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item][:name]`|String|Vault item name|undefined| |
35 | -|`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item][:key]`|String|Vault item key|undefined| | |
36 | +|`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item][:env_context]`|Boolean|for multiple environment settings within encrypted items.|`false`| | |
37 | +|`[:berkshelf_api][:config][:endpoints][1..n][:options][:client_key_vault_item][:key]`|String|Vault item key (single key or nested hash key path delimited by slash)|undefined| | |
36 | 38 | |
37 | 39 | Usage |
38 | 40 | ----- |
@@ -26,7 +26,23 @@ default[:berkshelf_api][:proxy][:ssl_certificate_key] = '' | ||
26 | 26 | default[:berkshelf_api][:proxy][:ssl_certificate_key_vault_item] = { |
27 | 27 | :vault => 'ssl_server_keys', |
28 | 28 | :name => '<COMMON_NAME>', |
29 | + # single key or nested hash key path delimited by slash | |
30 | + # Case 1. | |
31 | + :env_context => false, | |
29 | 32 | :key => 'private' |
33 | + # -> item['private'] | |
34 | + # Case 2. | |
35 | + #:env_context => true, | |
36 | + #:key => 'private' | |
37 | + # -> item[node.chef_environment]['private'] | |
38 | + # Case 3. | |
39 | + #:env_context => true, | |
40 | + #:key => nil, # or '' or undefined | |
41 | + # -> item[node.chef_environment] | |
42 | + # Case 4. | |
43 | + #:env_context => true, | |
44 | + #:key => 'hash/path/to/private/key' | |
45 | + # -> item[node.chef_environment]['hash']['path']['to']['private']['key'] | |
30 | 46 | } |
31 | 47 | =end |
32 | 48 |
@@ -39,7 +55,11 @@ default[:berkshelf_api][:config][:endpoints] = [ | ||
39 | 55 | :client_key_vault_item => { |
40 | 56 | :vault => 'berks_api_client_keys', |
41 | 57 | :name => '<ORG_NAME>', |
58 | + # single key or nested hash key path delimited by slash | |
59 | + :env_context => false, | |
42 | 60 | :key => 'berkshelf' |
61 | + #:env_context => true, | |
62 | + #:key => 'hash/path/to/private/key' | |
43 | 63 | } |
44 | 64 | } |
45 | 65 | }, |
@@ -4,7 +4,7 @@ maintainer_email '' | ||
4 | 4 | license 'Apache 2.0' |
5 | 5 | description 'Installs/Configures berkshelf-api-server-ya' |
6 | 6 | long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) |
7 | -version '0.2.0' | |
7 | +version '0.3.0' | |
8 | 8 | |
9 | 9 | # local cookbooks |
10 | 10 | #depends 'chef_utils', '>= 0.5.0' |
@@ -39,8 +39,17 @@ endpoints.each {|endpoint| | ||
39 | 39 | end |
40 | 40 | |
41 | 41 | require 'chef-vault' |
42 | - item = ChefVault::Item.load(item_conf[:vault], item_conf[:name]) | |
43 | - secret = item[item_conf[:key]] | |
42 | + secret = ChefVault::Item.load(item_conf[:vault], item_conf[:name]) | |
43 | + | |
44 | + if item_conf.has_key?(:env_context) && item_conf[:env_context] == true then | |
45 | + secret = secret[node.chef_environment] | |
46 | + end | |
47 | + | |
48 | + if !item_conf[:key].nil? && !item_conf[:key].empty? then | |
49 | + item_conf[:key].split('/').each {|elm| | |
50 | + secret = secret[elm] | |
51 | + } | |
52 | + end | |
44 | 53 | |
45 | 54 | file options[:client_key] do |
46 | 55 | content secret |
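Review bot: After `secret = secret[node.chef_environment]` and the `secret = secret[elm]` walk, a missing environment entry or path element leaves `secret` nil with nothing checking it: a nil in the middle fails on the next `secret[elm]` with a bare NoMethodError, and a nil at the end reaches `content secret`, which as far as I can tell from Chef's file resource means the private key file is written without its content being managed instead of the run failing. A guard after the environment lookup, `raise "vault item #{item_conf[:vault]}/#{item_conf[:name]}: no entry for environment #{node.chef_environment}" if secret.nil?`, and a matching `raise "vault item #{item_conf[:vault]}/#{item_conf[:name]}: key path #{item_conf[:key]} did not resolve to a string" unless secret.is_a?(String)` after the split loop would make this a clear converge failure before any file resource runs. The split should also drop empty segments, `item_conf[:key].split('/').reject(&:empty?)`, so a leading or doubled slash does not index `''`. The same code appears in the ssl_certificate_key hunk below. The enclosing `endpoints.each` block starts outside this hunk.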
@@ -34,8 +34,17 @@ if node[:berkshelf_api][:proxy].has_key?(:ssl_certificate_key_vault_item) then | ||
34 | 34 | end |
35 | 35 | |
36 | 36 | require 'chef-vault' |
37 | - item = ChefVault::Item.load(item_conf[:vault], item_conf[:name]) | |
38 | - secret = item[item_conf[:key]] | |
37 | + secret = ChefVault::Item.load(item_conf[:vault], item_conf[:name]) | |
38 | + | |
39 | + if item_conf.has_key?(:env_context) && item_conf[:env_context] == true then | |
40 | + secret = secret[node.chef_environment] | |
41 | + end | |
42 | + | |
43 | + if !item_conf[:key].nil? && !item_conf[:key].empty? then | |
44 | + item_conf[:key].split('/').each {|elm| | |
45 | + secret = secret[elm] | |
46 | + } | |
47 | + end | |
39 | 48 | |
40 | 49 | file node[:berkshelf_api][:proxy][:ssl_certificate_key] do |
41 | 50 | content secret |
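Review bot: The vault-item resolution (environment lookup followed by the slash-delimited path walk) is now duplicated line for line between this hunk and the client_key hunk above; moving it into one cookbook library helper that takes `item_conf` and `node` and returns the resolved value would keep the two from drifting, particularly once both need the same missing-key handling. On style, `if item_conf.has_key?(:env_context) && item_conf[:env_context] == true then` can be written `if item_conf[:env_context] == true`, since a missing key already yields nil, and the trailing `then` on both multi-line `if` lines is redundant. Naming the loaded item `secret` before it is actually the secret (it is the ChefVault::Item until the lookups run) also reads oddly; `item` as in the removed lines, with `secret` assigned only at the end, would be clearer. The enclosing `if node[:berkshelf_api][:proxy].has_key?(:ssl_certificate_key_vault_item)` block starts outside this hunk.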