| リビジョン | 7a46b99ec68e489c7868389632b08c35597b399c (tree) |
|---|---|
| 日時 | 2016-01-31 17:51:53 |
| 作者 | whitestar <whitestar@gaea...> |
| コミッター | whitestar |
add ssl_cert::ssh_ca_krl recipe.
cookbooks/ssl_cert/CHANGELOG.md (diff) cookbooks/ssl_cert/README.md (diff) cookbooks/ssl_cert/attributes/default.rb (diff) cookbooks/ssl_cert/libraries/helper.rb (diff) cookbooks/ssl_cert/metadata.rb (diff) cookbooks/ssl_cert/recipes/ssh_ca_krl.rb (diff)| @@ -1,6 +1,11 @@ | ||
| 1 | 1 | ssl_cert CHANGELOG |
| 2 | 2 | ================== |
| 3 | 3 | |
| 4 | +0.3.0 | |
| 5 | +----- | |
| 6 | +- add `ssh_ca_krl` recipe for SSH-CA | |
| 7 | +- add deployed filename extension attributes. | |
| 8 | + | |
| 4 | 9 | 0.2.0 |
| 5 | 10 | ----- |
| 6 | 11 | - add `ca_pubkeys` recipe for SSH-CA, ... |
| @@ -18,6 +18,7 @@ Attributes | ||
| 18 | 18 | |:--|:--|:--|:--| |
| 19 | 19 | |`['ssl_cert']['ca_names']`|Array|deployed CA certificates from chef-vault|empty| |
| 20 | 20 | |`['ssl_cert']['ca_pubkey_names']`|Array|deployed CA public keys from chef-vault (0.2.0 or later)|empty| |
| 21 | +|`['ssl_cert']['ssh_ca_krl_name']`|String|deployed SSH-CA KRL (Key Revocation List) from chef-vault (0.3.0 or later)|`nil`| | |
| 21 | 22 | |`['ssl_cert']['common_names']`|Array|deployed server keys and/or certificates from chef-vault|empty| |
| 22 | 23 | |`['ssl_cert']['rhel']['key_access_group']`|String|RHEL family's key access group (ver. 0.1.5 or later)|`'ssl-cert'`| |
| 23 | 24 | |`['ssl_cert']['chef_gem']['clear_sources']`|Boolean|chef_gem resource's clear_sources property.|`false`| |
| @@ -29,19 +30,27 @@ Attributes | ||
| 29 | 30 | |`['ssl_cert']['ca_cert_vault']`|String|CA certificate stored vault name.|`'ca_certs'`| |
| 30 | 31 | |`['ssl_cert']['ca_cert_vault_item_key']`|String|CA certificate stored vault item key name. (single key or nested hash key path delimited by slash)|`'public'`| |
| 31 | 32 | |`['ssl_cert']['ca_cert_file_prefix']`|String|CA certificate file name's prefix.|`''`| |
| 33 | +|`['ssl_cert']['ca_cert_file_extension']`|String|CA certificate file name's extension. (0.3.0 or later)|`'crt'`| | |
| 32 | 34 | |`['ssl_cert']['ca_pubkey_vault']`|String|CA public key stored vault name. (0.2.0 or later)|`'ca_pubkeys'`| |
| 33 | 35 | |`['ssl_cert']['ca_pubkey_vault_item_key']`|String|CA public key stored vault item key name. (single key or nested hash key path delimited by slash. 0.2.0 or later)|`'public'`| |
| 34 | 36 | |`['ssl_cert']['ca_pubkey_file_prefix']`|String|CA public key file name's prefix. (0.2.0 or later)|`''`| |
| 37 | +|`['ssl_cert']['ca_pubkey_file_extension']`|String|CA public key file name's extension. (0.3.0 or later)|`'pub'`| | |
| 38 | +|`['ssl_cert']['ssh_ca_krl_vault']`|String|SSH-CA KRL stored vault name. (0.3.0 or later)|`'ssh_ca_krls'`| | |
| 39 | +|`['ssl_cert']['ssh_ca_krl_vault_item_key']`|String|SSH-CA KRL stored vault item key name. (single key or nested hash key path delimited by slash. 0.3.0 or later)|`'public'`| | |
| 40 | +|`['ssl_cert']['ssh_ca_krl_file_prefix']`|String|SSH-CA KRL file name's prefix. (0.3.0 or later)|`''`| | |
| 41 | +|`['ssl_cert']['ssh_ca_krl_file_extension']`|String|SSH-CA KRL file name's extension. (0.3.0 or later)|`'krl'`| | |
| 35 | 42 | |`['ssl_cert']['server_key_vault']`|String|SSL server key stored vault name.|`'ssl_server_keys'`| |
| 36 | 43 | |`['ssl_cert']['server_key_vault_item_key']`|String|SSL server key stored vault item key name. (single key or nested hash key path delimited by slash)|`'private'`| |
| 37 | 44 | |`['ssl_cert']['server_key_file_prefix']`|String|SSL server key file name's prefix.|`''`| |
| 45 | +|`['ssl_cert']['server_key_file_extension']`|String|SSL server key file name's extension. (0.3.0 or later)|`'key'`| | |
| 38 | 46 | |`['ssl_cert']['server_cert_vault']`|String|SSL server certificate stored vault name.|`'ssl_server_certs'`| |
| 39 | 47 | |`['ssl_cert']['server_cert_vault_item_key']`|String|SSL server certificate stored vault item key name. (single key or nested hash key path delimited by slash)|`'public'`| |
| 40 | 48 | |`['ssl_cert']['server_cert_file_prefix']`|String|SSL server certificate file name's prefix.|`''`| |
| 41 | -|`['ssl_cert']["#{ca}_cert_path"]`|String|deployed CA certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.crt"`| | |
| 42 | -|`['ssl_cert']["#{ca}_pubkey_path"]`|String|deployed CA public key file path. (0.2.0 or later)|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.pub"`| | |
| 43 | -|`['ssl_cert']["#{undotted_cn}_key_path"]`|String|deployed SSL server key file path.|`"#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{undotted_cn}.key"`| | |
| 44 | -|`['ssl_cert']["#{undotted_cn}_cert_path"]`|String|deployed SSL server certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{undotted_cn}.crt"`| | |
| 49 | +|`['ssl_cert']['server_cert_file_extension']`|String|SSL server certificate file name's extension. (0.3.0 or later)|`'crt'`| | |
| 50 | +|`['ssl_cert']["#{ca}_cert_path"]`|String|deployed CA certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.#{node['ssl_cert']['ca_cert_file_extension']}"`| | |
| 51 | +|`['ssl_cert']["#{ca}_pubkey_path"]`|String|deployed CA public key file path. (0.2.0 or later)|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.#{node['ssl_cert']['ca_pubkey_file_extension']}"`| | |
| 52 | +|`['ssl_cert']["#{undotted_cn}_key_path"]`|String|deployed SSL server key file path.|`"#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{undotted_cn}.#{node['ssl_cert']['server_key_file_extension']}"`| | |
| 53 | +|`['ssl_cert']["#{undotted_cn}_cert_path"]`|String|deployed SSL server certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{undotted_cn}.#{node['ssl_cert']['server_cert_file_extension']}"`| | |
| 45 | 54 | |
| 46 | 55 | Usage |
| 47 | 56 | ----- |
| @@ -50,6 +59,7 @@ Usage | ||
| 50 | 59 | - `ssl_cert::default` - deploys CA certificates, SSL server keys and/or certificates. |
| 51 | 60 | - `ssl_cert::ca_certs` - deploys CA certificates. |
| 52 | 61 | - `ssl_cert::ca_pubkeys` - deploys CA public keys for SSH-CA, ... (0.2.0 or later) |
| 62 | +- `ssl_cert::ssh_ca_krl` - deploys a SSH-CA KRL (Key Revocation List) file. (0.3.0 or later) | |
| 53 | 63 | - `ssl_cert::server_key_pairs` - deploys SSL server keys and certificates. |
| 54 | 64 | - `ssl_cert::server_keys` - deploys SSL server keys. |
| 55 | 65 | - `ssl_cert::server_certs` - deploys SSL server certificates. |
| @@ -106,6 +116,28 @@ override_attributes( | ||
| 106 | 116 | ) |
| 107 | 117 | ``` |
| 108 | 118 | |
| 119 | +#### SSH-CA KRL (0.3.0 or later) | |
| 120 | + | |
| 121 | +- create vault items. | |
| 122 | + | |
| 123 | +```text | |
| 124 | +$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.krl")})' \ | |
| 125 | +> > ~/tmp/grid_ssh_ca.prod.krl.json | |
| 126 | + | |
| 127 | +$ knife vault create ssh_ca_krls grid_ssh_ca.prod \ | |
| 128 | +> --json ~/tmp/grid_ssh_ca.prod.krl.json | |
| 129 | +``` | |
| 130 | + | |
| 131 | +- add cookbook attributes. | |
| 132 | + | |
| 133 | +```ruby | |
| 134 | +override_attributes( | |
| 135 | + 'ssl_cert' => { | |
| 136 | + 'ssh_ca_krl_name' => 'grid_ssh_ca', | |
| 137 | + }, | |
| 138 | +) | |
| 139 | +``` | |
| 140 | + | |
| 109 | 141 | #### SSL server keys and certificates |
| 110 | 142 | |
| 111 | 143 | - create vault items. |
| @@ -141,6 +173,7 @@ override_attributes( | ||
| 141 | 173 | |
| 142 | 174 | - `node['ssl_cert']["#{ca}_cert_path"]` - e.g. `node['ssl_cert']['grid_ca_cert_path']` |
| 143 | 175 | - `node['ssl_cert']["#{ca}_pubkey_path"]` - e.g. `node['ssl_cert']['grid_ssh_ca_pubkey_path']` |
| 176 | +- `node['ssl_cert']["#{ca}_krl_path"]` - e.g. `node['ssl_cert']['grid_ssh_ca_krl_path']` | |
| 144 | 177 | - `node['ssl_cert']["#{undotted_cn}_key_path"]` - e.g. `node['ssl_cert']['node_example_com_key_path']` |
| 145 | 178 | - `node['ssl_cert']["#{undotted_cn}_cert_path"]` - e.g. `node['ssl_cert']['node_example_com_cert_path']` |
| 146 | 179 |
| @@ -28,6 +28,9 @@ default['ssl_cert']['ca_pubkey_names'] = [ | ||
| 28 | 28 | #'grid_ssh_ca', |
| 29 | 29 | ] |
| 30 | 30 | |
| 31 | +# deployed SSH-CA KRL (Key Revocation List) from chef-vault | |
| 32 | +default['ssl_cert']['ssh_ca_krl_name'] = nil # e.g. 'grid_ssh_ca' | |
| 33 | + | |
| 31 | 34 | # deployed server keys and/or certificates from chef-vault |
| 32 | 35 | default['ssl_cert']['common_names'] = [ |
| 33 | 36 | #'ldap.grid.example.com', |
| @@ -47,9 +50,11 @@ default['ssl_cert']['vault_item_suffix'] = \ | ||
| 47 | 50 | (!node['ssl_cert']['env_context'].nil? && !node['ssl_cert']['env_context'].empty?) \ |
| 48 | 51 | ? ".#{node['ssl_cert']['env_context']}" : '' |
| 49 | 52 | |
| 53 | +# CA certificates attributes | |
| 50 | 54 | default['ssl_cert']['ca_cert_vault'] = 'ca_certs' |
| 51 | 55 | default['ssl_cert']['ca_cert_vault_item_key'] = 'public' |
| 52 | 56 | default['ssl_cert']['ca_cert_file_prefix'] = '' |
| 57 | +default['ssl_cert']['ca_cert_file_extension'] = 'crt' | |
| 53 | 58 | =begin |
| 54 | 59 | CA certificate vault item name is |
| 55 | 60 | each CA name + ".#{node['ssl_cert']['vault_item_suffix']}". |
| @@ -63,9 +68,11 @@ default['ssl_cert']['ca_cert_file_prefix'] = '' | ||
| 63 | 68 | > --json ~/tmp/grid_ca.prod.crt.json |
| 64 | 69 | =end |
| 65 | 70 | |
| 71 | +# CA public keys attributes | |
| 66 | 72 | default['ssl_cert']['ca_pubkey_vault'] = 'ca_pubkeys' |
| 67 | 73 | default['ssl_cert']['ca_pubkey_vault_item_key'] = 'public' |
| 68 | 74 | default['ssl_cert']['ca_pubkey_file_prefix'] = '' |
| 75 | +default['ssl_cert']['ca_pubkey_file_extension'] = 'pub' | |
| 69 | 76 | =begin |
| 70 | 77 | CA public key vault item name is |
| 71 | 78 | each CA name + ".#{node['ssl_cert']['vault_item_suffix']}". |
| @@ -79,9 +86,29 @@ default['ssl_cert']['ca_pubkey_file_prefix'] = '' | ||
| 79 | 86 | > --json ~/tmp/grid_ssh_ca.prod.pub.json |
| 80 | 87 | =end |
| 81 | 88 | |
| 89 | +# SSH-CA KRL attributes | |
| 90 | +default['ssl_cert']['ssh_ca_krl_vault'] = 'ssh_ca_krls' | |
| 91 | +default['ssl_cert']['ssh_ca_krl_vault_item_key'] = 'public' | |
| 92 | +default['ssl_cert']['ssh_ca_krl_file_prefix'] = '' | |
| 93 | +default['ssl_cert']['ssh_ca_krl_file_extension'] = 'krl' | |
| 94 | +=begin | |
| 95 | + SSH-CA KRL vault item name is | |
| 96 | + each SSH-CA KRL name + ".#{node['ssl_cert']['vault_item_suffix']}". | |
| 97 | + valut item key is 'public'. | |
| 98 | + | |
| 99 | + * vault item management | |
| 100 | + | |
| 101 | + $ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.krl")})' \ | |
| 102 | + > > ~/tmp/grid_ssh_ca.prod.krl.json | |
| 103 | + $ knife vault create ssh_ca_krls grid_ssh_ca.prod \ | |
| 104 | + > --json ~/tmp/grid_ssh_ca.prod.krl.json | |
| 105 | +=end | |
| 106 | + | |
| 107 | +# SSL sever private key attributes | |
| 82 | 108 | default['ssl_cert']['server_key_vault'] = 'ssl_server_keys' |
| 83 | 109 | default['ssl_cert']['server_key_vault_item_key'] = 'private' |
| 84 | 110 | default['ssl_cert']['server_key_file_prefix'] = '' |
| 111 | +default['ssl_cert']['server_key_file_extension'] = 'key' | |
| 85 | 112 | =begin |
| 86 | 113 | server key vault item name is |
| 87 | 114 | each common name + "#{node['ssl_cert']['vault_item_suffix']}". |
| @@ -95,9 +122,11 @@ default['ssl_cert']['server_key_file_prefix'] = '' | ||
| 95 | 122 | > --json ~/tmp/node_example_com.prod.key.json |
| 96 | 123 | =end |
| 97 | 124 | |
| 125 | +# SSL sever caertificates attributes | |
| 98 | 126 | default['ssl_cert']['server_cert_vault'] = 'ssl_server_certs' |
| 99 | 127 | default['ssl_cert']['server_cert_vault_item_key'] = 'public' |
| 100 | 128 | default['ssl_cert']['server_cert_file_prefix'] = '' |
| 129 | +default['ssl_cert']['server_cert_file_extension'] = 'crt' | |
| 101 | 130 | =begin |
| 102 | 131 | server certificate vault item name is |
| 103 | 132 | each common name + ".#{node['ssl_cert']['vault_item_suffix']}". |
| @@ -127,18 +156,22 @@ default['ssl_cert']['private_dir'] = node.value_for_platform_family( | ||
| 127 | 156 | |
| 128 | 157 | node['ssl_cert']['ca_names'].each {|ca| |
| 129 | 158 | default['ssl_cert']["#{ca}_cert_path"] \ |
| 130 | - = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.crt" | |
| 159 | + = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.#{node['ssl_cert']['ca_cert_file_extension']}" | |
| 131 | 160 | } |
| 132 | 161 | |
| 133 | 162 | node['ssl_cert']['ca_pubkey_names'].each {|ca| |
| 134 | 163 | default['ssl_cert']["#{ca}_pubkey_path"] \ |
| 135 | - = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.pub" | |
| 164 | + = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.#{node['ssl_cert']['ca_pubkey_file_extension']}" | |
| 136 | 165 | } |
| 137 | 166 | |
| 167 | +krl_name = node['ssl_cert']['ssh_ca_krl_name'] | |
| 168 | +default['ssl_cert']["#{krl_name}_krl_path"] \ | |
| 169 | + = "/etc/ssh/#{node['ssl_cert']['ssh_ca_krl_file_prefix']}#{krl_name}.#{node['ssl_cert']['ssh_ca_krl_file_extension']}" | |
| 170 | + | |
| 138 | 171 | undotted_cns.each {|cn| |
| 139 | 172 | default['ssl_cert']["#{cn}_key_path"] \ |
| 140 | - = "#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{cn}.key" | |
| 173 | + = "#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{cn}.#{node['ssl_cert']['server_key_file_extension']}" | |
| 141 | 174 | default['ssl_cert']["#{cn}_cert_path"] \ |
| 142 | - = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{cn}.crt" | |
| 175 | + = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{cn}.#{node['ssl_cert']['server_cert_file_extension']}" | |
| 143 | 176 | } |
| 144 | 177 |
| @@ -126,6 +126,27 @@ module Helper | ||
| 126 | 126 | end |
| 127 | 127 | |
| 128 | 128 | |
| 129 | + def ssh_ca_krl(ca) | |
| 130 | + undotted_ca = ca.gsub('.', '_') | |
| 131 | + | |
| 132 | + chef_gem_chef_vault | |
| 133 | + require 'chef-vault' | |
| 134 | + krl = ChefVault::Item.load( | |
| 135 | + node['ssl_cert']['ssh_ca_krl_vault'], "#{ca}#{vault_item_suffix}") | |
| 136 | + node['ssl_cert']['ssh_ca_krl_vault_item_key'].split('/').each {|elm| | |
| 137 | + krl = krl[elm] | |
| 138 | + } | |
| 139 | + | |
| 140 | + krl_path = node['ssl_cert']["#{undotted_ca}_krl_path"] | |
| 141 | + resources(:file => krl_path) rescue file krl_path do | |
| 142 | + content krl | |
| 143 | + owner 'root' | |
| 144 | + group 'root' | |
| 145 | + mode 0644 | |
| 146 | + end | |
| 147 | + end | |
| 148 | + | |
| 149 | + | |
| 129 | 150 | def server_certificate(cn) |
| 130 | 151 | undotted_cn = cn.gsub('.', '_') |
| 131 | 152 |
| @@ -4,5 +4,5 @@ maintainer_email '' | ||
| 4 | 4 | license 'Apache 2.0' |
| 5 | 5 | description 'Installs/Configures ssl_cert' |
| 6 | 6 | long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) |
| 7 | -version '0.2.0' | |
| 7 | +version '0.3.0' | |
| 8 | 8 |
| @@ -0,0 +1,23 @@ | ||
| 1 | +# | |
| 2 | +# Cookbook Name:: ssl_cert | |
| 3 | +# Recipe:: ssh_ca_krl | |
| 4 | +# | |
| 5 | +# Copyright 2016, whitestar | |
| 6 | +# | |
| 7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
| 8 | +# you may not use this file except in compliance with the License. | |
| 9 | +# You may obtain a copy of the License at | |
| 10 | +# | |
| 11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
| 12 | +# | |
| 13 | +# Unless required by applicable law or agreed to in writing, software | |
| 14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
| 15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 16 | +# See the License for the specific language governing permissions and | |
| 17 | +# limitations under the License. | |
| 18 | +# | |
| 19 | + | |
| 20 | +::Chef::Recipe.send(:include, SSLCert::Helper) | |
| 21 | + | |
| 22 | +ssh_ca_krl(node['ssl_cert']['ssh_ca_krl_name']) | |
| 23 | + |
Fork