
grid-chef-repo: Commit

A Chef repository for building Grid environments.


Commit metadata

Revision c31645aca973692c7517e0c15ee3cd742fb987b6 (tree)
Date 2018-09-09 09:49:35
Author whitestar <whitestar@user...>
Committer whitestar

Log message

improves CA certificates and server key pair deployment.

Change summary

Diff

--- a/cookbooks/openldap-grid/CHANGELOG.md
+++ b/cookbooks/openldap-grid/CHANGELOG.md
@@ -1,5 +1,11 @@
11 # CHANGELOG for openldap-grid
22
3+0.2.6
4+-----
5+- adds the `['openldap']['server']['enabled']` attribute.
6+- improves CA certificates and server key pair deployment.
7+- refactors specs.
8+
39 0.2.5
410 -----
511 - refactoring.
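Review bot: the CHANGELOG gains a 0.2.6 entry, but no metadata.rb version bump is part of this commit; since the Concourse job tags the release from `src-git/cookbooks/((cookbook-name))/version` (see the concourse.yml hunk), confirm the cookbook version is raised in the same change so the tag and the CHANGELOG stay in step.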
--- a/cookbooks/openldap-grid/README.md
+++ b/cookbooks/openldap-grid/README.md
@@ -38,6 +38,7 @@ None.
3838 |`['openldap']['nss-ldapd']['base']`|String||`dc=example,dc=net`|
3939 |`['openldap']['nss-ldapd']['<nscd.conf key>']`|String|other nscd.conf key||
4040 |`['openldap']['ldap_lookup_nameservices']`|Array|['passwd', 'group']|`empty`|
41+|`['openldap']['server']['enabled']`|Boolean|`slapd` service enabled (ver. 0.2.6 or later)|`true`|
4142 |`['openldap']['server']['extra_schema']['samba']`|Boolean|add the schema for Samba (ver. 0.2.3 or later)|`false`|
4243 |`['openldap']['server']['ldaps']`|Boolean|enable ldaps (ver. 0.1.2 or later)|`false`|
4344 |`['openldap']['server']['KRB5_KTNAME']`|String|e.g. `'/etc/krb5.keytab'` (ver. 0.1.2 or later)|`nil`|
@@ -57,16 +58,67 @@ Just include `openldap-grid::recipe` in your node's `run_list`:
5758 }
5859 ```
5960
60-### with ssl_cert cookbook
61+### SSL CA certificate management by ssl_cert cookbook
6162
6263 If `node['openldap']['with_ssl_cert_cookbook']` is `true`, `node['openldap']['client']['TLS_CACERT']` and `node['openldap']['nss-ldapd']['tls_cacertfile']` are overridden by the file path based on `['openldap']['ssl_cert']['ca_name']` attribute.
6364
65+### SSL server keys and certificates management by ssl_cert cookbook
66+
67+- create vault items.
68+
69+```text
70+$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("ldap.grid.example.com.prod.key")})' \
71+> > ~/tmp/ldap.grid.example.com.prod.key.json
72+
73+$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("ldap.grid.example.com.prod.crt")})' \
74+> > ~/tmp/ldap.grid.example.com.prod.crt.json
75+
76+$ cd $CHEF_REPO_PATH
77+
78+$ knife vault create ssl_server_keys ldap.grid.example.com.prod \
79+> --json ~/tmp/ldap.grid.example.com.prod.key.json
80+
81+$ knife vault create ssl_server_certs ldap.grid.example.com.prod \
82+> --json ~/tmp/ldap.grid.example.com.prod.crt.json
83+```
84+
85+- grant reference permission to the ldap host
86+
87+```text
88+$ knife vault update ssl_server_keys ldap.grid.example.com.prod -S 'name:ldap*.grid.example.com'
89+$ knife vault update ssl_server_certs ldap.grid.example.com.prod -S 'name:ldap*.grid.example.com'
90+```
91+
92+- modify run_list and attributes
93+
94+```ruby
95+run_list(
96+ #'recipe[ssl_cert::server_key_pairs]', # gitlab-grid <= 0.2.5
97+ 'recipe[opeldap-grid::server]',
98+)
99+
100+override_attributes(
101+ 'ssl_cert' => {
102+ #'common_names' => [
103+ # 'ldap.grid.example.com', # gitlab-grid <= 0.2.5
104+ #],
105+ },
106+ 'openldap' => {
107+ 'with_ssl_cert_cookbook' => true,
108+ 'ssl_cert' => {
109+ 'common_name' => 'ldap.grid.example.com',
110+ },
111+ # ...
112+ },
113+)
114+```
115+
64116 ## License and Authors
65117
66118 - Author:: whitestar at osdn.jp
67119
68120 ```text
69-Copyright 2013-2017, whitestar
121+Copyright 2013-2018, whitestar
70122
71123 Licensed under the Apache License, Version 2.0 (the "License");
72124 you may not use this file except in compliance with the License.
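Review bot: the run_list example in the new README section has a typo, `'recipe[opeldap-grid::server]'` should read `'recipe[openldap-grid::server]'`, and the comments `# gitlab-grid <= 0.2.5` look copied from the gitlab-grid cookbook's README; in this cookbook they should say `openldap-grid <= 0.2.5`. Two smaller points on the vault instructions: the `-S 'name:ldap*.grid.example.com'` search is resolved when `knife vault update` runs, so a node registered later under that name pattern will not be able to decrypt the item until the update is re-run, which is worth a sentence here; and the `~/tmp/*.key.json` file holds the server private key in clear, so the text should tell the reader to remove it after `knife vault create` has stored it.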
--- a/cookbooks/openldap-grid/attributes/default.rb
+++ b/cookbooks/openldap-grid/attributes/default.rb
@@ -2,7 +2,7 @@
22 # Cookbook Name:: openldap-grid
33 # Attributes:: default
44 #
5-# Copyright 2013-2016, whitestar
5+# Copyright 2013-2018, whitestar
66 #
77 # Licensed under the Apache License, Version 2.0 (the "License");
88 # you may not use this file except in compliance with the License.
@@ -45,6 +45,7 @@ default['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
4545 default['openldap']['ldap_lookup_nameservices'] = [] # e.g. ['passwd', 'group']
4646 #default['openldap'][''] =
4747
48+default['openldap']['server']['enabled'] = true
4849 default['openldap']['server']['extra_schema'] = {
4950 'samba' => false,
5051 }
--- a/cookbooks/openldap-grid/concourse.yml
+++ b/cookbooks/openldap-grid/concourse.yml
@@ -1,5 +1,5 @@
11 ---
2-# $ fly -t target sp -p openldap-grid-cookbook -c concourse.yml -l fly-vars.yml -l ~/sec/credentials-prod.yml
2+# $ fly -t $CC_TARGET sp -p openldap-grid-cookbook -c concourse.yml -l fly-vars.yml -l ~/sec/credentials-prod.yml
33 resources:
44 - name: src-git
55 type: git
@@ -21,7 +21,7 @@ resources:
2121 ca_certs:
2222 - domain: ((registry-mirror-domain)) # e.g. registry.docker.example.com:5000
2323 cert: ((docker-reg-ca-cert))
24- check_every: 12h # default: 1m
24+ check_every: 6h # default: 1m
2525
2626 jobs:
2727 - name: test-cookbook
@@ -97,4 +97,4 @@ jobs:
9797 tag_prefix: ((cookbook-name))-
9898 tag: src-git/cookbooks/((cookbook-name))/version
9999 only_tag: true
100- annotate: ../src-git/cookbooks/((cookbook-name))/version
100+ annotate: src-git/cookbooks/((cookbook-name))/version
--- a/cookbooks/openldap-grid/recipes/client.rb
+++ b/cookbooks/openldap-grid/recipes/client.rb
@@ -2,7 +2,7 @@
22 # Cookbook Name:: openldap-grid
33 # Recipe:: client
44 #
5-# Copyright 2013-2016, whitestar
5+# Copyright 2013-2018, whitestar
66 #
77 # Licensed under the Apache License, Version 2.0 (the "License");
88 # you may not use this file except in compliance with the License.
@@ -53,6 +53,13 @@ tls_cacert = node['openldap']['client']['TLS_CACERT']
5353 if node['openldap']['with_ssl_cert_cookbook'] \
5454 && (tls_cacert.nil? || tls_cacert.empty?)
5555 ::Chef::Recipe.send(:include, SSLCert::Helper)
56+
57+ ca_name = node['openldap']['ssl_cert']['ca_name']
58+ unless ca_name.nil?
59+ append_ca_name(ca_name)
60+ include_recipe 'ssl_cert::ca_certs'
61+ end
62+
5663 node.force_override['openldap']['client']['TLS_CACERT'] \
5764 = ca_cert_path(node['openldap']['ssl_cert']['ca_name'])
5865 end
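Review bot: the `unless ca_name.nil?` guard only skips deploying the CA bundle; the following `node.force_override[...]['TLS_CACERT'] = ca_cert_path(node['openldap']['ssl_cert']['ca_name'])` still runs with a nil name, so the client ends up pointed at a CA path derived from nil instead of failing at converge time with a clear message. Either move the `force_override` inside the guard or raise when `ca_name` is nil, and reuse the `ca_name` local rather than reading the attribute a second time. The same six-line block is added verbatim to client.rb, nss-ldapd.rb and server.rb in this commit; a small helper (for example in the cookbook's library next to `SSLCert::Helper`) would keep the three in sync.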
--- a/cookbooks/openldap-grid/recipes/nss-ldapd.rb
+++ b/cookbooks/openldap-grid/recipes/nss-ldapd.rb
@@ -2,7 +2,7 @@
22 # Cookbook Name:: openldap-grid
33 # Recipe:: nss-ldapd
44 #
5-# Copyright 2013-2016, whitestar
5+# Copyright 2013-2018, whitestar
66 #
77 # Licensed under the Apache License, Version 2.0 (the "License");
88 # you may not use this file except in compliance with the License.
@@ -59,6 +59,13 @@ tls_cacertfile = node['openldap']['nss-ldapd']['tls_cacertfile']
5959 if node['openldap']['with_ssl_cert_cookbook'] \
6060 && (tls_cacertfile.nil? || tls_cacertfile.empty?)
6161 ::Chef::Recipe.send(:include, SSLCert::Helper)
62+
63+ ca_name = node['openldap']['ssl_cert']['ca_name']
64+ unless ca_name.nil?
65+ append_ca_name(ca_name)
66+ include_recipe 'ssl_cert::ca_certs'
67+ end
68+
6269 node.force_override['openldap']['nss-ldapd']['tls_cacertfile'] \
6370 = ca_cert_path(node['openldap']['ssl_cert']['ca_name'])
6471 end
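Review bot: same remark as for client.rb: `ca_cert_path(node['openldap']['ssl_cert']['ca_name'])` is still evaluated when `ca_name` is nil, so `tls_cacertfile` is overridden with a nil-derived path rather than the converge failing early; keep the override inside the nil guard (or raise), and pass the already-read `ca_name` local instead of re-reading the attribute.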
--- a/cookbooks/openldap-grid/recipes/server.rb
+++ b/cookbooks/openldap-grid/recipes/server.rb
@@ -2,7 +2,7 @@
22 # Cookbook Name:: openldap-grid
33 # Recipe:: server
44 #
5-# Copyright 2016, whitestar
5+# Copyright 2016-2018, whitestar
66 #
77 # Licensed under the Apache License, Version 2.0 (the "License");
88 # you may not use this file except in compliance with the License.
@@ -65,8 +65,20 @@ when 'rhel'
6565 end
6666 end
6767
68-# deploy ldif file for TLS settings.
68+# deploy SSL certs and keys and ldif file for TLS settings.
6969 if node['openldap']['with_ssl_cert_cookbook']
70+ ::Chef::Recipe.send(:include, SSLCert::Helper)
71+
72+ ca_name = node['openldap']['ssl_cert']['ca_name']
73+ unless ca_name.nil?
74+ append_ca_name(ca_name)
75+ include_recipe 'ssl_cert::ca_certs'
76+ end
77+
78+ cn = node['openldap']['ssl_cert']['common_name']
79+ append_server_ssl_cn(cn)
80+ include_recipe 'ssl_cert::server_key_pairs'
81+
7082 [
7183 '00_olc-add-ldaps.ldif',
7284 '00_olc-mod-ldaps.ldif',
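Review bot: `cn = node['openldap']['ssl_cert']['common_name']` has no nil check, unlike `ca_name` just above it, so an unset `common_name` is passed straight to `append_server_ssl_cn(nil)` before `ssl_cert::server_key_pairs` is included; the attributes hunk in this commit adds a default for `['server']['enabled']` but none for `['ssl_cert']['common_name']`, so either give it a default or `raise` with a message naming the attribute. The ordering itself is right: the CA bundle and the server key pair are now deployed before the `00_olc-*.ldif` TLS settings that reference them are applied.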
@@ -81,9 +93,9 @@ if node['openldap']['with_ssl_cert_cookbook']
8193 }
8294 end
8395
96+srv_act = node['openldap']['server']['enabled'] ? [:enable] : [:disable, :stop]
8497 service 'slapd' do
85- #action [:enable, :start]
86- action [:enable]
98+ action srv_act
8799 supports status: true, restart: true, reload: false
88100 end
89101
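Review bot: `srv_act` is `[:enable]` when the server is enabled but `[:disable, :stop]` when it is not, so the enabled branch still never starts slapd on first converge (the removed `#action [:enable, :start]` comment shows this was deliberate earlier); if startup relies on the ldif resources notifying the service, a one-line comment saying so would save the next reader from "fixing" it, and a note in the README that `enabled => false` stops the listener on the next converge would document the new attribute's effect.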
--- a/cookbooks/openldap-grid/spec/recipes/client_spec.rb
+++ b/cookbooks/openldap-grid/spec/recipes/client_spec.rb
@@ -2,7 +2,7 @@
22 # Cookbook Name:: openldap
33 # Recipe Spec:: client_spec
44 #
5-# Copyright 2015, whitestar
5+# Copyright 2015-2018, whitestar
66 #
77 # Licensed under the Apache License, Version 2.0 (the "License");
88 # you may not use this file except in compliance with the License.
@@ -22,8 +22,8 @@ require_relative '../spec_helper'
2222 describe 'openldap::client' do
2323 let(:chef_run_on_debian) {
2424 ChefSpec::SoloRunner.new(platform: 'debian', version: '7.6') {|node|
25- node.set['openldap']['client']['URI'] = 'ldap://ldap.example.com'
26- node.set['openldap']['client']['BASE'] = 'dc=example,dc=com'
25+ node.override['openldap']['client']['URI'] = 'ldap://ldap.example.com'
26+ node.override['openldap']['client']['BASE'] = 'dc=example,dc=com'
2727 }.converge(described_recipe)
2828 }
2929
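Review bot: switching from `node.set` to `node.override` is the right fix, since `node.set` was removed in Chef 13, and the same change appears in all four spec blocks. One thing to check while here: the spec describes `'openldap::client'` while the README refers to the cookbook as `openldap-grid` (`openldap-grid::recipe`); if `described_recipe` is derived from that string, confirm it still converges the intended recipe.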
@@ -41,8 +41,8 @@ describe 'openldap::client' do
4141
4242 let(:chef_run_on_rhel) {
4343 ChefSpec::SoloRunner.new(platform: 'centos', version: '7.0') {|node|
44- node.set['openldap']['client']['URI'] = 'ldap://ldap.example.com'
45- node.set['openldap']['client']['BASE'] = 'dc=example,dc=com'
44+ node.override['openldap']['client']['URI'] = 'ldap://ldap.example.com'
45+ node.override['openldap']['client']['BASE'] = 'dc=example,dc=com'
4646 }.converge(described_recipe)
4747 }
4848
--- a/cookbooks/openldap-grid/spec/recipes/nss-ldapd_spec.rb
+++ b/cookbooks/openldap-grid/spec/recipes/nss-ldapd_spec.rb
@@ -2,7 +2,7 @@
22 # Cookbook Name:: openldap
33 # Recipe Spec:: nss-ldapd_spec
44 #
5-# Copyright 2015, whitestar
5+# Copyright 2015-2018, whitestar
66 #
77 # Licensed under the Apache License, Version 2.0 (the "License");
88 # you may not use this file except in compliance with the License.
@@ -22,8 +22,8 @@ require_relative '../spec_helper'
2222 describe 'openldap::nss-ldapd' do
2323 let(:chef_run_on_debian) {
2424 ChefSpec::SoloRunner.new(platform: 'debian', version: '7.6') {|node|
25- node.set['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
26- node.set['openldap']['nss-ldapd']['invalid_key'] = 'value'
25+ node.override['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
26+ node.override['openldap']['nss-ldapd']['invalid_key'] = 'value'
2727 }.converge(described_recipe)
2828 }
2929
@@ -61,8 +61,8 @@ describe 'openldap::nss-ldapd' do
6161
6262 let(:chef_run_on_rhel) {
6363 ChefSpec::SoloRunner.new(platform: 'centos', version: '7.0') {|node|
64- node.set['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
65- node.set['openldap']['nss-ldapd']['invalid_key'] = 'value'
64+ node.override['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
65+ node.override['openldap']['nss-ldapd']['invalid_key'] = 'value'
6666 }.converge(described_recipe)
6767 }
6868