From 3656e311182a770c6d3890b2596b9fdee7137f81 Mon Sep 17 00:00:00 2001
From: Dafydd Jones
Date: Fri, 5 Jul 2019 15:46:36 +0100
Subject: [PATCH 1/6] refactor(defaults): place common values in defaults.yaml

---
vault/defaults.yaml | 2 ++
vault/osfamilymap.yaml | 4 ----
2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/vault/defaults.yaml b/vault/defaults.yaml
index 3357b68..5a4096e 100644
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@@ -3,6 +3,8 @@
vault:
version: 1.1.0
+ platform: linux_amd64
+ gpg_pkg: gnupg2
dev_mode: False
verify_download: True
self_signed_cert:
diff --git a/vault/osfamilymap.yaml b/vault/osfamilymap.yaml
index d15d7f4..20067e0 100644
--- a/vault/osfamilymap.yaml
+++ b/vault/osfamilymap.yaml
@@ -2,12 +2,8 @@
# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
RedHat:
- platform: linux_amd64
- gpg_pkg: gnupg2
Debian:
- gpg_pkg: gnupg2
- platform: linux_amd64
MacOS:
platform: darwin_amd64

From d476700c0fc6907384ae9ea89024065d333124cf Mon Sep 17 00:00:00 2001
From: Dafydd Jones
Date: Fri, 5 Jul 2019 15:48:21 +0100
Subject: [PATCH 2/6] fix(package): explicitly require package providing setcap

---
vault/defaults.yaml | 1 +
vault/osfamilymap.yaml | 3 +--
vault/package/install.sls | 6 ++++++
3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/vault/defaults.yaml b/vault/defaults.yaml
index 5a4096e..504ff7f 100644
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@@ -5,6 +5,7 @@ vault:
version: 1.1.0
platform: linux_amd64
gpg_pkg: gnupg2
+ setcap_pkg: libcap
dev_mode: False
verify_download: True
self_signed_cert:
diff --git a/vault/osfamilymap.yaml b/vault/osfamilymap.yaml
index 20067e0..4b97d7d 100644
--- a/vault/osfamilymap.yaml
+++ b/vault/osfamilymap.yaml
@@ -1,9 +1,8 @@
# -*- coding: utf-8 -*-
# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
-RedHat:
-
Debian:
+ setcap_pkg: libcap2-bin
MacOS:
platform: darwin_amd64
diff --git a/vault/package/install.sls b/vault/package/install.sls
index 038e479..149c62c 100644
--- a/vault/package/install.sls
+++ b/vault/package/install.sls
@@ -51,8 +51,14 @@ vault-package-install-file-symlink:
- target: /opt/vault/bin/vault
- force: true
+vault-package-install-pkg-installed:
+ pkg.installed:
+ - name: {{ vault.setcap_pkg }}
+
vault-package-install-cmd-run:
cmd.run:
- name: setcap cap_ipc_lock=+ep /opt/vault/bin/vault
+ - require:
+ - pkg: vault-package-install-pkg-installed
- onchanges:
- archive: vault-package-install-archive-extracted

From 76b8ac38955bb88a64997948df630d4713bbee95 Mon Sep 17 00:00:00 2001
From: Dafydd Jones
Date: Fri, 5 Jul 2019 15:50:52 +0100
Subject: [PATCH 3/6] feat: add support for openSUSE

---
vault/osfamilymap.yaml | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/vault/osfamilymap.yaml b/vault/osfamilymap.yaml
index 4b97d7d..f79a276 100644
--- a/vault/osfamilymap.yaml
+++ b/vault/osfamilymap.yaml
@@ -4,5 +4,9 @@
Debian:
setcap_pkg: libcap2-bin
+Suse:
+ gpg_pkg: gpg2
+ setcap_pkg: libcap-progs
+
MacOS:
platform: darwin_amd64

From 34f05bd16e19a34d15e6e5068d2cf61416ea359d Mon Sep 17 00:00:00 2001
From: Dafydd Jones
Date: Fri, 5 Jul 2019 16:23:14 +0100
Subject: [PATCH 4/6] ci(kitchen+travis): bring into line with `template-formula`

DEPRECATION: this change removes automated testing of the Amazon Linux v1 platform from Travis CI, however this platform can still be tested locally.
---
.travis.yml | 34 +++++++++++--
FORMULA | 6 +--
kitchen.yml | 144 +++++++++++++++++++++++++++++++++++++++++++---------
3 files changed, 153 insertions(+), 31 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 28381b3..a5d665a 100644
--- a/.travis.yml
+++ b/.travis.yml
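Review bot: `vault-package-install-cmd-run` is still triggered only by `onchanges: archive`, so on a host where the archive was extracted by an earlier run in which `setcap` then failed (the very situation this commit fixes), the next run sees no archive change and never applies the capability. Checking the file itself rather than the extraction event would converge in both cases, e.g. replacing the two `onchanges` lines with `- unless: getcap /opt/vault/bin/vault | grep -q cap_ipc_lock`, while keeping the new `require` on `vault-package-install-pkg-installed`. The `vault-package-install-file-symlink` state whose tail opens the hunk begins outside it.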
@@ -7,16 +7,42 @@ stages:
sudo: required
cache: bundler
language: ruby
+dist: xenial
services:
- docker
+# Make sure the instances listed below match up with
+# the `platforms` defined in `kitchen.yml`
env:
- - PLATFORM=ubuntu
- - PLATFORM=centos
- - PLATFORM=amazon
+ matrix:
+ - INSTANCE: debian-9-develop-py3
+ # - INSTANCE: ubuntu-1804-develop-py3
+ # - INSTANCE: centos-7-develop-py3
+ # - INSTANCE: fedora-30-develop-py3
+ # - INSTANCE: opensuse-leap-15-develop-py3
+ # - INSTANCE: debian-9-2019-2-py3
+ - INSTANCE: ubuntu-1804-2019-2-py3
+ - INSTANCE: centos-7-2019-2-py3
+ # - INSTANCE: fedora-30-2019-2-py3
+ # - INSTANCE: opensuse-leap-15-2019-2-py3
+ # - INSTANCE: debian-9-2018-3-py2
+ # - INSTANCE: ubuntu-1604-2018-3-py2
+ # - INSTANCE: centos-7-2018-3-py2
+ - INSTANCE: fedora-29-2018-3-py2
+ # TODO: Use this when fixed instead of `opensuse-leap-42`
+ # Ref: https://github.com/netmanagers/salt-image-builder/issues/2
+ # - INSTANCE: opensuse-leap-15-2018-3-py2
+ - INSTANCE: opensuse-leap-42-2018-3-py2
+ - INSTANCE: debian-8-2017-7-py2
+ # - INSTANCE: ubuntu-1604-2017-7-py2
+ # TODO: Enable after improving the formula to work with other than `systemd`
+ # - INSTANCE: centos-6-2017-7-py2
+ # - INSTANCE: fedora-29-2017-7-py2
+ # - INSTANCE: opensuse-leap-15-2017-7-py2
-script: bundle exec kitchen test ${PLATFORM}
+script:
+ - bundle exec kitchen test ${INSTANCE}
jobs:
include:
diff --git a/FORMULA b/FORMULA
index ff8ec48..f0eeeb2 100644
--- a/FORMULA
+++ b/FORMULA
@@ -1,9 +1,9 @@
name: vault
-os: Debian, Ubuntu, RedHat, Fedora, CentOS, Amazon
-os_family: Debian, RedHat
+os: Debian, Ubuntu, RedHat, Fedora, CentOS, Amazon, SUSE
+os_family: Debian, RedHat, Suse
version: 1.0.6
release: 1
-minimum_version: 2018.3
+minimum_version: 2017.7
summary: Vault formula
description: Formula to install and configure Hashicorp Vault
top_level_dir: vault
diff --git a/kitchen.yml b/kitchen.yml
index aa52c30..75e9ae7 100644
--- a/kitchen.yml
+++ b/kitchen.yml
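Review bot: `minimum_version: 2017.7` in the FORMULA hunk is an unquoted scalar that a plain YAML loader types as a float, exactly like the `2018.3` it replaces, so any tooling reading the file generically compares releases numerically rather than as version strings; `minimum_version: "2017.7"` keeps it a string. I cannot tell from this hunk whether SPM relies on the numeric form, so confirm against its loader before changing it. The lowered minimum is exercised by only one enabled 2017.7 instance (`debian-8-2017-7-py2`) in the `.travis.yml` hunk of the same commit, which is thin coverage for the new claim.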
@@ -1,40 +1,136 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
---
+# For help on this file's format, see https://kitchen.ci/
driver:
name: docker
use_sudo: false
privileged: true
- run_command: /sbin/init
- provision_command:
- - curl -L https://bootstrap.saltstack.com | sh -s -- -X # install Salt and dependencies here to make use of Docker build cache, speeding up tests massively
+ run_command: /lib/systemd/systemd
-verifier:
- name: inspec
+# Make sure the platforms listed below match up with
+# the `env.matrix` instances defined in `.travis.yml`
+platforms:
+ - name: amazonlinux
+ driver:
+ image: amazonlinux:1
+ platform: rhel
+ run_command: /sbin/init
+ provision_command:
+ - curl -L https://bootstrap.saltstack.com | sh -s -- -X # install latest stable Salt
+
+ ## SALT `develop`
+ - name: debian-9-develop-py3
+ driver:
+ image: netmanagers/salt-develop-py3:debian-9
+ provision_command:
+ - curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
+ - sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
+ - name: ubuntu-1804-develop-py3
+ driver:
+ image: netmanagers/salt-develop-py3:ubuntu-18.04
+ provision_command:
+ - curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
+ - sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
+ - name: centos-7-develop-py3
+ driver:
+ image: netmanagers/salt-develop-py3:centos-7
+ provision_command:
+ - curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
+ - sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
+ - name: fedora-30-develop-py3
+ driver:
+ image: netmanagers/salt-develop-py3:fedora-30
+ provision_command:
+ - curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
+ - sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
+ - name: opensuse-leap-15-develop-py3
+ driver:
+ image: netmanagers/salt-develop-py3:opensuse-leap-15
+ provision_command:
+ - curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
+ - sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
+ run_command: /usr/lib/systemd/systemd
+
+ ## SALT 2019.2
+ - name: debian-9-2019-2-py3
+ driver:
+ image: netmanagers/salt-2019.2-py3:debian-9
+ - name: ubuntu-1804-2019-2-py3
+ driver:
+ image: netmanagers/salt-2019.2-py3:ubuntu-18.04
+ - name: centos-7-2019-2-py3
+ driver:
+ image: netmanagers/salt-2019.2-py3:centos-7
+ - name: fedora-30-2019-2-py3
+ driver:
+ image: netmanagers/salt-2019.2-py3:fedora-30
+ - name: opensuse-leap-15-2019-2-py3
+ driver:
+ image: netmanagers/salt-2019.2-py3:opensuse-leap-15
+ run_command: /usr/lib/systemd/systemd
+
+ ## SALT 2018.3
+ - name: debian-9-2018-3-py2
+ driver:
+ image: netmanagers/salt-2018.3-py2:debian-9
+ - name: ubuntu-1604-2018-3-py2
+ driver:
+ image: netmanagers/salt-2018.3-py2:ubuntu-16.04
+ - name: centos-7-2018-3-py2
+ driver:
+ image: netmanagers/salt-2018.3-py2:centos-7
+ - name: fedora-29-2018-3-py2
+ driver:
+ image: netmanagers/salt-2018.3-py2:fedora-29
+ # TODO: Use this when fixed instead of `opensuse-leap-42`
+ # Ref: https://github.com/netmanagers/salt-image-builder/issues/2
+ # - name: opensuse-leap-15-2018-3-py2
+ # driver:
+ # image: netmanagers/salt-2018.3-py2:opensuse-leap-15
+ # run_command: /usr/lib/systemd/systemd
+ - name: opensuse-leap-42-2018-3-py2
+ driver:
+ image: netmanagers/salt-2018.3-py2:opensuse-leap-42
+ run_command: /usr/lib/systemd/systemd
+
+ ## SALT 2017.7
+ - name: debian-8-2017-7-py2
+ driver:
+ image: netmanagers/salt-2017.7-py2:debian-8
+ - name: ubuntu-1604-2017-7-py2
+ driver:
+ image: netmanagers/salt-2017.7-py2:ubuntu-16.04
+ # TODO: Modify the formula to work for non-`systemd` platforms
+ - name: centos-6-2017-7-py2
+ driver:
+ image: netmanagers/salt-2017.7-py2:centos-6
+ run_command: /sbin/init
+ - name: fedora-29-2017-7-py2
+ driver:
+ image: netmanagers/salt-2017.7-py2:fedora-29
+ - name: opensuse-leap-15-2017-7-py2
+ driver:
+ image: netmanagers/salt-2017.7-py2:opensuse-leap-15
+ run_command: /usr/lib/systemd/systemd
provisioner:
name: salt_solo
- salt_version: latest
log_level: info
+ salt_install: none
require_chef: false
formula: vault
+ salt_copy_filter:
+ - .kitchen
+ - .git
-platforms:
- - name: ubuntu-16.04
- driver:
- name: docker
- provision_command:
- - apt-get install -y locales net-tools && locale-gen en_US.UTF-8
- - curl -L https://bootstrap.saltstack.com | sh -s -- -X
- - name: centos-7
- driver:
- name: docker
- provision_command:
- - yum -y install net-tools # needed by inspec
- - curl -L https://bootstrap.saltstack.com | sh -s -- -X
- - name: amazonlinux
- driver:
- name: docker
- image: amazonlinux:1
- platform: rhel
+verifier:
+ # https://www.inspec.io/
+ name: inspec
+ sudo: true
+ # cli, documentation, html, progress, json, json-min, json-rspec, junit
+ reporter:
+ - cli
suites:
- name: install_binary

From ff5cdf9068822b1f81c6b3beeea06b3c9eb2ba18 Mon Sep 17 00:00:00 2001
From: Dafydd Jones
Date: Mon, 8 Jul 2019 19:15:14 +0100
Subject: [PATCH 5/6] test(user+group): test for vault user/group existence

---
test/integration/prod_server/vault_spec.rb | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/test/integration/prod_server/vault_spec.rb b/test/integration/prod_server/vault_spec.rb
index 15a4d5a..1eb2989 100644
--- a/test/integration/prod_server/vault_spec.rb
+++ b/test/integration/prod_server/vault_spec.rb
@@ -10,8 +10,16 @@
its(:stdout) { should match(/\/vault = cap_ipc_lock\+ep$/) }
end
+describe user('vault') do
+ it { should exist }
+ its('group') { should eq 'vault' }
+end
+
describe file('/etc/vault/conf.d/config.json') do
it { should be_a_file }
+ its('owner') { should eq 'root' }
+ its('group') { should eq 'vault' }
+ its('mode') { should cmp '0640' }
end
describe.one do

From dee3748b65e55b4237af804e6abe0d8dcda16a32 Mon Sep 17 00:00:00 2001
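Review bot: Every `provision_command` in the new `platforms` block downloads `https://bootstrap.saltstack.com` and runs it with no integrity check — `curl -o bootstrap-salt.sh -L …` followed by `sh bootstrap-salt.sh …` for the five `develop` images, and the older `curl … | sh -s -- -X` form kept for `amazonlinux` — so whatever that endpoint serves at build time becomes part of the test environment. Pinning a released version of the bootstrap script rather than the moving redirect, and comparing its checksum before the `sh` line, would make the test images reproducible, which is consistent with the formula's own `verify_download: True` default for the Vault binary. The identical five-line `provision_command` stanza is repeated for each `develop` entry and will drift; a single anchor (`&develop_provision`) referenced from each would keep them in step. The `suites` section at the end of the hunk continues outside it.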
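Review bot: The new `describe user('vault')` block asserts existence and primary group only, so a service account created with an interactive login shell would still pass; paired with a formula change that sets the shell explicitly, `its('shell') { should match %r{/(nologin|false)$} }` would pin that down (a pattern rather than a literal because the nologin path differs between the RedHat and Debian families the formula targets). The `config.json` assertions (`root` owner, `vault` group, `cmp '0640'`) are the right shape for a root-owned, group-readable configuration file. The `describe.one do` block at the end of the hunk continues outside it.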
From: Dafydd Jones
Date: Mon, 8 Jul 2019 19:39:13 +0100
Subject: [PATCH 6/6] fix(user): handle removal of `gid_from_name` in Salt develop branch

saltstack/salt#48640 explains how `gid_from_name` is broken/redundant
---
vault/package/install.sls | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/vault/package/install.sls b/vault/package/install.sls
index 149c62c..8fd3ea3 100644
--- a/vault/package/install.sls
+++ b/vault/package/install.sls
@@ -12,8 +12,10 @@ vault-package-install-user-present:
user.present:
- name: vault
- system: True
- - gid_from_name: True
+ - gid: vault
- home: /var/lib/vault
+ - require:
+ - group: vault-package-install-group-present
vault-package-install-file-directory:
file.directory:
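Review bot: `vault-package-install-user-present` still leaves `shell` unset, so the `vault` service account presumably gets the distribution's default shell for system users rather than an explicit non-login one; adding `- shell: /sbin/nologin`, with the path carried in `osfamilymap.yaml` next to `setcap_pkg` because it differs between OS families, would make the least-privilege intent explicit in the state. The replacement of `gid_from_name: True` by `- gid: vault` plus the `require` on `vault-package-install-group-present` reads correctly, on the assumption that this group state (outside the hunk) creates the `vault` group; I cannot see it here. The `vault-package-install-user-present` header and the `file.directory` state are both cut by the hunk edges.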