Commit 8756f2d4 authored by Christopher Huhn

Merge branch 'master' into cumulus

parents e0eea383 042d71be
......@@ -69,6 +69,7 @@ The "sys" cookbook can be added to a nodes run-list anytime. **By default the co
* [serial](documents/serial.md) – Configure `/etc/inittab`.
* [shutdown](documents/shutdown.md) – Resource to restart and power down the node at a defined time.
* [ssh](documents/ssh.md) – Configure the SSH daemon and deploy/manage authorized keys.
* [ssl](documents/ssl.md) – Distribute SSL certs and keys via data bags and chef-vault.
* [sudo](documents/sudo.md) – Add Sudo privileges to `/etc/sudoers.d/`.
* [sysctl](documents/sysctl.md) (`sysctl`) – Define kernel variables in `/etc/sysctl.d/`.
* [time](documents/time.md) – Connect to site NTP server and set local time zone.
......@@ -81,16 +82,23 @@ The `Sys::Secret` enables [transport of encrypted data between nodes](documents/
[reaper]: http://packages.debian.org/search?keywords=tmpreaper
# Authors
# License
* Matteo Dessalvi
* Stefan Haller
* Christopher Huhn
* Gabriele Iannetti
* André Kerkhoff
* Dennis Klein
* Ilona Neis
* Bastian Neuburger
* Matthias Pausch
* Victor Penso
* Thomas Roth
Author:: Bastian Neuburger
Author:: Christopher Huhn
Author:: Dennis Klein
Author:: Matthias Pausch
Author:: Victor Penso
# License
Copyright:: 2012-2013, GSI HPC Department
Copyright:: 2012-2021 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
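Review bot: the merged README carries two author blocks and two `# License` headings: the bullet list (Matteo Dessalvi through Thomas Roth) sits next to the older `Author::` lines, `# License` appears both directly under `# Authors` and again before the copyright, and there are two differing copyright lines (`2012-2013, GSI HPC Department` and `2012-2021 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH`). The +/- markers are not visible in this view, so confirm that only one author list, one `# License` heading and one copyright line survive the merge.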
......
# `sys::ssl`
Deploys SSL certificates from data bags.
Deploys SSL certificates from data bags
and the corresponding keys from chef vaults.
`recipes/ssl.rb`
`tests/integration/sys_ssl/`
## Attributes
`node['sys']['ssl']['certs']` has to be defined as an *array of hashes*.
Each hash may contain three elements:
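Review bot: "Each hash may contain three elements" on the Attributes line is now stale: the Private keys section added further down in this file introduces `key_vault` and `key_file` as additional per-cert keys. Either drop the count or list every accepted key in one place so the two sections cannot drift apart.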
......@@ -40,7 +41,9 @@ sys: {
}
~~~
It will look into the data bag "ssl_certs" and create the file "/etc/ssl/certs/*FQDN*.pem" from the contents of an item with the nodes FQDN as its `id`.
It will look into the data bag "ssl_certs" and create
the file "/etc/ssl/certs/*FQDN*.pem" from the contents
of an item with the nodes FQDN as its `id`.
## Data bag format
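Review bot: style point in the reflowed sentence: "the nodes FQDN" should be "the node's FQDN". Since the same `data_bag_item` id is reused for the private key lookup (the key file default is `/etc/ssl/private/*data_bag_item*.key` in the section below), it would help to say here that one id drives both the certificate and the key file name.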
......@@ -55,3 +58,20 @@ The data bag item must provide two attribute:
"file-content": "-----BEGIN CERTIFICATE-----\nAAAA[…]ZZZZ\n-----END CERTIFICATE-----"
}
~~~
## Private keys
Private keys corresponding to SSL certificates con be read from chef vaults.
The management of the private key is controlled by attributes for the respective
cert in `node['sys']['ssl']['certs']`.
`key_vault`
: The vault name. Default `ssl_keys`
`key_file`
: The file the key is written into. Default: "/etc/ssl/private/*data_bag_item*.key"
The file will be readable for the group `ssl-cert`.
Even without explicitly given options, `sys::ssl` will always look for
corresponding private key for every certificate found.
If no appropriate vault item is found, a warning is issued.
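Review bot: typos in the new section: "con be read" should be "can be read", and "look for corresponding private key" needs an article ("look for a corresponding private key"); the context line "must provide two attribute" should read "two attributes". On substance, the section should state explicitly that the key lookup is non-fatal: when the vault item cannot be retrieved only a warning is logged and the certificate is still deployed, so a node that is not on the vault's client list ends up with a cert but no key. It is also worth giving the full ownership and mode the recipe sets (`root:ssl-cert`, `0640`) next to "readable for the group `ssl-cert`", since operators grant group membership on the strength of that sentence.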
......@@ -14,5 +14,6 @@ chef_version '>= 12.0' if respond_to?(:chef_version)
supports 'debian'
depends 'line', '< 1.0'
depends 'chef-vault'
version '1.57.2'
version '1.58.0'
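Review bot: `depends 'chef-vault'` has no version constraint, while the Vagrantfile in this same merge pins the chef-vault gem to `< 4` because of Ruby 2.1. Give the cookbook dependency a matching constraint so that kitchen runs and real nodes cannot resolve different chef-vault majors. The bump from 1.57.2 to 1.58.0 is the right size for a new feature.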
......@@ -2,7 +2,7 @@
# Cookbook Name:: sys
# Recipe:: ssl
#
# Copyright 2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
# Copyright 2020-2021 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <C.Huhn@gsi.de>
......@@ -24,10 +24,13 @@
return unless node['sys']['ssl']
package 'ssl-cert'
defaults = {
cert: {
'data_bag' => 'ssl_certs',
'data_bag_item' => node['fqdn']
'data_bag_item' => node['fqdn'],
'key_vault' => 'ssl_keys'
}
}
......@@ -45,4 +48,17 @@ node['sys']['ssl']['certs'].each do |attrs|
rescue Net::HTTPServerException
next
end
cert['key_file'] ||= "/etc/ssl/private/#{cert['data_bag_item']}.key"
begin
file cert['key_file'] do
content chef_vault_item(cert['key_vault'], cert['data_bag_item'])['file-content']
owner 'root'
group 'ssl-cert'
mode '0640' # this file is only readable for the ssl-cert group
sensitive true
end
rescue Net::HTTPServerException, ChefVault::Exceptions => e
Chef::Log.warn "Could not retrieve SSL key for #{cert['data_bag_item']}: #{e}"
end
end
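Review bot: the rescue clause in the new key block will not catch chef-vault errors: `ChefVault::Exceptions` is the namespace that holds the error classes (e.g. `ChefVault::Exceptions::SecretDecryption`, `ChefVault::Exceptions::KeysNotFound`, `ChefVault::Exceptions::ItemNotFound`), not an ancestor of them, and those classes derive from `StandardError`, so `rescue Net::HTTPServerException, ChefVault::Exceptions => e` matches neither a missing vault item nor a failed decryption and the run aborts instead of logging the warning promised by the docs. Rescue the concrete classes, e.g. `rescue Net::HTTPServerException, ChefVault::Exceptions::SecretDecryption, ChefVault::Exceptions::KeysNotFound, ChefVault::Exceptions::ItemNotFound => e`, and verify the list against the chef-vault version pinned in the Vagrantfile. The resource itself looks right: `sensitive true` keeps the key material out of the converge output, and `root:ssl-cert` with `0640` matches the conventional layout of `/etc/ssl/private`.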
{
"id": "www-linux.gsi.de",
// openssl genrsa 1973
"file-content": "-----BEGIN RSA PRIVATE KEY-----\nMIIEcgIBAAKB9xVhwG/PDFsBKxIzfRngrCVKghBEdl5bkgpFiY+WD43ujYl6cbU1\njp0nulfD+JTuVLIah/ArKjHllUC6zXxcHoqm3g4hdXZ2oeYlGeji26aKWGbtPkkp\nOgPnvdykFVesRZ6kf32ao9skGeF9L6WTzCZFsGqjnBb8jKTk5a5VKlVCOP+90isG\nyFbpkZ3nPD2gB8d+EZBlwF8u1zzoHZxDwh+U/fhez0mzf/bQ81jK395cONCssj+E\n4bAcUwUJGZcotZ00kU7zm/R5MH5lKr7mpKA9l+6q4WknQbCpGY/hxdYz7rPLIOTz\nQau9TGK+Tr/o8523KkiVUX0CAwEAAQKB9xQC4K/D/7RMa5slRTgq5fIgwYmoCYBW\nA2BJpG0V7IjRcvXv+uu1rDu5KtVpPAVm6S2nVwKX422/iOiD7D0vmgX6FmjzN5Qf\ng3Z50r37U8eSQxpRf7HJO9rb0P3nM3JScPYAzrEnQaOfLfmzyBwXL0HCh1HGvhdl\nVdwdvi9vb/jFUq4bvMF6bcGDI5cVtLlWlsjntycq0p/zoCXg/LOM0y+Dkb5dkR61\nJN1b5tS3/4kOpQKM/7+peK1y5VmQR1DMcgTn1/tIPh97u6fWCDeTAXoiVlCIpp0h\nqHysdzu8+DO9OFeyOumCXBPhKMKDoE/01s7Xaj2ZlKECfAYABd+MzT8XTqJt5wmp\njIkyUwfy08khzhcgDtMLwYj6Gdxre031RHhU6PbmRfL/4w+aMB2ZjaSrj71mVJMo\n3NzqrJjw1yr8pcZjUekJHBEnRYqOLZmelXbm0yunGlJys7IAlDyR+yn6MQXIvetI\n1aYVbAikpHyqRPIn5FsCfAOQR0BL0+ogkz0KEyt0sA+gQpkqHTDAf+n89oTuoP/A\n3F0jV6EUjOqnxOHiag1uAwcMvcW1sCRZiqG8BC+RUSzv196VFOY9iuPiSfIWUJSR\nZzN/U4tc/vu6E1uvE5Ml66AoXU3y1oCF5ixO2lbJnzk4DKwGvk1Moe+aqQcCfAJ5\nWfKerTbZlmv1YzGhvrgHjyMU5mzlyoPQjSxKiafAcI9ppjMz8eKoKFM+ChOznV2e\nlz5tRXFj6GYRXsg7Li7NeROrIx2vhW9zHqA3SGJuTgdersDMGhcoAGTch0b90siP\n4o/DJcxeRH59EoqEwsuzw5MgyE47KyiqeEcCfAJNEZUU4ZuWuTx62vH+gQk2BIr+\nRKcMRgyDSXOA2vkKQcDqZ1Ud/fgvqNPq7WwKk23j7k5SCZEPOJNC4rkMboxDuvKA\n9WPObXbE0da+Tf4A/dCk8P9WZ1eISaO0I0GrBMEAD2+b1KJc08nciOPtgSDjbltO\nZ2dmilI7XdUCfADaudKiUAM8GjcsgrEshSiR3vrNIjE5qG8duK+P6teOd7y/ASmD\nQtwvC1JnuPmdbFl0DRFzsIUbFImderP2RpevtCtnST2jqdNzZ0a37Kirt2O8pO5I\nNaSHhQi5RYZR7duTGZg/bz2m12DmhRBaW+/DoykPFQE1Nu89Rjs=\n-----END RSA PRIVATE KEY-----\n"
}
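Review bot: this fixture commits an RSA private key in cleartext as a plain data bag item rather than a vault-encrypted one, so the integration test exercises plain data bag loading, not vault decryption; make the test-only nature explicit (in the file name, the `id`, or a README next to it) so the key is never reused anywhere. The `// openssl genrsa 1973` line is not valid JSON: whether the data bag loader tolerates it depends on the parser, and strict JSON tooling will reject the file, so move the comment out of the document. A 1973-bit key is also an unusual size; a 2048-bit test key avoids questions about whether it is intentional.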
# Cookbook Name:: sys
# Integration tests for recipe sys::ssl
#
# Copyright 2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
# Copyright 2020-2021 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
......@@ -26,6 +26,13 @@ describe file('/etc/ssl/certs/www-linux.gsi.de.pem') do
it { should exist }
end
describe file('/etc/ssl/private/www-linux.gsi.de.key') do
it { should exist }
its(:content) do
should match(/^-----BEGIN RSA PRIVATE KEY-----\nMIIEcgIBAAK.*/)
end
end
describe file('/tmp/covfefe.pem') do
it { should exist }
end
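Review bot: the new `describe file('/etc/ssl/private/www-linux.gsi.de.key')` block only checks existence and the PEM header, but the recipe change sets owner `root`, group `ssl-cert` and mode `0640`; those are the security-relevant properties and should be asserted as well, e.g. `its('owner') { should eq 'root' }`, `its('group') { should eq 'ssl-cert' }`, `its('mode') { should cmp '0640' }`. The trailing `.*` in the content regex is redundant.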
......
......@@ -5,5 +5,7 @@ Vagrant.configure(2) do |config|
sudo DEBIAN_FRONTEND=noninteractive apt-get -qq -y install chef
sudo DEBIAN_FRONTEND=noninteractive apt-get -qq -y install exim4-base
sudo DEBIAN_FRONTEND=noninteractive apt-get -qq -y install shellcheck
# v2 is the last version that works with Ruby 2.1:
sudo gem install chef-vault --version '< 4'
SHELL
end
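Review bot: the comment says v2 is the last chef-vault version that works with Ruby 2.1, but the pin is `--version '< 4'`, which still admits 3.x; either tighten it to `'< 3'` or correct the comment so the constraint and its rationale agree.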