chef-flavor-flay 0.4.1 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +66 -20
- data/lib/chef/knife/data_bag_decrypt.rb +14 -0
- data/lib/chef/knife/data_bag_encrypt.rb +14 -0
- data/lib/chef/knife/flay_knife_helpers.rb +42 -0
- data/lib/flay/cli.rb +32 -6
- data/lib/flay/commands/release.rb +1 -1
- data/lib/flay/version.rb +1 -1
- data/shared/flavor/flay/files/default/Rakefile +0 -26
- data/shared/flavor/flay/recipes/cookbook.rb +0 -4
- metadata +5 -3
- data/shared/flavor/flay/files/default/test/integration/data_bags/ejson/keys.plaintext.json +0 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6114d63746f15e1bf98e6a80070b68bf7455c5fa
|
4
|
+
data.tar.gz: 7631eba19a6fd5c47bd9d480a9c3477938a6eff2
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b9cd09e71dc97912aa44dc829baf3c7fc473308b75a12ea98fa1478102557acf3287bb1505cc08e92ee2b110fbac455240b8337d981bec64dcc3835784c627f4
|
7
|
+
data.tar.gz: e2c72641f9328f4d18e7ac5858764493955a8ccbb16b9b62083fbc36a84eef3ef07360ce7285723db5f0267f829015e01bcfbc6e72c26a406b69c109dab767eb
|
data/README.md
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# Flay - A
|
1
|
+
# Flay - A Customized Chef Cookbook Template with Other Useful Things
|
2
2
|
|
3
3
|
[](https://travis-ci.org/sweeperio/flay)
|
4
4
|
[](https://badge.fury.io/rb/chef-flavor-flay)
|
@@ -28,23 +28,7 @@ It's very opinionated and works with the sweeperio infrastructure specifically.
|
|
28
28
|
* Updates all templates to pass `bundle exec rubocop && bundle exec rspec`
|
29
29
|
* Adds a travis file for CI that will use the chefdk to run tests
|
30
30
|
* Creates a single `test` directory rather than spec/unit and test/integration
|
31
|
-
* Adds a _dummy_ `encrypted_data_bag_secret` file for [Test Kitchen]
|
32
|
-
* Adds `encrypt_data_bag` rake task for working with encrypted data bags in [Test Kitchen] (see note below)
|
33
|
-
|
34
|
-
### Testing Encrypted Data Bags
|
35
|
-
|
36
|
-
In order to make testing encrypted data bags easier, there's a convention (and rake task) in place in this template.
|
37
|
-
|
38
|
-
The _test/integration/data_bags_ directory should contain subdirectories for each data bag you want to test (just like
|
39
|
-
your chef repo would).
|
40
|
-
|
41
|
-
**To create an encrypted data bag item, follow these steps (assuming you're testing ejson/keys):**
|
42
|
-
|
43
|
-
* Create `test/integration/data_bags/ejson/keys.plaintext.json` and add your items
|
44
|
-
* Run `bundle exec rake encrypt_data_bag[ejson,keys]` (zsh users, you'll need to quote, escape or `unsetopt nomatch`)
|
45
|
-
* Notice that `test/integration/data_bags/ejson/keys.json` has been created and contains the encrypted contents
|
46
|
-
|
47
|
-
Updating follows the exact same process.
|
31
|
+
* Adds a _dummy_ `encrypted_data_bag_secret` file for [Test Kitchen] (see note about testing data bags below)
|
48
32
|
|
49
33
|
[Berkshelf]: https://docs.chef.io/berkshelf.html
|
50
34
|
[ChefSpec]: https://docs.chef.io/chefspec.html
|
@@ -72,6 +56,8 @@ Celebrate! :rocket:
|
|
72
56
|
|
73
57
|
* `chef exec flay cookbook my_cookbook`
|
74
58
|
* `chef exec flay recipe my_cookbook` (from within the cookbook directory)
|
59
|
+
* `chef exec flay encrypt DATA_BAG ITEM (options)`
|
60
|
+
* `chef exec flay decrypt DATA_BAG ITEM (options)`
|
75
61
|
* `chef exec flay release` (see below)
|
76
62
|
|
77
63
|
There are a few other commands available. Run `chef exec flay help` for details.
|
@@ -91,9 +77,69 @@ It will run:
|
|
91
77
|
* `git tag -a -m "Version #{version}" v#{version}` - unless the tag already exists
|
92
78
|
* `git push && git push --tags`
|
93
79
|
* `chef exec berks install`
|
94
|
-
* `chef exec berks upload
|
80
|
+
* `chef exec berks upload`
|
81
|
+
|
82
|
+
### Working With Data Bags
|
83
|
+
|
84
|
+
Normally data bags are edited directly on the chef server by using the normal `knife data bag` commands. I'm not fond of
|
85
|
+
this practise because there is no history there. If someone changes an item, how do you go back to what it was if
|
86
|
+
something goes wrong?
|
87
|
+
|
88
|
+
For this reason, I've added a simple knife plugin that exposes 2 new knife commands `data bag encrypt` and `data bag
|
89
|
+
decrypt`. These commands work with json files in the `data_bags/` directory of your chef repo. The basic idea is that
|
90
|
+
you encrypt the items locally, commit to git and then create/update the items from json files.
|
91
|
+
|
92
|
+
For example, suppose you have an unencrypted json file at `data_bags/ejson/keys.json` that defines an item. To encrypt
|
93
|
+
this item you can run the following command:
|
94
|
+
|
95
|
+
`chef exec knife data bag encrypt ejson keys -w`
|
96
|
+
|
97
|
+
This will encrypt the contents using your `encrypted_data_bag_secret` (pulled from chef config/knife.rb).
|
98
|
+
|
99
|
+
Similarly there's a `decrypt` version that does the opposite. `knife data bag decrypt ejson keys -w`
|
100
|
+
|
101
|
+
Both of these commands support the following options:
|
102
|
+
|
103
|
+
* `-w` - whether or not to write the file. If false, the results will be printed to STDOUT, but not written to the file.
|
104
|
+
Default `false`
|
105
|
+
* `-s` - The path to your encrypted_data_bag_secret file. Default `Chef::Config[:encrypted_data_bag_secret]`
|
106
|
+
* `-p` - The path to your data bag directory. Default `Chef::Config[:data_bag_path]`
|
107
|
+
|
108
|
+
For example to use test data bags with a custom secret file you could run:
|
109
|
+
|
110
|
+
`chef exec knife data bag encrypt -w -s /some/path/to/secret -p /custom/data_bags/dir`
|
111
|
+
|
112
|
+
#### Flay Wrappers
|
113
|
+
|
114
|
+
For convenience, there are equivalent commands added to flay that really just wrap the call to these commands.
|
115
|
+
|
116
|
+
* `flay encrypt DATA_BAG ITEM` - Will encrypt the data bag and write to the file
|
117
|
+
* `flay decrypt DATA_BAG ITEM` - Will decrypt the data bag and write to the file
|
118
|
+
|
119
|
+
Both of these support the `--no-write` option to prevent writing the result to the file. There is also the `-t` option,
|
120
|
+
we sets the secret file and data bag path to `test/integration/encrypted_data_bag_secret` and
|
121
|
+
`test/integration/data_bags` respectively.
|
122
|
+
|
123
|
+
### Testing Encrypted Data Bags
|
124
|
+
|
125
|
+
The _test/integration/data_bags_ directory should contain subdirectories for each data bag you want to test (just like
|
126
|
+
your chef repo would).
|
127
|
+
|
128
|
+
**To create an encrypted data bag item, follow these steps (assuming you're testing ejson/keys):**
|
129
|
+
|
130
|
+
* Create `test/integration/data_bags/ejson/keys.json` and add your items
|
131
|
+
* Run `chef exec flay encrypt ejson keys -t`
|
132
|
+
* Notice that `test/integration/data_bags/ejson/keys.json` contains the encrypted contents
|
133
|
+
|
134
|
+
**Updating a data bag**
|
135
|
+
|
136
|
+
* Decrypt the data bag using `chef exec flay decrypt ejson keys -t`
|
137
|
+
* Notice that `test/integration/data_bags/ejson/keys.json` contains the decrypted contents
|
138
|
+
* Update the contents as necessary
|
139
|
+
* Run `chef exec flay encrypt ejson keys -t`
|
140
|
+
* Notice that `test/integration/data_bags/ejson/keys.json` contains the (updated) encrypted contents
|
95
141
|
|
96
|
-
### Example
|
142
|
+
### Cookbook Generation Example
|
97
143
|
|
98
144
|
```
|
99
145
|
$ chef exec flay generate cookbook chef-demo-flay
|
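Review bot: In the "Updating a data bag" steps, `chef exec flay decrypt ejson keys -t` writes the decrypted contents back to the same tracked path, `test/integration/data_bags/ejson/keys.json`, so a commit made between the decrypt and the re-encrypt puts plaintext into the git history this section recommends keeping. The same applies to the `data_bags/` workflow described under "Working With Data Bags". The README should state this explicitly and point to `--no-write` for inspecting an item without touching the file. Two smaller points in the same hunk: the custom-secret example `chef exec knife data bag encrypt -w -s /some/path/to/secret -p /custom/data_bags/dir` omits the DATA_BAG and ITEM arguments, and "we sets the secret file" should read "which sets the secret file".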
@@ -0,0 +1,14 @@
|
|
1
|
+
require_relative "flay_knife_helpers"
|
2
|
+
|
3
|
+
class Chef::Knife::DataBagDecrypt < Chef::Knife
|
4
|
+
include Chef::Knife::FlayKnifeHelpers
|
5
|
+
|
6
|
+
banner "knife data bag decrypt DATA_BAG ITEM (options)"
|
7
|
+
category "data bag"
|
8
|
+
|
9
|
+
def run
|
10
|
+
plain_text_bag = Chef::EncryptedDataBagItem.new(data_bag, secret)
|
11
|
+
write_to_file(plain_text_bag) if config.fetch(:write, false)
|
12
|
+
display(plain_text_bag)
|
13
|
+
end
|
14
|
+
end
|
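Review bot: `display(plain_text_bag)` at the end of `run` is unconditional, so the decrypted item is printed to STDOUT even when `-w` is given and the caller only wanted the file rewritten. That leaves secrets in terminal scrollback and in any captured output from the `flay decrypt` wrapper, which writes by default. Suggest displaying only when not writing, or printing a short confirmation with the path instead of the contents after `write_to_file`.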
@@ -0,0 +1,14 @@
|
|
1
|
+
require_relative "flay_knife_helpers"
|
2
|
+
|
3
|
+
class Chef::Knife::DataBagEncrypt < Chef::Knife
|
4
|
+
include Chef::Knife::FlayKnifeHelpers
|
5
|
+
|
6
|
+
banner "knife data bag encrypt DATA_BAG ITEM (options)"
|
7
|
+
category "data bag"
|
8
|
+
|
9
|
+
def run
|
10
|
+
cipher_text_bag = Chef::EncryptedDataBagItem.encrypt_data_bag_item(data_bag, secret)
|
11
|
+
write_to_file(cipher_text_bag) if config.fetch(:write, false)
|
12
|
+
display(cipher_text_bag)
|
13
|
+
end
|
14
|
+
end
|
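Review bot: `run` hands whatever the JSON file contains to `encrypt_data_bag_item` without checking that the item is still plaintext, and with `-w` the result overwrites the source file. Because encrypt and decrypt now toggle a single file in place, running encrypt on an item that is already encrypted is an easy mistake to make. Consider refusing, with a clear error, when the values already look encrypted (for example a value that is a hash carrying an `encrypted_data` key).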
@@ -0,0 +1,42 @@
|
|
1
|
+
require "chef"
|
2
|
+
require "chef/knife"
|
3
|
+
|
4
|
+
module Chef::Knife::FlayKnifeHelpers
|
5
|
+
def self.included(base)
|
6
|
+
base.class_eval do
|
7
|
+
option :data_bag_path, short: "-p", long: "--path", default: nil
|
8
|
+
option :secret_file, short: "-s", long: "--secret-file", default: nil
|
9
|
+
option :write, short: "-w", long: "--write", boolean: true, default: false
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
13
|
+
private
|
14
|
+
|
15
|
+
def write_to_file(bag)
|
16
|
+
json = JSON.pretty_generate(bag.to_hash)
|
17
|
+
File.open(data_bag_path, "w") { |file| file.write(json) }
|
18
|
+
end
|
19
|
+
|
20
|
+
def display(bag)
|
21
|
+
output(format_for_display(bag))
|
22
|
+
end
|
23
|
+
|
24
|
+
def secret
|
25
|
+
@secret ||= begin
|
26
|
+
path = config.fetch(:secret_file, Chef::Config[:encrypted_data_bag_secret])
|
27
|
+
Chef::EncryptedDataBagItem.load_secret(path)
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
def data_bag
|
32
|
+
@data_bag ||= Chef::DataBagItem.from_hash(JSON.parse(File.read(data_bag_path)))
|
33
|
+
end
|
34
|
+
|
35
|
+
def data_bag_path
|
36
|
+
@data_bag_path ||= begin
|
37
|
+
base_path = config.fetch(:data_bag_path, Chef::Config[:data_bag_path])
|
38
|
+
bag, item = name_args
|
39
|
+
File.join(base_path, bag, "#{item}.json")
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
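Review bot: In `secret` and `data_bag_path`, `config.fetch(:secret_file, ...)` and `config.fetch(:data_bag_path, ...)` only fall back to `Chef::Config` when the key is absent, but both options are declared with `default: nil`. If the option parser stores that nil under the key, `fetch` returns nil and `File.join(base_path, bag, "#{item}.json")` raises on a nil `base_path`. `config[:data_bag_path] || Chef::Config[:data_bag_path]` (and the same for the secret file) expresses the intended fallback. Separately, `bag, item = name_args` is used without checking that both arguments were supplied; a usage message and a non-zero exit when either is missing would be better than a TypeError from `File.join`.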
data/lib/flay/cli.rb
CHANGED
@@ -1,17 +1,13 @@
|
|
1
1
|
class Flay::CLI < Thor
|
2
2
|
include Thor::Actions
|
3
|
+
include Flay::Helpers
|
3
4
|
|
4
5
|
package_name "flay"
|
5
6
|
|
6
7
|
Flay::Commands::Generate.register_with(self, as: "generate")
|
7
8
|
Flay::Commands::Release.register_with(self, as: "release")
|
8
9
|
|
9
|
-
method_option
|
10
|
-
:chef_path,
|
11
|
-
type: :string,
|
12
|
-
desc: "The path that contains your knife.rb file",
|
13
|
-
default: "~/.chef-sweeper/"
|
14
|
-
)
|
10
|
+
method_option :chef_path, type: :string, desc: "Your .chef/ folder", default: "~/.chef-sweeper/"
|
15
11
|
desc "link [--chef-path=PATH]", "symlinks .chef to --chef-path"
|
16
12
|
long_desc "Creates a symlink in the current directory from .chef to --chef-path"
|
17
13
|
def link
|
@@ -26,4 +22,34 @@ class Flay::CLI < Thor
|
|
26
22
|
def version
|
27
23
|
say "flay version: #{Flay::VERSION}"
|
28
24
|
end
|
25
|
+
|
26
|
+
method_option :write, type: :boolean, desc: "Whether or not to write the file", default: true
|
27
|
+
method_option :test, type: :boolean, desc: "Whether or not this is a test data bag", default: false, aliases: "-t"
|
28
|
+
desc "encrypt DATA_BAG ITEM (options)", "encrypt a data bag item"
|
29
|
+
long_desc "Encrypts a data bag item"
|
30
|
+
def encrypt(data_bag, item)
|
31
|
+
cmd = "chef exec knife data bag encrypt #{data_bag} #{item}"
|
32
|
+
cmd << " -w" if options.fetch("write")
|
33
|
+
cmd << " #{test_data_bag_args}" if options.fetch("test")
|
34
|
+
|
35
|
+
shell_exec(cmd)
|
36
|
+
end
|
37
|
+
|
38
|
+
method_option :write, type: :boolean, desc: "Whether or not to write the file", default: true
|
39
|
+
method_option :test, type: :boolean, desc: "Whether or not this is a test data bag", default: false, aliases: "-t"
|
40
|
+
desc "decrypt DATA_BAG ITEM (options)", "decrypt a data bag item"
|
41
|
+
long_desc "Decrypts a data bag item"
|
42
|
+
def decrypt(data_bag, item)
|
43
|
+
cmd = "chef exec knife data bag decrypt #{data_bag} #{item}"
|
44
|
+
cmd << " -w" if options.fetch("write")
|
45
|
+
cmd << " #{test_data_bag_args}" if options.fetch("test")
|
46
|
+
|
47
|
+
shell_exec(cmd)
|
48
|
+
end
|
49
|
+
|
50
|
+
private
|
51
|
+
|
52
|
+
def test_data_bag_args
|
53
|
+
"-s test/integration/encrypted_data_bag_secret -p test/integration/data_bags"
|
54
|
+
end
|
29
55
|
end
|
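Review bot: In `encrypt` and `decrypt`, `data_bag` and `item` are interpolated straight into a command string (`cmd = "chef exec knife data bag encrypt #{data_bag} #{item}"`) that is then passed to `shell_exec`, so an argument containing spaces or shell metacharacters changes the command that runs. Escape both values with `Shellwords.escape`, or build the command as an argument array if `shell_exec` can take one. Also note that `--write` defaults to `true` here while the knife plugin's `-w` defaults to `false`; the differing defaults should be mentioned in the option descriptions, since the wrapper overwrites the file unless `--no-write` is passed.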
data/lib/flay/version.rb
CHANGED
@@ -1,20 +1,7 @@
|
|
1
|
-
require "chef"
|
2
1
|
require "foodcritic"
|
3
2
|
require "rspec/core/rake_task"
|
4
3
|
require "rubocop/rake_task"
|
5
4
|
|
6
|
-
# Data Bag Helpers
|
7
|
-
SECRET_FILE = "./test/integration/encrypted_data_bag_secret".freeze
|
8
|
-
INPUT_PATH_FORMAT = "./test/integration/data_bags/%s/%s.plaintext.json".freeze
|
9
|
-
OUTPUT_PATH_FORMAT = "./test/integration/data_bags/%s/%s.json".freeze
|
10
|
-
|
11
|
-
def raw_bag_item(args)
|
12
|
-
path = format(INPUT_PATH_FORMAT, *args.values_at(:bag, :item))
|
13
|
-
hash = JSON.parse(File.read(path))
|
14
|
-
|
15
|
-
Chef::DataBagItem.from_hash(hash)
|
16
|
-
end
|
17
|
-
|
18
5
|
RSpec::Core::RakeTask.new { |rspec| rspec.rspec_opts = File.read("./.rspec").split("\n") }
|
19
6
|
|
20
7
|
RuboCop::RakeTask.new { |rubocop| rubocop.options = %w(-D) }
|
@@ -24,19 +11,6 @@ FoodCritic::Rake::LintTask.new do |foodcritic|
|
|
24
11
|
foodcritic.options[:fail_tags] = "any"
|
25
12
|
end
|
26
13
|
|
27
|
-
desc "encrypts a data bag item for integration tests"
|
28
|
-
task :encrypt_data_bag, [:bag, :item] do |_, args|
|
29
|
-
data_bag_item = raw_bag_item(args)
|
30
|
-
data_bag_secret = Chef::EncryptedDataBagItem.load_secret(SECRET_FILE)
|
31
|
-
encrypted_item = Chef::EncryptedDataBagItem.encrypt_data_bag_item(data_bag_item, data_bag_secret)
|
32
|
-
|
33
|
-
pretty_json = JSON.pretty_generate(encrypted_item.to_hash)
|
34
|
-
output_path = format(OUTPUT_PATH_FORMAT, *args.values_at(:bag, :item))
|
35
|
-
File.open(output_path, "w") { |file| file.write(pretty_json) }
|
36
|
-
|
37
|
-
puts format("encrypted test data bag: %s", output_path)
|
38
|
-
end
|
39
|
-
|
40
14
|
desc "Run Rubocop and Foodcritic style checks"
|
41
15
|
task style: [:rubocop, :foodcritic]
|
42
16
|
|
@@ -49,10 +49,6 @@ cookbook_file("#{kitchen_dir}/data_bags/ejson/keys.json") do
|
|
49
49
|
source "test/integration/data_bags/ejson/keys.json"
|
50
50
|
end
|
51
51
|
|
52
|
-
cookbook_file("#{kitchen_dir}/data_bags/ejson/keys.plaintext.json") do
|
53
|
-
source "test/integration/data_bags/ejson/keys.plaintext.json"
|
54
|
-
end
|
55
|
-
|
56
52
|
cookbook_file "#{kitchen_dir}/helpers/serverspec/spec_helper.rb" do
|
57
53
|
source "test/integration/helpers/serverspec/spec_helper.rb"
|
58
54
|
action :create_if_missing
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chef-flavor-flay
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 1.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- pseudomuto
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-01-
|
11
|
+
date: 2016-01-09 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: chef-gen-flavors
|
@@ -61,6 +61,9 @@ files:
|
|
61
61
|
- cucumber.yml
|
62
62
|
- exe/flay
|
63
63
|
- flay.gemspec
|
64
|
+
- lib/chef/knife/data_bag_decrypt.rb
|
65
|
+
- lib/chef/knife/data_bag_encrypt.rb
|
66
|
+
- lib/chef/knife/flay_knife_helpers.rb
|
64
67
|
- lib/chef_gen/flavor/flay.rb
|
65
68
|
- lib/flay.rb
|
66
69
|
- lib/flay/cli.rb
|
@@ -80,7 +83,6 @@ files:
|
|
80
83
|
- shared/flavor/flay/files/default/test/chef/client.enc
|
81
84
|
- shared/flavor/flay/files/default/test/chef/knife.rb
|
82
85
|
- shared/flavor/flay/files/default/test/integration/data_bags/ejson/keys.json
|
83
|
-
- shared/flavor/flay/files/default/test/integration/data_bags/ejson/keys.plaintext.json
|
84
86
|
- shared/flavor/flay/files/default/test/integration/encrypted_data_bag_secret
|
85
87
|
- shared/flavor/flay/files/default/test/integration/helpers/serverspec/spec_helper.rb
|
86
88
|
- shared/flavor/flay/files/default/test/unit/spec_helper.rb
|