chef 16.3.38-universal-mingw32 → 16.5.64-universal-mingw32

data/lib/chef/resource/chef_client_launchd.rb

@@ -0,0 +1,194 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+require "chef-utils/dist" unless defined?(ChefUtils::Dist)
+class Chef
+  class Resource
+    class ChefClientLaunchd < Chef::Resource
+      unified_mode true
+
+      provides :chef_client_launchd
+
+      description "Use the **chef_client_launchd** resource to configure the #{ChefUtils::Dist::Infra::PRODUCT} to run on a schedule."
+      introduced "16.5"
+      examples <<~DOC
+        **Set the #{ChefUtils::Dist::Infra::PRODUCT} to run on a schedule**:
+
+        ```ruby
+        chef_client_launchd 'Setup the #{ChefUtils::Dist::Infra::PRODUCT} to run every 30 minutes' do
+          interval 30
+          action :enable
+        end
+        ```
+
+        **Disable the #{ChefUtils::Dist::Infra::PRODUCT} running on a schedule**:
+
+        ```ruby
+        chef_client_launchd 'Prevent the #{ChefUtils::Dist::Infra::PRODUCT} from running on a schedule' do
+          action :disable
+        end
+        ```
+      DOC
+
+      property :user, String,
+        description: "The name of the user that #{ChefUtils::Dist::Infra::PRODUCT} runs as.",
+        default: "root"
+
+      property :working_directory, String,
+        description: "The working directory to run the #{ChefUtils::Dist::Infra::PRODUCT} from.",
+        default: "/var/root"
+
+      property :interval, [Integer, String],
+        description: "Time in minutes between #{ChefUtils::Dist::Infra::PRODUCT} executions.",
+        coerce: proc { |x| Integer(x) },
+        callbacks: { "should be a positive number" => proc { |v| v > 0 } },
+        default: 30
+
+      property :splay, [Integer, String],
+        default: 300,
+        coerce: proc { |x| Integer(x) },
+        callbacks: { "should be a positive number" => proc { |v| v > 0 } },
+        description: "A random number of seconds between 0 and X to add to interval so that all #{ChefUtils::Dist::Infra::CLIENT} commands don't execute at the same time."
+
+      property :accept_chef_license, [true, false],
+        description: "Accept the Chef Online Master License and Services Agreement. See <https://www.chef.io/online-master-agreement/>",
+        default: false
+
+      property :config_directory, String,
+        description: "The path of the config directory.",
+        default: ChefConfig::Config.etc_chef_dir
+
+      property :log_directory, String,
+        description: "The path of the directory to create the log file in.",
+        default: "/Library/Logs/Chef"
+
+      property :log_file_name, String,
+        description: "The name of the log file to use.",
+        default: "client.log"
+
+      property :chef_binary_path, String,
+        description: "The path to the #{ChefUtils::Dist::Infra::CLIENT} binary.",
+        default: "/opt/#{ChefUtils::Dist::Infra::DIR_SUFFIX}/bin/#{ChefUtils::Dist::Infra::CLIENT}"
+
+      property :daemon_options, Array,
+        description: "An array of options to pass to the #{ChefUtils::Dist::Infra::CLIENT} command.",
+        default: lazy { [] }
+
+      property :environment, Hash,
+        description: "A Hash containing additional arbitrary environment variables under which the launchd daemon will be run in the form of `({'ENV_VARIABLE' => 'VALUE'})`.",
+        default: lazy { {} }
+
+      property :nice, [Integer, String],
+        description: "The process priority to run the #{ChefUtils::Dist::Infra::CLIENT} process at. A value of -20 is the highest priority and 19 is the lowest priority.",
+        coerce: proc { |x| Integer(x) },
+        callbacks: { "should be an Integer between -20 and 19" => proc { |v| v >= -20 && v <= 19 } }
+
+      property :low_priority_io, [true, false],
+        description: "Run the #{ChefUtils::Dist::Infra::CLIENT} process with low priority disk IO",
+        default: true
+
+      action :enable do
+        unless ::Dir.exist?(new_resource.log_directory)
+          directory new_resource.log_directory do
+            owner new_resource.user
+            mode "0750"
+            recursive true
+          end
+        end
+
+        launchd "com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}" do
+          username new_resource.user
+          working_directory new_resource.working_directory
+          start_interval new_resource.interval * 60
+          program_arguments ["/bin/bash", "-c", client_command]
+          environment_variables new_resource.environment unless new_resource.environment.empty?
+          nice new_resource.nice
+          low_priority_io true
+          notifies :sleep, "chef_sleep[Sleep before client restart]", :immediately
+          action :create # create only creates the file. No service restart triggering
+        end
+
+        # Launchd doesn't have the concept of a reload aka restart. Instead to update a daemon config you have
+        # to unload it and then reload the new plist. That's usually fine, but not if chef-client is trying
+        # to restart itself. If the chef-client process uses launchd or macosx_service resources to restart itself
+        # we'll end up with a stopped service that will never get started back up. Instead we use this daemon
+        # that triggers when the chef-client plist file is updated, and handles the restart outside the run.
+        launchd "com.#{ChefUtils::Dist::Infra::SHORT}.restarter" do
+          username "root"
+          watch_paths ["/Library/LaunchDaemons/com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}.plist"]
+          standard_out_path ::File.join(new_resource.log_directory, new_resource.log_file_name)
+          standard_error_path ::File.join(new_resource.log_directory, new_resource.log_file_name)
+          program_arguments ["/bin/bash",
+                             "-c",
+                             "echo; echo #{ChefUtils::Dist::Infra::PRODUCT} launchd daemon config has been updated. Manually unloading and reloading the daemon; echo Now unloading the daemon; launchctl unload /Library/LaunchDaemons/com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}.plist; sleep 2; echo Now loading the daemon; launchctl load /Library/LaunchDaemons/com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}.plist"]
+          action :enable # enable creates the plist & triggers service restarts on change
+        end
+
+        # We want to make sure that after we update the chef-client launchd config that we don't move on to another recipe
+        # before the restarter daemon can do its thing. This sleep avoids killing the client while it's doing something like
+        # installing a package, which could be problematic. It also makes it a bit more clear in the log that the killed process
+        # was intentional.
+        chef_sleep "Sleep before client restart" do
+          seconds 10
+          action :nothing
+        end
+      end
+
+      action :disable do
+        service ChefUtils::Dist::Infra::PRODUCT do
+          service_name "com.#{ChefUtils::Dist::Infra::SHORT}.#{ChefUtils::Dist::Infra::CLIENT}"
+          action :disable
+        end
+
+        service "com.#{ChefUtils::Dist::Infra::SHORT}.restarter" do
+          action :disable
+        end
+      end
+
+      action_class do
+        #
+        # Generate a uniformly distributed unique number to sleep from 0 to the splay time
+        #
+        # @param [Integer] splay The number of seconds to splay
+        #
+        # @return [Integer]
+        #
+        def splay_sleep_time(splay)
+          seed = node["shard_seed"] || Digest::MD5.hexdigest(node.name).to_s.hex
+          random = Random.new(seed.to_i)
+          random.rand(splay)
+        end
+
+        #
+        # random sleep time + chef-client + daemon option properties + license acceptance
+        #
+        # @return [String]
+        #
+        def client_command
+          cmd = ""
+          cmd << "/bin/sleep #{splay_sleep_time(new_resource.splay)};"
+          cmd << " #{new_resource.chef_binary_path}"
+          cmd << " #{new_resource.daemon_options.join(" ")}" unless new_resource.daemon_options.empty?
+          cmd << " -c #{::File.join(new_resource.config_directory, "client.rb")}"
+          cmd << " -L #{::File.join(new_resource.log_directory, new_resource.log_file_name)}"
+          cmd << " --chef-license accept" if new_resource.accept_chef_license
+          cmd
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/chef_client_scheduled_task.rb

@@ -15,7 +15,7 @@
 #
 
 require_relative "../resource"
-require_relative "../dist"
+require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 
 class Chef
   class Resource
@@ -24,24 +24,24 @@ class Chef
 
       provides :chef_client_scheduled_task
 
-      description "Use the **chef_client_scheduled_task** resource to setup the #{Chef::Dist::PRODUCT} to run as a Windows scheduled task. This resource will also create the specified log directory if it doesn't already exist."
+      description "Use the **chef_client_scheduled_task** resource to setup the #{ChefUtils::Dist::Infra::PRODUCT} to run as a Windows scheduled task. This resource will also create the specified log directory if it doesn't already exist."
       introduced "16.0"
       examples <<~DOC
-      **Setup #{Chef::Dist::PRODUCT} to run using the default 30 minute cadence**:
+      **Setup #{ChefUtils::Dist::Infra::PRODUCT} to run using the default 30 minute cadence**:
 
       ```ruby
-        chef_client_scheduled_task "Run #{Chef::Dist::PRODUCT} as a scheduled task"
+        chef_client_scheduled_task "Run #{ChefUtils::Dist::Infra::PRODUCT} as a scheduled task"
       ```
 
-      **Run #{Chef::Dist::PRODUCT} on system start**:
+      **Run #{ChefUtils::Dist::Infra::PRODUCT} on system start**:
 
       ```ruby
-        chef_client_scheduled_task '#{Chef::Dist::PRODUCT} on start' do
+        chef_client_scheduled_task '#{ChefUtils::Dist::Infra::PRODUCT} on start' do
           frequency 'onstart'
         end
       ```
 
-      **Run #{Chef::Dist::PRODUCT} with extra options passed to the client**:
+      **Run #{ChefUtils::Dist::Infra::PRODUCT} with extra options passed to the client**:
 
       ```ruby
         chef_client_scheduled_task "Run an override recipe" do
@@ -49,7 +49,7 @@ class Chef
         end
       ```
 
-      **Run #{Chef::Dist::PRODUCT} daily at 01:00 am, specifying a named run-list**:
+      **Run #{ChefUtils::Dist::Infra::PRODUCT} daily at 01:00 am, specifying a named run-list**:
 
       ```ruby
         chef_client_scheduled_task "Run chef-client named run-list daily" do
@@ -64,14 +64,15 @@ class Chef
 
       property :task_name, String,
         description: "The name of the scheduled task to create.",
-        default: Chef::Dist::CLIENT
+        default: ChefUtils::Dist::Infra::CLIENT
 
       property :user, String,
-        description: "The name of the user that #{Chef::Dist::PRODUCT} runs as.",
+        description: "The name of the user that #{ChefUtils::Dist::Infra::PRODUCT} runs as.",
         default: "System", sensitive: true
 
-      property :password, String, sensitive: true,
-        description: "The password for the user that #{Chef::Dist::PRODUCT} runs as."
+      property :password, String,
+        description: "The password for the user that #{ChefUtils::Dist::Infra::PRODUCT} runs as.",
+        sensitive: true
 
       property :frequency, String,
         description: "Frequency with which to run the task.",
@@ -100,16 +101,16 @@ class Chef
       property :splay, [Integer, String],
         coerce: proc { |x| Integer(x) },
         callbacks: { "should be a positive number" => proc { |v| v > 0 } },
-        description: "A random number of seconds between 0 and X to add to interval so that all #{Chef::Dist::CLIENT} commands don't execute at the same time.",
+        description: "A random number of seconds between 0 and X to add to interval so that all #{ChefUtils::Dist::Infra::CLIENT} commands don't execute at the same time.",
         default: 300
 
       property :run_on_battery, [true, false],
-        description: "Run the #{Chef::Dist::PRODUCT} task when the system is on batteries.",
+        description: "Run the #{ChefUtils::Dist::Infra::PRODUCT} task when the system is on batteries.",
         default: true
 
       property :config_directory, String,
         description: "The path of the config directory.",
-        default: Chef::Dist::CONF_DIR
+        default: ChefConfig::Config.etc_chef_dir
 
       property :log_directory, String,
         description: "The path of the directory to create the log file in.",
@@ -121,11 +122,11 @@ class Chef
         default: "client.log"
 
       property :chef_binary_path, String,
-        description: "The path to the #{Chef::Dist::CLIENT} binary.",
-        default: "C:/#{Chef::Dist::LEGACY_CONF_DIR}/#{Chef::Dist::DIR_SUFFIX}/bin/#{Chef::Dist::CLIENT}"
+        description: "The path to the #{ChefUtils::Dist::Infra::CLIENT} binary.",
+        default: "C:/#{ChefUtils::Dist::Org::LEGACY_CONF_DIR}/#{ChefUtils::Dist::Infra::DIR_SUFFIX}/bin/#{ChefUtils::Dist::Infra::CLIENT}"
 
       property :daemon_options, Array,
-        description: "An array of options to pass to the #{Chef::Dist::CLIENT} command.",
+        description: "An array of options to pass to the #{ChefUtils::Dist::Infra::CLIENT} command.",
         default: lazy { [] }
 
       action :add do
@@ -175,9 +176,11 @@ class Chef
           "#{cmd_path} /c \"#{client_cmd}\""
         end
 
+        #
         # Build command line to pass to cmd.exe
         #
         # @return [String]
+        #
         def client_cmd
           cmd = new_resource.chef_binary_path.dup
           cmd << " -L #{::File.join(new_resource.log_directory, new_resource.log_file_name)}"

data/lib/chef/resource/chef_client_systemd_timer.rb

@@ -15,7 +15,7 @@
 #
 
 require_relative "../resource"
-require_relative "../dist"
+require "chef-utils/dist" unless defined?(ChefUtils::Dist)
 
 class Chef
   class Resource
@@ -24,24 +24,24 @@ class Chef
 
       provides :chef_client_systemd_timer
 
-      description "Use the **chef_client_systemd_timer** resource to setup the #{Chef::Dist::PRODUCT} to run as a systemd timer."
+      description "Use the **chef_client_systemd_timer** resource to setup the #{ChefUtils::Dist::Infra::PRODUCT} to run as a systemd timer."
       introduced "16.0"
       examples <<~DOC
-      **Setup #{Chef::Dist::PRODUCT} to run using the default 30 minute cadence**:
+      **Setup #{ChefUtils::Dist::Infra::PRODUCT} to run using the default 30 minute cadence**:
 
       ```ruby
-      chef_client_systemd_timer "Run #{Chef::Dist::PRODUCT} as a systemd timer"
+      chef_client_systemd_timer "Run #{ChefUtils::Dist::Infra::PRODUCT} as a systemd timer"
       ```
 
-      **Run #{Chef::Dist::PRODUCT} every 1 hour**:
+      **Run #{ChefUtils::Dist::Infra::PRODUCT} every 1 hour**:
 
       ```ruby
-      chef_client_systemd_timer "Run #{Chef::Dist::PRODUCT} every 1 hour" do
+      chef_client_systemd_timer "Run #{ChefUtils::Dist::Infra::PRODUCT} every 1 hour" do
         interval "1hr"
       end
       ```
 
-      **Run #{Chef::Dist::PRODUCT} with extra options passed to the client**:
+      **Run #{ChefUtils::Dist::Infra::PRODUCT} with extra options passed to the client**:
 
       ```ruby
       chef_client_systemd_timer "Run an override recipe" do
@@ -52,14 +52,14 @@ class Chef
 
       property :job_name, String,
         description: "The name of the system timer to create.",
-        default: Chef::Dist::CLIENT
+        default: ChefUtils::Dist::Infra::CLIENT
 
       property :description, String,
         description: "The description to add to the systemd timer. This will be displayed when running `systemctl status` for the timer.",
-        default: "#{Chef::Dist::PRODUCT} periodic execution"
+        default: "#{ChefUtils::Dist::Infra::PRODUCT} periodic execution"
 
       property :user, String,
-        description: "The name of the user that #{Chef::Dist::PRODUCT} runs as.",
+        description: "The name of the user that #{ChefUtils::Dist::Infra::PRODUCT} runs as.",
         default: "root"
 
       property :delay_after_boot, String,
@@ -71,7 +71,7 @@ class Chef
         default: "30min"
 
       property :splay, String,
-        description: "A interval between 0 and X to add to the interval so that all #{Chef::Dist::CLIENT} commands don't execute at the same time. This is expressed as a systemd time span such as `300seconds`, `1hr`, or `1m`. See <https://www.freedesktop.org/software/systemd/man/systemd.time.html> for a complete list of allowed time span values.",
+        description: "A interval between 0 and X to add to the interval so that all #{ChefUtils::Dist::Infra::CLIENT} commands don't execute at the same time. This is expressed as a systemd time span such as `300seconds`, `1hr`, or `1m`. See <https://www.freedesktop.org/software/systemd/man/systemd.time.html> for a complete list of allowed time span values.",
         default: "5min"
 
       property :accept_chef_license, [true, false],
@@ -79,25 +79,31 @@ class Chef
         default: false
 
       property :run_on_battery, [true, false],
-        description: "Run the timer for #{Chef::Dist::PRODUCT} if the system is on battery.",
+        description: "Run the timer for #{ChefUtils::Dist::Infra::PRODUCT} if the system is on battery.",
         default: true
 
       property :config_directory, String,
         description: "The path of the config directory.",
-        default: Chef::Dist::CONF_DIR
+        default: ChefConfig::Config.etc_chef_dir
 
       property :chef_binary_path, String,
-        description: "The path to the #{Chef::Dist::CLIENT} binary.",
-        default: "/opt/#{Chef::Dist::DIR_SUFFIX}/bin/#{Chef::Dist::CLIENT}"
+        description: "The path to the #{ChefUtils::Dist::Infra::CLIENT} binary.",
+        default: "/opt/#{ChefUtils::Dist::Infra::DIR_SUFFIX}/bin/#{ChefUtils::Dist::Infra::CLIENT}"
 
       property :daemon_options, Array,
-        description: "An array of options to pass to the #{Chef::Dist::CLIENT} command.",
+        description: "An array of options to pass to the #{ChefUtils::Dist::Infra::CLIENT} command.",
         default: lazy { [] }
 
       property :environment, Hash,
         description: "A Hash containing additional arbitrary environment variables under which the systemd timer will be run in the form of `({'ENV_VARIABLE' => 'VALUE'})`.",
         default: lazy { {} }
 
+      property :cpu_quota, [Integer, String],
+        description: "The systemd CPUQuota to run the #{ChefUtils::Dist::Infra::CLIENT} process with. This is a percentage value of the total CPU time available on the system. If the system has more than 1 core this may be a value greater than 100.",
+        introduced: "16.5",
+        coerce: proc { |x| Integer(x) },
+        callbacks: { "should be a positive Integer" => proc { |v| v > 0 } }
+
       action :add do
         systemd_unit "#{new_resource.job_name}.service" do
           content service_content
@@ -112,11 +118,11 @@ class Chef
 
       action :remove do
         systemd_unit "#{new_resource.job_name}.service" do
-          action :remove
+          action :delete
         end
 
         systemd_unit "#{new_resource.job_name}.timer" do
-          action :remove
+          action :delete
         end
       end
 
@@ -127,7 +133,7 @@ class Chef
         # @return [String]
         #
         def chef_client_cmd
-          cmd = "#{new_resource.chef_binary_path}"
+          cmd = new_resource.chef_binary_path.dup
           cmd << " #{new_resource.daemon_options.join(" ")}" unless new_resource.daemon_options.empty?
           cmd << " --chef-license accept" if new_resource.accept_chef_license
           cmd << " -c #{::File.join(new_resource.config_directory, "client.rb")}"
@@ -171,6 +177,7 @@ class Chef
           }
 
           unit["Service"]["ConditionACPower"] = "true" unless new_resource.run_on_battery
+          unit["Service"]["CPUQuota"] = new_resource.cpu_quota if new_resource.cpu_quota
           unit["Service"]["Environment"] = new_resource.environment.collect { |k, v| "\"#{k}=#{v}\"" } unless new_resource.environment.empty?
           unit
         end

data/lib/chef/resource/chef_client_trusted_certificate.rb

@@ -0,0 +1,101 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+require "chef-utils/dist" unless defined?(ChefUtils::Dist)
+
+class Chef
+  class Resource
+    class ChefClientTrustedCertificate < Chef::Resource
+      unified_mode true
+
+      provides :chef_client_trusted_certificate
+
+      description "Use the **chef_client_trusted_certificate** resource to add certificates to #{ChefUtils::Dist::Infra::PRODUCT}'s trusted certificate directory. This allows the #{ChefUtils::Dist::Infra::PRODUCT} to communicate with internal encrypted resources without errors."
+      introduced "16.5"
+      examples <<~DOC
+      **Trust a self signed certificate**:
+
+      ```ruby
+      chef_client_trusted_certificate 'self-signed.badssl.com' do
+        certificate <<~CERT
+        -----BEGIN CERTIFICATE-----
+        MIIDeTCCAmGgAwIBAgIJAPziuikCTox4MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
+        BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
+        c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x
+        OTEwMDkyMzQxNTJaFw0yMTEwMDgyMzQxNTJaMGIxCzAJBgNVBAYTAlVTMRMwEQYD
+        VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK
+        DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
+        BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2
+        PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW
+        hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A
+        xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve
+        ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY
+        QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T
+        BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI
+        hvcNAQELBQADggEBAGlwCdbPxflZfYOaukZGCaxYK6gpincX4Lla4Ui2WdeQxE95
+        w7fChXvP3YkE3UYUE7mupZ0eg4ZILr/A0e7JQDsgIu/SRTUE0domCKgPZ8v99k3A
+        vka4LpLK51jHJJK7EFgo3ca2nldd97GM0MU41xHFk8qaK1tWJkfrrfcGwDJ4GQPI
+        iLlm6i0yHq1Qg1RypAXJy5dTlRXlCLd8ufWhhiwW0W75Va5AEnJuqpQrKwl3KQVe
+        wGj67WWRgLfSr+4QG1mNvCZb2CkjZWmxkGPuoP40/y7Yu5OFqxP5tAjj4YixCYTW
+        EVA0pmzIzgBg+JIe3PdRy27T0asgQW/F4TY61Yk=
+        -----END CERTIFICATE-----
+        CERT
+      end
+      ```
+      DOC
+
+      property :cert_name, String, name_property: true,
+        description: "The name to use for the certificate file on disk. If not provided the name of the resource block will be used instead."
+
+      property :certificate, String, required: [:add],
+        description: "The text of the certificate file including the BEGIN/END comment lines."
+
+      action :add do
+        unless ::Dir.exist?(Chef::Config[:trusted_certs_dir])
+          directory Chef::Config[:trusted_certs_dir] do
+            mode "0640"
+            recursive true
+          end
+        end
+
+        file cert_path do
+          content new_resource.certificate
+          mode "0640"
+        end
+      end
+
+      action :remove do
+        file cert_path do
+          action :delete
+        end
+      end
+
+      action_class do
+        #
+        # The path to the string on disk
+        #
+        # @return [String]
+        #
+        def cert_path
+          path = ::File.join(Chef::Config[:trusted_certs_dir], new_resource.cert_name)
+          path << ".pem" unless path.end_with?(".pem")
+          path
+        end
+      end
+    end
+  end
+end