RubyGems - cloud-mu - Versions diffs - 2.1.0beta → 3.0.0beta - Mend

cloud-mu 2.1.0beta → 3.0.0beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (291) hide show

checksums.yaml +5 -5
data/Berksfile +4 -5
data/Berksfile.lock +179 -0
data/README.md +1 -6
data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2 +0 -0
data/ansible/roles/mu-installer/README.md +33 -0
data/ansible/roles/mu-installer/defaults/main.yml +2 -0
data/ansible/roles/mu-installer/handlers/main.yml +2 -0
data/ansible/roles/mu-installer/meta/main.yml +60 -0
data/ansible/roles/mu-installer/tasks/main.yml +13 -0
data/ansible/roles/mu-installer/tests/inventory +2 -0
data/ansible/roles/mu-installer/tests/test.yml +5 -0
data/ansible/roles/mu-installer/vars/main.yml +2 -0
data/bin/mu-adopt +125 -0
data/bin/mu-aws-setup +4 -4
data/bin/mu-azure-setup +265 -0
data/bin/mu-azure-tests +43 -0
data/bin/mu-cleanup +20 -8
data/bin/mu-configure +224 -98
data/bin/mu-deploy +8 -3
data/bin/mu-gcp-setup +16 -8
data/bin/mu-gen-docs +92 -8
data/bin/mu-load-config.rb +52 -12
data/bin/mu-momma-cat +36 -0
data/bin/mu-node-manage +34 -27
data/bin/mu-self-update +2 -2
data/bin/mu-ssh +12 -8
data/bin/mu-upload-chef-artifacts +11 -4
data/bin/mu-user-manage +3 -0
data/cloud-mu.gemspec +8 -11
data/cookbooks/firewall/libraries/helpers_iptables.rb +2 -2
data/cookbooks/firewall/metadata.json +1 -1
data/cookbooks/firewall/recipes/default.rb +5 -9
data/cookbooks/mu-firewall/attributes/default.rb +2 -0
data/cookbooks/mu-firewall/metadata.rb +1 -1
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +0 -0
data/cookbooks/mu-master/Berksfile +2 -2
data/cookbooks/mu-master/files/default/check_mem.pl +0 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/metadata.rb +5 -4
data/cookbooks/mu-master/recipes/389ds.rb +1 -1
data/cookbooks/mu-master/recipes/basepackages.rb +30 -10
data/cookbooks/mu-master/recipes/default.rb +59 -7
data/cookbooks/mu-master/recipes/firewall-holes.rb +1 -1
data/cookbooks/mu-master/recipes/init.rb +65 -47
data/cookbooks/mu-master/recipes/{eks-kubectl.rb → kubectl.rb} +4 -10
data/cookbooks/mu-master/recipes/sssd.rb +2 -1
data/cookbooks/mu-master/recipes/update_nagios_only.rb +6 -6
data/cookbooks/mu-master/templates/default/web_app.conf.erb +2 -2
data/cookbooks/mu-master/templates/mods/ldap.conf.erb +4 -0
data/cookbooks/mu-php54/Berksfile +1 -2
data/cookbooks/mu-php54/metadata.rb +4 -5
data/cookbooks/mu-php54/recipes/default.rb +1 -1
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +0 -0
data/cookbooks/mu-tools/Berksfile +3 -2
data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
data/cookbooks/mu-tools/libraries/helper.rb +20 -8
data/cookbooks/mu-tools/metadata.rb +5 -2
data/cookbooks/mu-tools/recipes/apply_security.rb +2 -3
data/cookbooks/mu-tools/recipes/eks.rb +1 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +5 -30
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/rsyslog.rb +1 -0
data/cookbooks/mu-tools/recipes/selinux.rb +19 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +0 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +256 -122
data/cookbooks/mu-tools/resources/disk.rb +3 -1
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +1 -1
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +1 -1
data/cookbooks/mu-tools/templates/default/{kubeconfig.erb → kubeconfig-eks.erb} +0 -0
data/cookbooks/mu-tools/templates/default/kubeconfig-gke.erb +27 -0
data/cookbooks/mu-tools/templates/windows-10/sshd_config.erb +137 -0
data/cookbooks/mu-utility/recipes/nat.rb +4 -0
data/extras/alpha.png +0 -0
data/extras/beta.png +0 -0
data/extras/clean-stock-amis +2 -2
data/extras/generate-stock-images +131 -0
data/extras/git-fix-permissions-hook +0 -0
data/extras/image-generators/AWS/centos6.yaml +17 -0
data/extras/image-generators/{aws → AWS}/centos7-govcloud.yaml +0 -0
data/extras/image-generators/{aws → AWS}/centos7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/rhel7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k12.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k16.yaml +0 -0
data/extras/image-generators/{aws → AWS}/windows.yaml +0 -0
data/extras/image-generators/{gcp → Google}/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +18 -0
data/extras/python_rpm/build.sh +0 -0
data/extras/release.png +0 -0
data/extras/ruby_rpm/build.sh +0 -0
data/extras/ruby_rpm/muby.spec +1 -1
data/install/README.md +43 -5
data/install/deprecated-bash-library.sh +0 -0
data/install/installer +1 -1
data/install/jenkinskeys.rb +0 -0
data/install/mu-master.yaml +55 -0
data/modules/mommacat.ru +41 -7
data/modules/mu.rb +444 -149
data/modules/mu/adoption.rb +500 -0
data/modules/mu/cleanup.rb +235 -158
data/modules/mu/cloud.rb +675 -138
data/modules/mu/clouds/aws.rb +156 -24
data/modules/mu/clouds/aws/alarm.rb +4 -14
data/modules/mu/clouds/aws/bucket.rb +60 -18
data/modules/mu/clouds/aws/cache_cluster.rb +8 -20
data/modules/mu/clouds/aws/collection.rb +12 -22
data/modules/mu/clouds/aws/container_cluster.rb +209 -118
data/modules/mu/clouds/aws/database.rb +120 -45
data/modules/mu/clouds/aws/dnszone.rb +7 -18
data/modules/mu/clouds/aws/endpoint.rb +5 -15
data/modules/mu/clouds/aws/firewall_rule.rb +144 -72
data/modules/mu/clouds/aws/folder.rb +4 -11
data/modules/mu/clouds/aws/function.rb +6 -16
data/modules/mu/clouds/aws/group.rb +4 -12
data/modules/mu/clouds/aws/habitat.rb +11 -13
data/modules/mu/clouds/aws/loadbalancer.rb +40 -28
data/modules/mu/clouds/aws/log.rb +5 -13
data/modules/mu/clouds/aws/msg_queue.rb +9 -24
data/modules/mu/clouds/aws/nosqldb.rb +4 -12
data/modules/mu/clouds/aws/notifier.rb +6 -13
data/modules/mu/clouds/aws/role.rb +69 -40
data/modules/mu/clouds/aws/search_domain.rb +17 -20
data/modules/mu/clouds/aws/server.rb +184 -94
data/modules/mu/clouds/aws/server_pool.rb +33 -38
data/modules/mu/clouds/aws/storage_pool.rb +5 -12
data/modules/mu/clouds/aws/user.rb +59 -33
data/modules/mu/clouds/aws/userdata/linux.erb +18 -30
data/modules/mu/clouds/aws/userdata/windows.erb +9 -9
data/modules/mu/clouds/aws/vpc.rb +214 -145
data/modules/mu/clouds/azure.rb +978 -44
data/modules/mu/clouds/azure/container_cluster.rb +413 -0
data/modules/mu/clouds/azure/firewall_rule.rb +500 -0
data/modules/mu/clouds/azure/habitat.rb +167 -0
data/modules/mu/clouds/azure/loadbalancer.rb +205 -0
data/modules/mu/clouds/azure/role.rb +211 -0
data/modules/mu/clouds/azure/server.rb +810 -0
data/modules/mu/clouds/azure/user.rb +257 -0
data/modules/mu/clouds/azure/userdata/README.md +4 -0
data/modules/mu/clouds/azure/userdata/linux.erb +137 -0
data/modules/mu/clouds/azure/userdata/windows.erb +275 -0
data/modules/mu/clouds/azure/vpc.rb +782 -0
data/modules/mu/clouds/cloudformation.rb +12 -9
data/modules/mu/clouds/cloudformation/firewall_rule.rb +5 -13
data/modules/mu/clouds/cloudformation/server.rb +10 -1
data/modules/mu/clouds/cloudformation/server_pool.rb +1 -0
data/modules/mu/clouds/cloudformation/vpc.rb +0 -2
data/modules/mu/clouds/google.rb +554 -117
data/modules/mu/clouds/google/bucket.rb +173 -32
data/modules/mu/clouds/google/container_cluster.rb +1112 -157
data/modules/mu/clouds/google/database.rb +24 -47
data/modules/mu/clouds/google/firewall_rule.rb +344 -89
data/modules/mu/clouds/google/folder.rb +156 -79
data/modules/mu/clouds/google/group.rb +272 -82
data/modules/mu/clouds/google/habitat.rb +177 -52
data/modules/mu/clouds/google/loadbalancer.rb +9 -34
data/modules/mu/clouds/google/role.rb +1211 -0
data/modules/mu/clouds/google/server.rb +491 -227
data/modules/mu/clouds/google/server_pool.rb +233 -48
data/modules/mu/clouds/google/user.rb +479 -125
data/modules/mu/clouds/google/userdata/linux.erb +3 -3
data/modules/mu/clouds/google/userdata/windows.erb +9 -9
data/modules/mu/clouds/google/vpc.rb +381 -223
data/modules/mu/config.rb +689 -214
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/cache_cluster.yml +0 -4
data/modules/mu/config/container_cluster.rb +18 -9
data/modules/mu/config/database.rb +6 -23
data/modules/mu/config/firewall_rule.rb +9 -15
data/modules/mu/config/folder.rb +22 -21
data/modules/mu/config/habitat.rb +22 -21
data/modules/mu/config/loadbalancer.rb +2 -2
data/modules/mu/config/role.rb +9 -40
data/modules/mu/config/server.rb +26 -5
data/modules/mu/config/server_pool.rb +1 -1
data/modules/mu/config/storage_pool.rb +2 -2
data/modules/mu/config/user.rb +4 -0
data/modules/mu/config/vpc.rb +350 -110
data/modules/mu/defaults/{amazon_images.yaml → AWS.yaml} +37 -39
data/modules/mu/defaults/Azure.yaml +17 -0
data/modules/mu/defaults/Google.yaml +24 -0
data/modules/mu/defaults/README.md +1 -1
data/modules/mu/deploy.rb +168 -125
data/modules/mu/groomer.rb +2 -1
data/modules/mu/groomers/ansible.rb +104 -32
data/modules/mu/groomers/chef.rb +96 -44
data/modules/mu/kittens.rb +20602 -0
data/modules/mu/logger.rb +38 -11
data/modules/mu/master.rb +90 -8
data/modules/mu/master/chef.rb +2 -3
data/modules/mu/master/ldap.rb +0 -1
data/modules/mu/master/ssl.rb +250 -0
data/modules/mu/mommacat.rb +917 -513
data/modules/scratchpad.erb +1 -1
data/modules/tests/super_complex_bok.yml +0 -0
data/modules/tests/super_simple_bok.yml +0 -0
data/roles/mu-master.json +2 -1
data/spec/azure_creds +5 -0
data/spec/mu.yaml +56 -0
data/spec/mu/clouds/azure_spec.rb +164 -27
data/spec/spec_helper.rb +5 -0
data/test/clean_up.py +0 -0
data/test/exec_inspec.py +0 -0
data/test/exec_mu_install.py +0 -0
data/test/exec_retry.py +0 -0
data/test/smoke_test.rb +0 -0
metadata +90 -118
data/cookbooks/mu-jenkins/Berksfile +0 -14
data/cookbooks/mu-jenkins/CHANGELOG.md +0 -13
data/cookbooks/mu-jenkins/LICENSE +0 -37
data/cookbooks/mu-jenkins/README.md +0 -105
data/cookbooks/mu-jenkins/attributes/default.rb +0 -42
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +0 -73
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +0 -44
data/cookbooks/mu-jenkins/metadata.rb +0 -21
data/cookbooks/mu-jenkins/recipes/default.rb +0 -195
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +0 -54
data/cookbooks/mu-jenkins/recipes/public_key.rb +0 -24
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +0 -24
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +0 -14
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +0 -6
data/cookbooks/nagios/Berksfile +0 -11
data/cookbooks/nagios/CHANGELOG.md +0 -589
data/cookbooks/nagios/CONTRIBUTING.md +0 -11
data/cookbooks/nagios/LICENSE +0 -37
data/cookbooks/nagios/README.md +0 -328
data/cookbooks/nagios/TESTING.md +0 -2
data/cookbooks/nagios/attributes/config.rb +0 -171
data/cookbooks/nagios/attributes/default.rb +0 -228
data/cookbooks/nagios/chefignore +0 -102
data/cookbooks/nagios/definitions/command.rb +0 -33
data/cookbooks/nagios/definitions/contact.rb +0 -33
data/cookbooks/nagios/definitions/contactgroup.rb +0 -33
data/cookbooks/nagios/definitions/host.rb +0 -33
data/cookbooks/nagios/definitions/hostdependency.rb +0 -33
data/cookbooks/nagios/definitions/hostescalation.rb +0 -34
data/cookbooks/nagios/definitions/hostgroup.rb +0 -33
data/cookbooks/nagios/definitions/nagios_conf.rb +0 -38
data/cookbooks/nagios/definitions/resource.rb +0 -33
data/cookbooks/nagios/definitions/service.rb +0 -33
data/cookbooks/nagios/definitions/servicedependency.rb +0 -33
data/cookbooks/nagios/definitions/serviceescalation.rb +0 -34
data/cookbooks/nagios/definitions/servicegroup.rb +0 -33
data/cookbooks/nagios/definitions/timeperiod.rb +0 -33
data/cookbooks/nagios/libraries/base.rb +0 -314
data/cookbooks/nagios/libraries/command.rb +0 -91
data/cookbooks/nagios/libraries/contact.rb +0 -230
data/cookbooks/nagios/libraries/contactgroup.rb +0 -112
data/cookbooks/nagios/libraries/custom_option.rb +0 -36
data/cookbooks/nagios/libraries/data_bag_helper.rb +0 -23
data/cookbooks/nagios/libraries/default.rb +0 -90
data/cookbooks/nagios/libraries/host.rb +0 -412
data/cookbooks/nagios/libraries/hostdependency.rb +0 -181
data/cookbooks/nagios/libraries/hostescalation.rb +0 -173
data/cookbooks/nagios/libraries/hostgroup.rb +0 -119
data/cookbooks/nagios/libraries/nagios.rb +0 -282
data/cookbooks/nagios/libraries/resource.rb +0 -59
data/cookbooks/nagios/libraries/service.rb +0 -455
data/cookbooks/nagios/libraries/servicedependency.rb +0 -215
data/cookbooks/nagios/libraries/serviceescalation.rb +0 -195
data/cookbooks/nagios/libraries/servicegroup.rb +0 -144
data/cookbooks/nagios/libraries/timeperiod.rb +0 -160
data/cookbooks/nagios/libraries/users_helper.rb +0 -54
data/cookbooks/nagios/metadata.rb +0 -25
data/cookbooks/nagios/recipes/_load_databag_config.rb +0 -153
data/cookbooks/nagios/recipes/_load_default_config.rb +0 -241
data/cookbooks/nagios/recipes/apache.rb +0 -48
data/cookbooks/nagios/recipes/default.rb +0 -204
data/cookbooks/nagios/recipes/nginx.rb +0 -82
data/cookbooks/nagios/recipes/pagerduty.rb +0 -143
data/cookbooks/nagios/recipes/server_package.rb +0 -40
data/cookbooks/nagios/recipes/server_source.rb +0 -164
data/cookbooks/nagios/templates/default/apache2.conf.erb +0 -96
data/cookbooks/nagios/templates/default/cgi.cfg.erb +0 -266
data/cookbooks/nagios/templates/default/commands.cfg.erb +0 -13
data/cookbooks/nagios/templates/default/contacts.cfg.erb +0 -37
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +0 -25
data/cookbooks/nagios/templates/default/hosts.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/htpasswd.users.erb +0 -6
data/cookbooks/nagios/templates/default/nagios.cfg.erb +0 -22
data/cookbooks/nagios/templates/default/nginx.conf.erb +0 -62
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +0 -185
data/cookbooks/nagios/templates/default/resource.cfg.erb +0 -27
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/services.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/templates.cfg.erb +0 -31
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +0 -13
data/extras/image-generators/aws/centos6.yaml +0 -18
data/modules/mu/defaults/google_images.yaml +0 -16
data/roles/mu-master-jenkins.json +0 -24

data/modules/mu/logger.rb CHANGED

@@ -36,21 +36,24 @@ module MU
     @verbosity = MU::Logger::NORMAL
     @quiet = false
     @html = false
+    @color = true
     @handle = STDOUT
     @@log_semaphere = Mutex.new
     # @param verbosity [Integer]: See {MU::Logger.QUIET}, {MU::Logger.NORMAL}, {MU::Logger.LOUD}
     # @param html [Boolean]: Enable web-friendly log output.
-    def initialize(verbosity=MU::Logger::NORMAL, html=false, handle=STDOUT)
+    def initialize(verbosity=MU::Logger::NORMAL, html=false, handle=STDOUT, color=true)
       @verbosity = verbosity
       @html = html
       @handle = handle
+      @color = color
       @summary = []
     end
     attr_reader :summary
     attr_accessor :verbosity
+    attr_accessor :color
     attr_accessor :quiet
     attr_accessor :html
     attr_accessor :handle
@@ -65,7 +68,8 @@ module MU
             details: nil,
             html: @html,
             verbosity: @verbosity,
-            handle: @handle
+            handle: @handle,
+            color: @color
     )
       verbosity = MU::Logger::NORMAL if verbosity.nil?
       return if verbosity == MU::Logger::SILENT
@@ -98,12 +102,14 @@ module MU
       # We get passed literal quoted newlines sometimes, fix 'em. Get Windows'
       # ugly line feeds too.
       if !details.nil?
+        details = details.dup # in case it's frozen or something
         details.gsub!(/\\n/, "\n")
         details.gsub!(/(\\r|\r)/, "")
       end
       msg = msg.first if msg.is_a?(Array)
       msg = "" if msg == nil
+      msg = msg.to_s if !msg.is_a?(String) and msg.respond_to?(:to_s)
       @@log_semaphere.synchronize {
         case level
@@ -114,9 +120,12 @@ module MU
               if @html
                 html_out "#{time} - #{caller_name} - #{msg}", "orange"
                 html_out "&nbsp;#{details}" if details
-              else
+              elsif color
                 handle.puts "#{time} - #{caller_name} - #{msg}".yellow.on_black
                 handle.puts "#{details}".white.on_black if details
+              else
+                handle.puts "#{time} - #{caller_name} - #{msg}"
+                handle.puts "#{details}" if details
               end
               Syslog.log(Syslog::LOG_DEBUG, msg.gsub(/%/, ''))
               Syslog.log(Syslog::LOG_DEBUG, details.gsub(/%/, '')) if details
@@ -125,14 +134,18 @@ module MU
             if verbosity >= MU::Logger::NORMAL
               if @html
                 html_out "#{time} - #{caller_name} - #{msg}", "green"
-              else
+              elsif color
                 handle.puts "#{time} - #{caller_name} - #{msg}".green.on_black
+              else
+                handle.puts "#{time} - #{caller_name} - #{msg}"
               end
               if verbosity >= MU::Logger::LOUD
                 if @html
                   html_out "&nbsp;#{details}"
-                else
+                elsif color
                   handle.puts "#{details}".white.on_black if details
+                else
+                  handle.puts "#{details}" if details
                 end
               end
               Syslog.log(Syslog::LOG_NOTICE, msg.gsub(/%/, ''))
@@ -141,14 +154,18 @@ module MU
           when NOTICE
             if @html
               html_out "#{time} - #{caller_name} - #{msg}", "yellow"
-            else
+            elsif color
               handle.puts "#{time} - #{caller_name} - #{msg}".yellow.on_black
+            else
+              handle.puts "#{time} - #{caller_name} - #{msg}"
             end
             if verbosity >= MU::Logger::LOUD
               if @html
                 html_out "#{caller_name} - #{msg}"
-              else
+              elsif color
                 handle.puts "#{details}".white.on_black if details
+              else
+                handle.puts "#{details}" if details
               end
             end
             Syslog.log(Syslog::LOG_NOTICE, msg.gsub(/%/, ''))
@@ -156,14 +173,18 @@ module MU
           when WARN
             if @html
               html_out "#{time} - #{caller_name} - #{msg}", "orange"
-            else
+            elsif color
               handle.puts "#{time} - #{caller_name} - #{msg}".light_red.on_black
+            else
+              handle.puts "#{time} - #{caller_name} - #{msg}"
             end
             if verbosity >= MU::Logger::LOUD
               if @html
                 html_out "#{caller_name} - #{msg}"
-              else
+              elsif color
                 handle.puts "#{details}".white.on_black if details
+              else
+                handle.puts "#{details}" if details
               end
             end
             Syslog.log(Syslog::LOG_WARNING, msg.gsub(/%/, ''))
@@ -172,9 +193,12 @@ module MU
             if @html
               html_out "#{time} - #{caller_name} - #{msg}", "red"
               html_out "&nbsp;#{details}" if details
-            else
+            elsif color
               handle.puts "#{time} - #{caller_name} - #{msg}".red.on_black
               handle.puts "#{details}".white.on_black if details
+            else
+              handle.puts "#{time} - #{caller_name} - #{msg}"
+              handle.puts "#{details}" if details
             end
             Syslog.log(Syslog::LOG_ERR, msg.gsub(/%/, ''))
             Syslog.log(Syslog::LOG_ERR, details.gsub(/%/, '')) if details
@@ -182,9 +206,12 @@ module MU
             if @html
               html_out "#{time} - #{caller_name} - #{msg}"
               html_out "&nbsp;#{details}" if details
-            else
+            elsif color
               handle.puts "#{time} - #{caller_name} - #{msg}".white.on_black
               handle.puts "#{details}".white.on_black if details
+            else
+              handle.puts "#{time} - #{caller_name} - #{msg}"
+              handle.puts "#{details}" if details
             end
             Syslog.log(Syslog::LOG_NOTICE, msg.gsub(/%/, ''))
             Syslog.log(Syslog::LOG_NOTICE, details.gsub(/%/, '')) if details

data/modules/mu/master.rb CHANGED

@@ -1,4 +1,3 @@
-#!/usr/local/ruby-current/bin/ruby
 # Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
 #
 # Licensed under the BSD-3 license (the "License");
@@ -23,6 +22,7 @@ module MU
     require 'fileutils'
     autoload :Chef, 'mu/master/chef'
     autoload :LDAP, 'mu/master/ldap'
+    autoload :SSL, 'mu/master/ssl'
     # @param users [Hash]: User metadata of the type returned by listUsers
     def self.printUsersToTerminal(users = MU::Master.listUsers)
@@ -169,7 +169,7 @@ module MU
           itemname = Password.pronounceable(32)
           # Make sure this itemname isn't already in use
           MU::Groomer::Chef.getSecret(vault: "scratchpad", item: itemname)
-        rescue MU::Groomer::Chef::MuNoSuchSecret
+        rescue MU::Groomer::MuNoSuchSecret
           MU::Groomer::Chef.saveSecret(vault: "scratchpad", item: itemname, data: data)
           return itemname
         end while true
@@ -195,7 +195,7 @@ module MU
         end
         alias_device = cryptfile ? "/dev/mapper/"+path.gsub(/[^0-9a-z_\-]/i, "_") : realdevice
-        if !File.exists?(realdevice)
+        if !File.exist?(realdevice)
           MU.log "Creating #{path} volume"
           if MU::Cloud::AWS.hosted?
             dummy_svr = MU::Cloud::AWS::Server.new(
@@ -250,7 +250,7 @@ module MU
           keyfile.close
           # we can assume that mu-master::init installed cryptsetup-luks
-          if !File.exists?(alias_device)
+          if !File.exist?(alias_device)
             MU.log "Initializing crypto on #{alias_device}", MU::NOTICE
             %x{/sbin/cryptsetup luksFormat #{realdevice} #{keyfile.path} --batch-mode}
             %x{/sbin/cryptsetup luksOpen #{realdevice} #{alias_device.gsub(/.*?\/([^\/]+)$/, '\1')} --key-file #{keyfile.path}}
@@ -264,7 +264,7 @@ module MU
           %x{/sbin/mkfs.xfs "#{alias_device}"}
           %x{/usr/sbin/xfs_admin -L "#{path.gsub(/[^0-9a-z_\-]/i, "_")}" "#{alias_device}"}
         end
-        Dir.mkdir(path, 0700) if !Dir.exists?(path) # XXX recursive
+        Dir.mkdir(path, 0700) if !Dir.exist?(path) # XXX recursive
         %x{/usr/sbin/xfs_info "#{alias_device}" > /dev/null 2>&1}
         if $?.exitstatus != 0
           MU.log "Mounting #{alias_device} to #{path}"
@@ -292,7 +292,7 @@ module MU
     # Remove Scratchpad entries which have exceeded their maximum age.
     def self.cleanExpiredScratchpads
-      return if !$MU_CFG['scratchpad'].has_key?('max_age') or $MU_CFG['scratchpad']['max_age'] < 1
+      return if !$MU_CFG['scratchpad'] or !$MU_CFG['scratchpad'].has_key?('max_age') or $MU_CFG['scratchpad']['max_age'] < 1
       @scratchpad_semaphore.synchronize {
         entries = MU::Groomer::Chef.getSecret(vault: "scratchpad")
         entries.each { |pad|
@@ -347,8 +347,8 @@ module MU
       ldap_users['mu'] = {}
       ldap_users['mu']['admin'] = true
       ldap_users['mu']['non_ldap'] = true
-      ldap_users.each_pair { |username, data|
-        key = username.to_s
+      ldap_users.each_pair { |uname, data|
+        key = uname.to_s
         all_user_data[key] = {}
         userdir = $MU_CFG['installdir']+"/var/users/#{key}"
         if !Dir.exist?(userdir)
@@ -369,6 +369,88 @@ module MU
       all_user_data
     end
+    @@kubectl_path = nil
+    # Locate a working +kubectl+ executable and return its fully-qualified
+    # path.
+    def self.kubectl
+      return @@kubectl_path if @@kubectl_path
+      paths = ["/opt/mu/bin"]+ENV['PATH'].split(/:/)
+      best = nil
+      best_version = nil
+      paths.uniq.each { |path|
+        if File.exist?(path+"/kubectl")
+          version = %x{#{path}/kubectl version --short --client}.chomp.sub(/.*Client version:\s+v/i, '')
+          next if !$?.success?
+          if !best_version or MU.version_sort(best_version, version) > 0
+            best_version = version
+            best = path+"/kubectl"
+          end
+        end
+      }
+      if !best
+        MU.log "Failed to find a working kubectl executable in any path", MU::WARN, details: paths.uniq.sort
+        return nil
+      else
+        MU.log "Kubernetes commands will use #{best} (#{best_version})"
+      end
+      @@kubectl_path = best
+      @@kubectl_path
+    end
+    # Given an array of hashes representing Kubernetes resources,
+    def self.applyKubernetesResources(name, blobs = [], kubeconfig: nil, outputdir: nil)
+      use_tmp = false
+      if !outputdir
+        require 'tempfile'
+        use_tmp = true
+      end
+      count = 0
+      blobs.each { |blob|
+        f = nil
+        blobfile = if use_tmp
+          f = Tempfile.new("k8s-resource-#{count.to_s}-#{name}")
+          f.puts blob.to_yaml
+          f.close
+          f.path
+        else
+          path = outputdir+"/k8s-resource-#{count.to_s}-#{name}"
+          File.open(path, "w") { |fh|
+            fh.puts blob.to_yaml
+          }
+          path
+        end
+        next if !kubectl
+        done = false
+        retries = 0
+        begin
+          %x{#{kubectl} --kubeconfig "#{kubeconfig}" get -f #{blobfile} > /dev/null 2>&1}
+          arg = $?.exitstatus == 0 ? "apply" : "create"
+          cmd = %Q{#{kubectl} --kubeconfig "#{kubeconfig}" #{arg} -f #{blobfile}}
+          MU.log "Applying Kubernetes resource #{count.to_s} with kubectl #{arg}", MU::NOTICE, details: cmd
+          output = %x{#{cmd} 2>&1}
+          if $?.exitstatus == 0
+            MU.log "Kubernetes resource #{count.to_s} #{arg} was successful: #{output}", details: blob.to_yaml
+            done = true
+          else
+            MU.log "Kubernetes resource #{count.to_s} #{arg} failed: #{output}", MU::WARN, details: blob.to_yaml
+            if retries < 5
+              sleep 5
+            else
+              MU.log "Giving up on Kubernetes resource #{count.to_s} #{arg}"
+              done = true
+            end
+            retries += 1
+          end
+          f.unlink if use_tmp
+        end while !done
+        count += 1
+      }
+    end
     # Update Mu's local cache/metadata for the given user, fixing permissions
     # and updating stored values. Create a single-user group for the user, as
     # well.

data/modules/mu/master/chef.rb CHANGED

@@ -1,4 +1,3 @@
-#!/usr/local/ruby-current/bin/ruby
 # Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
 #
 # Licensed under the BSD-3 license (the "License");
@@ -112,7 +111,7 @@ module MU
           f.puts "chef_server_url  'https://#{$MU_CFG["public_address"]}/organizations/#{chef_user}'"
           f.puts "validation_client_name '#{chef_user}-validator'"
         }
-        if !File.exists?("#{chefdir}/client.rb") or
+        if !File.exist?("#{chefdir}/client.rb") or
             File.read("#{chefdir}/client.rb") != File.read("#{chefdir}/client.rb.tmp.#{Process.pid}")
           File.rename(chefdir+"/client.rb.tmp.#{Process.pid}", chefdir+"/client.rb")
           FileUtils.chown_R(user, user+".mu-user", Etc.getpwnam(user).dir+"/.chef")
@@ -143,7 +142,7 @@ module MU
           # f.puts "verify_api_cert    false"
           # f.puts "ssl_verify_mode    :verify_none"
         }
-        if !File.exists?("#{chefdir}/knife.rb") or
+        if !File.exist?("#{chefdir}/knife.rb") or
             File.read("#{chefdir}/knife.rb") != File.read("#{chefdir}/knife.rb.tmp.#{Process.pid}")
           File.rename(chefdir+"/knife.rb.tmp.#{Process.pid}", chefdir+"/knife.rb")
           FileUtils.chown_R(user, user+".mu-user", Etc.getpwnam(user).dir+"/.chef")

data/modules/mu/master/ldap.rb CHANGED

@@ -1,4 +1,3 @@
-#!/usr/local/ruby-current/bin/ruby
 # Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
 #
 # Licensed under the BSD-3 license (the "License");

data/modules/mu/master/ssl.rb ADDED

@@ -0,0 +1,250 @@
+# Copyright:: Copyright (c) 2019 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#     http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+module MU
+  class Master
+    # Create and manage our own internal SSL signing authority
+    class SSL
+      # List of Mu services for which we'll generate SSL certs signed by our
+      # authority.
+      SERVICES = ["rsyslog", "mommacat", "ldap", "consul", "vault"]
+      # Exception class for when we can't find the +openssl+ command
+      class MuSSLNotFound < MU::MuError;end
+# TODO set file/dir ownerships to honor for_user if we were invoked as root
+      # @param for_user [String]
+      def self.bootstrap(for_user: MU.mu_user)
+        ssldir = MU.dataDir(for_user)+"/ssl"
+        Dir.mkdir(ssldir, 0755) if !Dir.exist?(ssldir)
+        alt_names = [MU.mu_public_ip, MU.my_private_ip, MU.mu_public_addr, Socket.gethostbyname(Socket.gethostname).first, "localhost", "127.0.0.1"].uniq
+        alt_names.reject! { |s| s.nil? }
+        getCert("Mu_CA", "/CN=#{MU.mu_public_addr}/OU=Mu Server at #{MU.mu_public_addr}/O=eGlobalTech/C=US", sans: alt_names, ca: true)
+        SERVICES.each { |service|
+          getCert(service, "/CN=#{MU.mu_public_addr}/OU=Mu #{service}/O=eGlobalTech/C=US", sans: alt_names)
+        }
+      end
+      # @param name [String]
+      # @param for_user [String]
+      # @return [OpenSSL::PKey::RSA]
+      def self.getKey(name, for_user: MU.mu_user, keysize: 4096)
+        ssldir = MU.dataDir(for_user)+"/ssl"
+        if !File.exist?(ssldir+"/"+name+".key")
+          key = OpenSSL::PKey::RSA.new keysize
+          File.write(ssldir+"/"+name+".key", key)
+        end
+        File.chmod(0400, ssldir+"/"+name+".key")
+        OpenSSL::PKey::RSA.new(File.read(ssldir+"/"+name+".key"))
+      end
+      # @param for_user [String]
+      # @return [Integer]
+      def self.incrementCASerial(for_user: MU.mu_user)
+        ssldir = MU.dataDir(for_user)+"/ssl"
+        cur = 0
+        if File.exist?(ssldir+"/serial")
+          cur = File.read(ssldir+"/serial").chomp.to_i
+        end
+        File.open("#{ssldir}/serial", File::CREAT|File::RDWR, 0600) { |f|
+          f.flock(File::LOCK_EX)
+          cur += 1
+          f.rewind
+          f.truncate(0)
+          f.puts cur
+          f.flush
+          f.flock(File::LOCK_UN)
+        }
+        cur
+      end
+      # Given a Certificate Signing Request, sign it with our internal CA and
+      # write the resulting signed certificate. Only works on local files.
+      # @param csr_path [String]: The CSR to sign, as a file.
+      def self.sign(csr_path, sans = [], for_user: MU.mu_user)
+        certdir = File.dirname(csr_path)
+        certname = File.basename(csr_path, ".csr")
+        if File.exist?("#{certdir}/#{certname}.crt")
+          MU.log "Not re-signing SSL certificate request #{csr_path}, #{certdir}/#{certname}.crt already exists", MU::DEBUG
+          return
+        end
+        MU.log "Signing SSL certificate request #{csr_path} with #{MU.mySSLDir}/Mu_CA.pem"
+        begin
+          csr = OpenSSL::X509::Request.new File.read csr_path
+        rescue Exception => e
+          MU.log e.message, MU::ERR, details: File.read(csr_path)
+          raise e
+        end
+        cakey = getKey("Mu_CA")
+        cacert = getCert("Mu_CA", ca: true).first
+        cert = OpenSSL::X509::Certificate.new
+        cert.serial = incrementCASerial(for_user: for_user)
+        cert.version = 0x2
+        cert.not_before = Time.now
+        cert.not_after = Time.now + 180000000
+        cert.subject = csr.subject
+        cert.public_key = csr.public_key
+        cert.issuer = cacert.subject
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.issuer_certificate = cacert
+        ef.subject_certificate = cert
+        ef.subject_request = csr
+        if !sans.nil? and !sans.empty? and
+           !formatSANS(sans).nil? and !formatSANS(sans).empty?
+          cert.add_extension(ef.create_extension("subjectAltName",formatSANS(sans),false))
+        end
+        cert.add_extension(ef.create_extension("keyUsage","nonRepudiation,digitalSignature,keyEncipherment", false))
+        cert.add_extension(ef.create_extension("extendedKeyUsage","clientAuth,serverAuth,codeSigning,emailProtection",false))
+        cert.sign cakey, OpenSSL::Digest::SHA256.new
+        File.open("#{certdir}/#{certname}.crt", 'w', 0644) { |f|
+          f.write cert.to_pem
+        }
+        cert
+      end
+      # @param name [String]
+      # @param cn_str [String]
+      # @param sans [Array<String>]
+      # @param ca [Array<String>]
+      # @param for_user [String]
+      # @return [OpenSSL::X509::Certificate]
+      def self.getReq(name, cn_str = nil, sans: [], ca: false, for_user: MU.mu_user)
+      end
+      # @param name [String]
+      # @param cn_str [String]
+      # @param sans [Array<String>]
+      # @param ca [Array<String>]
+      # @param for_user [String]
+      # @param pfx [Boolean]
+      # @return [OpenSSL::X509::Certificate]
+      def self.getCert(name, cn_str = nil, sans: [], ca: false, for_user: MU.mu_user, pfx: false)
+        ssldir = MU.dataDir(for_user)+"/ssl"
+        filename = ca ? "#{ssldir}/#{name}.pem" : "#{ssldir}/#{name}.crt"
+        keyfile = "#{ssldir}/#{name}.key"
+        pfxfile = "#{ssldir}/#{name}.pfx"
+        pfx_cert = nil
+        if File.exist?(filename)
+          pfx_cert = toPfx(filename, keyfile, pfxfile) if pfx
+          cert = OpenSSL::X509::Certificate.new(File.read(filename))
+          return [cert, pfx_cert]
+        end
+        if cn_str.nil?
+          raise MuError, "Can't generate an SSL cert for #{name} without a CN"
+        end
+        key = getKey(name, for_user: for_user)
+puts cn_str
+        cn = OpenSSL::X509::Name.parse(cn_str)
+        # If we're generating our local CA, we're not really doing a CSR, but
+        # the operation is close to identical.
+        csr = if ca
+          MU.log "Generating Mu CA certificate", MU::NOTICE, details: filename
+          csr = OpenSSL::X509::Certificate.new
+          csr.not_before = Time.now
+          csr.not_after = Time.now + 180000000
+          csr
+        else
+          MU.log "Generating Mu-signed certificate for #{name}", MU::NOTICE, details: filename
+          OpenSSL::X509::Request.new
+        end
+        csr.version = 0x2 # by which we mean '3'
+        csr.subject = cn
+        csr.public_key = key.public_key
+        # If we're the CA certificate, declare ourselves our own issuer and
+        # write, instead of going through the rest of the motions.
+        if ca
+          csr.issuer = csr.subject
+          ef = OpenSSL::X509::ExtensionFactory.new
+          csr.serial = 1
+          ef.subject_certificate = csr
+          ef.issuer_certificate = csr
+          csr.add_extension(ef.create_extension("subjectAltName",formatSANS(sans),false))
+          csr.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
+          csr.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
+          csr.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
+          csr.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
+        end
+        csr.sign key, OpenSSL::Digest::SHA256.new
+        cert = if !ca
+          File.open("#{ssldir}/#{name}.csr", 'w', 0644) { |f|
+            f.write csr.to_pem
+          }
+					sign("#{ssldir}/#{name}.csr", sans, for_user: for_user)
+        else
+          csr
+        end
+        File.open(filename, 'w', 0644) { |f|
+          f.write cert.to_pem
+        }
+        pfx_cert = toPfx(filename, keyfile, pfxfile) if pfx
+        if MU.mu_user != "mu" and Process.uid == 0
+          owner_uid = Etc.getpwnam(for_user).uid
+          File.chown(owner_uid, nil, filename)
+          File.chown(owner_uid, nil, pfxfile) if pfx
+        end
+        [cert, pfx_cert]
+      end
+      private
+      def self.toPfx(certfile, keyfile, pfxfile)
+        cacert = getCert("Mu_CA", ca: true).first
+        cert = OpenSSL::X509::Certificate.new(File.read(certfile))
+        key = OpenSSL::PKey::RSA.new(File.read(keyfile))
+        pfx = OpenSSL::PKCS12.create(nil, nil, key, cert, [cacert], nil, nil, nil, nil)
+        File.open(pfxfile, 'w', 0644) { |f|
+          f.write pfx.to_der
+        }
+        pfx
+      end
+      def self.formatSANS(sans)
+        sans.map { |s|
+          if s.match(/^\d+\.\d+\.\d+\.\d+$/)
+            "IP:"+s
+          else
+            "DNS:"+s
+          end
+        }.join(",")
+      end
+    end
+  end
+end