hybrid_platforms_conductor 32.18.0 → 33.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b724f6cb69633133e800d381ee1d0bfdd1a1107d7fc388fe1dcbcf423480ca9d
-  data.tar.gz: 3252bc11e083295c2694df60a9af790d8b01cbe851baebbe1d8e75b656e0acd3
+  metadata.gz: ae17e600c52586447071f6f463ee1525754327c0be4a147bec7d3ebcb13b018d
+  data.tar.gz: 9e4dc83a6d37fc9c17b99fd9a16eae20b73673dd492dde52679a159ed922a3d5
 SHA512:
-  metadata.gz: 43793a4b3f8ec9a1353b4c075289dfcd77574b64a481754db68e1affa1c599500a3c29d8fa12b31c13dd69b47c5a2840f52aef80045fbec8be7a363ca4eb90b7
-  data.tar.gz: 0451da97325093d7a59684de1ffc77856f4baf5c3a4c76853e6df4492c7cfb1d52cbf9405c0d44b1d8af643e61f64569fc305ed61204be26f081591bdccb6d43
+  metadata.gz: d9b89fc3f6ed1fe6e87f23aa1519b32dc62bdcf861b0332088909b1ac8945adf273425c97860c0df5131069921c6adfed60d265cbfe9c1d50a6e4cd5099cc420
+  data.tar.gz: d9b3d6d66250552aaec66672b2b9fc97843eb39fc5578a34b74c44f9a4511bccf7978ef59559a4a21b276557e6293418e3350b8151308000d478e22aba84ab56

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+# [v33.0.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v32.18.0...v33.0.0) (2021-06-15 16:10:47)
+
+### Breaking changes
+
+* [[Breaking] Add secrets reader plugins with 2 default plugins: cli and thycotic](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/2cfacebe8cfac57de40ef003877da5b99aca5b5e)
+
 # [v32.18.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v32.17.1...v32.18.0) (2021-06-14 15:01:02)
 
 ## Global changes

data/README.md

@@ -216,13 +216,13 @@ Connector ssh options:
         --ssh-gateways-conf
 
 Deployer options:
-    -e, --secrets SECRETS_LOCATION   Specify a secrets location. Can be specified several times. Location can be:
-                                     * Local path to a JSON file
-                                     * URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.
     -p, --parallel                   Execute the commands in parallel (put the standard output in files <hybrid-platforms-dir>/run_logs/*.stdout)
     -t, --timeout SECS               Timeout in seconds to wait for each chef run. Only used in why-run mode. (defaults to no timeout)
     -W, --why-run                    Use the why-run mode to see what would be the result of the deploy instead of deploying it for real.
         --retries-on-error NBR       Number of retries in case of non-deterministic errors (defaults to 0)
+
+Secrets reader cli options:
+    -e, --secrets JSON_FILE          Specify a secrets location from a local JSON file. Can be specified several times.
 ```
 
 All executables also have the `--debug` switch to display more verbose and debugging information.

data/docs/config_dsl.md

@@ -2,7 +2,7 @@
 
 The DSL used in configuration files is comprised of Ruby methods that can be called directly in the main `hpc_config.rb` file.
 
-This DSL can also be completed by plugins. Check [the plugins documentations](plugins) to know about DSL extensions brought by plugins.
+This DSL can also be completed by plugins. Check [the plugins documentations](plugins.md) to know about DSL extensions brought by plugins.
 
 # Table of Contents
   * [`<platform_type>_platform`](#platform_type_platform)
@@ -13,6 +13,7 @@ This DSL can also be completed by plugins. Check [the plugins documentations](pl
   * [`hybrid_platforms_dir`](#hybrid_platforms_dir)
   * [`tests_provisioner`](#tests_provisioner)
   * [`expect_tests_to_fail`](#expect_tests_to_fail)
+  * [`read_secrets_from`](#read_secrets_from)
   * [`send_logs_to`](#send_logs_to)
   * [`retry_deploy_for_errors_on_stdout`](#retry_deploy_for_errors_on_stdout)
   * [`retry_deploy_for_errors_on_stderr`](#retry_deploy_for_errors_on_stderr)
@@ -201,6 +202,27 @@ for_nodes('/tst/') do
 end
 ```
 
+<a name="read_secrets_from"></a>
+## `read_secrets_from`
+
+Set the list of [secrets reader plugins](plugins.md#secrets_reader) to use.
+By default (if no plugins is specifically set) the [secrets reader plugin `cli`](plugins/secrets_reader/cli.md) is being used.
+
+Takes the list of secrets reader plugin names, as symbols, as a parameter.
+
+Can be applied to subset of nodes using the [`for_nodes` DSL method](#for_nodes).
+
+Examples:
+```ruby
+# By default, get secrets from the command-line
+read_secrets_from :cli
+
+# All our production nodes also have their secrets stored on a secured Thycotic server
+for_nodes('/prd/') do
+  read_secrets_from :thycotic
+end
+```
+
 <a name="send_logs_to"></a>
 ## `send_logs_to`
 

data/docs/executables.md

@@ -132,25 +132,22 @@ The Deployer options are used to drive a deployment (be it in why-run mode or no
 
 ```
 Deployer options:
-    -e, --secrets SECRETS_LOCATION   Specify a secrets location. Can be specified several times. Location can be:
-                                     * Local path to a JSON file
-                                     * URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.
     -p, --parallel                   Execute the commands in parallel (put the standard output in files <hybrid-platforms-dir>/run_logs/*.stdout)
     -t, --timeout SECS               Timeout in seconds to wait for each chef run. Only used in why-run mode. (defaults to no timeout)
     -W, --why-run                    Use the why-run mode to see what would be the result of the deploy instead of deploying it for real.
         --retries-on-error NBR       Number of retries in case of non-deterministic errors (defaults to 0)
+
+Secrets reader cli options:
+    -e, --secrets JSON_FILE          Specify a secrets location from a local JSON file. Can be specified several times.
 ```
 
-* `--secrets SECRETS_LOCATION`: Specify a JSON file storing secrets that can be used by the deployment process. Secrets are values that are needed for deployment but that should not be part of the platforms repositories (such as passwords, API keys, SSL certificates...).
-  The location can be:
-  * A local file path (for example /path/to/file.json).
-  * A Thycotic Secret Server URL followed by a secret id (for example https://portal.muc.msp.my_company.net/SecretServer:8845).
 * `--parallel`: Specify that the deployment process should perform concurrently on the different nodes it has to deploy to.
 * `--timeout SECS`: Specify the timeout (in seconds) to apply while deploying. This can be set only in why-run mode.
 * `--why-run`: Specify the why-run mode. The why-run mode is used to simulate a deployment on the nodes, and report what a real deployment would have changed on the node.
 * `--retries-on-error NBR`: Specify the number of retries deploys can do in case of non-deterministic errors.
   Non-deterministic errors are matched using a set of strings or regular expressions that can be configured in the `hpc_config.rb` file of any platform, using the `retry_deploy_for_errors_on_stdout` and `retry_deploy_for_errors_on_stderr` properties:
   For example:
+
 ```ruby
 retry_deploy_for_errors_on_stdout [
   'This is a raw string error that will be matched against stdout',
@@ -161,6 +158,8 @@ retry_deploy_for_errors_on_stderr [
 ]
 ```
 
+* `--secrets SECRETS_LOCATION`: Specify a JSON file storing secrets that can be used by the deployment process. Secrets are values that are needed for deployment but that should not be part of the platforms repositories (such as passwords, API keys, SSL certificates...). This option is used by the [`cli` secrets reader plugin](plugins/secrets_reader/cli.md). See [secrets reader plugins](plugins.md#secrets_reader) for more info about secrets retrieval.
+
 ## JSON dump options
 
 The JSON dump options drive the way nodes' JSON information is being dumped.

data/docs/executables/check-node.md

@@ -65,11 +65,11 @@ Connector ssh options:
         --ssh-gateways-conf
 
 Deployer options:
-    -e, --secrets SECRETS_LOCATION   Specify a secrets location. Can be specified several times. Location can be:
-                                     * Local path to a JSON file
-                                     * URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.
     -t, --timeout SECS               Timeout in seconds to wait for each chef run. Only used in why-run mode. (defaults to no timeout)
         --retries-on-error NBR       Number of retries in case of non-deterministic errors (defaults to 0)
+
+Secrets reader cli options:
+    -e, --secrets JSON_FILE          Specify a secrets location from a local JSON file. Can be specified several times.
 ```
 
 ## Examples

data/docs/executables/deploy.md

@@ -82,13 +82,13 @@ Connector ssh options:
         --ssh-gateways-conf
 
 Deployer options:
-    -e, --secrets SECRETS_LOCATION   Specify a secrets location. Can be specified several times. Location can be:
-                                     * Local path to a JSON file
-                                     * URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.
     -p, --parallel                   Execute the commands in parallel (put the standard output in files <hybrid-platforms-dir>/run_logs/*.stdout)
     -t, --timeout SECS               Timeout in seconds to wait for each chef run. Only used in why-run mode. (defaults to no timeout)
     -W, --why-run                    Use the why-run mode to see what would be the result of the deploy instead of deploying it for real.
         --retries-on-error NBR       Number of retries in case of non-deterministic errors (defaults to 0)
+
+Secrets reader cli options:
+    -e, --secrets JSON_FILE          Specify a secrets location from a local JSON file. Can be specified several times.
 ```
 
 ## Examples

data/docs/executables/dump_nodes_json.md

@@ -54,13 +54,13 @@ Connector ssh options:
         --ssh-gateways-conf
 
 Deployer options:
-    -e, --secrets SECRETS_LOCATION   Specify a secrets location. Can be specified several times. Location can be:
-                                     * Local path to a JSON file
-                                     * URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.
     -t, --timeout SECS               Timeout in seconds to wait for each chef run. Only used in why-run mode. (defaults to 30)
     -W, --why-run                    Use the why-run mode to see what would be the result of the deploy instead of deploying it for real.
         --retries-on-error NBR       Number of retries in case of non-deterministic errors (defaults to 0)
 
+Secrets reader cli options:
+    -e, --secrets JSON_FILE          Specify a secrets location from a local JSON file. Can be specified several times.
+
 JSON dump options:
     -k, --skip-run                   Skip the actual gathering of dumps in run_logs. If set, the current run_logs content will be used.
     -j, --json-dir DIRECTORY         Specify the output directory in which JSON files are being written. Defaults to nodes_json.

data/docs/executables/test.md

@@ -93,11 +93,11 @@ Connector ssh options:
         --ssh-gateways-conf
 
 Deployer options:
-    -e, --secrets SECRETS_LOCATION   Specify a secrets location. Can be specified several times. Location can be:
-                                     * Local path to a JSON file
-                                     * URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.
         --retries-on-error NBR       Number of retries in case of non-deterministic errors (defaults to 0)
 
+Secrets reader cli options:
+    -e, --secrets JSON_FILE          Specify a secrets location from a local JSON file. Can be specified several times.
+
 Tests runner options:
     -i, --tests-list FILE_NAME       Specify a tests file name. The file should contain a list of tests name (1 per line). Can be used several times.
     -k, --skip-run                   Skip running the check-node commands for real, and just analyze existing run logs.

data/docs/executables/topograph.md

@@ -39,12 +39,12 @@ Connector ssh options:
         --ssh-gateways-conf
 
 Deployer options:
-    -e, --secrets SECRETS_LOCATION   Specify a secrets location. Can be specified several times. Location can be:
-                                     * Local path to a JSON file
-                                     * URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.
     -t, --timeout SECS               Timeout in seconds to wait for each chef run. Only used in why-run mode. (defaults to 30)
         --retries-on-error NBR       Number of retries in case of non-deterministic errors (defaults to 0)
 
+Secrets reader cli options:
+    -e, --secrets JSON_FILE          Specify a secrets location from a local JSON file. Can be specified several times.
+
 JSON dump options:
     -j, --json-dir DIRECTORY         Specify the output directory in which JSON files are being written. Defaults to nodes_json.
 

data/docs/plugins.md

@@ -14,6 +14,7 @@ Following are all possible plugin types and the plugins shipped by default with
   * [`platform_handler`](#platform_handler)
   * [`provisioner`](#provisioner)
   * [`report`](#report)
+  * [`secrets_reader`](#secrets_reader)
   * [`test`](#test)
   * [`test_report`](#test_report)
 
@@ -177,6 +178,26 @@ Plugins shipped by default:
 * [`mediawiki`](plugins/report/mediawiki.md)
 * [`stdout`](plugins/report/stdout.md)
 
+<a name="secrets_reader"></a>
+## Secrets readers
+
+Secrets reader are responsible for fetching secrets (passwords, private keys, API tokens...) needed during deployment from various sources (command line, environment, vaults, secrets servers...).
+
+Corresponding plugin type: `secrets_reader`.
+
+These plugins add new ways to retrieve secrets used by the [`Deployer`](../lib/hybrid_platforms_conductor/deployer.rb)
+
+Examples of secrets readers are:
+* Command-line: Give secrets from a local file.
+* Vault: Get secrets from vaults (encrypted databases).
+* Secrets servers: Query secrets servers to retrieve secrets.
+
+Check the [sample plugin file](../lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/my_secrets_reader_plugin.rb.sample) to know more about the API that needs to be implemented by such plugins.
+
+Plugins shipped by default:
+* [`cli`](plugins/secrets_reader/cli.md)
+* [`thycotic`](plugins/secrets_reader/thycotic.md)
+
 <a name="test"></a>
 ## Tests
 

data/docs/plugins/secrets_reader/cli.md

@@ -0,0 +1,31 @@
+# Secrets reader plugin: `cli`
+
+The `cli` secrets reader plugin reads secrets from a local JSON file that can be given through the `--secrets` command-line parameter.
+
+Example:
+```bash
+./bin/deploy --node my_node --secrets /path/to/my_secrets.json
+```
+
+## Config DSL extension
+
+None
+
+## Used credentials
+
+| Credential | Usage
+| --- | --- |
+
+## Used Metadata
+
+| Metadata | Type | Usage
+| --- | --- | --- |
+
+## Used environment variables
+
+| Variable | Usage
+| --- | --- |
+
+## External tools dependencies
+
+None

data/docs/plugins/secrets_reader/thycotic.md

@@ -0,0 +1,46 @@
+# Secrets reader plugin: `thycotic`
+
+The `thycotic` secrets reader plugin retrieves secrets from a [Thycotic secrets server](https://thycotic.com/products/secret-server-vdo/), using its SOAP API.
+
+It is configured using the `secrets_from_thycotic` (see below) config DSL and uses the `thycotic` credential ID to authenticate.
+
+## Config DSL extension
+
+### `secrets_from_thycotic`
+
+Define a Thycotic URL and Thycotic secret ID to fetch from a Thycotic server.
+The Thycotic secret should contain a JSON file that will be retrieved locally to be used as a secrets source. The local copy will then be removed after deployment.
+
+Can be applied to subset of nodes using the [`for_nodes` DSL method](/docs/config_dsl.md#for_nodes).
+
+It takes the following parameters:
+* **thycotic_url** (`String`): The Thycotic server URL.
+* **secret_id** (`Integer`): The Thycotic secret ID containing the secrets file to be used as secrets.
+
+Example:
+```ruby
+secrets_from_thycotic(
+  thycotic_url: 'https://my-thycotic-server.my-domain.com/SecretServer',
+  secret_id: 1107
+)
+```
+
+## Used credentials
+
+| Credential | Usage
+| --- | --- |
+| `thycotic` | Used to authenticate on the Thycotic server's SOAP API |
+
+## Used Metadata
+
+| Metadata | Type | Usage
+| --- | --- | --- |
+
+## Used environment variables
+
+| Variable | Usage
+| --- | --- |
+
+## External tools dependencies
+
+None

data/lib/hybrid_platforms_conductor/deployer.rb

@@ -11,7 +11,6 @@ require 'hybrid_platforms_conductor/logger_helpers'
 require 'hybrid_platforms_conductor/nodes_handler'
 require 'hybrid_platforms_conductor/services_handler'
 require 'hybrid_platforms_conductor/plugins'
-require 'hybrid_platforms_conductor/thycotic'
 
 module HybridPlatformsConductor
 
@@ -27,6 +26,12 @@ module HybridPlatformsConductor
       # Array< Hash<Symbol, Object> >
       attr_reader :deployment_logs
 
+      # List of secrets reader plugins. Each info has the following properties:
+      # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by this rule.
+      # * *secrets_readers* (Array<Symbol>): List of log plugins to be used to store deployment logs.
+      # Array< Hash<Symbol, Object> >
+      attr_reader :secrets_readers
+
       # Integer: Timeout (in seconds) for packaging repositories
       attr_reader :packaging_timeout_secs
 
@@ -34,6 +39,7 @@ module HybridPlatformsConductor
       def init_deployer_config
         @packaging_timeout_secs = 60
         @deployment_logs = []
+        @secrets_readers = []
       end
 
       # Set the packaging timeout
@@ -55,6 +61,17 @@ module HybridPlatformsConductor
         }
       end
 
+      # Set the secrets readers
+      #
+      # Parameters::
+      # * *secrets_readers* (Symbol or Array<Symbol>): The list of (or single) secrets readers plugins to be used
+      def read_secrets_from(*secrets_readers)
+        @secrets_readers << {
+          nodes_selectors_stack: current_nodes_selectors_stack,
+          secrets_readers: secrets_readers.flatten
+        }
+      end
+
     end
 
     include LoggerHelpers
@@ -73,10 +90,6 @@ module HybridPlatformsConductor
     #   Boolean
     attr_accessor :concurrent_execution
 
-    # The list of JSON secrets
-    #   Array<Hash>
-    attr_accessor :secrets
-
     # Are we deploying in a local environment?
     #   Boolean
     attr_accessor :local_environment
@@ -110,7 +123,21 @@ module HybridPlatformsConductor
       @nodes_handler = nodes_handler
       @actions_executor = actions_executor
       @services_handler = services_handler
-      @secrets = []
+      @override_secrets = nil
+      @secrets_readers = Plugins.new(
+        :secrets_reader,
+        logger: @logger,
+        logger_stderr: @logger_stderr,
+        init_plugin: proc do |plugin_class|
+          plugin_class.new(
+            logger: @logger,
+            logger_stderr: @logger_stderr,
+            config: @config,
+            cmd_runner: @cmd_runner,
+            nodes_handler: @nodes_handler
+          )
+        end
+      )
       @provisioners = Plugins.new(:provisioner, logger: @logger, logger_stderr: @logger_stderr)
       @log_plugins = Plugins.new(
         :log,
@@ -144,30 +171,6 @@ module HybridPlatformsConductor
     def options_parse(options_parser, parallel_switch: true, why_run_switch: false, timeout_options: true)
       options_parser.separator ''
       options_parser.separator 'Deployer options:'
-      options_parser.on(
-        '-e', '--secrets SECRETS_LOCATION',
-        'Specify a secrets location. Can be specified several times. Location can be:',
-        '* Local path to a JSON file',
-        '* URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.'
-      ) do |secrets_location|
-        @secrets << JSON.parse(
-          if secrets_location =~ /^(https?:\/\/.+):(\d+)$/
-            url = $1
-            secret_id = $2
-            secret = nil
-            Thycotic.with_thycotic(url, @logger, @logger_stderr) do |thycotic|
-              secret_file_item_id = thycotic.get_secret(secret_id).dig(:secret, :items, :secret_item, :id)
-              raise "Unable to fetch secret file ID #{secrets_location}" if secret_file_item_id.nil?
-              secret = thycotic.download_file_attachment_by_item_id(secret_id, secret_file_item_id)
-              raise "Unable to fetch secret file attachment from #{secrets_location}" if secret.nil?
-            end
-            secret
-          else
-            raise "Missing secret file: #{secrets_location}" unless File.exist?(secrets_location)
-            File.read(secrets_location)
-          end
-        )
-      end
       options_parser.on('-p', '--parallel', 'Execute the commands in parallel (put the standard output in files <hybrid-platforms-dir>/run_logs/*.stdout)') do
         @concurrent_execution = true
       end if parallel_switch
@@ -180,6 +183,14 @@ module HybridPlatformsConductor
       options_parser.on('--retries-on-error NBR', "Number of retries in case of non-deterministic errors (defaults to #{@nbr_retries_on_error})") do |nbr_retries|
         @nbr_retries_on_error = nbr_retries.to_i
       end
+      # Display options secrets readers might have
+      @secrets_readers.each do |secret_reader_name, secret_reader|
+        if secret_reader.respond_to?(:options_parse)
+          options_parser.separator ''
+          options_parser.separator "Secrets reader #{secret_reader_name} options:"
+          secret_reader.options_parse(options_parser)
+        end
+      end
     end
 
     # Validate that parsed parameters are valid
@@ -190,6 +201,16 @@ module HybridPlatformsConductor
     # String: File used as a Futex for packaging
     PACKAGING_FUTEX_FILE = "#{Dir.tmpdir}/hpc_packaging"
 
+    # Override the secrets with a given JSON.
+    # When using this method with a secrets Hash, further deployments will not query secrets readers, but will use those secrets directly.
+    # Useful to override secrets in test conditions when using dummy secrets for example.
+    #
+    # Parameters::
+    # * *secrets* (Hash or nil): Secrets to take into account in place of secrets readers, or nil to cancel a previous overriding and use secrets readers instead.
+    def override_secrets(secrets)
+      @override_secrets = secrets
+    end
+
     # Deploy on a given list of nodes selectors.
     # The workflow is the following:
     # 1. Package the services to be deployed, considering the nodes, services and context (options, secrets, environment...)
@@ -209,10 +230,20 @@ module HybridPlatformsConductor
 
       # Get the secrets to be deployed
       secrets = {}
-      @secrets.each do |secret_json|
-        secrets.merge!(secret_json) do |key, value1, value2|
-          raise "Secret #{key} has conflicting values between different secret JSON files." if value1 != value2
-          value1
+      if @override_secrets
+        secrets = @override_secrets
+      else
+        services_to_deploy.each do |node, services|
+          # If there is no config for secrets, just use cli
+          (@config.secrets_readers.empty? ? [{ secrets_readers: %i[cli] }] : @nodes_handler.select_confs_for_node(node, @config.secrets_readers)).inject([]) do |secrets_readers, secrets_readers_info|
+            secrets_readers + secrets_readers_info[:secrets_readers]
+          end.sort.uniq.each do |secrets_reader|
+            services.each do |service|
+              node_secrets = @secrets_readers[secrets_reader].secrets_for(node, service)
+              conflicting_path = safe_merge(secrets, node_secrets)
+              raise "Secret set at path #{conflicting_path.join('->')} by #{secrets_reader} for service #{service} on node #{node} has conflicting values (#{log_debug? ? "#{node_secrets.dig(*conflicting_path)} != #{secrets.dig(*conflicting_path)}" : 'set debug for value details'})." unless conflicting_path.nil?
+            end
+          end
         end
       end
 
@@ -370,7 +401,7 @@ module HybridPlatformsConductor
           deployer.local_environment = true
           # Ignore secrets that might have been given: in Docker containers we always use dummy secrets
           dummy_secrets_file = "#{@config.hybrid_platforms_dir}/dummy_secrets.json"
-          deployer.secrets = File.exist?(dummy_secrets_file) ? [JSON.parse(File.read(dummy_secrets_file))] : []
+          deployer.override_secrets(File.exist?(dummy_secrets_file) ? JSON.parse(File.read(dummy_secrets_file)) : {})
           yield deployer, instance
         end
       rescue
@@ -433,6 +464,35 @@ module HybridPlatformsConductor
 
     private
 
+    # Safe-merge 2 hashes.
+    # Safe-merging is done by:
+    # * Merging values that are hashes.
+    # * Reporting errors when values conflict.
+    # When values are conflicting, the initial hash won't modify those conflicting values and will stop the merge.
+    #
+    # Parameters::
+    # * *hash* (Hash): Hash to be modified merging hash_to_merge
+    # * *hash_to_merge* (Hash): Hash to be merged into hash
+    # Result::
+    # * nil or Array<Object>: nil in case of success, or the keys path leading to a conflicting value in case of error
+    def safe_merge(hash, hash_to_merge)
+      conflicting_path = nil
+      hash_to_merge.each do |key, value_to_merge|
+        if hash.key?(key)
+          if hash[key].is_a?(Hash) && value_to_merge.is_a?(Hash)
+            sub_conflicting_path = safe_merge(hash[key], value_to_merge)
+            conflicting_path = [key] + sub_conflicting_path unless sub_conflicting_path.nil?
+          elsif hash[key] != value_to_merge
+            conflicting_path = [key]
+          end
+        else
+          hash[key] = value_to_merge
+        end
+        break unless conflicting_path.nil?
+      end
+      conflicting_path
+    end
+
     # Get the list of retriable errors a node got from deployment logs.
     # Useful to know if an error is non-deterministic (due to external and temporary factors).
     #
@@ -485,7 +545,7 @@ module HybridPlatformsConductor
         Hash[services.map do |node, node_services|
           image_id = @nodes_handler.get_image_of(node)
           sudo = (ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} ")
-          # Install My_company corporate certificates if present
+          # Install corporate certificates if present
           certificate_actions =
             if @local_environment && ENV['hpc_certificates']
               if File.exist?(ENV['hpc_certificates'])