hybrid_platforms_conductor 32.18.0 → 33.0.4

data/lib/hybrid_platforms_conductor/config.rb

@@ -1,4 +1,5 @@
 require 'cleanroom'
+require 'hybrid_platforms_conductor/core_extensions/cleanroom/fix_kwargs'
 require 'git'
 require 'ice_cube'
 require 'hybrid_platforms_conductor/plugins'
@@ -8,7 +9,8 @@ module HybridPlatformsConductor
   # Object used to access the whole configuration
   class Config
 
-    include LoggerHelpers, Cleanroom
+    include Cleanroom
+    include LoggerHelpers
 
     class << self
 
@@ -35,6 +37,7 @@ module HybridPlatformsConductor
     # Directory of the definition of the platforms
     #   String
     attr_reader :hybrid_platforms_dir
+
     expose :hybrid_platforms_dir
 
     # List of expected failures info. Each info has the following properties:
@@ -60,7 +63,7 @@ module HybridPlatformsConductor
     # Parameters::
     # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
     # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
-    def initialize(logger: Logger.new(STDOUT), logger_stderr: Logger.new(STDERR))
+    def initialize(logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
       init_loggers(logger, logger_stderr)
       @hybrid_platforms_dir = File.expand_path(ENV['hpc_platforms'].nil? ? '.' : ENV['hpc_platforms'])
       # Stack of the nodes selectors scopes
@@ -94,7 +97,7 @@ module HybridPlatformsConductor
       end
       # Call initializers if needed
       Config.mixin_initializers.each do |mixin_init_method|
-        self.send(mixin_init_method)
+        send(mixin_init_method)
       end
       include_config_from "#{@hybrid_platforms_dir}/hpc_config.rb"
     end
@@ -105,7 +108,7 @@ module HybridPlatformsConductor
     # * *dsl_file* (String): Path to the DSL file
     def include_config_from(dsl_file)
       log_debug "Include config from #{dsl_file}"
-      self.evaluate_file(dsl_file)
+      evaluate_file(dsl_file)
     end
     expose :include_config_from
 
@@ -116,6 +119,7 @@ module HybridPlatformsConductor
     # * *dir* (String): Directory containing the Dockerfile defining the image
     def os_image(image, dir)
       raise "OS image #{image} already defined to #{@os_images[image]}" if @os_images.key?(image)
+
       @os_images[image] = dir
     end
     expose :os_image

data/lib/hybrid_platforms_conductor/confluence.rb

@@ -34,7 +34,7 @@ module HybridPlatformsConductor
     # * *confluence_password* (String): Confluence password to be used when querying the API
     # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
     # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
-    def initialize(confluence_url, confluence_user_name, confluence_password, logger: Logger.new(STDOUT), logger_stderr: Logger.new(STDERR))
+    def initialize(confluence_url, confluence_user_name, confluence_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
       init_loggers(logger, logger_stderr)
       @confluence_url = confluence_url
       @confluence_user_name = confluence_user_name

data/lib/hybrid_platforms_conductor/connector.rb

@@ -15,8 +15,8 @@ module HybridPlatformsConductor
     # * *cmd_runner* (CmdRunner): Command executor to be used. [default: CmdRunner.new]
     # * *nodes_handler* (NodesHandler): NodesHandler to be used. [default: NodesHandler.new]
     def initialize(
-      logger: Logger.new(STDOUT),
-      logger_stderr: Logger.new(STDERR),
+      logger: Logger.new($stdout),
+      logger_stderr: Logger.new($stderr),
       config: Config.new,
       cmd_runner: CmdRunner.new,
       nodes_handler: NodesHandler.new
@@ -45,8 +45,10 @@ module HybridPlatformsConductor
       @stderr_io = stderr_io
     end
 
+    # rubocop:disable Lint/UnusedMethodArgument
     # Prepare connections to a given set of nodes.
     # Useful to prefetch metadata or open bulk connections.
+    # This method is supposed to be overridden by sub-classes (hence the rubocop exception).
     #
     # Parameters::
     # * *nodes* (Array<String>): Nodes to prepare the connection to
@@ -57,6 +59,7 @@ module HybridPlatformsConductor
     def with_connection_to(nodes, no_exception: false)
       yield nodes
     end
+    # rubocop:enable Lint/UnusedMethodArgument
 
     private
 

data/lib/hybrid_platforms_conductor/core_extensions/cleanroom/fix_kwargs.rb

@@ -0,0 +1,116 @@
+# This is a patch of cleanroom Rubygem v1.0.0 that adds kwargs support for Ruby 3.
+# TODO: Remove this patch when the following code will be merged in a new version of cleanroom:
+# https://github.com/sethvargo/cleanroom/compare/master...Muriel-Salvan:handle_kwargs?expand=1
+
+module Cleanroom
+
+  # Add kwargs support
+  module ClassMethods
+
+    #
+    # Expose the given method to the DSL.
+    #
+    # @param [Symbol] name
+    #
+    def expose(name)
+      raise NameError, "undefined method `#{name}' for class `#{self.name}'" unless public_method_defined?(name)
+
+      exposed_methods_with_kwargs[name] = true if instance_method(name).parameters.any? { |(arg_type, _arg_name)| KWARGS_TYPES.include?(arg_type) }
+      exposed_methods[name] = true
+    end
+
+    private
+
+    # Define the types of argument types that point kwargs arguments.
+    # Useful to treat them differently as when defining a method with kwargs, Ruby will pass parameters having a to_hash method differently to such methods:
+    #
+    # See this example illustrating the difference in treatment with and without kwargs in the method definition:
+    # def without_kwargs(*args)
+    #   p args
+    # end
+    # def with_kwargs(*args, **kwargs)
+    #   p args
+    #   p kwargs
+    # end
+    # s_without_to_hash = 'Without to_hash'
+    # s_with_to_hash = 'With to_hash'
+    # s_with_to_hash.define_singleton_method(:to_hash) { { string: self.to_s } }
+    # without_kwargs(s_without_to_hash)
+    #   ["Without to_hash"]
+    # without_kwargs(s_with_to_hash)
+    #   ["With to_hash"]
+    # with_kwargs(s_without_to_hash)
+    #   ["Without to_hash"]
+    #   {}
+    # with_kwargs(s_with_to_hash)
+    #   []
+    #   {:string=>"With to_hash"}
+    KWARGS_TYPES = %i[key keyreq]
+
+    #
+    # The list of exposed methods with kwargs.
+    #
+    # @return [Hash]
+    #
+    def exposed_methods_with_kwargs
+      @exposed_methods_with_kwargs ||= from_superclass(:exposed_methods_with_kwargs, {}).dup
+    end
+
+    #
+    # The cleanroom instance for this class. This method is intentionally
+    # NOT cached!
+    #
+    # @return [Class]
+    #
+    def cleanroom
+      exposed = exposed_methods.keys
+      exposed_with_kwargs = exposed_methods_with_kwargs.keys
+      parent = name || 'Anonymous'
+
+      Class.new(Object) do
+        class << self
+
+          def class_eval
+            raise Cleanroom::InaccessibleError.new(:class_eval, self)
+          end
+
+          def instance_eval
+            raise Cleanroom::InaccessibleError.new(:instance_eval, self)
+          end
+
+        end
+
+        define_method(:initialize) do |instance|
+          define_singleton_method(:__instance__) do
+            raise Cleanroom::InaccessibleError.new(:__instance__, self) unless caller[0].include?(__FILE__)
+
+            instance
+          end
+        end
+
+        (exposed - exposed_with_kwargs).each do |exposed_method|
+          define_method(exposed_method) do |*args, &block|
+            __instance__.public_send(exposed_method, *args, &block)
+          end
+        end
+
+        exposed_with_kwargs.each do |exposed_method|
+          define_method(exposed_method) do |*args, **kwargs, &block|
+            __instance__.public_send(exposed_method, *args, **kwargs, &block)
+          end
+        end
+
+        define_method(:class_eval) do
+          raise Cleanroom::InaccessibleError.new(:class_eval, self)
+        end
+
+        define_method(:inspect) do
+          "#<#{parent} (Cleanroom)>"
+        end
+        alias_method :to_s, :inspect
+      end
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/core_extensions/symbol/zero.rb

@@ -0,0 +1,24 @@
+module HybridPlatformsConductor
+
+  module CoreExtensions
+
+    module Symbol
+
+      # As it is better to test status code 0 with zero? and as we use status codes as symbols in case of errors, make the zero? call return appropriately.
+      module Zero
+
+        # Does the symbol equal zero?
+        #
+        # Result::
+        # * false: It does not.
+        def zero?
+          false
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/credentials.rb

@@ -42,7 +42,7 @@ module HybridPlatformsConductor
     # * *url* (String or nil): The URL for which we want the credentials, or nil if not associated to a URL [default: nil]
     # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
     # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
-    def initialize(id, url: nil, logger: Logger.new(STDOUT), logger_stderr: Logger.new(STDERR))
+    def initialize(id, url: nil, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
       init_loggers(logger, logger_stderr)
       @id = id
       @url = url
@@ -54,7 +54,7 @@ module HybridPlatformsConductor
     # Provide a helper to clear password from memory for security.
     # To be used when the client knows it won't use the password anymore.
     def clear_password
-      @password.replace('gotyou!' * 100) unless @password.nil?
+      @password&.replace('gotyou!' * 100)
       GC.start
     end
 
@@ -82,46 +82,49 @@ module HybridPlatformsConductor
     # Do it only once.
     # Make sure the retrieved credentials are not linked to other objects in memory, so that we can remove any other trace of secrets.
     def retrieve_credentials
-      unless @retrieved
-        # Check environment variables
-        @user = ENV["hpc_user_for_#{@id}"].dup
-        @password = ENV["hpc_password_for_#{@id}"].dup
-        if @user.nil? || @user.empty? || @password.nil? || @password.empty?
-          log_debug "[ Credentials for #{@id} ] - Credentials not found from environment variables."
-          if @url.nil?
-            log_debug "[ Credentials for #{@id} ] - No URL associated to this credentials, so .netrc can't be used."
-          else
-            # Check Netrc
-            netrc = ::Netrc.read
-            begin
-              netrc_user, netrc_password = netrc[URI.parse(@url).host.downcase]
-              if netrc_user.nil?
-                log_debug "[ Credentials for #{@id} ] - No credentials retrieved from .netrc."
-                # TODO: Add more credentials source if needed here
-                log_warn "[ Credentials for #{@id} ] - Unable to get credentials for #{@id} (URL: #{@url})."
-              else
-                @user = netrc_user.dup
-                @password = netrc_password.dup
-                log_debug "[ Credentials for #{@id} ] - Credentials retrieved from .netrc using #{@url}."
-              end
-            ensure
-              # Make sure the password does not stay in Netrc memory
-              # Wipe out any memory trace that might contain passwords in clear
-              netrc.instance_variable_get(:@data).each do |data_line|
-                data_line.each do |data_string|
-                  data_string.replace('GotYou!!!' * 100)
-                end
+      return if @retrieved
+
+      # Check environment variables
+      @user = ENV["hpc_user_for_#{@id}"].dup
+      @password = ENV["hpc_password_for_#{@id}"].dup
+      if @user.nil? || @user.empty? || @password.nil? || @password.empty?
+        log_debug "[ Credentials for #{@id} ] - Credentials not found from environment variables."
+        if @url.nil?
+          log_debug "[ Credentials for #{@id} ] - No URL associated to this credentials, so .netrc can't be used."
+        else
+          # Check Netrc
+          netrc = ::Netrc.read
+          begin
+            netrc_user, netrc_password = netrc[URI.parse(@url).host.downcase]
+            if netrc_user.nil?
+              log_debug "[ Credentials for #{@id} ] - No credentials retrieved from .netrc."
+              # TODO: Add more credentials source if needed here
+              log_warn "[ Credentials for #{@id} ] - Unable to get credentials for #{@id} (URL: #{@url})."
+            else
+              @user = netrc_user.dup
+              @password = netrc_password.dup
+              log_debug "[ Credentials for #{@id} ] - Credentials retrieved from .netrc using #{@url}."
+            end
+          ensure
+            # Make sure the password does not stay in Netrc memory
+            # Wipe out any memory trace that might contain passwords in clear
+            netrc.instance_variable_get(:@data).each do |data_line|
+              data_line.each do |data_string|
+                data_string.replace('GotYou!!!' * 100)
               end
-              netrc = nil
             end
+            # We don this assignment on purpose so that GC can remove sensitive data later
+            # rubocop:disable Lint/UselessAssignment
+            netrc = nil
+            # rubocop:enable Lint/UselessAssignment
           end
-        else
-          log_debug "[ Credentials for #{@id} ] - Credentials retrieved from environment variables."
         end
-        GC.start
+      else
+        log_debug "[ Credentials for #{@id} ] - Credentials retrieved from environment variables."
       end
+      GC.start
     end
 
   end
 
-end
+end

data/lib/hybrid_platforms_conductor/current_dir_monitor.rb

@@ -1,5 +1,6 @@
 require 'monitor'
 
+# Decorate methods changing the process' current directory with a mutex to ensure they have an exclusive access
 module HybridPlatformsConductor
 
   # Implement a global monitor to protect accesses to the current directory.
@@ -7,7 +8,9 @@ module HybridPlatformsConductor
   module CurrentDirMonitor
 
     class << self
+
       attr_reader :monitor
+
     end
 
     @monitor = Monitor.new
@@ -24,7 +27,7 @@ module HybridPlatformsConductor
         result = nil
         CurrentDirMonitor.monitor.synchronize do
           # puts "TID #{Thread.current.object_id} from #{caller[2]} - Current dir monitor taken from #{Dir.pwd}"
-          result = self.send(original_method_name, *args, &block)
+          result = send(original_method_name, *args, &block)
           # puts "TID #{Thread.current.object_id} from #{caller[2]} - Current dir monitor released back to #{Dir.pwd}"
         end
         result

data/lib/hybrid_platforms_conductor/deployer.rb

@@ -3,15 +3,12 @@ require 'futex'
 require 'json'
 require 'securerandom'
 require 'time'
-require 'thread'
 require 'hybrid_platforms_conductor/actions_executor'
 require 'hybrid_platforms_conductor/cmd_runner'
-require 'hybrid_platforms_conductor/executable'
 require 'hybrid_platforms_conductor/logger_helpers'
 require 'hybrid_platforms_conductor/nodes_handler'
 require 'hybrid_platforms_conductor/services_handler'
 require 'hybrid_platforms_conductor/plugins'
-require 'hybrid_platforms_conductor/thycotic'
 
 module HybridPlatformsConductor
 
@@ -27,6 +24,12 @@ module HybridPlatformsConductor
       # Array< Hash<Symbol, Object> >
       attr_reader :deployment_logs
 
+      # List of secrets reader plugins. Each info has the following properties:
+      # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by this rule.
+      # * *secrets_readers* (Array<Symbol>): List of log plugins to be used to store deployment logs.
+      # Array< Hash<Symbol, Object> >
+      attr_reader :secrets_readers
+
       # Integer: Timeout (in seconds) for packaging repositories
       attr_reader :packaging_timeout_secs
 
@@ -34,6 +37,7 @@ module HybridPlatformsConductor
       def init_deployer_config
         @packaging_timeout_secs = 60
         @deployment_logs = []
+        @secrets_readers = []
       end
 
       # Set the packaging timeout
@@ -55,6 +59,17 @@ module HybridPlatformsConductor
         }
       end
 
+      # Set the secrets readers
+      #
+      # Parameters::
+      # * *secrets_readers* (Symbol or Array<Symbol>): The list of (or single) secrets readers plugins to be used
+      def read_secrets_from(*secrets_readers)
+        @secrets_readers << {
+          nodes_selectors_stack: current_nodes_selectors_stack,
+          secrets_readers: secrets_readers.flatten
+        }
+      end
+
     end
 
     include LoggerHelpers
@@ -73,10 +88,6 @@ module HybridPlatformsConductor
     #   Boolean
     attr_accessor :concurrent_execution
 
-    # The list of JSON secrets
-    #   Array<Hash>
-    attr_accessor :secrets
-
     # Are we deploying in a local environment?
     #   Boolean
     attr_accessor :local_environment
@@ -96,8 +107,8 @@ module HybridPlatformsConductor
     # * *actions_executor* (ActionsExecutor): Actions Executor to be used. [default: ActionsExecutor.new]
     # * *services_handler* (ServicesHandler): Services Handler to be used. [default: ServicesHandler.new]
     def initialize(
-      logger: Logger.new(STDOUT),
-      logger_stderr: Logger.new(STDERR),
+      logger: Logger.new($stdout),
+      logger_stderr: Logger.new($stderr),
       config: Config.new,
       cmd_runner: CmdRunner.new,
       nodes_handler: NodesHandler.new,
@@ -110,7 +121,21 @@ module HybridPlatformsConductor
       @nodes_handler = nodes_handler
       @actions_executor = actions_executor
       @services_handler = services_handler
-      @secrets = []
+      @override_secrets = nil
+      @secrets_readers = Plugins.new(
+        :secrets_reader,
+        logger: @logger,
+        logger_stderr: @logger_stderr,
+        init_plugin: proc do |plugin_class|
+          plugin_class.new(
+            logger: @logger,
+            logger_stderr: @logger_stderr,
+            config: @config,
+            cmd_runner: @cmd_runner,
+            nodes_handler: @nodes_handler
+          )
+        end
+      )
       @provisioners = Plugins.new(:provisioner, logger: @logger, logger_stderr: @logger_stderr)
       @log_plugins = Plugins.new(
         :log,
@@ -144,42 +169,32 @@ module HybridPlatformsConductor
     def options_parse(options_parser, parallel_switch: true, why_run_switch: false, timeout_options: true)
       options_parser.separator ''
       options_parser.separator 'Deployer options:'
-      options_parser.on(
-        '-e', '--secrets SECRETS_LOCATION',
-        'Specify a secrets location. Can be specified several times. Location can be:',
-        '* Local path to a JSON file',
-        '* URL of the form http[s]://<url>:<secret_id> to get a secret JSON file from a Thycotic Secret Server at the given URL.'
-      ) do |secrets_location|
-        @secrets << JSON.parse(
-          if secrets_location =~ /^(https?:\/\/.+):(\d+)$/
-            url = $1
-            secret_id = $2
-            secret = nil
-            Thycotic.with_thycotic(url, @logger, @logger_stderr) do |thycotic|
-              secret_file_item_id = thycotic.get_secret(secret_id).dig(:secret, :items, :secret_item, :id)
-              raise "Unable to fetch secret file ID #{secrets_location}" if secret_file_item_id.nil?
-              secret = thycotic.download_file_attachment_by_item_id(secret_id, secret_file_item_id)
-              raise "Unable to fetch secret file attachment from #{secrets_location}" if secret.nil?
-            end
-            secret
-          else
-            raise "Missing secret file: #{secrets_location}" unless File.exist?(secrets_location)
-            File.read(secrets_location)
-          end
-        )
+      if parallel_switch
+        options_parser.on('-p', '--parallel', 'Execute the commands in parallel (put the standard output in files <hybrid-platforms-dir>/run_logs/*.stdout)') do
+          @concurrent_execution = true
+        end
+      end
+      if timeout_options
+        options_parser.on('-t', '--timeout SECS', "Timeout in seconds to wait for each chef run. Only used in why-run mode. (defaults to #{@timeout.nil? ? 'no timeout' : @timeout})") do |nbr_secs|
+          @timeout = nbr_secs.to_i
+        end
+      end
+      if why_run_switch
+        options_parser.on('-W', '--why-run', 'Use the why-run mode to see what would be the result of the deploy instead of deploying it for real.') do
+          @use_why_run = true
+        end
       end
-      options_parser.on('-p', '--parallel', 'Execute the commands in parallel (put the standard output in files <hybrid-platforms-dir>/run_logs/*.stdout)') do
-        @concurrent_execution = true
-      end if parallel_switch
-      options_parser.on('-t', '--timeout SECS', "Timeout in seconds to wait for each chef run. Only used in why-run mode. (defaults to #{@timeout.nil? ? 'no timeout' : @timeout})") do |nbr_secs|
-        @timeout = nbr_secs.to_i
-      end if timeout_options
-      options_parser.on('-W', '--why-run', 'Use the why-run mode to see what would be the result of the deploy instead of deploying it for real.') do
-        @use_why_run = true
-      end if why_run_switch
       options_parser.on('--retries-on-error NBR', "Number of retries in case of non-deterministic errors (defaults to #{@nbr_retries_on_error})") do |nbr_retries|
         @nbr_retries_on_error = nbr_retries.to_i
       end
+      # Display options secrets readers might have
+      @secrets_readers.each do |secret_reader_name, secret_reader|
+        next unless secret_reader.respond_to?(:options_parse)
+
+        options_parser.separator ''
+        options_parser.separator "Secrets reader #{secret_reader_name} options:"
+        secret_reader.options_parse(options_parser)
+      end
     end
 
     # Validate that parsed parameters are valid
@@ -190,6 +205,16 @@ module HybridPlatformsConductor
     # String: File used as a Futex for packaging
     PACKAGING_FUTEX_FILE = "#{Dir.tmpdir}/hpc_packaging"
 
+    # Override the secrets with a given JSON.
+    # When using this method with a secrets Hash, further deployments will not query secrets readers, but will use those secrets directly.
+    # Useful to override secrets in test conditions when using dummy secrets for example.
+    #
+    # Parameters::
+    # * *secrets* (Hash or nil): Secrets to take into account in place of secrets readers, or nil to cancel a previous overriding and use secrets readers instead.
+    def override_secrets(secrets)
+      @override_secrets = secrets
+    end
+
     # Deploy on a given list of nodes selectors.
     # The workflow is the following:
     # 1. Package the services to be deployed, considering the nodes, services and context (options, secrets, environment...)
@@ -203,16 +228,26 @@ module HybridPlatformsConductor
     def deploy_on(*nodes_selectors)
       # Get the sorted list of services to be deployed, per node
       # Hash<String, Array<String> >
-      services_to_deploy = Hash[@nodes_handler.select_nodes(nodes_selectors.flatten).map do |node|
+      services_to_deploy = @nodes_handler.select_nodes(nodes_selectors.flatten).map do |node|
         [node, @nodes_handler.get_services_of(node)]
-      end]
+      end.to_h
 
       # Get the secrets to be deployed
       secrets = {}
-      @secrets.each do |secret_json|
-        secrets.merge!(secret_json) do |key, value1, value2|
-          raise "Secret #{key} has conflicting values between different secret JSON files." if value1 != value2
-          value1
+      if @override_secrets
+        secrets = @override_secrets
+      else
+        services_to_deploy.each do |node, services|
+          # If there is no config for secrets, just use cli
+          (@config.secrets_readers.empty? ? [{ secrets_readers: %i[cli] }] : @nodes_handler.select_confs_for_node(node, @config.secrets_readers)).inject([]) do |secrets_readers, secrets_readers_info|
+            secrets_readers + secrets_readers_info[:secrets_readers]
+          end.sort.uniq.each do |secrets_reader|
+            services.each do |service|
+              node_secrets = @secrets_readers[secrets_reader].secrets_for(node, service)
+              conflicting_path = safe_merge(secrets, node_secrets)
+              raise "Secret set at path #{conflicting_path.join('->')} by #{secrets_reader} for service #{service} on node #{node} has conflicting values (#{log_debug? ? "#{node_secrets.dig(*conflicting_path)} != #{secrets.dig(*conflicting_path)}" : 'set debug for value details'})." unless conflicting_path.nil?
+            end
+          end
         end
       end
 
@@ -220,7 +255,6 @@ module HybridPlatformsConductor
       unless @use_why_run
         reason_for_interdiction = @services_handler.deploy_allowed?(
           services: services_to_deploy,
-          secrets: secrets,
           local_environment: @local_environment
         )
         raise "Deployment not allowed: #{reason_for_interdiction}" unless reason_for_interdiction.nil?
@@ -258,51 +292,50 @@ module HybridPlatformsConductor
           remaining_nodes_to_deploy = services_to_deploy.keys
           while nbr_retries >= 0 && !remaining_nodes_to_deploy.empty?
             last_deploy_results = deploy(services_to_deploy.slice(*remaining_nodes_to_deploy))
-            if nbr_retries > 0
+            if nbr_retries.positive?
               # Check if we need to retry deployment on some nodes
               # Only parse the last deployment attempt logs
-              retriable_nodes = Hash[
-                remaining_nodes_to_deploy.
-                  map do |node|
-                    exit_status, stdout, stderr = last_deploy_results[node]
-                    if exit_status == 0
+              retriable_nodes = remaining_nodes_to_deploy.
+                map do |node|
+                  exit_status, stdout, stderr = last_deploy_results[node]
+                  if exit_status.zero?
+                    nil
+                  else
+                    retriable_errors = retriable_errors_from(node, exit_status, stdout, stderr)
+                    if retriable_errors.empty?
                       nil
                     else
-                      retriable_errors = retriable_errors_from(node, exit_status, stdout, stderr)
-                      if retriable_errors.empty?
-                        nil
-                      else
-                        # Log the issue in the stderr of the deployment
-                        stderr << "!!! #{retriable_errors.size} retriable errors detected in this deployment:\n#{retriable_errors.map { |error| "* #{error}" }.join("\n")}\n"
-                        [node, retriable_errors]
-                      end
+                      # Log the issue in the stderr of the deployment
+                      stderr << "!!! #{retriable_errors.size} retriable errors detected in this deployment:\n#{retriable_errors.map { |error| "* #{error}" }.join("\n")}\n"
+                      [node, retriable_errors]
                     end
-                  end.
-                  compact
-              ]
+                  end
+                end.
+                compact.
+                to_h
               unless retriable_nodes.empty?
-                log_warn <<~EOS.strip
+                log_warn <<~EO_LOG.strip
                   Retry deployment for #{retriable_nodes.size} nodes as they got non-deterministic errors (#{nbr_retries} retries remaining):
                   #{retriable_nodes.map { |node, retriable_errors| "  * #{node}:\n#{retriable_errors.map { |error| "    - #{error}" }.join("\n")}" }.join("\n")}
-                EOS
+                EO_LOG
               end
               remaining_nodes_to_deploy = retriable_nodes.keys
             end
             # Merge deployment results
-            results.merge!(last_deploy_results) do |node, (exit_status_1, stdout_1, stderr_1), (exit_status_2, stdout_2, stderr_2)|
+            results.merge!(last_deploy_results) do |_node, (exit_status_1, stdout_1, stderr_1), (exit_status_2, stdout_2, stderr_2)|
               [
                 exit_status_2,
-                <<~EOS,
+                <<~EO_STDOUT,
                   #{stdout_1}
                   Deployment exit status code: #{exit_status_1}
                   !!! Retry deployment due to non-deterministic error (#{nbr_retries} remaining attempts)...
                   #{stdout_2}
-                EOS
-                <<~EOS
+                EO_STDOUT
+                <<~EO_STDERR
                   #{stderr_1}
                   !!! Retry deployment due to non-deterministic error (#{nbr_retries} remaining attempts)...
                   #{stderr_2}
-                EOS
+                EO_STDERR
               ]
             end
             nbr_retries -= 1
@@ -357,7 +390,7 @@ module HybridPlatformsConductor
           sub_executable.config.sudo_procs.replace(sub_executable.config.sudo_procs.map do |sudo_proc_info|
             {
               nodes_selectors_stack: sudo_proc_info[:nodes_selectors_stack].map do |nodes_selector|
-                @nodes_handler.select_nodes(nodes_selector).select { |selected_node| selected_node != node }
+                @nodes_handler.select_nodes(nodes_selector).reject { |selected_node| selected_node == node }
               end,
               sudo_proc: sudo_proc_info[:sudo_proc]
             }
@@ -370,13 +403,13 @@ module HybridPlatformsConductor
           deployer.local_environment = true
           # Ignore secrets that might have been given: in Docker containers we always use dummy secrets
           dummy_secrets_file = "#{@config.hybrid_platforms_dir}/dummy_secrets.json"
-          deployer.secrets = File.exist?(dummy_secrets_file) ? [JSON.parse(File.read(dummy_secrets_file))] : []
+          deployer.override_secrets(File.exist?(dummy_secrets_file) ? JSON.parse(File.read(dummy_secrets_file)) : {})
           yield deployer, instance
         end
       rescue
         # Make sure Docker logs are being output to better investigate errors if we were not already outputing them in debug mode
         stdouts = sub_executable.stdouts_to_s
-        log_error "[ #{node}/#{environment} ] - Encountered unhandled exception #{$!}\n#{$!.backtrace.join("\n")}\n-----\n#{stdouts}" unless stdouts.nil?
+        log_error "[ #{node}/#{environment} ] - Encountered unhandled exception #{$ERROR_INFO}\n#{$ERROR_INFO.backtrace.join("\n")}\n-----\n#{stdouts}" unless stdouts.nil?
         raise
       end
     end
@@ -397,21 +430,21 @@ module HybridPlatformsConductor
       nodes = nodes.flatten
       @actions_executor.max_threads = 64
       read_actions_results = @actions_executor.execute_actions(
-        Hash[nodes.map do |node|
+        nodes.map do |node|
           master_log_plugin = @log_plugins[log_plugins_for(node).first]
           master_log_plugin.respond_to?(:actions_to_read_logs) ? [node, master_log_plugin.actions_to_read_logs(node)] : nil
-        end.compact],
+        end.compact.to_h,
         log_to_stdout: false,
         concurrent: true,
         timeout: 10,
         progress_name: 'Read deployment logs'
       )
-      Hash[nodes.map do |node|
+      nodes.map do |node|
         [
           node,
           @log_plugins[log_plugins_for(node).first].logs_for(node, *(read_actions_results[node] || [nil, nil, nil]))
         ]
-      end]
+      end.to_h
     end
 
     # Parse stdout and stderr of a given deploy run and get the list of tasks with their status
@@ -427,12 +460,41 @@ module HybridPlatformsConductor
     #     * *:changed*: The task has been changed
     #     * *:identical*: The task has not been changed
     #   * *diffs* (String): Differences, if any
-    def parse_deploy_output(node, stdout, stderr)
+    def parse_deploy_output(_node, stdout, stderr)
       @services_handler.parse_deploy_output(stdout, stderr).map { |deploy_info| deploy_info[:tasks] }.flatten
     end
 
     private
 
+    # Safe-merge 2 hashes.
+    # Safe-merging is done by:
+    # * Merging values that are hashes.
+    # * Reporting errors when values conflict.
+    # When values are conflicting, the initial hash won't modify those conflicting values and will stop the merge.
+    #
+    # Parameters::
+    # * *hash* (Hash): Hash to be modified merging hash_to_merge
+    # * *hash_to_merge* (Hash): Hash to be merged into hash
+    # Result::
+    # * nil or Array<Object>: nil in case of success, or the keys path leading to a conflicting value in case of error
+    def safe_merge(hash, hash_to_merge)
+      conflicting_path = nil
+      hash_to_merge.each do |key, value_to_merge|
+        if hash.key?(key)
+          if hash[key].is_a?(Hash) && value_to_merge.is_a?(Hash)
+            sub_conflicting_path = safe_merge(hash[key], value_to_merge)
+            conflicting_path = [key] + sub_conflicting_path unless sub_conflicting_path.nil?
+          elsif hash[key] != value_to_merge
+            conflicting_path = [key]
+          end
+        else
+          hash[key] = value_to_merge
+        end
+        break unless conflicting_path.nil?
+      end
+      conflicting_path
+    end
+
     # Get the list of retriable errors a node got from deployment logs.
     # Useful to know if an error is non-deterministic (due to external and temporary factors).
     #
@@ -443,7 +505,7 @@ module HybridPlatformsConductor
     # * *stderr* (String): Deployment stderr
     # Result::
     # * Array<String>: List of retriable errors that have been matched
-    def retriable_errors_from(node, exit_status, stdout, stderr)
+    def retriable_errors_from(node, _exit_status, stdout, stderr)
       # List of retriable errors for this node, as exact string match or regexps.
       # Array<String or Regexp>
       retriable_errors_on_stdout = []
@@ -474,59 +536,55 @@ module HybridPlatformsConductor
     # Result::
     # * Hash<String, [Integer or Symbol, String, String]>: Exit status code (or Symbol in case of error or dry run), standard output and error for each node.
     def deploy(services)
-      outputs = {}
-
       # Get the ssh user directly from the connector
       ssh_user = @actions_executor.connector(:ssh).ssh_user
 
       # Deploy for real
       @nodes_handler.prefetch_metadata_of services.keys, :image
       outputs = @actions_executor.execute_actions(
-        Hash[services.map do |node, node_services|
+        services.map do |node, node_services|
           image_id = @nodes_handler.get_image_of(node)
           sudo = (ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} ")
-          # Install My_company corporate certificates if present
+          # Install corporate certificates if present
           certificate_actions =
             if @local_environment && ENV['hpc_certificates']
-              if File.exist?(ENV['hpc_certificates'])
-                log_debug "Deploy certificates from #{ENV['hpc_certificates']}"
-                case image_id
-                when 'debian_9', 'debian_10'
-                  [
-                    {
-                      remote_bash: "#{sudo}apt update && #{sudo}apt install -y ca-certificates"
-                    },
-                    {
-                      scp: {
-                        ENV['hpc_certificates'] => '/usr/local/share/ca-certificates',
-                        :sudo => ssh_user != 'root'
-                      },
-                      remote_bash: "#{sudo}update-ca-certificates"
-                    }
-                  ]
-                when 'centos_7'
-                  [
-                    {
-                      remote_bash: "#{sudo}yum install -y ca-certificates"
+              raise "Missing path referenced by the hpc_certificates environment variable: #{ENV['hpc_certificates']}" unless File.exist?(ENV['hpc_certificates'])
+
+              log_debug "Deploy certificates from #{ENV['hpc_certificates']}"
+              case image_id
+              when 'debian_9', 'debian_10'
+                [
+                  {
+                    remote_bash: "#{sudo}apt update && #{sudo}apt install -y ca-certificates"
+                  },
+                  {
+                    scp: {
+                      ENV['hpc_certificates'] => '/usr/local/share/ca-certificates',
+                      :sudo => ssh_user != 'root'
                     },
-                    {
-                      scp: Hash[Dir.glob("#{ENV['hpc_certificates']}/*.crt").map do |cert_file|
-                        [
-                          cert_file,
-                          '/etc/pki/ca-trust/source/anchors'
-                        ]
-                      end].merge(sudo: ssh_user != 'root'),
-                      remote_bash: [
-                        "#{sudo}update-ca-trust enable",
-                        "#{sudo}update-ca-trust extract"
+                    remote_bash: "#{sudo}update-ca-certificates"
+                  }
+                ]
+              when 'centos_7'
+                [
+                  {
+                    remote_bash: "#{sudo}yum install -y ca-certificates"
+                  },
+                  {
+                    scp: Dir.glob("#{ENV['hpc_certificates']}/*.crt").map do |cert_file|
+                      [
+                        cert_file,
+                        '/etc/pki/ca-trust/source/anchors'
                       ]
-                    }
-                  ]
-                else
-                  raise "Unknown image ID for node #{node}: #{image_id}. Check metadata for this node."
-                end
+                    end.to_h.merge(sudo: ssh_user != 'root'),
+                    remote_bash: [
+                      "#{sudo}update-ca-trust enable",
+                      "#{sudo}update-ca-trust extract"
+                    ]
+                  }
+                ]
               else
-                raise "Missing path referenced by the hpc_certificates environment variable: #{ENV['hpc_certificates']}"
+                raise "Unknown image ID for node #{node}: #{image_id}. Check metadata for this node."
               end
             else
               []
@@ -543,19 +601,19 @@ module HybridPlatformsConductor
               certificate_actions +
               @services_handler.actions_to_deploy_on(node, node_services, @use_why_run)
           ]
-        end],
+        end.to_h,
         timeout: @timeout,
         concurrent: @concurrent_execution,
         log_to_stdout: !@concurrent_execution
       )
       # Free eventual locks
       @actions_executor.execute_actions(
-        Hash[services.keys.map do |node|
+        services.keys.map do |node|
           [
             node,
             { remote_bash: "#{ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} "}./mutex_dir unlock /tmp/hybrid_platforms_conductor_deploy_lock" }
           ]
-        end],
+        end.to_h,
         timeout: 10,
         concurrent: true,
         log_to_dir: nil
@@ -577,7 +635,7 @@ module HybridPlatformsConductor
       section "Saving deployment logs for #{logs.size} nodes" do
         ssh_user = @actions_executor.connector(:ssh).ssh_user
         @actions_executor.execute_actions(
-          Hash[logs.map do |node, (exit_status, stdout, stderr)|
+          logs.map do |node, (exit_status, stdout, stderr)|
             [
               node,
               log_plugins_for(node).
@@ -596,7 +654,7 @@ module HybridPlatformsConductor
                 end.
                 flatten(1)
             ]
-          end],
+          end.to_h,
           timeout: 10,
           concurrent: true,
           log_to_dir: nil,