kitchen-puppet 1.45.3 → 1.46.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cf7a2a60c11e9a20415c8fcfc8172075ad8ea7b5
-  data.tar.gz: cb579c531f8582c9959f5f6478958145709d0f65
+  metadata.gz: ef7e2c88b2f9768c5f94b3dda97a0c01ca6eee9b
+  data.tar.gz: 12fef1171a39194defd3d86904516ca2b7ff0bbf
 SHA512:
-  metadata.gz: efac3f00213d07f2870a003ad45c7a2a1a05002da6e8d76841ef32cda1d3d5db333851b030f5b44ca6273323db67c6f829e737be0a4b0d54af486ff875cc84b5
-  data.tar.gz: d663a3526270cec9dbc62d694bda9e618a4f5b9dbcd551ce4ca3f4240a9b5a9826f837dd3664a4944e7320502c550af7105df65257e55c82dd92019f9c2d50a9
+  metadata.gz: 6199b18e4a75c6e463902972c72906e89a166a05e53bfcd44cc7f3bd582823aec26ffb031576a81e53cc0e3b4079a29d5afdb8b262da43379357eb25db4faf5b
+  data.tar.gz: 093dbd817731157fe9852e78653c7af8af44fc0163312fddb9fb6b02c8d0a11e4c068d229c72bad815fd0f325dda19a1261a9ca37ad8a277df0cb444a1ecf443

data/kitchen-puppet.gemspec

@@ -29,7 +29,7 @@ Puppet Provisioner for Test Kitchen
 
 == FEATURES:
 
-Supports puppet apply, puppet agent, hiera, hiera-eyaml, custom facts, librarian-puppet, puppet collections (v4)
+Supports puppet apply, puppet agent, hiera, hiera-eyaml, hiera-eyaml-gpg, custom facts, librarian-puppet, puppet collections (v4)
 
 EOF
 end

data/lib/kitchen-puppet/version.rb

@@ -2,6 +2,6 @@
 
 module Kitchen
   module Puppet
-    VERSION = '1.45.3'.freeze
+    VERSION = '1.46.0'.freeze
   end
 end

data/lib/kitchen/provisioner/puppet_apply.rb

@@ -153,6 +153,12 @@ module Kitchen
       default_config :hiera_eyaml, false
       default_config :hiera_eyaml_key_remote_path, '/etc/puppet/secure/keys'
 
+      default_config :hiera_eyaml_gpg, false
+      default_config :hiera_eyaml_gpg_recipients, false
+      default_config :hiera_eyaml_gpg_secring, false
+      default_config :hiera_eyaml_gpg_pubring, false
+      default_config :hiera_eyaml_gpg_remote_path, '/home/vagrant/.gnupg'
+
       default_config :hiera_eyaml_key_path do |provisioner|
         provisioner.calculate_path('hiera_keys')
       end
@@ -199,6 +205,7 @@ module Kitchen
                 #{install_hiera}
               fi
               #{install_eyaml}
+              #{install_eyaml_gpg}
               #{install_deep_merge}
               #{install_busser}
               #{custom_install_command}
@@ -213,6 +220,7 @@ module Kitchen
                 #{install_puppet_yum_repo}
               fi
               #{install_eyaml}
+              #{install_eyaml_gpg}
               #{install_deep_merge}
               #{install_busser}
               #{custom_install_command}
@@ -260,6 +268,7 @@ module Kitchen
                 fi
               fi
               #{install_eyaml}
+              #{install_eyaml_gpg}
               #{install_deep_merge}
               #{install_busser}
               #{custom_install_command}
@@ -287,6 +296,7 @@ module Kitchen
             #{sudo_env('apt-get')} -y install puppet-agent#{puppet_debian_version}
           fi
           #{install_eyaml("#{config[:puppet_coll_remote_path]}/puppet/bin/gem")}
+          #{install_eyaml_gpg("#{config[:puppet_coll_remote_path]}/puppet/bin/gem")}
           #{install_deep_merge}
           #{install_busser}
           #{custom_install_command}
@@ -302,6 +312,7 @@ module Kitchen
             #{sudo_env('yum')} -y install puppet-agent#{puppet_redhat_version}
           fi
           #{install_eyaml("#{config[:puppet_coll_remote_path]}/puppet/bin/gem")}
+          #{install_eyaml_gpg("#{config[:puppet_coll_remote_path]}/puppet/bin/gem")}
           #{install_deep_merge}
           #{install_busser}
           #{custom_install_command}
@@ -345,6 +356,7 @@ module Kitchen
               fi
             fi
             #{install_eyaml("#{config[:puppet_coll_remote_path]}/puppet/bin/gem")}
+            #{install_eyaml_gpg("#{config[:puppet_coll_remote_path]}/puppet/bin/gem")}
             #{install_deep_merge}
             #{install_busser}
             #{custom_install_command}
@@ -375,6 +387,20 @@ module Kitchen
         INSTALL
       end
 
+      def install_eyaml_gpg(gem_cmd = 'gem')
+        return unless config[:hiera_eyaml_gpg]
+        <<-INSTALL
+          # A backend for Hiera that provides per-value asymmetric encryption of sensitive data
+          if [[ $(#{sudo(gem_cmd)} list hiera-eyaml-gpg -i) == 'false' ]]; then
+            echo '-----> Installing hiera-eyaml-gpg to provide encryption of hiera data'
+            #{sudo(gem_cmd)} install #{gem_proxy_parm} --no-ri --no-rdoc highline -v 1.6.21
+            #{sudo(gem_cmd)} install #{gem_proxy_parm} --no-ri --no-rdoc hiera-eyaml
+            #{sudo(gem_cmd)} install #{gem_proxy_parm} --no-ri --no-rdoc hiera-eyaml-gpg
+            #{sudo(gem_cmd)} install #{gem_proxy_parm} --no-ri --no-rdoc ruby_gpg
+          fi
+        INSTALL
+      end
+
       def install_busser
         return unless config[:require_chef_for_busser]
         info("Install busser on #{puppet_platform}")
@@ -601,6 +627,21 @@ module Kitchen
           ].join(' ')
         end
 
+        if hiera_eyaml_gpg
+          commands << [
+            sudo('mkdir -p'), hiera_eyaml_gpg_remote_path
+          ].join(' ')
+          commands << [
+            sudo('cp -r'), File.join(config[:root_path], hiera_eyaml_gpg_recipients), hiera_eyaml_gpg_remote_path
+          ].join(' ')
+          commands << [
+            sudo('cp -r'), File.join(config[:root_path], hiera_eyaml_gpg_secring), hiera_eyaml_gpg_remote_path
+          ].join(' ')
+          commands << [
+            sudo('cp -r'), File.join(config[:root_path], hiera_eyaml_gpg_pubring), hiera_eyaml_gpg_remote_path
+          ].join(' ')
+        end
+
         if puppet_environment
           commands << [
             sudo('ln -s '), config[:root_path], File.join(puppet_dir, config[:puppet_environment])
@@ -742,6 +783,26 @@ module Kitchen
         config[:hiera_eyaml]
       end
 
+      def hiera_eyaml_gpg
+        config[:hiera_eyaml_gpg]
+      end
+
+      def hiera_eyaml_gpg_recipients
+        config[:hiera_eyaml_gpg_recipients]
+      end
+
+      def hiera_eyaml_gpg_secring
+        config[:hiera_eyaml_gpg_secring]
+      end
+
+      def hiera_eyaml_gpg_pubring
+        config[:hiera_eyaml_gpg_pubring]
+      end
+
+      def hiera_eyaml_gpg_remote_path
+        config[:hiera_eyaml_gpg_remote_path]
+      end
+
       def hiera_eyaml_key_path
         config[:hiera_eyaml_key_path]
       end

data/provisioner_options.md

@@ -43,6 +43,10 @@ hiera_data_path | | puppet repo hiera data directory
 hiera_data_remote_path | "/var/lib/hiera" | Hiera data directory on server
 hiera_deep_merge | false | install the deep_merge gem to support hiera deep merge mode
 hiera_eyaml | false | use hiera-eyaml to encrypt hiera data
+hiera_eyaml_gpg | false | use GPG encryption backend for hiera-eyaml
+hiera_eyaml_gpg_recipients | false | recipients eg ehiera/hiera-eyaml-gpg.recipients
+hiera_eyaml_gpg_secring | false | eg hiera/secring.gpg
+hiera_eyaml_gpg_pubring | false | eg hiera/pubring.gpg
 hiera_eyaml_key_remote_path | "/etc/puppet/secure/keys" | directory of hiera-eyaml keys on server
 hiera_eyaml_key_path  | "hiera_keys" | directory of hiera-eyaml keys on workstation
 hiera_package | 'hiera-puppet' | Only used if `install_hiera` is set
@@ -56,7 +60,7 @@ install_hiera | false | Installs `hiera-puppet` package. Not needed for puppet >
 librarian_puppet_ssl_file | nil | ssl certificate file for librarian-puppet
 manifest | 'site.pp' | manifest for puppet apply to run
 manifests_path | | puppet repo manifests directory
-max_retries| 1 | maximum number of retry attempts of converge command 
+max_retries| 1 | maximum number of retry attempts of converge command
 modules_path | | puppet repo manifests directory. Can be multiple directories separated by colons and then they will be merged
 platform | platform_name kitchen.yml parameter | OS platform of server
 puppet_apply_command | nil | Overwrite the puppet apply command. Needs "sudo -E puppet apply" as a prefix.
@@ -93,7 +97,7 @@ require_puppet_repo | true | Set if using a puppet install from yum or apt repo
 resolve_with_librarian_puppet | true | Use librarian_puppet to resolve modules if a Puppetfile is found
 retry_on_exit_code| [] | Array of exit codes to retry converge command against
 update_package_repos| true| update OS repository metadata
-wait_for_retry| 30 | number of seconds to wait before retrying converge command 
+wait_for_retry| 30 | number of seconds to wait before retrying converge command
 
 ## Puppet Apply Configuring Provisioner Options
 
@@ -176,6 +180,13 @@ no idea why Puppet versioned their repository with a trailing
 "-1puppetlabs1", but there it is.
 
 
+### eyaml
+
+See https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
+
+See https://blog.benroberts.net/2014/12/setting-up-hiera-eyaml-gpg for using GPG backend allowing secrets to be protected using asymmetric keys.
+
+
 # Puppet Agent Provisioner Options
 
 key | default value | Notes
@@ -296,11 +307,11 @@ Beware: kitchen-shell-verifier is not yet merged into test-kitchen upstream so u
 
 ## Checking puppet apply success (with puppet_detailed_exitcodes)
 
-If you do not enable puppet_detailed_exitcodes, the provisioner only failes if the manifest can not be compiled. If the manifest contains errors (some manifests can not be executed) puppet will return exit 0 and thus the provisioner will be successfull, altought your catalog has not been fully applied. Probably this is not what you want. 
+If you do not enable puppet_detailed_exitcodes, the provisioner only failes if the manifest can not be compiled. If the manifest contains errors (some manifests can not be executed) puppet will return exit 0 and thus the provisioner will be successfull, altought your catalog has not been fully applied. Probably this is not what you want.
 
 When you enable `puppet_detailed_exitcodes`, you can specify the error conditions to check for with `puppet_whitelist_exit_code` also, otherwise the provisioner will fail altought everything is fine (and changes have been made).
 
-Puppet will return with one of the following codes (see https://docs.puppet.com/puppet/latest/man/agent.html) when `puppet_detailed_exitcodes` is true: 
+Puppet will return with one of the following codes (see https://docs.puppet.com/puppet/latest/man/agent.html) when `puppet_detailed_exitcodes` is true:
 
 * 0: The run succeeded with no changes or failures; the system was already in the desired state.
 * 1: The run failed, or wasn't attempted due to another run already in progress.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kitchen-puppet
 version: !ruby/object:Gem::Version
-  version: 1.45.3
+  version: 1.46.0
 platform: ruby
 authors:
 - Neill Turner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-15 00:00:00.000000000 Z
+date: 2016-12-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-kitchen
@@ -45,7 +45,7 @@ description: |+
 
   == FEATURES:
 
-  Supports puppet apply, puppet agent, hiera, hiera-eyaml, custom facts, librarian-puppet, puppet collections (v4)
+  Supports puppet apply, puppet agent, hiera, hiera-eyaml, hiera-eyaml-gpg, custom facts, librarian-puppet, puppet collections (v4)
 
 email:
 - neillwturner@gmail.com