octocatalog-diff 1.5.0 → 1.5.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.version +1 -1
- data/doc/CHANGELOG.md +9 -0
- data/doc/configuration-puppetdb.md +22 -8
- data/doc/optionsref.md +3 -3
- data/lib/octocatalog-diff/cli/options.rb +11 -1
- data/lib/octocatalog-diff/cli/options/puppet_master_ssl_ca.rb +1 -0
- data/lib/octocatalog-diff/cli/options/puppet_master_ssl_client_cert.rb +1 -0
- data/lib/octocatalog-diff/cli/options/puppet_master_ssl_client_key.rb +1 -0
- data/lib/octocatalog-diff/cli/options/puppetdb_ssl_ca.rb +1 -0
- data/lib/octocatalog-diff/cli/options/puppetdb_ssl_client_cert.rb +1 -0
- data/lib/octocatalog-diff/cli/options/puppetdb_ssl_client_key.rb +1 -0
- data/lib/octocatalog-diff/cli/options/puppetdb_ssl_client_password.rb +1 -0
- data/lib/octocatalog-diff/cli/options/puppetdb_ssl_client_password_file.rb +1 -0
- data/lib/octocatalog-diff/cli/options/puppetdb_url.rb +1 -0
- data/lib/octocatalog-diff/puppetdb.rb +10 -1
- metadata +2 -16
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 42b664636f99089e0838f35914f5cd0a89a60fe6
|
4
|
+
data.tar.gz: a6e77f9e6f1d50c6f9ea8219b580891574dbc31e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 223c4d52d3d7e424d28c42fb52e5185fe1dac46d9ea2dea9be7eebbace60b7d13ae376367abc29e58341f3a82f2c84cf640e540c389badf0c9e4811065b9e2a4
|
7
|
+
data.tar.gz: 0a821cf5bd95a83df9309de24141e21d3fadc21cb4d74b2344edcdb194c501bdb8c13bcd0db808d32ec07359fba5df6a559bdfc5c45077f7681e0d130d187b9c
|
data/.version
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.5.
|
1
|
+
1.5.1
|
data/doc/CHANGELOG.md
CHANGED
@@ -7,6 +7,15 @@
|
|
7
7
|
<th>Description / Changes</th>
|
8
8
|
</tr>
|
9
9
|
</thead><tbody>
|
10
|
+
|
11
|
+
<tr valign=top>
|
12
|
+
<td>1.5.1</td>
|
13
|
+
<td>2017-11-16</td>
|
14
|
+
<td>
|
15
|
+
<li><a href="https://github.com/github/octocatalog-diff/pull/159">#159</a>: (Enhancement) Add support for puppetdb behind basic auth</li>
|
16
|
+
</td>
|
17
|
+
</tr>
|
18
|
+
|
10
19
|
<tr valign=top>
|
11
20
|
<td>1.5.0</td>
|
12
21
|
<td>2017-10-18</td>
|
@@ -8,13 +8,19 @@ octocatalog-diff can interact with PuppetDB in the following ways:
|
|
8
8
|
|
9
9
|
For this to work, you will need to configure or provide information about your PuppetDB server to octocatalog-diff. You can provide this information via a [configuration file](/doc/configuration.md), via environment variables, or via command line parameters.
|
10
10
|
|
11
|
-
|
11
|
+
# Required information
|
12
12
|
|
13
13
|
- **Version of PuppetDB**: octocatalog-diff supports PuppetDB's query API v4, which requires that you be running PuppetDB 2.3 or higher.
|
14
14
|
|
15
15
|
- **URL to PuppetDB**: This is the URL with the host name and port number to reach your PuppetDB instance. If you have already set up your Puppet master to communicate with PuppetDB, you can see the URL by reviewing `/etc/puppetlabs/puppet/puppetdb.conf` (on Puppet Server) or `/etc/puppet/puppetdb.conf` (on Puppet Master 3.x). The URL (or URLs) to your PuppetDB installation are visible in the `server_urls` configuration setting.
|
16
16
|
|
17
|
-
|
17
|
+
To use basic authentication, place the username and password in the URL, e.g.:
|
18
|
+
|
19
|
+
```
|
20
|
+
https://username:password@puppetdb.example.net:8081
|
21
|
+
```
|
22
|
+
|
23
|
+
- **SSL Authentication Information**: Whether your PuppetDB instance requires clients to authenticate via SSL certificates. Unless you have made a special effort to configure your PuppetDB instance not to require client certificates, it is likely that client certificate authentication is required. Please see the separate section below concerning SSL certificates.
|
18
24
|
|
19
25
|
NOTE: In certain situations, you may need to define or alter the `certificate-whitelist` setting in your PuppetDB configuration to whitelist the certificate used by octocatalog-diff. Please see [Configuring PuppetDB](https://docs.puppet.com/puppetdb/latest/configure.html#certificate-whitelist) in the Puppet documentation for additional information.
|
20
26
|
|
@@ -25,9 +31,9 @@ The following settings can be used in a [configuration file](/doc/configuration.
|
|
25
31
|
| Setting | Description |
|
26
32
|
| --- | --- |
|
27
33
|
| `settings[:puppetdb_url]` | PuppetDB URL settings. If this is a string, it will set a single PuppetDB URL. If it is an array, it will set multiple URLs, which will be tried in a random order until one responds. |
|
28
|
-
| `settings[:puppetdb_ssl_ca]` | Path to the certificate of the CA that signed PuppetDB's certificate. This file
|
29
|
-
| `settings[:puppetdb_ssl_client_cert]` | TEXT of the certificate of the client SSL keypair
|
30
|
-
| `settings[:puppetdb_ssl_client_key]` |
|
34
|
+
| `settings[:puppetdb_ssl_ca]` | Path to the certificate of the CA that signed PuppetDB's certificate. This file should contain only the public certificate, so it is safe to distribute to developer workstations or CI environments. |
|
35
|
+
| `settings[:puppetdb_ssl_client_cert]` | TEXT of the certificate of the client SSL keypair used to authenticate to PuppetDB. Note: This variable is not set to a file path, which means you will likely want to use `File.read(...)` if you are configuring this to be read from a file. |
|
36
|
+
| `settings[:puppetdb_ssl_client_key]` | TEXT of the private key of the client SSL keypair used to authenticate to PuppetDB. Note: This variable is not set to a file path, which means you will likely want to use means you will likely want to use `File.read(...)` if you are configuring this to be read from a file. |
|
31
37
|
| `settings[:puppetdb_ssl_client_pem]` | Concatenation of the text of `puppetdb_ssl_client_key` and `puppetdb_ssl_client_cert` as previously described. This is a good alternative if your certificate chain is complex and it's easier just to put everything in a single place. Note: this option is second in precedence; if `settings[:puppetdb_ssl_client_cert]` and `settings[:puppetdb_ssl_client_key]` are both set, this will be ignored. |
|
32
38
|
| `settings[:puppetdb_ssl_client_password]` | Plain text string containing the password to unlock the private key. For keys generated by the Puppet Master CA, this is not required and should be left undefined. |
|
33
39
|
|
@@ -38,9 +44,9 @@ The following arguments can be used on the command line.
|
|
38
44
|
| Setting | Description |
|
39
45
|
| --- | --- |
|
40
46
|
| --puppetdb-url https://puppetdb.example.net:8081 | PuppetDB URL. The argument should match the `server_urls` configuration setting as described previously. Please note that only one URL is supported via the command line method, so if you have multiple `server_urls` URLs specified, you can only choose one. To use multiple URLs for failover purposes, please configure via configuration files. |
|
41
|
-
| --puppetdb-ssl-ca FILENAME | Path to the certificate of the CA that signed PuppetDB's certificate. This file
|
42
|
-
| --puppetdb-ssl-client-cert FILENAME | Path to the certificate of the client SSL keypair.
|
43
|
-
| --puppetdb-ssl-client-key FILENAME | Path to the private key of the client SSL keypair.
|
47
|
+
| --puppetdb-ssl-ca FILENAME | Path to the certificate of the CA that signed PuppetDB's certificate. This file should contain only the public certificate, so it is safe to distribute to developer workstations or CI environments. |
|
48
|
+
| --puppetdb-ssl-client-cert FILENAME | Path to the certificate of the client SSL keypair. |
|
49
|
+
| --puppetdb-ssl-client-key FILENAME | Path to the private key of the client SSL keypair. |
|
44
50
|
| --puppetdb-ssl-client-password PASSWORD_STRING | Plain text string containing the password to unlock the private key. For keys generated by the Puppet Master CA, this is not required. |
|
45
51
|
|
46
52
|
## Supplying necessary information via the environment
|
@@ -50,3 +56,11 @@ The following arguments can be used on the command line.
|
|
50
56
|
Set the environment variable `PUPPETDB_URL` to match the `server_urls` configuration setting as described previously. Please note that only one URL is supported via the environment variable method, so if you have multiple `server_urls` URLs specified, you can only choose one. To use multiple URLs for failover purposes, please configure via configuration files.
|
51
57
|
|
52
58
|
Environment variable support is not currently available for SSL client authentication settings.
|
59
|
+
|
60
|
+
# Notes about SSL certificates
|
61
|
+
|
62
|
+
SSL support is enabled via any of the `--puppetdb-ssl-...` command line options or `puppetdb_ssl_...` configuration settings as described above. Please note the following concerning these SSL certificates.
|
63
|
+
|
64
|
+
- The CA certificate should be the public certificate of the CA that signed your PuppetDB server's certificate. This file can be found in `/etc/puppetlabs/puppetdb/ssl/ca.pem` on a PuppetDB server. Since this is a public certificate, it is safe (and recommended) to distribute this file to any clients that may connect to this PuppetDB instance.
|
65
|
+
|
66
|
+
- The client keypair (key, certificate, and optionally password) should be generated individually for each client. You should NOT copy SSL keypairs from your PuppetDB server (or anywhere else) to your clients. If you are using `octocatalog-diff` on a system that is managed by Puppet, you may wish to use the same SSL credentials that the system uses to authenticate to Puppet. With recent versions of the Puppet agent, those certificates are found in `/etc/puppetlabs/puppet/ssl`.
|
data/doc/optionsref.md
CHANGED
@@ -87,16 +87,16 @@ Usage: octocatalog-diff [command line options]
|
|
87
87
|
--to-puppet-binary STRING Full path to puppet binary for the to branch
|
88
88
|
--from-puppet-binary STRING Full path to puppet binary for the from branch
|
89
89
|
--facts-terminus STRING Facts terminus: one of yaml, facter
|
90
|
+
--puppetdb-url URL PuppetDB base URL
|
90
91
|
--puppetdb-ssl-ca FILENAME CA certificate that signed the PuppetDB certificate
|
91
92
|
--puppetdb-ssl-client-cert FILENAME
|
92
93
|
SSL client certificate to connect to PuppetDB
|
93
|
-
--puppetdb-ssl-client-password PASSWORD
|
94
|
-
Password for SSL client key to connect to PuppetDB
|
95
94
|
--puppetdb-ssl-client-key FILENAME
|
96
95
|
SSL client key to connect to PuppetDB
|
96
|
+
--puppetdb-ssl-client-password PASSWORD
|
97
|
+
Password for SSL client key to connect to PuppetDB
|
97
98
|
--puppetdb-ssl-client-password-file FILENAME
|
98
99
|
Read password for SSL client key from a file
|
99
|
-
--puppetdb-url URL PuppetDB base URL
|
100
100
|
--puppetdb-api-version N Version of PuppetDB API (3 or 4)
|
101
101
|
--fact-override STRING1[,STRING2[,...]]
|
102
102
|
Override fact globally
|
@@ -28,8 +28,18 @@ module OctocatalogDiff
|
|
28
28
|
@weight = w
|
29
29
|
end
|
30
30
|
|
31
|
+
def self.order_within_weight(w) # rubocop:disable Style/TrivialAccessors
|
32
|
+
@order_within_weight = w
|
33
|
+
end
|
34
|
+
|
31
35
|
def self.weight
|
32
|
-
@weight
|
36
|
+
if @weight && @order_within_weight
|
37
|
+
@weight + (@order_within_weight / 100.0)
|
38
|
+
elsif @weight
|
39
|
+
@weight
|
40
|
+
else
|
41
|
+
DEFAULT_WEIGHT
|
42
|
+
end
|
33
43
|
end
|
34
44
|
|
35
45
|
def self.name
|
@@ -7,6 +7,7 @@
|
|
7
7
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
8
8
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppet_master_ssl_ca) do
|
9
9
|
has_weight 320
|
10
|
+
order_within_weight 30
|
10
11
|
|
11
12
|
def parse(parser, options)
|
12
13
|
OctocatalogDiff::Cli::Options.option_globally_or_per_branch(
|
@@ -6,6 +6,7 @@
|
|
6
6
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
7
7
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppet_master_ssl_client_cert) do
|
8
8
|
has_weight 320
|
9
|
+
order_within_weight 40
|
9
10
|
|
10
11
|
def parse(parser, options)
|
11
12
|
OctocatalogDiff::Cli::Options.option_globally_or_per_branch(
|
@@ -6,6 +6,7 @@
|
|
6
6
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
7
7
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppet_master_ssl_client_key) do
|
8
8
|
has_weight 320
|
9
|
+
order_within_weight 50
|
9
10
|
|
10
11
|
def parse(parser, options)
|
11
12
|
OctocatalogDiff::Cli::Options.option_globally_or_per_branch(
|
@@ -7,6 +7,7 @@
|
|
7
7
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
8
8
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_ca) do
|
9
9
|
has_weight 310
|
10
|
+
order_within_weight 10
|
10
11
|
|
11
12
|
def parse(parser, options)
|
12
13
|
parser.on('--puppetdb-ssl-ca FILENAME', 'CA certificate that signed the PuppetDB certificate') do |x|
|
@@ -6,6 +6,7 @@
|
|
6
6
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
7
7
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_client_cert) do
|
8
8
|
has_weight 310
|
9
|
+
order_within_weight 20
|
9
10
|
|
10
11
|
def parse(parser, options)
|
11
12
|
parser.on('--puppetdb-ssl-client-cert FILENAME', 'SSL client certificate to connect to PuppetDB') do |x|
|
@@ -6,6 +6,7 @@
|
|
6
6
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
7
7
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_client_key) do
|
8
8
|
has_weight 310
|
9
|
+
order_within_weight 30
|
9
10
|
|
10
11
|
def parse(parser, options)
|
11
12
|
parser.on('--puppetdb-ssl-client-key FILENAME', 'SSL client key to connect to PuppetDB') do |x|
|
@@ -7,6 +7,7 @@
|
|
7
7
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
8
8
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_client_cert) do
|
9
9
|
has_weight 310
|
10
|
+
order_within_weight 35
|
10
11
|
|
11
12
|
def parse(parser, options)
|
12
13
|
parser.on('--puppetdb-ssl-client-password PASSWORD', 'Password for SSL client key to connect to PuppetDB') do |x|
|
@@ -5,6 +5,7 @@
|
|
5
5
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
6
6
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_ssl_client_password_file) do
|
7
7
|
has_weight 310
|
8
|
+
order_within_weight 37
|
8
9
|
|
9
10
|
def parse(parser, options)
|
10
11
|
parser.on('--puppetdb-ssl-client-password-file FILENAME', 'Read password for SSL client key from a file') do |x|
|
@@ -7,6 +7,7 @@ require 'uri'
|
|
7
7
|
# @param options [Hash] Options hash being constructed; this is modified in this method.
|
8
8
|
OctocatalogDiff::Cli::Options::Option.newoption(:puppetdb_url) do
|
9
9
|
has_weight 310
|
10
|
+
order_within_weight 1
|
10
11
|
|
11
12
|
def parse(parser, options)
|
12
13
|
parser.on('--puppetdb-url URL', 'PuppetDB base URL') do |url|
|
@@ -108,6 +108,9 @@ module OctocatalogDiff
|
|
108
108
|
|
109
109
|
begin
|
110
110
|
more_options = { headers: { 'Accept' => 'application/json' }, timeout: @timeout }
|
111
|
+
if connection[:username] || connection[:password]
|
112
|
+
more_options[:basic_auth] = { username: connection[:username], password: connection[:password] }
|
113
|
+
end
|
111
114
|
response = OctocatalogDiff::Util::HTTParty.get(complete_url, @options.merge(more_options), 'puppetdb')
|
112
115
|
|
113
116
|
# Handle all non-200's from PuppetDB
|
@@ -153,7 +156,13 @@ module OctocatalogDiff
|
|
153
156
|
end
|
154
157
|
|
155
158
|
raise ArgumentError, "URL #{url} has invalid scheme" unless uri.scheme =~ /^https?$/
|
156
|
-
{ ssl: uri.scheme == 'https', host: uri.host, port: uri.port }
|
159
|
+
parsed_url = { ssl: uri.scheme == 'https', host: uri.host, port: uri.port }
|
160
|
+
if uri.user || uri.password
|
161
|
+
parsed_url[:username] = uri.user
|
162
|
+
parsed_url[:password] = uri.password
|
163
|
+
end
|
164
|
+
|
165
|
+
parsed_url
|
157
166
|
rescue URI::InvalidURIError => exc
|
158
167
|
raise exc.class, "Invalid URL: #{url} (#{exc.message})"
|
159
168
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: octocatalog-diff
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.5.
|
4
|
+
version: 1.5.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- GitHub, Inc.
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2017-
|
12
|
+
date: 2017-11-16 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: diffy
|
@@ -67,20 +67,6 @@ dependencies:
|
|
67
67
|
- - ">="
|
68
68
|
- !ruby/object:Gem::Version
|
69
69
|
version: 0.25.0b2
|
70
|
-
- !ruby/object:Gem::Dependency
|
71
|
-
name: bundler
|
72
|
-
requirement: !ruby/object:Gem::Requirement
|
73
|
-
requirements:
|
74
|
-
- - '='
|
75
|
-
- !ruby/object:Gem::Version
|
76
|
-
version: 1.15.4
|
77
|
-
type: :development
|
78
|
-
prerelease: false
|
79
|
-
version_requirements: !ruby/object:Gem::Requirement
|
80
|
-
requirements:
|
81
|
-
- - '='
|
82
|
-
- !ruby/object:Gem::Version
|
83
|
-
version: 1.15.4
|
84
70
|
- !ruby/object:Gem::Dependency
|
85
71
|
name: rspec
|
86
72
|
requirement: !ruby/object:Gem::Requirement
|