sambot 0.1.178 → 0.1.179
- checksums.yaml +4 -4
- data/lib/sambot.rb +1 -0
- data/lib/sambot/chef/cookbook.rb +12 -10
- data/lib/sambot/chef/generator.rb +4 -4
- data/lib/sambot/cli.rb +6 -11
- data/lib/sambot/config.rb +8 -16
- data/lib/sambot/template.rb +1 -1
- data/lib/sambot/templates/.env +4 -0
- data/lib/sambot/templates/.rubocop.yml +1 -1
- data/lib/sambot/templates/bootstrap_scripts/google/bootstrap.ps1.erb +51 -0
- data/lib/sambot/templates/bootstrap_scripts/google/bootstrap.sh.erb +47 -0
- data/lib/sambot/templates/bootstrap_scripts/local/docker/bootstrap.ps1.erb +94 -0
- data/lib/sambot/templates/bootstrap_scripts/local/docker/bootstrap.sh.erb +80 -0
- data/lib/sambot/templates/bootstrap_scripts/local/vagrant/bootstrap.ps1.erb +99 -0
- data/lib/sambot/templates/bootstrap_scripts/local/vagrant/bootstrap.sh.erb +90 -0
- data/lib/sambot/templates/docker-compose.yml +10 -0
- data/lib/sambot/templates/test_kitchen/local.yml.erb +0 -3
- data/lib/sambot/templates/vault-config +0 -0
- data/lib/sambot/testing/consul_helper.rb +1 -1
- data/lib/sambot/testing/fixtures.rb +17 -0
- data/lib/sambot/testing/vault_helper.rb +21 -15
- data/lib/sambot/version.rb +1 -1
- metadata +10 -8
- data/lib/sambot/templates/.consul.yml +0 -0
- data/lib/sambot/templates/.vault.yml +0 -0
- data/lib/sambot/templates/bootstrap_scripts/local/sidecar_vault/bootstrap.ps1.erb +0 -33
- data/lib/sambot/templates/bootstrap_scripts/local/sidecar_vault/bootstrap.sh.erb +0 -45
- data/lib/sambot/templates/bootstrap_scripts/local/standalone_vault/bootstrap.ps1.erb +0 -33
- data/lib/sambot/templates/bootstrap_scripts/local/standalone_vault/bootstrap.sh.erb +0 -24
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a0e07b3e1bac4b8ba2285c15bb23b2a8548289be
|
|
4
|
+
data.tar.gz: 836a12b7924d4996e8b50585071493ec96eb564d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bbf7ee2e814fb8c4aca795c0782b3709253219c669d59b894164dc4a3dc19179e0d5c0cad9478b45f3ca96a3e6dc131c40410583fc235b15bebc4c114156edc5
|
|
7
|
+
data.tar.gz: a298786b80ced0a64ed2226d69d5fa01025c38a9179de710dc09144fff99a185bf23af4aaf2f024ba9ecfc89c38b72ef826e23a42bdac69a1fc0a4e30d354b23
|
data/lib/sambot.rb
CHANGED
|
@@ -10,6 +10,7 @@ require_relative 'sambot/fs'
|
|
|
10
10
|
|
|
11
11
|
require_relative 'sambot/testing/consul_helper'
|
|
12
12
|
require_relative 'sambot/testing/vault_helper'
|
|
13
|
+
require_relative 'sambot/testing/fixtures'
|
|
13
14
|
|
|
14
15
|
require_relative 'sambot/chef/kitchen'
|
|
15
16
|
require_relative 'sambot/chef/metadata'
|
data/lib/sambot/chef/cookbook.rb
CHANGED
|
@@ -9,6 +9,8 @@ module Sambot
|
|
|
9
9
|
GENERATED_FILES = {
|
|
10
10
|
'teamcity.sh.erb': {eruby: true, dest: 'teamcity.sh', platform: [:windows, :centos]},
|
|
11
11
|
'chefignore': {eruby: false, dest: 'chefignore', platform: [:windows, :centos]},
|
|
12
|
+
'docker-compose.yml': {eruby: false, dest: 'chefignore', platform: [:windows, :centos]},
|
|
13
|
+
'.env': {eruby: false, dest: 'chefignore', platform: [:windows, :centos]},
|
|
12
14
|
'Berksfile': {eruby: false, dest: 'Berksfile', platform: [:windows, :centos]},
|
|
13
15
|
'.rubocop.yml': {eruby: false, dest: '.rubocop.yml', platform: [:windows, :centos]},
|
|
14
16
|
'.gitignore.sample': {eruby: false, dest: '.gitignore', platform: [:windows, :centos]},
|
|
@@ -18,10 +20,10 @@ module Sambot
|
|
|
18
20
|
|
|
19
21
|
class << self
|
|
20
22
|
|
|
21
|
-
def build(config, cloud,
|
|
22
|
-
create_files(config
|
|
23
|
-
Generator.from_templates(config, cloud,
|
|
24
|
-
Kitchen.setup(cloud, config,
|
|
23
|
+
def build(config, cloud, local_workflow)
|
|
24
|
+
create_files(config)
|
|
25
|
+
Generator.from_templates(config, cloud, local_workflow, GENERATED_FILES)
|
|
26
|
+
Kitchen.setup(cloud, config, local_workflow)
|
|
25
27
|
Metadata.generate(config)
|
|
26
28
|
Hooks.copy()
|
|
27
29
|
UI.info('The cookbook has been successfully built.')
|
|
@@ -54,14 +56,14 @@ module Sambot
|
|
|
54
56
|
|
|
55
57
|
private
|
|
56
58
|
|
|
57
|
-
def create_files(config
|
|
58
|
-
['
|
|
59
|
-
['spec', 'test', 'attributes', '
|
|
60
|
-
Dir.chdir('attributes') { FileUtils.touch('default.rb') unless
|
|
61
|
-
Dir.chdir('spec') { FS.copy('spec_helper.rb') unless FS.exist?('spec_helper.rb')
|
|
59
|
+
def create_files(config)
|
|
60
|
+
['README.md'].each { |resource| FS.copy(resource) unless FS.exist?(resource) }
|
|
61
|
+
['spec', 'test', 'attributes', 'local_testing'].each { |resource| FS.mkdir(resource) unless FS.exist?(resource) }
|
|
62
|
+
Dir.chdir('attributes') { FileUtils.touch('default.rb') unless FS.exist?('default.rb') }
|
|
63
|
+
Dir.chdir('spec') { FS.copy('spec_helper.rb') unless FS.exist?('spec_helper.rb') }
|
|
62
64
|
['recipes', 'libraries', 'resources', 'files', 'templates'].each { |target| FS.mkdir(target) unless FS.exist?(target) }
|
|
63
65
|
Dir.chdir('recipes') do
|
|
64
|
-
FileUtils.touch('default.rb') unless FS.exist?('default.rb')
|
|
66
|
+
FileUtils.touch('default.rb') unless FS.exist?('default.rb')
|
|
65
67
|
end
|
|
66
68
|
unless FS.exist?('.config.yml')
|
|
67
69
|
Template.new('.config.yml.erb').write({config: config}, '.config.yml')
|
|
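Review bot: Both new GENERATED_FILES entries carry `dest: 'chefignore'`, so generating `docker-compose.yml` and `.env` writes over the cookbook's chefignore instead of producing those two files; the entries should read `'docker-compose.yml': {eruby: false, dest: 'docker-compose.yml', platform: [:windows, :centos]},` and `'.env': {eruby: false, dest: '.env', platform: [:windows, :centos]},`. If generate_from_template goes through the same path as the template.rb hunk on this page (`File.delete(opts[:dest]) if File.exist?(opts[:dest])`), the existing chefignore is deleted first and the last entry processed wins, so the damage is silent. The GENERATED_FILES hash starts before and ends after the first hunk.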
@@ -5,9 +5,9 @@ module Sambot
|
|
|
5
5
|
module Chef
|
|
6
6
|
class Generator
|
|
7
7
|
|
|
8
|
-
def self.from_templates(config, cloud,
|
|
8
|
+
def self.from_templates(config, cloud, local_workflow, generated_files)
|
|
9
9
|
generated_files.each { |template_name, opts| generate_from_template(template_name.to_s, opts, config) }
|
|
10
|
-
generate_bootstrap_scripts(config, cloud,
|
|
10
|
+
generate_bootstrap_scripts(config, cloud, local_workflow)
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
private
|
|
@@ -29,8 +29,8 @@ module Sambot
|
|
|
29
29
|
Template.new("bootstrap_scripts/#{path}/bootstrap.#{suffix}.erb").process({eruby: true, dest: "bootstrap.#{suffix}"})
|
|
30
30
|
end
|
|
31
31
|
|
|
32
|
-
def self.generate_bootstrap_scripts(config, cloud,
|
|
33
|
-
cloud != 'local'? bootstrap(config, cloud) : bootstrap(config, "local/#{
|
|
32
|
+
def self.generate_bootstrap_scripts(config, cloud, local_workflow)
|
|
33
|
+
cloud != 'local'? bootstrap(config, cloud) : bootstrap(config, "local/#{local_workflow}")
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
def self.exists!(path)
|
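Review bot: `local_workflow` is interpolated straight into the template path on new line 33 (`bootstrap(config, "local/#{local_workflow}")`) with no check on its value; today only cli.rb supplies it, restricted to 'docker' or 'vagrant', but `Generator.from_templates` is a public class method, so a guard keeps the template lookup from depending on that one caller: `raise ArgumentError, "unknown local workflow: #{local_workflow}" unless %w[docker vagrant].include?(local_workflow)` at the top of generate_bootstrap_scripts. `cloud != 'local'? bootstrap(...)` is also missing the space before `?`, which RuboCop flags; `cloud == 'local' ? bootstrap(config, "local/#{local_workflow}") : bootstrap(config, cloud)` reads more naturally. Note that the bare `private` above these `def self.` methods does not make class methods private in Ruby; `private_class_method :generate_bootstrap_scripts` would.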
data/lib/sambot/cli.rb
CHANGED
|
@@ -10,17 +10,11 @@ module Sambot
|
|
|
10
10
|
execute { Chef::Cookbook.clean() }
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
desc 'populate', 'Populates
|
|
14
|
-
option :vault, :type => :boolean
|
|
15
|
-
option :consul, :type => :boolean
|
|
13
|
+
desc 'populate', 'Populates Vault and Consul with seed data'
|
|
16
14
|
def populate
|
|
17
15
|
execute do
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
exit
|
|
21
|
-
end
|
|
22
|
-
Sambot::Testing::VaultHelper.load_secrets if options[:vault]
|
|
23
|
-
Sambot::Testing::ConsulHelper.load_values if options[:consul]
|
|
16
|
+
Sambot::Testing::VaultHelper.load_secrets(Config.read)
|
|
17
|
+
Sambot::Testing::ConsulHelper.load_values(Config.read)
|
|
24
18
|
end
|
|
25
19
|
end
|
|
26
20
|
|
|
@@ -33,7 +27,7 @@ module Sambot
|
|
|
33
27
|
option :local, :type => :boolean
|
|
34
28
|
option :google, :type => :boolean
|
|
35
29
|
option :rackspace, :type => :boolean
|
|
36
|
-
option :
|
|
30
|
+
option :docker, :type => :boolean
|
|
37
31
|
def build
|
|
38
32
|
execute do
|
|
39
33
|
cloud = nil
|
|
@@ -44,7 +38,8 @@ module Sambot
|
|
|
44
38
|
UI.error('Please select which environment this is building for using one of the following flags: --local, --rackspace or --google')
|
|
45
39
|
exit
|
|
46
40
|
end
|
|
47
|
-
|
|
41
|
+
local_workflow = options[:docker] ? 'docker' : 'vagrant'
|
|
42
|
+
Chef::Cookbook.build(Config.read, cloud, local_workflow)
|
|
48
43
|
end
|
|
49
44
|
end
|
|
50
45
|
|
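Review bot: `populate` now calls `Config.read` twice (new lines 16-17), parsing the config once per helper; read it once, `config = Config.read`, then `Sambot::Testing::VaultHelper.load_secrets(config)` and `Sambot::Testing::ConsulHelper.load_values(config)`. In `build`, the new `--docker` flag only has an effect together with `--local` (the generator.rb hunk on this page ignores `local_workflow` whenever cloud is not 'local'), yet nothing tells the user that; `option :docker, :type => :boolean, :desc => 'Use the Docker workflow for --local builds (default: Vagrant)'` would make it visible in the help output, and the `UI.error` message listing the environment flags is a good place to mention it too.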
data/lib/sambot/config.rb
CHANGED
|
@@ -56,32 +56,24 @@ module Sambot
|
|
|
56
56
|
end
|
|
57
57
|
|
|
58
58
|
def dependencies=(value)
|
|
59
|
-
@opts['dependencies'] =
|
|
59
|
+
@opts['dependencies'] = value
|
|
60
60
|
end
|
|
61
61
|
|
|
62
62
|
def transform_hashes(obj)
|
|
63
63
|
obj.is_a?(Hash) ? "#{obj.keys.first}', '#{obj.values.first}" : obj
|
|
64
64
|
end
|
|
65
65
|
|
|
66
|
-
def description
|
|
67
|
-
@opts['description'] || @opts[:description]
|
|
68
|
-
end
|
|
66
|
+
def description; @opts['description']; end
|
|
69
67
|
|
|
70
|
-
def identifier
|
|
71
|
-
@opts['identifier'] || @opts[:identifier]
|
|
72
|
-
end
|
|
68
|
+
def identifier; @opts['identifier']; end
|
|
73
69
|
|
|
74
|
-
def suites
|
|
75
|
-
@opts['suites'] || @opts[:suites]
|
|
76
|
-
end
|
|
70
|
+
def suites; @opts['suites']; end
|
|
77
71
|
|
|
78
|
-
def version
|
|
79
|
-
@opts['version'] || @opts[:version]
|
|
80
|
-
end
|
|
72
|
+
def version; @opts['version']; end
|
|
81
73
|
|
|
82
|
-
def
|
|
83
|
-
|
|
84
|
-
end
|
|
74
|
+
def secrets; @opts['secrets']; end
|
|
75
|
+
|
|
76
|
+
def name; @opts['name']; end
|
|
85
77
|
|
|
86
78
|
def runs_on_centos?
|
|
87
79
|
available_platforms.include?('centos')
|
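Review bot: The rewritten accessors (new lines 66-76) drop the `|| @opts[:symbol]` fallback, so a config hash that arrives with symbol keys now yields nil from `description`, `identifier`, `suites`, `version` and the new `secrets`/`name` without any error; if that fallback was covering a real caller (hashes built in Ruby rather than parsed from YAML), normalising keys once where `@opts` is assigned — e.g. `@opts = opts.transform_keys(&:to_s)` (Ruby 2.5+), outside this hunk — keeps the one-line readers safe. A comment above the readers, `# @opts is the parsed .config.yml; keys are always strings`, would record the assumption the simplification relies on. The new `secrets` reader presumably feeds the `populate` seeding shown in cli.rb, so whatever lands under that key in `.config.yml` ships with the cookbook; test-only placeholder values belong there.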
data/lib/sambot/template.rb
CHANGED
|
@@ -22,7 +22,7 @@ module Sambot
|
|
|
22
22
|
File.delete(opts[:dest]) if File.exist?(opts[:dest])
|
|
23
23
|
if opts[:eruby]
|
|
24
24
|
UI.debug("Parsing #{self.path} using Erubis")
|
|
25
|
-
self.write(
|
|
25
|
+
self.write(opts, opts[:dest])
|
|
26
26
|
else
|
|
27
27
|
FileUtils.cp(self.path, opts[:dest].to_s)
|
|
28
28
|
end
|
|
@@ -1,3 +1,28 @@
|
|
|
1
|
+
#################################################################################
|
|
2
|
+
# PROVISIONING A WINDOWS BOX #
|
|
3
|
+
#################################################################################
|
|
4
|
+
# #
|
|
5
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
|
6
|
+
# credentials or certificates. #
|
|
7
|
+
# #
|
|
8
|
+
# This bootstrap script provides the capability to do so. #
|
|
9
|
+
# #
|
|
10
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
|
11
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
|
12
|
+
# is also generated - present in ENV['GCP_VAULT_TOKEN'] - which is used by #
|
|
13
|
+
# the instance to obtain the real token it needs from Vault. #
|
|
14
|
+
# #
|
|
15
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
|
16
|
+
# as-vault-token tool. #
|
|
17
|
+
# #
|
|
18
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
|
19
|
+
# #
|
|
20
|
+
#################################################################################
|
|
21
|
+
|
|
22
|
+
#################################################################################
|
|
23
|
+
# Miscellaneous Windows configuration. #
|
|
24
|
+
#################################################################################
|
|
25
|
+
|
|
1
26
|
netsh advfirewall firewall add rule name="winrm" dir=in action=allow protocol=TCP localport=5985
|
|
2
27
|
winrm quickconfig -q
|
|
3
28
|
winrm set winrm/config/service @{AllowUnencrypted="true"}
|
|
@@ -6,6 +31,21 @@ winrm set winrm/config/service/auth @{Basic="true"}
|
|
|
6
31
|
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
|
7
32
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
8
33
|
|
|
34
|
+
#################################################################################
|
|
35
|
+
# Install Hashicorp Vault. #
|
|
36
|
+
#################################################################################
|
|
37
|
+
|
|
38
|
+
$wc = New-Object System.Net.WebClient
|
|
39
|
+
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
|
40
|
+
$output = "C:\Program Files\vault"
|
|
41
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
42
|
+
$wc.DownloadFile($url, "$zipfile")
|
|
43
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
44
|
+
|
|
45
|
+
#################################################################################
|
|
46
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
|
47
|
+
#################################################################################
|
|
48
|
+
|
|
9
49
|
$output = "C:\Program Files\vault"
|
|
10
50
|
New-Item $output -ItemType Directory -Force
|
|
11
51
|
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>/windows_amd64.zip"
|
|
@@ -13,6 +53,10 @@ $zipfile = "$output\$($url.Split('/')[-1])"
|
|
|
13
53
|
$wc.DownloadFile($url, $zipfile)
|
|
14
54
|
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
15
55
|
|
|
56
|
+
#################################################################################
|
|
57
|
+
# Create the tokens.json file containing the Vault access token. #
|
|
58
|
+
#################################################################################
|
|
59
|
+
|
|
16
60
|
$json = @"
|
|
17
61
|
{
|
|
18
62
|
"vault-addr": "<%= ENV['GCP_VAULT_ADDR'] %>",
|
|
@@ -25,4 +69,11 @@ $json = @"
|
|
|
25
69
|
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
|
26
70
|
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
|
27
71
|
|
|
72
|
+
###### TODO - NEED TO ADD GROUPS STUFF!!!!!
|
|
73
|
+
|
|
74
|
+
#################################################################################
|
|
75
|
+
# Get the real token from the wrapped token and store it in the #
|
|
76
|
+
# tokens.json file. #
|
|
77
|
+
#################################################################################
|
|
78
|
+
|
|
28
79
|
& "$output\as-vault-tool" tokenrenew
|
|
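Review bot: The new Vault install block (new lines 38-43) downloads to `$zipfile = "$output\..."` before `$output` exists — `New-Item $output -ItemType Directory -Force` only runs on line 50, after the download — so `$wc.DownloadFile` fails on a fresh box where `C:\Program Files\vault` is absent; move the `New-Item` line ahead of the first `DownloadFile`, as the docker and vagrant variants on this page already do. The archive is then extracted without any integrity check; HashiCorp publishes a SHA256SUMS file alongside each release, and comparing `(Get-FileHash $zipfile -Algorithm SHA256).Hash` against the pinned value before `ExtractToDirectory` is a cheap guard for a binary that will hold the box's Vault token. Finally, `tokens.json` is written with `Set-Content` and left with the directory's inherited ACL while `###### TODO - NEED TO ADD GROUPS STUFF!!!!!` stands in for the `chmod 0640`/`chown root:vault-tokens` the Linux template applies; that TODO should be a tracked issue before this template ships.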
@@ -1,6 +1,37 @@
|
|
|
1
1
|
#!/bin/bash -e
|
|
2
2
|
|
|
3
|
+
#################################################################################
|
|
4
|
+
# PROVISIONING A LINUX BOX #
|
|
5
|
+
#################################################################################
|
|
6
|
+
# #
|
|
7
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
|
8
|
+
# credentials or certificates. #
|
|
9
|
+
# #
|
|
10
|
+
# This bootstrap script provides the capability to do so. #
|
|
11
|
+
# #
|
|
12
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
|
13
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
|
14
|
+
# is also generated - present in ENV['GCP_VAULT_TOKEN'] - which is used by #
|
|
15
|
+
# the instance to obtain the real token it needs from Vault. #
|
|
16
|
+
# #
|
|
17
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
|
18
|
+
# as-vault-token tool. #
|
|
19
|
+
# #
|
|
20
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
|
21
|
+
# #
|
|
22
|
+
#################################################################################
|
|
23
|
+
|
|
24
|
+
#################################################################################
|
|
25
|
+
# Miscellaneous Linux configuration. #
|
|
26
|
+
#################################################################################
|
|
27
|
+
|
|
3
28
|
yum install -y unzip wget
|
|
29
|
+
|
|
30
|
+
#################################################################################
|
|
31
|
+
# Create the tokens.json file so that Chef and other applications can access #
|
|
32
|
+
# the Vault server. #
|
|
33
|
+
#################################################################################.
|
|
34
|
+
|
|
4
35
|
if [ ! -d /etc/vault ]; then mkdir /etc/vault; fi
|
|
5
36
|
|
|
6
37
|
cat << EOF > /etc/vault/tokens.json
|
|
@@ -12,9 +43,25 @@ cat << EOF > /etc/vault/tokens.json
|
|
|
12
43
|
}
|
|
13
44
|
EOF
|
|
14
45
|
|
|
46
|
+
groupadd -fg 9897 vault-tokens
|
|
47
|
+
usermod -aG vault-tokens root
|
|
48
|
+
|
|
49
|
+
chmod 0640 /etc/vault/tokens.json
|
|
50
|
+
chown root:vault-tokens /etc/vault/tokens.json
|
|
51
|
+
|
|
52
|
+
#################################################################################
|
|
53
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
|
54
|
+
#################################################################################
|
|
55
|
+
|
|
15
56
|
if [ ! -d /opt/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %> ]; then
|
|
16
57
|
mkdir -p /opt/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>
|
|
17
58
|
fi
|
|
18
59
|
wget https://storage.googleapis.com/ads-devops-chef/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>/linux_amd64.zip
|
|
19
60
|
unzip linux_amd64 -d /opt/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>/
|
|
61
|
+
|
|
62
|
+
#################################################################################
|
|
63
|
+
# Get the real token from the wrapped token and store it in the #
|
|
64
|
+
# tokens.json file. #
|
|
65
|
+
#################################################################################
|
|
66
|
+
|
|
20
67
|
/opt/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>/as-vault-tool tokenrenew
|
|
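Review bot: `tokens.json` is created by the `cat << EOF > /etc/vault/tokens.json` redirect under the process umask (typically 0644) and only tightened to 0640 on new line 49, after the token has already been written; create the file with its final mode first so it is never world-readable, e.g. move `groupadd -fg 9897 vault-tokens` above the heredoc and precede the heredoc with `install -m 0640 -o root -g vault-tokens /dev/null /etc/vault/tokens.json` — the docker bootstrap.sh.erb on this page has the same ordering. `usermod -aG vault-tokens root` on line 47 adds nothing for access purposes, since root is not subject to the mode bits, and can be dropped unless something else relies on the membership. The comment bar on new line 33 ends in a stray `.` (`#################################################################################.`), which breaks the box drawing.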
@@ -0,0 +1,94 @@
|
|
|
1
|
+
#################################################################################
|
|
2
|
+
# PROVISIONING A WINDOWS BOX #
|
|
3
|
+
#################################################################################
|
|
4
|
+
# #
|
|
5
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
|
6
|
+
# credentials or certificates. #
|
|
7
|
+
# #
|
|
8
|
+
# This bootstrap script provides the capability to do so. #
|
|
9
|
+
# #
|
|
10
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
|
11
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
|
12
|
+
# is also generated which is used by the instance to obtain the real token #
|
|
13
|
+
# it needs from Vault. #
|
|
14
|
+
# #
|
|
15
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
|
16
|
+
# as-vault-token tool. #
|
|
17
|
+
# #
|
|
18
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
|
19
|
+
# #
|
|
20
|
+
# When testing a cookbook using the 'sidecar' method this periodic renewal #
|
|
21
|
+
# along with the added security provided by the wrapper token is not required #
|
|
22
|
+
# given the Vault instance is located on the test instance. #
|
|
23
|
+
# #
|
|
24
|
+
# The token used by the test instance is therefore simply the root token and #
|
|
25
|
+
# no unwrapping takes place. #
|
|
26
|
+
# #
|
|
27
|
+
#################################################################################
|
|
28
|
+
|
|
29
|
+
#################################################################################
|
|
30
|
+
# Miscellaneous Windows configuration. #
|
|
31
|
+
#################################################################################
|
|
32
|
+
|
|
33
|
+
$env:VAULT_ADDR="http://127.0.0.1:8200"
|
|
34
|
+
$env:VAULT_TOKEN="root"
|
|
35
|
+
|
|
36
|
+
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
|
37
|
+
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
38
|
+
|
|
39
|
+
#################################################################################
|
|
40
|
+
# Install Hashicorp Vault #
|
|
41
|
+
#################################################################################
|
|
42
|
+
|
|
43
|
+
New-Item 'C:\Program Files\vault' -ItemType Directory -Force
|
|
44
|
+
$wc = New-Object System.Net.WebClient
|
|
45
|
+
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
|
46
|
+
$output = "C:\Program Files\vault"
|
|
47
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
48
|
+
$wc.DownloadFile($url, "$zipfile")
|
|
49
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
50
|
+
|
|
51
|
+
#################################################################################
|
|
52
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
|
53
|
+
#################################################################################
|
|
54
|
+
|
|
55
|
+
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/windows_amd64.zip"
|
|
56
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
57
|
+
$wc.DownloadFile($url, $zipfile)
|
|
58
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
59
|
+
|
|
60
|
+
#################################################################################
|
|
61
|
+
#################################################################################
|
|
62
|
+
# Everything above this marker in pre-installed on the #
|
|
63
|
+
# adstudio/windows-provisioned/v* boxes. #
|
|
64
|
+
#################################################################################
|
|
65
|
+
#################################################################################
|
|
66
|
+
|
|
67
|
+
#################################################################################
|
|
68
|
+
# Create the tokens.json file containing the Vault access token. #
|
|
69
|
+
#################################################################################
|
|
70
|
+
|
|
71
|
+
$json = @"
|
|
72
|
+
{
|
|
73
|
+
"vault-addr": "$env:VAULT_ADDR",
|
|
74
|
+
"skip-verify": true,
|
|
75
|
+
"wrapped": "",
|
|
76
|
+
"access": "$env:VAULT_TOKEN"
|
|
77
|
+
}
|
|
78
|
+
"@
|
|
79
|
+
|
|
80
|
+
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
|
81
|
+
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
|
82
|
+
|
|
83
|
+
#################################################################################
|
|
84
|
+
# Create the 'vault-tokens' group so other services/applications apart from #
|
|
85
|
+
# 'root' can access the file. #
|
|
86
|
+
#################################################################################
|
|
87
|
+
|
|
88
|
+
XXXXX
|
|
89
|
+
|
|
90
|
+
#################################################################################
|
|
91
|
+
# Populate Vault with test secrets using the Chef embedded Ruby. #
|
|
92
|
+
#################################################################################
|
|
93
|
+
|
|
94
|
+
XXXXX
|
|
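Review bot: New lines 88 and 94 are the literal placeholder `XXXXX` where the 'vault-tokens' group creation and the test-secret population are meant to go; PowerShell will try to run `XXXXX` as a command and fail, so a cookbook generated with `--local --docker` for Windows cannot bootstrap until those sections are written — the vagrant bootstrap.ps1.erb on this page ships the same placeholder at its line 99. If the sections are intentionally deferred, replace each placeholder with a comment (`# TODO: create the vault-tokens group` / `# TODO: populate Vault with test secrets`) so the script at least runs. The as-vault-tool version is also hard-coded as `1.0.2` in the URL on line 55 whereas the google template reads `<%= ENV['AS_VAULT_TOOL_VERSION'] %>`; using the same ERB lookup here keeps local and cloud boxes on the same tool build.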
@@ -0,0 +1,80 @@
|
|
|
1
|
+
#!/bin/bash -e
|
|
2
|
+
|
|
3
|
+
#################################################################################
|
|
4
|
+
# PROVISIONING A LINUX BOX #
|
|
5
|
+
#################################################################################
|
|
6
|
+
# #
|
|
7
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
|
8
|
+
# credentials or certificates. #
|
|
9
|
+
# #
|
|
10
|
+
# This bootstrap script provides the capability to do so. #
|
|
11
|
+
# #
|
|
12
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
|
13
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
|
14
|
+
# is also generated which is used by the instance to obtain the real token #
|
|
15
|
+
# it needs from Vault. #
|
|
16
|
+
# #
|
|
17
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
|
18
|
+
# as-vault-token tool. #
|
|
19
|
+
# #
|
|
20
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
|
21
|
+
# #
|
|
22
|
+
# When testing a cookbook using the 'sidecar' method this periodic renewal #
|
|
23
|
+
# along with the added security provided by the wrapper token is not required #
|
|
24
|
+
# given the Vault instance is located on the test instance. #
|
|
25
|
+
# #
|
|
26
|
+
# The token used by the test instance is therefore simply the root token and #
|
|
27
|
+
# no unwrapping takes place. #
|
|
28
|
+
# #
|
|
29
|
+
#################################################################################
|
|
30
|
+
|
|
31
|
+
#################################################################################
|
|
32
|
+
# Download and install Hashicorp Vault. #
|
|
33
|
+
#################################################################################
|
|
34
|
+
|
|
35
|
+
wget "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip"
|
|
36
|
+
unzip vault_0.6.5_linux_amd64.zip -d /usr/bin
|
|
37
|
+
sudo mkdir /etc/vault
|
|
38
|
+
|
|
39
|
+
#################################################################################
|
|
40
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
|
41
|
+
#################################################################################
|
|
42
|
+
|
|
43
|
+
echo "Download and install as-vault-tool"
|
|
44
|
+
if [ ! -d "/opt/as-vault-tool/1.0.2" ]; then sudo mkdir -p /opt/as-vault-tool/1.0.2; fi
|
|
45
|
+
if [ ! -f /opt/as-vault-tool/1.0.2/as-vault-tool ]; then
|
|
46
|
+
curl --fail -sSO https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/linux_amd64.zip > /dev/null 2>&1
|
|
47
|
+
sudo unzip linux_amd64 -d /opt/as-vault-tool/1.0.2/
|
|
48
|
+
fi
|
|
49
|
+
|
|
50
|
+
#################################################################################
|
|
51
|
+
# Use the Vault server on the host machine running under Docker. #
|
|
52
|
+
#################################################################################
|
|
53
|
+
|
|
54
|
+
export VAULT_ADDR=http://10.0.2.2:8200
|
|
55
|
+
export VAULT_TOKEN=root
|
|
56
|
+
|
|
57
|
+
#################################################################################
|
|
58
|
+
# Create the tokens.json file so that Chef and other applications can access #
|
|
59
|
+
# the Vault server. #
|
|
60
|
+
#################################################################################
|
|
61
|
+
|
|
62
|
+
echo "Create the addressing file so that Chef and other applications can access the Vault server"
|
|
63
|
+
cat << EOF > /etc/vault/tokens.json
|
|
64
|
+
{
|
|
65
|
+
"vault-addr": "${VAULT_ADDR}",
|
|
66
|
+
"skip-verify": true,
|
|
67
|
+
"wrapped": "",
|
|
68
|
+
"access": "root"
|
|
69
|
+
}
|
|
70
|
+
EOF
|
|
71
|
+
|
|
72
|
+
#################################################################################
|
|
73
|
+
# Create the 'vault-tokens' group so other services/applications apart from #
|
|
74
|
+
# 'root' can access the file. #
|
|
75
|
+
#################################################################################
|
|
76
|
+
|
|
77
|
+
groupadd -fg 9897 vault-tokens
|
|
78
|
+
usermod -aG vault-tokens root
|
|
79
|
+
chmod 0640 /etc/vault/tokens.json
|
|
80
|
+
chown root:vault-tokens /etc/vault/tokens.json
|
|
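Review bot: The script mixes privileged and unprivileged commands inconsistently: `sudo mkdir /etc/vault` (line 37) and `sudo unzip` (line 47) assume a non-root user, yet `unzip ... -d /usr/bin` (line 36), the `cat << EOF > /etc/vault/tokens.json` redirect (line 63) and `groupadd`/`usermod`/`chmod`/`chown` (lines 77-80) all need root and carry no `sudo`, so under `bash -e` the run aborts at the first of them as a normal user, while the `sudo`s are redundant as root; pick one model (the google template runs entirely as root) and apply it throughout. `sudo mkdir /etc/vault` without `-p` also fails the whole run on a box where the directory already exists; `mkdir -p /etc/vault` matches the guarded form used in the google script. Line 68 writes the literal `"access": "root"` where `"${VAULT_TOKEN}"` exported on line 55 is what the Windows variant uses, so the two values can drift apart.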
@@ -0,0 +1,99 @@
|
|
|
1
|
+
#################################################################################
|
|
2
|
+
# PROVISIONING A WINDOWS BOX #
|
|
3
|
+
#################################################################################
|
|
4
|
+
# #
|
|
5
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
|
6
|
+
# credentials or certificates. #
|
|
7
|
+
# #
|
|
8
|
+
# This bootstrap script provides the capability to do so. #
|
|
9
|
+
# #
|
|
10
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
|
11
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
|
12
|
+
# is also generated which is used by the instance to obtain the real token #
|
|
13
|
+
# it needs from Vault. #
|
|
14
|
+
# #
|
|
15
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
|
16
|
+
# as-vault-token tool. #
|
|
17
|
+
# #
|
|
18
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
|
19
|
+
# #
|
|
20
|
+
# Given this script is for local Test-Kitchen use only, the wrapped token is #
|
|
21
|
+
# generated on the test instance and then unwrapped immediately. No renewal #
|
|
22
|
+
# takes place when testing - except when testing the as-vault-token #
|
|
23
|
+
# cookbook of course!
|
|
24
|
+
# #
|
|
25
|
+
#################################################################################
|
|
26
|
+
|
|
27
|
+
#################################################################################
|
|
28
|
+
# Miscellaneous Windows configuration. #
|
|
29
|
+
#################################################################################
|
|
30
|
+
|
|
31
|
+
$env:VAULT_ADDR="http://192.168.255.5:8200"
|
|
32
|
+
$env:VAULT_TOKEN="root"
|
|
33
|
+
|
|
34
|
+
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
|
35
|
+
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
36
|
+
|
|
37
|
+
#################################################################################
|
|
38
|
+
# Install Hashicorp Vault. #
|
|
39
|
+
#################################################################################
|
|
40
|
+
|
|
41
|
+
New-Item 'C:\Program Files\vault' -ItemType Directory -Force
|
|
42
|
+
$wc = New-Object System.Net.WebClient
|
|
43
|
+
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
|
44
|
+
$output = "C:\Program Files\vault"
|
|
45
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
46
|
+
$wc.DownloadFile($url, "$zipfile")
|
|
47
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
48
|
+
|
|
49
|
+
#################################################################################
|
|
50
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
|
51
|
+
#################################################################################
|
|
52
|
+
|
|
53
|
+
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/windows_amd64.zip"
|
|
54
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
55
|
+
$wc.DownloadFile($url, $zipfile)
|
|
56
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
57
|
+
|
|
58
|
+
#################################################################################
|
|
59
|
+
# Generate the wrapped token which is normally provided by the bootstrapping #
|
|
60
|
+
# system. #
|
|
61
|
+
#################################################################################
|
|
62
|
+
|
|
63
|
+
$token = ($(& "$output\vault" token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h) -match '^wrapping_token:').Split(' ')[-1].Trim()
|
|
64
|
+
|
|
65
|
+
#################################################################################
|
|
66
|
+
# Create the tokens.json file containing the Vault access token. #
|
|
67
|
+
#################################################################################
|
|
68
|
+
|
|
69
|
+
$json = @"
|
|
70
|
+
{
|
|
71
|
+
"vault-addr": "$env:VAULT_ADDR",
|
|
72
|
+
"skip-verify": true,
|
|
73
|
+
"wrapped": "$token",
|
|
74
|
+
"access": ""
|
|
75
|
+
}
|
|
76
|
+
"@
|
|
77
|
+
|
|
78
|
+
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
|
79
|
+
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
|
80
|
+
|
|
81
|
+
#################################################################################
|
|
82
|
+
# Create the 'vault-tokens' group so other services/applications apart from #
|
|
83
|
+
# 'root' can access the file. #
|
|
84
|
+
#################################################################################
|
|
85
|
+
|
|
86
|
+
###### TODO - NEED TO ADD GROUPS STUFF!!!!!
|
|
87
|
+
|
|
88
|
+
#################################################################################
|
|
89
|
+
# Get the real token from the wrapped token and store it in the #
|
|
90
|
+
# tokens.json file. #
|
|
91
|
+
#################################################################################
|
|
92
|
+
|
|
93
|
+
& "$output\as-vault-tool" tokenrenew
|
|
94
|
+
|
|
95
|
+
#################################################################################
|
|
96
|
+
# Populate Vault with test secrets using the Chef embedded Ruby. #
|
|
97
|
+
#################################################################################
|
|
98
|
+
|
|
99
|
+
XXXXX
|
|
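Review bot: Line 63 creates the wrapping token with `-wrap-ttl=72h` although the header comment says it is unwrapped immediately by `as-vault-tool tokenrenew` on line 93; a wrapping token that stays valid for three days is a standing credential if the generated script or tokens.json leaks, so a TTL of minutes (`-wrap-ttl=5m`) bounds that window without changing the flow. The policy and role are fixed to `nightswatch-ro` on the same line while every other per-cookbook value in these templates comes from config or ENV; rendering them from config would stop other cookbooks from silently testing under the wrong policy. The chained parse `(... -match '^wrapping_token:').Split(' ')[-1].Trim()` either throws an unrelated method error or leaves `$token` empty when `token-create` prints no `wrapping_token:` line, after which tokens.json is written with `"wrapped": ""`; a guard such as `if (-not $token) { throw "vault token-create produced no wrapping_token" }` stops the run at the real fault.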
@@ -0,0 +1,90 @@
|
|
|
1
|
+
#!/bin/bash -e
|
|
2
|
+
|
|
3
|
+
#################################################################################
|
|
4
|
+
# PROVISIONING A LINUX BOX #
|
|
5
|
+
#################################################################################
|
|
6
|
+
# #
|
|
7
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
|
8
|
+
# credentials or certificates. #
|
|
9
|
+
# #
|
|
10
|
+
# This bootstrap script provides the capability to do so. #
|
|
11
|
+
# #
|
|
12
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
|
13
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
|
14
|
+
# is also generated which is used by the instance to obtain the real token #
|
|
15
|
+
# it needs from Vault. #
|
|
16
|
+
# #
|
|
17
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
|
18
|
+
# as-vault-token tool. #
|
|
19
|
+
# #
|
|
20
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
|
21
|
+
# #
|
|
22
|
+
# Given this script is for local Test-Kitchen use only, the wrapped token is #
|
|
23
|
+
# generated on the test instance and then unwrapped immediately. No renewal #
|
|
24
|
+
# takes place when testing - except when testing the as-vault-token #
|
|
25
|
+
# cookbook of course!
|
|
26
|
+
# #
|
|
27
|
+
#################################################################################
|
|
28
|
+
|
|
29
|
+
#################################################################################
|
|
30
|
+
# Miscellaneous Windows configuration. #
|
|
31
|
+
#################################################################################
|
|
32
|
+
|
|
33
|
+
export VAULT_ADDR=http://192.168.255.5:8200
|
|
34
|
+
export VAULT_TOKEN=root
|
|
35
|
+
|
|
36
|
+
sudo yum install -y unzip
|
|
37
|
+
|
|
38
|
+
#################################################################################
|
|
39
|
+
# Download and install Hashicorp Vault. #
|
|
40
|
+
#################################################################################
|
|
41
|
+
|
|
42
|
+
wget "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip"
|
|
43
|
+
unzip vault_0.6.5_linux_amd64.zip -d /usr/bin
|
|
44
|
+
sudo mkdir /etc/vault
|
|
45
|
+
|
|
46
|
+
#################################################################################
|
|
47
|
+
# Generate the wrapped token which is normally provided by the bootstrapping #
|
|
48
|
+
# system. #
|
|
49
|
+
#################################################################################
|
|
50
|
+
|
|
51
|
+
token=$(vault token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h | awk '/^wrapping_token:/ {print $2}')
|
|
52
|
+
|
|
53
|
+
#################################################################################
|
|
54
|
+
# Create the tokens.json file so that Chef and other applications can access #
|
|
55
|
+
# the Vault server. #
|
|
56
|
+
#################################################################################
|
|
57
|
+
|
|
58
|
+
cat << EOF > /etc/vault/tokens.json
|
|
59
|
+
{
|
|
60
|
+
"vault-addr": "${VAULT_ADDR}",
|
|
61
|
+
"skip-verify": true,
|
|
62
|
+
"wrapped": "${token}",
|
|
63
|
+
"access": ""
|
|
64
|
+
}
|
|
65
|
+
EOF
|
|
66
|
+
|
|
67
|
+
#################################################################################
|
|
68
|
+
# Create the 'vault-tokens' group so other services/applications apart from #
|
|
69
|
+
# 'root' can access the file. #
|
|
70
|
+
#################################################################################
|
|
71
|
+
|
|
72
|
+
groupadd -fg 9897 vault-tokens
|
|
73
|
+
usermod -aG vault-tokens root
|
|
74
|
+
chmod 0640 /etc/vault/tokens.json
|
|
75
|
+
chown root:vault-tokens /etc/vault/tokens.json
|
|
76
|
+
|
|
77
|
+
#################################################################################
|
|
78
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
|
79
|
+
#################################################################################
|
|
80
|
+
|
|
81
|
+
sudo mkdir -p /opt/as-vault-tool/1.0.2
|
|
82
|
+
wget https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/linux_amd64.zip
|
|
83
|
+
sudo unzip linux_amd64 -d /opt/as-vault-tool/1.0.2/
|
|
84
|
+
|
|
85
|
+
#################################################################################
|
|
86
|
+
# Get the real token from the wrapped token and store it in the #
|
|
87
|
+
# tokens.json file. #
|
|
88
|
+
#################################################################################
|
|
89
|
+
|
|
90
|
+
sudo /opt/as-vault-tool/1.0.2/as-vault-tool tokenrenew
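Review bot: The `vault_0.6.5_linux_amd64.zip` fetched with `wget` is unpacked straight into `/usr/bin` with no integrity check, and the as-vault-tool archive pulled from the `ads-devops-chef` bucket is installed into `/opt` the same way, so a tampered download runs as a privileged binary on the box; HashiCorp publishes a checksum file next to each release, so verify before extracting, e.g. `wget "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_SHA256SUMS"` followed by `grep linux_amd64 vault_0.6.5_SHA256SUMS | sha256sum -c -`, and pin a sha256 for the as-vault-tool zip in the template since nothing in this script shows a published checksum for it. Privilege use is also inconsistent: `mkdir /etc/vault`, `mkdir -p /opt/as-vault-tool/1.0.2` and the final `tokenrenew` use sudo, while the `unzip ... -d /usr/bin`, the heredoc into `/etc/vault/tokens.json` and the `groupadd`/`usermod`/`chmod`/`chown` calls do not, so under `bash -e` the script presumably aborts at the unzip unless it is already running as root, and otherwise every sudo is redundant. The `"skip-verify": true` and `VAULT_TOKEN=root` are acceptable only because the header says this is for local Test-Kitchen use; a comment next to the heredoc such as `# skip-verify/root token are for the local dev Vault only - never copy into the google bootstrap` would stop them drifting into the non-local templates. The section header reading "Miscellaneous Windows configuration." is a copy-paste leftover in a Linux script and should read `# Miscellaneous Linux configuration.`.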
|
|
@@ -17,9 +17,6 @@ platforms:
|
|
|
17
17
|
<!--% if @platforms.include?('centos') %-->
|
|
18
18
|
- name: centos-7.2
|
|
19
19
|
driver:
|
|
20
|
-
<!--% if @vault_setup == 'sidecar' %-->
|
|
21
|
-
box: adstudio/centos-provisioned-v5
|
|
22
|
-
<!--% end %-->
|
|
23
20
|
network:
|
|
24
21
|
- ["private_network", {ip: "192.168.255.10"}]
|
|
25
22
|
<!--% end %-->
|
|
Binary file
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
|
|
2
|
+
module Sambot
|
|
3
|
+
module Testing
|
|
4
|
+
class Fixtures
|
|
5
|
+
|
|
6
|
+
class << self
|
|
7
|
+
|
|
8
|
+
def get_path(spec, fixture_file)
|
|
9
|
+
parts = spec.split('spec')
|
|
10
|
+
File.join(parts[0], 'spec/fixtures', parts[1] + 'spec', fixture_file)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
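Review bot: `get_path` relies on `spec.split('spec')` returning exactly three parts, so any extra occurrence of the substring "spec" in the caller's path (a parent directory like `.../prospects/...`, or a project name containing it) shifts `parts[1]` and yields a wrong fixture path, and a relative `spec/...` path gives an empty `parts[0]` that `File.join` turns into an absolute `/spec/fixtures/...`. Splitting once on the `/spec/` directory boundary and stripping the `.rb` suffix explicitly is more robust and gives the same result for the common absolute case: `root, rest = spec.sub(/\.rb\z/, '').split('/spec/', 2)` then `File.join(root, 'spec/fixtures', rest, fixture_file)`, raising if `rest` is nil rather than silently building a bad path. The method is also undocumented; a header such as `# Map a spec file path (presumably the caller's __FILE__) to its fixture directory under spec/fixtures, mirroring the spec's path with the .rb suffix dropped.` would tell callers what `spec` is expected to be.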
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'yaml'
|
|
2
2
|
require 'vault'
|
|
3
|
+
require 'fileutils'
|
|
3
4
|
|
|
4
5
|
module Sambot
|
|
5
6
|
module Testing
|
|
@@ -7,30 +8,35 @@ module Sambot
|
|
|
7
8
|
|
|
8
9
|
class << self
|
|
9
10
|
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
11
|
+
VAULT_CONFIG_BINARY = 'vault-config'
|
|
12
|
+
WORKING_DIR = '/tmp/sambot/testing/vault'
|
|
13
|
+
VAULT_POLICIES_REPO = 'git@github.exacttarget.com:ads-devops/vault-policies.git'
|
|
14
|
+
|
|
15
|
+
def setup
|
|
16
|
+
FileUtils.rm_r(WORKING_DIR) if Dir.exist?(WORKING_DIR)
|
|
17
|
+
FileUtils.mkpath WORKING_DIR
|
|
18
|
+
Dir.chdir WORKING_DIR do
|
|
19
|
+
`git clone --depth=1 --single-branch -q #{VAULT_POLICIES_REPO}`
|
|
20
|
+
Dir.chdir 'vault-policies/dev/vault-config' do
|
|
21
|
+
FS.copy(VAULT_CONFIG_BINARY)
|
|
22
|
+
`./#{VAULT_CONFIG_BINARY} config`
|
|
23
|
+
end
|
|
16
24
|
end
|
|
17
25
|
end
|
|
18
26
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
UI.info("Reading the secrets configuration file")
|
|
23
|
-
contents = File.read(filename)
|
|
24
|
-
if contents.empty?
|
|
27
|
+
def load_secrets(config, src = 'local_testing')
|
|
28
|
+
UI.info("Reading secrets from the configuration file")
|
|
29
|
+
if config.secrets.empty?
|
|
25
30
|
UI.info("No secrets were found in the secrets configuration file")
|
|
26
31
|
return 0
|
|
27
32
|
else
|
|
28
|
-
store_secrets(
|
|
33
|
+
store_secrets(config.secrets, src)
|
|
29
34
|
end
|
|
30
35
|
end
|
|
31
36
|
|
|
32
|
-
|
|
33
|
-
|
|
37
|
+
private
|
|
38
|
+
|
|
39
|
+
def store_secrets(secrets, src)
|
|
34
40
|
counter = 0
|
|
35
41
|
secrets.each do |secret|
|
|
36
42
|
secret['keys'].each do |item|
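Review bot: `setup` discards the output and exit status of both backtick commands, so a failed `git clone` (no SSH access to the policies repo, network down) is silent and only surfaces later as an `Errno::ENOENT` from `Dir.chdir 'vault-policies/dev/vault-config'`, while a non-zero exit from `./vault-config config` is lost entirely; prefer `system('git', 'clone', '--depth=1', '--single-branch', '-q', VAULT_POLICIES_REPO) || raise('git clone of vault-policies failed')` and `system("./#{VAULT_CONFIG_BINARY}", 'config') || raise('vault-config config failed')`. `WORKING_DIR` is a fixed path under the world-writable `/tmp` that is then populated by `FS.copy` and executed from, so on a shared host another local user could pre-own `/tmp/sambot` or race the `rm_r`/`mkpath` window; `Dir.mktmpdir('sambot-vault')` avoids that, provided nothing else depends on the fixed path. `load_secrets` gains an undocumented `src` parameter; a one-line comment such as `# Push config.secrets into Vault; src labels the secret source (default 'local_testing') and is passed through to store_secrets.` would cover it, and `store_secrets` itself continues past the end of this hunk.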
|
data/lib/sambot/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sambot
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.179
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Olivier Kouame
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-07-
|
|
11
|
+
date: 2017-07-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor-hollaback
|
|
@@ -405,20 +405,20 @@ files:
|
|
|
405
405
|
- lib/sambot/runtime.rb
|
|
406
406
|
- lib/sambot/template.rb
|
|
407
407
|
- lib/sambot/templates/.config.yml.erb
|
|
408
|
-
- lib/sambot/templates/.
|
|
408
|
+
- lib/sambot/templates/.env
|
|
409
409
|
- lib/sambot/templates/.gitignore.sample
|
|
410
410
|
- lib/sambot/templates/.rubocop.yml
|
|
411
|
-
- lib/sambot/templates/.vault.yml
|
|
412
411
|
- lib/sambot/templates/Berksfile
|
|
413
412
|
- lib/sambot/templates/README.md
|
|
414
413
|
- lib/sambot/templates/Vagrantfile.erb
|
|
415
414
|
- lib/sambot/templates/bootstrap_scripts/google/bootstrap.ps1.erb
|
|
416
415
|
- lib/sambot/templates/bootstrap_scripts/google/bootstrap.sh.erb
|
|
417
|
-
- lib/sambot/templates/bootstrap_scripts/local/
|
|
418
|
-
- lib/sambot/templates/bootstrap_scripts/local/
|
|
419
|
-
- lib/sambot/templates/bootstrap_scripts/local/
|
|
420
|
-
- lib/sambot/templates/bootstrap_scripts/local/
|
|
416
|
+
- lib/sambot/templates/bootstrap_scripts/local/docker/bootstrap.ps1.erb
|
|
417
|
+
- lib/sambot/templates/bootstrap_scripts/local/docker/bootstrap.sh.erb
|
|
418
|
+
- lib/sambot/templates/bootstrap_scripts/local/vagrant/bootstrap.ps1.erb
|
|
419
|
+
- lib/sambot/templates/bootstrap_scripts/local/vagrant/bootstrap.sh.erb
|
|
421
420
|
- lib/sambot/templates/chefignore
|
|
421
|
+
- lib/sambot/templates/docker-compose.yml
|
|
422
422
|
- lib/sambot/templates/git_hooks/pre-commit
|
|
423
423
|
- lib/sambot/templates/git_hooks/pre-push
|
|
424
424
|
- lib/sambot/templates/metadata.rb.erb
|
|
@@ -427,9 +427,11 @@ files:
|
|
|
427
427
|
- lib/sambot/templates/test_kitchen/google.yml.erb
|
|
428
428
|
- lib/sambot/templates/test_kitchen/local.yml.erb
|
|
429
429
|
- lib/sambot/templates/test_kitchen/rackspace.yml.erb
|
|
430
|
+
- lib/sambot/templates/vault-config
|
|
430
431
|
- lib/sambot/templates/vault_helper.rb
|
|
431
432
|
- lib/sambot/templates/winrm_config
|
|
432
433
|
- lib/sambot/testing/consul_helper.rb
|
|
434
|
+
- lib/sambot/testing/fixtures.rb
|
|
433
435
|
- lib/sambot/testing/vault_helper.rb
|
|
434
436
|
- lib/sambot/ui.rb
|
|
435
437
|
- lib/sambot/version.rb
|
|
File without changes
|
|
File without changes
|
|
@@ -1,33 +0,0 @@
|
|
|
1
|
-
$env:VAULT_ADDR="http://127.0.0.1:8200"
|
|
2
|
-
$env:VAULT_TOKEN="root"
|
|
3
|
-
|
|
4
|
-
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
|
5
|
-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
6
|
-
|
|
7
|
-
New-Item 'C:\Program Files\vault' -ItemType Directory -Force
|
|
8
|
-
$wc = New-Object System.Net.WebClient
|
|
9
|
-
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
|
10
|
-
$output = "C:\Program Files\vault"
|
|
11
|
-
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
12
|
-
$wc.DownloadFile($url, "$zipfile")
|
|
13
|
-
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
14
|
-
|
|
15
|
-
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/windows_amd64.zip"
|
|
16
|
-
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
17
|
-
$wc.DownloadFile($url, $zipfile)
|
|
18
|
-
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
19
|
-
|
|
20
|
-
$token = ($(& "$output\vault" token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h) -match '^wrapping_token:').Split(' ')[-1].Trim()
|
|
21
|
-
$json = @"
|
|
22
|
-
{
|
|
23
|
-
"vault-addr": "$env:VAULT_ADDR",
|
|
24
|
-
"skip-verify": true,
|
|
25
|
-
"wrapped": "$token",
|
|
26
|
-
"access": ""
|
|
27
|
-
}
|
|
28
|
-
"@
|
|
29
|
-
|
|
30
|
-
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
|
31
|
-
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
|
32
|
-
|
|
33
|
-
& "$output\as-vault-tool" tokenrenew
|
|
@@ -1,45 +0,0 @@
|
|
|
1
|
-
#!/bin/bash -e
|
|
2
|
-
|
|
3
|
-
echo "Install required tools"
|
|
4
|
-
sudo yum install -y unzip wget epel-release zlib-devel bzip2 openssl-devel libyaml-devel libffi-devel readline-devel gdbm-devel ncurses-devel gcc gcc-c++ make
|
|
5
|
-
|
|
6
|
-
echo "Download and install Hashicorp Vault"
|
|
7
|
-
if [ ! -f /usr/bin/vault ]; then
|
|
8
|
-
curl --fail -sSO "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip" > /dev/null 2>&1
|
|
9
|
-
unzip vault_0.6.5_linux_amd64.zip -d /usr/bin;
|
|
10
|
-
fi
|
|
11
|
-
if [ ! -d "/etc/vault" ]; then sudo mkdir /etc/vault; fi
|
|
12
|
-
|
|
13
|
-
echo "Download and install Hashicorp Consul"
|
|
14
|
-
if [ ! -f /usr/bin/consul ]; then
|
|
15
|
-
curl --fail -sSO "https://releases.hashicorp.com/consul/0.8.5/consul_0.8.5_linux_amd64.zip" > /dev/null 2>&1
|
|
16
|
-
unzip consul_0.8.5_linux_amd64.zip -d /usr/bin;
|
|
17
|
-
fi
|
|
18
|
-
if [ ! -d "/etc/consul" ]; then sudo mkdir /etc/consul; fi
|
|
19
|
-
|
|
20
|
-
########## Everything above this line is pre-installed on the 'adstudio-centos-provisioned-v*' box ############
|
|
21
|
-
|
|
22
|
-
echo "Launch the Consul Agent in Development mode"
|
|
23
|
-
consul agent -dev -server -bootstrap < /dev/null &> /dev/null &
|
|
24
|
-
|
|
25
|
-
echo "Launch the Vault Server in Development mode"
|
|
26
|
-
export VAULT_ADDR="http://127.0.0.1:8200"
|
|
27
|
-
export VAULT_TOKEN="root"
|
|
28
|
-
vault server -dev -dev-root-token-id=${VAULT_TOKEN} -dev-listen-address=0.0.0.0:8200 < /dev/null &> /dev/null &
|
|
29
|
-
sleep 5
|
|
30
|
-
vault mount -path=dev generic
|
|
31
|
-
|
|
32
|
-
echo "Create the addressing file so that Chef and other applications can access the Vault server"
|
|
33
|
-
cat << EOF > /etc/vault/tokens.json
|
|
34
|
-
{
|
|
35
|
-
"vault-addr": "${VAULT_ADDR}",
|
|
36
|
-
"skip-verify": true,
|
|
37
|
-
"wrapped": "",
|
|
38
|
-
"access": "root"
|
|
39
|
-
}
|
|
40
|
-
EOF
|
|
41
|
-
|
|
42
|
-
echo "Populate Vault with test secrets using the Chef embedded Ruby"
|
|
43
|
-
/opt/chef/embedded/bin/gem install sambot --no-ri --no-doc
|
|
44
|
-
cd /vagrant
|
|
45
|
-
/opt/chef/embedded/bin/sambot populate --vault
|
|
@@ -1,33 +0,0 @@
|
|
|
1
|
-
$env:VAULT_ADDR="http://192.168.255.5:8200"
|
|
2
|
-
$env:VAULT_TOKEN="root"
|
|
3
|
-
|
|
4
|
-
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
|
5
|
-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
6
|
-
|
|
7
|
-
New-Item 'C:\Program Files\vault' -ItemType Directory -Force
|
|
8
|
-
$wc = New-Object System.Net.WebClient
|
|
9
|
-
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
|
10
|
-
$output = "C:\Program Files\vault"
|
|
11
|
-
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
12
|
-
$wc.DownloadFile($url, "$zipfile")
|
|
13
|
-
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
14
|
-
|
|
15
|
-
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/windows_amd64.zip"
|
|
16
|
-
$zipfile = "$output\$($url.Split('/')[-1])"
|
|
17
|
-
$wc.DownloadFile($url, $zipfile)
|
|
18
|
-
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
|
19
|
-
|
|
20
|
-
$token = ($(& "$output\vault" token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h) -match '^wrapping_token:').Split(' ')[-1].Trim()
|
|
21
|
-
$json = @"
|
|
22
|
-
{
|
|
23
|
-
"vault-addr": "$env:VAULT_ADDR",
|
|
24
|
-
"skip-verify": true,
|
|
25
|
-
"wrapped": "$token",
|
|
26
|
-
"access": ""
|
|
27
|
-
}
|
|
28
|
-
"@
|
|
29
|
-
|
|
30
|
-
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
|
31
|
-
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
|
32
|
-
|
|
33
|
-
& "$output\as-vault-tool" tokenrenew
|
|
@@ -1,24 +0,0 @@
|
|
|
1
|
-
#!/bin/bash -e
|
|
2
|
-
|
|
3
|
-
export VAULT_ADDR=http://192.168.255.5:8200
|
|
4
|
-
export VAULT_TOKEN=root
|
|
5
|
-
|
|
6
|
-
sudo yum install -y unzip
|
|
7
|
-
wget "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip"
|
|
8
|
-
unzip vault_0.6.5_linux_amd64.zip -d /usr/bin
|
|
9
|
-
sudo mkdir /etc/vault
|
|
10
|
-
|
|
11
|
-
token=$(vault token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h | awk '/^wrapping_token:/ {print $2}')
|
|
12
|
-
cat << EOF > /etc/vault/tokens.json
|
|
13
|
-
{
|
|
14
|
-
"vault-addr": "${VAULT_ADDR}",
|
|
15
|
-
"skip-verify": true,
|
|
16
|
-
"wrapped": "${token}",
|
|
17
|
-
"access": ""
|
|
18
|
-
}
|
|
19
|
-
EOF
|
|
20
|
-
|
|
21
|
-
sudo mkdir -p /opt/as-vault-tool/1.0.2
|
|
22
|
-
wget https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/linux_amd64.zip
|
|
23
|
-
sudo unzip linux_amd64 -d /opt/as-vault-tool/1.0.2/
|
|
24
|
-
sudo /opt/as-vault-tool/1.0.2/as-vault-tool tokenrenew
|