sambot 0.1.178 → 0.1.179
- checksums.yaml +4 -4
- data/lib/sambot.rb +1 -0
- data/lib/sambot/chef/cookbook.rb +12 -10
- data/lib/sambot/chef/generator.rb +4 -4
- data/lib/sambot/cli.rb +6 -11
- data/lib/sambot/config.rb +8 -16
- data/lib/sambot/template.rb +1 -1
- data/lib/sambot/templates/.env +4 -0
- data/lib/sambot/templates/.rubocop.yml +1 -1
- data/lib/sambot/templates/bootstrap_scripts/google/bootstrap.ps1.erb +51 -0
- data/lib/sambot/templates/bootstrap_scripts/google/bootstrap.sh.erb +47 -0
- data/lib/sambot/templates/bootstrap_scripts/local/docker/bootstrap.ps1.erb +94 -0
- data/lib/sambot/templates/bootstrap_scripts/local/docker/bootstrap.sh.erb +80 -0
- data/lib/sambot/templates/bootstrap_scripts/local/vagrant/bootstrap.ps1.erb +99 -0
- data/lib/sambot/templates/bootstrap_scripts/local/vagrant/bootstrap.sh.erb +90 -0
- data/lib/sambot/templates/docker-compose.yml +10 -0
- data/lib/sambot/templates/test_kitchen/local.yml.erb +0 -3
- data/lib/sambot/templates/vault-config +0 -0
- data/lib/sambot/testing/consul_helper.rb +1 -1
- data/lib/sambot/testing/fixtures.rb +17 -0
- data/lib/sambot/testing/vault_helper.rb +21 -15
- data/lib/sambot/version.rb +1 -1
- metadata +10 -8
- data/lib/sambot/templates/.consul.yml +0 -0
- data/lib/sambot/templates/.vault.yml +0 -0
- data/lib/sambot/templates/bootstrap_scripts/local/sidecar_vault/bootstrap.ps1.erb +0 -33
- data/lib/sambot/templates/bootstrap_scripts/local/sidecar_vault/bootstrap.sh.erb +0 -45
- data/lib/sambot/templates/bootstrap_scripts/local/standalone_vault/bootstrap.ps1.erb +0 -33
- data/lib/sambot/templates/bootstrap_scripts/local/standalone_vault/bootstrap.sh.erb +0 -24
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a0e07b3e1bac4b8ba2285c15bb23b2a8548289be
|
4
|
+
data.tar.gz: 836a12b7924d4996e8b50585071493ec96eb564d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bbf7ee2e814fb8c4aca795c0782b3709253219c669d59b894164dc4a3dc19179e0d5c0cad9478b45f3ca96a3e6dc131c40410583fc235b15bebc4c114156edc5
|
7
|
+
data.tar.gz: a298786b80ced0a64ed2226d69d5fa01025c38a9179de710dc09144fff99a185bf23af4aaf2f024ba9ecfc89c38b72ef826e23a42bdac69a1fc0a4e30d354b23
|
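--- a/data/lib/sambot.rb
+++ b/data/lib/sambot.rb
@@ -10,6 +10,7 @@ require_relative 'sambot/fs'
 
 require_relative 'sambot/testing/consul_helper'
 require_relative 'sambot/testing/vault_helper'
+require_relative 'sambot/testing/fixtures'
 
 require_relative 'sambot/chef/kitchen'
 require_relative 'sambot/chef/metadata'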
data/lib/sambot/chef/cookbook.rb
CHANGED
@@ -9,6 +9,8 @@ module Sambot
|
|
9
9
|
GENERATED_FILES = {
|
10
10
|
'teamcity.sh.erb': {eruby: true, dest: 'teamcity.sh', platform: [:windows, :centos]},
|
11
11
|
'chefignore': {eruby: false, dest: 'chefignore', platform: [:windows, :centos]},
|
12
|
+
'docker-compose.yml': {eruby: false, dest: 'chefignore', platform: [:windows, :centos]},
|
13
|
+
'.env': {eruby: false, dest: 'chefignore', platform: [:windows, :centos]},
|
12
14
|
'Berksfile': {eruby: false, dest: 'Berksfile', platform: [:windows, :centos]},
|
13
15
|
'.rubocop.yml': {eruby: false, dest: '.rubocop.yml', platform: [:windows, :centos]},
|
14
16
|
'.gitignore.sample': {eruby: false, dest: '.gitignore', platform: [:windows, :centos]},
|
@@ -18,10 +20,10 @@ module Sambot
|
|
18
20
|
|
19
21
|
class << self
|
20
22
|
|
21
|
-
def build(config, cloud,
|
22
|
-
create_files(config
|
23
|
-
Generator.from_templates(config, cloud,
|
24
|
-
Kitchen.setup(cloud, config,
|
23
|
+
def build(config, cloud, local_workflow)
|
24
|
+
create_files(config)
|
25
|
+
Generator.from_templates(config, cloud, local_workflow, GENERATED_FILES)
|
26
|
+
Kitchen.setup(cloud, config, local_workflow)
|
25
27
|
Metadata.generate(config)
|
26
28
|
Hooks.copy()
|
27
29
|
UI.info('The cookbook has been successfully built.')
|
@@ -54,14 +56,14 @@ module Sambot
|
|
54
56
|
|
55
57
|
private
|
56
58
|
|
57
|
-
def create_files(config
|
58
|
-
['
|
59
|
-
['spec', 'test', 'attributes', '
|
60
|
-
Dir.chdir('attributes') { FileUtils.touch('default.rb') unless
|
61
|
-
Dir.chdir('spec') { FS.copy('spec_helper.rb') unless FS.exist?('spec_helper.rb')
|
59
|
+
def create_files(config)
|
60
|
+
['README.md'].each { |resource| FS.copy(resource) unless FS.exist?(resource) }
|
61
|
+
['spec', 'test', 'attributes', 'local_testing'].each { |resource| FS.mkdir(resource) unless FS.exist?(resource) }
|
62
|
+
Dir.chdir('attributes') { FileUtils.touch('default.rb') unless FS.exist?('default.rb') }
|
63
|
+
Dir.chdir('spec') { FS.copy('spec_helper.rb') unless FS.exist?('spec_helper.rb') }
|
62
64
|
['recipes', 'libraries', 'resources', 'files', 'templates'].each { |target| FS.mkdir(target) unless FS.exist?(target) }
|
63
65
|
Dir.chdir('recipes') do
|
64
|
-
FileUtils.touch('default.rb') unless FS.exist?('default.rb')
|
66
|
+
FileUtils.touch('default.rb') unless FS.exist?('default.rb')
|
65
67
|
end
|
66
68
|
unless FS.exist?('.config.yml')
|
67
69
|
Template.new('.config.yml.erb').write({config: config}, '.config.yml')
|
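Review bot: Both new `GENERATED_FILES` entries point at the wrong destination — `'docker-compose.yml': {eruby: false, dest: 'chefignore', ...}` and `'.env': {eruby: false, dest: 'chefignore', ...}` — so the generator (presumably via `Template#process`, which deletes and recreates `dest`) writes three different templates to `chefignore` in turn and the built cookbook ends up with the `.env` template as its chefignore while the real ignore list is lost, meaning whatever chefignore was meant to keep out of the uploaded cookbook (the new `local_testing` directory, `.env`, `docker-compose.yml`) gets shipped. Change them to `dest: 'docker-compose.yml'` and `dest: '.env'`. It is also worth checking, outside this diff, that the `chefignore` and `.gitignore.sample` templates list `.env` and `local_testing/`, since `.env` is presumably where the local Vault/Consul settings live.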
@@ -5,9 +5,9 @@ module Sambot
|
|
5
5
|
module Chef
|
6
6
|
class Generator
|
7
7
|
|
8
|
-
def self.from_templates(config, cloud,
|
8
|
+
def self.from_templates(config, cloud, local_workflow, generated_files)
|
9
9
|
generated_files.each { |template_name, opts| generate_from_template(template_name.to_s, opts, config) }
|
10
|
-
generate_bootstrap_scripts(config, cloud,
|
10
|
+
generate_bootstrap_scripts(config, cloud, local_workflow)
|
11
11
|
end
|
12
12
|
|
13
13
|
private
|
@@ -29,8 +29,8 @@ module Sambot
|
|
29
29
|
Template.new("bootstrap_scripts/#{path}/bootstrap.#{suffix}.erb").process({eruby: true, dest: "bootstrap.#{suffix}"})
|
30
30
|
end
|
31
31
|
|
32
|
-
def self.generate_bootstrap_scripts(config, cloud,
|
33
|
-
cloud != 'local'? bootstrap(config, cloud) : bootstrap(config, "local/#{
|
32
|
+
def self.generate_bootstrap_scripts(config, cloud, local_workflow)
|
33
|
+
cloud != 'local'? bootstrap(config, cloud) : bootstrap(config, "local/#{local_workflow}")
|
34
34
|
end
|
35
35
|
|
36
36
|
def self.exists!(path)
|
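Review bot: `generate_bootstrap_scripts` splices `local_workflow` (and `cloud`) straight into the template path `"local/#{local_workflow}"` with no check that the value names one of the shipped `bootstrap_scripts/local/{docker,vagrant}` directories; today `cli.rb` only ever passes `'docker'` or `'vagrant'`, but the generator is the right place to enforce that, e.g. `raise ArgumentError, "unknown local workflow: #{local_workflow}" unless %w[docker vagrant].include?(local_workflow)` before the `bootstrap` call. Style: the ternary on that line wants a space before `?` — `cloud != 'local' ? bootstrap(config, cloud) : bootstrap(config, "local/#{local_workflow}")`. `self.exists!` on the last line of the hunk continues outside it.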
data/lib/sambot/cli.rb
CHANGED
@@ -10,17 +10,11 @@ module Sambot
|
|
10
10
|
execute { Chef::Cookbook.clean() }
|
11
11
|
end
|
12
12
|
|
13
|
-
desc 'populate', 'Populates
|
14
|
-
option :vault, :type => :boolean
|
15
|
-
option :consul, :type => :boolean
|
13
|
+
desc 'populate', 'Populates Vault and Consul with seed data'
|
16
14
|
def populate
|
17
15
|
execute do
|
18
|
-
|
19
|
-
|
20
|
-
exit
|
21
|
-
end
|
22
|
-
Sambot::Testing::VaultHelper.load_secrets if options[:vault]
|
23
|
-
Sambot::Testing::ConsulHelper.load_values if options[:consul]
|
16
|
+
Sambot::Testing::VaultHelper.load_secrets(Config.read)
|
17
|
+
Sambot::Testing::ConsulHelper.load_values(Config.read)
|
24
18
|
end
|
25
19
|
end
|
26
20
|
|
@@ -33,7 +27,7 @@ module Sambot
|
|
33
27
|
option :local, :type => :boolean
|
34
28
|
option :google, :type => :boolean
|
35
29
|
option :rackspace, :type => :boolean
|
36
|
-
option :
|
30
|
+
option :docker, :type => :boolean
|
37
31
|
def build
|
38
32
|
execute do
|
39
33
|
cloud = nil
|
@@ -44,7 +38,8 @@ module Sambot
|
|
44
38
|
UI.error('Please select which environment this is building for using one of the following flags: --local, --rackspace or --google')
|
45
39
|
exit
|
46
40
|
end
|
47
|
-
|
41
|
+
local_workflow = options[:docker] ? 'docker' : 'vagrant'
|
42
|
+
Chef::Cookbook.build(Config.read, cloud, local_workflow)
|
48
43
|
end
|
49
44
|
end
|
50
45
|
|
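Review bot: `--docker` is accepted alongside `--google` or `--rackspace` and silently ignored, since `local_workflow = options[:docker] ? 'docker' : 'vagrant'` is computed regardless of `cloud` and the error text a few lines above still lists only `--local, --rackspace or --google`; reject the combination explicitly with a `UI.error('--docker only applies together with --local')` / `exit` guard when `options[:docker] && cloud != 'local'`, and mention `--docker` in that message. In `populate`, `Config.read` is now called twice in a row; read it once (`config = Config.read`) and pass it to both `load_secrets` and `load_values`, so Vault and Consul are seeded from one parse of the file rather than two. The `if`/`elsif` chain that assigns `cloud` lies between the two hunks and is not visible here.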
data/lib/sambot/config.rb
CHANGED
@@ -56,32 +56,24 @@ module Sambot
|
|
56
56
|
end
|
57
57
|
|
58
58
|
def dependencies=(value)
|
59
|
-
@opts['dependencies'] =
|
59
|
+
@opts['dependencies'] = value
|
60
60
|
end
|
61
61
|
|
62
62
|
def transform_hashes(obj)
|
63
63
|
obj.is_a?(Hash) ? "#{obj.keys.first}', '#{obj.values.first}" : obj
|
64
64
|
end
|
65
65
|
|
66
|
-
def description
|
67
|
-
@opts['description'] || @opts[:description]
|
68
|
-
end
|
66
|
+
def description; @opts['description']; end
|
69
67
|
|
70
|
-
def identifier
|
71
|
-
@opts['identifier'] || @opts[:identifier]
|
72
|
-
end
|
68
|
+
def identifier; @opts['identifier']; end
|
73
69
|
|
74
|
-
def suites
|
75
|
-
@opts['suites'] || @opts[:suites]
|
76
|
-
end
|
70
|
+
def suites; @opts['suites']; end
|
77
71
|
|
78
|
-
def version
|
79
|
-
@opts['version'] || @opts[:version]
|
80
|
-
end
|
72
|
+
def version; @opts['version']; end
|
81
73
|
|
82
|
-
def
|
83
|
-
|
84
|
-
end
|
74
|
+
def secrets; @opts['secrets']; end
|
75
|
+
|
76
|
+
def name; @opts['name']; end
|
85
77
|
|
86
78
|
def runs_on_centos?
|
87
79
|
available_platforms.include?('centos')
|
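Review bot: The rewritten one-line accessors drop the `@opts[:symbol]` fallback that `description`, `identifier`, `suites` and `version` previously had, so a config built with symbol keys now silently yields `nil` for every field instead of the value; if string keys are now the only supported form, normalise once where `@opts` is assigned (outside this hunk) or use `@opts.fetch('version')` so that a missing key raises rather than propagating `nil` into generated metadata. The new `secrets` accessor returns the raw `secrets` section of the config, and `cli.rb`'s `populate` presumably hands it to `VaultHelper.load_secrets`; add a doc comment making the intent clear, e.g. `# Seed secrets pushed into the local test Vault by 'sambot populate' - never real credentials.`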
data/lib/sambot/template.rb
CHANGED
@@ -22,7 +22,7 @@ module Sambot
|
|
22
22
|
File.delete(opts[:dest]) if File.exist?(opts[:dest])
|
23
23
|
if opts[:eruby]
|
24
24
|
UI.debug("Parsing #{self.path} using Erubis")
|
25
|
-
self.write(
|
25
|
+
self.write(opts, opts[:dest])
|
26
26
|
else
|
27
27
|
FileUtils.cp(self.path, opts[:dest].to_s)
|
28
28
|
end
|
@@ -1,3 +1,28 @@
|
|
1
|
+
#################################################################################
|
2
|
+
# PROVISIONING A WINDOWS BOX #
|
3
|
+
#################################################################################
|
4
|
+
# #
|
5
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
6
|
+
# credentials or certificates. #
|
7
|
+
# #
|
8
|
+
# This bootstrap script provides the capability to do so. #
|
9
|
+
# #
|
10
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
11
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
12
|
+
# is also generated - present in ENV['GCP_VAULT_TOKEN'] - which is used by #
|
13
|
+
# the instance to obtain the real token it needs from Vault. #
|
14
|
+
# #
|
15
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
16
|
+
# as-vault-token tool. #
|
17
|
+
# #
|
18
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
19
|
+
# #
|
20
|
+
#################################################################################
|
21
|
+
|
22
|
+
#################################################################################
|
23
|
+
# Miscellaneous Windows configuration. #
|
24
|
+
#################################################################################
|
25
|
+
|
1
26
|
netsh advfirewall firewall add rule name="winrm" dir=in action=allow protocol=TCP localport=5985
|
2
27
|
winrm quickconfig -q
|
3
28
|
winrm set winrm/config/service @{AllowUnencrypted="true"}
|
@@ -6,6 +31,21 @@ winrm set winrm/config/service/auth @{Basic="true"}
|
|
6
31
|
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
7
32
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
8
33
|
|
34
|
+
#################################################################################
|
35
|
+
# Install Hashicorp Vault. #
|
36
|
+
#################################################################################
|
37
|
+
|
38
|
+
$wc = New-Object System.Net.WebClient
|
39
|
+
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
40
|
+
$output = "C:\Program Files\vault"
|
41
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
42
|
+
$wc.DownloadFile($url, "$zipfile")
|
43
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
44
|
+
|
45
|
+
#################################################################################
|
46
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
47
|
+
#################################################################################
|
48
|
+
|
9
49
|
$output = "C:\Program Files\vault"
|
10
50
|
New-Item $output -ItemType Directory -Force
|
11
51
|
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>/windows_amd64.zip"
|
@@ -13,6 +53,10 @@ $zipfile = "$output\$($url.Split('/')[-1])"
|
|
13
53
|
$wc.DownloadFile($url, $zipfile)
|
14
54
|
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
15
55
|
|
56
|
+
#################################################################################
|
57
|
+
# Create the tokens.json file containing the Vault access token. #
|
58
|
+
#################################################################################
|
59
|
+
|
16
60
|
$json = @"
|
17
61
|
{
|
18
62
|
"vault-addr": "<%= ENV['GCP_VAULT_ADDR'] %>",
|
@@ -25,4 +69,11 @@ $json = @"
|
|
25
69
|
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
26
70
|
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
27
71
|
|
72
|
+
###### TODO - NEED TO ADD GROUPS STUFF!!!!!
|
73
|
+
|
74
|
+
#################################################################################
|
75
|
+
# Get the real token from the wrapped token and store it in the #
|
76
|
+
# tokens.json file. #
|
77
|
+
#################################################################################
|
78
|
+
|
28
79
|
& "$output\as-vault-tool" tokenrenew
|
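Review bot: The Vault download `$wc.DownloadFile($url, "$zipfile")` runs before `New-Item $output -ItemType Directory -Force` creates `C:\Program Files\vault`, so on a fresh instance WebClient.DownloadFile fails because the target directory does not exist yet — the docker and vagrant variants of this script create the directory first; move the `New-Item` above the Vault section. Neither the Vault release zip nor the as-vault-tool zip from the GCS bucket is checked before `ExtractToDirectory`: compare `(Get-FileHash $zipfile -Algorithm SHA256).Hash` against a pinned value (HashiCorp publishes a `_SHA256SUMS` file per release) and abort on mismatch, and put `$ErrorActionPreference = 'Stop'` at the top so a failed download does not fall through to writing `tokens.json`. `Set-Content -Path 'C:\ProgramData\vault\tokens.json'` inherits the directory's ACL, and the `###### TODO - NEED TO ADD GROUPS STUFF` marker shows the Windows counterpart of the Linux `chmod 0640`/`chown root:vault-tokens` is still missing, so the file holding the wrapped Vault token is presumably readable by every local account until that lands — worth confirming with `icacls`. Vault 0.6.5 is downloaded here but nothing in the visible script invokes it; unless `as-vault-tool` shells out to the binary, dropping that section removes an unverified download from every Google instance.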
@@ -1,6 +1,37 @@
|
|
1
1
|
#!/bin/bash -e
|
2
2
|
|
3
|
+
#################################################################################
|
4
|
+
# PROVISIONING A LINUX BOX #
|
5
|
+
#################################################################################
|
6
|
+
# #
|
7
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
8
|
+
# credentials or certificates. #
|
9
|
+
# #
|
10
|
+
# This bootstrap script provides the capability to do so. #
|
11
|
+
# #
|
12
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
13
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
14
|
+
# is also generated - present in ENV['GCP_VAULT_TOKEN'] - which is used by #
|
15
|
+
# the instance to obtain the real token it needs from Vault. #
|
16
|
+
# #
|
17
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
18
|
+
# as-vault-token tool. #
|
19
|
+
# #
|
20
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
21
|
+
# #
|
22
|
+
#################################################################################
|
23
|
+
|
24
|
+
#################################################################################
|
25
|
+
# Miscellaneous Linux configuration. #
|
26
|
+
#################################################################################
|
27
|
+
|
3
28
|
yum install -y unzip wget
|
29
|
+
|
30
|
+
#################################################################################
|
31
|
+
# Create the tokens.json file so that Chef and other applications can access #
|
32
|
+
# the Vault server. #
|
33
|
+
#################################################################################.
|
34
|
+
|
4
35
|
if [ ! -d /etc/vault ]; then mkdir /etc/vault; fi
|
5
36
|
|
6
37
|
cat << EOF > /etc/vault/tokens.json
|
@@ -12,9 +43,25 @@ cat << EOF > /etc/vault/tokens.json
|
|
12
43
|
}
|
13
44
|
EOF
|
14
45
|
|
46
|
+
groupadd -fg 9897 vault-tokens
|
47
|
+
usermod -aG vault-tokens root
|
48
|
+
|
49
|
+
chmod 0640 /etc/vault/tokens.json
|
50
|
+
chown root:vault-tokens /etc/vault/tokens.json
|
51
|
+
|
52
|
+
#################################################################################
|
53
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
54
|
+
#################################################################################
|
55
|
+
|
15
56
|
if [ ! -d /opt/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %> ]; then
|
16
57
|
mkdir -p /opt/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>
|
17
58
|
fi
|
18
59
|
wget https://storage.googleapis.com/ads-devops-chef/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>/linux_amd64.zip
|
19
60
|
unzip linux_amd64 -d /opt/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>/
|
61
|
+
|
62
|
+
#################################################################################
|
63
|
+
# Get the real token from the wrapped token and store it in the #
|
64
|
+
# tokens.json file. #
|
65
|
+
#################################################################################
|
66
|
+
|
20
67
|
/opt/as-vault-tool/<%= ENV['AS_VAULT_TOOL_VERSION'] %>/as-vault-tool tokenrenew
|
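Review bot: `chmod 0640` and `chown root:vault-tokens` are applied only after `cat << EOF > /etc/vault/tokens.json` has already created the file under the default umask, so the token file is world-readable (normally 0644) for the interval in between and on any run that aborts before the chmod; create it with the right mode first — after the `groupadd`, `install -m 0640 -o root -g vault-tokens /dev/null /etc/vault/tokens.json` and then write the heredoc into it — or put `umask 077` at the top of the script. The `wget` of `linux_amd64.zip` is extracted with `unzip` into `/opt/as-vault-tool` without any integrity check; pin a SHA-256 and run `echo "<sha256>  linux_amd64.zip" | sha256sum -c -` before `unzip`. `usermod -aG vault-tokens root` buys nothing, since root bypasses mode bits anyway; the group is only useful for the non-root services that are meant to read the file.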
@@ -0,0 +1,94 @@
|
|
1
|
+
#################################################################################
|
2
|
+
# PROVISIONING A WINDOWS BOX #
|
3
|
+
#################################################################################
|
4
|
+
# #
|
5
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
6
|
+
# credentials or certificates. #
|
7
|
+
# #
|
8
|
+
# This bootstrap script provides the capability to do so. #
|
9
|
+
# #
|
10
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
11
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
12
|
+
# is also generated which is used by the instance to obtain the real token #
|
13
|
+
# it needs from Vault. #
|
14
|
+
# #
|
15
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
16
|
+
# as-vault-token tool. #
|
17
|
+
# #
|
18
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
19
|
+
# #
|
20
|
+
# When testing a cookbook using the 'sidecar' method this periodic renewal #
|
21
|
+
# along with the added security provided by the wrapper token is not required #
|
22
|
+
# given the Vault instance is located on the test instance. #
|
23
|
+
# #
|
24
|
+
# The token used by the test instance is therefore simply the root token and #
|
25
|
+
# no unwrapping takes place. #
|
26
|
+
# #
|
27
|
+
#################################################################################
|
28
|
+
|
29
|
+
#################################################################################
|
30
|
+
# Miscellaneous Windows configuration. #
|
31
|
+
#################################################################################
|
32
|
+
|
33
|
+
$env:VAULT_ADDR="http://127.0.0.1:8200"
|
34
|
+
$env:VAULT_TOKEN="root"
|
35
|
+
|
36
|
+
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
37
|
+
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
38
|
+
|
39
|
+
#################################################################################
|
40
|
+
# Install Hashicorp Vault #
|
41
|
+
#################################################################################
|
42
|
+
|
43
|
+
New-Item 'C:\Program Files\vault' -ItemType Directory -Force
|
44
|
+
$wc = New-Object System.Net.WebClient
|
45
|
+
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
46
|
+
$output = "C:\Program Files\vault"
|
47
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
48
|
+
$wc.DownloadFile($url, "$zipfile")
|
49
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
50
|
+
|
51
|
+
#################################################################################
|
52
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
53
|
+
#################################################################################
|
54
|
+
|
55
|
+
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/windows_amd64.zip"
|
56
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
57
|
+
$wc.DownloadFile($url, $zipfile)
|
58
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
59
|
+
|
60
|
+
#################################################################################
|
61
|
+
#################################################################################
|
62
|
+
# Everything above this marker in pre-installed on the #
|
63
|
+
# adstudio/windows-provisioned/v* boxes. #
|
64
|
+
#################################################################################
|
65
|
+
#################################################################################
|
66
|
+
|
67
|
+
#################################################################################
|
68
|
+
# Create the tokens.json file containing the Vault access token. #
|
69
|
+
#################################################################################
|
70
|
+
|
71
|
+
$json = @"
|
72
|
+
{
|
73
|
+
"vault-addr": "$env:VAULT_ADDR",
|
74
|
+
"skip-verify": true,
|
75
|
+
"wrapped": "",
|
76
|
+
"access": "$env:VAULT_TOKEN"
|
77
|
+
}
|
78
|
+
"@
|
79
|
+
|
80
|
+
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
81
|
+
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
82
|
+
|
83
|
+
#################################################################################
|
84
|
+
# Create the 'vault-tokens' group so other services/applications apart from #
|
85
|
+
# 'root' can access the file. #
|
86
|
+
#################################################################################
|
87
|
+
|
88
|
+
XXXXX
|
89
|
+
|
90
|
+
#################################################################################
|
91
|
+
# Populate Vault with test secrets using the Chef embedded Ruby. #
|
92
|
+
#################################################################################
|
93
|
+
|
94
|
+
XXXXX
|
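Review bot: The script still contains two literal `XXXXX` placeholders — under "Create the 'vault-tokens' group" and "Populate Vault with test secrets" — which PowerShell will try to run as commands, so the generated bootstrap errors at those lines while the ACL step and the seeding step are simply absent; either implement them or drop the sections until they exist. Because nothing sets `$ErrorActionPreference = 'Stop'`, a failed `DownloadFile` or `ExtractToDirectory` also does not stop the script and `tokens.json` is written anyway; add that line at the top. The root token `$env:VAULT_TOKEN="root"` written into `C:\ProgramData\vault\tokens.json` is acceptable for a throwaway test box as the header explains, but with the ACL step unimplemented the file is presumably readable by any local account — confirm with `icacls`.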
@@ -0,0 +1,80 @@
|
|
1
|
+
#!/bin/bash -e
|
2
|
+
|
3
|
+
#################################################################################
|
4
|
+
# PROVISIONING A LINUX BOX #
|
5
|
+
#################################################################################
|
6
|
+
# #
|
7
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
8
|
+
# credentials or certificates. #
|
9
|
+
# #
|
10
|
+
# This bootstrap script provides the capability to do so. #
|
11
|
+
# #
|
12
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
13
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
14
|
+
# is also generated which is used by the instance to obtain the real token #
|
15
|
+
# it needs from Vault. #
|
16
|
+
# #
|
17
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
18
|
+
# as-vault-token tool. #
|
19
|
+
# #
|
20
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
21
|
+
# #
|
22
|
+
# When testing a cookbook using the 'sidecar' method this periodic renewal #
|
23
|
+
# along with the added security provided by the wrapper token is not required #
|
24
|
+
# given the Vault instance is located on the test instance. #
|
25
|
+
# #
|
26
|
+
# The token used by the test instance is therefore simply the root token and #
|
27
|
+
# no unwrapping takes place. #
|
28
|
+
# #
|
29
|
+
#################################################################################
|
30
|
+
|
31
|
+
#################################################################################
|
32
|
+
# Download and install Hashicorp Vault. #
|
33
|
+
#################################################################################
|
34
|
+
|
35
|
+
wget "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip"
|
36
|
+
unzip vault_0.6.5_linux_amd64.zip -d /usr/bin
|
37
|
+
sudo mkdir /etc/vault
|
38
|
+
|
39
|
+
#################################################################################
|
40
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
41
|
+
#################################################################################
|
42
|
+
|
43
|
+
echo "Download and install as-vault-tool"
|
44
|
+
if [ ! -d "/opt/as-vault-tool/1.0.2" ]; then sudo mkdir -p /opt/as-vault-tool/1.0.2; fi
|
45
|
+
if [ ! -f /opt/as-vault-tool/1.0.2/as-vault-tool ]; then
|
46
|
+
curl --fail -sSO https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/linux_amd64.zip > /dev/null 2>&1
|
47
|
+
sudo unzip linux_amd64 -d /opt/as-vault-tool/1.0.2/
|
48
|
+
fi
|
49
|
+
|
50
|
+
#################################################################################
|
51
|
+
# Use the Vault server on the host machine running under Docker. #
|
52
|
+
#################################################################################
|
53
|
+
|
54
|
+
export VAULT_ADDR=http://10.0.2.2:8200
|
55
|
+
export VAULT_TOKEN=root
|
56
|
+
|
57
|
+
#################################################################################
|
58
|
+
# Create the tokens.json file so that Chef and other applications can access #
|
59
|
+
# the Vault server. #
|
60
|
+
#################################################################################
|
61
|
+
|
62
|
+
echo "Create the addressing file so that Chef and other applications can access the Vault server"
|
63
|
+
cat << EOF > /etc/vault/tokens.json
|
64
|
+
{
|
65
|
+
"vault-addr": "${VAULT_ADDR}",
|
66
|
+
"skip-verify": true,
|
67
|
+
"wrapped": "",
|
68
|
+
"access": "root"
|
69
|
+
}
|
70
|
+
EOF
|
71
|
+
|
72
|
+
#################################################################################
|
73
|
+
# Create the 'vault-tokens' group so other services/applications apart from #
|
74
|
+
# 'root' can access the file. #
|
75
|
+
#################################################################################
|
76
|
+
|
77
|
+
groupadd -fg 9897 vault-tokens
|
78
|
+
usermod -aG vault-tokens root
|
79
|
+
chmod 0640 /etc/vault/tokens.json
|
80
|
+
chown root:vault-tokens /etc/vault/tokens.json
|
@@ -0,0 +1,99 @@
|
|
1
|
+
#################################################################################
|
2
|
+
# PROVISIONING A WINDOWS BOX #
|
3
|
+
#################################################################################
|
4
|
+
# #
|
5
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
6
|
+
# credentials or certificates. #
|
7
|
+
# #
|
8
|
+
# This bootstrap script provides the capability to do so. #
|
9
|
+
# #
|
10
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
11
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
12
|
+
# is also generated which is used by the instance to obtain the real token #
|
13
|
+
# it needs from Vault. #
|
14
|
+
# #
|
15
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
16
|
+
# as-vault-token tool. #
|
17
|
+
# #
|
18
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
19
|
+
# #
|
20
|
+
# Given this script is for local Test-Kitchen use only, the wrapped token is #
|
21
|
+
# generated on the test instance and then unwrapped immediately. No renewal #
|
22
|
+
# takes place when testing - except when testing the as-vault-token #
|
23
|
+
# cookbook of course!
|
24
|
+
# #
|
25
|
+
#################################################################################
|
26
|
+
|
27
|
+
#################################################################################
|
28
|
+
# Miscellaneous Windows configuration. #
|
29
|
+
#################################################################################
|
30
|
+
|
31
|
+
$env:VAULT_ADDR="http://192.168.255.5:8200"
|
32
|
+
$env:VAULT_TOKEN="root"
|
33
|
+
|
34
|
+
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
35
|
+
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
36
|
+
|
37
|
+
#################################################################################
|
38
|
+
# Install Hashicorp Vault. #
|
39
|
+
#################################################################################
|
40
|
+
|
41
|
+
New-Item 'C:\Program Files\vault' -ItemType Directory -Force
|
42
|
+
$wc = New-Object System.Net.WebClient
|
43
|
+
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
44
|
+
$output = "C:\Program Files\vault"
|
45
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
46
|
+
$wc.DownloadFile($url, "$zipfile")
|
47
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
48
|
+
|
49
|
+
#################################################################################
|
50
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
51
|
+
#################################################################################
|
52
|
+
|
53
|
+
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/windows_amd64.zip"
|
54
|
+
$zipfile = "$output\$($url.Split('/')[-1])"
|
55
|
+
$wc.DownloadFile($url, $zipfile)
|
56
|
+
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
57
|
+
|
58
|
+
#################################################################################
|
59
|
+
# Generate the wrapped token which is normally provided by the bootstrapping #
|
60
|
+
# system. #
|
61
|
+
#################################################################################
|
62
|
+
|
63
|
+
$token = ($(& "$output\vault" token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h) -match '^wrapping_token:').Split(' ')[-1].Trim()
|
64
|
+
|
65
|
+
#################################################################################
|
66
|
+
# Create the tokens.json file containing the Vault access token. #
|
67
|
+
#################################################################################
|
68
|
+
|
69
|
+
$json = @"
|
70
|
+
{
|
71
|
+
"vault-addr": "$env:VAULT_ADDR",
|
72
|
+
"skip-verify": true,
|
73
|
+
"wrapped": "$token",
|
74
|
+
"access": ""
|
75
|
+
}
|
76
|
+
"@
|
77
|
+
|
78
|
+
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
79
|
+
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
80
|
+
|
81
|
+
#################################################################################
|
82
|
+
# Create the 'vault-tokens' group so other services/applications apart from #
|
83
|
+
# 'root' can access the file. #
|
84
|
+
#################################################################################
|
85
|
+
|
86
|
+
###### TODO - NEED TO ADD GROUPS STUFF!!!!!
|
87
|
+
|
88
|
+
#################################################################################
|
89
|
+
# Get the real token from the wrapped token and store it in the #
|
90
|
+
# tokens.json file. #
|
91
|
+
#################################################################################
|
92
|
+
|
93
|
+
& "$output\as-vault-tool" tokenrenew
|
94
|
+
|
95
|
+
#################################################################################
|
96
|
+
# Populate Vault with test secrets using the Chef embedded Ruby. #
|
97
|
+
#################################################################################
|
98
|
+
|
99
|
+
XXXXX
|
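Review bot: `$token = (... vault token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h ...)` is parsed from command output with no check that the command succeeded, so if the `nightswatch-ro` role or policy does not exist on the fresh dev Vault (nothing in this diff creates it), `$token` is empty and `tokens.json` is written with `"wrapped": ""` before `as-vault-tool tokenrenew` fails; add `$ErrorActionPreference = 'Stop'` at the top and `if (-not $token) { throw 'wrapping token was not created' }` after the assignment. A 72h wrap TTL is far longer than needed when the header says the token is unwrapped immediately — something like `-wrap-ttl=5m` keeps the exposure window small if the file leaks before unwrap. The trailing `XXXXX` placeholder under "Populate Vault with test secrets" will run as a command and the `###### TODO - NEED TO ADD GROUPS STUFF` marker leaves the ACL on `tokens.json` unaddressed, same as in the docker variant.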
@@ -0,0 +1,90 @@
|
|
1
|
+
#!/bin/bash -e
|
2
|
+
|
3
|
+
#################################################################################
|
4
|
+
# PROVISIONING A LINUX BOX #
|
5
|
+
#################################################################################
|
6
|
+
# #
|
7
|
+
# All our instances need to access Vault in order to retrieve secrets such as #
|
8
|
+
# credentials or certificates. #
|
9
|
+
# #
|
10
|
+
# This bootstrap script provides the capability to do so. #
|
11
|
+
# #
|
12
|
+
# When an instance is created through Terraform or Rundeck, this script is #
|
13
|
+
# provided to bootstrap the box. When the script is generated a wrapper token #
|
14
|
+
# is also generated which is used by the instance to obtain the real token #
|
15
|
+
# it needs from Vault. #
|
16
|
+
# #
|
17
|
+
# Once the real token has been obtained, it is periodicially renewed by the #
|
18
|
+
# as-vault-token tool. #
|
19
|
+
# #
|
20
|
+
# The periodic running of this task is managed by the as-vault-token cookbook. #
|
21
|
+
# #
|
22
|
+
# Given this script is for local Test-Kitchen use only, the wrapped token is #
|
23
|
+
# generated on the test instance and then unwrapped immediately. No renewal #
|
24
|
+
# takes place when testing - except when testing the as-vault-token #
|
25
|
+
# cookbook of course!
|
26
|
+
# #
|
27
|
+
#################################################################################
|
28
|
+
|
29
|
+
#################################################################################
|
30
|
+
# Miscellaneous Windows configuration. #
|
31
|
+
#################################################################################
|
32
|
+
|
33
|
+
export VAULT_ADDR=http://192.168.255.5:8200
|
34
|
+
export VAULT_TOKEN=root
|
35
|
+
|
36
|
+
sudo yum install -y unzip
|
37
|
+
|
38
|
+
#################################################################################
|
39
|
+
# Download and install Hashicorp Vault. #
|
40
|
+
#################################################################################
|
41
|
+
|
42
|
+
wget "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip"
|
43
|
+
unzip vault_0.6.5_linux_amd64.zip -d /usr/bin
|
44
|
+
sudo mkdir /etc/vault
|
45
|
+
|
46
|
+
#################################################################################
|
47
|
+
# Generate the wrapped token which is normally provided by the bootstrapping #
|
48
|
+
# system. #
|
49
|
+
#################################################################################
|
50
|
+
|
51
|
+
token=$(vault token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h | awk '/^wrapping_token:/ {print $2}')
|
52
|
+
|
53
|
+
#################################################################################
|
54
|
+
# Create the tokens.json file so that Chef and other applications can access #
|
55
|
+
# the Vault server. #
|
56
|
+
#################################################################################
|
57
|
+
|
58
|
+
cat << EOF > /etc/vault/tokens.json
|
59
|
+
{
|
60
|
+
"vault-addr": "${VAULT_ADDR}",
|
61
|
+
"skip-verify": true,
|
62
|
+
"wrapped": "${token}",
|
63
|
+
"access": ""
|
64
|
+
}
|
65
|
+
EOF
|
66
|
+
|
67
|
+
#################################################################################
|
68
|
+
# Create the 'vault-tokens' group so other services/applications apart from #
|
69
|
+
# 'root' can access the file. #
|
70
|
+
#################################################################################
|
71
|
+
|
72
|
+
groupadd -fg 9897 vault-tokens
|
73
|
+
usermod -aG vault-tokens root
|
74
|
+
chmod 0640 /etc/vault/tokens.json
|
75
|
+
chown root:vault-tokens /etc/vault/tokens.json
|
76
|
+
|
77
|
+
#################################################################################
|
78
|
+
# Install Advertising Studio's as-vault-tool binary. #
|
79
|
+
#################################################################################
|
80
|
+
|
81
|
+
sudo mkdir -p /opt/as-vault-tool/1.0.2
|
82
|
+
wget https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/linux_amd64.zip
|
83
|
+
sudo unzip linux_amd64 -d /opt/as-vault-tool/1.0.2/
|
84
|
+
|
85
|
+
#################################################################################
|
86
|
+
# Get the real token from the wrapped token and store it in the #
|
87
|
+
# tokens.json file. #
|
88
|
+
#################################################################################
|
89
|
+
|
90
|
+
sudo /opt/as-vault-tool/1.0.2/as-vault-tool tokenrenew
|
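Review bot: Under `#!/bin/bash -e` the pipeline at line 51 only reports awk's exit status, so a failed `vault token-create` leaves `token` empty and tokens.json is written with `"wrapped": ""` without the script stopping; add `set -o pipefail` after the shebang and guard the result with `[ -n "$token" ] || { echo "wrapped token creation failed" >&2; exit 1; }`. The archives fetched at lines 42 and 82 are extracted and executed with root privileges without any checksum check, and the Vault zip is unpacked into /usr/bin without sudo while the neighbouring `mkdir` uses sudo, so that step either fails for a non-root user or silently relies on the whole script running as root; verifying each archive against a pinned SHA256 before `unzip` would make the bootstrap reproducible. `sudo mkdir /etc/vault` at line 44 aborts under -e when the directory already exists, whereas line 81 uses `-p`; `sudo mkdir -p /etc/vault` is consistent. The banner at line 30 reads "Miscellaneous Windows configuration." in a Linux script, the tool is named "as-vault-token" at lines 18 and 20 but "as-vault-tool" at line 78, and "periodicially" at line 17 is a typo.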
@@ -17,9 +17,6 @@ platforms:
|
|
17
17
|
<!--% if @platforms.include?('centos') %-->
|
18
18
|
- name: centos-7.2
|
19
19
|
driver:
|
20
|
-
<!--% if @vault_setup == 'sidecar' %-->
|
21
|
-
box: adstudio/centos-provisioned-v5
|
22
|
-
<!--% end %-->
|
23
20
|
network:
|
24
21
|
- ["private_network", {ip: "192.168.255.10"}]
|
25
22
|
<!--% end %-->
|
Binary file
|
@@ -0,0 +1,17 @@
|
|
1
|
+
|
2
|
+
module Sambot
|
3
|
+
module Testing
|
4
|
+
class Fixtures
|
5
|
+
|
6
|
+
class << self
|
7
|
+
|
8
|
+
def get_path(spec, fixture_file)
|
9
|
+
parts = spec.split('spec')
|
10
|
+
File.join(parts[0], 'spec/fixtures', parts[1] + 'spec', fixture_file)
|
11
|
+
end
|
12
|
+
|
13
|
+
end
|
14
|
+
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
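Review bot: `get_path` at line 8 splits on the bare substring `'spec'`, so any other occurrence of those letters in the path (a home directory or cookbook named `inspector`, say) shifts `parts[0]`/`parts[1]` and yields a wrong fixture path, and a path without `spec` at all fails with a NoMethodError on `nil + 'spec'` rather than a clear error. Splitting on the directory segment and stripping the extension gives the same result for the intended `<repo>/spec/.../x_spec.rb` input: `base, rest = spec.split('/spec/', 2)`, then `raise ArgumentError, "not a spec path: #{spec}" unless rest`, then `File.join(base, 'spec/fixtures', rest.sub(/\.rb\z/, ''), fixture_file)`. A one-line comment above the method such as `# Maps a spec file path to its mirror directory under spec/fixtures and joins fixture_file onto it.` would spell out the convention callers must follow.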
@@ -1,5 +1,6 @@
|
|
1
1
|
require 'yaml'
|
2
2
|
require 'vault'
|
3
|
+
require 'fileutils'
|
3
4
|
|
4
5
|
module Sambot
|
5
6
|
module Testing
|
@@ -7,30 +8,35 @@ module Sambot
|
|
7
8
|
|
8
9
|
class << self
|
9
10
|
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
11
|
+
VAULT_CONFIG_BINARY = 'vault-config'
|
12
|
+
WORKING_DIR = '/tmp/sambot/testing/vault'
|
13
|
+
VAULT_POLICIES_REPO = 'git@github.exacttarget.com:ads-devops/vault-policies.git'
|
14
|
+
|
15
|
+
def setup
|
16
|
+
FileUtils.rm_r(WORKING_DIR) if Dir.exist?(WORKING_DIR)
|
17
|
+
FileUtils.mkpath WORKING_DIR
|
18
|
+
Dir.chdir WORKING_DIR do
|
19
|
+
`git clone --depth=1 --single-branch -q #{VAULT_POLICIES_REPO}`
|
20
|
+
Dir.chdir 'vault-policies/dev/vault-config' do
|
21
|
+
FS.copy(VAULT_CONFIG_BINARY)
|
22
|
+
`./#{VAULT_CONFIG_BINARY} config`
|
23
|
+
end
|
16
24
|
end
|
17
25
|
end
|
18
26
|
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
UI.info("Reading the secrets configuration file")
|
23
|
-
contents = File.read(filename)
|
24
|
-
if contents.empty?
|
27
|
+
def load_secrets(config, src = 'local_testing')
|
28
|
+
UI.info("Reading secrets from the configuration file")
|
29
|
+
if config.secrets.empty?
|
25
30
|
UI.info("No secrets were found in the secrets configuration file")
|
26
31
|
return 0
|
27
32
|
else
|
28
|
-
store_secrets(
|
33
|
+
store_secrets(config.secrets, src)
|
29
34
|
end
|
30
35
|
end
|
31
36
|
|
32
|
-
|
33
|
-
|
37
|
+
private
|
38
|
+
|
39
|
+
def store_secrets(secrets, src)
|
34
40
|
counter = 0
|
35
41
|
secrets.each do |secret|
|
36
42
|
secret['keys'].each do |item|
|
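Review bot: `setup` at line 15 removes and recreates a fixed world-shared path, `WORKING_DIR = '/tmp/sambot/testing/vault'`, so a directory or symlink that another local user pre-creates there is deleted or followed by the test runner; `Dir.mktmpdir('sambot-vault')` (from tmpdir) would give the helper a private directory. The backtick calls at lines 19 and 22 discard the exit status, so a failed `git clone` (no SSH key for the repository, for instance) surfaces later as an Errno::ENOENT from `Dir.chdir 'vault-policies/dev/vault-config'` instead of the real cause; `system("git clone --depth=1 --single-branch -q #{VAULT_POLICIES_REPO}") || raise("git clone of #{VAULT_POLICIES_REPO} failed")`, and the same form for `./#{VAULT_CONFIG_BINARY} config`, would fail fast. `FS.copy(VAULT_CONFIG_BINARY)` at line 21 then executes a binary shipped inside the gem itself, so recording its expected checksum beside the constant and comparing before the run would let a reviewer notice a tampered artifact. The three constants at lines 11-13 are declared inside `class << self`, which makes them constants of the singleton class and unreachable as `VaultHelper::WORKING_DIR` from outside; the usual layout puts them above `class << self`. The `class << self` block and `store_secrets` continue past the end of the hunk.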
data/lib/sambot/version.rb
CHANGED
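--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sambot
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.179
 platform: ruby
 authors:
 - Olivier Kouame
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-07-
+date: 2017-07-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: thor-hollaback
@@ -405,20 +405,20 @@ files:
 - lib/sambot/runtime.rb
 - lib/sambot/template.rb
 - lib/sambot/templates/.config.yml.erb
-- lib/sambot/templates/.
+- lib/sambot/templates/.env
 - lib/sambot/templates/.gitignore.sample
 - lib/sambot/templates/.rubocop.yml
-- lib/sambot/templates/.vault.yml
 - lib/sambot/templates/Berksfile
 - lib/sambot/templates/README.md
 - lib/sambot/templates/Vagrantfile.erb
 - lib/sambot/templates/bootstrap_scripts/google/bootstrap.ps1.erb
 - lib/sambot/templates/bootstrap_scripts/google/bootstrap.sh.erb
-- lib/sambot/templates/bootstrap_scripts/local/
-- lib/sambot/templates/bootstrap_scripts/local/
-- lib/sambot/templates/bootstrap_scripts/local/
-- lib/sambot/templates/bootstrap_scripts/local/
+- lib/sambot/templates/bootstrap_scripts/local/docker/bootstrap.ps1.erb
+- lib/sambot/templates/bootstrap_scripts/local/docker/bootstrap.sh.erb
+- lib/sambot/templates/bootstrap_scripts/local/vagrant/bootstrap.ps1.erb
+- lib/sambot/templates/bootstrap_scripts/local/vagrant/bootstrap.sh.erb
 - lib/sambot/templates/chefignore
+- lib/sambot/templates/docker-compose.yml
 - lib/sambot/templates/git_hooks/pre-commit
 - lib/sambot/templates/git_hooks/pre-push
 - lib/sambot/templates/metadata.rb.erb
@@ -427,9 +427,11 @@ files:
 - lib/sambot/templates/test_kitchen/google.yml.erb
 - lib/sambot/templates/test_kitchen/local.yml.erb
 - lib/sambot/templates/test_kitchen/rackspace.yml.erb
+- lib/sambot/templates/vault-config
 - lib/sambot/templates/vault_helper.rb
 - lib/sambot/templates/winrm_config
 - lib/sambot/testing/consul_helper.rb
+- lib/sambot/testing/fixtures.rb
 - lib/sambot/testing/vault_helper.rb
 - lib/sambot/ui.rb
 - lib/sambot/version.rb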
File without changes
|
File without changes
|
@@ -1,33 +0,0 @@
|
|
1
|
-
$env:VAULT_ADDR="http://127.0.0.1:8200"
|
2
|
-
$env:VAULT_TOKEN="root"
|
3
|
-
|
4
|
-
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
5
|
-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
6
|
-
|
7
|
-
New-Item 'C:\Program Files\vault' -ItemType Directory -Force
|
8
|
-
$wc = New-Object System.Net.WebClient
|
9
|
-
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
10
|
-
$output = "C:\Program Files\vault"
|
11
|
-
$zipfile = "$output\$($url.Split('/')[-1])"
|
12
|
-
$wc.DownloadFile($url, "$zipfile")
|
13
|
-
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
14
|
-
|
15
|
-
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/windows_amd64.zip"
|
16
|
-
$zipfile = "$output\$($url.Split('/')[-1])"
|
17
|
-
$wc.DownloadFile($url, $zipfile)
|
18
|
-
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
19
|
-
|
20
|
-
$token = ($(& "$output\vault" token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h) -match '^wrapping_token:').Split(' ')[-1].Trim()
|
21
|
-
$json = @"
|
22
|
-
{
|
23
|
-
"vault-addr": "$env:VAULT_ADDR",
|
24
|
-
"skip-verify": true,
|
25
|
-
"wrapped": "$token",
|
26
|
-
"access": ""
|
27
|
-
}
|
28
|
-
"@
|
29
|
-
|
30
|
-
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
31
|
-
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
32
|
-
|
33
|
-
& "$output\as-vault-tool" tokenrenew
|
@@ -1,45 +0,0 @@
|
|
1
|
-
#!/bin/bash -e
|
2
|
-
|
3
|
-
echo "Install required tools"
|
4
|
-
sudo yum install -y unzip wget epel-release zlib-devel bzip2 openssl-devel libyaml-devel libffi-devel readline-devel gdbm-devel ncurses-devel gcc gcc-c++ make
|
5
|
-
|
6
|
-
echo "Download and install Hashicorp Vault"
|
7
|
-
if [ ! -f /usr/bin/vault ]; then
|
8
|
-
curl --fail -sSO "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip" > /dev/null 2>&1
|
9
|
-
unzip vault_0.6.5_linux_amd64.zip -d /usr/bin;
|
10
|
-
fi
|
11
|
-
if [ ! -d "/etc/vault" ]; then sudo mkdir /etc/vault; fi
|
12
|
-
|
13
|
-
echo "Download and install Hashicorp Consul"
|
14
|
-
if [ ! -f /usr/bin/consul ]; then
|
15
|
-
curl --fail -sSO "https://releases.hashicorp.com/consul/0.8.5/consul_0.8.5_linux_amd64.zip" > /dev/null 2>&1
|
16
|
-
unzip consul_0.8.5_linux_amd64.zip -d /usr/bin;
|
17
|
-
fi
|
18
|
-
if [ ! -d "/etc/consul" ]; then sudo mkdir /etc/consul; fi
|
19
|
-
|
20
|
-
########## Everything above this line is pre-installed on the 'adstudio-centos-provisioned-v*' box ############
|
21
|
-
|
22
|
-
echo "Launch the Consul Agent in Development mode"
|
23
|
-
consul agent -dev -server -bootstrap < /dev/null &> /dev/null &
|
24
|
-
|
25
|
-
echo "Launch the Vault Server in Development mode"
|
26
|
-
export VAULT_ADDR="http://127.0.0.1:8200"
|
27
|
-
export VAULT_TOKEN="root"
|
28
|
-
vault server -dev -dev-root-token-id=${VAULT_TOKEN} -dev-listen-address=0.0.0.0:8200 < /dev/null &> /dev/null &
|
29
|
-
sleep 5
|
30
|
-
vault mount -path=dev generic
|
31
|
-
|
32
|
-
echo "Create the addressing file so that Chef and other applications can access the Vault server"
|
33
|
-
cat << EOF > /etc/vault/tokens.json
|
34
|
-
{
|
35
|
-
"vault-addr": "${VAULT_ADDR}",
|
36
|
-
"skip-verify": true,
|
37
|
-
"wrapped": "",
|
38
|
-
"access": "root"
|
39
|
-
}
|
40
|
-
EOF
|
41
|
-
|
42
|
-
echo "Populate Vault with test secrets using the Chef embedded Ruby"
|
43
|
-
/opt/chef/embedded/bin/gem install sambot --no-ri --no-doc
|
44
|
-
cd /vagrant
|
45
|
-
/opt/chef/embedded/bin/sambot populate --vault
|
@@ -1,33 +0,0 @@
|
|
1
|
-
$env:VAULT_ADDR="http://192.168.255.5:8200"
|
2
|
-
$env:VAULT_TOKEN="root"
|
3
|
-
|
4
|
-
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
|
5
|
-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
6
|
-
|
7
|
-
New-Item 'C:\Program Files\vault' -ItemType Directory -Force
|
8
|
-
$wc = New-Object System.Net.WebClient
|
9
|
-
$url = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_windows_amd64.zip"
|
10
|
-
$output = "C:\Program Files\vault"
|
11
|
-
$zipfile = "$output\$($url.Split('/')[-1])"
|
12
|
-
$wc.DownloadFile($url, "$zipfile")
|
13
|
-
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
14
|
-
|
15
|
-
$url = "https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/windows_amd64.zip"
|
16
|
-
$zipfile = "$output\$($url.Split('/')[-1])"
|
17
|
-
$wc.DownloadFile($url, $zipfile)
|
18
|
-
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $output)
|
19
|
-
|
20
|
-
$token = ($(& "$output\vault" token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h) -match '^wrapping_token:').Split(' ')[-1].Trim()
|
21
|
-
$json = @"
|
22
|
-
{
|
23
|
-
"vault-addr": "$env:VAULT_ADDR",
|
24
|
-
"skip-verify": true,
|
25
|
-
"wrapped": "$token",
|
26
|
-
"access": ""
|
27
|
-
}
|
28
|
-
"@
|
29
|
-
|
30
|
-
New-Item 'C:\ProgramData\vault' -ItemType Directory -Force
|
31
|
-
Set-Content -Path 'C:\ProgramData\vault\tokens.json' -Value $json
|
32
|
-
|
33
|
-
& "$output\as-vault-tool" tokenrenew
|
@@ -1,24 +0,0 @@
|
|
1
|
-
#!/bin/bash -e
|
2
|
-
|
3
|
-
export VAULT_ADDR=http://192.168.255.5:8200
|
4
|
-
export VAULT_TOKEN=root
|
5
|
-
|
6
|
-
sudo yum install -y unzip
|
7
|
-
wget "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip"
|
8
|
-
unzip vault_0.6.5_linux_amd64.zip -d /usr/bin
|
9
|
-
sudo mkdir /etc/vault
|
10
|
-
|
11
|
-
token=$(vault token-create -policy=nightswatch-ro -role=nightswatch-ro -wrap-ttl=72h | awk '/^wrapping_token:/ {print $2}')
|
12
|
-
cat << EOF > /etc/vault/tokens.json
|
13
|
-
{
|
14
|
-
"vault-addr": "${VAULT_ADDR}",
|
15
|
-
"skip-verify": true,
|
16
|
-
"wrapped": "${token}",
|
17
|
-
"access": ""
|
18
|
-
}
|
19
|
-
EOF
|
20
|
-
|
21
|
-
sudo mkdir -p /opt/as-vault-tool/1.0.2
|
22
|
-
wget https://storage.googleapis.com/ads-devops-chef/as-vault-tool/1.0.2/linux_amd64.zip
|
23
|
-
sudo unzip linux_amd64 -d /opt/as-vault-tool/1.0.2/
|
24
|
-
sudo /opt/as-vault-tool/1.0.2/as-vault-tool tokenrenew
|