talos 0.1.4 → 0.1.12
- checksums.yaml +5 -5
- data/.travis.yml +17 -0
- data/README.md +14 -4
- data/lib/talos.rb +7 -2
- data/spec/fixtures/master +1 -0
- data/talos.gemspec +7 -6
- metadata +47 -31
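--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA256:
+metadata.gz: a8f0efd69cc2ac6c66c14f6eacb00b8aab5728b6f42d075b6434074c0765a8ae
+data.tar.gz: 81fc691b4ccf9728449262103e748a397d399ca0900c62253c05be2dc612eb8f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 96090bf35cdbe9ca0057f13b8c88e6013a5f97c4b4555e49c6e6a6c1c3b66e2780fef4130dea5fd5731a38ddb123cda9b7fa6e26c124aecf5c31c30de388247f
+data.tar.gz: 8d260417b450c139b2ce9eeed458f0448c5ac49ce273ff42f149e62ac8b1e36b7cd0806266ea14f7f51eb61e30c872c9f572b21ed7be996cbb868fc7506dcc0b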
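--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,17 @@
+language: ruby
+rvm:
+- 2.4.9
+- 2.5.3
+- 2.5.7
+- 2.6.5
+- 2.7.0
+- jruby-19mode
+
+deploy:
+provider: rubygems
+on:
+tags: true
+rvm: 2.6.5
+api_key:
+secure: 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
+dist: bionic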
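Review bot: The `rvm` list includes `jruby-19mode` (JRuby in Ruby 1.9 compatibility mode) while the gemspec in this same release pins `sinatra '~> 2.0.8'`, which as far as I recall needs a Ruby 2.2-level runtime, so that job will most likely fail at dependency installation instead of exercising the code; either drop it or replace it with a current `jruby` target. The `deploy` stanza publishes to rubygems on every tag built under `rvm: 2.6.5`, so tag-push permissions on the repository are what gate a release; a one-line comment above `deploy:` saying so would help future maintainers.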
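--- a/data/README.md
+++ b/data/README.md
@@ -4,8 +4,9 @@ Talos
 [](http://badge.fury.io/rb/talos)
 [](https://travis-ci.org/spotify/talos)
 
-Talos is a rack application which
-It authorizes clients based on the SSL certificates issued by the Puppet CA and returns only the files in the
+Talos is a rack application which serves Hiera yaml files over HTTP.
+It authorizes clients based on the SSL certificates issued by the Puppet CA and returns only the files in the
+[Hiera scope](https://docs.puppetlabs.com/hiera/3.0/command_line.html#json-and-yaml-scopes).
 
 Talos is used to store and distribute secrets via Hiera to the masterless puppet clients.
 
@@ -54,6 +55,7 @@ scopes:
 environment: testing
 
 unsafe_scopes: true
+ssl: true
 ```
 
 When receiving a request, Talos iterates over `scopes` list and matches
@@ -70,6 +72,9 @@ scope on collision.
 If `unsafe_scopes` option is enabled, Talos will also add all the parameters
 passed by the client to the Hiera scope.
 
+The `ssl` option defaults to enabled. When disabled, the `fqdn` query parameter
+is used to determine scopes rather than the client certificate.
+
 Hiera
 -----
 You need to provide `/etc/talos/hiera.yaml` file to configure Hiera
@@ -98,6 +103,11 @@ will return only the files that match the Hiera scope of the clients.
 Installing
 ----------
 
+You can use [spotify/talos](https://github.com/spotify/puppet-talos)
+puppet module to install Talos.
+
+### Manual installation
+
 First, install talos using rubygems:
 
 $ gem install talos
@@ -125,7 +135,7 @@ You can run Talos using Passenger or any other application server. Make
 sure you use Puppet SSL keys to validate the client certificates and to
 forward `SSL_CLIENT_S_DN_CN` header:
 
-```
+```apacheconf
 <VirtualHost *:443>
 DocumentRoot "/var/lib/talos/public"
 
@@ -159,7 +169,7 @@ participating, you are expected to honor this code.
 https://github.com/spotify/code-of-conduct/blob/master/code-of-conduct.md
 
 License
-
+-------
 ```text
 Copyright 2013-2016 Spotify AB
 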
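--- a/data/lib/talos.rb
+++ b/data/lib/talos.rb
@@ -24,9 +24,11 @@ require 'archive/tar/minitar'
 require 'pathname'
 include Archive::Tar
 
+
 class Talos < Sinatra::Base
 def self.prepare_config(path)
 set :talos, YAML.load_file(path)
+settings.talos['ssl'] = true if settings.talos['ssl'].nil?
 settings.talos['scopes'].each do |scope_config|
 begin
 scope_config['regexp'] = Regexp.new(scope_config['match'])
@@ -36,7 +38,7 @@ class Talos < Sinatra::Base
 end
 end
 
-configure :development do
+configure :development, :test do
 require 'sinatra/reloader'
 register Sinatra::Reloader
 set :hiera, Hiera::Config::load(File.expand_path('spec/fixtures/hiera.yaml'))
@@ -47,6 +49,7 @@ class Talos < Sinatra::Base
 configure :production do
 set :hiera, Hiera::Config::load(File.expand_path('/etc/talos/hiera.yaml'))
 prepare_config('/etc/talos/talos.yaml')
+warn("SECURITY WARNING: use of ssl is disabled, client requests cannot be authenticated") if !settings.talos['ssl']
 warn("SECURITY WARNING: unsafe_scopes are enabled, SSL authentication bypass is possible") if settings.talos['unsafe_scopes']
 end
 
@@ -97,11 +100,13 @@ class Talos < Sinatra::Base
 end
 
 get '/' do
-
+fqdn_env = request.env['HTTP_SSL_CLIENT_S_DN_CN'] ? request.env['HTTP_SSL_CLIENT_S_DN_CN'] : request.env['SSL_CLIENT_S_DN_CN']
+fqdn = (settings.development? || !settings.talos['ssl']) ? params[:fqdn] : fqdn_env
 scope = get_scope(fqdn)
 files_to_pack = files_in_scope(scope)
 archive = compress_files(files_to_pack)
 content_type 'application/x-gzip'
+headers['content-encoding'] = 'gzip'
 archive.string
 end
 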
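Review bot: The new `fqdn_env` line in the `get '/'` hunk consults `HTTP_SSL_CLIENT_S_DN_CN` before `SSL_CLIENT_S_DN_CN`; in Rack an `HTTP_`-prefixed key is populated from a request header, whereas `SSL_CLIENT_S_DN_CN` is the environment variable the TLS-terminating server sets from the verified certificate, so the value used for authorization should be the server-set one unless the deployment is known to overwrite that header. Prefer the server-set key and only fall back to the header, `fqdn_env = request.env['SSL_CLIENT_S_DN_CN'] || request.env['HTTP_SSL_CLIENT_S_DN_CN']`, and state in the README's Apache section that the forwarded header must be set unconditionally by the TLS terminator rather than passed through. With `ssl: false`, `params[:fqdn]` reaches `get_scope` with no presence check; `get_scope` is outside this hunk, so whether it tolerates a missing parameter cannot be seen here. Adding `headers['content-encoding'] = 'gzip'` on an `application/x-gzip` body means clients that honour the encoding will transparently inflate the response and receive a bare tar stream, which is a behaviour change for existing consumers that the README should mention.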
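--- a/data/spec/fixtures/master
+++ b/data/spec/fixtures/master
@@ -0,0 +1 @@
+spec/fixtures/master.3fa3fd97848a72ae539b75bccd6028cd1d4e92e3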
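--- a/data/talos.gemspec
+++ b/data/talos.gemspec
@@ -1,23 +1,24 @@
 Gem::Specification.new do |s|
-s.version = '0.1.
+s.version = '0.1.12'
 s.name = 'talos'
 s.authors = ['Alexey Lapitsky', 'Johan Haals']
 s.email = 'alexey@spotify.com'
 s.summary = %q{Hiera secrets distribution over HTTP}
 s.description = %q{Distribute compressed hiera yaml files to authenticated puppet clients over HTTP}
 s.homepage = 'https://github.com/spotify/talos'
-s.license = 'Apache
+s.license = 'Apache-2.0'
 
 s.files = `git ls-files`.split($\)
 s.executables = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
 s.test_files = s.files.grep(%r{^(test|spec|features)/})
 s.require_paths = ['lib']
 
-s.add_dependency 'rack', '
-s.add_dependency 'sinatra'
-s.add_dependency 'hiera'
-s.add_dependency 'archive-tar-minitar'
+s.add_dependency 'rack', '2.2.3'
+s.add_dependency 'sinatra', '~> 2.0.8'
+s.add_dependency 'hiera', '~> 3.6.0'
+s.add_dependency 'archive-tar-minitar', '~> 0.5.2'
 s.add_development_dependency 'rake'
+s.add_development_dependency 'rack-test', '~> 1.1.0'
 s.add_development_dependency 'sinatra-contrib'
 s.add_development_dependency 'rspec', '>= 2.9'
 end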
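Review bot: `s.add_dependency 'rack', '2.2.3'` pins a runtime dependency of a library gem to one exact release, so every application that depends on talos is prevented from installing any later rack 2.2.x patch release until talos itself is re-released; a pessimistic constraint such as `s.add_dependency 'rack', '~> 2.2.3'` keeps the floor while allowing patch updates. The same hunk already uses `~>` for `sinatra`, `hiera` and `archive-tar-minitar`, so the rack line is the one inconsistent constraint. If the exact pin is deliberate, a comment above it saying why would stop the next maintainer from "fixing" it.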
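--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: talos
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.12
 platform: ruby
 authors:
 - Alexey Lapitsky
@@ -9,104 +9,118 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2020-08-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - '='
 - !ruby/object:Gem::Version
-version:
+version: 2.2.3
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - '='
 - !ruby/object:Gem::Version
-version:
+version: 2.2.3
 - !ruby/object:Gem::Dependency
 name: sinatra
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 2.0.8
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 2.0.8
 - !ruby/object:Gem::Dependency
 name: hiera
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 3.6.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 3.6.0
 - !ruby/object:Gem::Dependency
 name: archive-tar-minitar
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 0.5.2
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 0.5.2
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: rack-test
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 1.1.0
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 1.1.0
 - !ruby/object:Gem::Dependency
 name: sinatra-contrib
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 - !ruby/object:Gem::Dependency
 name: rspec
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '2.9'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '2.9'
 description: Distribute compressed hiera yaml files to authenticated puppet clients
@@ -116,8 +130,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -125,6 +140,7 @@ files:
 - config.ru
 - lib/talos.rb
 - spec/fixtures/hiera.yaml
+- spec/fixtures/master
 - spec/fixtures/master.3fa3fd97848a72ae539b75bccd6028cd1d4e92e3/common.yaml
 - spec/fixtures/master.3fa3fd97848a72ae539b75bccd6028cd1d4e92e3/fqdn/foo.bar.yaml
 - spec/fixtures/master.3fa3fd97848a72ae539b75bccd6028cd1d4e92e3/role/foobar/testing.yaml
@@ -137,7 +153,7 @@ files:
 - talos.gemspec
 homepage: https://github.com/spotify/talos
 licenses:
-- Apache
+- Apache-2.0
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -145,22 +161,22 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-rubygems_version: 2.0.14
+rubygems_version: 3.0.6
 signing_key:
 specification_version: 4
 summary: Hiera secrets distribution over HTTP
 test_files:
 - spec/fixtures/hiera.yaml
+- spec/fixtures/master
 - spec/fixtures/master.3fa3fd97848a72ae539b75bccd6028cd1d4e92e3/common.yaml
 - spec/fixtures/master.3fa3fd97848a72ae539b75bccd6028cd1d4e92e3/fqdn/foo.bar.yaml
 - spec/fixtures/master.3fa3fd97848a72ae539b75bccd6028cd1d4e92e3/role/foobar/testing.yaml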