From 66743d3bfd42a8d48f0b4a030c3604aa9bc95b22 Mon Sep 17 00:00:00 2001
From: Alexander Fisher
Date: Wed, 6 Apr 2016 16:31:38 +0100
Subject: [PATCH] Add new eyaml_pkcs7_public/private_key params
This commit adds two new optional parameters. These are eyaml_pkcs7_public_key and eyaml_pkcs7_private_key. If specified, the values will be used in the generated hiera.yaml file. If not given, behaviour remains unchanged and the keys are assumed to be in the 'keysdir' directory. This change allows more complicated hiera eyaml configuration. For example, my current manually configured hiera.yaml contains... ``` :eyaml: :pkcs7_private_key: /etc/puppet/keys/%{::product}/private_key.pkcs7.pem :pkcs7_public_key: /etc/puppet/keys/public/%{::product}_key.pkcs7.pem ``` I have multiple sets of keys, (one pair per 'product'), and the private and public keys aren't in the same directory.
---
 Gemfile | 2 +-
 manifests/init.pp | 88 ++++++++++++++++++++++----------------
 spec/classes/hiera_spec.rb | 55 ++++++++++++++++++++++++
 templates/hiera.yaml.erb | 4 +-
 4 files changed, 109 insertions(+), 40 deletions(-)
diff --git a/Gemfile b/Gemfile
index 9d54f01..a3ebc62 100644
--- a/Gemfile
+++ b/Gemfile
@@ -13,7 +13,7 @@ group :test do
 gem "puppetlabs_spec_helper"
 gem "metadata-json-lint"
 gem "rspec-puppet-facts"
- gem 'rubocop', '0.38.0'
+ gem 'rubocop', '0.33.0'
 gem 'simplecov'
 gem 'simplecov-console'
diff --git a/manifests/init.pp b/manifests/init.pp
index 59f92f8..268976d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -39,45 +39,47 @@
 # Copyright (C) 2014 Terri Haber, unless otherwise noted.
 #
 class hiera (
- $hierarchy = $hiera::params::hierarchy,
- $backends = ['yaml'],
- $hiera_yaml = $hiera::params::hiera_yaml,
- $create_symlink = true,
- $datadir = $hiera::params::datadir,
- $datadir_manage = true,
- $owner = $hiera::params::owner,
- $group = $hiera::params::group,
- $provider = $hiera::params::provider,
- $eyaml = false,
- $eyaml_name = 'hiera-eyaml',
- $eyaml_version = undef,
- $eyaml_source = undef,
- $eyaml_datadir = undef,
- $eyaml_extension = undef,
- $confdir = $hiera::params::confdir,
- $puppet_conf_manage = true,
- $logger = 'console',
- $cmdpath = $hiera::params::cmdpath,
- $create_keys = true,
- $keysdir = undef,
- $deep_merge_name = 'deep_merge',
- $deep_merge_version = undef,
- $deep_merge_source = undef,
- $deep_merge_options = {},
- $merge_behavior = undef,
- $extra_config = '',
- $master_service = $hiera::params::master_service,
- $manage_package = $hiera::params::manage_package,
- $package_name = $hiera::params::package_name,
- $package_ensure = $hiera::params::package_ensure,
- $eyaml_gpg_name = 'hiera-eyaml-gpg',
- $eyaml_gpg_version = undef,
- $eyaml_gpg_source = undef,
- $eyaml_gpg = false,
- $eyaml_gpg_recipients = undef,
+ $hierarchy = $hiera::params::hierarchy,
+ $backends = ['yaml'],
+ $hiera_yaml = $hiera::params::hiera_yaml,
+ $create_symlink = true,
+ $datadir = $hiera::params::datadir,
+ $datadir_manage = true,
+ $owner = $hiera::params::owner,
+ $group = $hiera::params::group,
+ $provider = $hiera::params::provider,
+ $eyaml = false,
+ $eyaml_name = 'hiera-eyaml',
+ $eyaml_version = undef,
+ $eyaml_source = undef,
+ $eyaml_datadir = undef,
+ $eyaml_extension = undef,
+ $confdir = $hiera::params::confdir,
+ $puppet_conf_manage = true,
+ $logger = 'console',
+ $cmdpath = $hiera::params::cmdpath,
+ $create_keys = true,
+ $keysdir = undef,
+ $deep_merge_name = 'deep_merge',
+ $deep_merge_version = undef,
+ $deep_merge_source = undef,
+ $deep_merge_options = {},
+ $merge_behavior = undef,
+ $extra_config = '',
+ $master_service = $hiera::params::master_service,
+ $manage_package = $hiera::params::manage_package,
+ $package_name = $hiera::params::package_name,
+ $package_ensure = $hiera::params::package_ensure,
+ $eyaml_gpg_name = 'hiera-eyaml-gpg',
+ $eyaml_gpg_version = undef,
+ $eyaml_gpg_source = undef,
+ $eyaml_gpg = false,
+ $eyaml_gpg_recipients = undef,
+ $eyaml_pkcs7_private_key = undef,
+ $eyaml_pkcs7_public_key = undef,
 #Deprecated
- $gem_source = undef,
+ $gem_source = undef,
 ) inherits hiera::params {
 if $keysdir {
@@ -86,6 +88,18 @@
 $_keysdir = "${confdir}/keys"
 }
+ if $eyaml_pkcs7_private_key {
+ $_eyaml_pkcs7_private_key = $eyaml_pkcs7_private_key
+ } else {
+ $_eyaml_pkcs7_private_key = "${_keysdir}/private_key.pkcs7.pem"
+ }
+
+ if $eyaml_pkcs7_public_key {
+ $_eyaml_pkcs7_public_key = $eyaml_pkcs7_public_key
+ } else {
+ $_eyaml_pkcs7_public_key = "${_keysdir}/public_key.pkcs7.pem"
+ }
+
 if $eyaml_source {
 $_eyaml_source = $eyaml_source
 } else {
diff --git a/spec/classes/hiera_spec.rb b/spec/classes/hiera_spec.rb
index b0ac5ee..5ad9a6c 100644
--- a/spec/classes/hiera_spec.rb
+++ b/spec/classes/hiera_spec.rb
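Review bot: The new `$eyaml_pkcs7_private_key` and `$eyaml_pkcs7_public_key` parameters in the first manifests/init.pp hunk are accepted without any check, and nothing visible documents them in the class header comment (only its last lines appear above the hunk). The values end up verbatim in hiera.yaml, so a relative path or typo would only surface later as an eyaml decryption failure on the master. If the module already depends on puppetlabs-stdlib (not visible here), a guard such as `if $eyaml_pkcs7_private_key { validate_absolute_path($eyaml_pkcs7_private_key) }`, repeated for the public key, would reject bad input at compile time. I would also add header entries saying that each parameter is a full file path that replaces the `keysdir`-derived default for that key only. The class body continues outside the hunk.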
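Review bot: The defaulting block in the second manifests/init.pp hunk lets hiera.yaml point away from `$_keysdir`, but nothing visible reconciles that with `create_keys`, which still defaults to `true`. If key generation elsewhere in the class targets `$_keysdir` (outside this hunk, so please confirm), setting `eyaml_pkcs7_private_key` leaves an unused generated key pair on disk, while the module never manages the ownership or mode of the private key actually in use. I would document that custom paths belong with `create_keys => false` and that the private key file must be readable only by the Puppet master user, or add a `fail()` when both are set. The enclosing class starts and ends outside the hunk.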
@@ -18,6 +18,61 @@
 it { should contain_class("hiera::deep_merge") }
 it { should contain_package("hiera") }
 end
+ describe 'hiera.yaml template' do
+ context 'when eyaml = false' do
+ it 'should not contain :eyaml: section' do
+ content = catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content]
+ expect(content).not_to include(':eyaml:')
+ end
+ it do
+ content = catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content]
+ expect(content).not_to include('pkcs7_private_key')
+ end
+ it do
+ content = catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content]
+ expect(content).not_to include('pkcs7_public_key')
+ end
+ end
+ context 'when eyaml = true' do
+ let(:params) { { :eyaml => true } }
+ it 'should contain an :eyaml: section' do
+ content = catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content]
+ expect(content).to include(':eyaml:')
+ end
+ context 'when eyaml_pkcs7_private_key not set (default)' do
+ it do
+ content = catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content]
+ expect(content).to match(/:pkcs7_private_key: \/etc\/puppet\/keys\/private_key\.pkcs7\.pem/)
+ end
+ end
+ context 'when eyaml_pkcs7_private_key set' do
+ let(:params) { {
+ :eyaml => true,
+ :eyaml_pkcs7_private_key => '/path/to/private.key'
+ } }
+ it 'should use the provided private key path' do
+ content = catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content]
+ expect(content).to match(/:pkcs7_private_key: \/path\/to\/private\.key/)
+ end
+ end
+ context 'when eyaml_pkcs7_public_key not set (default)' do
+ it do
+ content = catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content]
+ expect(content).to match(/:pkcs7_public_key: \/etc\/puppet\/keys\/public_key\.pkcs7\.pem/)
+ end
+ end
+ context 'when eyaml_pkcs7_public_key set' do
+ let(:params) { {
+ :eyaml => true,
+ :eyaml_pkcs7_public_key => '/path/to/public.key'
+ } }
+ it 'should use the provided public key path' do
+ content = catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content]
+ expect(content).to match(/:pkcs7_public_key: \/path\/to\/public\.key/)
+ end
+ end
+ end
+ end
 end
 context "pe puppet 3" do
 let(:facts) do
diff --git a/templates/hiera.yaml.erb b/templates/hiera.yaml.erb
index 72551cd..762d141 100644
--- a/templates/hiera.yaml.erb
+++ b/templates/hiera.yaml.erb
@@ -21,8 +21,8 @@ end -%>
 <% if @eyaml_extension -%>
 :extension: <%= @eyaml_extension %>
 <% end -%>
- :pkcs7_private_key: <%= @_keysdir %>/private_key.pkcs7.pem
- :pkcs7_public_key: <%= @_keysdir %>/public_key.pkcs7.pem
+ :pkcs7_private_key: <%= @_eyaml_pkcs7_private_key %>
+ :pkcs7_public_key: <%= @_eyaml_pkcs7_public_key %>
 <% end -%>
 <% if @eyaml_gpg -%>
 :encrypt_method: "gpg"
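Review bot: The `match` patterns added in spec/classes/hiera_spec.rb are open-ended, so a rendered value such as `/path/to/private.key.old` would still satisfy the private-key expectation; ending each pattern with `$` pins the whole path. The lookup is also repeated in every example and several examples are bare `it do` blocks, so a failure does not say which key path regressed. Hoisting it into `let(:content) { catalogue.resource('file', '/etc/puppet/hiera.yaml').send(:parameters)[:content] }` under `describe 'hiera.yaml template'` and giving each `it` a description would fix that. An example that sets both parameters at once would additionally show that neither override leaks into the other key. The enclosing context begins outside the hunk.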
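Review bot: Both values in the templates/hiera.yaml.erb hunk are now entirely caller-supplied, yet they are still emitted as unquoted YAML scalars. A path that begins with an interpolation token (constructed example: `%{::keyroot}/private_key.pkcs7.pem`) cannot be a plain scalar because of the leading `%`, and a value containing `: ` or ` #` would be split or truncated, leaving hiera.yaml unparseable or pointing at the wrong key file. Quoting them, as the `:encrypt_method: "gpg"` line below already does, avoids this: `:pkcs7_private_key: "<%= @_eyaml_pkcs7_private_key %>"` and `:pkcs7_public_key: "<%= @_eyaml_pkcs7_public_key %>"`. The new spec patterns would then need the opening quote added. The enclosing `if` block starts outside the hunk.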