PR for issue #34, use salt api for minion key accept #43
Conversation
.kitchen.yml
Outdated
| @@ -38,11 +38,16 @@ suites: | |||
| includes: | |||
| - centos-7.2 | |||
| - name: salt-api | |||
| data_bags_path: "test/integration/default/data_bags" | |||
There was a problem hiding this comment.
integration/default => fixtures
.kitchen.yml
Outdated
| @@ -38,11 +38,16 @@ suites: | |||
| includes: | |||
| - centos-7.2 | |||
| - name: salt-api | |||
| data_bags_path: "test/integration/default/data_bags" | |||
| encrypted_data_bag_secret_key_path: "test/integration/default/encrypted_data_bag_secret" | |||
attributes/minion.rb
Outdated
| @@ -24,3 +24,17 @@ | |||
| 'id' => node.name, | |||
| 'grains' => {}, | |||
| } | |||
|
|
|||
| default['salt']['minion']['api'] = { | |||
There was a problem hiding this comment.
api => master_api? (since minion doesn't have the concept of an api)
libraries/helpers.rb
Outdated
| begin | ||
| Chef::Log.info("Connecting to host=#{host}, port=#{port}, use_ssl=#{options['use_ssl']}, verify=#{options['verify']}") | ||
|
|
||
| https = Net::HTTP.new(host, port) |
There was a problem hiding this comment.
any reason to do this yourself and not use the salt-api gem?
There was a problem hiding this comment.
thank you for pointing out, will use salt-api gem
recipes/master.rb
Outdated
| @@ -20,6 +20,15 @@ | |||
| action :enable | |||
| end | |||
|
|
|||
| user node['salt']['master']['api']['user']['name'] do | |||
There was a problem hiding this comment.
This should be left up to a wrapper cookbook. People may want to use existing users and adding it here would cause resource cloning (which will break in April)
There was a problem hiding this comment.
I am inclined to make the user setup optional to avoid such an issue rather than left it to a wrapper cookbook. If cookbook requires a user to function, user resource should be included in the cookbook itself with option to enable/disable.
There was a problem hiding this comment.
Putting the user resource here assumes that someone doesn't already have the needed user. A lot of people, including me, create service users separate with quite different properties listed. Also, if a user named saltapi is already created somewhere else, this will break in Chef13 unless someone explicitly sets the name even if they don't use the resource.
I could see this staying if it was actually put into an if block instead of using an only_if. Then doing the following
node['salt']['master']['api']['user'].tap{ |x| x.delete('enable') }.each do |config, value|
send(config.to_sym, value) unless value.nil?
end
There was a problem hiding this comment.
Agreed to put user resource in a block if default['salt']['master']['api']['user']['enable'] == true in favor of Chef13.
For scenarios where user already exists, it is still possible to change the user name by setting default['salt']['master']['api']['user']['name']. But, it would not matter if wrapped around an if block.
recipes/master.rb
Outdated
| @@ -87,6 +98,28 @@ | |||
| end | |||
| end | |||
|
|
|||
| # salt-api default user acl | |||
| # TODO: to be replaced by LWRP `external_auth` | |||
| default_user_acl = { | |||
There was a problem hiding this comment.
This should be part of node['salt']['master']['config'] and not broken out into a separate file
recipes/master.rb
Outdated
| default_user_acl = { | ||
| 'external_auth' => { | ||
| 'pam' => { | ||
| 'saltapi' => [ |
There was a problem hiding this comment.
user should not be hardcoded here
recipes/master.rb
Outdated
| }, | ||
| }.to_yaml | ||
|
|
||
| file 'default-api-user.conf' do |
There was a problem hiding this comment.
do you mean file[default-api-user.conf user? I will also add a check to remove this file if api is not enabled.
There was a problem hiding this comment.
It is not needed since this partially duplicates what is in the main yaml conf
recipes/minion.rb
Outdated
| @@ -75,3 +76,29 @@ | |||
| ohai 'salt' do | |||
| action :nothing | |||
| end if defined?(ChefSpec) | |||
|
|
|||
| api_password = node['salt']['key_accept_method'] == 'api_key_accept' ? Chef::EncryptedDataBagItem.load(node['salt']['minion']['api']['databag']['name'], node['salt']['minion']['api']['databag']['item'])[node['salt']['minion']['api']['databag']['key']] : nil | |||
There was a problem hiding this comment.
This should be put into a helper method
recipes/minion.rb
Outdated
| block do | ||
| salt_accept_key(options) | ||
| end | ||
| only_if { node['salt']['key_accept_method'] == 'api_key_accept' && Mixlib::ShellOut.new('salt-call test.ping').run_command.exitstatus != 0 } |
There was a problem hiding this comment.
if the test.ping fails, then a warning should be output saying the api call to the master is being skipped
|
@shortdudey123 Sound reasonable. I will give it one more try. |
|
@vkhatri hows it going on your end with the feedback? anything i can do on my end? |
|
@shortdudey123 will submit a revised PR over the weekend. |
|
Sounds good |
|
@shortdudey123 Got all the changes in place, just finishing up specs. |
|
Sounds good :) |
|
Travis is failing because of an issue with https://travis-ci.org/shortdudey123/chef-salt/jobs/210111392#L488 +---
+external_auth:
+ pam:
+ saltapi: !ruby/array:Chef::Node::ImmutableArray
+ internal:
+ - "@wheel"
+ ivars:
+ :@__path__: []
+ :@__root__:
+ :@__node__:
+ :@__precedence__: It would be great if you could merge this PR. |
| include_recipe 'salt::_setup' | ||
|
|
||
| node.default['salt']['master']['config']['external_auth'] = { | ||
| 'pam' => { | ||
| node['salt']['master']['api']['user']['name'] => [ |
There was a problem hiding this comment.
need to add .to_s at the end of the node attribute, otherwise it stores a Chef::Node::ImmutableArray instead of a String
|
The new changes look fine in a quick skim over of them. I will review them in more detail this week. |
No description provided.