
grid-chef-repo: Commit

A Chef repository for building the Grid environment.


Commit MetaInfo

Revision: bb4ec6abb8940d0687b6ba3d842d5a687c908dea (tree)
Time: 2016-01-20 21:53:52
Author: whitestar <whitestar@gaea...>
Committer: whitestar

Log Message

add ssh_utils cookbook.

Change Summary

Diff

--- /dev/null
+++ b/cookbooks/ssh_utils/CHANGELOG.md
@@ -0,0 +1,7 @@
1+ssh_utils CHANGELOG
2+===================
3+
4+0.1.0
5+-----
6+- Initial release of ssh_utils
7+
--- /dev/null
+++ b/cookbooks/ssh_utils/README.md
@@ -0,0 +1,56 @@
1+ssh_utils Cookbook
2+==================
3+
4+This cookbook sets up OpenSSH Server.
5+
6+Requirements
7+------------
8+
9+#### packages
10+- none.
11+
12+#### cookbooks
13+- `ssl_cert` - to deploy SSH-CA public key.
14+
15+Attributes
16+----------
17+
18+#### ssh_utils::default
19+
20+|Key|Type|Description, example|Default|
21+|:--|:--|:--|:--|
22+|`['ssh_utils']['with_ssl_cert_cookbook']`|Boolean|works with `ssl_cert` cookbook.|`false`|
23+|`['ssh_utils']['ssl_cert']['ca_pubkey_name']`|String|deployed SSH-CA public key name.|`nil`|
24+|`['ssh_utils']['sshd_config']['extra_props']['<property_name>']`|String of Array|properties for sshd_config.|empty|
25+
26+Usage
27+-----
28+#### ssh_utils::default
29+- do nothing.
30+
31+#### ssh_utils::server
32+- set up OpenSSH server.
33+- If `node['ssh_utils']['with_ssl_cert_cookbook']` is true,
34+`node['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys']` is overridden
35+ by the file path based on `node['ssh_utils']['ssl_cert']['ca_pubkey_name']` attributes.
36+
37+License and Authors
38+-------------------
39+- Author:: whitestar at osdn.jp
40+
41+```text
42+Copyright 2016, whitestar
43+
44+Licensed under the Apache License, Version 2.0 (the "License");
45+you may not use this file except in compliance with the License.
46+You may obtain a copy of the License at
47+
48+ http://www.apache.org/licenses/LICENSE-2.0
49+
50+Unless required by applicable law or agreed to in writing, software
51+distributed under the License is distributed on an "AS IS" BASIS,
52+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
53+See the License for the specific language governing permissions and
54+limitations under the License.
55+```
56+
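Review bot: the type column for `['ssh_utils']['sshd_config']['extra_props']['<property_name>']` reads "String of Array", but the templates branch on `value.is_a?(String)` / `value.is_a?(Array)`, so this should be "String or Array" (a scalar value, or an array that is emitted as one directive per element, e.g. several `AcceptEnv` lines). The `ssh_utils::server` usage text should also say that the recipe does not deploy the CA public key itself; only the path is wired into `TrustedUserCAKeys`.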
--- /dev/null
+++ b/cookbooks/ssh_utils/attributes/default.rb
@@ -0,0 +1,34 @@
1+#
2+# Cookbook Name:: ssh_utils
3+# Attributes:: default
4+#
5+# Copyright 2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+default['ssh_utils']['with_ssl_cert_cookbook'] = false
21+# If node['ssh_utils']['with_ssl_cert_cookbook'] is true,
22+# node['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys']
23+# is overridden by the following 'ca_pubkey_name' attributes.
24+default['ssh_utils']['ssl_cert']['ca_pubkey_name'] = nil
25+
26+# server
27+default['ssh_utils']['sshd_config'] = {
28+ 'extra_props' => {
29+ # e.g.
30+ #'Banner' => '/etc/issue.net',
31+ #'TrustedUserCAKeys' => '/path/to/ca_public_keys.pub',
32+ },
33+}
34+
--- /dev/null
+++ b/cookbooks/ssh_utils/metadata.rb
@@ -0,0 +1,10 @@
1+name 'ssh_utils'
2+maintainer 'whitestar'
3+maintainer_email ''
4+license 'Apache 2.0'
5+description 'Installs/Configures ssh_utils'
6+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
7+version '0.1.0'
8+
9+depends 'ssl_cert', '>= 0.2.0'
10+
--- /dev/null
+++ b/cookbooks/ssh_utils/recipes/default.rb
@@ -0,0 +1,18 @@
1+#
2+# Cookbook Name:: ssh_utils
3+# Recipe:: default
4+#
5+# Copyright 2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
--- /dev/null
+++ b/cookbooks/ssh_utils/recipes/server.rb
@@ -0,0 +1,57 @@
1+#
2+# Cookbook Name:: ssh_utils
3+# Recipe:: server
4+#
5+# Copyright 2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+if node['ssh_utils']['with_ssl_cert_cookbook'] \
21+ && !node['ssh_utils']['ssl_cert']['ca_pubkey_name'].nil? then
22+ node.override['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys'] \
23+ = node['ssl_cert']["#{node['ssh_utils']['ssl_cert']['ca_pubkey_name']}_pubkey_path"]
24+end
25+
26+[
27+ 'openssh-server',
28+].each {|pkg|
29+ resources(:package => pkg) rescue package pkg do
30+ action :install
31+ end
32+}
33+
34+srv = 'sshd'
35+conf_mode = '0600'
36+
37+case node[:platform_family]
38+ when 'debian'
39+ srv = 'ssh'
40+ conf_mode = '0644'
41+ when 'rhel'
42+ srv = 'sshd'
43+ conf_mode = '0600'
44+end
45+
46+resources(:service => srv) rescue service srv do
47+ action [:enable, :start]
48+end
49+
50+template "/etc/ssh/sshd_config" do
51+ source "etc/ssh/sshd_config"
52+ owner 'root'
53+ group 'root'
54+ mode conf_mode
55+ notifies :restart, "service[#{srv}]"
56+end
57+
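Review bot: when `with_ssl_cert_cookbook` is true the recipe points `TrustedUserCAKeys` at `node['ssl_cert']["#{...}_pubkey_path"]` but never converges `ssl_cert::ca_pubkeys`, so the referenced file exists only if that recipe happens to run earlier in the run_list; add `include_recipe 'ssl_cert::ca_pubkeys'` inside the `if` block (the metadata already depends on `ssl_cert >= 0.2.0`) or state the ordering requirement in the README. Minor: the `then` after the multi-line `if` condition and the `resources(...) rescue ... do` idiom are legal but unusual; `edit_resource`-style lookups or a plain `package 'openssh-server'` read more clearly.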
--- /dev/null
+++ b/cookbooks/ssh_utils/spec/recipes/default_spec.rb
@@ -0,0 +1,20 @@
1+require_relative '../spec_helper'
2+
3+describe 'ssh_utils::default' do
4+ subject { ChefSpec::Runner.new.converge(described_recipe) }
5+
6+ # Write quick specs using `it` blocks with implied subjects
7+ it { should do_something('...') }
8+
9+ # Write full examples using the `expect` syntax
10+ it 'does something' do
11+ expect(subject).to do_something('...')
12+ end
13+
14+ # Use an explicit subject
15+ let(:chef_run) { ChefSpec::Runner.new.converge(described_recipe) }
16+
17+ it 'does something' do
18+ expect(chef_run).to do_something('...')
19+ end
20+end
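Review bot: this is the unedited ChefSpec scaffold: `do_something('...')` is not a matcher, so `rspec` fails on this file as committed, and `ChefSpec::Runner` has been deprecated in favour of `ChefSpec::SoloRunner` since ChefSpec 4. Either replace the three examples with real expectations for the recipes that do something (for `ssh_utils::server`, `expect(chef_run).to install_package('openssh-server')` and `expect(chef_run).to create_template('/etc/ssh/sshd_config')`), or drop the file until there is something to test.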
--- /dev/null
+++ b/cookbooks/ssh_utils/spec/spec_helper.rb
@@ -0,0 +1,25 @@
1+# Added by ChefSpec
2+require 'chefspec'
3+
4+# Uncomment to use ChefSpec's Berkshelf extension
5+# require 'chefspec/berkshelf'
6+
7+RSpec.configure do |config|
8+ # Specify the path for Chef Solo to find cookbooks
9+ # config.cookbook_path = '/var/cookbooks'
10+
11+ # Specify the path for Chef Solo to find roles
12+ # config.role_path = '/var/roles'
13+
14+ # Specify the Chef log_level (default: :warn)
15+ # config.log_level = :debug
16+
17+ # Specify the path to a local JSON file with Ohai data
18+ # config.path = 'ohai.json'
19+
20+ # Specify the operating platform to mock Ohai data from
21+ # config.platform = 'ubuntu'
22+
23+ # Specify the operating version to mock Ohai data from
24+ # config.version = '12.04'
25+end
--- /dev/null
+++ b/cookbooks/ssh_utils/templates/centos/etc/ssh/sshd_config
@@ -0,0 +1,154 @@
1+# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
2+
3+# This is the sshd server system-wide configuration file. See
4+# sshd_config(5) for more information.
5+
6+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
7+
8+# The strategy used for options in the default sshd_config shipped with
9+# OpenSSH is to specify options with their default value where
10+# possible, but leave them commented. Uncommented options change a
11+# default value.
12+
13+#Port 22
14+#AddressFamily any
15+#ListenAddress 0.0.0.0
16+#ListenAddress ::
17+
18+# Disable legacy (protocol version 1) support in the server for new
19+# installations. In future the default will change to require explicit
20+# activation of protocol 1
21+Protocol 2
22+
23+# HostKey for protocol version 1
24+#HostKey /etc/ssh/ssh_host_key
25+# HostKeys for protocol version 2
26+#HostKey /etc/ssh/ssh_host_rsa_key
27+#HostKey /etc/ssh/ssh_host_dsa_key
28+
29+# Lifetime and size of ephemeral version 1 server key
30+#KeyRegenerationInterval 1h
31+#ServerKeyBits 1024
32+
33+# Logging
34+# obsoletes QuietMode and FascistLogging
35+#SyslogFacility AUTH
36+SyslogFacility AUTHPRIV
37+#LogLevel INFO
38+
39+# Authentication:
40+
41+#LoginGraceTime 2m
42+#PermitRootLogin yes
43+#StrictModes yes
44+#MaxAuthTries 6
45+#MaxSessions 10
46+
47+#RSAAuthentication yes
48+#PubkeyAuthentication yes
49+#AuthorizedKeysFile .ssh/authorized_keys
50+#AuthorizedKeysCommand none
51+#AuthorizedKeysCommandRunAs nobody
52+
53+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
54+#RhostsRSAAuthentication no
55+# similar for protocol version 2
56+#HostbasedAuthentication no
57+# Change to yes if you don't trust ~/.ssh/known_hosts for
58+# RhostsRSAAuthentication and HostbasedAuthentication
59+#IgnoreUserKnownHosts no
60+# Don't read the user's ~/.rhosts and ~/.shosts files
61+#IgnoreRhosts yes
62+
63+# To disable tunneled clear text passwords, change to no here!
64+#PasswordAuthentication yes
65+#PermitEmptyPasswords no
66+PasswordAuthentication yes
67+
68+# Change to no to disable s/key passwords
69+#ChallengeResponseAuthentication yes
70+ChallengeResponseAuthentication no
71+
72+# Kerberos options
73+#KerberosAuthentication no
74+#KerberosOrLocalPasswd yes
75+#KerberosTicketCleanup yes
76+#KerberosGetAFSToken no
77+#KerberosUseKuserok yes
78+
79+# GSSAPI options
80+#GSSAPIAuthentication no
81+GSSAPIAuthentication yes
82+#GSSAPICleanupCredentials yes
83+GSSAPICleanupCredentials yes
84+#GSSAPIStrictAcceptorCheck yes
85+#GSSAPIKeyExchange no
86+
87+# Set this to 'yes' to enable PAM authentication, account processing,
88+# and session processing. If this is enabled, PAM authentication will
89+# be allowed through the ChallengeResponseAuthentication and
90+# PasswordAuthentication. Depending on your PAM configuration,
91+# PAM authentication via ChallengeResponseAuthentication may bypass
92+# the setting of "PermitRootLogin without-password".
93+# If you just want the PAM account and session checks to run without
94+# PAM authentication, then enable this but set PasswordAuthentication
95+# and ChallengeResponseAuthentication to 'no'.
96+#UsePAM no
97+UsePAM yes
98+
99+# Accept locale-related environment variables
100+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
101+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
102+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
103+AcceptEnv XMODIFIERS
104+
105+#AllowAgentForwarding yes
106+#AllowTcpForwarding yes
107+#GatewayPorts no
108+#X11Forwarding no
109+X11Forwarding yes
110+#X11DisplayOffset 10
111+#X11UseLocalhost yes
112+#PrintMotd yes
113+#PrintLastLog yes
114+#TCPKeepAlive yes
115+#UseLogin no
116+#UsePrivilegeSeparation yes
117+#PermitUserEnvironment no
118+#Compression delayed
119+#ClientAliveInterval 0
120+#ClientAliveCountMax 3
121+#ShowPatchLevel no
122+#UseDNS yes
123+#PidFile /var/run/sshd.pid
124+#MaxStartups 10:30:100
125+#PermitTunnel no
126+#ChrootDirectory none
127+
128+# no default banner path
129+#Banner none
130+
131+# override default of no subsystems
132+Subsystem sftp /usr/libexec/openssh/sftp-server
133+
134+# Example of overriding settings on a per-user basis
135+#Match User anoncvs
136+# X11Forwarding no
137+# AllowTcpForwarding no
138+# ForceCommand cvs server
139+
140+<%
141+node['ssh_utils']['sshd_config']['extra_props'].each {|key, value|
142+ if value.is_a?(String) then
143+-%>
144+<%= key %> <%= value %>
145+<%
146+ elsif value.is_a?(Array) then
147+ value.each {|elm|
148+-%>
149+<%= key %> <%= elm %>
150+<%
151+ }
152+ end
153+}
154+-%>
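Review bot: `extra_props` are rendered at the very end of the file, but sshd uses the first value obtained for each keyword (sshd_config(5)), so an `extra_props` entry for a keyword this template already sets explicitly (`PasswordAuthentication yes`, `X11Forwarding yes`, `GSSAPIAuthentication yes`, `UsePAM yes`, `Subsystem sftp`) is silently ignored. That defeats the attribute for exactly the hardening an operator is most likely to push through it, e.g. `PasswordAuthentication no`; `PermitRootLogin no` happens to work here only because the keyword is still commented out. Render the `extra_props` block before the fixed directives, or drive those directives from attributes; the same ordering issue exists in the debian, default and ubuntu templates of this commit, where `PermitRootLogin without-password` is set explicitly as well.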
--- /dev/null
+++ b/cookbooks/ssh_utils/templates/debian/etc/ssh/sshd_config
@@ -0,0 +1,93 @@
1+# Package generated configuration file
2+# See the sshd(8) manpage for details
3+
4+# What ports, IPs and protocols we listen for
5+Port 22
6+# Use these options to restrict which interfaces/protocols sshd will bind to
7+#ListenAddress ::
8+#ListenAddress 0.0.0.0
9+Protocol 2
10+# HostKeys for protocol version 2
11+HostKey /etc/ssh/ssh_host_rsa_key
12+HostKey /etc/ssh/ssh_host_dsa_key
13+#Privilege Separation is turned on for security
14+UsePrivilegeSeparation yes
15+
16+# Lifetime and size of ephemeral version 1 server key
17+KeyRegenerationInterval 3600
18+ServerKeyBits 1024
19+
20+# Logging
21+SyslogFacility AUTH
22+LogLevel INFO
23+
24+# Authentication:
25+LoginGraceTime 120
26+PermitRootLogin without-password
27+StrictModes yes
28+
29+RSAAuthentication yes
30+PubkeyAuthentication yes
31+#AuthorizedKeysFile %h/.ssh/authorized_keys
32+
33+# Don't read the user's ~/.rhosts and ~/.shosts files
34+IgnoreRhosts yes
35+# For this to work you will also need host keys in /etc/ssh_known_hosts
36+RhostsRSAAuthentication no
37+# similar for protocol version 2
38+HostbasedAuthentication no
39+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
40+#IgnoreUserKnownHosts yes
41+
42+# To enable empty passwords, change to yes (NOT RECOMMENDED)
43+PermitEmptyPasswords no
44+
45+# Change to yes to enable challenge-response passwords (beware issues with
46+# some PAM modules and threads)
47+ChallengeResponseAuthentication no
48+
49+# Change to no to disable tunnelled clear text passwords
50+#PasswordAuthentication yes
51+
52+# Kerberos options
53+#KerberosAuthentication no
54+#KerberosGetAFSToken no
55+#KerberosOrLocalPasswd yes
56+#KerberosTicketCleanup yes
57+
58+# GSSAPI options
59+#GSSAPIAuthentication no
60+#GSSAPICleanupCredentials yes
61+
62+X11Forwarding yes
63+X11DisplayOffset 10
64+PrintMotd no
65+PrintLastLog yes
66+TCPKeepAlive yes
67+#UseLogin no
68+
69+#MaxStartups 10:30:60
70+#Banner /etc/issue.net
71+
72+# Allow client to pass locale environment variables
73+AcceptEnv LANG LC_*
74+
75+Subsystem sftp /usr/lib/openssh/sftp-server
76+
77+UsePAM yes
78+
79+<%
80+node['ssh_utils']['sshd_config']['extra_props'].each {|key, value|
81+ if value.is_a?(String) then
82+-%>
83+<%= key %> <%= value %>
84+<%
85+ elsif value.is_a?(Array) then
86+ value.each {|elm|
87+-%>
88+<%= key %> <%= elm %>
89+<%
90+ }
91+ end
92+}
93+-%>
--- /dev/null
+++ b/cookbooks/ssh_utils/templates/default/etc/ssh/sshd_config
@@ -0,0 +1,93 @@
1+# Package generated configuration file
2+# See the sshd(8) manpage for details
3+
4+# What ports, IPs and protocols we listen for
5+Port 22
6+# Use these options to restrict which interfaces/protocols sshd will bind to
7+#ListenAddress ::
8+#ListenAddress 0.0.0.0
9+Protocol 2
10+# HostKeys for protocol version 2
11+HostKey /etc/ssh/ssh_host_rsa_key
12+HostKey /etc/ssh/ssh_host_dsa_key
13+#Privilege Separation is turned on for security
14+UsePrivilegeSeparation yes
15+
16+# Lifetime and size of ephemeral version 1 server key
17+KeyRegenerationInterval 3600
18+ServerKeyBits 1024
19+
20+# Logging
21+SyslogFacility AUTH
22+LogLevel INFO
23+
24+# Authentication:
25+LoginGraceTime 120
26+PermitRootLogin without-password
27+StrictModes yes
28+
29+RSAAuthentication yes
30+PubkeyAuthentication yes
31+#AuthorizedKeysFile %h/.ssh/authorized_keys
32+
33+# Don't read the user's ~/.rhosts and ~/.shosts files
34+IgnoreRhosts yes
35+# For this to work you will also need host keys in /etc/ssh_known_hosts
36+RhostsRSAAuthentication no
37+# similar for protocol version 2
38+HostbasedAuthentication no
39+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
40+#IgnoreUserKnownHosts yes
41+
42+# To enable empty passwords, change to yes (NOT RECOMMENDED)
43+PermitEmptyPasswords no
44+
45+# Change to yes to enable challenge-response passwords (beware issues with
46+# some PAM modules and threads)
47+ChallengeResponseAuthentication no
48+
49+# Change to no to disable tunnelled clear text passwords
50+#PasswordAuthentication yes
51+
52+# Kerberos options
53+#KerberosAuthentication no
54+#KerberosGetAFSToken no
55+#KerberosOrLocalPasswd yes
56+#KerberosTicketCleanup yes
57+
58+# GSSAPI options
59+#GSSAPIAuthentication no
60+#GSSAPICleanupCredentials yes
61+
62+X11Forwarding yes
63+X11DisplayOffset 10
64+PrintMotd no
65+PrintLastLog yes
66+TCPKeepAlive yes
67+#UseLogin no
68+
69+#MaxStartups 10:30:60
70+#Banner /etc/issue.net
71+
72+# Allow client to pass locale environment variables
73+AcceptEnv LANG LC_*
74+
75+Subsystem sftp /usr/lib/openssh/sftp-server
76+
77+UsePAM yes
78+
79+<%
80+node['ssh_utils']['sshd_config']['extra_props'].each {|key, value|
81+ if value.is_a?(String) then
82+-%>
83+<%= key %> <%= value %>
84+<%
85+ elsif value.is_a?(Array) then
86+ value.each {|elm|
87+-%>
88+<%= key %> <%= elm %>
89+<%
90+ }
91+ end
92+}
93+-%>
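Review bot: this `default/` template is identical to the Debian one (`/usr/lib/openssh/sftp-server`, Debian host key set, `PermitRootLogin without-password`). Chef selects the template directory by platform name (host, platform-version, platform, default), while `recipes/server.rb` keys its mode/service logic on `node[:platform_family]`; a `rhel`-family node whose platform is not `centos` (e.g. platform `redhat`) therefore gets this Debian layout written with mode 0600 and a `Subsystem sftp` path that does not exist on that family, so sftp breaks after the notified restart. Either add the corresponding platform directories or choose the `source` explicitly from `platform_family` in the recipe.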
--- /dev/null
+++ b/cookbooks/ssh_utils/templates/ubuntu/etc/ssh/sshd_config
@@ -0,0 +1,104 @@
1+# Package generated configuration file
2+# See the sshd_config(5) manpage for details
3+
4+# What ports, IPs and protocols we listen for
5+Port 22
6+# Use these options to restrict which interfaces/protocols sshd will bind to
7+#ListenAddress ::
8+#ListenAddress 0.0.0.0
9+Protocol 2
10+# HostKeys for protocol version 2
11+HostKey /etc/ssh/ssh_host_rsa_key
12+HostKey /etc/ssh/ssh_host_dsa_key
13+HostKey /etc/ssh/ssh_host_ecdsa_key
14+HostKey /etc/ssh/ssh_host_ed25519_key
15+#Privilege Separation is turned on for security
16+UsePrivilegeSeparation yes
17+
18+# Lifetime and size of ephemeral version 1 server key
19+KeyRegenerationInterval 3600
20+ServerKeyBits 1024
21+
22+# Logging
23+SyslogFacility AUTH
24+LogLevel INFO
25+
26+# Authentication:
27+LoginGraceTime 120
28+PermitRootLogin without-password
29+StrictModes yes
30+
31+RSAAuthentication yes
32+PubkeyAuthentication yes
33+#AuthorizedKeysFile %h/.ssh/authorized_keys
34+
35+# Don't read the user's ~/.rhosts and ~/.shosts files
36+IgnoreRhosts yes
37+# For this to work you will also need host keys in /etc/ssh_known_hosts
38+RhostsRSAAuthentication no
39+# similar for protocol version 2
40+HostbasedAuthentication no
41+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
42+#IgnoreUserKnownHosts yes
43+
44+# To enable empty passwords, change to yes (NOT RECOMMENDED)
45+PermitEmptyPasswords no
46+
47+# Change to yes to enable challenge-response passwords (beware issues with
48+# some PAM modules and threads)
49+ChallengeResponseAuthentication no
50+
51+# Change to no to disable tunnelled clear text passwords
52+#PasswordAuthentication yes
53+
54+# Kerberos options
55+#KerberosAuthentication no
56+#KerberosGetAFSToken no
57+#KerberosOrLocalPasswd yes
58+#KerberosTicketCleanup yes
59+
60+# GSSAPI options
61+#GSSAPIAuthentication no
62+#GSSAPICleanupCredentials yes
63+
64+X11Forwarding yes
65+X11DisplayOffset 10
66+PrintMotd no
67+PrintLastLog yes
68+TCPKeepAlive yes
69+#UseLogin no
70+
71+#MaxStartups 10:30:60
72+#Banner /etc/issue.net
73+
74+# Allow client to pass locale environment variables
75+AcceptEnv LANG LC_*
76+
77+Subsystem sftp /usr/lib/openssh/sftp-server
78+
79+# Set this to 'yes' to enable PAM authentication, account processing,
80+# and session processing. If this is enabled, PAM authentication will
81+# be allowed through the ChallengeResponseAuthentication and
82+# PasswordAuthentication. Depending on your PAM configuration,
83+# PAM authentication via ChallengeResponseAuthentication may bypass
84+# the setting of "PermitRootLogin without-password".
85+# If you just want the PAM account and session checks to run without
86+# PAM authentication, then enable this but set PasswordAuthentication
87+# and ChallengeResponseAuthentication to 'no'.
88+UsePAM yes
89+
90+<%
91+node['ssh_utils']['sshd_config']['extra_props'].each {|key, value|
92+ if value.is_a?(String) then
93+-%>
94+<%= key %> <%= value %>
95+<%
96+ elsif value.is_a?(Array) then
97+ value.each {|elm|
98+-%>
99+<%= key %> <%= elm %>
100+<%
101+ }
102+ end
103+}
104+-%>
--- a/cookbooks/ssl_cert/CHANGELOG.md
+++ b/cookbooks/ssl_cert/CHANGELOG.md
@@ -1,9 +1,13 @@
11 ssl_cert CHANGELOG
22 ==================
33
4+0.2.0
5+-----
6+- add `ca_pubkeys` recipe for SSH-CA, ...
7+
48 0.1.5
59 -----
6-- add ['ssl_cert']['rhel']['key_access_group'] attribute.
10+- add `['ssl_cert']['rhel']['key_access_group']` attribute.
711
812 0.1.4
913 -----
@@ -11,7 +15,7 @@ ssl_cert CHANGELOG
1115
1216 0.1.3
1317 -----
14-- add {ca_cert,server_key,server_cert}_file_prefix attributes.
18+- add `{ca_cert,server_key,server_cert}_file_prefix` attributes.
1519
1620 0.1.2
1721 -----
--- a/cookbooks/ssl_cert/README.md
+++ b/cookbooks/ssl_cert/README.md
@@ -7,7 +7,7 @@ Requirements
77 ------------
88
99 #### packages
10-- nothing.
10+- none.
1111
1212 Attributes
1313 ----------
@@ -17,6 +17,7 @@ Attributes
1717 |Key|Type|Description, example|Default|
1818 |:--|:--|:--|:--|
1919 |`['ssl_cert']['ca_names']`|Array|deployed CA certificates from chef-vault|empty|
20+|`['ssl_cert']['ca_pubkey_names']`|Array|deployed CA public keys from chef-vault (0.2.0 or later)|empty|
2021 |`['ssl_cert']['common_names']`|Array|deployed server keys and/or certificates from chef-vault|empty|
2122 |`['ssl_cert']['rhel']['key_access_group']`|String|RHEL family's key access group (ver. 0.1.5 or later)|`'ssl-cert'`|
2223 |`['ssl_cert']['chef_gem']['clear_sources']`|Boolean|chef_gem resource's clear_sources property.|`false`|
@@ -28,6 +29,9 @@ Attributes
2829 |`['ssl_cert']['ca_cert_vault']`|String|CA certificate stored vault name.|`'ca_certs'`|
2930 |`['ssl_cert']['ca_cert_vault_item_key']`|String|CA certificate stored vault item key name. (single key or nested hash key path delimited by slash)|`'public'`|
3031 |`['ssl_cert']['ca_cert_file_prefix']`|String|CA certificate file name's prefix.|`''`|
32+|`['ssl_cert']['ca_pubkey_vault']`|String|CA public key stored vault name. (0.2.0 or later)|`'ca_pubkeys'`|
33+|`['ssl_cert']['ca_pubkey_vault_item_key']`|String|CA public key stored vault item key name. (single key or nested hash key path delimited by slash. 0.2.0 or later)|`'public'`|
34+|`['ssl_cert']['ca_pubkey_file_prefix']`|String|CA public key file name's prefix. (0.2.0 or later)|`''`|
3135 |`['ssl_cert']['server_key_vault']`|String|SSL server key stored vault name.|`'ssl_server_keys'`|
3236 |`['ssl_cert']['server_key_vault_item_key']`|String|SSL server key stored vault item key name. (single key or nested hash key path delimited by slash)|`'private'`|
3337 |`['ssl_cert']['server_key_file_prefix']`|String|SSL server key file name's prefix.|`''`|
@@ -35,6 +39,7 @@ Attributes
3539 |`['ssl_cert']['server_cert_vault_item_key']`|String|SSL server certificate stored vault item key name. (single key or nested hash key path delimited by slash)|`'public'`|
3640 |`['ssl_cert']['server_cert_file_prefix']`|String|SSL server certificate file name's prefix.|`''`|
3741 |`['ssl_cert']["#{ca}_cert_path"]`|String|deployed CA certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.crt"`|
42+|`['ssl_cert']["#{ca}_pubkey_path"]`|String|deployed CA public key file path. (0.2.0 or later)|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.pub"`|
3843 |`['ssl_cert']["#{undotted_cn}_key_path"]`|String|deployed SSL server key file path.|`"#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{undotted_cn}.key"`|
3944 |`['ssl_cert']["#{undotted_cn}_cert_path"]`|String|deployed SSL server certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{undotted_cn}.crt"`|
4045
@@ -44,6 +49,7 @@ Usage
4449 ### recipes
4550 - `ssl_cert::default` - deploys CA certificates, SSL server keys and/or certificates.
4651 - `ssl_cert::ca_certs` - deploys CA certificates.
52+- `ssl_cert::ca_pubkeys` - deploys CA public keys for SSH-CA, ... (0.2.0 or later)
4753 - `ssl_cert::server_key_pairs` - deploys SSL server keys and certificates.
4854 - `ssl_cert::server_keys` - deploys SSL server keys.
4955 - `ssl_cert::server_certs` - deploys SSL server certificates.
@@ -75,6 +81,31 @@ override_attributes(
7581 )
7682 ```
7783
84+#### CA public keys (0.2.0 or later)
85+
86+- create vault items.
87+
88+```text
89+$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.pub")})' \
90+> > ~/tmp/grid_ssh_ca.prod.pub.json
91+
92+$ knife vault create ca_pubkeys grid_ssh_ca.prod \
93+> --json ~/tmp/grid_ssh_ca.prod.pub.json
94+```
95+
96+- add cookbook attributes.
97+
98+```ruby
99+override_attributes(
100+ 'ssl_cert' => {
101+ 'ca_pubkey_names' => [
102+ 'grid_ssh_ca',
103+ # ...
104+ ],
105+ },
106+)
107+```
108+
78109 #### SSL server keys and certificates
79110
80111 - create vault items.
@@ -109,6 +140,7 @@ override_attributes(
109140 ### References of deployed key and certificate file paths (with default attributes)
110141
111142 - `node['ssl_cert']["#{ca}_cert_path"]` - e.g. `node['ssl_cert']['grid_ca_cert_path']`
143+- `node['ssl_cert']["#{ca}_pubkey_path"]` - e.g. `node['ssl_cert']['grid_ssh_ca_pubkey_path']`
112144 - `node['ssl_cert']["#{undotted_cn}_key_path"]` - e.g. `node['ssl_cert']['node_example_com_key_path']`
113145 - `node['ssl_cert']["#{undotted_cn}_cert_path"]` - e.g. `node['ssl_cert']['node_example_com_cert_path']`
114146
--- a/cookbooks/ssl_cert/attributes/default.rb
+++ b/cookbooks/ssl_cert/attributes/default.rb
@@ -22,6 +22,12 @@ default['ssl_cert']['ca_names'] = [
2222 #'grid_ca',
2323 ]
2424
25+# deployed CA public keys from chef-vault
26+# for SSH-CA, ...
27+default['ssl_cert']['ca_pubkey_names'] = [
28+ #'grid_ssh_ca',
29+]
30+
2531 # deployed server keys and/or certificates from chef-vault
2632 default['ssl_cert']['common_names'] = [
2733 #'ldap.grid.example.com',
@@ -57,6 +63,22 @@ default['ssl_cert']['ca_cert_file_prefix'] = ''
5763 > --json ~/tmp/grid_ca.prod.crt.json
5864 =end
5965
66+default['ssl_cert']['ca_pubkey_vault'] = 'ca_pubkeys'
67+default['ssl_cert']['ca_pubkey_vault_item_key'] = 'public'
68+default['ssl_cert']['ca_pubkey_file_prefix'] = ''
69+=begin
70+ CA public key vault item name is
71+ each CA name + ".#{node['ssl_cert']['vault_item_suffix']}".
72+ valut item key is 'public'.
73+
74+ * vault item management
75+
76+ $ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.pub")})' \
77+ > > ~/tmp/grid_ssh_ca.prod.pub.json
78+ $ knife vault create ca_pubkeys grid_ssh_ca.prod \
79+ > --json ~/tmp/grid_ssh_ca.prod.pub.json
80+=end
81+
6082 default['ssl_cert']['server_key_vault'] = 'ssl_server_keys'
6183 default['ssl_cert']['server_key_vault_item_key'] = 'private'
6284 default['ssl_cert']['server_key_file_prefix'] = ''
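Review bot: typo in the new `=begin` block, "valut item key is 'public'" should read "vault item key". The block otherwise duplicates the README's vault-creation example, which is fine for attribute-file documentation.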
@@ -108,6 +130,11 @@ node['ssl_cert']['ca_names'].each {|ca|
108130 = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.crt"
109131 }
110132
133+node['ssl_cert']['ca_pubkey_names'].each {|ca|
134+ default['ssl_cert']["#{ca}_pubkey_path"] \
135+ = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.pub"
136+}
137+
111138 undotted_cns.each {|cn|
112139 default['ssl_cert']["#{cn}_key_path"] \
113140 = "#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{cn}.key"
--- a/cookbooks/ssl_cert/libraries/helper.rb
+++ b/cookbooks/ssl_cert/libraries/helper.rb
@@ -105,6 +105,27 @@ module Helper
105105 end
106106
107107
108+ def ca_public_key(ca)
109+ undotted_ca = ca.gsub('.', '_')
110+
111+ chef_gem_chef_vault
112+ require 'chef-vault'
113+ pubkey = ChefVault::Item.load(
114+ node['ssl_cert']['ca_pubkey_vault'], "#{ca}#{vault_item_suffix}")
115+ node['ssl_cert']['ca_pubkey_vault_item_key'].split('/').each {|elm|
116+ pubkey = pubkey[elm]
117+ }
118+
119+ pubkey_path = node['ssl_cert']["#{undotted_ca}_pubkey_path"]
120+ resources(:file => pubkey_path) rescue file pubkey_path do
121+ content pubkey
122+ owner 'root'
123+ group 'root'
124+ mode 0644
125+ end
126+ end
127+
128+
108129 def server_certificate(cn)
109130 undotted_cn = cn.gsub('.', '_')
110131
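Review bot: `ca_public_key` reads `node['ssl_cert']["#{undotted_ca}_pubkey_path"]`, but `attributes/default.rb` in this commit defines the attribute as `default['ssl_cert']["#{ca}_pubkey_path"]` using the raw name. For a CA name containing a dot the two keys differ, the lookup returns `nil`, and the `file` resource gets no path; the README example `grid_ssh_ca` works only because it has no dot. Use one form on both sides (the server key paths use the undotted name consistently, so defining `"#{undotted_ca}_pubkey_path"` in the attribute file would match them). Minor: prefer the string form `'0644'` over the octal literal `0644` for `mode`, as elsewhere in the cookbook.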
--- a/cookbooks/ssl_cert/metadata.rb
+++ b/cookbooks/ssl_cert/metadata.rb
@@ -4,5 +4,5 @@ maintainer_email ''
44 license 'Apache 2.0'
55 description 'Installs/Configures ssl_cert'
66 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
7-version '0.1.5'
7+version '0.2.0'
88
--- /dev/null
+++ b/cookbooks/ssl_cert/recipes/ca_pubkeys.rb
@@ -0,0 +1,25 @@
1+#
2+# Cookbook Name:: ssl_cert
3+# Recipe:: ca_pubkeys
4+#
5+# Copyright 2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+::Chef::Recipe.send(:include, SSLCert::Helper)
21+
22+node['ssl_cert']['ca_pubkey_names'].each {|ca|
23+ ca_public_key(ca)
24+}
25+