From 42f955e42a3cd7bab95c2eb743ff2c913498bbc2 Mon Sep 17 00:00:00 2001 From: kitchen-porter Date: Wed, 2 Feb 2022 18:03:35 +0000 Subject: [PATCH 1/5] Standardise files with files in sous-chefs/repo-management Signed-off-by: kitchen-porter --- .overcommit.yml | 4 ---- CHANGELOG.md | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.overcommit.yml b/.overcommit.yml index 1d27ed8d..cd8682a0 100644 --- a/.overcommit.yml +++ b/.overcommit.yml @@ -11,10 +11,6 @@ PreCommit: enabled: true required_executable: 'cookstyle' command: ["cookstyle"] - Delivery: - enabled: true - required_executable: 'delivery' - flags: ['local', 'all'] CommitMsg: HardTabs: enabled: true diff --git a/CHANGELOG.md b/CHANGELOG.md index b0908bbb..37c3582b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ This file is used to list changes made in each version of the openvpn cookbook. ## Unreleased +Standardise files with files in sous-chefs/repo-management + ## 5.4.0 - *2022-01-18* - resolved cookstyle error: recipes/server.rb:88:3 refactor: `Chef/RedundantCode/UseCreateIfMissing` From 54bcddfef45e94e0c15a8cfd37e7c1a53840bf5b Mon Sep 17 00:00:00 2001 From: Lance Albertson Date: Fri, 4 Feb 2022 15:59:19 -0800 Subject: [PATCH 2/5] Remove delivery and move to calling RSpec directly via a reusable workflow Signed-off-by: Lance Albertson --- .delivery/project.toml | 9 --------- .github/workflows/ci.yml | 29 +++-------------------------- CHANGELOG.md | 2 +- 3 files changed, 4 insertions(+), 36 deletions(-) delete mode 100644 .delivery/project.toml diff --git a/.delivery/project.toml b/.delivery/project.toml deleted file mode 100644 index 0d6f0ae9..00000000 --- a/.delivery/project.toml +++ /dev/null @@ -1,9 +0,0 @@ -[local_phases] -unit = "rspec spec/" -lint = 'cookstyle --display-cop-names --extra-details' -syntax = "echo skipping" -provision = "echo skipping" -deploy = "echo skipping" -smoke = "echo skipping" -functional = "echo skipping" -cleanup = "echo skipping" 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dd4809cf..7837c027 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,34 +8,11 @@ name: ci - main jobs: - delivery: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v2 - - name: Run Chef Delivery - uses: actionshub/chef-delivery@main - env: - CHEF_LICENSE: accept-no-persist - - yamllint: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v2 - - name: Run yaml Lint - uses: actionshub/yamllint@main - - mdl: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v2 - - name: Run Markdown Lint - uses: actionshub/markdownlint@main + lint-unit: + uses: sous-chefs/.github/.github/workflows/lint-unit.yml@0.0.3 integration: - needs: [mdl, yamllint, delivery] + needs: lint-unit runs-on: ubuntu-latest strategy: matrix: diff --git a/CHANGELOG.md b/CHANGELOG.md index 37c3582b..261aa0b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ This file is used to list changes made in each version of the openvpn cookbook. ## Unreleased -Standardise files with files in sous-chefs/repo-management +- Remove delivery and move to calling RSpec directly via a reusable workflow ## 5.4.0 - *2022-01-18* From 6dd0919c937b4006f6d612c2036ecf9d7782762a Mon Sep 17 00:00:00 2001 From: Lance Albertson Date: Fri, 4 Feb 2022 16:04:06 -0800 Subject: [PATCH 3/5] Update tested platforms Signed-off-by: Lance Albertson --- .github/workflows/ci.yml | 10 ++++-- CHANGELOG.md | 2 ++ kitchen.yml | 45 ++++++++++++-------------- recipes/service.rb | 4 +-- resources/conf.rb | 2 +- test/integration/server/server_test.rb | 14 ++++---- 6 files changed, 38 insertions(+), 39 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7837c027..134b5b14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
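Review bot: The new `lint-unit` job references the reusable workflow by the tag `0.0.3`, which is a mutable ref; if the upstream tag is moved, this pipeline silently runs different lint/unit code on every push. Pinning to the full commit SHA of that release, with the tag kept as a trailing comment, e.g. `uses: sous-chefs/.github/.github/workflows/lint-unit.yml@<commit-sha-of-0.0.3>  # 0.0.3`, gives an immutable reference that Dependabot can still bump. The `integration` job's steps continue outside the hunk; if they still use tag-pinned actions such as `actions/checkout@v2`, the same treatment is presumably worth applying there.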
@@ -17,12 +17,16 @@ jobs: strategy: matrix: os: + - 'almalinux-8' - 'amazonlinux-2' - 'centos-7' - - 'centos-8' - - 'debian-9' - - 'ubuntu-1604' + - 'centos-stream-8' + - 'debian-10' + - 'debian-11' + - 'fedora-latest' + - 'rockylinux-8' - 'ubuntu-1804' + - 'ubuntu-2004' suite: - 'server' - 'server-verification' diff --git a/CHANGELOG.md b/CHANGELOG.md index 261aa0b8..5b2ed123 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,8 @@ This file is used to list changes made in each version of the openvpn cookbook. ## Unreleased - Remove delivery and move to calling RSpec directly via a reusable workflow +- Update tested platforms +- Fix Fedora ## 5.4.0 - *2022-01-18* diff --git a/kitchen.yml b/kitchen.yml index 0fb973a8..58b17fd9 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -18,40 +18,34 @@ verifier: # currently only support 2 last major revs of distros (at the most) platforms: + - name: almalinux-8 + driver: + image: dokken/almalinux-8 + pid_one_command: /usr/lib/systemd/systemd + - name: amazonlinux-2 driver: image: dokken/amazonlinux-2 pid_one_command: /usr/lib/systemd/systemd - - name: debian-8 + - name: debian-10 driver: - image: dokken/debian-8 + image: dokken/debian-10 pid_one_command: /bin/systemd - intermediate_instructions: - - RUN /usr/bin/apt-get update - - name: debian-9 + - name: debian-11 driver: - image: dokken/debian-9 + image: dokken/debian-11 pid_one_command: /bin/systemd - intermediate_instructions: - - RUN /usr/bin/apt-get update - - - name: debian-10 - driver: - image: dokken/debian-10 - pid_one_command: /bin/systemd - intermediate_instructions: - - RUN /usr/bin/apt-get update - name: centos-7 driver: image: dokken/centos-7 pid_one_command: /usr/lib/systemd/systemd - - name: centos-8 + - name: centos-stream-8 driver: - image: dokken/centos-8 + image: dokken/centos-stream-8 pid_one_command: /usr/lib/systemd/systemd - name: fedora-latest 
@@ -59,19 +53,20 @@ platforms: image: dokken/fedora-latest pid_one_command: /usr/lib/systemd/systemd - - name: ubuntu-16.04 + - name: ubuntu-18.04 driver: - image: dokken/ubuntu-16.04 + image: dokken/ubuntu-18.04 pid_one_command: /bin/systemd - intermediate_instructions: - - RUN /usr/bin/apt-get update - - name: ubuntu-18.04 + - name: ubuntu-20.04 driver: - image: dokken/ubuntu-18.04 + image: dokken/ubuntu-20.04 pid_one_command: /bin/systemd - intermediate_instructions: - - RUN /usr/bin/apt-get update + + - name: rockylinux-8 + driver: + image: dokken/rockylinux-8 + pid_one_command: /usr/lib/systemd/systemd suites: - name: server diff --git a/recipes/service.rb b/recipes/service.rb index 6274af60..38d12125 100644 --- a/recipes/service.rb +++ b/recipes/service.rb @@ -36,10 +36,10 @@ service_name = 'openvpn' end when 'fedora' - link "/etc/systemd/system/multi-user.target.wants/openvpn@#{node['openvpn']['type']}.service" do + link "/etc/systemd/system/multi-user.target.wants/openvpn-#{node['openvpn']['type']}@#{node['openvpn']['type']}.service" do to '/usr/lib/systemd/system/openvpn@.service' end - service_name = "openvpn@#{node['openvpn']['type']}.service" + service_name = "openvpn-#{node['openvpn']['type']}@#{node['openvpn']['type']}.service" when 'amazon' case node['platform_version'].to_i when 2 diff --git a/resources/conf.rb b/resources/conf.rb index 1d66082c..e218c9b1 100644 --- a/resources/conf.rb +++ b/resources/conf.rb @@ -23,7 +23,7 @@ property :push_options, Array action :create do - conf_location = if platform_family?('rhel') && node['platform_version'].to_i >= 8 + conf_location = if (platform_family?('rhel') && node['platform_version'].to_i >= 8) || platform_family?('fedora') "/etc/openvpn/#{new_resource.name}/#{new_resource.name}.conf" else "/etc/openvpn/#{new_resource.name}.conf" diff --git a/test/integration/server/server_test.rb b/test/integration/server/server_test.rb index 1bdae1ee..b2874a35 100644 --- a/test/integration/server/server_test.rb 
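Review bot: The new `rockylinux-8` platform is appended after `ubuntu-20.04`, whereas the rest of the `platforms:` list (which starts in the previous hunk) and the ci.yml matrix keep alphabetical order (`almalinux-8`, `amazonlinux-2`, `centos-7`, …). Moving the entry up next to `almalinux-8` keeps kitchen.yml and the CI matrix diffable against each other when platforms are added or retired.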
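Review bot: The Fedora `link` name now refers to `openvpn-#{type}@#{type}.service`, but its `to` target is unchanged at `/usr/lib/systemd/system/openvpn@.service`, the legacy template; the integration test in this same series expects `service('openvpn-server@server')` on Fedora, which suggests the per-type templates (`openvpn-server@.service` / `openvpn-client@.service`) are the units actually shipped, so the link name and its target may no longer describe the same unit. Confirm against the Fedora package and, if so, point the link at the matching template, e.g. `to "/usr/lib/systemd/system/openvpn-#{node['openvpn']['type']}@.service"`. The enclosing `case` statement starts and ends outside the hunk.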
+++ b/test/integration/server/server_test.rb @@ -1,17 +1,15 @@ # this is done in a similar fashion to # https://github.com/xhost-cookbooks/openvpn/blob/master/recipes/service.rb -if (os[:name] == 'redhat' && os[:release] >= '7') || - (os[:name] == 'centos' && os[:release] < '8') || - (os[:name] == 'debian' && os[:release] >= '8') || - (os[:name] == 'ubuntu' && os[:release] >= '15.04') || - (os[:name] == 'amazon' && os[:release] >= '2') || - (os[:name] == 'fedora') +if (os[:family] == 'redhat' && os[:release].to_i < 8) || + (os[:name] == 'debian') || + (os[:name] == 'ubuntu') || + (os[:name] == 'amazon') describe service('openvpn@server') do it { is_expected.to be_enabled } it { is_expected.to be_running } end -elsif os[:name] == 'centos' && os[:release] >= '8' +elsif (os[:family] == 'redhat' && os[:release] >= '8') || os[:family] == 'fedora' describe service('openvpn-server@server') do it { is_expected.to be_enabled } it { is_expected.to be_running } @@ -23,7 +21,7 @@ end end -conf_location = if os[:name] == 'centos' && os[:release] >= '8' +conf_location = if (os[:family] == 'redhat' && os[:release] >= '8') || os[:family] == 'fedora' '/etc/openvpn/server/server.conf' else '/etc/openvpn/server.conf' From f28f8fa0fd61bab1e070ac9ba0888cfafdc0782b Mon Sep 17 00:00:00 2001 From: Lance Albertson Date: Mon, 7 Feb 2022 09:07:21 -0800 Subject: [PATCH 4/5] Enable unified_mode and require Chef >= 15.3 Standardize kitchen settings Signed-off-by: Lance Albertson --- CHANGELOG.md | 2 ++ kitchen.yml | 4 ++++ metadata.rb | 2 +- resources/conf.rb | 1 + resources/user.rb | 2 ++ 5 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b2ed123..f2edf0fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
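Review bot: The release comparison is inconsistent between the two branches of the new condition: the first uses `os[:release].to_i < 8`, while the `elsif` on the same family, and `conf_location` in the second hunk, compare the raw string `os[:release] >= '8'`. A string comparison fails on two-digit majors (`'10' >= '8'` is false), so an EL 10 host would match neither branch and the test would fall through silently. Use `os[:release].to_i >= 8` in both places so the two predicates partition the `redhat` family cleanly.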
@@ -7,6 +7,8 @@ This file is used to list changes made in each version of the openvpn cookbook. - Remove delivery and move to calling RSpec directly via a reusable workflow - Update tested platforms - Fix Fedora +- Standardize kitchen settings +- Enable unified_mode and require Chef >= 15.3 ## 5.4.0 - *2022-01-18* diff --git a/kitchen.yml b/kitchen.yml index 58b17fd9..089ee6e5 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -10,6 +10,10 @@ transport: provisioner: name: dokken + enforce_idempotency: true + multiple_converge: 2 + deprecations_as_errors: true + chef_log_level: <%= ENV['CHEF_LOG_LEVEL'] || 'auto' %> chef_license: accept-no-persist verifier: diff --git a/metadata.rb b/metadata.rb index 6789ccf0..f0027c36 100644 --- a/metadata.rb +++ b/metadata.rb @@ -6,7 +6,7 @@ description 'Installs and configures openvpn and includes rake tasks for managing certs.' source_url 'https://github.com/sous-chefs/openvpn' issues_url 'https://github.com/sous-chefs/openvpn/issues' -chef_version '>= 14' +chef_version '>= 15.3' supports 'arch' supports 'centos' diff --git a/resources/conf.rb b/resources/conf.rb index e218c9b1..59e0c551 100644 --- a/resources/conf.rb +++ b/resources/conf.rb @@ -21,6 +21,7 @@ property :template_source, String, default: 'server.conf.erb' property :push_routes, Array property :push_options, Array +unified_mode true action :create do conf_location = if (platform_family?('rhel') && node['platform_version'].to_i >= 8) || platform_family?('fedora') diff --git a/resources/user.rb b/resources/user.rb index baa0eaa4..d5873c31 100644 --- a/resources/user.rb +++ b/resources/user.rb @@ -9,6 +9,8 @@ property :destination, String property :additional_vars, Hash, default: {} +unified_mode true + # TODO: this action will not recreate if the client configuration data has # changed. Requires manual intervention. From dd0fd064b17826c1b1b2921ed1ce29e5234eff89 Mon Sep 17 00:00:00 2001 
From: Lance Albertson Date: Mon, 7 Feb 2022 11:02:06 -0800 Subject: [PATCH 5/5] Fix various idempotency issues Signed-off-by: Lance Albertson --- CHANGELOG.md | 3 +++ recipes/server.rb | 6 +++++- resources/user.rb | 6 ++++-- spec/unit/recipes/server_spec.rb | 2 +- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2edf0fc..ed52fa25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,9 @@ This file is used to list changes made in each version of the openvpn cookbook. - Fix Fedora - Standardize kitchen settings - Enable unified_mode and require Chef >= 15.3 +- Fix various idempotency issues + - Set umask to 077 to match file permissions we expect + - Trigger various resources to run during first converge phase ## 5.4.0 - *2022-01-18* diff --git a/recipes/server.rb b/recipes/server.rb index e89430d6..a30cd0c1 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -101,6 +101,7 @@ bash 'openvpn-initca' do environment('KEY_CN' => "#{node['openvpn']['key']['org']} CA") code <<-EOF + umask 077 && \ openssl req -batch -days #{node['openvpn']['key']['ca_expire']} \ -nodes -new -newkey rsa:#{key_size} -#{message_digest} -x509 \ -keyout #{node['openvpn']['signing_ca_key']} \ @@ -113,6 +114,7 @@ bash 'openvpn-server-key' do environment('KEY_CN' => 'server') code <<-EOF + umask 077 && \ openssl req -batch -days #{node['openvpn']['key']['expire']} \ -nodes -new -newkey rsa:#{key_size} -keyout #{key_dir}/server.key \ -out #{key_dir}/server.csr -extensions server \ @@ -136,7 +138,8 @@ execute 'gencrl' do environment('KEY_CN' => "#{node['openvpn']['key']['org']} CA") - command "openssl ca -config #{[node['openvpn']['fs_prefix'], '/etc/openvpn/easy-rsa/openssl.cnf'].join} " \ + command 'umask 077 && ' \ + "openssl ca -config #{[node['openvpn']['fs_prefix'], '/etc/openvpn/easy-rsa/openssl.cnf'].join} " \ '-gencrl ' \ '-crlexts crl_ext ' \ "-md #{node['openvpn']['key']['message_digest']} " \ 
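Review bot: `umask 077 &&` is prepended to the shell string in both `bash` heredocs here, to the `execute 'gencrl'` command in the third hunk, and again for `./pkitool` and `tar` in resources/user.rb, which also forces the spec to match the literal prefix. Chef's `execute` and `script` resources have a native `umask` property, so `umask '077'` on each resource states the intent declaratively and keeps `command` a plain command. That in turn lets `execute 'gencrl'` and the user.rb commands use the array form, e.g. `command ['./pkitool', new_resource.client_name]`, so the interpolated `client_name` never passes through `sh -c`. Each of these resources begins, and its body continues, outside the hunk.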
@@ -158,6 +161,7 @@ generate end action :run + notifies :create, "remote_file[#{[node['openvpn']['fs_prefix'], '/etc/openvpn/crl.pem'].join}]" end # Make a world readable copy of the CRL diff --git a/resources/user.rb b/resources/user.rb index d5873c31..f7c9e876 100644 --- a/resources/user.rb +++ b/resources/user.rb @@ -26,7 +26,7 @@ bundle_full_path = ::File.expand_path(::File.join(destination_path, bundle_filename)) execute "generate-openvpn-#{new_resource.client_name}" do - command "./pkitool #{new_resource.client_name}" + command "umask 077 && ./pkitool #{new_resource.client_name}" cwd '/etc/openvpn/easy-rsa' environment( 'EASY_RSA' => '/etc/openvpn/easy-rsa', @@ -42,6 +42,8 @@ 'KEY_EMAIL' => node['openvpn']['key']['email'] ) creates cert_path unless new_resource.force + notifies :run, 'execute[gencrl]', :immediately + notifies :create, "remote_file[#{[node['openvpn']['fs_prefix'], '/etc/openvpn/crl.pem'].join}]", :immediately end cleanup_name = "cleanup-old-bundle-#{new_resource.client_name}" @@ -85,7 +87,7 @@ cwd destination_path filelist = "ca.crt #{new_resource.client_name}.crt #{new_resource.client_name}.key #{client_file_basename}.ovpn" filelist += " #{client_file_basename}.conf" if new_resource.create_bundle - command "tar zcf #{bundle_filename} #{filelist}" + command "umask 077 && tar zcf #{bundle_filename} #{filelist}" creates bundle_full_path unless new_resource.force end end diff --git a/spec/unit/recipes/server_spec.rb b/spec/unit/recipes/server_spec.rb index 776957e8..27f650db 100644 --- a/spec/unit/recipes/server_spec.rb +++ b/spec/unit/recipes/server_spec.rb @@ -39,7 +39,7 @@ it 'executes gencrl with correction parameters' do expect(chef_run).to run_execute('gencrl').with( environment: { 'KEY_CN' => 'Fort Funston CA' }, - command: 'openssl ca -config /etc/openvpn/easy-rsa/openssl.cnf ' \ + command: 'umask 077 && openssl ca -config /etc/openvpn/easy-rsa/openssl.cnf ' \ '-gencrl ' \ '-crlexts crl_ext ' \ '-md sha256 ' \
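Review bot: The notification target `"remote_file[#{[node['openvpn']['fs_prefix'], '/etc/openvpn/crl.pem'].join}]"` repeats the join expression that presumably names the `remote_file` declared after this hunk (the "world readable copy" comment), and the same expression appears twice more in resources/user.rb. A local such as `crl_path = [node['openvpn']['fs_prefix'], '/etc/openvpn/crl.pem'].join`, used for both the resource name and the notifies, keeps the two from drifting apart. The `execute 'gencrl'` block starts in the previous hunk.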
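Review bot: The two new `notifies` on the `generate-openvpn-…` execute target `execute[gencrl]` and `remote_file[…/crl.pem]`, which are declared in recipes/server.rb rather than in this resource; the target is resolved at converge time, so an `openvpn_user` used in a run that does not include the server recipe would presumably fail with a resource-not-found error rather than being skipped. Whether the lookup from inside a custom-resource action also reaches the enclosing run context is worth confirming with a standalone ChefSpec example. If the dependency is intended, document it on the resource, e.g. `# Requires execute[gencrl] and the crl.pem remote_file from recipes/server.rb in the same run` above the `execute`. The `execute` block starts before the hunk.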