Automated PR: Standardising Files

.github/workflows/ci.yml

@@ -8,44 +8,25 @@ name: ci
       - main
 
 jobs:
-  delivery:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-      - name: Run Chef Delivery
-        uses: actionshub/chef-delivery@main
-        env:
-          CHEF_LICENSE: accept-no-persist
-
-  yamllint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-      - name: Run yaml Lint
-        uses: actionshub/yamllint@main
-
-  mdl:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-      - name: Run Markdown Lint
-        uses: actionshub/markdownlint@main
+  lint-unit:
+    uses: sous-chefs/.github/.github/workflows/[email protected]
 
   integration:
-    needs: [mdl, yamllint, delivery]
+    needs: lint-unit
     runs-on: ubuntu-latest
     strategy:
       matrix:
         os:
+          - 'almalinux-8'
           - 'amazonlinux-2'
           - 'centos-7'
-          - 'centos-8'
-          - 'debian-9'
-          - 'ubuntu-1604'
+          - 'centos-stream-8'
+          - 'debian-10'
+          - 'debian-11'
+          - 'fedora-latest'
+          - 'rockylinux-8'
           - 'ubuntu-1804'
+          - 'ubuntu-2004'
         suite:
           - 'server'
           - 'server-verification'

.overcommit.yml

@@ -11,10 +11,6 @@ PreCommit:
     enabled: true
     required_executable: 'cookstyle'
     command: ["cookstyle"]
-  Delivery:
-    enabled: true
-    required_executable: 'delivery'
-    flags: ['local', 'all']
 CommitMsg:
   HardTabs:
     enabled: true

CHANGELOG.md

@@ -4,6 +4,15 @@ This file is used to list changes made in each version of the openvpn cookbook.
 
 ## Unreleased
 
+- Remove delivery and move to calling RSpec directly via a reusable workflow
+- Update tested platforms
+- Fix Fedora
+- Standardize kitchen settings
+- Enable unified_mode and require Chef >= 15.3
+- Fix various idempotency issues
+  - Set umask to 077 to match file permissions we expect
+  - Trigger various resources to run during first converge phase
+
 ## 5.4.0 - *2022-01-18*
 
 - resolved cookstyle error: recipes/server.rb:88:3 refactor: `Chef/RedundantCode/UseCreateIfMissing`

kitchen.yml

@@ -10,6 +10,10 @@ transport:
 
 provisioner:
   name: dokken
+  enforce_idempotency: true
+  multiple_converge: 2
+  deprecations_as_errors: true
+  chef_log_level: <%= ENV['CHEF_LOG_LEVEL'] || 'auto' %>
   chef_license: accept-no-persist
 
 verifier:
@@ -18,60 +22,55 @@ verifier:
 
 # currently only support 2 last major revs of distros (at the most)
 platforms:
-  - name: amazonlinux-2
+  - name: almalinux-8
     driver:
-      image: dokken/amazonlinux-2
+      image: dokken/almalinux-8
       pid_one_command: /usr/lib/systemd/systemd
 
-  - name: debian-8
+  - name: amazonlinux-2
     driver:
-      image: dokken/debian-8
-      pid_one_command: /bin/systemd
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get update
+      image: dokken/amazonlinux-2
+      pid_one_command: /usr/lib/systemd/systemd
 
-  - name: debian-9
+  - name: debian-10
     driver:
-      image: dokken/debian-9
+      image: dokken/debian-10
       pid_one_command: /bin/systemd
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get update
 
-  - name: debian-10
+  - name: debian-11
     driver:
-      image: dokken/debian-10
+      image: dokken/debian-11
       pid_one_command: /bin/systemd
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get update
 
   - name: centos-7
     driver:
       image: dokken/centos-7
       pid_one_command: /usr/lib/systemd/systemd
 
-  - name: centos-8
+  - name: centos-stream-8
     driver:
-      image: dokken/centos-8
+      image: dokken/centos-stream-8
       pid_one_command: /usr/lib/systemd/systemd
 
   - name: fedora-latest
     driver:
       image: dokken/fedora-latest
       pid_one_command: /usr/lib/systemd/systemd
 
-  - name: ubuntu-16.04
+  - name: ubuntu-18.04
     driver:
-      image: dokken/ubuntu-16.04
+      image: dokken/ubuntu-18.04
       pid_one_command: /bin/systemd
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get update
 
-  - name: ubuntu-18.04
+  - name: ubuntu-20.04
     driver:
-      image: dokken/ubuntu-18.04
+      image: dokken/ubuntu-20.04
       pid_one_command: /bin/systemd
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get update
+
+  - name: rockylinux-8
+    driver:
+      image: dokken/rockylinux-8
+      pid_one_command: /usr/lib/systemd/systemd
 
 suites:
   - name: server

metadata.rb

@@ -6,7 +6,7 @@
 description       'Installs and configures openvpn and includes rake tasks for managing certs.'
 source_url        'https://github.com/sous-chefs/openvpn'
 issues_url        'https://github.com/sous-chefs/openvpn/issues'
-chef_version      '>= 14'
+chef_version      '>= 15.3'
 
 supports 'arch'
 supports 'centos'

recipes/server.rb

@@ -101,6 +101,7 @@
 bash 'openvpn-initca' do
   environment('KEY_CN' => "#{node['openvpn']['key']['org']} CA")
   code <<-EOF
+    umask 077 && \
     openssl req -batch -days #{node['openvpn']['key']['ca_expire']} \
       -nodes -new -newkey rsa:#{key_size} -#{message_digest} -x509 \
       -keyout #{node['openvpn']['signing_ca_key']} \
@@ -113,6 +114,7 @@
 bash 'openvpn-server-key' do
   environment('KEY_CN' => 'server')
   code <<-EOF
+    umask 077 && \
     openssl req -batch -days #{node['openvpn']['key']['expire']} \
       -nodes -new -newkey rsa:#{key_size} -keyout #{key_dir}/server.key \
       -out #{key_dir}/server.csr -extensions server \
@@ -136,7 +138,8 @@
 
 execute 'gencrl' do
   environment('KEY_CN' => "#{node['openvpn']['key']['org']} CA")
-  command "openssl ca -config #{[node['openvpn']['fs_prefix'], '/etc/openvpn/easy-rsa/openssl.cnf'].join} " \
+  command 'umask 077 && ' \
+          "openssl ca -config #{[node['openvpn']['fs_prefix'], '/etc/openvpn/easy-rsa/openssl.cnf'].join} " \
           '-gencrl ' \
           '-crlexts crl_ext ' \
           "-md #{node['openvpn']['key']['message_digest']} " \
@@ -158,6 +161,7 @@
     generate
   end
   action :run
+  notifies :create, "remote_file[#{[node['openvpn']['fs_prefix'], '/etc/openvpn/crl.pem'].join}]"
 end
 
 # Make a world readable copy of the CRL

recipes/service.rb

@@ -36,10 +36,10 @@
     service_name = 'openvpn'
   end
 when 'fedora'
-  link "/etc/systemd/system/multi-user.target.wants/openvpn@#{node['openvpn']['type']}.service" do
+  link "/etc/systemd/system/multi-user.target.wants/openvpn-#{node['openvpn']['type']}@#{node['openvpn']['type']}.service" do
     to '/usr/lib/systemd/system/[email protected]'
   end
-  service_name = "openvpn@#{node['openvpn']['type']}.service"
+  service_name = "openvpn-#{node['openvpn']['type']}@#{node['openvpn']['type']}.service"
 when 'amazon'
   case node['platform_version'].to_i
   when 2

resources/conf.rb

@@ -21,9 +21,10 @@
 property :template_source, String, default: 'server.conf.erb'
 property :push_routes, Array
 property :push_options, Array
+unified_mode true
 
 action :create do
-  conf_location = if platform_family?('rhel') && node['platform_version'].to_i >= 8
+  conf_location = if (platform_family?('rhel') && node['platform_version'].to_i >= 8) || platform_family?('fedora')
                     "/etc/openvpn/#{new_resource.name}/#{new_resource.name}.conf"
                   else
                     "/etc/openvpn/#{new_resource.name}.conf"

resources/user.rb

@@ -9,6 +9,8 @@
 property :destination, String
 property :additional_vars, Hash, default: {}
 
+unified_mode true
+
 # TODO: this action will not recreate if the client configuration data has
 #       changed. Requires manual intervention.
 
@@ -24,7 +26,7 @@
   bundle_full_path = ::File.expand_path(::File.join(destination_path, bundle_filename))
 
   execute "generate-openvpn-#{new_resource.client_name}" do
-    command "./pkitool #{new_resource.client_name}"
+    command "umask 077 && ./pkitool #{new_resource.client_name}"
     cwd '/etc/openvpn/easy-rsa'
     environment(
       'EASY_RSA' => '/etc/openvpn/easy-rsa',
@@ -40,6 +42,8 @@
       'KEY_EMAIL' => node['openvpn']['key']['email']
     )
     creates cert_path unless new_resource.force
+    notifies :run, 'execute[gencrl]', :immediately
+    notifies :create, "remote_file[#{[node['openvpn']['fs_prefix'], '/etc/openvpn/crl.pem'].join}]", :immediately
   end
 
   cleanup_name = "cleanup-old-bundle-#{new_resource.client_name}"
@@ -83,7 +87,7 @@
     cwd destination_path
     filelist = "ca.crt #{new_resource.client_name}.crt #{new_resource.client_name}.key #{client_file_basename}.ovpn"
     filelist += " #{client_file_basename}.conf" if new_resource.create_bundle
-    command "tar zcf #{bundle_filename} #{filelist}"
+    command "umask 077 && tar zcf #{bundle_filename} #{filelist}"
     creates bundle_full_path unless new_resource.force
   end
 end

spec/unit/recipes/server_spec.rb

@@ -39,7 +39,7 @@
     it 'executes gencrl with correction parameters' do
       expect(chef_run).to run_execute('gencrl').with(
         environment: { 'KEY_CN' => 'Fort Funston CA' },
-        command: 'openssl ca -config /etc/openvpn/easy-rsa/openssl.cnf ' \
+        command: 'umask 077 && openssl ca -config /etc/openvpn/easy-rsa/openssl.cnf ' \
                  '-gencrl ' \
                  '-crlexts crl_ext ' \
                  '-md sha256 ' \

test/integration/server/server_test.rb

@@ -1,17 +1,15 @@
 # this is done in a similar fashion to
 # https://github.com/xhost-cookbooks/openvpn/blob/master/recipes/service.rb
 
-if (os[:name] == 'redhat' && os[:release] >= '7') ||
-   (os[:name] == 'centos' && os[:release] < '8') ||
-   (os[:name] == 'debian' && os[:release] >= '8') ||
-   (os[:name] == 'ubuntu' && os[:release] >= '15.04') ||
-   (os[:name] == 'amazon' && os[:release] >= '2') ||
-   (os[:name] == 'fedora')
+if (os[:family] == 'redhat' && os[:release].to_i < 8) ||
+   (os[:name] == 'debian') ||
+   (os[:name] == 'ubuntu') ||
+   (os[:name] == 'amazon')
   describe service('openvpn@server') do
     it { is_expected.to be_enabled }
     it { is_expected.to be_running }
   end
-elsif os[:name] == 'centos' && os[:release] >= '8'
+elsif (os[:family] == 'redhat' && os[:release] >= '8') || os[:family] == 'fedora'
   describe service('openvpn-server@server') do
     it { is_expected.to be_enabled }
     it { is_expected.to be_running }
@@ -23,7 +21,7 @@
   end
 end
 
-conf_location = if os[:name] == 'centos' && os[:release] >= '8'
+conf_location = if (os[:family] == 'redhat' && os[:release] >= '8') || os[:family] == 'fedora'
                   '/etc/openvpn/server/server.conf'
                 else
                   '/etc/openvpn/server.conf'