sensu / sensu-chef

Sensu Chef cookbook.
https://supermarket.chef.io/cookbooks/sensu
Apache License 2.0

WIP: allow injecting of arbitrary env variables #629

Open majormoses opened 5 years ago

majormoses commented 5 years ago

As these variables could contain secrets, we should make sure that this file is only accessible by the root user. If you do choose to store secrets here, I would highly recommend not storing them in SCM unencrypted and instead pulling them from a key management solution such as HashiCorp Vault or AWS SSM. Alternatively you could use something like git-crypt, or some process pulling values from an encrypted data bag and writing them to the attribute. In either scenario with secrets, please understand that these secrets will be exposed to the node and therefore accessible to anyone who has Chef access. This includes any sudoer, as they can run `sudo chef-shell -z` and then query the attribute. If you do need this functionality for secrets, you should probably use `node['sensu']['etc_default_sensu']['cookbook']` and override it with a template in your wrapper. You should leverage the `node.run_state` object, as this removes it from the node being queried externally but allows locally storing the secret, and it is only persisted during an actual Chef convergence.

Signed-off-by: Ben Abrams me@benabrams.it

Description

Enable people to inject arbitrary key/value pairs to be sent to the sensu process by means of `/etc/default/sensu`.

Motivation and Context

Someone requested this a while back in Slack; unfortunately I did not have them file an issue, and I forgot that I had most of the code ready to go uncommitted until today.

How Has This Been Tested?

This has not been properly tested.


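The two storage choices the description contrasts, as an added example that is not code from this PR or from the sensu-chef cookbook: a plain-Ruby stand-in for the node (`FakeNode`, hypothetical, modelling only the persisted attributes and the per-run `run_state`), a renderer for `/etc/default/sensu` that accepts only shell variable names and single-quotes every value, and a writer that applies root-only 0600 permissions. The attribute path `node.normal['sensu']['env_vars']` and the secret value are constructed for the demo; the PR's real attribute name is not shown on this page.

```ruby
# Added example, not part of the sensu-chef cookbook or this PR.
#
# Node attributes are serialised and saved to the Chef server at the end of a run,
# so anything stored there is readable by anyone with Chef API access (or by a
# sudoer querying the node locally). node.run_state lives only for the duration
# of the converge and is never saved, which is why the PR description prefers it
# for secrets that end up in /etc/default/sensu.
require 'json'
require 'tmpdir'

# Minimal stand-in for the parts of Chef::Node used here (hypothetical, not Chef's class).
class FakeNode
  attr_reader :normal, :run_state

  def initialize
    @normal    = {} # persisted attributes: what the Chef server stores after a save
    @run_state = {} # per-run scratch space: never serialised
  end

  # Mimics the payload a node save sends to the server: attributes only.
  def to_json_for_save
    JSON.generate('normal' => @normal)
  end
end

# Shell variable names allowed in /etc/default/sensu. The init script sources this
# file, so a key containing whitespace, '=' or other metacharacters would not be a
# variable assignment at all; rejecting such keys keeps "arbitrary" input inside
# the grammar the file is meant to have.
VAR_NAME = /\A[A-Za-z_][A-Za-z0-9_]*\z/

# Render KEY='value' lines, sorted for a stable file. Values are single-quoted with
# embedded single quotes escaped as '\'' so the sourcing shell treats them as data.
def render_etc_default_sensu(env)
  lines = env.sort.map do |key, value|
    unless VAR_NAME.match?(key.to_s)
      raise ArgumentError, "invalid environment variable name: #{key.inspect}"
    end
    quoted = value.to_s.gsub("'") { "'\\''" } # block form: no backreference handling
    "#{key}='#{quoted}'"
  end
  lines.join("\n") + "\n"
end

# Write the rendered file with owner-only permissions (the "root-only" access the
# PR asks for when the converge runs as root). The mode is given at create time and
# re-asserted afterwards so a pre-existing world-readable file is tightened too.
def write_etc_default_sensu(path, env)
  content = render_etc_default_sensu(env)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write(content) }
  File.chmod(0600, path)
  content
end

# Demonstration: the non-secret setting travels through node attributes, the
# secret through run_state. Both land in the file; only the former lands in the
# payload a node save would send to the server.
def demo(dir)
  node = FakeNode.new
  node.normal['sensu'] = { 'env_vars' => { 'LOG_LEVEL' => 'warn' } }        # constructed public setting
  node.run_state['sensu_secret_env'] = { 'RABBITMQ_PASSWORD' => "s3cr'et" } # constructed secret

  env  = node.normal['sensu']['env_vars'].merge(node.run_state['sensu_secret_env'])
  path = File.join(dir, 'sensu')
  write_etc_default_sensu(path, env)

  {
    content: File.read(path),
    mode: File.stat(path).mode & 0777,
    saved_payload: node.to_json_for_save
  }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir { |d| puts demo(d) }
end
```

Running the file prints the rendered content, the file mode and the JSON a node save would send: `LOG_LEVEL` is in that payload, the `run_state` password is not, which is the property the description relies on. The name check is there because the init script sources this file; a key containing whitespace or a newline is rejected rather than written.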
majormoses commented 5 years ago

I locally converged via Vagrant; if unit tests pass we should be good to go.

majormoses commented 5 years ago

Not sure why tests are failing on Travis but are working locally; maybe the version of ChefDK?

Running Locally

```bash
$ /opt/chefdk/embedded/bin/chef --version
Chef Development Kit Version: 2.5.13
chef-client version: 13.10.4
delivery version: master (6862f27aba89109a9630f0b6c6798efec56b4efe)
berks version: 6.3.4
kitchen version: 1.22.1
inspec version: 1.51.25
$ /opt/chefdk/embedded/bin/chef exec rake
!!!!!! The `berkshelf' gem is missing and must be installed or cannot be properly activated. Run `gem install berkshelf` or add the following to your Gemfile if you are using Bundler: `gem 'berkshelf'`.
>>> Gem load error: Could not load or activate Berkshelf (Unable to activate berkshelf-6.3.4, because thor-0.20.3 conflicts with thor (< 0.19.2, ~> 0.19)), omitting
/opt/chefdk/embedded/bin/ruby -I/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-support-3.7.1/lib:/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.1/lib /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.1/exe/rspec test/unit/check_spec.rb test/unit/client_service_spec.rb test/unit/default_spec.rb test/unit/libraries/sensu_helpers_spec.rb test/unit/libraries/sensu_helpers_spec.rb test/unit/libraries/sensu_json_file_spec.rb test/unit/libraries/sensu_json_file_spec.rb test/unit/lwrps/base_config_spec.rb test/unit/lwrps/base_config_spec.rb test/unit/lwrps/client_spec.rb test/unit/lwrps/client_spec.rb test/unit/lwrps/filter_spec.rb test/unit/lwrps/filter_spec.rb test/unit/lwrps/gem_spec.rb test/unit/lwrps/gem_spec.rb test/unit/lwrps/json_file_spec.rb test/unit/lwrps/json_file_spec.rb
sensu-test::good_checks creates valid_check_with_default_interval creates valid_cron_check creates valid_standalone_check sensu_check creates valid_pubsub_check sensu_check deletes removed_check without specifying subscriptions/standalone
sensu-test::bad_check_name raises an exception when the check name contains invalid characters
sensu-test::bad_check_attributes raises an exception when the check has neither subscribers nor standalone attributes
sensu-test::bad_cron_and_interval raises an exception when the check has both cron and interval attributes
sensu-test::bad_check_no_interval_or_cron raises an exception when in check both cron and interval are false
sensu-test::bad_check_invalid_interval raises an exception when in check interval is equal or less than 0
sensu::client_service enables the sensu-client service in ubuntu 14.04 starts the sensu-client service in ubuntu 14.04
sensu::client_service enables the sensu-client service in ubuntu 16.04 starts the sensu-client service in ubuntu 16.04
sensu::default when running on unix-like platforms when running on ubuntu linux includes the sensu::_linux recipe installs the sensu package configures the apt repo definition with the default codename behaves like sensu default recipe creates the log directory creates the conf.d directory creates the plugins directory creates the handlers directory creates the extensions directory writes a base sensu configuration using sensu_base_config ssl is enabled writes the certificate chain file writes the private key file ssl is disabled [2019-03-13T19:09:51-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL. does not write the certificate chain file [2019-03-13T19:09:53-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL. does not write the private key file when overriding the apt repository codename configures the apt repo definition with the provided codename when running on rhel linux includes the sensu::_linux recipe installs the sensu package configures the yum repo definition behaves like sensu default recipe creates the log directory creates the conf.d directory creates the plugins directory creates the handlers directory creates the extensions directory writes a base sensu configuration using sensu_base_config ssl is enabled writes the certificate chain file writes the private key file ssl is disabled [2019-03-13T19:10:16-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL. does not write the certificate chain file [2019-03-13T19:10:20-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL. does not write the private key file when overriding the yum repository releasever configures the yum repo definition with the provided releasever when running on aix includes the sensu::_aix recipe installs the sensu package behaves like sensu default recipe creates the log directory creates the conf.d directory creates the plugins directory creates the handlers directory creates the extensions directory writes a base sensu configuration using sensu_base_config ssl is enabled writes the certificate chain file writes the private key file ssl is disabled [2019-03-13T19:10:41-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL. does not write the certificate chain file [2019-03-13T19:10:43-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL. does not write the private key file when running on windows platform includes the sensu::_windows recipe installs the Sensu package when install_dotnet is true includes the appropriate recipe from the ms_dotnet cookbook when install_dotnet is false does not include a recipe from the ms_dotnet cookbook behaves like sensu default recipe creates the log directory creates the conf.d directory creates the plugins directory creates the handlers directory creates the extensions directory writes a base sensu configuration using sensu_base_config ssl is enabled writes the certificate chain file writes the private key file ssl is disabled [2019-03-13T19:11:09-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL. does not write the certificate chain file [2019-03-13T19:11:11-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL. does not write the private key file
Sensu::Helpers .select_attributes when the requested attribute exists returns the requested key/value pair when the requested attribute does not exist returns an empty hash when multiple attributes are requested and all exist returns a hash containing the requested key/value pairs when multiple attributes are requested and only a subset exist returns a hash containing the existing key/value pairs .gem_binary on unix-like platforms with omnibus ruby available returns the full path to the omnibus ruby gem binary without omnibus ruby available returns an unqualified path to the gem binary on windows platforms with omnibus ruby available returns the full path to the omnibus ruby gem binary without omnibus ruby available returns an unqualified path to the gem binary .redhat_version_string the desired version is prior to 0.27 returns the version string unaltered the desired version is 0.27.0 or newer returns the version string with the Redhat platform major version suffix when a suffix override is provided returns the version string with the custom suffix .amazon_linux_2_rhel_version returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 6 returns the rhel version 7 throws an exception throws an exception throws an exception .amazon_linux_2_version_string the desired version is prior to 0.27 returns the version string unaltered the desired version is 0.27.0 or newer returns the version string with the Redhat platform major version suffix when a suffix override is provided returns the version string with the custom suffix
Sensu::JSONFile .load_json returns a non-empty hash returns a hash containing the expected keys .dump_json returns a non-empty string, terminated with a new line .to_mash converts a hash into a mash .compare_content returns false when comparing the content of a file to a non-matching hash returns true when comparing the content of a file to a matching hash
sensu_base_config [2019-03-13T19:11:11-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: # creates a base sensu configuration at /etc/sensu/config.json base configuration is derived from node attributes [2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: # transport node attributes are present in base configuration [2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: # redis node attributes are present in base configuration [2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: # api node attributes are present in base configuration single rabbitmq host provided [2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: # yields a rabbitmq array with a single hash multiple rabbitmq hosts provided [2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: # [2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: # yields a rabbitmq array containing multiple brokers
sensu_client with minimum required attributes renders client.json to directory defined by attributes configures client name configures client address configures client subscriptions does not provide configuration for unconfigured optional attributes
sensu_client with optional attributes renders client.json to directory defined by attributes configures client name configures client address configures client subscriptions configures client keepalives configures client keepalive behavior configures client safe_mode configures client socket configures attributes for client redaction configures client registration configures client to deregister configures client deregistration configures custom client attributes specified as additional
sensu_filter defaults to action :create action :create creates the specified filter definition negate specified creates the specified filter definition days specified with symbol hash keys creates the specified filter definition with string hash keys creates the specified filter definition action :delete deletes the specified filter deletes the specified filter definition
sensu_gem defaults to action :install action :install installs the specified gem package version specified installs the specified version of the gem package source specified installs the specified gem package from the specified source upgrades the specified gem package from the specified source action :remove removes the specified gem package action :upgrade installs or upgrades the specified gem package to the specified version
sensu_json_file creates the /etc/sensu directory using value of directory_mode attribute creates a "pretty" json file with the provided content
Finished in 1 minute 57.05 seconds (files took 2 seconds to load)
146 examples, 0 failures
```