Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: allow injecting of arbitrary env variables #629

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

WIP: allow injecting of arbitrary env variables #629

wants to merge 2 commits into from

Conversation

majormoses
Copy link
Contributor

@majormoses majormoses commented Mar 14, 2019
edited
Loading

As these variables could contain secrets we should make sure that this file is only accessible via the root user. If you do choose to store secrets here I would highly recommend not storing them in SCM unencrypted and should pull them from a key management solution such as Hashicorp Vault or AWS SSM. Alternatively you could use something like git-crypt or some process pulling values from an encrypted databag and writing to the attribute. In either scenario with secrets please understand that these secrets will be exposed to the node and therefore accessible to anyone who has chef access. This includes any sudoer as they can run sudo chef-shell -z and then query the attribute. If you do need this functionality for secrets you should probably use node['sensu']['etc_default_sensu']['cookbook'] and override it with a template in your wrapper. You should leverage node.run_state object as this removes it from the node being queried externally but allows locally storing the secret and is only persisted during an actual chef convergence.

Signed-off-by: Ben Abrams [email protected]

Description

Enable people to inject arbitrary key value pairs to be sent to the sensu process by means of /etc/default/sensu .

As these variables could contain secrets we should make sure that this file is only accessible via the root user. If you do choose to store secrets here I would highly recommend not storing them in SCM unencrypted and should pull them from a key management solution such as Hashicorp Vault or AWS SSM. Alternatively you could use something like git-crypt or some process pulling values from an encrypted databag and writing to the attribute. In either scenario with secrets please understand that these secrets will be exposed to the node and therefore accessible to anyone who has chef access. This includes any sudoer as they can run sudo chef-shell -z and then query the attribute. If you do need this functionality for secrets you should probably use node['sensu']['etc_default_sensu']['cookbook'] and override it with a template in your wrapper. You should leverage node.run_state object as this removes it from the node being queried externally but allows locally storing the secret and is only persisted during an actual chef convergence.

Motivation and Context

Someone requested this a while back in slack, unfortunately I did not have them file an issue and I forgot that I had most of the code ready to go uncommitted until today.

How Has This Been Tested?

This has not been properly tested.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.

@majormoses majormoses self-assigned this Mar 14, 2019
@majormoses
llow injecting of arbitrary env variables
a6aaec7 
As these variables _could_ contain secrets we should make sure that this file is only accessible via the root user. If you do choose to store secrets here I would highly reccommend not storing them in SCM unencrypted and should pull them from a key management solution such as Hashicorp Vault or AWS SSM. Alternatively you could use something like `git-crypt` or some process pulling values from an encrypted databag and writing to the attribute. In either scenario with secrets please understand that these secrets will be exposed to the node and therefore accessible to anyone who has chef access. This includes any `sudoer` as they can run `sudo chef-shell -z` and then query the attribute. If you do need this functionality for secrets you should probably use `node['sensu']['etc_default_sensu']['cookbook']` and override it with a template in your wrapper. You should leverage `node.run_state` object as this removes it from the node being queried externally but allows locally storing the secret and is only persisted during an actual chef convergence.

Signed-off-by: Ben Abrams <[email protected]>
@majormoses
Copy link
Contributor Author

I locally converged via vagrant, if unit tests pass we should be good to go.

@majormoses
Copy link
Contributor Author

Not sure why tests are failing on travis but are working locally maybe the version of chefdk?

Running Locally 
$ /opt/chefdk/embedded/bin/chef --version
Chef Development Kit Version: 2.5.13
chef-client version: 13.10.4
delivery version: master (6862f27aba89109a9630f0b6c6798efec56b4efe)
berks version: 6.3.4
kitchen version: 1.22.1
inspec version: 1.51.25

$ /opt/chefdk/embedded/bin/chef exec rake
!!!!!! The `berkshelf' gem is missing and must be installed or cannot be properly activated. Run `gem install berkshelf` or add the following to your Gemfile if you are using Bundler: `gem 'berkshelf'`.
>>> Gem load error: Could not load or activate Berkshelf (Unable to activate berkshelf-6.3.4, because thor-0.20.3 conflicts with thor (< 0.19.2, ~> 0.19)), omitting 
/opt/chefdk/embedded/bin/ruby -I/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-support-3.7.1/lib:/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.1/lib /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.1/exe/rspec test/unit/check_spec.rb test/unit/client_service_spec.rb test/unit/default_spec.rb test/unit/libraries/sensu_helpers_spec.rb test/unit/libraries/sensu_helpers_spec.rb test/unit/libraries/sensu_json_file_spec.rb test/unit/libraries/sensu_json_file_spec.rb test/unit/lwrps/base_config_spec.rb test/unit/lwrps/base_config_spec.rb test/unit/lwrps/client_spec.rb test/unit/lwrps/client_spec.rb test/unit/lwrps/filter_spec.rb test/unit/lwrps/filter_spec.rb test/unit/lwrps/gem_spec.rb test/unit/lwrps/gem_spec.rb test/unit/lwrps/json_file_spec.rb test/unit/lwrps/json_file_spec.rb

sensu-test::good_checks
  creates valid_check_with_default_interval
  creates valid_cron_check
  creates valid_standalone_check sensu_check
  creates valid_pubsub_check sensu_check
  deletes removed_check without specifying subscriptions/standalone

sensu-test::bad_check_name
  raises an exception when the check name contains invalid characters

sensu-test::bad_check_attributes
  raises an exception when the check has neither subscribers nor standalone attributes

sensu-test::bad_cron_and_interval
  raises an exception when the check has both cron and interval attributes

sensu-test::bad_check_no_interval_or_cron
  raises an exception when in check both cron and interval are false

sensu-test::bad_check_invalid_interval
  raises an exception when in check interval is equal or less than 0

sensu::client_service
  enables the sensu-client service in ubuntu 14.04
  starts the sensu-client service in ubuntu 14.04

sensu::client_service
  enables the sensu-client service in ubuntu 16.04
  starts the sensu-client service in ubuntu 16.04

sensu::default
  when running on unix-like platforms
    when running on ubuntu linux
      includes the sensu::_linux recipe
      installs the sensu package
      configures the apt repo definition with the default codename
      behaves like sensu default recipe
        creates the log directory
        creates the conf.d directory
        creates the plugins directory
        creates the handlers directory
        creates the extensions directory
        writes a base sensu configuration using sensu_base_config
        ssl is enabled
          writes the certificate chain file
          writes the private key file
        ssl is disabled
[2019-03-13T19:09:51-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
          does not write the certificate chain file
[2019-03-13T19:09:53-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
          does not write the private key file
      when overriding the apt repository codename
        configures the apt repo definition with the provided codename
    when running on rhel linux
      includes the sensu::_linux recipe
      installs the sensu package
      configures the yum repo definition
      behaves like sensu default recipe
        creates the log directory
        creates the conf.d directory
        creates the plugins directory
        creates the handlers directory
        creates the extensions directory
        writes a base sensu configuration using sensu_base_config
        ssl is enabled
          writes the certificate chain file
          writes the private key file
        ssl is disabled
[2019-03-13T19:10:16-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
          does not write the certificate chain file
[2019-03-13T19:10:20-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
          does not write the private key file
      when overriding the yum repository releasever
        configures the yum repo definition with the provided releasever
    when running on aix
      includes the sensu::_aix recipe
      installs the sensu package
      behaves like sensu default recipe
        creates the log directory
        creates the conf.d directory
        creates the plugins directory
        creates the handlers directory
        creates the extensions directory
        writes a base sensu configuration using sensu_base_config
        ssl is enabled
          writes the certificate chain file
          writes the private key file
        ssl is disabled
[2019-03-13T19:10:41-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
          does not write the certificate chain file
[2019-03-13T19:10:43-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
          does not write the private key file
  when running on windows platform
    includes the sensu::_windows recipe
    installs the Sensu package
    when install_dotnet is true
      includes the appropriate recipe from the ms_dotnet cookbook
    when install_dotnet is false
      does not include a recipe from the ms_dotnet cookbook
    behaves like sensu default recipe
      creates the log directory
      creates the conf.d directory
      creates the plugins directory
      creates the handlers directory
      creates the extensions directory
      writes a base sensu configuration using sensu_base_config
      ssl is enabled
        writes the certificate chain file
        writes the private key file
      ssl is disabled
[2019-03-13T19:11:09-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
        does not write the certificate chain file
[2019-03-13T19:11:11-07:00] WARN: Setting Sensu RabbitMQ port to 5672 as you have disabled SSL.
        does not write the private key file

Sensu::Helpers
  .select_attributes
    when the requested attribute exists
      returns the requested key/value pair
    when the requested attribute does not exist
      returns an empty hash
    when multiple attributes are requested and all exist
      returns a hash containing the requested key/value pairs
    when multiple attributes are requested and only a subset exist
      returns a hash containing the existing key/value pairs
  .gem_binary
    on unix-like platforms
      with omnibus ruby available
        returns the full path to the omnibus ruby gem binary
      without omnibus ruby available
        returns an unqualified path to the gem binary
    on windows platforms
      with omnibus ruby available
        returns the full path to the omnibus ruby gem binary
      without omnibus ruby available
        returns an unqualified path to the gem binary
  .redhat_version_string
    the desired version is prior to 0.27
      returns the version string unaltered
    the desired version is 0.27.0 or newer
      returns the version string with the Redhat platform major version suffix
      when a suffix override is provided
        returns the version string with the custom suffix
  .amazon_linux_2_rhel_version
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 6
    returns the rhel version 7
    throws an exception
    throws an exception
    throws an exception
  .amazon_linux_2_version_string
    the desired version is prior to 0.27
      returns the version string unaltered
    the desired version is 0.27.0 or newer
      returns the version string with the Redhat platform major version suffix
      when a suffix override is provided
        returns the version string with the custom suffix

Sensu::JSONFile
  .load_json
    returns a non-empty hash
    returns a hash containing the expected keys
  .dump_json
    returns a non-empty string, terminated with a new line
  .to_mash
    converts a hash into a mash
  .compare_content
    returns false when comparing the content of a file to a non-matching hash
    returns true when comparing the content of a file to a matching hash

sensu_base_config
[2019-03-13T19:11:11-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
  creates a base sensu configuration at /etc/sensu/config.json
  base configuration is derived from node attributes
[2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
    transport node attributes are present in base configuration
[2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
    redis node attributes are present in base configuration
[2019-03-13T19:11:12-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
    api node attributes are present in base configuration
  single rabbitmq host provided
[2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
    yields a rabbitmq array with a single hash
  multiple rabbitmq hosts provided
[2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
[2019-03-13T19:11:13-07:00] WARN: Failed to populate Sensu state with ssl credentials from data bag: #<Chef::Exceptions::InvalidDataBagPath: Data bag path '/tmp/d20190313-7270-1d19xln/data_bags' is invalid>
    yields a rabbitmq array containing multiple brokers

sensu_client with minimum required attributes
  renders client.json to directory defined by attributes
  configures client name
  configures client address
  configures client subscriptions
  does not provide configuration for unconfigured optional attributes

sensu_client with optional attributes
  renders client.json to directory defined by attributes
  configures client name
  configures client address
  configures client subscriptions
  configures client keepalives
  configures client keepalive behavior
  configures client safe_mode
  configures client socket
  configures attributes for client redaction
  configures client registration
  configures client to deregister
  configures client deregistration
  configures custom client attributes specified as additional

sensu_filter
  defaults to action :create
  action :create
    creates the specified filter definition
    negate specified
      creates the specified filter definition
    days specified
      with symbol hash keys
        creates the specified filter definition
      with string hash keys
        creates the specified filter definition
  action :delete
    deletes the specified filter
    deletes the specified filter definition

sensu_gem
  defaults to action :install
  action :install
    installs the specified gem package
    version specified
      installs the specified version of the gem package
    source specified
      installs the specified gem package from the specified source
      upgrades the specified gem package from the specified source
  action :remove
    removes the specified gem package
  action :upgrade
    installs or upgrades the specified gem package to the specified version

sensu_json_file
  creates the /etc/sensu directory using value of directory_mode attribute
  creates a "pretty" json file with the provided content

Finished in 1 minute 57.05 seconds (files took 2 seconds to load)
146 examples, 0 failures

@majormoses majormoses changed the title allow injecting of arbitrary env variables WIP: allow injecting of arbitrary env variables Mar 25, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@majormoses majormoses

Labels
Type: Enhancement Type: Security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@majormoses