--- /dev/null
+#
+# Copyright 2018 whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+source 'https://supermarket.chef.io'
+
+metadata
ssl_cert CHANGELOG
==================
+0.5.0
+-----
+- adds wildcard common name support. e.g. `*.example.com`
+
0.4.2
-----
- adds the `['ssl_cert']['ca_name_symlinks']` attribute.
--- /dev/null
+GEM
+ remote: https://rubygems.org/
+ specs:
+ chef-api (0.8.0)
+ logify (~> 0.1)
+ mime-types
+ logify (0.2.0)
+ mime-types (3.2.2)
+ mime-types-data (~> 3.2015)
+ mime-types-data (3.2018.0812)
+ stove (6.0.0)
+ chef-api (~> 0.5)
+ logify (~> 0.2)
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ stove
+
+BUNDLED WITH
+ 1.16.0
> --json ~/tmp/node_example_com.prod.crt.json
```
+Note: You must translate wildcard character `'*'` of common name into `'_'`, because Data Bag items must have an id matching `/^[\.\-[:alnum:]_]+$/`. e.g. `'*.example.com'` => `'_.example.com'`
+
- grant reference permission to the appropriate nodes
```text
### References of deployed key and certificate file paths (with default attributes)
+`undotted_cn`: `'*'` and `'.'` of common name are translated into `'_'`. e.g. `'*.example.com'` => `'__example_com'`
+
- `node['ssl_cert']["#{ca}_cert_path"]`: e.g. `node['ssl_cert']['grid_ca_cert_path']`
- `node['ssl_cert']["#{ca}_pubkey_path"]`: e.g. `node['ssl_cert']['grid_ssh_ca_pubkey_path']`
- `node['ssl_cert']["#{ca}_krl_path"]`: e.g. `node['ssl_cert']['grid_ssh_ca_krl_path']`
-- `node['ssl_cert']["#{undotted_cn}_key_path"]`: e.g. `node['ssl_cert']['node_example_com_key_path']`
-- `node['ssl_cert']["#{undotted_cn}_cert_path"]`: e.g. `node['ssl_cert']['node_example_com_cert_path']`
+- `node['ssl_cert']["#{undotted_cn}_key_path"]`: e.g. `node['ssl_cert']['node_example_com_key_path']`, `node['ssl_cert']['__example_com_key_path']`
+- `node['ssl_cert']["#{undotted_cn}_cert_path"]`: e.g. `node['ssl_cert']['node_example_com_cert_path']`, `node['ssl_cert']['__example_com_cert_path']`
### Helper methods
grid_ca_cert_path = ca_cert_path('grid_ca')
ldap_key_path = server_key_path('ldap.grid.example.com')
ldap_cert_path = server_cert_path('ldap.grid.example.com')
+wildcard_cn_key_path = server_key_path('*.grid.example.com')
+wildcard_cn_cert_path = server_cert_path('*.grid.example.com')
```
## License and Authors
- Author:: whitestar at osdn.jp
```text
-Copyright 2016, whitestar
+Copyright 2016-2018, whitestar
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
require 'foodcritic'
require 'stove/rake_task'
+tpl_cookbook = '00cookbook'
+cookbook_name = File.basename(Dir.pwd)
+
+desc 'Initialize project'
+task :init do
+ next if cookbook_name == tpl_cookbook
+
+ [
+ '.foodcritic',
+ '.rubocop.yml',
+ 'Berksfile',
+ 'chefignore',
+ 'concourse.yml',
+ 'fly-vars.yml',
+ 'fly-vars.local.yml',
+ 'Gemfile',
+ 'Gemfile.lock',
+ 'version',
+ ].each {|conf|
+ sh "cp ../#{tpl_cookbook}/#{conf} ./" unless File.exist?(conf)
+ }
+
+ ruby [
+ %(-pne '$_.gsub!(/^cookbook-name: .*$/, "cookbook-name: #{cookbook_name}")'),
+ '-i fly-vars.local.yml',
+ ].join(' ')
+end
+
+desc 'Update project'
+task :update do
+ next if cookbook_name == tpl_cookbook
+
+ [
+ 'Rakefile',
+ 'chefignore',
+ 'concourse.yml',
+ 'fly-vars.yml',
+ 'Gemfile',
+ 'Gemfile.lock',
+ ].each {|conf|
+ sh "cp ../#{tpl_cookbook}/#{conf} ./"
+ }
+end
+
+desc 'fly set-pipeline'
task :'set-pipeline' do
sh [
- "fly -t $CC_TARGET sp -p #{File.basename(Dir.pwd)}-cookbook -c concourse.yml",
- '-l fly-vars.yml -l ~/sec/credentials-prod.yml',
+ "fly -t $CC_TARGET sp -p #{cookbook_name}-cookbook -c concourse.yml",
+ '-l fly-vars.yml -l fly-vars.local.yml -l ~/sec/credentials-prod.yml',
].join(' ')
end
+desc 'rake set-pipeline alias'
task sp: 'set-pipeline'
namespace :style do
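Review bot: The new `:init` and `:update` tasks run `sh "cp ../#{tpl_cookbook}/#{conf} ./"` through a shell, and the `ruby -pne` line splices `cookbook_name` — taken from `Dir.pwd` — into a double-quoted Ruby string literal, so a checkout directory containing a space, `"` or `#` either breaks the copy or changes the gsub program that is run with `-i` in place. Rake's `sh` takes an argument list that skips the shell: `sh 'cp', "../#{tpl_cookbook}/#{conf}", './'`, and the YAML rewrite could read the name from `ENV` inside the `-pne` program instead of string-building it. The `set-pipeline` command presumably keeps the string form because it relies on `$CC_TARGET` expansion; that is fine but deserves a one-line comment saying so. `namespace :style` continues outside the hunk.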
=end
undotted_cns = node['ssl_cert']['common_names'].map {|item|
- item.tr('.', '_')
+ item.tr('*.', '__') # '*': wildcard
}
default['ssl_cert']['certs_src_dir'] = node.value_for_platform_family(
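Review bot: `item.tr('*.', '__')` maps both `*` and `.` to `_`, so the translated name is no longer unique per common name: `*.example.com`, `_.example.com` and `*_example.com` all become `__example_com`. The same mapping is repeated in `server_cert_path` and `server_key_path` in libraries/helper.rb, and since `undotted_cns` presumably drives the generated `…_key_path`/`…_cert_path` attributes, two colliding entries in `node['ssl_cert']['common_names']` would silently share one path attribute. Either document the restriction next to the translation, e.g. `# NOTE: both '*' and '.' become '_'; common names must stay distinct after this translation`, or fail early with `raise ArgumentError, 'ssl_cert common_names collide after translation' if undotted_cns.uniq.size != undotted_cns.size`.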
--- /dev/null
+# Put files/directories that should be ignored in this file.
+# Lines that start with '# ' are comments.
+
+Berksfile.lock
+
+# concourse
+concourse.yml
+fly-vars.yml
+fly-vars.local.yml
+
+# emacs
+*~
+
+.rubocop_todo.yml
+
+# vim
+*.sw[a-z]
+
+# subversion
+*/.svn/*
---
-# $ fly -t $CC_TARGET sp -p ssl_cert-cookbook -c concourse.yml -l fly-vars.yml -l ~/sec/credentials-prod.yml
resources:
- name: src-git
type: git
--- /dev/null
+---
+cookbook-name: ssl_cert
---
-cookbook-name: ssl_cert
chefdk-version: 1.6.11
# Cookbook Name:: ssl_cert
# Library:: Helper
#
-# Copyright 2016, whitestar
+# Copyright 2016-2018, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
end
def server_cert_path(cn)
- undotted_cn = cn.tr('.', '_')
+ undotted_cn = cn.tr('*.', '__') # '*': wildcard
node['ssl_cert']["#{undotted_cn}_cert_path"]
end
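Review bot: `cn.tr('*.', '__')` is now written out here in `server_cert_path`, again in `server_key_path` in the hunk below, and once more as `item.tr('*.', '__')` in attributes/default.rb, while the two vault loaders each carry a separate `cn.tr('*', '_')` for the Data Bag item id; four copies of one encoding rule is how the attribute key and the vault item id drift apart on the next change. Extract each rule once, e.g. `def undotted_cn(cn); cn.tr('*.', '__'); end` and `def vault_item_id(cn); cn.tr('*', '_'); end`, and call them from all four sites. The `# '*': wildcard` comment and the README's example (`'*.example.com' => '__example_com'`) then belong on the helper rather than on every call.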
require 'chef-vault'
cert = ChefVault::Item.load(
- node['ssl_cert']['server_cert_vault'], "#{cn}#{vault_item_suffix}"
+ node['ssl_cert']['server_cert_vault'],
+ # Note: Data Bag items must have an id matching /^[\.\-[:alnum:]_]+$/
+ "#{cn.tr('*', '_')}#{vault_item_suffix}"
)
node['ssl_cert']['server_cert_vault_item_key'].split('/').each {|elm|
cert = cert[elm]
end
def server_key_path(cn)
- undotted_cn = cn.tr('.', '_')
+ undotted_cn = cn.tr('*.', '__') # '*': wildcard
node['ssl_cert']["#{undotted_cn}_key_path"]
end
require 'chef-vault'
secret = ChefVault::Item.load(
- node['ssl_cert']['server_key_vault'], "#{cn}#{vault_item_suffix}"
+ node['ssl_cert']['server_key_vault'],
+ # Note: Data Bag items must have an id matching /^[\.\-[:alnum:]_]+$/
+ "#{cn.tr('*', '_')}#{vault_item_suffix}"
)
node['ssl_cert']['server_key_vault_item_key'].split('/').each {|elm|
secret = secret[elm]