Merge pull request #54 from myii/feat/add-freebsd-support

feat(freebsd): add FreeBSD support (recover abandoned PR #32)

Author: dafyddj

.github/workflows/kitchen.vagrant.yml

@@ -0,0 +1,38 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+name: 'Kitchen Vagrant (FreeBSD)'
+'on': ['push', 'pull_request']
+
+env:
+  KITCHEN_LOCAL_YAML: 'kitchen.vagrant.yml'
+
+jobs:
+  test:
+    runs-on: 'macos-10.15'
+    strategy:
+      fail-fast: false
+      matrix:
+        instance:
+          # - prod-server-freebsd-130-master-py3
+          - freebsd-130-master-py3
+          # - prod-server-freebsd-123-master-py3
+          - freebsd-123-master-py3
+          # - prod-server-freebsd-130-3004-0-py3
+          # - prod-server-freebsd-123-3004-0-py3
+    steps:
+      - name: 'Check out code'
+        uses: 'actions/checkout@v2'
+      - name: 'Set up Bundler cache'
+        uses: 'actions/cache@v1'
+        with:
+          path: 'vendor/bundle'
+          key: "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}"
+          restore-keys: "${{ runner.os }}-gems-"
+      - name: 'Run Bundler'
+        run: |
+          ruby --version
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+      - name: 'Run Test Kitchen'
+        run: 'bundle exec kitchen verify ${{ matrix.instance }}'

.salt-lint

@@ -2,7 +2,10 @@
 # vim: ft=yaml
 ---
 exclude_paths: []
-rules: {}
+rules:
+  204:  # Lines should be no longer that 160 chars
+    ignore: |
+      vault/files/vault.service.fbsd.j2
 skip_list:
   # Using `salt-lint` for linting other files as well, such as Jinja macros/templates
   - 205  # Use ".sls" as a Salt State file extension

Gemfile

@@ -17,3 +17,7 @@ gem 'kitchen-docker', git: 'https://gitlab.com/saltstack-formulas/infrastructure
 
 gem 'kitchen-inspec', '>= 2.5.0'
 gem 'kitchen-salt', '>= 0.7.2'
+
+group :vagrant do
+  gem 'kitchen-vagrant'
+end

Gemfile.lock

@@ -387,6 +387,8 @@ GEM
     kitchen-salt (0.7.2)
       hashie (>= 3.5)
       test-kitchen (>= 1.4)
+    kitchen-vagrant (1.11.0)
+      test-kitchen (>= 1.4, < 4)
     license-acceptance (2.1.13)
       pastel (~> 0.7)
       tomlrb (>= 1.2, < 3.0)
@@ -669,6 +671,7 @@ DEPENDENCIES
   kitchen-docker!
   kitchen-inspec (>= 2.5.0)
   kitchen-salt (>= 0.7.2)
+  kitchen-vagrant
 
 BUNDLED WITH
    2.1.2

docs/README.rst

@@ -105,7 +105,7 @@ Requirements
 ``kitchen converge``
 ^^^^^^^^^^^^^^^^^^^^
 
-Creates the docker instance and runs the ``template`` main state, ready for testing.
+Creates the docker instance and runs the ``vault`` main states, ready for testing.
 
 ``kitchen verify``
 ^^^^^^^^^^^^^^^^^^
@@ -126,3 +126,65 @@ Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``veri
 ^^^^^^^^^^^^^^^^^
 
 Gives you SSH access to the instance for manual testing.
+
+Testing with Vagrant
+--------------------
+
+Windows/FreeBSD/OpenBSD testing is done with ``kitchen-salt``.
+
+Requirements
+^^^^^^^^^^^^
+
+* Ruby
+* Virtualbox
+* Vagrant
+
+Setup
+^^^^^
+
+.. code-block:: bash
+
+   $ gem install bundler
+   $ bundle install --with=vagrant
+   $ bin/kitchen test [platform]
+
+Where ``[platform]`` is the platform name defined in ``kitchen.vagrant.yml``,
+e.g. ``windows-81-latest-py3``.
+
+Note
+^^^^
+
+When testing using Vagrant you must set the environment variable ``KITCHEN_LOCAL_YAML`` to ``kitchen.vagrant.yml``.  For example:
+
+.. code-block:: bash
+
+   $ KITCHEN_LOCAL_YAML=kitchen.vagrant.yml bin/kitchen test      # Alternatively,
+   $ export KITCHEN_LOCAL_YAML=kitchen.vagrant.yml
+   $ bin/kitchen test
+
+Then run the following commands as needed.
+
+``bin/kitchen converge``
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+Creates the Vagrant instance and runs the ``vault`` main states, ready for testing.
+
+``bin/kitchen verify``
+^^^^^^^^^^^^^^^^^^^^^^
+
+Runs the ``inspec`` tests on the actual instance.
+
+``bin/kitchen destroy``
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Removes the Vagrant instance.
+
+``bin/kitchen test``
+^^^^^^^^^^^^^^^^^^^^
+
+Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.
+
+``bin/kitchen login``
+^^^^^^^^^^^^^^^^^^^^^
+
+Gives you RDP/SSH access to the instance for manual testing.

kitchen.vagrant.yml

@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+driver:
+  name: vagrant
+  cache_directory: false
+  customize:
+    usbxhci: 'off'
+  gui: false
+  ssh:
+    shell: /bin/sh
+  <% unless ENV['CI'] %>
+  linked_clone: true
+  synced_folders:
+    - - '.kitchen/kitchen-vagrant/%{instance_name}/vagrant'
+      - '/vagrant'
+      - 'create: true, disabled: false'
+  <% end %>
+
+platforms:
+  - name: freebsd-130-master-py3
+    driver:
+      box: myii/freebsd-13.0-master-py3
+  - name: freebsd-123-master-py3
+    driver:
+      box: myii/freebsd-12.3-master-py3
+  - name: freebsd-130-3004-0-py3
+    driver:
+      box: myii/freebsd-13.0-3004.0-py3
+  - name: freebsd-123-3004-0-py3
+    driver:
+      box: myii/freebsd-12.3-3004.0-py3

test/integration/dev_server/controls/vault_spec.rb

@@ -1,8 +1,17 @@
 # frozen_string_literal: true
 
+config_json, service_cmd =
+  case system.platform[:family]
+  when 'bsd'
+    ['/usr/local/etc/vault/conf.d/config.json', 'service vault status']
+  else
+    ['/etc/vault/conf.d/config.json', 'journalctl -u vault']
+  end
+
 describe command('/usr/local/bin/vault -version') do
   its(:exit_status) { should eq 0 }
   its(:stderr) { should be_empty }
+  # https://rubular.com/r/vVeCVuHAmtTYt3
   its(:stdout) { should match(/^Vault v[0-9.]+ \('[0-9a-f]+'\)/) }
 end
 
@@ -15,27 +24,40 @@
   describe file('/etc/init/vault.conf') do
     it { should be_a_file }
   end
+
+  describe file('/usr/local/etc/rc.d/vault') do
+    it { should be_a_file }
+  end
 end
 
 describe service('vault') do
+  it { should be_installed }
   it { should be_enabled }
   it { should be_running }
 end
 
-describe file('/etc/vault/conf.d/config.json') do
+describe file(config_json) do
   it { should_not be_a_file }
 end
 
-describe.one do
-  describe command('journalctl -u vault') do
-    its(:exit_status) { should eq 0 }
-    its(:stderr) { should be_empty }
-    its(:stdout) { should match(/WARNING! dev mode is enabled!/) }
+control 'vault.service' do
+  title 'dev mode warning message should be displayed and logged'
+
+  only_if('Warning message is not displayed on FreeBSD') do
+    !%w[freebsd].include?(system.platform[:name])
   end
 
-  describe file('/var/log/vault.log') do
-    it { should be_a_file }
-    its(:content) { should match(/WARNING! dev mode is enabled!/) }
+  describe.one do
+    describe command(service_cmd) do
+      its(:exit_status) { should eq 0 }
+      its(:stderr) { should be_empty }
+      its(:stdout) { should match(/WARNING! dev mode is enabled!/) }
+    end
+
+    describe file('/var/log/vault.log') do
+      it { should be_a_file }
+      its(:content) { should match(/WARNING! dev mode is enabled!/) }
+    end
   end
 end
 

test/integration/prod_server/controls/vault_spec.rb

@@ -1,25 +1,42 @@
 # frozen_string_literal: true
 
+config_json, service_cmd, path_to_etc_vault =
+  case system.platform[:family]
+  when 'bsd'
+    ['/usr/local/etc/vault/conf.d/config.json', 'service vault status',
+     '/usr/local/etc/vault']
+  else
+    ['/etc/vault/conf.d/config.json', 'journalctl -u vault', '/etc/vault']
+  end
+
 describe command('/usr/local/bin/vault -version') do
   its(:exit_status) { should eq 0 }
   its(:stderr) { should be_empty }
   # https://rubular.com/r/vVeCVuHAmtTYt3
   its(:stdout) { should match(/^Vault v[0-9.]+ \('[0-9a-f]+'\)/) }
 end
 
-describe command('getcap $(readlink -f /usr/local/bin/vault)') do
-  its(:exit_status) { should eq 0 }
-  its(:stderr) { should be_empty }
-  # https://rubular.com/r/JApIMY1oNqGRZ8
-  its(:stdout) { should match(%r{/vault\s?=? cap_ipc_lock[+=]ep$}) }
+control 'vault.package.install' do
+  title 'Linux capabilities should be set'
+
+  only_if('`getcap` not available on FreeBSD') do
+    !%w[freebsd].include?(system.platform[:name])
+  end
+
+  describe command('getcap $(readlink -f /usr/local/bin/vault)') do
+    its(:exit_status) { should eq 0 }
+    its(:stderr) { should be_empty }
+    # https://rubular.com/r/JApIMY1oNqGRZ8
+    its(:stdout) { should match(%r{/vault\s?=? cap_ipc_lock[+=]ep$}) }
+  end
 end
 
 describe user('vault') do
   it { should exist }
   its('group') { should eq 'vault' }
 end
 
-describe file('/etc/vault/conf.d/config.json') do
+describe file(config_json) do
   it { should be_a_file }
   its('owner') { should eq 'root' }
   its('group') { should eq 'vault' }
@@ -35,6 +52,10 @@
   describe file('/etc/init/vault.conf') do
     it { should be_a_file }
   end
+
+  describe file('/usr/local/etc/rc.d/vault') do
+    it { should be_a_file }
+  end
 end
 
 describe service('vault') do
@@ -44,10 +65,10 @@
 end
 
 describe.one do
-  describe command('journalctl -u vault') do
+  describe command(service_cmd) do
     its(:exit_status) { should eq 0 }
     its(:stderr) { should be_empty }
-    its(:stdout) { should match(/Vault server started/) }
+    its(:stdout) { should match(/Vault server started|vault is running as pid \d+/) }
   end
 
   describe file('/var/log/vault.log') do
@@ -70,10 +91,10 @@
   its('sealed') { should eq true }
 end
 
-describe file('/etc/vault/localhost.pem') do
+describe file("#{path_to_etc_vault}/localhost.pem") do
   it { should be_a_file }
 end
 
-describe file('/etc/vault/localhost-nopass.key') do
+describe file("#{path_to_etc_vault}/localhost-nopass.key") do
   it { should be_a_file }
 end

test/salt/pillar/prod_server.sls

@@ -6,6 +6,10 @@ vault:
     storage:
       file:
         path: /var/lib/vault/data
+    # `disable_mlock` is only needed for FreeBSD (Vagrant)
+    # Doesn't appear to cause a problem for other instances but use an `if`
+    # block if it does
+    disable_mlock: true
   tls_disable: 1
   self_signed_cert:
     enabled: true

vault/config/clean.sls

@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+{% from "vault/map.jinja" import vault with context %}
 
 vault-config-clean-file-absent:
   file.absent:
-    - name: /etc/vault
+    - name: {{ vault.config_path }}/vault