diff --git a/lib/kitchen/provisioner/dependencies.erb b/lib/kitchen/provisioner/dependencies.erb index 9f3df5b..babacd9 100644 --- a/lib/kitchen/provisioner/dependencies.erb +++ b/lib/kitchen/provisioner/dependencies.erb @@ -63,9 +63,23 @@ def install_dependencies if formula.key?(:repo) case formula[:repo] when 'git' - script += <<-INSTALL + if formula[:source].start_with?("http") + script += <<-INSTALL fetchGitFormula #{formula[:source]} "#{formula[:name]}" "#{formula[:branch] || 'master'}" - INSTALL + INSTALL + else + if formula[:ssh_key].nil? and config[:ssh_key].nil? + raise "No ssh_key specified for #{formula[:source]}" + end + if formula[:ssh_key].nil? + ssh_key = config[:root_path] + config[:ssh_home] + "/" + File.basename(config[:ssh_key]) + else + ssh_key = config[:root_path] + config[:ssh_home] + "/" + File.basename(formula[:ssh_key]) + end + script += <<-INSTALL + fetchGitFormula #{formula[:source]} "#{formula[:name]}" "#{formula[:branch] || 'master'}" "#{ssh_key}" + INSTALL + end when 'spm' if formula[:package].nil? script += <<-INSTALL diff --git a/lib/kitchen/provisioner/formula-fetch.sh b/lib/kitchen/provisioner/formula-fetch.sh index abefdd9..64e1c6a 100755 --- a/lib/kitchen/provisioner/formula-fetch.sh +++ b/lib/kitchen/provisioner/formula-fetch.sh @@ -9,12 +9,12 @@ # GIT_FORMULAS_PATH=/usr/share/salt-formulas/env/_formulas # xargs -n1 ./formula-fetch.sh < dependencies.txt - # Parse git dependencies from metadata.yml # $1 - path to /metadata.yml # sample to output: # https://github.com/salt-formulas/salt-formula-git git # https://github.com/salt-formulas/salt-formula-salt salt + function fetchDependencies() { METADATA="$1"; grep -E "^dependencies:" "$METADATA" >/dev/null || return 0 
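Review bot: The new SSH branch splices `formula[:source]` into the generated shell script unquoted, and `formula[:name]`, the branch and `ssh_key` sit inside double quotes where the shell still expands `$` and backticks, so a value containing whitespace or shell metacharacters changes the command that runs on the instance. Escaping each value before interpolation, for example `#{Shellwords.escape(formula[:source])}` with `require 'shellwords'`, would close that; the existing http branch has the same shape. `start_with?("http")` also raises NoMethodError when `:source` is missing. The two `ssh_key = ...` assignments differ only in the key passed to `File.basename`, so `File.basename(formula[:ssh_key] || config[:ssh_key])` would replace the inner if/else. install_dependencies starts and ends outside the hunk.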
@@ -30,15 +30,25 @@ function fetchDependencies() { # $1 - formula git repo url # $2 - formula name (optional) # $3 - branch (optional) +# $4 - path to deploykey function fetchGitFormula() { test -n "${FETCHED}" || declare -a FETCHED=() export GIT_FORMULAS_PATH=${GIT_FORMULAS_PATH:-/usr/share/salt-formulas/env/_formulas} + + if [[ -n $4 ]] + then + sshbin=$(command -v ssh) + export GIT_SSH_COMMAND="${sshbin} -o UserKnownHostsFile=/tmp/kitchen/ssh/known_hosts -o StrictHostKeyChecking=no -i ${4}" + export GIT_SSH="/tmp/kitchen/git_ssh.sh" + fi + mkdir -p "$GIT_FORMULAS_PATH" if [ -n "$1" ]; then source="$1" name="$2" test -n "$name" || name="${source//*salt-formula-}" test -z "$3" && branch=master || branch=$3 + if ! [[ "${FETCHED[*]}" =~ $name ]]; then # dependency not yet fetched echo "Fetching: $name" if test -e "$GIT_FORMULAS_PATH/$name"; then @@ -47,7 +57,7 @@ function fetchGitFormula() { popd &>/dev/null || exit else echo "git clone $source $GIT_FORMULAS_PATH/$name -b $branch" - git clone "$source" "$GIT_FORMULAS_PATH/$name" -b "$branch" + git clone "$source" "$GIT_FORMULAS_PATH/$name" -b "$branch" || exit 1 fi # install dependencies FETCHED+=("$name") diff --git a/lib/kitchen/provisioner/git_ssh.sh b/lib/kitchen/provisioner/git_ssh.sh new file mode 100755 index 0000000..c705d8e --- /dev/null +++ b/lib/kitchen/provisioner/git_ssh.sh @@ -0,0 +1,3 @@ +#!/bin/sh +# Workaround: GIT_SSH_COMMAND is not supported by Git < 2.3 +exec "${GIT_SSH_COMMAND:-ssh}" "$@" diff --git a/lib/kitchen/provisioner/known_hosts b/lib/kitchen/provisioner/known_hosts new file mode 100644 index 0000000..6295cde --- /dev/null +++ b/lib/kitchen/provisioner/known_hosts 
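Review bot: `StrictHostKeyChecking=no` in the new `GIT_SSH_COMMAND` undoes the pinning that the shipped known_hosts file is meant to provide, because ssh then accepts and records a key for any host that is not listed and the clone source is not authenticated. Since `UserKnownHostsFile` already points at the pinned file, `-o StrictHostKeyChecking=yes` is the matching setting, and `-o IdentitiesOnly=yes` keeps ssh from offering keys other than the deploy key. `${4}` is embedded unquoted, so a key path containing a space breaks the command. `/tmp/kitchen` is hardcoded here while the Ruby side of this diff builds the key path from `config[:root_path]`, so the two presumably diverge when root_path is overridden. fetchGitFormula continues outside the hunk.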
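Review bot: In git_ssh.sh, `exec "${GIT_SSH_COMMAND:-ssh}" "$@"` passes the whole value of GIT_SSH_COMMAND as one word, so with the value set in formula-fetch.sh (ssh path plus `-o` and `-i` options) the shell looks for a program whose name is that entire string and the exec fails. That is the Git < 2.3 path this wrapper exists for, so the workaround does not take effect there. Leaving the expansion unquoted, `exec ${GIT_SSH_COMMAND:-ssh} "$@"`, lets the shell split it into program and options; a comment such as `# relies on word splitting: paths in GIT_SSH_COMMAND must not contain spaces` should state the limitation.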
@@ -0,0 +1,5 @@
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
+gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
+gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
diff --git a/lib/kitchen/provisioner/salt_solo.rb b/lib/kitchen/provisioner/salt_solo.rb
index ba6f134..7284c6c 100644
--- a/lib/kitchen/provisioner/salt_solo.rb
+++ b/lib/kitchen/provisioner/salt_solo.rb
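Review bot: The pinned host keys in known_hosts carry no record of where or when they were taken, and pinned entries go stale when a provider rotates a key; GitHub, for one, replaced its RSA host key in March 2023, so the `github.com ssh-rsa` line should be compared with the fingerprints GitHub currently publishes. github.com and bitbucket.org are pinned for ssh-rsa only, while gitlab.com has ecdsa, rsa and ed25519 entries, so adding the ed25519 and ecdsa keys for the first two would avoid depending on RSA host key support in the client. A header comment per provider, e.g. `# github.com: copied from <provider fingerprint page> on <date>`, would make later verification possible.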
@@ -77,10 +77,12 @@ class SaltSolo < Base
 salt_spm_root: '/srv/spm',
 salt_state_top: '/srv/salt/top.sls',
 salt_version: 'latest',
- salt_yum_repo_key: 'https://repo.saltproject.io/yum/redhat/$releasever/$basearch/archive/%s/SALTSTACK-GPG-KEY.pub',
- salt_yum_repo_latest: 'https://repo.saltproject.io/yum/redhat/salt-repo-latest-2.el7.noarch.rpm',
- salt_yum_repo: 'https://repo.saltproject.io/yum/redhat/$releasever/$basearch/archive/%s',
- salt_yum_rpm_key: 'https://repo.saltproject.io/yum/redhat/7/x86_64/archive/%s/SALTSTACK-GPG-KEY.pub',
+ salt_yum_repo_key: 'https://repo.saltstack.com/yum/redhat/$releasever/$basearch/archive/%s/SALTSTACK-GPG-KEY.pub',
+ salt_yum_repo_latest: 'https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm',
+ salt_yum_repo: 'https://repo.saltstack.com/yum/redhat/$releasever/$basearch/archive/%s',
+ salt_yum_rpm_key: 'https://repo.saltstack.com/yum/redhat/7/x86_64/archive/%s/SALTSTACK-GPG-KEY.pub',
+ ssh_home: '/ssh',
+ ssh_key: nil,
 state_collection: false,
 state_top_from_file: false,
 state_top: {},
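Review bot: The switch of the four `salt_yum_*` defaults from `repo.saltproject.io` to `repo.saltstack.com` does not belong with the deploy-key options added next to it, and it changes where the package repository and its GPG key are fetched from. It may be a rebase or merge artifact that reverts an earlier URL update; if so the four lines should be dropped from this commit, and if it is intended it deserves its own commit with the reason stated. For the new options, a comment such as `# ssh_key: local path to an unencrypted deploy key, copied into the sandbox under ssh_home` would document what they accept.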
@@ -429,6 +431,31 @@ def prepare_dependencies # sub-directory return if windows_os? + # Write ssh known_hosts + write_raw_file(File.join(sandbox_path, config[:ssh_home], "known_hosts"), File.read(File.expand_path("../known_hosts", __FILE__))) + # Write general deploy key. + unless config[:ssh_key].nil? + outfile = File.join(sandbox_path, config[:ssh_home], File.basename(config[:ssh_key])) + contents = File.read(File.expand_path(config[:ssh_key])) + if contents.include?("ENCRYPTED") + raise("Encrypted key not supported offending key: #{config[:ssh_key]}") + end + info("Copying #{config[:ssh_key]} to #{outfile}") + write_raw_file(outfile, contents) + end + # Write dependency overridden deploykey + config[:dependencies].each do |dependency| + unless dependency[:ssh_key].nil? + outfile = File.join(sandbox_path, config[:ssh_home], File.basename(dependency[:ssh_key])) + contents = File.read(File.expand_path(dependency[:ssh_key])) + if contents.include?("ENCRYPTED") + raise("Encrypted key not supported offending key: #{dependency[:ssh_key]}") + end + info("Copying #{dependency[:ssh_key]} to #{outfile}") + write_raw_file(outfile, contents) + end + end + # upload scripts sandbox_scripts_path = File.join(sandbox_path, config[:salt_config], 'scripts') info("Preparing scripts into #{config[:salt_config]}/scripts") @@ -455,7 +482,7 @@ def prepare_dependencies end # upload scripts - %w[formula-fetch.sh repository-setup.sh].each do |script| + %w[formula-fetch.sh repository-setup.sh git_ssh.sh].each do |script| write_raw_file(File.join(sandbox_path, script), File.read(File.expand_path("../#{script}", __FILE__))) end dependencies_script = File.expand_path('./../dependencies.erb', __FILE__)
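Review bot: The deploy key is copied into the sandbox with no visible restriction on its file mode, and `contents.include?("ENCRYPTED")` does not detect passphrase-protected keys in the newer OpenSSH format, whose header reads `BEGIN OPENSSH PRIVATE KEY` whether or not the key is encrypted. ssh refuses private keys that other users can read, and the sandbox is uploaded to the instance (under `/tmp/kitchen`, judging by formula-fetch.sh), so the key should be written 0600 and ideally removed after the fetch; whether `write_raw_file` or the upload preserves the mode is not visible here. The two copy blocks are identical apart from where the key path comes from, so a private helper removes the duplication, and because the target name is `File.basename(...)`, two keys with the same filename in different directories overwrite each other, which the helper could reject. prepare_dependencies starts and ends outside the hunk.

```ruby
# … unchanged: write ssh known_hosts …
# Write the general deploy key, then any per-dependency override.
keys = [config[:ssh_key]] + config[:dependencies].map { |dependency| dependency[:ssh_key] }
keys.compact.uniq.each { |key| copy_deploy_key(key) }
# … unchanged: upload scripts …

# New private method: copies one unencrypted deploy key into the sandbox.
def copy_deploy_key(key)
  outfile = File.join(sandbox_path, config[:ssh_home], File.basename(key))
  contents = File.read(File.expand_path(key))
  raise("Encrypted key not supported offending key: #{key}") if contents.include?("ENCRYPTED")
  info("Copying #{key} to #{outfile}")
  write_raw_file(outfile, contents)
  # ssh rejects private keys that are group- or world-readable.
  File.chmod(0o600, outfile)
end
```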