Add external openldap terraform scenario

dev/config.yml.example

@@ -41,7 +41,12 @@ vm:
   # enable a separate external vm
   # start: true
   # These will map directly to entries in the generated chef-server.rb
-
+
+  # ldap:
+  # enable a separate ldap vm but do not use it unless use-external is set.
+  # start: true
+
+
   node-attributes:
     provisioning:
       # uncomment to enable default configuration of remote postgres node.

dev/cookbooks/provisioning/attributes/default.rb

@@ -4,3 +4,4 @@
 default['ldap']['basedn']   = 'dc=chef-server,dc=dev'
 default['ldap']['ssl_key']  = '/etc/ldap/ssl/chef-server_dev.key'
 default['ldap']['ssl_cert'] = '/etc/ldap/ssl/chef-server_dev.crt'
+default['ldap']['password']   = 'H0\/\/!|\/|3tY0ur|\/|0th3r'

dev/cookbooks/provisioning/recipes/hosts.rb

@@ -3,6 +3,7 @@
   owner "root"
   group "root"
   action :create
+  mode  "0644"
   variables({"fqdns" => ["api.chef-server.dev",  "manage.chef-server.dev"],
              "global_fqdns" => node['provisioning']['hosts']})
 

terraform/scenarios/omnibus-external-openldap/README.md

@@ -0,0 +1,7 @@
+# Omnibus External OpenLDAP
+
+This directory contains the Terraform code used to instantiate an OpenLDAP Server followed by a Chef Infra Server utilizing an Omnibus built artifact downloaded from `$upgrade_version_url` as the install package.
+
+The Chef Infra Server will receive a `/etc/opscode/chef-server.rb` configuration file that is setup to use the external LDAP server over TLS.
+
+Once both servers are installed and configured, the pedant tests are run against the Chef Infra Server.

terraform/scenarios/omnibus-external-openldap/files/chef-server.rb

@@ -0,0 +1,19 @@
+opscode_erchef['keygen_start_size'] = 30
+
+opscode_erchef['keygen_cache_size'] = 60
+
+nginx['ssl_dhparam'] = '/etc/opscode/dhparam.pem'
+
+data_collector['token'] = 'foobar'
+
+profiles['root_url'] = 'http://localhost:9998'
+
+ldap['base_dn'] = 'ou=chefs,dc=chef-server,dc=dev'
+ldap['bind_dn'] = 'cn=admin,dc=chef-server,dc=dev'
+ldap['bind_password'] = 'H0\/\/!|\/|3tY0ur|\/|0th3r'
+ldap['host'] = 'ldap.chef-server.dev'
+ldap['login_attribute'] = 'uid'
+
+# Use TLS for encryption against an OpenLDAP instance to avoid connection resets
+ldap['ssl_enabled'] = false
+ldap['tls_enabled'] = true

terraform/scenarios/omnibus-external-openldap/files/dhparam.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAtAvx3pUHBNcK2nD58nPPlKtJzZvrFCyKEn9BSn16/BmFwBhL8rh4
++fkrnLflZ/k9wJjiUkU0DCi+Fy6DUohPHOmmT0BiuwgsDZAFDyTj0PeZKINpbHnQ
+EbZENzWo5s5hsb1zVxIMEtTMRrigdHM3FQupFbzOHxonkO0JlocarOJBHGX+Crjp
+y/8SReCpC71R+Vl6d4+Dw6GFdL+6k6W558dPfq3UeV8HPWQEaM7/jXDUKJZ0tB6a
+1csrekkz3gBFlSjSxececRVn8bm5dTfc86rIWJWeWQVLYdBFT6zi43AvF+nLYKYh
++oVnVrhWgOLYvEKX311d9SaqcdrXVFscYwIBAg==
+-----END DH PARAMETERS-----

terraform/scenarios/omnibus-external-openldap/main.tf

@@ -0,0 +1,156 @@
+module "chef_server" {
+  source = "../../aws_instance"
+
+  aws_profile       = "${var.aws_profile}"
+  aws_region        = "${var.aws_region}"
+  aws_vpc_name      = "${var.aws_vpc_name}"
+  aws_department    = "${var.aws_department}"
+  aws_contact       = "${var.aws_contact}"
+  aws_ssh_key_id    = "${var.aws_ssh_key_id}"
+  aws_instance_type = "${var.aws_instance_type}"
+  enable_ipv6       = "${var.enable_ipv6}"
+  platform          = "${var.platform}"
+  name              = "chefserver-${var.scenario}-${var.enable_ipv6 ? "ipv6" : "ipv4"}-${var.platform}"
+}
+
+module "ldap" {
+  source = "../../aws_instance"
+
+  aws_profile       = "${var.aws_profile}"
+  aws_region        = "${var.aws_region}"
+  aws_vpc_name      = "${var.aws_vpc_name}"
+  aws_department    = "${var.aws_department}"
+  aws_contact       = "${var.aws_contact}"
+  aws_ssh_key_id    = "${var.aws_ssh_key_id}"
+  aws_instance_type = "${var.aws_instance_type}"
+  enable_ipv6       = "${var.enable_ipv6}"
+  platform          = "ubuntu-16.04"
+  name              = "ldap-${var.scenario}-${var.enable_ipv6 ? "ipv6" : "ipv4"}-${var.platform}"
+}
+
+# generate static hosts configuration
+data "template_file" "hosts_config" {
+  template = "${file("${path.module}/templates/hosts.tpl")}"
+
+  vars {
+    chef_server_ip = "${var.enable_ipv6 == true ? module.chef_server.public_ipv6_address : module.chef_server.private_ipv4_address}"
+    ldap_ip        = "${var.enable_ipv6 == true ? module.ldap.public_ipv6_address : module.ldap.private_ipv4_address}"
+  }
+}
+
+# update ldap server
+resource "null_resource" "ldap_config" {
+  # provide some connection info
+  connection {
+    type = "ssh"
+    user = "${module.ldap.ssh_username}"
+    host = "${module.ldap.public_ipv4_dns}"
+  }
+
+  provisioner "file" {
+    content     = "${data.template_file.hosts_config.rendered}"
+    destination = "/tmp/hosts"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "set -evx",
+      "sudo chown root:root /tmp/hosts",
+      "sudo mv /tmp/hosts /etc/hosts",
+    ]
+  }
+}
+
+# install/configure ldap service
+resource "null_resource" "ldap_cookbook" {
+  depends_on = ["null_resource.ldap_config"]
+
+  provisioner "local-exec" {
+    command = "chef-run --user ${module.ldap.ssh_username} ${module.ldap.public_ipv4_dns} ${path.module}/../../../dev/cookbooks/provisioning/recipes/ldap-server.rb"
+  }
+}
+
+# update chef server
+resource "null_resource" "chef_server_config" {
+  depends_on = ["null_resource.ldap_cookbook"]
+
+  # provide some connection info
+  connection {
+    type = "ssh"
+    user = "${module.chef_server.ssh_username}"
+    host = "${module.chef_server.public_ipv4_dns}"
+  }
+
+  provisioner "file" {
+    content     = "${data.template_file.hosts_config.rendered}"
+    destination = "/tmp/hosts"
+  }
+
+  provisioner "file" {
+    source      = "${path.module}/files/chef-server.rb"
+    destination = "/tmp/chef-server.rb"
+  }
+
+  provisioner "file" {
+    source      = "${path.module}/files/dhparam.pem"
+    destination = "/tmp/dhparam.pem"
+  }
+
+  # install chef-server
+  provisioner "remote-exec" {
+    inline = [
+      "set -evx",
+      "sudo chown root:root /tmp/hosts",
+      "sudo mv /tmp/hosts /etc/hosts",
+      "curl -vo /tmp/${replace(var.upgrade_version_url, "/^.*\\//", "")} ${var.upgrade_version_url}",
+      "sudo ${replace(var.upgrade_version_url, "rpm", "") != var.upgrade_version_url ? "rpm -U" : "dpkg -iEG"} /tmp/${replace(var.upgrade_version_url, "/^.*\\//", "")}",
+      "sudo chown root:root /tmp/chef-server.rb",
+      "sudo chown root:root /tmp/dhparam.pem",
+      "sudo mv /tmp/chef-server.rb /etc/opscode",
+      "sudo mv /tmp/dhparam.pem /etc/opscode",
+      "sudo chef-server-ctl reconfigure --chef-license=accept",
+      "sleep 120",
+    ]
+  }
+
+  # run smoke test
+  provisioner "remote-exec" {
+    inline = [
+      "set -evx",
+      "sudo chef-server-ctl test",
+    ]
+  }
+
+  # install push jobs and run pedant test
+  provisioner "remote-exec" {
+    inline = [
+      "set -evx",
+      "sudo chef-server-ctl install opscode-push-jobs-server",
+      "sudo chef-server-ctl reconfigure --chef-license=accept",
+      "sleep 30",
+      "sudo opscode-push-jobs-server-ctl reconfigure",
+      "sleep 30",
+      "sudo opscode-push-jobs-server-ctl test",
+    ]
+  }
+
+  # install chef-manage
+  provisioner "remote-exec" {
+    inline = [
+      "set -evx",
+      "sudo chef-server-ctl install chef-manage",
+      "sudo chef-server-ctl reconfigure --chef-license=accept",
+      "sleep 30",
+      "sudo chef-manage-ctl reconfigure --accept-license",
+      "sleep 30",
+    ]
+  }
+
+  # run pedant test
+  provisioner "remote-exec" {
+    inline = [
+      "set -evx",
+      "sudo chef-server-ctl test -J pedant.xml --all --compliance-proxy-tests",
+    ]
+  }
+}

terraform/scenarios/omnibus-external-openldap/templates/hosts.tpl

@@ -0,0 +1,13 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+
+# The following lines are desirable for IPv6 capable hosts
+::1       localhost.localdomain localhost6 localhost6.localdomain6 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+${chef_server_ip} chefserver.internal
+
+${ldap_ip} ldap.internal ldap.chef-server.dev

terraform/scenarios/omnibus-external-openldap/variables.tf

@@ -0,0 +1,64 @@
+#########################################################################
+# AWS
+#########################################################################
+variable "aws_profile" {
+  type        = "string"
+  description = "Name of the AWS profile used for authentication (e.g. chef-engineering)."
+  default     = "chef-engineering"
+}
+
+variable "aws_region" {
+  type        = "string"
+  description = "Name of the AWS region to create instances in (e.g. us-west-2)."
+  default     = "us-west-1"
+}
+
+variable "aws_vpc_name" {
+  type        = "string"
+  description = "Name of the AWS virtual private cloud where tests will be run."
+  default     = ""
+}
+
+variable "aws_department" {
+  type        = "string"
+  description = "Department that owns the resources should be one of: EngServ, Operations, Eng, Training, Solutions, Sales, BD, Success or Partner"
+}
+
+variable "aws_contact" {
+  type        = "string"
+  description = "The primary contact for the resources, this should be the IAM username and must be able to receive email by appending @chef.io to it (this person can explain what/why, might not be the business owner)."
+}
+
+variable "aws_ssh_key_id" {
+  type        = "string"
+  description = "AWS ID of the SSH key used to access the instance (e.g. csnapp)."
+}
+
+variable "aws_instance_type" {
+  type        = "string"
+  description = "Name of the AWS instance type used to determine size of instances (e.g. t2.medium)."
+  default     = "t2.medium"
+}
+
+variable "platform" {
+  type        = "string"
+  description = "Operating System of the instance to be created."
+}
+
+#########################################################################
+# Chef Server
+#########################################################################
+variable "scenario" {
+  type        = "string"
+  description = "The name of the scenario being executed."
+}
+
+variable "upgrade_version_url" {
+  type        = "string"
+  description = "The URL to a chef-server used during initial install."
+}
+
+variable "enable_ipv6" {
+  type        = "string"
+  description = "Use IPv6 in the chef-server.rb config and /etc/hosts."
+}