Giter VIP home page Giter VIP logo

golja-gnupg's Introduction

#GnuPG puppet module

####Table of Contents

  1. Overview
  2. Installation
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module
  7. License

##Overview

Install GnuPG on Ubuntu/Debian/RedHat/CentOS/Amazon AMI and manage users public keys.

Tested with Tavis CI

NOTE: For puppet 2.7.x supported module please use version 0.X.X

Build Status Puppet Forge

##Installation

 $ puppet module install golja/gnupg

##Usage

####Install GnuPG package

include '::gnupg'

####Add public key 20BC0A86 from PGP server from hkp://pgp.mit.edu/ to user root

gnupg_key { 'hkp_server_20BC0A86':
  ensure     => present,
  key_id     => '20BC0A86',
  user       => 'root',
  key_server => 'hkp://pgp.mit.edu/',
  key_type   => public,
}

####Add public key D50582E6 from standard http URI to user foo

gnupg_key { 'jenkins_foo_key':
  ensure     => present,
  key_id     => 'D50582E6',
  user       => 'foo',
  key_source => 'http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key',
  key_type   => public,
}

####Add public key D50582E6 from puppet fileserver to user foo

gnupg_key { 'jenkins_foo_key':
  ensure     => present,
  key_id     => 'D50582E6',
  user       => 'foo',
  key_source => 'puppet:///modules/gnupg/D50582E6.key',
  key_type   => public,
}

####Add public key D50582E6 from puppet fileserver to user bar via a string value

gnupg_key { 'jenkins_foo_key':
  ensure      => present,
  key_id      => 'D50582E6',
  user        => 'bar',
  key_content => '-----BEGIN BROKEN PUBLIC KEY BLOCK-----...',
  key_type    => public,
}

Note: You should use hiera lookup to get the key content

####Remove public key 20BC0A86 from user root

gnupg_key {'root_remove':
  ensure   => absent,
  key_id   => '20BC0A86',
  user     => 'root',
  key_type => public,
}

###Remove both private and public key 20BC0A66

gnupg_key {'root_remove':
  ensure   => absent,
  key_id   => '20BC0A66',
  user     => 'root',
  key_type => both,
}

##Reference

###Classes

####gnupg

#####package_ensure

Valid value present/absent. In most cases you should never uninstall this package, because most of the modern Linux distros rely on gnupg for package verification, etc Default: present

#####package_name

Name of the GnuPG package. Default value determined by $::osfamily/$::operatingsystem facts

####gnupg_key

#####ensure

REQUIRED - Valid value present/absent

#####user

REQUIRED - System username for who to store the public key. Also define the location of the pubring (default ${HOME}/.gnupg/)

#####key_id

REQUIRED - Key ID. Usually the traditional 8-character key ID. Also accepted the long more accurate (but less convenient) 16-character key ID. Accept only hexadecimal values.

#####key_source

REQUIRED if key_server or key_content is not defined and ensure is present. A source file containing PGP key. Values can be URIs pointing to remote files, or fully qualified paths to files available on the local system.

The available URI schemes are puppet, https, http and file. Puppet URIs will retrieve files from Puppet's built-in file server, and are usually formatted as:

puppet:///modules/name_of_module/filename

#####key_server

REQUIRED if key_source or key_content is not defined and ensure is present.

PGP key server from where to retrieve the public key. Valid URI schemes are http, https, ldap and hkp.

#####key_content

REQUIRED if key_server or key_source is not defined and ensure is present.

Provide the content of the key as a string. This is useful when the key is stored as a hiera property and the consumer doesn't want to have to write that content to a file before the gnupg_key resource executes.

#####key_type

OPTIONAL - key type. Valid values (public|private|both). Default: public

#####proxy

OPTIONAL - use a http proxy url to access the keyserver, for example: http://proxy.corp.domain:80. Default: undef

Tests

There are two types of tests distributed with the module. Unit tests with rspec-puppet and system tests using rspec-system or beaker.

For unit testing, make sure you have:

  • rake
  • bundler

Install the necessary gems:

bundle install --path=vendor

And then run the unit tests:

bundle exec rake spec

If you want to run the system tests, make sure you also have:

  • vagrant > 1.3.x
  • Virtualbox > 4.2.10

Then run the tests using:

bundle exec rake spec:system

To run the tests on different operating systems, see the sets available in .nodeset.yml and run the specific set with the following syntax:

RSPEC_SET=debian-607-x64 bundle exec rake spec:system

Alernatively you can run beaker tests using:

bundle exec rake beaker

##Limitations

This module has been tested on:

  • Debian 6/7
  • Ubuntu 12+
  • RedHat 5/6/7
  • CentOS 5/6/7
  • Amazon AMI

##Development

Please see CONTRIBUTING.md

License

See LICENSE file

golja-gnupg's People

Contributors

dgolja avatar edestecd avatar jplindquist avatar mattock avatar mklette avatar nibalizer avatar tampakrap avatar timatlassian avatar tobyclemson avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar

Forkers

mattock pleschev edestecd timatlassian max-siegieda datacentred puppet-finland tampakrap clio ajmaidak keynetics emonty code-management nibalizer arineng crispygoth dschaaff thiagomarinho neatnerdprime mjburling arenhardt alexfouche anthill-utils gdubicki arakmar rrenard lionce samk mjrasobarnett pillarsdotnet iatanasov77 flupsy operatorofhell ugent-dict dominmuda rlanger-wesleyan rayderua encoretechnologies ekohl jplindquist bastelfreak tuxmea binh-worldfront dctrotz flepoutre

golja-gnupg's Issues

Renewing Puppet Forge Approved Status

Hey dgolja,

Here at puppetlabs, we are currently going through all of our Approved modules on the Puppet Forge. We have some feedback for your module if you would be interested in retaining the approved status. If you are keen on keeping your approved status please ensure you respond as soon as you possibly can.

Many Thanks
The Puppet Approvals Committee.

Setting Trust Level of Installed Keys

Hi,

There doesn't appear to be any way to set the trust level of installed keys when using this module to add gnupg keys. This can be necessary if, for example, gpg public keys are being installed which are going to be used to encrypt files (in which case, gpg likes the public keys involved to be trusted).

Could we adapt the module to allow setting of trust levels via a parameter to the gnupg_key type?

Something like:

  gnupg_key {
    'mykey - public':
      ensure      => present,
      key_id      => 'a2b4c6f8',
      user        => 'root',
      key_content => "-----BEGIN PGP PUBLIC KEY BLOCK-----
      ...
-----END PGP PUBLIC KEY BLOCK-----",
      key_trust   => 6,
      key_type    => public;
}

The --import-ownertrust gpg command could be used, to this end.

Ref: https://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html#option-_002d_002dexport_002downertrust

gnupg's user should be autorequired

We have to manually specify require => User[$someUser] for each gnupg resource defined, to make sure the user is created before the gnupg.

Since we already set the user for the gnupg type, we can autorequire it.

Applying gnupg_key fails if an Agent-side directory environment is missing

Applying gnupg_key resources fail if the node running the agent is missing a directory environment matching the environment given in /etc/puppetlabs/puppet/puppet.conf (or on the command-line):

$ puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for server.domain.com
Info: Applying configuration version '1447410145'
Error: Could not find a directory environment named 'testing' anywhere in the path: /etc/puppetlabs/code/environments. Does the directory exist?
Error: /Stage[main]/Freight::Config::Gnupg/Gnupg_key[freight-public-key]/ensure: change from absent to present failed: Could not find a directory environment named 'testing' anywhere in the path: /etc/puppetlabs/code/environments. Does the directory exist?
Error: Could not find a directory environment named 'testing' anywhere in the path: /etc/puppetlabs/code/environments. Does the directory exist?
Error: /Stage[main]/Freight::Config::Gnupg/Gnupg_key[freight-private-key]/ensure: change from absent to present failed: Could not find a directory environment named 'testing' anywhere in the path: /etc/puppetlabs/code/environments. Does the directory exist?
Notice: Applied catalog in 0.36 seconds

This problem can be circumvented by creating the said directory environment on the node that runs the Puppe Agent:

$ mkdir /etc/puppetlabs/code/environments/testing
$ puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for server.domain.com
Info: Applying configuration version '1447410758'
Notice: /Stage[main]/Freight::Config::Gnupg/Gnupg_key[freight-public-key]/ensure: created
Notice: /Stage[main]/Freight::Config::Gnupg/Gnupg_key[freight-private-key]/ensure: created
Notice: Applied catalog in 0.43 seconds

This problem is reproducible on Puppet 4.2.3. I have not tested any of the earlier versions. On the puppetserver side the environment is correctly configured, and nothing suspicious shows up in /var/log/puppetlabs/puppetserver/puppetserver.log. So this failure occurs strictly on the agent side.

undefined method `exitstatus'

I'm trying to use the maestrodev rvm module which has this module as a dependency. I have declared the following class into my profile to make sure there was nothing wonky on the call from rvm module:

include ::gnupg

gnupg_key { 'hkp_server_D39DC0E3':
ensure => present,
key_id => 'D39DC0E3',
user => 'root',
key_server => 'hkp://keys.gnupg.net',
key_type => public,
}

From puppet run with debug enabled:

Debug: Executing 'gpg --list-keys --with-colons D39DC0E3'
Error: /Stage[main]/Profiles::cool_app/Gnupg_key[hkp_server_D39DC0E3]: Could not evaluate: undefined method `exitstatus' for #String:0x00000005111ae8

When I run the command above manually on the instance this is what I get:
gpg --list-keys --with-colons D39DC0E3
tru::1:1434731668:0:3:1:5
gpg: error reading key: No public key

Puppet 8x

Hello,
Is is possible to create a new tag with Puppet 8x compatibility ?

Thanks.

key type parameter uses unquoted string in ready which leads to reserved word errors

in the example below key_type is set private

gnupg_key { 'hkp_server_20BC0A86':
  ensure     => present,
  key_id     => '20BC0A86',
  user       => 'root',
  key_server => 'hkp://pgp.mit.edu/',
  key_type   => private,
}

which produces the error Use of reserved word: private, must be quoted if intended to be a String value

In our use we are now quoting private, e.g.

gnupg_key { 'hkp_server_20BC0A86':
  ensure     => present,
  key_id     => '20BC0A86',
  user       => 'root',
  key_server => 'hkp://pgp.mit.edu/',
  key_type   => 'private',
}

and the module is continuing to function as expected. Based on that I believe it just needs to be adjusted in the ready to be quoted as a string.

Support for puppet v4

Has anyone looked at what it would take to upgrade this module to be compatible with puppet v4?

The documentation on the puppet forge suggests that the module is not supported / tested past v4.0

Key is recreated with every puppet run

I am using v. 1.2.3.

I use this code in manifest:

create_resources('gnupg_key', $::profiles::common::gpg_keys::user_keys,
      {'ensure' => 'present'})

and this in hiera:

profiles::common::gpg_keys::user_keys:
  'All something something something <[email protected]>':
    key_id: 'someid'
    user: root
    key_content: 'somecontent'
    key_type: public

..and with each puppet run I get:

Notice: /Stage[main]/Profiles::Common::Gpg_user_keys/Gnupg_key[All something something something <[email protected]>]/ensure: created

I think that this started happening when I started to use key name with a space in it...

Add fact that indicates if gpg is installed or not.

I would like to manage a key only if gpg is installed on a system.
RVM only uses gpg if it is installed, so I would like to replicate this behavior in the RVM module here:
https://forge.puppetlabs.com/maestrodev/rvm

It currently uses an exec for key management, but I would prefer to switch to this module.
Is there anyway currently to tell if gpg is already installed? If not, what do you think of adding a fact?
I could write one and submit a PR.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.