Implemented basic CLI operations with whitelist
Change-Id: I4ccf158807099add16a5082d8a461205447d7fa0
parent
79a59c52f0
commit
ec68268b3b
68
README.md
68
README.md
|
@ -28,8 +28,11 @@ Than enable extension for a particular environment
|
|||
|
||||
### How to Use
|
||||
|
||||
This extension introduces set of additional Fuel CLI commands which allows the operator to
|
||||
associate a git repo with a particular environment and preform CRUD operations on this repo.
|
||||
This extension introduces two sets of additional Fuel CLI commands. The first set allows the
|
||||
operator to associate a git repo with a particular environment and preform CRUD operations on
|
||||
this repo. The second set allows the operator to execute audit and enforce operations on the
|
||||
environment as well as list the changes made to configuration. It also allows to manage white
|
||||
lists for these changes.
|
||||
See details [here](./doc/cli.md).
|
||||
```
|
||||
gitrepo create
|
||||
|
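Review bot: In the rewritten intro paragraph under "How to Use", "preform CRUD operations" should read "perform CRUD operations" (the typo is carried over from the old wording), and "It also allows to manage white lists" would read better as "It also lets the operator manage whitelists", which matches the one-word "whitelist" spelling used in the command names and section headings elsewhere in this change.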
@ -38,6 +41,13 @@ See details [here](./doc/cli.md).
|
|||
gitrepo init
|
||||
gitrepo list
|
||||
gitrepo update
|
||||
|
||||
audit enforce
|
||||
audit noop
|
||||
audit list outofsync
|
||||
audit whitelist show
|
||||
audit whitelist add
|
||||
audit whitelist delete
|
||||
```
|
||||
Create repository and configure nailgun to use it.
|
||||
```
|
||||
|
@ -105,5 +115,59 @@ roles:
|
|||
Configuration files for Role and Node levels should be placed in corresponding directory described
|
||||
in overrides.yaml
|
||||
|
||||
### Audit and enforcement
|
||||
This feature enables the operator to audit the changes made to the environment as well as enforce
|
||||
configuration.
|
||||
|
||||
```
|
||||
fuel2 audit noop --env <env-id> || --repo <repo-id>
|
||||
```
|
||||
Audit is basically a Fuel graph run with noop flag set. This runs the whole graph and records Puppet resources, that would have changed their state. The command above is equivalent to
|
||||
```
|
||||
fuel2 env redeploy --noop <env-id>
|
||||
```
|
||||
|
||||
After the audit run, the operator is able to list the changes to the state of Puppet resources on the environment via following command:
|
||||
```
|
||||
fuel2 audit list outofsync --task <noop-task-id> || --repo <repo-id>
|
||||
```
|
||||
This is a convenient alternative to the stock command:
|
||||
```
|
||||
fuel2 task history show <noop-task-id> --include-summary
|
||||
```
|
||||
|
||||
To enforce configuration state, the operator can issue a stock redeploy command:
|
||||
```
|
||||
fuel2 env redeploy <env-id>
|
||||
```
|
||||
|
||||
To perform the whole audit-enforce process automatically, this extension provides the following command:
|
||||
```
|
||||
fuel2 audit enforce --env <env-id> || --repo <repo-id>
|
||||
```
|
||||
This command will run audit, check the changes and will enforce configuration, if needed.
|
||||
|
||||
### Audit changes whitelisting
|
||||
Since fuel-library contains non-idempotent tasks, that contain Puppet resources, which will be
|
||||
triggered on each deployment run, this extension provides the operator the ability to filter such changes out.
|
||||
|
||||
A whitelist rule is a string, that is included into a Puppet report line for the whitelisted resource change, e.g. for
|
||||
```
|
||||
Openstack_tasks::Swift::Proxy_storage/Package[mc]/ensure
|
||||
```
|
||||
the whitelist rule could be
|
||||
```
|
||||
Package[mc]/ensure
|
||||
```
|
||||
Whitelist rules for an environment can be listed by
|
||||
```
|
||||
fuel2 audit whitelist show <env-id>
|
||||
```
|
||||
These rules can be managed by following commands:
|
||||
```
|
||||
fuel2 audit whitelist add <env-id> <rule>
|
||||
fuel2 audit whitelist delete <rule-id>
|
||||
```
|
||||
|
||||
### REST API
|
||||
API documentation can be found [here](./doc/api.md)
|
||||
|
|
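Review bot: The "Audit changes whitelisting" section defines a rule as any string "included into a Puppet report line", so the example rule `Package[mc]/ensure` would also hide that package change when it is reported from any class other than `Openstack_tasks::Swift::Proxy_storage`. Because a whitelist entry suppresses audit findings, the README should state that matching is by substring, recommend the most specific string that still covers the non-idempotent resource (here the full `Openstack_tasks::Swift::Proxy_storage/Package[mc]/ensure` path), and say whether whitelisted changes count toward the "if needed" decision in `fuel2 audit enforce`.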
55
doc/api.md
55
doc/api.md
|
@ -35,3 +35,58 @@ Example:
|
|||
```
|
||||
curl -X PUT -H 'X-Auth-Token: $(fuel token)' http://localhost:8000/api/v1/clusters/4/git-repos/2 -d '{"ref": "master"}'
|
||||
```
|
||||
|
||||
|
||||
#### GET /clusters/changes-whitelist/(obj_id)
|
||||
Returns the serialized whitelist rule object
|
||||
Example
|
||||
```
|
||||
curl -H "X-Auth-Token: $(fuel token)" http://localhost:8000/api/v1/clusters/changes-whitelist/1
|
||||
```
|
||||
|
||||
#### PUT /clusters/changes-whitelist/(obj_id)
|
||||
Updates a whitelist rule
|
||||
Input data schema:
|
||||
```
|
||||
"$schema": "http://json-schema.org/draft-04/schema#",
|
||||
"title": "ChangesWhitelistRule",
|
||||
"description": "Serialized ChangesWhitelistRule object",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"rule": {"type": "string"},
|
||||
}
|
||||
```
|
||||
Example
|
||||
```
|
||||
curl -H "X-Auth-Token: $(fuel token)" -X PUT http://localhost:8000/api/v1/clusters/changes-whitelist/1 -d '{"rule": "new-rule-string"}'
|
||||
```
|
||||
|
||||
#### DELETE /clusters/changes-whitelist/(obj_id)
|
||||
Deletes a whitelist rule
|
||||
Example
|
||||
```
|
||||
curl -H "X-Auth-Token: $(fuel token)" -X DELETE http://localhost:8000/api/v1/clusters/changes-whitelist/1
|
||||
```
|
||||
|
||||
#### GET /clusters/(env_id)/changes-whitelist/
|
||||
Returns the whitelist rules for a specified environment
|
||||
Example
|
||||
```
|
||||
curl -H "X-Auth-Token: $(fuel token)" http://localhost:8000/api/v1/clusters/1/changes-whitelist/
|
||||
```
|
||||
#### POST /clusters/(env_id)/changes-whitelist/
|
||||
Creates one or more whitelist rule(s)
|
||||
Input data schema:
|
||||
```
|
||||
"$schema": "http://json-schema.org/draft-04/schema#",
|
||||
"title": "ChangesWhitelistRule Collection",
|
||||
"description": "Serialized ChangesWhitelistRule collection",
|
||||
"type": "object",
|
||||
"items": {
|
||||
"rule": {"type": "string"}
|
||||
}
|
||||
```
|
||||
Example
|
||||
```
|
||||
curl -H "X-Auth-Token: $(fuel token)" -X POST http://localhost:8000/api/v1/clusters/1/changes-whitelist/ -d '[{"rule": "new-rule-string"}, {"rule": "new-rule-2"}]'
|
||||
```
|
||||
|
|
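Review bot: The schema for POST /clusters/(env_id)/changes-whitelist/ declares `"type": "object"` together with an `"items"` key, but the example directly below it sends a JSON array of rule objects; `items` only applies to arrays, so the schema as written does not describe the documented request. Suggest `"type": "array"` with `"items"` being an object schema whose `properties` contain `rule`. Both schema blocks are also missing their enclosing braces, and the PUT one has a trailing comma after `"rule": {"type": "string"},`. Neither schema marks `rule` as required or sets a `minLength`; if rules are matched as substrings of report lines, as the README in this change describes, an empty rule would match every change, so it is worth constraining here.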
36
doc/cli.md
36
doc/cli.md
|
@ -48,3 +48,39 @@ To get more detailed description use:
|
|||
```
|
||||
fuel2 help <command>
|
||||
```
|
||||
|
||||
##### Audit and enforce
|
||||
These commands allow to perform audit and enforce configuration on the environment as well as to list the changes made to it.
|
||||
|
||||
To perform the audit run on the environment:
|
||||
```
|
||||
fuel2 audit noop --env <env-id> || --repo <repo-id>
|
||||
```
|
||||
|
||||
To list the changes:
|
||||
```
|
||||
fuel2 audit list outofsync --task <noop-task-id> || --env <env-id>
|
||||
```
|
||||
|
||||
To perform audit run, inspect changes and enforce configuration, if needed:
|
||||
```
|
||||
fuel2 audit enforce --env <env-id> || --repo <repo-id>
|
||||
```
|
||||
|
||||
##### Changes whitelist commands
|
||||
These commands manage the rules, that allow to ignore certain changes to configuration.
|
||||
|
||||
To show rules whitelist for the environment:
|
||||
```
|
||||
fuel2 audit whitelist show <env-id>
|
||||
```
|
||||
|
||||
To add a rule:
|
||||
```
|
||||
fuel2 audit whitelist add <env-id> <rule>
|
||||
```
|
||||
|
||||
To delete a rule:
|
||||
```
|
||||
fuel2 audit whitelist delete <rule-id>
|
||||
```
|
||||
|
|
|
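Review bot: The synopsis lines separate the alternatives with `||` (`--env <env-id> || --repo <repo-id>`), which is the shell OR operator, so a command pasted from the docs would run the second half as a separate command; the usual notation for mutually exclusive options is `(--env <env-id> | --repo <repo-id>)`. In addition, `audit list outofsync` is documented here as `--task <noop-task-id> || --env <env-id>`, while the README in this same change gives `--task <noop-task-id> || --repo <repo-id>`; one of the two needs correcting to match the command's parser.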
@ -89,7 +89,7 @@ class Audit(lister.Lister, command.Command):
|
|||
group = parser.add_mutually_exclusive_group(required=True)
|
||||
group.add_argument('--env',
|
||||
type=int,
|
||||
help='Associated Repo ID')
|
||||
help='Environment ID')
|
||||
group.add_argument('--repo',
|
||||
type=int,
|
||||
help='Associated Repo ID')
|
||||
|
@ -213,3 +213,78 @@ class OutOfSyncResources(lister.Lister, command.Command):
|
|||
|
||||
data = data_utils.get_display_data_multi(self.columns, changes)
|
||||
return (self.columns, data)
|
||||
|
||||
|
||||
class WhitelistRulesShow(lister.Lister, command.Command):
|
||||
columns = (
|
||||
'id',
|
||||
'rule'
|
||||
)
|
||||
|
||||
def get_parser(self, prog_name):
|
||||
parser = super(WhitelistRulesShow, self).get_parser(prog_name)
|
||||
parser.add_argument('env',
|
||||
type=int,
|
||||
help=('Environment to find whitelist rules '
|
||||
'associated with'))
|
||||
return parser
|
||||
|
||||
def take_action(self, parsed_args):
|
||||
env_id = parsed_args.env
|
||||
|
||||
rules = fc_client.get_request(
|
||||
'/clusters/{env}/changes-whitelist/'.format(env=env_id)
|
||||
)
|
||||
|
||||
data = data_utils.get_display_data_multi(self.columns, rules)
|
||||
return (self.columns, data)
|
||||
|
||||
|
||||
class WhitelistRuleAdd(lister.Lister, command.Command):
|
||||
columns = (
|
||||
'id',
|
||||
'rule'
|
||||
)
|
||||
|
||||
def get_parser(self, prog_name):
|
||||
parser = super(WhitelistRuleAdd, self).get_parser(prog_name)
|
||||
parser.add_argument('env',
|
||||
type=int,
|
||||
help='Environment to add whitelist rules to')
|
||||
parser.add_argument('rule',
|
||||
type=str,
|
||||
help='Rule to add')
|
||||
return parser
|
||||
|
||||
def take_action(self, parsed_args):
|
||||
env_id = parsed_args.env
|
||||
rule = parsed_args.rule
|
||||
data = {'rule': rule}
|
||||
|
||||
ret = fc_client.post_request(
|
||||
'/clusters/{env}/changes-whitelist/'.format(env=env_id),
|
||||
data
|
||||
)
|
||||
ret = data_utils.get_display_data_multi(self.columns, ret)
|
||||
|
||||
return (self.columns, ret)
|
||||
|
||||
|
||||
class WhitelistRuleDelete(command.Command):
|
||||
columns = ()
|
||||
|
||||
def get_parser(self, prog_name):
|
||||
parser = super(WhitelistRuleDelete, self).get_parser(prog_name)
|
||||
parser.add_argument('rule_id',
|
||||
type=int,
|
||||
help='Rule ID to delete')
|
||||
return parser
|
||||
|
||||
def take_action(self, parsed_args):
|
||||
rule_id = parsed_args.rule_id
|
||||
|
||||
fc_client.delete_request(
|
||||
'/clusters/changes-whitelist/{rule}'.format(rule=rule_id)
|
||||
)
|
||||
|
||||
return ((), {})
|
||||
|
|
|
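Review bot: In `WhitelistRuleAdd.take_action` the request body is a single dict (`data = {'rule': rule}`), while doc/api.md in this change documents POST /clusters/(env_id)/changes-whitelist/ with a list of rule objects, and the response is then handed to `get_display_data_multi`, which the other commands in this hunk call on collections (`changes`, `rules`). Suggest sending `[{'rule': rule}]` so the client follows the documented contract and the shape of the return value is unambiguous. The `rule` argument is also accepted without any check, so an empty or whitespace-only string goes straight to the API; rejecting it in the parser would be cheap. In `WhitelistRuleDelete`, `columns = ()` is unused and `return ((), {})` has no meaning for a plain `command.Command`; printing a short confirmation with the deleted rule id would be more useful to the operator.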
@ -33,3 +33,6 @@ fuelclient:
|
|||
audit_enforce = fuel_external_git.fuelclient_audit:Audit
|
||||
audit_noop = fuel_external_git.fuelclient_audit:AuditRun
|
||||
audit_list_outofsync = fuel_external_git.fuelclient_audit:OutOfSyncResources
|
||||
audit_whitelist_show = fuel_external_git.fuelclient_audit:WhitelistRulesShow
|
||||
audit_whitelist_add = fuel_external_git.fuelclient_audit:WhitelistRuleAdd
|
||||
audit_whitelist_delete = fuel_external_git.fuelclient_audit:WhitelistRuleDelete
|
||||
|
|