chef-boneyard / delivery-sugar Goto Github PK

The README currently says that workflow_change_patchset_branch is

The name of the branch originally given to the change when it was submitted for review.

I'd expect that to persist after the merge so I can reference it in the subsequent build stage from that description, but it is coming up as an empty string now. This is presumably because delivery is no longer passed the --branch argument looking at the top of the run output.

Example from verify stage, lint phase:

Starting job on builder chef-runner1.us-west-2.aws at 2017-08-16T21:29:32+00:00.
Command: delivery job verify lint --server automate.example.com --user builder --ent default --org org --project project --for master --change-id bb792b91-cc14-444a-8391-2fc156c57e2a --branch _reviews/master/initialize-delivery-pipeline/3 --git-url ssh://builder@[email protected]:8989/default/org/project

Example from build stage, lint phase:

Starting job on builder chef-runner3.us-west-2.aws at 2017-08-16T22:01:05+00:00.
Command: delivery job build lint --server automate.example.com --user builder --ent default --org org --project project --for master --change-id bb792b91-cc14-444a-8391-2fc156c57e2a --shasum 532c569dc18e4c33c9dd5295b8154b29d02678a9 --git-url ssh://builder@[email protected]:8989/default/org/project

Update the code that executes the inspec cli to pass in the --no-distinct-exit, this will change the inspec cli to have the previous behavior where a successful pass always exists with 0 even if controls are skipped. https://github.com/chef-cookbooks/delivery-sugar/blob/f7f33c751401be51316a51fef2db31b6a0907cbb/libraries/delivery_inspec.rb#L112 and https://github.com/chef-cookbooks/delivery-sugar/blob/f7f33c751401be51316a51fef2db31b6a0907cbb/libraries/delivery_inspec.rb#L139

Hi gurus,

I've been playing around this: https://github.com/chef-cookbooks/delivery-sugar/blob/master/examples/terraform/.delivery/build_cookbook/README_TERRAFORM.md but I cannot use it other than in a single phase (like provision), it feels awkward provision the VM, bootstrapping it and running the tests in the same phase.
We're currently able to use a REST HTTP backend to store the terraform state, so wondering how that might be leveraged to spread the execution across all phases in Acceptance stage.

I have a fork where I have started to work on this - you can check it out at https://github.com/mattstratton/delivery-sugar/tree/add-kitchen-azurerm

One of the main issues I have run into is that to install the kitchen-azurerm gem, developer tools are needed on the build nodes. It seems a little presumptive to do this in delivery-sugar, but I am curious as to what the best guideline would be for this requirement? Add the installation of the package into delivery-sugar somewhere, or document it as a requirement for the build nodes if someone wants to use this feature?

For reference, here's a gist with the errors - https://gist.github.com/mattstratton/a7b8d0abc2c5c3d71fb79aa530afc646

Hello,

In delivery_test_kitchen.rb we clearly expect @environment to be passed in, otherwise, why would we parameters[:environment] || {} and not just set it to {} out of the gate?

However, it does not appear that we can actually pass in environment attributes as setting something like:

delivery_test_kitchen 'unit_create' do
  driver 'ec2'
  suite 'default'
  environment('TK_EC2_REGION' => 'us-west-2', 'TK_MACHINE_SIZE' => 't2.micro')
  action :test
end

Results in an error "no function environment" or so...

Basically we're making heavy use of environment variables as Team A might not have access to the same EC2 VPCs as Team B. But save pointing to a different region, ami, etc. it's the same process. so we have a .kitchen.yml:

driver:
  name: ec2
  region: <%= ENV['TK_EC2_REGION'] %>
  instance_type: <%= ENV['TK_INSTANCE_TYPE'] %>

Team A might have a shell script

#!/usr/bin/env bash
export TK_EC2_REGION = us-west-2
export TK_INSTANCE_TYPE = t2.micro

and Team B gets

#!/usr/bin/env bash
export TK_EC2_REGION= us-east-1
export TK_INSTANCE_TYPE = t1.large

What we'd like to see is the ability to pass "arbitrary" environment variables to our Test Kitchen run.

Thanks!

• Q

The default kitchen timeout prevented spinning up and connecting a windows node within ec2

There is a rescue here that always triggers in the Deploy phase. This causes errors in Deploy for instances where the default workspace path is not used (e.g Windows Build Nodes).

I believe the issue is caused by calling DeliverySugar::ChefServer.new.with_server_config from within DeliveryTruck::Helpers::Deploy without passing the node object. Which causes change to fail to initialize (and triggering the rescue)

Here is the code path that leads to the error (based on my understanding):

• DeliveryTruck::Helpers::DSL.delivery_chef_server_search is called
• DeliveryTruck::Helpers::Deploy method is called (no node object passed)
• DeliverySugar::ChefServer is initialized without arguments
• DeliverySugar::DSL.delivery_knife_rb is called
• DeliverySugar::DSL.delivery_workspace is called
• DeliverySugar::DSL.change is called
• change object fails to initialize because node does not exist
• rescue is triggered in DeliverySugar::DSL.delivery_workspace
• Run fails because knife.rb is not found

The function delivery_workspace checks the node attribute node['delivery']['workspace_path']. Where does this attribute get set? Should it be checking against node['delivery_build']['root'] as that is what gets set in delivery_build?

To help validate all delivery server side tests would it be possible to add the ability to run test-kitchen tests via 'delivery job verify 'functional' --local

I am working on a build cookbook for a cookbook that is still being developed in parallel on github, so I do not want to push to master of that cookbook on github yet. I specified the branch delivery, intending to push there on github until the author is using delivery also.

However, when this tries to push you get the following:

error: src refspec delivery does not match any.
error: failed to push some refs to '[email protected]:tylercloke/qa-chef-server-cluster.git'

This is because the branch delivery does not exist locally. This tool should consider creating the branch locally before pushing to support pushing to branches that exist on github and not in delivery, or use another git method to do so that I am unaware of.

When running the syntax phase, a cookbook that has not bumped version in metadata.rb is not always caught.

E.x.
Dir.glob("#{path}/*") vs Dir.glob("#{path}/"

Working when:

../delivery-project/cookbooks/jalapeno/Berskfile is modified because it is at the root of the cookbook

Not working when:

../delivery-project/cookbooks/jalapeno/attributes/default.rb is modified because it is NOT at the root of the cookbook

---- Begin output of bundle install ----
STDOUT: Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/

Downgrading to 1.2.0 cookbook works - additional information and context can be found here - https://discourse.chef.io/t/jobs-failing-trying-to-install-jobs/10418/4

There are a couple of references to the location of knife.rb in delivery-sugar:
delivery_chef_server.rb
delivery_push_jobs_resource.rb

At the moment some server permissions means its desirable for me to be storing this config in a spot other than /var/opt/delivery/workspace/.chef but this breaks delivery-sugar.

Is offering this as an configurable location an option? Something like a chef_config attribute you could pass into the resource.

Happy to code up a PR just keen for some community guidance first up.

Once we merge in #14, the TestKitchen class is longer than 100 lines, which causes a Rubocop failure. In #14 we are working around this by disabling that cop on that particular class, but this seems to be a bit of a band-aid.

Especially as we add more and more drivers to this, the class will start to get really long. We should refactor this class so that perhaps the drivers each subclass the TestKitchen class?

Open to discussion on how to approach this. I'm hoping to add a bunch more drivers shortly, so I'd like to figure this out sooner than later.

Hello!

I'm looking for enhanced support around the delivery_chef_cookbook resource, specifically to support uploading a cookbook and its dependencies (via Berksfiles and metadata.rb?) to multiple endpoints. It appears the way things are setup now, it will only upload a single cookbook, and ideally it does something similar to how the default delivery-truck publish phase works (unless there is a specific/solid reason not to!)

• https://github.com/chef-cookbooks/delivery-truck/blob/master/recipes/publish.rb

To be clear, I'm looking to publish/deliver cookbooks (and their dependencies) to multiple organizations/chef servers, ideally using Automate to keep these in sync, and specifically referencing the following:

• https://docs.chef.io/publish_cookbooks_multiple_servers.html

Whatever the correct solution ends up being, the ideal end state (from my POV) is that after a cookbook passes and is accepted/delivered, it automatically publishes to our internal private supermarket and uploads itself(and its dependencies!) to one or more chef servers/orgs, similar to how a berks upload would work.

Thanks!

It would be delightful to add support for the kitchen-docker driver for the Test Kitchen helper.

I have a few ideas on how to enhance the "Handling Secrets" functionality in delivery-sugar.

First of all, we do support an "org" level databag; I suggest we also add an "enterprise" level databag.

Also, I suggest that we merge all levels of the databags into one secret merged hash. Here's why:

Let's say that I have set some secrets at the org level (for example, I want to set a default ec2 key for my whole org). But then, I want to be able to set one differently for one specific project. That works great right now. But what if later I want to add a global secret for, say, a private key for use with InSpec tests. I now have to go add this key to every project-level databag as well as the org level one.

The behavior I suggest is that when getting the values from delivery-secrets, it creates a merged hash, but the most specific item's value "wins". That is to say, let's say that at the org-level item I set the value of "inspec-key"; if there is no project-level value for "inspec-key", then the org value is used. If there is a project level value for "inspec-key", then it is used. But any items at the org/enterprise level item that do NOT exist in a project-level item, those are used.

I've been facing this when I run complex tf plans using openstack resources:

Mixlib::ShellOut::CommandTimeout: delivery_terraform[terraform-plan union] (ibm_build::provision line 93) had an error: Mixlib::ShellOut::CommandTimeout: Command timed out after 600s:
Command exceeded allowed execution time, process terminated

@jeremymv2

In chef automate I am using delivery-sugar to run test kitchen for aws ec2. When running my recipe in the acceptance stage and attempting to use the workflow_stage variable I am presented with the following error.
================================================================================
Recipe Compile Error in /tmp/kitchen/cache/cookbooks/dt_zks_kafka/recipes/default.rb
================================================================================

   NoMethodError
   -------------
   undefined method `[]' for nil:NilClass
   
   Cookbook Trace:
   ---------------
     /tmp/kitchen/cache/cookbooks/delivery-sugar/libraries/delivery_change.rb:46:in `initialize'
     /tmp/kitchen/cache/cookbooks/delivery-sugar/libraries/delivery_dsl.rb:439:in `new'
     /tmp/kitchen/cache/cookbooks/delivery-sugar/libraries/delivery_dsl.rb:439:in `change'
     /tmp/kitchen/cache/cookbooks/delivery-sugar/libraries/delivery_dsl.rb:211:in `workflow_stage'
     /tmp/kitchen/cache/cookbooks/dt_zks_kafka/recipes/server.rb:9:in `from_file'
     /tmp/kitchen/cache/cookbooks/dt_zks_kafka/recipes/default.rb:7:in `from_file'
   
   Relevant File Content:
   ----------------------
   /tmp/kitchen/cache/cookbooks/delivery-sugar/libraries/delivery_change.rb:
   
    39:      # rubocop:disable AbcSize
    40:      # rubocop:disable Metrics/MethodLength
    41:      # rubocop:disable AccessorMethodName
    42:      # rubocop:disable CyclomaticComplexity
    43:      # rubocop:disable PerceivedComplexity
    44:      #
    45:      def initialize(node)
    46>>       change = node['delivery']['change']
    47:        workspace = node['delivery']['workspace']
    48:        @build_user = node['delivery_builder']['build_user']
    49:        @workspace_repo = workspace['repo']
    50:        @workspace_cache = workspace['cache']
    51:        @workspace_chef = workspace['chef']
    52:        @workspace_root = workspace['root']
    53:        @workspace_path = node['delivery']['workspace_path'] ||
    54:                          '/var/opt/delivery/workspace'
    55:        @enterprise = change['enterprise']
   
   System Info:
   ------------
   chef_version=13.6.4
   platform=ubuntu
   platform_version=16.04
   ruby=ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]
   program_name=chef-solo worker: ppid=1522;start=13:21:48;
   executable=/opt/chef/bin/chef-solo

We use heavily the delivery_test_kitchen functionality to run functional tests as part of the delivery pipeline, by calling this within .delivery/build-cookbook/recipes/functional.rb:

if node['delivery']['change']['stage'] == 'acceptance'
  delivery_test_kitchen 'functional' do
    yaml '.kitchen.ec2.yml'
    driver 'ec2'
    action [:converge, :verify, :destroy]
  end
end

This works great! However, several of our cookbooks take over 10 minutes to complete (especially ones that e.g. install a lot of packages as part of their converge), and that fails the stage and the project can't be delivered, even if the converge/verify would have succeeded eventually.

There doesn't appear to be a way to easily extend the timeout. For now, we work around this by monkey patching in each cookbook that requires the timeout to be extended:

# inside .delivery/build-cookbook/libraries/extend_timeout.rb
# Monkeypatch TestKitchen class to override default (600s) timeout to 1800s
class ::DeliverySugar::TestKitchen
  #
  # Run test kitchen action
  #
  def run(action)
    Chef::Log.warn "overriding kitchen run action"
    prepare_kitchen
    shell_out!(
      "kitchen #{action} #{suite} #{@options}",
      cwd: @repo_path,
      env: @environment.merge!('KITCHEN_YAML' => kitchen_yaml_file),
      live_stream: STDOUT,
      timeout: 1800
    )
  end
end

I'd love to see a configurabletimeout parameter added to delivery_test_kitchen. I just don't have the time right now to make a PR, so I'm making an issue instead.

inspec_test_path needs to start with a slash.
Documentation for the delivery-sugar cookbook should be updated and example should rather look like this:

delivery_inspec "run_inspec" do
  infra_node '10.0.0.1'
  os 'windows'
  inspec_test_path '/test/smoke'
end

Currently we have to create a secret databag for every project we want to sync with our Stash Git. It would be valuable to be able to reference a single secret databag since within each project.

I have an enterprise called "bluth", and an org called "bluth".

I have created an encrypted databag called delivery-secrets/bluth-bluth, but when I attempt the following code:

my_secrets = get_project_secrets
ssh-user = my_secrets['ssh-user'] # chef-Delivery-Build-Cookbooks-delivery-truck
ssh-private_key = my_secrets['ssh-private-key']

I get the following error:

[2016-12-02T15:42:33+00:00] ERROR: Failed to load data bag item: "delivery-secrets" "bluth-bluth-bluth_linux_base"
[2016-12-02T15:42:33+00:00] WARN: Secrets Not Found for project_slug[bluth-bluth-bluth_linux_base]

(bluth_linux_base is the name of the cookbook I am pushing through Automate)

It seems like delivery-sugar is not bothering to try to check for the org-level databag but only querying for the project-level one.