Update how agent and handler are configured #345
Conversation
Some users may wish to assign the api_key and application_key attributes during runtime instead of compile time -- particularly, users who want to obtain the value of the key(s) from an external service. Allow doing so by deferring evaluation of these attributes. Closes DataDog#328
If the user has placed API and/or application keys in the `node.run_state` hash, read them from there instead of from the node's attributes. If run_state is used, implementors can obtain the keys from other data sources (e.g. Hashicorp Vault) and prevent the keys from being inadvertently stored in Chef Server. Closes DataDog#341
The `compile_time` attribute for `chef_gem` has been deprecated in favor of deferring name resolution until convergence time. Fix accordingly. Reference: https://blog.chef.io/2015/03/03/chef-12-1-0-released/
mfischer-zd
force-pushed
the
defer_attribute_lookup
branch
from
981327b to
29fa562
Compare
|
Thanks @mfischer-zd, we'll spend some time in the next few weeks to test these changes in details. Being able to prevent storing the unencrypted app/api keys in Chef Server is definitely a very welcome feature. Can you confirm that your changes on |
I cannot confirm; we don't use Chef 11. (It should be noted that Chef 12 has been out for 18 months.) |
|
Hello, have you had time to review this? It's been nearly 2 months. |
|
I'd recommend leaving the |
| @@ -32,10 +32,7 @@ | |||
| chef_gem 'chef-handler-datadog' do # ~FC009 | |||
| action :install | |||
| version node['datadog']['chef_handler_version'] | |||
| # Chef 12 introduced `compile_time` - remove when Chef 11 is EOL. | |||
| compile_time true if respond_to?(:compile_time) | |||
There was a problem hiding this comment.
As the comment indicated, this compile_time should not be removed yet. Chef 11 is still supported by Chef and has not reached EOL. Other than to tidy up the code, the use of #respond_to? effectively negates any technical need to remove this line.
|
@iancward @haidangwa It wasn't removed to stop supporting Chef 11. It was removed because it's no longer needed with this PR. |
|
@mfischer-zd If you have tests with chef 11 clients that show it doesn't have any adverse affect, then I'd be ok with that, but removing that will change when the gem is installed. If the difference between getting installed at compile time versus getting installed at convergence doesn't have any negligible affect, then I'm ok. If anything, using |
|
@haidangwa I'd expect Datadog to run the tests under whatever versions of Chef it plans to support. If the test suite still passes, then I'd expect it to be OK. |
|
Quick update on the review of this PR: we plan to test and release these changes for the next minor release of the cookbook (2.8), in the next month or so. Sorry for the delay in getting this merged and thanks again for this big contribution. Since the cookbook still needs to support Chef 11 the change on Unfortunately we don't have automated tests on Chef 11, we need to improve that. |
This part of the change should not impact Chef 11 compatibility. |
|
But does the gem need to be installed at compile time to work? If not, then the line can safely be removed. If it does need to be installed at compile time, then the comment should be removed but the code line left. Since Since Chef changed the install time of chef_gem from compile time to run time in Chef 12. |
| end | ||
| require 'chef/handler/datadog' |
There was a problem hiding this comment.
@iancward Note the move of this line. This is what formerly required the Gem to be installed at compile time; the require here would fail since it would refer to a Gem that hadn't been installed yet.
There was a problem hiding this comment.
Took some time to test this, and unfortunately moving the require doesn't change its evaluation time, it's still evaluated at compile time.
This commit still works in Chef 12 because not specifying compile_time on chef_gem still makes the install of chef-handler-datadog happen at compile time (see, in the link you provided: The default behavior has not changed, but every chef_gem resource will now emit out a warning). The default will actually change to compile_time false in Chef 13.
So we should keep the compile_time true line until we can get rid of the require altogether (and I think we'll be able to do that once we bump the requirement on chef_handler to ~> 1.3, see related #338 (comment) ). Let's keep this discussion in a separate issue/PR though.
| config | ||
| end | ||
|
|
||
| require 'chef/handler/datadog' |
There was a problem hiding this comment.
@iancward Note the move of the require line to here. Since it's now declared in a resource provider block, it isn't evaluated until runtime. Therefore, the Gem no longer needs to be installed at compile time. As long as it's declared before this handler resource is declared, things will work properly even if the Gem is installed at runtime.
|
Thanks @mfischer-zd for clarifying your changes on |
|
@olivielpeau we need an update on this. |
|
Just opened:
|
|
@olivielpeau thanks, keep me posted. |
|
Going to close this PR as I've just merged #395. Will be released with Thanks again @mfischer-zd! |
|
Update: |
See commits for information. Closes #328, #341