- Fixes Issue [#185](#185)

  * a startup issue was resolved for SplunkForwarder installations with an improved
    systemd unit file (fix below)
  * Adds Inspec tests to verify from SplunkForwarder starts (thanks, @jjm)
- Fixes Issue [#187](#187)
  * the systemd unit file is now relegated to the `splunk enable boot-start` command to manage
- Adds Inspec tests and sets the verifier in Test Kitchen for some test suites; some are still in serverspec
- Render the user-seed.conf with a file resource rather than a template
- The default recipe no longer includes the disable recipe; to disable splunk, add `recipe[chef-splunk::disabled]` to a run list explicitly
- Disabling splunk will no longer uninstall Splunk Enterprise nor the Splunk Universal Forwarder
- Adds `#SecretsHelper` to aid with secrets rotation and maintaining idempotency for handling Splunk's hashed secret values
- Improved guards to prevent `service[splunk]` restart/start when it should be disabled.

Signed-off-by: Dang H. Nguyen <dang.nguyen@disney.com>

CHANGELOG.md

@@ -2,6 +2,20 @@
 
 This file is used to list changes made in each version of the splunk cookbook.
 
+## 6.4.0 (2020-10-17)
+- Fixes Issue [#185](https://github.com/chef-cookbooks/chef-splunk/issues/185)
+  * a startup issue was resolved for SplunkForwarder installations with an improved
+    systemd unit file (fix below)
+  * Adds Inspec tests to verify from SplunkForwarder starts (thanks, @jjm)
+- Fixes Issue [#187](https://github.com/chef-cookbooks/chef-splunk/issues/187)
+  * the systemd unit file is now relegated to the `splunk enable boot-start` command to manage
+- Adds Inspec tests and sets the verifier in Test Kitchen for some test suites; some are still in serverspec
+- Render the user-seed.conf with a file resource rather than a template
+- The default recipe no longer includes the disable recipe; to disable splunk, add `recipe[chef-splunk::disabled]` to a run list explicitly
+- Disabling splunk will no longer uninstall Splunk Enterprise nor the Splunk Universal Forwarder
+- Adds `#SecretsHelper` to aid with secrets rotation and maintaining idempotency for handling Splunk's hashed secret values
+- Improved guards to prevent `service[splunk]` restart/start when it should be disabled.
+
 ## 6.3.0 (2020-10-14)
 - Fixes Issue [#183](https://github.com/chef-cookbooks/chef-splunk/issues/183): make upgrades idempotent
 - it is no longer necessary to include `chef-splunk::upgrade` to a run list; Instead, set the following:

README.md

@@ -83,7 +83,7 @@ General attributes:
 * `node['splunk']['data_bag']`: Set this to the name of the data bag where your splunk auth
   and other secrets are stored (Default: `vault`)
 * `node['splunk']['disabled']`: Disable the splunk agent by setting
-  this to true (Default: false)
+  this to true (Default: false) and adding `recipe[chef-splunk::disabled]` to a node's run list
 * `node['splunk']['receiver_port']`: The port that the receiver
   (server) listens to. This is set to the Splunk Enterprise default, 9997.
 * `node['splunk']['mgmt_port']`: The port that splunkd service
@@ -579,9 +579,6 @@ node['splunk']['inputs_conf']['ports'] =
 
 ### default
 
-The default recipe will include the `disabled` recipe if
-`node['splunk']['disabled']` is true.
-
 It will include the `client` or `server` recipe depending on whether
 the `is_server` attribute is set.
 
@@ -594,8 +591,7 @@ through a wrapper cookbook.
 In some cases it may be required to disable Splunk on a particular
 node. For example, it may be sending too much data to Splunk and
 exceed the local license capacity. To use the `disabled` recipe, set
-the `node['splunk']['disabled']` attribute to true, and include the
-recipe on the required node, or just use the `default` recipe.
+the `node['splunk']['disabled']` attribute to `true`, and add `recipe[chef-splunk::disabled]` to a node's run list
 
 ### install_forwarder
 

attributes/default.rb

@@ -27,6 +27,8 @@
 default['splunk']['data_bag'] = 'vault'
 
 default['splunk']['setup_auth'] = true
+default['splunk']['service_name'] = 'splunk' # Splunk changes this to Splunkd or SplunkForwarder on systemd-managed servers
+default['splunk']['startup_script'] = '/etc/init.d/splunk' # Splunk changes this to Splunkd or SplunkForwarder on systemd-managed servers
 default['splunk']['user'] = {
   'username' => 'splunk',
   'comment' => 'Splunk Server',

kitchen.yml

@@ -12,8 +12,14 @@ provisioner:
   name: dokken
   deprecations_as_errors: true
   chef_license: accept
+  data_bags_path: test/fixtures/data_bags
+  product_name: chef
+  client_rb:
+    environment: _default
+    log_level: :debug
   attributes:
-    dev_mode: true
+    chef-vault:
+      databag_fallback: true
     splunk:
       accept_license: true
       enable_ssl: false
@@ -23,114 +29,79 @@ provisioner:
         startwebserver: 1
       web_port: 8000
 
-verifier:
-  root_path: '/opt/verifier'
-
 platforms:
-  - name: debian-9
-    driver:
-      image: dokken/debian-9
-      pid_one_command: /bin/systemd
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get -y update
-        - RUN mkdir -p /data/splunk-test
-        # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
-        - RUN mkdir -p /opt/splunk/etc
-        - RUN printf '
-          SPLUNK_SERVER_NAME=Splunkd\n
-          SLPUNK_WEB_NAME=splunkweb\n
-          OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
-
   - name: debian-10
     driver:
       image: dokken/debian-10
       pid_one_command: /sbin/init
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get -y update
-        - RUN mkdir -p /data/splunk-test
-        # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
-        - RUN mkdir -p /opt/splunk/etc
-        - RUN printf '
-          SPLUNK_SERVER_NAME=Splunkd\n
-          SLPUNK_WEB_NAME=splunkweb\n
-          OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
-
-  - name: centos-7
-    driver:
-      image: dokken/centos-7
-      pid_one_command: /usr/lib/systemd/systemd
-      intermediate_instructions:
-        - RUN mkdir -p /data/splunk-test
-        # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
-        - RUN mkdir -p /opt/splunk/etc
-        - RUN printf '
-          SPLUNK_SERVER_NAME=Splunkd\n
-          SLPUNK_WEB_NAME=splunkweb\n
-          OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
+      # intermediate_instructions:
+      #   - RUN /usr/bin/apt-get -y update
+      #   - RUN mkdir -p /data/splunk-test
+      #   # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
+      #   - RUN mkdir -p /opt/splunk/etc
+      #   - RUN printf '
+      #     SPLUNK_SERVER_NAME=Splunkd\n
+      #     SLPUNK_WEB_NAME=splunkweb\n
+      #     OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
 
   - name: centos-8
     driver:
       image: dokken/centos-8
       pid_one_command: /usr/lib/systemd/systemd
-      intermediate_instructions:
-        - RUN mkdir -p /data/splunk-test
-        # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
-        - RUN mkdir -p /opt/splunk/etc
-        - RUN printf '
-          SPLUNK_SERVER_NAME=Splunkd\n
-          SLPUNK_WEB_NAME=splunkweb\n
-          OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
+      # intermediate_instructions:
+      #   - RUN mkdir -p /data/splunk-test
+      #   # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
+      #   - RUN mkdir -p /opt/splunk/etc
+      #   - RUN printf '
+      #     SPLUNK_SERVER_NAME=Splunkd\n
+      #     SLPUNK_WEB_NAME=splunkweb\n
+      #     OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
 
   - name: ubuntu-20.04
     driver:
       image: dokken/ubuntu-20.04
       pid_one_command: /bin/systemd
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get -y update
-        - RUN mkdir -p /data/splunk-test
-        # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
-        - RUN mkdir -p /opt/splunk/etc
-        - RUN printf '
-          SPLUNK_SERVER_NAME=Splunkd\n
-          SLPUNK_WEB_NAME=splunkweb\n
-          OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
-
-  - name: ubuntu-18.04
-    driver:
-      image: dokken/ubuntu-18.04
-      pid_one_command: /bin/systemd
-      intermediate_instructions:
-        - RUN /usr/bin/apt-get -y update
-        - RUN mkdir -p /data/splunk-test
-        # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
-        - RUN mkdir -p /opt/splunk/etc
-        - RUN printf '
-          SPLUNK_SERVER_NAME=Splunkd\n
-          SLPUNK_WEB_NAME=splunkweb\n
-          OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
+      # intermediate_instructions:
+      #   - RUN /usr/bin/apt-get -y update
+      #   - RUN mkdir -p /data/splunk-test
+      #   # Disable file locking check by Splunk as it fails on unsupported file systems used in some Docker hosts (e.g. on Mac)
+      #   - RUN mkdir -p /opt/splunk/etc
+      #   - RUN printf '
+      #     SPLUNK_SERVER_NAME=Splunkd\n
+      #     SLPUNK_WEB_NAME=splunkweb\n
+      #     OPTIMISTIC_ABOUT_FILE_LOCKING=1\n' > /opt/splunk/etc/splunk-launch.conf
 
 suites:
   - name: client
     run_list:
       - recipe[chef-splunk::default]
     attributes:
-      dev_mode: true
       splunk:
         accept_license: true
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/client_test.rb
 
   - name: uninstall_forwarder
     run_list:
       - recipe[test::uninstall_forwarder]
     attributes:
-      dev_mode: true
       splunk:
         accept_license: true
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/uninstall_forwarder_test.rb
 
   - name: client-inputs-outputs
     run_list:
       - recipe[chef-splunk::default]
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/client_inputs_outputs_test.rb
     attributes:
-      dev_mode: true
       splunk:
         accept_license: true
         outputs_conf:
@@ -152,76 +123,87 @@ suites:
     run_list:
       - recipe[chef-splunk::default]
     attributes:
-      dev_mode: true
       splunk:
-        server:
-          runasroot: true
         is_server: true
         accept_license: true
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/server_test.rb
 
-  - name: server-runas-splunk
-    run_list:
-      - recipe[chef-splunk::default]
-    attributes:
-      dev_mode: true
-      splunk:
-        server:
-          runasroot: false
-        is_server: true
-        accept_license: true
-        web_port: 8000
+  # - name: server-runas-splunk
+  #   run_list:
+  #     - recipe[chef-splunk::default]
+  #   attributes:
+  #     splunk:
+  #       server:
+  #         runasroot: false
+  #       is_server: true
+  #       accept_license: true
+  #       web_port: 8000
+  #   verifier:
+  #     name: inspec
+  #     inspec_tests:
+  #       - path: test/integration/inspec/server_test.rb
 
   - name: server-cluster-master
     run_list:
       - recipe[chef-splunk::default]
     attributes:
-      dev_mode: true
       splunk:
-        server:
-          runasroot: false
         is_server: true
         accept_license: true
         clustering:
           enabled: true
           mode: master
           replication_factor: 5
           search_factor: 3
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/server_cluster_master_test.rb
 
   - name: server-shdeployer
     run_list:
       - recipe[chef-splunk]
     attributes:
-      dev_mode: true
       splunk:
-        server:
-          runasroot: false
         is_server: true
         accept_license: true
         shclustering:
           enabled: true
           mode: deployer
         web_port: 8000
+    verifier:
+      root_path: /opt/verifier
 
   - name: server-shcluster-member
     run_list:
       - recipe[chef-splunk::default]
     attributes:
-      dev_mode: true
       splunk:
-        server:
-          runasroot: false
         is_server: true
         accept_license: true
         shclustering:
           enabled: true
         web_port: 8000
+    verifier:
+      root_path: /opt/verifier
 
   - name: disabled
     run_list:
       - recipe[chef-splunk::default]
+      - recipe[chef-splunk::disabled]
+    attributes:
     attributes:
       splunk:
+        is_server: true
+        accept_license: true
         disabled: true
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/disabled_test.rb
 
   - name: upgrade_server
     run_list:
@@ -232,6 +214,10 @@ suites:
         upgrade_enabled: true
         accept_license: true
         is_server: true
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/upgrade_test.rb
 
   - name: upgrade_client
     run_list:
@@ -242,29 +228,35 @@ suites:
         upgrade_enabled: true
         accept_license: true
         is_server: false
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/upgrade_test.rb
 
   - name: server_resources
     run_list:
       - recipe[chef-splunk::default]
       - recipe[test::splunk_app]
       - recipe[test::splunk_index]
     attributes:
-      dev_mode: true
       splunk:
-        server:
-          runasroot: false
         accept_license: true
         is_server: true
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/custom_resources_test.rb
 
   - name: client_resources
     run_list:
       - recipe[chef-splunk::default]
       - recipe[test::splunk_app]
       - recipe[test::splunk_monitor]
     attributes:
-      dev_mode: true
       splunk:
-        server:
-          runasroot: false
         accept_license: true
         is_server: false
+    verifier:
+      name: inspec
+      inspec_tests:
+        - path: test/integration/inspec/custom_resources_test.rb