Move allowed node attrs to config file, apply automatically

This moves the whitelist for nodes' "normal" attributes to a config
file, which is loaded live during every run and applied in memory in
case the node's local file hasn't been updated before the client run.

Fixes allowed attributes being overwritten/removed in the node info
JSON files.
2026-07-05 17:07:56 +02:00
parent 3e6faf34c4
commit 301565b910
3 changed files with 37 additions and 2 deletions
@@ -26,6 +26,33 @@
include_recipe "apt"
cookbook_file "/etc/chef/chef_normal_attributes.yml" do
source "chef_normal_attributes.yml"
owner "root"
group "root"
mode "0644"
end
ruby_block "update allowed_normal_attributes in client.rb" do
block do
whitelist = YAML.load_file("/etc/chef/chef_normal_attributes.yml")
fe = Chef::Util::FileEdit.new("/etc/chef/client.rb")
fe.search_file_replace_line(
/^allowed_normal_attributes.*/,
"allowed_normal_attributes #{whitelist.inspect}"
)
fe.write_file
Chef::Config[:allowed_normal_attributes] = whitelist
Chef::Config[:normal_attribute_allowlist] = whitelist
end
not_if do
whitelist = YAML.load_file("/etc/chef/chef_normal_attributes.yml")
client_rb = ::File.read("/etc/chef/client.rb")
whitelist.all? { |attr| client_rb.include?(attr) }
end
end
directory "/etc/apt/keyrings" do
mode "0755"
action :create
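Review bot: The `not_if` guard only checks that every entry of the YAML list occurs somewhere in /etc/chef/client.rb as a substring, so it cannot detect an entry being removed from the list, and it is also satisfied by a name that merely appears in a comment or inside a longer name. In the removal case the block is skipped, client.rb keeps the older, wider allowlist, and the in-memory `Chef::Config` assignments are skipped too, which matters because this list limits which normal attributes the node may persist. Comparing against the exact line the block would write is stricter, e.g. `client_rb.lines.any? { |l| l.chomp == "allowed_normal_attributes #{whitelist.inspect}" }`. It would also help to fail early with a clear message when the loaded value is not an Array (an empty or malformed YAML file would otherwise reach `.all?` and `.inspect` as a non-list), and since `search_file_replace_line` only rewrites an existing line, a client.rb without that setting presumably never converges. The `directory` resource after the block continues outside the visible hunk.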