Add a post-run method that can be used to delete validation.pem files

For those who run chef in non-daemon mode, they would like to delete
the validation.pem file if chef finishes as expected to remove that file
from existing in an easy to read manner.

1 files changed, 11 insertions, 1 deletions

diff --git a/cloudinit/config/cc_chef.py b/cloudinit/config/cc_chef.py
index 1e44ec72..4350a353 100644
--- a/cloudinit/config/cc_chef.py
+++ b/cloudinit/config/cc_chef.py
@@ -78,6 +78,7 @@ CHEF_RB_TPL_KEYS.extend([
 ])
 CHEF_RB_TPL_KEYS = frozenset(CHEF_RB_TPL_KEYS)
 CHEF_RB_PATH = '/etc/chef/client.rb'
+CHEF_VALIDATION_PEM_PATH = '/etc/chef/validation.pem'
 CHEF_FB_PATH = '/etc/chef/firstboot.json'
 CHEF_EXEC_PATH = '/usr/bin/chef-client'
 CHEF_EXEC_DEF_ARGS = tuple(['-d', '-i', '1800', '-s', '20'])
@@ -91,6 +92,14 @@ def is_installed():
     return True
 
 
+def post_run_chef(chef_cfg, log):
+    delete_pem = util.get_cfg_option_bool(chef_cfg,
+                                          'delete_validation_post_exec',
+                                          default=False)
+    if delete_pem and os.path.isfile(CHEF_VALIDATION_PEM_PATH):
+        os.unlink(CHEF_VALIDATION_PEM_PATH)
+
+
 def get_template_params(iid, chef_cfg, log):
     params = CHEF_RB_TPL_DEFAULTS.copy()
     # Allow users to overwrite any of the keys they want (if they so choose),
@@ -143,7 +152,7 @@ def handle(name, cfg, cloud, log, _args):
     # takes precedence
     for key in ('validation_key', 'validation_cert'):
         if key in chef_cfg and chef_cfg[key]:
-            util.write_file('/etc/chef/validation.pem', chef_cfg[key])
+            util.write_file(CHEF_VALIDATION_PEM_PATH, chef_cfg[key])
             break
 
     # Create the chef config from template
@@ -190,6 +199,7 @@ def handle(name, cfg, cloud, log, _args):
         run = False
     if run:
         run_chef(chef_cfg, log)
+        post_run_chef(chef_cfg, log)
 
 
 def run_chef(chef_cfg, log):