@nellshamrell
Last active December 10, 2018 23:21

Pre-req

Demo Script

I once famously said that Habitat and Kubernetes are like Peanut Butter and Jelly. Likewise, Habitat and InSpec are two fantastic tools that work wonderfully on their own, but work even better together. Everything is magical and wholesome.

InSpec has a Habitat integration which makes packaging and managing your InSpec profiles with Habitat effortless.

Let's take a look.

Here on my workstation I have inspec installed:

$ inspec

And one of the things we use InSpec for is to create compliance profiles. Let's go ahead and pull one down from GitHub right now:

$ git clone https://github.com/<YOUR GITHUB NAME>/nginx-baseline

Now let's take a look at what is in that directory:

$ ls nginx-baseline

Creating a HART file

Now, let's package this profile with Habitat. If we just want to create a HART file - a Habitat Artifact - we can use this command:

$ inspec habitat profile create ./nginx-baseline

Once I run this, InSpec automatically creates a Habitat plan for my compliance profile, pulls down all the dependencies required to run that profile with InSpec, then builds and outputs a HART file, which includes our profile, InSpec, and everything needed to run it with InSpec.

We can then upload this HART file to a Builder Depot, or copy it directly to wherever we want to run it.

[SHOW UPLOADING HART FILE TO DEPOT - the pull to a piece of infrastructure and running it]

Uploading a HART file to Builder

If we like, we can both create the HART file and upload it to a Builder Depot all with one command:

$ inspec habitat profile upload ./nginx-baseline

This also automatically creates a Habitat plan for my compliance profile, pulls down all dependencies required to run that profile with InSpec, then builds and outputs a HART file. But it does one additional step - it automatically uploads my HART file to a Builder Depot. You can configure this to upload to either the public Builder Depot or a private on-premises Builder Depot.

[SHOW HART FILE ON DEPOT]

Integrating a Profile with the Builder SaaS Service

So far we've seen how we can create a HART file for our compliance profile and upload that to the Builder Depot. But what if we want to use the Builder SaaS Service on the public Builder?

We need to not only create a HART file, but also add the plan file to our compliance profile repo, commit it to GitHub, then connect it to the Builder service.

We do this using this command:

$ inspec habitat profile setup ./nginx-baseline

Let's look at what it added to our profile:

$ ls ./nginx-baseline
  |_habitat
    |_plan.sh
    |_Default.toml
    |_config
    |_hooks

It added a habitat directory containing a plan file, a Default.toml, config files, and hooks. This is everything we need to package, build, and install our profile with Habitat.

Let's take a look at the plan.sh file:

plan.sh

pkg_name=inspec-profile-nginx-baseline
pkg_version=2.2.0
pkg_origin=nshamrell
# InSpec itself plus the Ruby runtime and the hab CLI it needs at run time
pkg_deps=(chef/inspec core/ruby core/hab)
pkg_svc_user=root
pkg_license='Apache-2.0'

# Copy the whole profile (the parent of the habitat/ directory) into the build cache
do_build() {
  cp -vr "$PLAN_CONTEXT"/../* "$HAB_CACHE_SRC_PATH/$pkg_dirname"
}

# Install the profile into dist/, leaving out the Habitat packaging files,
# any previous results directory, and stray HART files
do_install() {
  local profile_contents
  local excludes
  profile_contents=($(ls))
  excludes=(habitat results *.hart)

  # Blank out each excluded name in the list (matched as a substring pattern);
  # the unquoted expansion in the cp below drops the emptied entries
  for item in "${excludes[@]}"; do
    profile_contents=(${profile_contents[@]/$item/})
  done

  mkdir -p "${pkg_prefix}/dist"
  cp -r ${profile_contents[@]} "${pkg_prefix}/dist/"
}

This was all autogenerated by the InSpec Habitat integration.

Now let's add, commit, and push these files to GitHub.

$ cd nginx-baseline
$ git add habitat
$ git commit -m 'adds Habitat files'
$ git push origin master

Now let's connect this to Builder.

[SHOW CONNECTING PLAN FILE TO BUILDER, DOING A BUILD, GENERATED HART FILE]

Now, every time one of the plans my profile depends on (such as chef/inspec) is built, my profile will automatically be rebuilt and placed in the "unstable" channel for me to review. When I feel it's ready, I can promote this package to the stable channel.

[SHOW PROMOTING PACKAGE TO STABLE]

Command Script

Introducing

inspec
hab
git clone https://github.com/<YOUR GITHUB NAME>/nginx-baseline
ls nginx-baseline
code .

Creating a HART file

inspec habitat profile create ./nginx-baseline
ls .
hab pkg upload ./<hart file>

[SHOW ON BUILDER]

Creating and uploading HART file at same time

inspec habitat profile upload ./nginx-baseline

[SHOW NEW VERSION ON BUILDER]

Running profile on a node

(Have Habitat and tmux already installed on the node)

sudo hab sup run &
sudo hab svc load nshamrell/inspec-profile-nginx-baseline &
cat /hab/svc/inspec-profile-nginx-baseline/var/inspec_results/inspec-profile-nginx-baseline.json
sudo hab pkg install core/jq-static --binlink
sudo cat /hab/svc/inspec-profile-nginx-baseline/var/inspec_results/inspec-profile-nginx-baseline.json | jq '.'
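As an added example that is not part of the original gist: instead of only eyeballing the results file with jq, a small script can read the same JSON, roll each control's tests up the way InSpec does, and list the failed high-impact controls, which is the check to gate a deploy or a promotion to the stable channel on. The results path is the one from the demo; the sample report, its control ids and test descriptions are constructed, and the 0.7 impact threshold is an assumption.

```python
import json
from pathlib import Path

# Results file the demo reads with cat/jq once the profile runs under Habitat.
RESULTS_PATH = Path("/hab/svc/inspec-profile-nginx-baseline/var/inspec_results/"
                    "inspec-profile-nginx-baseline.json")

# Constructed sample in the shape of InSpec's json reporter (ids and descriptions made up)
SAMPLE = {"profiles": [{"name": "nginx-baseline", "controls": [
    {"id": "nginx-01", "impact": 1.0, "results": [
        {"status": "passed", "code_desc": "User nginx should exist"},
        {"status": "failed", "code_desc": "Process nginx user should eq \"nginx\""}]},
    {"id": "nginx-02", "impact": 0.5, "results": [
        {"status": "failed", "code_desc": "File nginx.conf mode should cmp \"0640\""}]},
    {"id": "nginx-03", "impact": 1.0, "results": [
        {"status": "passed", "code_desc": "File nginx.conf should be owned by root"}]},
    {"id": "nginx-04", "impact": 0.0, "results": [
        {"status": "skipped", "skip_message": "Not applicable on this platform"}]}]}]}

def controls(doc):
    """Flatten every profile's control list in the report."""
    return [c for p in doc.get("profiles", []) for c in p.get("controls", [])]

def control_status(control):
    """Roll tests up as InSpec does: any failed test fails the control, else skipped wins."""
    statuses = {r.get("status") for r in control.get("results", [])}
    if "failed" in statuses:
        return "failed"
    return "skipped" if "skipped" in statuses or not statuses else "passed"

def summarize(doc):
    """Map each status to the ids of the controls in that state."""
    summary = {"passed": [], "failed": [], "skipped": []}
    for control in controls(doc):
        summary[control_status(control)].append(control["id"])
    return summary

def failures_at_or_above(doc, min_impact=0.7):
    """Failed controls at or above an impact threshold (assumed 0.7), with the
    failing test descriptions: what to gate a deploy or a promotion on."""
    found = []
    for control in controls(doc):
        if control_status(control) == "failed" and control.get("impact", 0.0) >= min_impact:
            descs = [r["code_desc"] for r in control["results"] if r.get("status") == "failed"]
            found.append((control["id"], control["impact"], descs))
    return found

if __name__ == "__main__":
    doc = json.loads(RESULTS_PATH.read_text()) if RESULTS_PATH.exists() else SAMPLE
    print(summarize(doc), failures_at_or_above(doc))
```

Run it on the node after the service has written its results; without the file present it falls back to the constructed sample.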

Connecting to Builder

inspec habitat profile setup ./nginx-baseline
ls ./nginx-baseline
ls ./nginx-baseline/habitat
code ./nginx-baseline/habitat
git add habitat
git commit -m 'adds Habitat files'
git push origin master

[SHOW CONNECTING TO BUILDER, DOING A BUILD, PROMOTING TO STABLE]
