CA Certificate Plugin for Vagrant


A Vagrant plugin which configures the virtual machine to inject the specified certificates into the guest's root bundle. This is useful, for example, if your enterprise network has a firewall (or appliance) which utilizes SSL interception.

Warning: This plugin adds certificates to the guest operating system's root certificate bundle. You should only use this if you know exactly what you are doing. This should never be used on a production machine.

Fork

This is a fork of the original vagrant-ca-certificates plugin.

Installation

The latest stable version of this plugin can be installed using the standard vagrant plugin install command with the vagrant-certificates argument. If you're looking to hack on the plugin or test a development release, you'll need to check out the branch and build the gem yourself. That's pretty easy.

The following set of commands checks out the master branch, uses bundler to install all of the Ruby dependencies and finally creates the gem locally. Once the gem is built we use the Vagrant command-line tool to install it.

git clone https://github.com/williambailey/vagrant-certificates ~/Projects/vagrant-certificates
cd ~/Projects/vagrant-certificates
bundle install
rake build
vagrant plugin install pkg/vagrant-certificates-*.gem

Using with Test Kitchen

Writing a Vagrantfile.rb

In order to use test kitchen within an environment that has an HTTP proxy with SSL interception, we need to ensure that we both set the proxies and inject our certificate bundle into the guest.

If you're following the complete tutorial here, save this file as ~/.vagrant.d/Vagrantfile, creating the ~/.vagrant.d directory if it does not exist yet. This will be merged into the final Vagrantfile configuration that the test-kitchen run uses to provision a new instance.

Vagrant.configure('2') do |config|
  config.proxy.enabled = true if Vagrant.has_plugin?('vagrant-proxyconf')

  if Vagrant.has_plugin?('vagrant-certificates')
    config.certificates.enabled = true
    config.certificates.certs = [
      '/etc/pki/ca-trust/source/anchors/root.crt',
      '/etc/pki/ca-trust/source/anchors/sub.crt'
    ]
  end
end

Writing a .kitchen.local.yml

One goal we set when creating internal cookbooks is that, if they can be open sourced, we want to be able to do so easily in the future. That means we try to keep as much environment-specific configuration as possible, such as proxy settings, out of the repository's base kitchen configuration. Luckily, test-kitchen merges in a local file, if it exists, at the time of the run.

Here is an example of the local configuration file that we use to merge in the Vagrantfile that we've created in the above example. This can be saved into $HOME/.kitchen/config.yml to be applied to all test-kitchen runs for this user (on this host machine).

---
driver:
    provision: true
    http_proxy: "http://proxy.corporate.com:80"
    https_proxy: "http://proxy.corporate.com:80"
    ftp_proxy: "http://proxy.corporate.com:80"
    no_proxy: "localhost,127.0.0.1"

Vagrant Configuration

If you only want to inject the certificates for a single Vagrantfile, you can use the following block anywhere within the Vagrant configuration. This enables the plugin and injects the specified certificates.

Vagrant.configure('2') do |config|
  if Vagrant.has_plugin?('vagrant-certificates')
    config.certificates.enabled = true
    config.certificates.certs = Dir.glob('/etc/pki/ca-trust/source/anchors/*.crt')
  end
end
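Because everything handed to config.certificates.certs ends up in the guest's root bundle, it is worth vetting the files first. The following is an added example (not part of the plugin, and the wiring into the Vagrantfile is hypothetical): it rejects files that are not X.509 certificates, that are expired or not yet valid, or that lack basicConstraints CA:TRUE, and it builds a throwaway self-signed certificate in memory as constructed sample input.

```ruby
require 'openssl'
# Classify one candidate file. Returns nil when it is an acceptable CA
# certificate, otherwise a short reason string explaining the rejection.
def ca_cert_problem(path, now = Time.now)
  return 'not a readable file' unless File.file?(path) && File.readable?(path)
  cert = OpenSSL::X509::Certificate.new(File.read(path))
  return 'not yet valid' if cert.not_before > now
  return 'expired' if cert.not_after < now
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  return 'not a CA certificate' unless bc && bc.value.include?('CA:TRUE')
  nil
rescue OpenSSL::X509::CertificateError
  'not a PEM/DER X.509 certificate'
end

# Split candidate paths into those safe to inject and those to skip.
# Each skipped entry is [path, reason] so the Vagrant run can report it.
def vet_ca_certs(paths, now = Time.now)
  accepted, rejected = [], []
  paths.each do |path|
    problem = ca_cert_problem(path, now)
    problem ? rejected << [path, problem] : accepted << path
  end
  [accepted, rejected]
end

# Constructed sample input: a throwaway self-signed certificate (CA or leaf),
# valid for one hour either side of `now`, used only to exercise the checks.
def build_self_signed(ca:, now: Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=Example Test #{ca ? 'CA' : 'Leaf'}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = now - 3600
  cert.not_after = now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Hypothetical wiring inside the Vagrant.configure block (plugin option names unchanged):
#   certs, skipped = vet_ca_certs(Dir.glob('/etc/pki/ca-trust/source/anchors/*.crt'))
#   skipped.each { |path, why| warn "vagrant-certificates: skipping #{path}: #{why}" }
#   config.certificates.certs = certs
```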

System Wide

At Bloomberg we often find ourselves in a situation where we do not want to make modifications to open source tools, but we need them to work within our enterprise network. Using this default base configuration for Vagrant we're able to ensure that all runs will inject the appropriate certificates into the guest.

Additionally, if you also need proxies configured in the guest, an excellent choice is the Vagrant Proxyconf plugin, which should handle everything you'll run into on a daily basis. Finally, we add the Vagrant cachier plugin so that we are not continually going out to the Internet on successive Test Kitchen and Vagrant runs.

This file should be saved to $HOME/.kitchen/Vagrantfile.rb.

# These are requirements for this base Vagrantfile. If they are not
# installed there will be a warning message with Vagrant/test-kitchen.
%w(vagrant-certificates vagrant-proxyconf vagrant-cachier).each do |name|
  fail "Please install the '#{name}' plugin!" unless Vagrant.has_plugin?(name)
end

Vagrant.configure('2') do |config|
  config.cache.scope = :box
  config.proxy.enabled = true
  config.certificates.enabled = true
  config.certificates.certs = Dir.glob('/etc/pki/ca-trust/source/anchors/*.crt')
end