Revision 4ad6d02a
Added by Ivan Necas over 10 years ago
manifests/certs.pp | ||
# Constains certs specific configurations for candlepin
|
||
class candlepin::certs (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$storage = '/etc/candlepin/certs',
|
||
$ca_cert = '/etc/candlepin/certs/candlepin-ca.crt',
|
||
$ca_key = '/etc/candlepin/certs/candlepin-ca.key',
|
||
$pki_dir = '/etc/pki/katello',
|
||
$keystore = '/etc/pki/katello/keystore',
|
||
$keystore_password_file = undef,
|
||
$keystore_password = undef,
|
||
$candlepin_certs_dir = $certs::params::candlepin_certs_dir,
|
||
$candlepin_ca_password_file = $certs::params::candlepin_ca_password_file,
|
||
) {
|
||
|
||
if $deploy {
|
||
file { $keystore_password_file:
|
||
ensure => file,
|
||
content => $keystore_password,
|
||
mode => '0644',
|
||
owner => 'tomcat',
|
||
group => $::certs::user_groups,
|
||
replace => false;
|
||
} ~>
|
||
file { $pki_dir:
|
||
ensure => directory,
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0750',
|
||
} ~>
|
||
pubkey { $ca_cert:
|
||
cert => $ca,
|
||
} ~>
|
||
file { $ca_cert:
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0644';
|
||
} ~>
|
||
# TODO: it would be probably a bit better to not unprotect it here and
|
||
# make candlepin and openssl pkcs12 command to use the passphrase-file instead.
|
||
# On the other hand, technically there is not big difference between having
|
||
# the key unprotected or storing the passphrase-file: in both cases, getting
|
||
# the file means corrupting the certificate
|
||
privkey { $ca_key:
|
||
cert => $ca,
|
||
unprotect => true;
|
||
} ~>
|
||
file { $ca_key:
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0640';
|
||
} ~>
|
||
exec { 'generate-ssl-keystore':
|
||
command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${keystore_password_file}\"",
|
||
logoutput => 'on_failure',
|
||
path => '/bin:/usr/bin',
|
||
creates => $keystore;
|
||
} ~>
|
||
|
||
file { "/usr/share/${candlepin::tomcat}/conf/keystore":
|
||
ensure => link,
|
||
target => $keystore;
|
||
}
|
||
}
|
||
}
|
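Review bot: The keystore password file at the head of the chain (`file { $keystore_password_file: content => $keystore_password, ... }`) is written with `mode => '0644'`, so the secret that protects the PKCS#12 keystore is readable by every local account; with `owner => 'tomcat'` and `group => $::certs::user_groups` already set, `mode => '0640'` (or `'0600'`) is enough for tomcat to read it. The `$keystore` produced by the `generate-ssl-keystore` exec has no `file` resource of its own, so its owner and mode are whatever openssl and the umask leave behind — a `file { $keystore: owner => 'tomcat', group => $::certs::user_groups, mode => '0640' }` placed between the exec and the symlink would pin them. The exec's `command` interpolates `${ca_cert}`, `${ca_key}`, `${keystore}` and `${keystore_password_file}` unquoted into a shell string; they are class parameters, so quoting each one (`'${ca_cert}'`) keeps a path containing spaces or shell metacharacters from being split, and `creates => $keystore` means a later `~>` refresh will not rebuild the keystore after the CA key is regenerated, which is worth a comment on the exec. The `$hostname`, `$generate`, `$regenerate` and `$storage` parameters are accepted but not referenced anywhere in the class body shown here.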
manifests/config.pp | ||
# Configuration for Candlepin
|
||
class candlepin::config {
|
||
include certs
|
||
|
||
user { 'tomcat':
|
||
ensure => present,
|
||
groups => $candlepin::user_groups,
|
||
before => Service[$candlepin::tomcat]
|
||
}
|
||
|
||
file { "/usr/share/${candlepin::tomcat}/conf/keystore":
|
||
ensure => link,
|
||
target => $certs::keystore,
|
||
require => File[$certs::keystore],
|
||
before => Service[$candlepin::tomcat],
|
||
}
|
||
|
||
file {
|
||
... | ... | |
ensure => file,
|
||
content => template('candlepin/etc/candlepin/candlepin.conf.erb'),
|
||
mode => '0600',
|
||
owner => 'tomcat',
|
||
notify => Service[$candlepin::tomcat];
|
||
owner => 'tomcat';
|
||
|
||
"/etc/${candlepin::tomcat}/server.xml":
|
||
ensure => file,
|
||
content => template("candlepin/etc/${candlepin::tomcat}/server.xml.erb"),
|
||
mode => '0644',
|
||
owner => 'root',
|
||
group => 'root',
|
||
notify => Service[$candlepin::tomcat];
|
||
group => 'root';
|
||
|
||
# various tomcat versions had some permission bugs - fix them all
|
||
"/etc/${candlepin::tomcat}":
|
||
... | ... | |
command => "rm -f ${candlepin::log_dir}/cpdb_done; rm -f ${candlepin::log_dir}/cpinit_done; service ${candlepin::tomcat} stop; test 1 -eq 1",
|
||
path => '/sbin:/bin:/usr/bin',
|
||
before => Exec['cpdb'],
|
||
notify => Postgresql::Dropdb[$candlepin::db_name],
|
||
}
|
||
postgresql::dropdb {$candlepin::db_name:
|
||
logfile => "${candlepin::log_dir}/drop-postgresql-candlepin-database.log",
|
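Review bot: The `file { "/usr/share/${candlepin::tomcat}/conf/keystore": ... }` block in this section has the same title as the one at the end of `candlepin::certs`, and Puppet rejects a catalog that declares two resources with one title; this page has lost the `+`/`-` markers, so if this copy is the one being removed it is fine, otherwise one of the two has to go. The `tomcat` user is added to `$candlepin::user_groups`, while the certificate files in `candlepin::certs` are owned by group `$::certs::user_groups` with modes `0640`/`0750`; unless those two variables resolve to the same group, tomcat cannot read the CA key or traverse `$pki_dir`, so using one variable in both places, or a comment stating that they must agree, would help. In the last hunk the exec whose `command` ends with `; test 1 -eq 1` always reports success, so a failed `service ${candlepin::tomcat} stop` goes unnoticed before `Exec['cpdb']` and the database drop run; that resource begins before the hunk, so I cannot tell whether the line is new.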
manifests/init.pp | ||
|
||
) inherits candlepin::params {
|
||
|
||
include certs
|
||
include certs::config
|
||
|
||
$keystore_password = $certs::keystore_password
|
||
|
||
$weburl = "https://${::fqdn}/${candlepin::deployment_url}/distributors?uuid="
|
||
$apiurl = "https://${::fqdn}/${candlepin::deployment_url}/api/distributors/"
|
||
|
||
$keystore_password_file = '/etc/katello/keystore_password-file'
|
||
$keystore_password = find_or_create_password($keystore_password_file)
|
||
|
||
if $candlepin::thumbslug_enabled {
|
||
require 'thumbslug::params'
|
||
$thumbslug_oauth_key = 'thumbslug'
|
||
... | ... | |
|
||
class { 'candlepin::install': } ~>
|
||
class { 'candlepin::config': } ~>
|
||
class { 'candlepin::certs':
|
||
keystore_password_file => $keystore_password_file,
|
||
keystore_password => $keystore_password,
|
||
} ~>
|
||
class { 'candlepin::database': } ~>
|
||
class { 'candlepin::service': } ->
|
||
Class['candlepin']
|
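Review bot: `$keystore_password` is assigned twice in this section, once from `$certs::keystore_password` and once from `find_or_create_password($keystore_password_file)`; Puppet does not allow reassigning a variable within one scope, so only one of these can be on the new side — the markers are lost on this page, so please confirm the first assignment is the removed line. The generated password is then handed to `candlepin::certs` as a plain `keystore_password` parameter, which puts the secret into the compiled catalog and into any report or debug output that serialises class parameters; `candlepin::certs` only uses it to write `$keystore_password_file`, and `find_or_create_password` presumably already creates that file, so passing only the path would keep the secret out of the catalog. The class declaration that ends with `) inherits candlepin::params {` starts outside the hunk.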
Extract Candlepin specific certs settings into candlepin::certs