Revision 0f464074
Added by Ivan Necas over 10 years ago
manifests/config.pp | ||
---|---|---|
# Certs Configuration
|
||
class certs::config {
|
||
|
||
$candlepin_cert_name = 'candlepin-cert'
|
||
|
||
$ssl_build_path = '/root/ssl-build'
|
||
$ssl_tool_common = "--set-country '${certs::country}' --set-state '${certs::state}' --set-city '${certs::city}' --set-org-unit '${certs::org_unit}' --set-email '${certs::email}'"
|
||
|
||
$katello_pub_cert_name = 'KATELLO-TRUSTED-SSL-CERT'
|
||
$katello_private_key_name = 'KATELLO-PRIVATE-SSL-KEY'
|
||
$katello_pub_cert = "/usr/share/katello/${katello_pub_cert_name}"
|
||
$katello_private_key = "${ssl_build_path}/${katello_private_key_name}"
|
||
|
||
$candlepin_pub_cert_name = "${candlepin_cert_name}.crt"
|
||
$candlepin_private_key_name = "${candlepin_cert_name}.key"
|
||
$candlepin_pub_cert = "/usr/share/katello/${candlepin_pub_cert_name}"
|
||
$candlepin_private_key = "${ssl_build_path}/${candlepin_private_key_name}"
|
||
$candlepin_certs_storage = '/etc/candlepin/certs'
|
||
|
||
$candlepin_key_pair_name = "katello-${candlepin_cert_name}-key-pair"
|
||
|
||
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
|
||
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
|
||
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.'
|
||
|
||
|
||
}
|
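Review bot: `$ssl_tool_common` interpolates `certs::country`, `state`, `city`, `org_unit` and `email` inside single quotes of what is presumably the argument string handed to a certificate-generation `exec`; a value containing a `'` (an org unit such as `O'Brien Ltd`) terminates the quote and the remainder is parsed by `/bin/sh`, since the execs elsewhere in this commit already rely on shell redirection. Building the string with Puppet's `shellquote()` escapes each value regardless of content: `$ssl_tool_common = shellquote('--set-country', $certs::country, '--set-state', $certs::state, '--set-city', $certs::city, '--set-org-unit', $certs::org_unit, '--set-email', $certs::email)`. A one-line comment above `$ssl_build_path` would also help readers of the key/cert pairs below it: `# Private keys stay under $ssl_build_path (root's home); only the public certs are published under /usr/share/katello`. The whole of class `certs::config` is within this section.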
manifests/config/pulp.pp | ||
---|---|---|
include pulp::service
|
||
include qpid::service
|
||
|
||
$qpid_cert_name = 'qpid-broker'
|
||
$qpid_client_cert_name = 'qpid-client'
|
||
$qpid_package = "katello-${qpid_cert_name}-key-pair"
|
||
|
||
$nss_db_dir = "${certs::pki_dir}/nssdb/"
|
||
|
||
exec { 'generate-ssl-qpid-broker-certificate':
|
||
cwd => '/root',
|
||
path => '/usr/bin:/bin',
|
||
... | ... | |
require => Exec['generate-ssl-qpid-broker-certificate'],
|
||
}
|
||
|
||
exec { 'generate-nss-password':
|
||
command => "openssl rand -base64 24 > ${certs::nss_db_password_file}",
|
||
path => '/usr/bin',
|
||
creates => $certs::nss_db_password_file
|
||
}
|
||
|
||
file { $certs::nss_db_password_file:
|
||
owner => 'root',
|
||
group => $certs::user_groups,
|
||
... | ... | |
];
|
||
}
|
||
|
||
exec { 'add-candlepin-cert-to-nss-db':
|
||
command => "certutil -A -d '${nss_db_dir}' -n 'ca' -t 'TCu,Cu,Tuw' -a -i '${candlepin_pub_cert}' 2>>${certs::log_dir}/certificates.log",
|
||
path => '/usr/bin',
|
||
require => [Exec['create-nss-db'], Exec['deploy-candlepin-certificate-to-cp'], File[$certs::log_dir]],
|
||
before => Class['qpid::service'],
|
||
refreshonly => true,
|
||
}
|
||
|
||
exec { 'add-broker-cert-to-nss-db':
|
||
command => "certutil -A -d '${nss_db_dir}' -n 'broker' -t ',,' -a -i '${ssl_build_path}/${::fqdn}/${qpid_cert_name}.crt' 2>>${certs::log_dir}/certificates.log",
|
||
path => '/usr/bin',
|
||
require => [Exec['create-nss-db'], Exec['deploy-candlepin-certificate-to-cp'], File[$certs::log_dir]],
|
||
before => Class['qpid::service'],
|
||
refreshonly => true,
|
||
}
|
||
|
||
exec { 'generate-pfx-for-nss-db':
|
||
command => "openssl pkcs12 -in ${ssl_build_path}/${::fqdn}/${qpid_cert_name}.crt -inkey ${ssl_build_path}/${::fqdn}/${qpid_cert_name}.key -export -out '${ssl_build_path}/${::fqdn}/${qpid_cert_name}.pfx' -password 'file:${certs::ssl_pk12_password_file}' 2>>${certs::log_dir}/certificates.log",
|
||
path => '/usr/bin',
|
||
require => [Exec['create-nss-db'], File[$certs::ssl_pk12_password_file], File[$certs::log_dir]],
|
||
before => Class['qpid::service'],
|
||
refreshonly => true,
|
||
}
|
||
|
||
exec { 'add-private-key-to-nss-db':
|
||
command => "pk12util -i '${ssl_build_path}/${::fqdn}/${qpid_cert_name}.pfx' -d '${nss_db_dir}' -w '${certs::ssl_pk12_password_file}' -k '${certs::nss_db_password_file}' 2>>${certs::log_dir}/certificates.log",
|
||
path => '/usr/bin',
|
||
require => [Exec['add-broker-cert-to-nss-db'], Exec['generate-pfx-for-nss-db'], File[$certs::log_dir]],
|
||
before => Class['qpid::service'],
|
||
refreshonly => true,
|
||
}
|
||
|
||
# qpid client certificates
|
||
exec { 'generate-ssl-qpid-client-certificate':
|
||
cwd => '/root',
|
manifests/init.pp | ||
---|---|---|
$ssl_ca_password_file = $certs::params::ssl_ca_password_file
|
||
$nss_db_password_file = $certs::params::nss_db_password_file
|
||
$ssl_pk12_password_file = $certs::params::ssl_pk12_password_file
|
||
|
||
$nss_db_dir = '/etc/pki/katello/nssdb'
|
||
|
||
class { 'certs::install': }
|
||
|
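Review bot: `$nss_db_dir = '/etc/pki/katello/nssdb'` is hard-coded here, while `manifests/config/pulp.pp` in this same commit derives its own local `$nss_db_dir = "${certs::pki_dir}/nssdb/"` (with a trailing slash) instead of reading this one; if `pki_dir` is ever overridden the two paths diverge and the NSS database is created in one place and consulted in another. I'd derive this value from the same base, e.g. `$nss_db_dir = "${pki_dir}/nssdb"` if `$pki_dir` is a parameter of this class, and have pulp.pp reference `$certs::nss_db_dir`. A short comment above the three `*_password_file` assignments would flag them as secret material, e.g. `# Password files consumed by the certificate execs in certs::config::pulp; they hold secrets`. The body of class `certs` starts before and continues after this section.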