Project

General

Profile

« Previous | Next » 

Revision 2c2acd78

Added by Ivan Necas over 10 years ago

Extract candlepin specific cert configs to candlepin module

View differences:

lib/puppet/provider/katello_ssl_tool.rb
passphrase_file = passphrase_file(cert_name)
if File.exists?(passphrase_file)
details[:passphrase_file] = passphrase_file
details[:passphrase] = File.read(passphrase_file).chomp
end
......
initvars
commands :openssl => 'openssl'
def exists?
return false unless File.exists?(resource[:path])
checksum(expected_content) == checksum(current_content)
lib/puppet/provider/privkey/katello_ssl_tool.rb
protected
def expected_content
if resource[:unprotect]
tmp_file = "#{source_path}.tmp"
begin
openssl('rsa',
'-in', source_path,
'-out', tmp_file,
'-passin', "file:#{cert_details[:passphrase_file]}")
File.read(tmp_file)
ensure
File.delete(tmp_file) if File.exists?(tmp_file)
end
else
super
end
end
def source_path
cert_details[:privkey]
end
lib/puppet/type/privkey.rb
desc 'Stores the private key file on a location'
instance_eval(&Certs::FILE_COMMON_PARAMS)
# to make the key unprotected by the passphrase
newparam(:unprotect)
end
manifests/config.pp
$candlepin_key_pair_name = "katello-${candlepin_cert_name}-key-pair"
file { $certs::keystore_password_file:
ensure => file,
content => $certs::keystore_password,
mode => '0644',
owner => 'tomcat',
group => $certs::user_groups,
replace => false;
}
exec { 'generate-ssl-ca-password':
command => "openssl rand -base64 24 > ${certs::ssl_ca_password_file}",
path => '/usr/bin',
creates => $certs::ssl_ca_password_file
}
exec { 'generate-candlepin-ca-password':
command => "openssl rand -base64 24 > ${certs::candlepin_ca_password_file}",
path => '/usr/bin',
creates => $certs::candlepin_ca_password_file
}
file { $certs::ssl_ca_password_file:
owner => 'root',
group => 'root',
mode => '0600',
require => Exec['generate-ssl-ca-password']
}
file { $certs::candlepin_ca_password_file:
owner => 'root',
group => 'root',
mode => '0600',
require => Exec['generate-candlepin-ca-password']
}
file { $certs::pki_dir:
ensure => directory,
owner => 'root',
group => $certs::user_groups,
mode => '0750',
}
exec { 'generate-ssl-keystore':
command => "openssl pkcs12 -export -in ${candlepin_certs_storage}/candlepin-ca.crt -inkey ${candlepin_certs_storage}/candlepin-ca.key -out ${certs::keystore} -name tomcat -CAfile ${candlepin_pub_cert} -caname root -password \"file:${certs::keystore_password_file}\" 2>>${certs::log_dir}/certificates.log",
path => '/usr/bin',
creates => $certs::keystore,
notify => Service[$certs::tomcat],
require => [File[$certs::pki_dir], Exec['deploy-candlepin-certificate-to-cp'], File[$certs::log_dir]]
}
file { $certs::keystore:
owner => 'root',
group => $certs::user_groups,
mode => '0640',
require => [Exec['generate-ssl-keystore']]
}
file { $ssl_build_path:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700'
}
file { "${ssl_build_path}/rhsm-katello-reconfigure":
content => template('certs/rhsm-katello-reconfigure.erb'),
owner => 'root',
group => 'root',
mode => '0700',
require => File[$ssl_build_path]
}
exec { 'generate-candlepin-certificate':
cwd => '/root',
command => "katello-ssl-tool --gen-ca -p \"$(cat ${certs::candlepin_ca_password_file})\" --set-country '${certs::country}' --set-state '${certs::state}' --set-city '${certs::city}' --set-org '${certs::org}' --set-org-unit '${certs::org_unit}' --set-common-name `hostname` --set-email '' --ca-key '${candlepin_cert_name}.key' --ca-cert '${candlepin_cert_name}.crt' --ca-cert-rpm '${candlepin_key_pair_name}' 2>>${certs::log_dir}/certificates.log",
path => '/usr/bin:/bin',
creates => "${ssl_build_path}/${candlepin_cert_name}.crt",
require => [File[$certs::candlepin_ca_password_file], File[$certs::log_dir]],
notify => Exec['generate-candlepin-consumer-certificate'] # regenerate consumer RPM as well
}
exec { 'deploy-candlepin-certificate-to-cp':
command => "openssl x509 -in ${candlepin_pub_cert} -out ${candlepin_certs_storage}/candlepin-ca.crt; openssl rsa -in ${candlepin_private_key} -out ${candlepin_certs_storage}/candlepin-ca.key -passin 'file:/etc/katello/candlepin_ca_password-file' 2>>${certs::log_dir}/certificates.log",
path => '/bin:/usr/bin',
creates => ["${candlepin_certs_storage}/candlepin-ca.crt", "${candlepin_certs_storage}/candlepin-ca.key"],
require => [Exec['deploy-candlepin-certificate'], File[$certs::log_dir]]
} ->
exec { 'install-ca-certificate':
cwd => '/etc/pki/tls/certs',
command => "ln -s ${candlepin_certs_storage}/candlepin-ca.crt `openssl x509 -hash -noout -in ${candlepin_certs_storage}/candlepin-ca.crt`.0",
unless => "test -e `openssl x509 -hash -noout -in ${candlepin_certs_storage}/candlepin-ca.crt`.0",
path => '/usr/bin:/bin'
}
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.'
file { "${certs::candlepin_certs_dir}/candlepin-ca.key":
owner => 'root',
group => $certs::user_groups,
mode => '0640',
require => Exec['deploy-candlepin-certificate-to-cp'],
before => Class['candlepin::service']
}
file { "${certs::candlepin_certs_dir}/candlepin-ca.crt":
owner => 'root',
group => $certs::user_groups,
mode => '0644',
require => Exec['deploy-candlepin-certificate-to-cp'],
before => Class['candlepin::service']
}
$katello_www_pub_dir = '/var/www/html/pub'
file { $katello_www_pub_dir:
ensure => directory,
owner => 'apache',
group => 'apache',
mode => '0755',
}
exec { 'generate-candlepin-consumer-certificate':
cwd => $katello_www_pub_dir,
command => "gen-rpm.sh --name '${candlepin_consumer_name}' --version 1.0 --release 1 --packager None --vendor None --group 'Applications/System' --summary '${candlepin_consumer_summary}' --description '${candlepin_consumer_description}' --requires subscription-manager --post ${ssl_build_path}/rhsm-katello-reconfigure /etc/rhsm/ca/candlepin-local.pem:644=${ssl_build_path}/${candlepin_cert_name}.crt 2>>${certs::log_dir}/certificates.log && /sbin/restorecon ./*rpm",
path => '/usr/share/katello/certs:/usr/bin:/bin',
creates => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
require => [Exec['generate-candlepin-certificate'], File["${ssl_build_path}/rhsm-katello-reconfigure"], File[$certs::log_dir]]
}
file { "${katello_www_pub_dir}/${candlepin_cert_name}-consumer-latest.noarch.rpm":
ensure => 'link',
target => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
require => Exec['generate-candlepin-certificate']
}
exec { 'deploy-candlepin-certificate':
command => "rpm -qp /root/ssl-build/$(grep ${candlepin_cert_name}.*noarch.rpm /root/ssl-build/latest.txt) | xargs rpm -q; if [ $? -ne 0 ]; then rpm -Uvh --force /root/ssl-build/$(grep noarch.rpm /root/ssl-build/latest.txt); fi",
path => '/bin:/usr/bin',
creates => $candlepin_pub_cert,
require => [File["${katello_www_pub_dir}/${candlepin_cert_name}-consumer-latest.noarch.rpm"]]
}
}
manifests/config/pulp.pp
# Certs Configuration for Pulp
class certs::config::pulp {
include certs::config
include pulp::service
include qpid::service
manifests/init.pp
$user_groups = $certs::params::user_groups,
$pki_dir = $certs::params::pki_dir,
$keystore = $certs::params::keystore,
$keystore_password_file = $certs::params::keystore_password_file,
$keystore_password = $certs::params::keystore_password,
$candlepin_certs_dir = $certs::params::candlepin_certs_dir,
$candlepin_ca_password_file = $certs::params::candlepin_ca_password_file,
$ssl_ca_password_file = $certs::params::ssl_ca_password_file,
$nss_db_password_file = $certs::params::nss_db_password_file,

Also available in: Unified diff