Revision 2c2acd78
Added by Ivan Necas over 10 years ago
lib/puppet/provider/katello_ssl_tool.rb | ||
---|---|---|
|
||
passphrase_file = passphrase_file(cert_name)
|
||
if File.exists?(passphrase_file)
|
||
details[:passphrase_file] = passphrase_file
|
||
details[:passphrase] = File.read(passphrase_file).chomp
|
||
end
|
||
|
||
... | ... | |
|
||
initvars
|
||
|
||
commands :openssl => 'openssl'
|
||
|
||
def exists?
|
||
return false unless File.exists?(resource[:path])
|
||
checksum(expected_content) == checksum(current_content)
|
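Review bot: `File.exists?`, used at `if File.exists?(passphrase_file)` and again in `exists?`, is the deprecated alias of `File.exist?`; it warns on Ruby 2.1+ and no longer exists in Ruby 3.2, while `File.exist?` behaves identically. The `exists?` method also gives no hint of why presence is decided by comparing checksums rather than by the path existing alone; `# "present" means the deployed file matches what the tool would generate now` above the `checksum(...)` line would make that explicit. The body of `exists?` continues past the end of this hunk, and the rendered page does not show which of these lines the commit adds.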
lib/puppet/provider/privkey/katello_ssl_tool.rb | ||
---|---|---|
|
||
protected
|
||
|
||
def expected_content
|
||
if resource[:unprotect]
|
||
tmp_file = "#{source_path}.tmp"
|
||
begin
|
||
openssl('rsa',
|
||
'-in', source_path,
|
||
'-out', tmp_file,
|
||
'-passin', "file:#{cert_details[:passphrase_file]}")
|
||
File.read(tmp_file)
|
||
ensure
|
||
File.delete(tmp_file) if File.exists?(tmp_file)
|
||
end
|
||
else
|
||
super
|
||
end
|
||
end
|
||
|
||
def source_path
|
||
cert_details[:privkey]
|
||
end
|
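Review bot: `expected_content` writes the decrypted private key to `"#{source_path}.tmp"`, a predictable path beside the protected key whose mode follows the umask, and the `ensure` clause only removes it if the process survives to that point, so a crash between the `openssl` call and `File.delete` leaves an unprotected key on disk. Puppet's `commands` wrapper returns the command's stdout and `openssl rsa` prints the key there when `-out` is omitted, so the `-out`/`File.read`/`File.delete` sequence can be replaced by capturing the output directly, as below (to be confirmed against the Puppet version the module targets). The call also interpolates `cert_details[:passphrase_file]` unguarded; when no passphrase file was found the argument becomes `-passin file:` and openssl fails with an error that is hard to trace back, so an explicit `raise Puppet::Error` before the call is clearer.
```ruby
def expected_content
  if resource[:unprotect]
    passphrase_file = cert_details[:passphrase_file]
    raise Puppet::Error, "no passphrase file known for #{source_path}" unless passphrase_file
    # Without -out, `openssl rsa` prints the unprotected key on stdout; the
    # commands helper returns it, so the plaintext key never touches the disk.
    openssl('rsa', '-in', source_path, '-passin', "file:#{passphrase_file}")
  else
    super
  end
end
```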
lib/puppet/type/privkey.rb | ||
---|---|---|
desc 'Stores the private key file on a location'
|
||
|
||
instance_eval(&Certs::FILE_COMMON_PARAMS)
|
||
|
||
# to make the key unprotected by the passphrase
|
||
newparam(:unprotect)
|
||
end
|
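Review bot: `newparam(:unprotect)` is declared with no `desc`, no accepted values and no default, so the comment above it is the only documentation and any value a manifest passes is accepted. Depending on the Puppet version, a manifest's `unprotect => false` can reach the provider as the string `'false'` or the symbol `:false`, both truthy in Ruby, and the provider in this commit tests it with a plain `if resource[:unprotect]`, so an explicit "false" could still strip the passphrase. Declaring it as `newparam(:unprotect) do desc 'Strip the passphrase from the stored key (true/false).'; newvalues(:true, :false); defaultto :false; end` pins the accepted values, after which the provider should compare against `:true`.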
manifests/config.pp | ||
---|---|---|
|
||
$candlepin_key_pair_name = "katello-${candlepin_cert_name}-key-pair"
|
||
|
||
file { $certs::keystore_password_file:
|
||
ensure => file,
|
||
content => $certs::keystore_password,
|
||
mode => '0644',
|
||
owner => 'tomcat',
|
||
group => $certs::user_groups,
|
||
replace => false;
|
||
}
|
||
|
||
exec { 'generate-ssl-ca-password':
|
||
command => "openssl rand -base64 24 > ${certs::ssl_ca_password_file}",
|
||
path => '/usr/bin',
|
||
creates => $certs::ssl_ca_password_file
|
||
}
|
||
|
||
exec { 'generate-candlepin-ca-password':
|
||
command => "openssl rand -base64 24 > ${certs::candlepin_ca_password_file}",
|
||
path => '/usr/bin',
|
||
creates => $certs::candlepin_ca_password_file
|
||
}
|
||
|
||
file { $certs::ssl_ca_password_file:
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0600',
|
||
require => Exec['generate-ssl-ca-password']
|
||
}
|
||
|
||
file { $certs::candlepin_ca_password_file:
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0600',
|
||
require => Exec['generate-candlepin-ca-password']
|
||
}
|
||
|
||
file { $certs::pki_dir:
|
||
ensure => directory,
|
||
owner => 'root',
|
||
group => $certs::user_groups,
|
||
mode => '0750',
|
||
}
|
||
exec { 'generate-ssl-keystore':
|
||
command => "openssl pkcs12 -export -in ${candlepin_certs_storage}/candlepin-ca.crt -inkey ${candlepin_certs_storage}/candlepin-ca.key -out ${certs::keystore} -name tomcat -CAfile ${candlepin_pub_cert} -caname root -password \"file:${certs::keystore_password_file}\" 2>>${certs::log_dir}/certificates.log",
|
||
path => '/usr/bin',
|
||
creates => $certs::keystore,
|
||
notify => Service[$certs::tomcat],
|
||
require => [File[$certs::pki_dir], Exec['deploy-candlepin-certificate-to-cp'], File[$certs::log_dir]]
|
||
}
|
||
|
||
file { $certs::keystore:
|
||
owner => 'root',
|
||
group => $certs::user_groups,
|
||
mode => '0640',
|
||
require => [Exec['generate-ssl-keystore']]
|
||
}
|
||
|
||
file { $ssl_build_path:
|
||
ensure => directory,
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0700'
|
||
}
|
||
|
||
file { "${ssl_build_path}/rhsm-katello-reconfigure":
|
||
content => template('certs/rhsm-katello-reconfigure.erb'),
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0700',
|
||
require => File[$ssl_build_path]
|
||
}
|
||
|
||
exec { 'generate-candlepin-certificate':
|
||
cwd => '/root',
|
||
command => "katello-ssl-tool --gen-ca -p \"$(cat ${certs::candlepin_ca_password_file})\" --set-country '${certs::country}' --set-state '${certs::state}' --set-city '${certs::city}' --set-org '${certs::org}' --set-org-unit '${certs::org_unit}' --set-common-name `hostname` --set-email '' --ca-key '${candlepin_cert_name}.key' --ca-cert '${candlepin_cert_name}.crt' --ca-cert-rpm '${candlepin_key_pair_name}' 2>>${certs::log_dir}/certificates.log",
|
||
path => '/usr/bin:/bin',
|
||
creates => "${ssl_build_path}/${candlepin_cert_name}.crt",
|
||
require => [File[$certs::candlepin_ca_password_file], File[$certs::log_dir]],
|
||
notify => Exec['generate-candlepin-consumer-certificate'] # regenerate consumer RPM as well
|
||
}
|
||
|
||
exec { 'deploy-candlepin-certificate-to-cp':
|
||
command => "openssl x509 -in ${candlepin_pub_cert} -out ${candlepin_certs_storage}/candlepin-ca.crt; openssl rsa -in ${candlepin_private_key} -out ${candlepin_certs_storage}/candlepin-ca.key -passin 'file:/etc/katello/candlepin_ca_password-file' 2>>${certs::log_dir}/certificates.log",
|
||
path => '/bin:/usr/bin',
|
||
creates => ["${candlepin_certs_storage}/candlepin-ca.crt", "${candlepin_certs_storage}/candlepin-ca.key"],
|
||
require => [Exec['deploy-candlepin-certificate'], File[$certs::log_dir]]
|
||
} ->
|
||
exec { 'install-ca-certificate':
|
||
cwd => '/etc/pki/tls/certs',
|
||
command => "ln -s ${candlepin_certs_storage}/candlepin-ca.crt `openssl x509 -hash -noout -in ${candlepin_certs_storage}/candlepin-ca.crt`.0",
|
||
unless => "test -e `openssl x509 -hash -noout -in ${candlepin_certs_storage}/candlepin-ca.crt`.0",
|
||
path => '/usr/bin:/bin'
|
||
}
|
||
|
||
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
|
||
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
|
||
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.'
|
||
|
||
file { "${certs::candlepin_certs_dir}/candlepin-ca.key":
|
||
owner => 'root',
|
||
group => $certs::user_groups,
|
||
mode => '0640',
|
||
require => Exec['deploy-candlepin-certificate-to-cp'],
|
||
before => Class['candlepin::service']
|
||
}
|
||
|
||
file { "${certs::candlepin_certs_dir}/candlepin-ca.crt":
|
||
owner => 'root',
|
||
group => $certs::user_groups,
|
||
mode => '0644',
|
||
require => Exec['deploy-candlepin-certificate-to-cp'],
|
||
before => Class['candlepin::service']
|
||
}
|
||
|
||
$katello_www_pub_dir = '/var/www/html/pub'
|
||
|
||
file { $katello_www_pub_dir:
|
||
ensure => directory,
|
||
owner => 'apache',
|
||
group => 'apache',
|
||
mode => '0755',
|
||
}
|
||
|
||
exec { 'generate-candlepin-consumer-certificate':
|
||
cwd => $katello_www_pub_dir,
|
||
command => "gen-rpm.sh --name '${candlepin_consumer_name}' --version 1.0 --release 1 --packager None --vendor None --group 'Applications/System' --summary '${candlepin_consumer_summary}' --description '${candlepin_consumer_description}' --requires subscription-manager --post ${ssl_build_path}/rhsm-katello-reconfigure /etc/rhsm/ca/candlepin-local.pem:644=${ssl_build_path}/${candlepin_cert_name}.crt 2>>${certs::log_dir}/certificates.log && /sbin/restorecon ./*rpm",
|
||
path => '/usr/share/katello/certs:/usr/bin:/bin',
|
||
creates => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
|
||
require => [Exec['generate-candlepin-certificate'], File["${ssl_build_path}/rhsm-katello-reconfigure"], File[$certs::log_dir]]
|
||
}
|
||
|
||
file { "${katello_www_pub_dir}/${candlepin_cert_name}-consumer-latest.noarch.rpm":
|
||
ensure => 'link',
|
||
target => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
|
||
require => Exec['generate-candlepin-certificate']
|
||
}
|
||
|
||
exec { 'deploy-candlepin-certificate':
|
||
command => "rpm -qp /root/ssl-build/$(grep ${candlepin_cert_name}.*noarch.rpm /root/ssl-build/latest.txt) | xargs rpm -q; if [ $? -ne 0 ]; then rpm -Uvh --force /root/ssl-build/$(grep noarch.rpm /root/ssl-build/latest.txt); fi",
|
||
path => '/bin:/usr/bin',
|
||
creates => $candlepin_pub_cert,
|
||
require => [File["${katello_www_pub_dir}/${candlepin_cert_name}-consumer-latest.noarch.rpm"]]
|
||
}
|
||
|
||
}
|
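Review bot: The keystore password file declared at `file { $certs::keystore_password_file:` is given `mode => '0644'`, which makes the keystore password readable by every local account although the keystore it protects is `0640` and the CA password files further down are `0600`; `mode => '0640',` keeps it readable by tomcat and `$certs::user_groups` only. The `openssl rand -base64 24 > ${certs::ssl_ca_password_file}` and `...candlepin_ca_password_file` execs create their files through a shell redirect, so until the matching `file` resources apply `0600` the password sits at the umask default; prefixing the command with `umask 077 && ` (the redirect already relies on shell interpretation) closes that window. In `deploy-candlepin-certificate-to-cp` the key is decrypted with the literal `-passin 'file:/etc/katello/candlepin_ca_password-file'` while every other resource uses `${certs::candlepin_ca_password_file}`; the two should agree, e.g. `-passin 'file:${certs::candlepin_ca_password_file}'`, or changing the parameter silently breaks the decrypt. The `generate-candlepin-certificate` command also passes the CA password as a literal argument via `-p "$(cat ...)"`, where it is visible in the process list while the tool runs; whether katello-ssl-tool accepts a file-based alternative is not visible here. The rendered page does not show which of these lines are new in this commit and which are carried context.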
manifests/config/pulp.pp | ||
---|---|---|
# Certs Configuration for Pulp
|
||
class certs::config::pulp {
|
||
include certs::config
|
||
include pulp::service
|
||
include qpid::service
|
||
|
manifests/init.pp | ||
---|---|---|
$user_groups = $certs::params::user_groups,
|
||
|
||
$pki_dir = $certs::params::pki_dir,
|
||
$keystore = $certs::params::keystore,
|
||
$keystore_password_file = $certs::params::keystore_password_file,
|
||
$keystore_password = $certs::params::keystore_password,
|
||
|
||
$candlepin_certs_dir = $certs::params::candlepin_certs_dir,
|
||
$candlepin_ca_password_file = $certs::params::candlepin_ca_password_file,
|
||
$ssl_ca_password_file = $certs::params::ssl_ca_password_file,
|
||
|
||
$nss_db_password_file = $certs::params::nss_db_password_file,
|
Extract candlepin specific cert configs to candlepin module