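# == Class: certs
#
# Base for installing and configuring certs. It holds the basic configuration
# around certificates generation and deployment. The per-subsystem configuration
# of certificates should go into `subsystem_module/manifests/certs.pp`.
#
# === Parameters:
#
# $log_dir:: Where the log files should go
#
# $node_fqdn:: The fqdn of the host the generated certificates
# should be for
#
# $generate:: Should the generation of the certs be part of the
# configuration
# type: boolean
#
# $regenerate:: Force regeneration of the certificates (excluding
# ca certificates)
# type: boolean
#
# $regenerate_ca:: Force regeneration of the ca certificate
# type: boolean
#
# $deploy:: Deploy the certs on the configured system. False means
# we want to apply them on a different system
# type: boolean
#
# $ca_common_name:: Common name for the generated CA certificate
# type: string
#
# $country:: Country attribute for managed certificates
# type: string
#
# $state:: State attribute for managed certificates
# type: string
#
# $city:: City attribute for managed certificates
# type: string
#
# $org:: Org attribute for managed certificates
# type: string
#
# $org_unit:: Org unit attribute for managed certificates
# type: string
#
# $expiration:: Expiration attribute for managed certificates
# type: string
#
# $ca_expiration:: Ca expiration attribute for managed certificates
# type: string
#
# $server_ca_cert:: Path to the CA that issued the ssl certificates for https
# if not specified, the default CA will be used
#
# $server_cert:: Path to the ssl certificate for https
# if not specified, the default CA will generate one
#
# $server_key:: Path to the ssl key for https
# if not specified, the default CA will generate one
#
# $server_cert_req:: Path to the ssl certificate request for https
# if not specified, the default CA will generate one
#
# $pki_dir:: The PKI directory under which to place certs
#
# $ssl_build_dir:: The directory where SSL keys, certs and RPMs will be generated
#
# $user:: The system user name who should own the certs;
#
# $group:: The group who should own the certs;
#
# $password_file_dir:: The location to store password files
#
# $default_ca_name:: The name of the default CA
#
# $server_ca_name:: The name of the server CA (used for https)
#
# === Variables set by this class:
#
# $nss_db_dir, $ca_key, $ca_cert, $ca_cert_stripped, $ca_key_password_file,
# $katello_server_ca_cert, $default_ca and $server_ca are computed below;
# the per-subsystem certs classes presumably read them as `$certs::<name>`
# (verify against the callers before renaming any of them).
#
class certs (
  $log_dir           = $certs::params::log_dir,
  $node_fqdn         = $certs::params::node_fqdn,
  $generate          = $certs::params::generate,
  $regenerate        = $certs::params::regenerate,
  $regenerate_ca     = $certs::params::regenerate_ca,
  $deploy            = $certs::params::deploy,
  $ca_common_name    = $certs::params::ca_common_name,
  $country           = $certs::params::country,
  $state             = $certs::params::state,
  $city              = $certs::params::city,
  $org               = $certs::params::org,
  $org_unit          = $certs::params::org_unit,

  $expiration        = $certs::params::expiration,
  $ca_expiration     = $certs::params::ca_expiration,

  $server_cert       = $certs::params::server_cert,
  $server_key        = $certs::params::server_key,
  $server_cert_req   = $certs::params::server_cert_req,
  $server_ca_cert    = $certs::params::server_ca_cert,

  $pki_dir           = $certs::params::pki_dir,
  $ssl_build_dir     = $certs::params::ssl_build_dir,
  $password_file_dir = $certs::params::password_file_dir,

  $user              = $certs::params::user,
  $group             = $certs::params::group,
  $default_ca_name   = $certs::params::default_ca_name,
  $server_ca_name    = $certs::params::server_ca_name
) inherits certs::params {

  # A custom server certificate is only accepted as a complete set: once
  # $server_cert is given, the request, key and issuing CA must all be absolute
  # paths to existing files, otherwise the catalog fails here rather than at
  # deploy time. Note that setting only $server_key or $server_ca_cert without
  # $server_cert is not validated at all; the default CA is used in that case.
  if $server_cert {
    validate_absolute_path($server_cert)
    validate_absolute_path($server_cert_req)
    validate_absolute_path($server_key)
    validate_absolute_path($server_ca_cert)
    validate_file_exists($server_cert, $server_cert_req, $server_key, $server_ca_cert)
  }

  $nss_db_dir = "${pki_dir}/nssdb"

  # Locations of the default CA key pair under $pki_dir.
  $ca_key           = "${certs::pki_dir}/private/${default_ca_name}.key"
  $ca_cert          = "${certs::pki_dir}/certs/${default_ca_name}.crt"
  $ca_cert_stripped = "${certs::pki_dir}/certs/${default_ca_name}-stripped.crt"

  # Passphrase protecting the CA key. random_password/cache_data are module
  # functions; presumably cache_data persists the value so later runs reuse the
  # same passphrase instead of rotating it (confirm in the module's lib/).
  $ca_key_password      = cache_data('ca_key_password', random_password(24))
  $ca_key_password_file = "${certs::pki_dir}/private/${default_ca_name}.pwd"

  $katello_server_ca_cert = "${certs::pki_dir}/certs/${server_ca_name}.crt"

  class { '::certs::install': } ->
  class { '::certs::config': } ->
  # The password file holds a secret: keep it root-only, and stop Puppet from
  # echoing its content into agent diffs/reports (show_diff) or copying the
  # previous version to the filebucket on change (backup).
  file { $ca_key_password_file:
    ensure    => file,
    content   => $ca_key_password,
    owner     => 'root',
    group     => 'root',
    mode      => '0400',
    show_diff => false,
    backup    => false,
  } ~>
  ca { $default_ca_name:
    ensure        => present,
    common_name   => $certs::ca_common_name,
    country       => $certs::country,
    state         => $certs::state,
    city          => $certs::city,
    org           => $certs::org,
    org_unit      => $certs::org_unit,
    expiration    => $certs::ca_expiration,
    generate      => $certs::generate,
    deploy        => $certs::deploy,
    password_file => $ca_key_password_file,
  }

  $default_ca = Ca[$default_ca_name]

  # The server CA is either the externally supplied issuer of the custom
  # server certificate, or a CA signed by the default CA.
  if $certs::server_cert {
    ca { $certs::server_ca_name:
      ensure        => present,
      generate      => $certs::generate,
      deploy        => $certs::deploy,
      custom_pubkey => $certs::server_ca_cert,
    }
  } else {
    ca { $certs::server_ca_name:
      ensure   => present,
      generate => $certs::generate,
      deploy   => $certs::deploy,
      ca       => $certs::default_ca,
    }
  }
  $server_ca = Ca[$certs::server_ca_name]

  # Stable name for the trust anchor inside the build directory.
  if $certs::generate {
    file { "${ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
      ensure  => link,
      target  => "${ssl_build_dir}/${certs::server_ca_name}.crt",
      require => $server_ca,
    }
  }

  if $deploy {

    # Public CA certificates are world-readable (0644); only the private key
    # below is restricted.
    Ca[$default_ca_name] ~>
    pubkey { $ca_cert:
      key_pair => $default_ca,
    } ~>
    pubkey { $ca_cert_stripped:
      strip    => true,
      key_pair => $default_ca,
    } ~>
    file { $ca_cert:
      ensure => file,
      owner  => 'root',
      group  => $certs::group,
      mode   => '0644',
    }

    Ca[$server_ca_name] ~>
    pubkey { $katello_server_ca_cert:
      key_pair => $server_ca,
    } ~>
    file { $katello_server_ca_cert:
      ensure => file,
      owner  => 'root',
      group  => $certs::group,
      mode   => '0644',
    }

    if $generate {
      # The CA private key is written out with unprotect => true (presumably
      # without its passphrase) and made readable by $group (0440). Every
      # member of that group can then issue certificates trusted by this CA,
      # so $group must stay limited to the service accounts that need it.
      Ca[$default_ca_name] ~>
      privkey { $ca_key:
        key_pair      => $default_ca,
        unprotect     => true,
        password_file => $ca_key_password_file,
      } ~>
      file { $ca_key:
        ensure => file,
        owner  => 'root',
        group  => $certs::group,
        mode   => '0440',
      }
    }
  }
}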