Revision 76be89b8
Added by Ivan Necas over 10 years ago
manifests/apache.pp | ||
---|---|---|
class certs::apache (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$apache_ssl_cert = $::certs::params::apache_ssl_cert,
|
||
$apache_ssl_key = $::certs::params::apache_ssl_cert,
|
||
$apache_ca_cert = $::certs::params::apache_ca_cert
|
||
$apache_ssl_key = $::certs::params::apache_ssl_key,
|
||
$apache_ca_cert = $::certs::params::apache_ca_cert
|
||
) inherits certs::params {
|
||
|
||
cert { "${::certs::node_fqdn}-ssl":
|
||
hostname => $::certs::node_fqdn,
|
||
ensure => present,
|
||
hostname => $::certs::node_fqdn,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::sity,
|
||
... | ... | |
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
... | ... | |
|
||
pubkey { $apache_ssl_cert:
|
||
ensure => present,
|
||
cert => Cert["${::certs::node_fqdn}-ssl"]
|
||
cert => Cert["${::certs::node_fqdn}-ssl"]
|
||
}
|
||
|
||
pubkey { $apache_ca_cert:
|
||
ensure => present,
|
||
cert => $ca
|
||
cert => $ca
|
||
}
|
||
|
||
privkey { $apache_ssl_key:
|
||
ensure => present,
|
||
cert => Cert["${::certs::node_fqdn}-ssl"]
|
||
cert => Cert["${::certs::node_fqdn}-ssl"]
|
||
} ->
|
||
file { $apache_ssl_key:
|
||
owner => $apache::params::user,
|
||
... | ... | |
}
|
||
|
||
file { "${apache::params::configdir}/ssl.conf":
|
||
content => template("apache/ssl.conf.erb"),
|
||
mode => '0644',
|
||
owner => 'root',
|
||
group => 'root',
|
||
content => template('apache/ssl.conf.erb'),
|
||
mode => '0644',
|
||
owner => 'root',
|
||
group => 'root',
|
||
require => [Pubkey[$apache_ssl_cert], Privkey[$apache_ssl_key]],
|
||
notify => Exec['reload-apache'],
|
||
notify => Exec['reload-apache'],
|
||
}
|
||
}
|
||
}
|
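Review bot: The `$hostname` parameter added in the new parameter list is never read: the `cert` resource is still keyed and configured on `$::certs::node_fqdn` (`cert { "${::certs::node_fqdn}-ssl": hostname => $::certs::node_fqdn`), so a caller overriding `hostname` gets a certificate for a different name than the one it asked for. Use the parameter instead — `cert { "${hostname}-ssl":` / `hostname => $hostname,` — and make the same one-token substitution in the three `Cert["${::certs::node_fqdn}-ssl"]` references in the `pubkey` and `privkey` resources. Separately, `city => $::certs::sity` on a context line looks like a typo for `$::certs::city`; with Puppet's default non-strict variable handling it resolves to undef and silently drops the locality from the certificate subject. The `require` list on `ssl.conf` omits `Pubkey[$apache_ca_cert]`, which the template presumably references — worth confirming against `apache/ssl.conf.erb`.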
manifests/candlepin.pp | ||
---|---|---|
# Constains certs specific configurations for candlepin
|
||
class certs::candlepin (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$storage = '/etc/candlepin/certs',
|
||
$ca_cert = '/etc/candlepin/certs/candlepin-ca.crt',
|
||
$ca_key = '/etc/candlepin/certs/candlepin-ca.key',
|
||
$pki_dir = '/etc/pki/katello',
|
||
$keystore = '/etc/pki/katello/keystore',
|
||
$keystore_password_file = undef,
|
||
$keystore_password = undef,
|
||
$candlepin_certs_dir = $certs::params::candlepin_certs_dir
|
||
) {
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$storage = $::certs::params::candlepin_certs_storage,
|
||
$ca_cert = $::certs::params::candlepin_ca_cert,
|
||
$ca_key = $::certs::params::candlepin_ca_key,
|
||
$pki_dir = $::certs::params::candlepin_pki_dir,
|
||
$keystore = $::certs::params::candlepin_keystore,
|
||
$keystore_password_file = $::certs::params::candlepin_keystore_password_file,
|
||
$keystore_password = $::certs::params::candlepin_keystore_password,
|
||
$candlepin_certs_dir = $::certs::params::candlepin_certs_dir
|
||
) inherits certs::params {
|
||
|
||
Exec { logoutput => 'on_failure' }
|
||
|
||
... | ... | |
group => $::certs::user_groups,
|
||
mode => '0644';
|
||
} ~>
|
||
# TODO: it would be probably a bit better to not unprotect it here and
|
||
# make candlepin and openssl pkcs12 command to use the passphrase-file instead.
|
||
# On the other hand, technically there is not big difference between having
|
||
# the key unprotected or storing the passphrase-file: in both cases, getting
|
||
# the file means corrupting the certificate
|
||
privkey { $ca_key:
|
||
cert => $ca,
|
||
unprotect => true;
|
||
... | ... | |
path => '/bin:/usr/bin',
|
||
creates => $keystore;
|
||
} ~>
|
||
|
||
file { "/usr/share/${candlepin::tomcat}/conf/keystore":
|
||
ensure => link,
|
||
target => $keystore;
|
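Review bot: The plaintext CA key written by `privkey { $ca_key: cert => $ca, unprotect => true }` has no visible ownership or mode, unlike every other key file in this commit (apache, foreman and puppet each follow their `privkey` with a `file` resource pinning `mode => '0400'`); if nothing further down in the class sets it, the unencrypted key keeps whatever permissions the provider creates by default. Add `file { $ca_key: owner => <account that runs candlepin>, mode => '0400', require => Privkey[$ca_key] }` next to it — the owner should be the one user that actually reads the key, which I cannot tell from this section. Also, `$keystore_password` is now a class parameter whose default is produced by `find_or_create_password` at compile time, so the secret is embedded in the catalog (and in any catalog store or report that keeps it); passing only `$keystore_password_file` and reading it inside the Exec would keep it out. In the TODO comment, "getting the file means corrupting the certificate" presumably means compromising the CA, which is worth stating plainly. The class body continues outside this section.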
manifests/foreman.pp | ||
---|---|---|
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
... | ... | |
|
||
file { $client_key:
|
||
owner => "foreman",
|
||
mode => "0400"
|
||
mode => "0400"
|
||
}
|
||
|
||
pubkey { $client_ca:
|
manifests/init.pp | ||
---|---|---|
) inherits certs::params {
|
||
|
||
$user_groups = $certs::params::user_groups
|
||
$ssl_ca_password_file = $certs::params::ssl_ca_password_file
|
||
$nss_db_password_file = $certs::params::nss_db_password_file
|
||
$ssl_pk12_password_file = $certs::params::ssl_pk12_password_file
|
||
$nss_db_dir = '/etc/pki/katello/nssdb'
|
||
$nss_db_dir = $certs::params::nss_db_dir
|
||
|
||
class { 'certs::install': }
|
||
|
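Review bot: The references added here use the relative form `$certs::params::…` while apache.pp and candlepin.pp in the same commit use the absolute `$::certs::params::…`; inside class `certs` the relative spelling relies on namespace-relative lookup (a behaviour later Puppet releases dropped), so `$nss_db_dir = $::certs::params::nss_db_dir` and the three assignments above it would be the consistent, forward-compatible form. Since these are plain body assignments rather than class parameters, callers cannot override them — fine if intentional, but a comment such as `# resolved from certs::params; not overridable through class parameters` above `$user_groups` would make that explicit. The class body continues outside this section.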
manifests/katello.pp | ||
---|---|---|
# Katello specific certs settings
|
||
class certs::katello {
|
||
|
||
$ssl_build_path = '/root/ssl-build'
|
||
$katello_www_pub_dir = '/var/www/html/pub'
|
||
$candlepin_cert_name = 'candlepin-ca'
|
||
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
|
||
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
|
||
$ssl_build_path = '/root/ssl-build'
|
||
$katello_www_pub_dir = '/var/www/html/pub'
|
||
$candlepin_cert_name = 'candlepin-ca'
|
||
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
|
||
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
|
||
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.'
|
||
|
||
file { $katello_www_pub_dir:
|
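Review bot: `$candlepin_consumer_name` and `$candlepin_consumer_summary` derive the consumer identity from `${::fqdn}`, whereas every certificate in this commit is named from `$::certs::node_fqdn` (for example `"${::certs::node_fqdn}-ssl"` in apache.pp); if `node_fqdn` is ever set to something other than the fact, the consumer certificate will carry a name that does not match the server certificate it accompanies. Unless the divergence is intentional, use `$::certs::node_fqdn` in both lines. `$katello_www_pub_dir` appears to be under the Apache document root and is presumably served without authentication, so a header comment above `$ssl_build_path` such as `# $katello_www_pub_dir is web-served: only public material (CA certs, consumer RPM) may be placed here` would help the next maintainer. The `file { $katello_www_pub_dir: … }` resource continues outside this section.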
manifests/params.pp | ||
---|---|---|
$regenerate_ca = false
|
||
$deploy = true
|
||
|
||
$country = 'US'
|
||
$state = 'North Carolina'
|
||
$city = 'Raleigh'
|
||
$org = 'SomeOrg'
|
||
$org_unit = 'SomeOrgUnit'
|
||
$expiration = '365'
|
||
$country = 'US'
|
||
$state = 'North Carolina'
|
||
$city = 'Raleigh'
|
||
$org = 'SomeOrg'
|
||
$org_unit = 'SomeOrgUnit'
|
||
$expiration = '365'
|
||
$ca_expiration = '36500'
|
||
|
||
$ssl_ca_password_file = '/etc/katello/ssl_ca_password-file'
|
||
$candlepin_ca_password_file = '/etc/katello/candlepin_ca_password-file'
|
||
|
||
# main keystore location
|
||
$pki_dir = '/etc/pki/katello'
|
||
$keystore = "${pki_dir}/keystore"
|
||
$keystore_password_file = '/etc/katello/keystore_password-file'
|
||
$keystore_password = find_or_create_password($keystore_password_file)
|
||
|
||
$nss_db_password_file = '/etc/katello/nss_db_password-file'
|
||
$nss_db_dir = '/etc/pki/katello/nssdb'
|
||
$nss_db_password_file = '/etc/katello/nss_db_password-file'
|
||
$nss_db_dir = '/etc/pki/katello/nssdb'
|
||
$ssl_pk12_password_file = '/etc/katello/pk12_password-file'
|
||
|
||
$candlepin_certs_dir = '/etc/candlepin/certs'
|
||
|
||
$user_groups = 'foreman'
|
||
|
||
$foreman_client_cert = '/etc/foreman/client_cert.pem'
|
||
$foreman_client_key = '/etc/foreman/client_key.pem'
|
||
$foreman_client_ca = '/etc/foreman/client_ca.pem'
|
||
$foreman_client_key = '/etc/foreman/client_key.pem'
|
||
$foreman_client_ca = '/etc/foreman/client_ca.pem'
|
||
|
||
$foreman_proxy_cert = '/etc/foreman-proxy/ssl_cert.pem'
|
||
$foreman_proxy_key = '/etc/foreman-proxy/ssl_key.pem'
|
||
$foreman_proxy_ca = '/etc/foreman-proxy/ssl_ca.pem'
|
||
$foreman_proxy_key = '/etc/foreman-proxy/ssl_key.pem'
|
||
$foreman_proxy_ca = '/etc/foreman-proxy/ssl_ca.pem'
|
||
|
||
$puppet_client_cert = '/etc/puppet/client_cert.pem'
|
||
$puppet_client_key = '/etc/puppet/client_key.pem'
|
||
$puppet_client_ca = '/etc/puppet/client_ca.pem'
|
||
$puppet_client_key = '/etc/puppet/client_key.pem'
|
||
$puppet_client_ca = '/etc/puppet/client_ca.pem'
|
||
|
||
$apache_ssl_cert = '/etc/pki/tls/certs/katello-node.crt'
|
||
$apache_ssl_key = '/etc/pki/tls/private/katello-node.key'
|
||
$apache_ca_cert = '/etc/pki/tls/certs/katello-ca.crt'
|
||
$apache_ca_cert = '/etc/pki/tls/certs/katello-ca.crt'
|
||
|
||
$candlepin_certs_storage = '/etc/candlepin/certs'
|
||
$candlepin_ca_cert = '/etc/candlepin/certs/candlepin-ca.crt'
|
||
$candlepin_ca_key = '/etc/candlepin/certs/candlepin-ca.key'
|
||
$candlepin_pki_dir = '/etc/pki/katello'
|
||
$candlepin_keystore = '/etc/pki/katello/keystore'
|
||
$candlepin_keystore_password_file = '/etc/katello/keystore_password-file'
|
||
$candlepin_keystore_password = find_or_create_password($candlepin_keystore_password_file)
|
||
$candlepin_certs_dir = '/etc/candlepin/certs'
|
||
|
||
}
|
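Review bot: The candlepin block at the bottom re-declares keystore settings already defined above it: `$candlepin_keystore` repeats the literal for `$keystore`, `$candlepin_keystore_password_file` repeats `/etc/katello/keystore_password-file`, and `$candlepin_keystore_password` calls `find_or_create_password` a second time on that same path, so editing either literal on its own would leave the two consumers with different passwords for one keystore. Define them by reference — `$candlepin_keystore = $keystore`, `$candlepin_keystore_password_file = $keystore_password_file`, `$candlepin_keystore_password = $keystore_password` — so there is a single source of truth. `find_or_create_password` also runs while the catalog is compiled, which means the password (including a freshly generated one) is carried in the catalog; a comment at the first call noting where the file is created and that the value is catalog-visible would document that trade-off. `$ca_expiration = '36500'` gives the CA a roughly hundred-year lifetime, which may be intended for a self-signed deployment CA but deserves a one-line comment saying so.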
manifests/puppet.pp | ||
---|---|---|
|
||
file { $client_key:
|
||
owner => "puppet",
|
||
mode => "0400"
|
||
mode => "0400",
|
||
}
|
||
|
||
pubkey { $client_ca:
|
manifests/qpid.pp | ||
---|---|---|
|
||
Exec { logoutput => 'on_failure' }
|
||
|
||
if $qpid::ssl {
|
||
if $::qpid::ssl {
|
||
|
||
cert { "${::certs::qpid::hostname}-qpid-broker":
|
||
ensure => present,
|