
Revision 76be89b8

Added by Ivan Necas over 10 years ago

Clean code


manifests/apache.pp
class certs::apache (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$apache_ssl_cert = $::certs::params::apache_ssl_cert,
$apache_ssl_key = $::certs::params::apache_ssl_cert,
$apache_ca_cert = $::certs::params::apache_ca_cert
$apache_ssl_key = $::certs::params::apache_ssl_key,
$apache_ca_cert = $::certs::params::apache_ca_cert
) inherits certs::params {
cert { "${::certs::node_fqdn}-ssl":
hostname => $::certs::node_fqdn,
ensure => present,
hostname => $::certs::node_fqdn,
country => $::certs::country,
state => $::certs::state,
city => $::certs::sity,
......
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
regenerate => $regenerate,
deploy => $deploy,
}
......
pubkey { $apache_ssl_cert:
ensure => present,
cert => Cert["${::certs::node_fqdn}-ssl"]
cert => Cert["${::certs::node_fqdn}-ssl"]
}
pubkey { $apache_ca_cert:
ensure => present,
cert => $ca
cert => $ca
}
privkey { $apache_ssl_key:
ensure => present,
cert => Cert["${::certs::node_fqdn}-ssl"]
cert => Cert["${::certs::node_fqdn}-ssl"]
} ->
file { $apache_ssl_key:
owner => $apache::params::user,
......
}
file { "${apache::params::configdir}/ssl.conf":
content => template("apache/ssl.conf.erb"),
mode => '0644',
owner => 'root',
group => 'root',
content => template('apache/ssl.conf.erb'),
mode => '0644',
owner => 'root',
group => 'root',
require => [Pubkey[$apache_ssl_cert], Privkey[$apache_ssl_key]],
notify => Exec['reload-apache'],
notify => Exec['reload-apache'],
}
}
}
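Review bot: `city => $::certs::sity` on the `cert { "${::certs::node_fqdn}-ssl": ... }` resource looks like a typo for `$::certs::city`; params.pp in this same commit defines `$city = 'Raleigh'` and no `$sity`, so the locality field of the Apache certificate would be filled from an undefined variable (undef, or a compile failure under strict variable checking). The line is printed only once here, so it is presumably context that the commit leaves unchanged rather than something it introduces. Proposed change: `city => $::certs::city,`.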
manifests/candlepin.pp
# Constains certs specific configurations for candlepin
class certs::candlepin (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$storage = '/etc/candlepin/certs',
$ca_cert = '/etc/candlepin/certs/candlepin-ca.crt',
$ca_key = '/etc/candlepin/certs/candlepin-ca.key',
$pki_dir = '/etc/pki/katello',
$keystore = '/etc/pki/katello/keystore',
$keystore_password_file = undef,
$keystore_password = undef,
$candlepin_certs_dir = $certs::params::candlepin_certs_dir
) {
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$storage = $::certs::params::candlepin_certs_storage,
$ca_cert = $::certs::params::candlepin_ca_cert,
$ca_key = $::certs::params::candlepin_ca_key,
$pki_dir = $::certs::params::candlepin_pki_dir,
$keystore = $::certs::params::candlepin_keystore,
$keystore_password_file = $::certs::params::candlepin_keystore_password_file,
$keystore_password = $::certs::params::candlepin_keystore_password,
$candlepin_certs_dir = $::certs::params::candlepin_certs_dir
) inherits certs::params {
Exec { logoutput => 'on_failure' }
......
group => $::certs::user_groups,
mode => '0644';
} ~>
# TODO: it would be probably a bit better to not unprotect it here and
# make candlepin and openssl pkcs12 command to use the passphrase-file instead.
# On the other hand, technically there is not big difference between having
# the key unprotected or storing the passphrase-file: in both cases, getting
# the file means corrupting the certificate
privkey { $ca_key:
cert => $ca,
unprotect => true;
......
path => '/bin:/usr/bin',
creates => $keystore;
} ~>
file { "/usr/share/${candlepin::tomcat}/conf/keystore":
ensure => link,
target => $keystore;
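Review bot: `$keystore_password` now defaults to `$::certs::params::candlepin_keystore_password`, which params.pp in this commit fills by calling `find_or_create_password(...)` at catalog compile time; if that function returns the secret itself, as its name suggests, the password travels as a class parameter and therefore appears in the compiled catalog and in anything that records class parameters, whereas `$keystore_password_file` alone keeps it on the node. This deserves a comment on the parameter list, e.g. `# $keystore_password is the secret read from $keystore_password_file; do not override it from data that is logged or reported`, so that the new default is not later copied into Hiera or reports. The `certs::candlepin` body continues past the end of this hunk, so how the value is consumed is not visible here.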
manifests/foreman.pp
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
regenerate => $regenerate,
deploy => $deploy,
}
......
file { $client_key:
owner => "foreman",
mode => "0400"
mode => "0400"
}
pubkey { $client_ca:
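Review bot: The `file { $client_key: ... }` resource keeps double-quoted literals `owner => "foreman"` and `mode => "0400"` although nothing is interpolated, while the apache.pp section of this same commit writes `mode => '0644'` with single quotes; the puppet.pp hunk has the same quoting, and it adds a trailing comma after `mode => "0400",` that this hunk omits. Suggest `owner => 'foreman',` and `mode => '0400',` here and the matching single-quoted form in puppet.pp, so the module's quoting is consistent and puppet-lint does not flag the non-interpolated strings. The enclosing class definition starts and ends outside this hunk.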
manifests/init.pp
) inherits certs::params {
$user_groups = $certs::params::user_groups
$ssl_ca_password_file = $certs::params::ssl_ca_password_file
$nss_db_password_file = $certs::params::nss_db_password_file
$ssl_pk12_password_file = $certs::params::ssl_pk12_password_file
$nss_db_dir = '/etc/pki/katello/nssdb'
$nss_db_dir = $certs::params::nss_db_dir
class { 'certs::install': }
manifests/katello.pp
# Katello specific certs settings
class certs::katello {
$ssl_build_path = '/root/ssl-build'
$katello_www_pub_dir = '/var/www/html/pub'
$candlepin_cert_name = 'candlepin-ca'
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
$ssl_build_path = '/root/ssl-build'
$katello_www_pub_dir = '/var/www/html/pub'
$candlepin_cert_name = 'candlepin-ca'
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.'
file { $katello_www_pub_dir:
manifests/params.pp
$regenerate_ca = false
$deploy = true
$country = 'US'
$state = 'North Carolina'
$city = 'Raleigh'
$org = 'SomeOrg'
$org_unit = 'SomeOrgUnit'
$expiration = '365'
$country = 'US'
$state = 'North Carolina'
$city = 'Raleigh'
$org = 'SomeOrg'
$org_unit = 'SomeOrgUnit'
$expiration = '365'
$ca_expiration = '36500'
$ssl_ca_password_file = '/etc/katello/ssl_ca_password-file'
$candlepin_ca_password_file = '/etc/katello/candlepin_ca_password-file'
# main keystore location
$pki_dir = '/etc/pki/katello'
$keystore = "${pki_dir}/keystore"
$keystore_password_file = '/etc/katello/keystore_password-file'
$keystore_password = find_or_create_password($keystore_password_file)
$nss_db_password_file = '/etc/katello/nss_db_password-file'
$nss_db_dir = '/etc/pki/katello/nssdb'
$nss_db_password_file = '/etc/katello/nss_db_password-file'
$nss_db_dir = '/etc/pki/katello/nssdb'
$ssl_pk12_password_file = '/etc/katello/pk12_password-file'
$candlepin_certs_dir = '/etc/candlepin/certs'
$user_groups = 'foreman'
$foreman_client_cert = '/etc/foreman/client_cert.pem'
$foreman_client_key = '/etc/foreman/client_key.pem'
$foreman_client_ca = '/etc/foreman/client_ca.pem'
$foreman_client_key = '/etc/foreman/client_key.pem'
$foreman_client_ca = '/etc/foreman/client_ca.pem'
$foreman_proxy_cert = '/etc/foreman-proxy/ssl_cert.pem'
$foreman_proxy_key = '/etc/foreman-proxy/ssl_key.pem'
$foreman_proxy_ca = '/etc/foreman-proxy/ssl_ca.pem'
$foreman_proxy_key = '/etc/foreman-proxy/ssl_key.pem'
$foreman_proxy_ca = '/etc/foreman-proxy/ssl_ca.pem'
$puppet_client_cert = '/etc/puppet/client_cert.pem'
$puppet_client_key = '/etc/puppet/client_key.pem'
$puppet_client_ca = '/etc/puppet/client_ca.pem'
$puppet_client_key = '/etc/puppet/client_key.pem'
$puppet_client_ca = '/etc/puppet/client_ca.pem'
$apache_ssl_cert = '/etc/pki/tls/certs/katello-node.crt'
$apache_ssl_key = '/etc/pki/tls/private/katello-node.key'
$apache_ca_cert = '/etc/pki/tls/certs/katello-ca.crt'
$apache_ca_cert = '/etc/pki/tls/certs/katello-ca.crt'
$candlepin_certs_storage = '/etc/candlepin/certs'
$candlepin_ca_cert = '/etc/candlepin/certs/candlepin-ca.crt'
$candlepin_ca_key = '/etc/candlepin/certs/candlepin-ca.key'
$candlepin_pki_dir = '/etc/pki/katello'
$candlepin_keystore = '/etc/pki/katello/keystore'
$candlepin_keystore_password_file = '/etc/katello/keystore_password-file'
$candlepin_keystore_password = find_or_create_password($candlepin_keystore_password_file)
$candlepin_certs_dir = '/etc/candlepin/certs'
}
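Review bot: The new `$candlepin_*` parameters restate the same literal paths as the generic ones instead of referencing them: `$candlepin_pki_dir`, `$candlepin_keystore` and `$candlepin_keystore_password_file` repeat `/etc/pki/katello`, `${pki_dir}/keystore` and `/etc/katello/keystore_password-file` from a few lines above, and `$candlepin_keystore_password` calls `find_or_create_password` a second time on the same file. Two independent copies of a secret's location can drift apart on a later edit, leaving one component writing a keystore that another cannot open. Suggest `$candlepin_keystore = $keystore`, `$candlepin_keystore_password_file = $keystore_password_file` and `$candlepin_keystore_password = $keystore_password` (and likewise `$candlepin_pki_dir = $pki_dir`), which also avoids the repeated function call. `$candlepin_certs_storage` and `$candlepin_certs_dir` likewise both hold `/etc/candlepin/certs` and could share one definition.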
manifests/puppet.pp
file { $client_key:
owner => "puppet",
mode => "0400"
mode => "0400",
}
pubkey { $client_ca:
manifests/qpid.pp
Exec { logoutput => 'on_failure' }
if $qpid::ssl {
if $::qpid::ssl {
cert { "${::certs::qpid::hostname}-qpid-broker":
ensure => present,
