Revision 9501017b
Added by Ivan Necas over 10 years ago
manifests/apache.pp | ||
---|---|---|
class certs::apache (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$apache_ssl_cert = $::certs::params::apache_ssl_cert,
|
||
$apache_ssl_key = $::certs::params::apache_ssl_cert,
|
||
$apache_ca_cert = $::certs::params::apache_ca_cert
|
||
) inherits certs::params {
|
||
|
||
cert { "${::certs::node_fqdn}-ssl":
|
||
hostname => $::certs::node_fqdn,
|
||
ensure => present,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::sity,
|
||
org => $::certs::org,
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
if $deploy {
|
||
include apache
|
||
include apache::ssl
|
||
|
||
pubkey { $apache_ssl_cert:
|
||
ensure => present,
|
||
cert => Cert["${::certs::node_fqdn}-ssl"]
|
||
}
|
||
|
||
pubkey { $apache_ca_cert:
|
||
ensure => present,
|
||
cert => $ca
|
||
}
|
||
|
||
privkey { $apache_ssl_key:
|
||
ensure => present,
|
||
cert => Cert["${::certs::node_fqdn}-ssl"]
|
||
} ->
|
||
file { $apache_ssl_key:
|
||
owner => $apache::params::user,
|
||
group => $apache::params::group,
|
||
mode => '0400';
|
||
}
|
||
|
||
file { "${apache::params::configdir}/ssl.conf":
|
||
content => template("apache/ssl.conf.erb"),
|
||
mode => '0644',
|
||
owner => 'root',
|
||
group => 'root',
|
||
require => [Pubkey[$apache_ssl_cert], Privkey[$apache_ssl_key]],
|
||
notify => Exec['reload-apache'],
|
||
}
|
||
}
|
||
}
|
manifests/candlepin.pp | ||
---|---|---|
# Constains certs specific configurations for candlepin
|
||
class certs::candlepin (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$storage = '/etc/candlepin/certs',
|
||
$ca_cert = '/etc/candlepin/certs/candlepin-ca.crt',
|
||
$ca_key = '/etc/candlepin/certs/candlepin-ca.key',
|
||
$pki_dir = '/etc/pki/katello',
|
||
$keystore = '/etc/pki/katello/keystore',
|
||
$keystore_password_file = undef,
|
||
$keystore_password = undef,
|
||
$candlepin_certs_dir = $certs::params::candlepin_certs_dir
|
||
) {
|
||
|
||
Exec { logoutput => 'on_failure' }
|
||
|
||
if $deploy {
|
||
file { $keystore_password_file:
|
||
ensure => file,
|
||
content => $keystore_password,
|
||
mode => '0644',
|
||
owner => 'tomcat',
|
||
group => $::certs::user_groups,
|
||
replace => false;
|
||
} ~>
|
||
file { $pki_dir:
|
||
ensure => directory,
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0750',
|
||
} ~>
|
||
pubkey { $ca_cert:
|
||
cert => $ca,
|
||
} ~>
|
||
file { $ca_cert:
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0644';
|
||
} ~>
|
||
# TODO: it would be probably a bit better to not unprotect it here and
|
||
# make candlepin and openssl pkcs12 command to use the passphrase-file instead.
|
||
# On the other hand, technically there is not big difference between having
|
||
# the key unprotected or storing the passphrase-file: in both cases, getting
|
||
# the file means corrupting the certificate
|
||
privkey { $ca_key:
|
||
cert => $ca,
|
||
unprotect => true;
|
||
} ~>
|
||
file { $ca_key:
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0640';
|
||
} ~>
|
||
exec { 'generate-ssl-keystore':
|
||
command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${keystore_password_file}\"",
|
||
path => '/bin:/usr/bin',
|
||
creates => $keystore;
|
||
} ~>
|
||
|
||
file { "/usr/share/${candlepin::tomcat}/conf/keystore":
|
||
ensure => link,
|
||
target => $keystore;
|
||
} ~>
|
||
exec { 'add-candlepin-cert-to-nss-db':
|
||
command => "certutil -A -d '${::certs::nss_db_dir}' -n 'ca' -t 'TCu,Cu,Tuw' -a -i '${ca_cert}'",
|
||
path => '/usr/bin',
|
||
subscribe => Exec['create-nss-db'],
|
||
refreshonly => true,
|
||
}
|
||
|
||
}
|
||
}
|
manifests/foreman.pp | ||
---|---|---|
class certs::foreman (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$client_cert = $::certs::params::foreman_client_cert,
|
||
$client_key = $::certs::params::foreman_client_key,
|
||
$client_ca = $::certs::params::foreman_client_ca
|
||
) inherits certs::params {
|
||
|
||
# cert for authentication of puppetmaster against foreman
|
||
cert { "${::certs::foreman::hostname}-foreman-client":
|
||
hostname => $::certs::foreman::hostname,
|
||
purpose => client,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::sity,
|
||
org => 'FOREMAN',
|
||
org_unit => 'PUPPET',
|
||
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
if $deploy {
|
||
pubkey { $client_cert:
|
||
cert => Cert["${::certs::foreman::hostname}-foreman-client"],
|
||
}
|
||
|
||
privkey { $client_key:
|
||
cert => Cert["${::certs::foreman::hostname}-foreman-client"],
|
||
} ->
|
||
|
||
file { $client_key:
|
||
owner => "foreman",
|
||
mode => "0400"
|
||
}
|
||
|
||
pubkey { $client_ca:
|
||
cert => $ca,
|
||
}
|
||
}
|
||
}
|
manifests/foreman_proxy.pp | ||
---|---|---|
class certs::foreman_proxy (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$proxy_cert = $::certs::params::foreman_proxy_cert,
|
||
$proxy_key = $::certs::params::foreman_proxy_key,
|
||
$proxy_ca = $::certs::params::foreman_proxy_ca
|
||
) inherits certs::params {
|
||
|
||
# cert for ssl of foreman-proxy
|
||
cert { "${::certs::foreman_proxy::hostname}-foreman-proxy":
|
||
hostname => $::certs::foreman_proxy::hostname,
|
||
purpose => server,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::sity,
|
||
org => 'FOREMAN',
|
||
org_unit => 'SMART_PROXY',
|
||
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
if $deploy {
|
||
pubkey { $proxy_cert:
|
||
cert => Cert["${::certs::foreman_proxy::hostname}-foreman-proxy"],
|
||
}
|
||
|
||
privkey { $proxy_key:
|
||
cert => Cert["${::certs::foreman_proxy::hostname}-foreman-proxy"],
|
||
} ->
|
||
|
||
file { $proxy_key:
|
||
owner => "foreman-proxy",
|
||
mode => "0400"
|
||
}
|
||
|
||
pubkey { $proxy_ca:
|
||
cert => $ca,
|
||
}
|
||
}
|
||
}
|
manifests/katello.pp | ||
---|---|---|
# Katello specific certs settings
|
||
class certs::katello {
|
||
|
||
$ssl_build_path = '/root/ssl-build'
|
||
$katello_www_pub_dir = '/var/www/html/pub'
|
||
$candlepin_cert_name = 'candlepin-ca'
|
||
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
|
||
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
|
||
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.'
|
||
|
||
file { $katello_www_pub_dir:
|
||
ensure => directory,
|
||
owner => 'apache',
|
||
group => 'apache',
|
||
mode => '0755';
|
||
} ->
|
||
file { $ssl_build_path:
|
||
ensure => directory,
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0700';
|
||
} ->
|
||
file { "${ssl_build_path}/rhsm-katello-reconfigure":
|
||
content => template('certs/rhsm-katello-reconfigure.erb'),
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0700',
|
||
} ~>
|
||
exec { 'generate-candlepin-consumer-certificate':
|
||
cwd => $katello_www_pub_dir,
|
||
command => "gen-rpm.sh --name '${candlepin_consumer_name}' --version 1.0 --release 1 --packager None --vendor None --group 'Applications/System' --summary '${candlepin_consumer_summary}' --description '${candlepin_consumer_description}' --requires subscription-manager --post ${ssl_build_path}/rhsm-katello-reconfigure /etc/rhsm/ca/candlepin-local.pem:644=${ssl_build_path}/${candlepin_cert_name}.crt && /sbin/restorecon ./*rpm",
|
||
path => '/usr/share/katello/certs:/usr/bin:/bin',
|
||
creates => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
|
||
logoutput => 'on_failure';
|
||
} ~>
|
||
file { "${katello_www_pub_dir}/${candlepin_cert_name}-consumer-latest.noarch.rpm":
|
||
ensure => 'link',
|
||
target => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
|
||
}
|
||
}
|
manifests/params.pp | ||
---|---|---|
$candlepin_certs_dir = '/etc/candlepin/certs'
|
||
|
||
$user_groups = 'foreman'
|
||
|
||
$foreman_client_cert = '/etc/foreman/client_cert.pem'
|
||
$foreman_client_key = '/etc/foreman/client_key.pem'
|
||
$foreman_client_ca = '/etc/foreman/client_ca.pem'
|
||
|
||
$foreman_proxy_cert = '/etc/foreman-proxy/ssl_cert.pem'
|
||
$foreman_proxy_key = '/etc/foreman-proxy/ssl_key.pem'
|
||
$foreman_proxy_ca = '/etc/foreman-proxy/ssl_ca.pem'
|
||
|
||
$puppet_client_cert = '/etc/puppet/client_cert.pem'
|
||
$puppet_client_key = '/etc/puppet/client_key.pem'
|
||
$puppet_client_ca = '/etc/puppet/client_ca.pem'
|
||
|
||
$apache_ssl_cert = '/etc/pki/tls/certs/katello-node.crt'
|
||
$apache_ssl_key = '/etc/pki/tls/private/katello-node.key'
|
||
$apache_ca_cert = '/etc/pki/tls/certs/katello-ca.crt'
|
||
}
|
manifests/pulp_child.pp | ||
---|---|---|
# Pulp Node Certs
|
||
class certs::pulp_child (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca
|
||
) {
|
||
|
||
if $deploy {
|
||
pubkey { $pulp::consumers_ca_cert:
|
||
cert => $ca,
|
||
} ~>
|
||
|
||
pubkey { $pulp::ssl_ca_cert:
|
||
# Defined in certs::apache module
|
||
cert => Cert["${::certs::pulp_child::hostname}-ssl"],
|
||
}
|
||
}
|
||
}
|
manifests/pulp_parent.pp | ||
---|---|---|
# Pulp Master Certs configuration
|
||
class certs::pulp_parent (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$nodes_cert = '/etc/pki/pulp/nodes/node.crt',
|
||
$messaging_ca_cert = $pulp::params::messaging_ca_cert,
|
||
$messaging_client_cert = $pulp::params::messaging_client_cert
|
||
) inherits pulp::params {
|
||
|
||
# cert for nodes authenitcation
|
||
cert { "${::certs::pulp_parent::hostname}-parent-cert":
|
||
hostname => $certs::pulp_parent::hostname,
|
||
common_name => 'pulp-child-node-cert',
|
||
purpose => client,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::sity,
|
||
org => 'PULP',
|
||
org_unit => 'NODES',
|
||
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
cert { "${::certs::pulp_parent::hostname}-qpid-client-cert":
|
||
hostname => $::certs::pulp_parent::hostname,
|
||
common_name => 'pulp-qpid-client-cert',
|
||
purpose => client,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::sity,
|
||
org => 'PULP',
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
if $deploy {
|
||
key_bundle { $::certs::pulp_parent::nodes_cert:
|
||
cert => Cert["${::certs::pulp_parent::hostname}-parent-cert"],
|
||
}
|
||
|
||
key_bundle { $messaging_client_cert:
|
||
cert => Cert["${::certs::pulp_parent::hostname}-qpid-client-cert"],
|
||
} ~>
|
||
file { $messaging_client_cert:
|
||
owner => 'apache',
|
||
group => 'apache',
|
||
mode => '0640',
|
||
}
|
||
}
|
||
}
|
manifests/puppet.pp | ||
---|---|---|
class certs::puppet (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca,
|
||
$client_cert = $::certs::params::puppet_client_cert,
|
||
$client_key = $::certs::params::puppet_client_key,
|
||
$client_ca = $::certs::params::puppet_client_ca
|
||
) inherits certs::params {
|
||
|
||
# cert for authentication of puppetmaster against foreman
|
||
cert { "${::certs::puppet::hostname}-puppet-client":
|
||
hostname => $::certs::puppet::hostname,
|
||
purpose => client,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::sity,
|
||
org => 'FOREMAN',
|
||
org_unit => 'PUPPET',
|
||
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
if $deploy {
|
||
pubkey { $client_cert:
|
||
cert => Cert["${::certs::puppet::hostname}-puppet-client"],
|
||
}
|
||
|
||
privkey { $client_key:
|
||
cert => Cert["${::certs::puppet::hostname}-puppet-client"],
|
||
} ->
|
||
|
||
file { $client_key:
|
||
owner => "puppet",
|
||
mode => "0400"
|
||
}
|
||
|
||
pubkey { $client_ca:
|
||
cert => $ca,
|
||
}
|
||
}
|
||
}
|
manifests/qpid.pp | ||
---|---|---|
class certs::qpid (
|
||
$hostname = $::certs::node_fqdn,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$ca = $::certs::default_ca
|
||
){
|
||
|
||
Exec { logoutput => 'on_failure' }
|
||
|
||
if $qpid::ssl {
|
||
|
||
cert { "${::certs::qpid::hostname}-qpid-broker":
|
||
ensure => present,
|
||
hostname => $::certs::qpid::hostname,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::sity,
|
||
org => 'pulp',
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
}
|
||
|
||
if $deploy {
|
||
|
||
# TODO: for some reason still not working: postponing to not block other
|
||
# activities
|
||
$nss_db_password_file = '/etc/katello/nss_db_password-file'
|
||
$ssl_pk12_password_file = $certs::params::ssl_pk12_password_file
|
||
$qpid_cert_name = 'qpid-broker'
|
||
$client_cert = "/etc/pki/katello/${qpid_cert_name}.crt"
|
||
$client_key = "/etc/pki/katello/${qpid_cert_name}.key"
|
||
$pfx_path = "/etc/pki/katello/${qpid_cert_name}.pfx"
|
||
$nssdb_files = ["${::certs::nss_db_dir}/cert8.db", "${::certs::nss_db_dir}/key3.db", "${::certs::nss_db_dir}/secmod.db"]
|
||
|
||
pubkey { $client_cert:
|
||
cert => Cert["${::certs::qpid::hostname}-qpid-broker"]
|
||
} ~>
|
||
privkey { $client_key:
|
||
cert => Cert["${::certs::qpid::hostname}-qpid-broker"]
|
||
} ~>
|
||
file { $client_key:
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0400',
|
||
} ~>
|
||
exec { 'generate-nss-password':
|
||
command => "openssl rand -base64 24 > ${nss_db_password_file}",
|
||
path => '/usr/bin',
|
||
creates => $nss_db_password_file
|
||
} ->
|
||
file { $nss_db_password_file:
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0640',
|
||
} ~>
|
||
exec { 'generate-pk12-password':
|
||
path => '/usr/bin',
|
||
command => "openssl rand -base64 24 > ${ssl_pk12_password_file}",
|
||
creates => $ssl_pk12_password_file
|
||
} ~>
|
||
file { $ssl_pk12_password_file:
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0600',
|
||
require => Exec['generate-pk12-password']
|
||
} ~>
|
||
file { $::certs::nss_db_dir:
|
||
ensure => directory,
|
||
owner => 'root',
|
||
group => $certs::user_groups,
|
||
mode => '0744',
|
||
} ~>
|
||
exec { 'create-nss-db':
|
||
command => "certutil -N -d '${::certs::nss_db_dir}' -f '${nss_db_password_file}'",
|
||
path => '/usr/bin',
|
||
creates => $nssdb_files,
|
||
} ~>
|
||
file { $nssdb_files:
|
||
owner => 'root',
|
||
group => $::certs::user_groups,
|
||
mode => '0640',
|
||
} ~>
|
||
exec { 'add-broker-cert-to-nss-db':
|
||
command => "certutil -A -d '${::certs::nss_db_dir}' -n 'broker' -t ',,' -a -i '${client_cert}'",
|
||
path => '/usr/bin',
|
||
refreshonly => true,
|
||
} ~>
|
||
exec { 'generate-pfx-for-nss-db':
|
||
command => "openssl pkcs12 -in ${client_cert} -inkey ${client_key} -export -out '${pfx_path}' -password 'file:${ssl_pk12_password_file}'",
|
||
path => '/usr/bin',
|
||
refreshonly => true,
|
||
} ~>
|
||
exec { 'add-private-key-to-nss-db':
|
||
command => "pk12util -i '${pfx_path}' -d '${::certs::nss_db_dir}' -w '${ssl_pk12_password_file}' -k '${nss_db_password_file}'",
|
||
path => '/usr/bin',
|
||
refreshonly => true,
|
||
}
|
||
|
||
}
|
||
|
||
}
|
||
|
||
}
|
Also available in: Unified diff
Get certs work on one place