Project

General

Profile

« Previous | Next » 

Revision 9501017b

Added by Ivan Necas over 10 years ago

Get certs work on one place

View differences:

manifests/apache.pp
class certs::apache (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$apache_ssl_cert = $::certs::params::apache_ssl_cert,
$apache_ssl_key = $::certs::params::apache_ssl_cert,
$apache_ca_cert = $::certs::params::apache_ca_cert
) inherits certs::params {
cert { "${::certs::node_fqdn}-ssl":
hostname => $::certs::node_fqdn,
ensure => present,
country => $::certs::country,
state => $::certs::state,
city => $::certs::sity,
org => $::certs::org,
org_unit => $::certs::org_unit,
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
}
if $deploy {
include apache
include apache::ssl
pubkey { $apache_ssl_cert:
ensure => present,
cert => Cert["${::certs::node_fqdn}-ssl"]
}
pubkey { $apache_ca_cert:
ensure => present,
cert => $ca
}
privkey { $apache_ssl_key:
ensure => present,
cert => Cert["${::certs::node_fqdn}-ssl"]
} ->
file { $apache_ssl_key:
owner => $apache::params::user,
group => $apache::params::group,
mode => '0400';
}
file { "${apache::params::configdir}/ssl.conf":
content => template("apache/ssl.conf.erb"),
mode => '0644',
owner => 'root',
group => 'root',
require => [Pubkey[$apache_ssl_cert], Privkey[$apache_ssl_key]],
notify => Exec['reload-apache'],
}
}
}
manifests/candlepin.pp
# Constains certs specific configurations for candlepin
class certs::candlepin (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$storage = '/etc/candlepin/certs',
$ca_cert = '/etc/candlepin/certs/candlepin-ca.crt',
$ca_key = '/etc/candlepin/certs/candlepin-ca.key',
$pki_dir = '/etc/pki/katello',
$keystore = '/etc/pki/katello/keystore',
$keystore_password_file = undef,
$keystore_password = undef,
$candlepin_certs_dir = $certs::params::candlepin_certs_dir
) {
Exec { logoutput => 'on_failure' }
if $deploy {
file { $keystore_password_file:
ensure => file,
content => $keystore_password,
mode => '0644',
owner => 'tomcat',
group => $::certs::user_groups,
replace => false;
} ~>
file { $pki_dir:
ensure => directory,
owner => 'root',
group => $::certs::user_groups,
mode => '0750',
} ~>
pubkey { $ca_cert:
cert => $ca,
} ~>
file { $ca_cert:
owner => 'root',
group => $::certs::user_groups,
mode => '0644';
} ~>
# TODO: it would be probably a bit better to not unprotect it here and
# make candlepin and openssl pkcs12 command to use the passphrase-file instead.
# On the other hand, technically there is not big difference between having
# the key unprotected or storing the passphrase-file: in both cases, getting
# the file means corrupting the certificate
privkey { $ca_key:
cert => $ca,
unprotect => true;
} ~>
file { $ca_key:
owner => 'root',
group => $::certs::user_groups,
mode => '0640';
} ~>
exec { 'generate-ssl-keystore':
command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${keystore_password_file}\"",
path => '/bin:/usr/bin',
creates => $keystore;
} ~>
file { "/usr/share/${candlepin::tomcat}/conf/keystore":
ensure => link,
target => $keystore;
} ~>
exec { 'add-candlepin-cert-to-nss-db':
command => "certutil -A -d '${::certs::nss_db_dir}' -n 'ca' -t 'TCu,Cu,Tuw' -a -i '${ca_cert}'",
path => '/usr/bin',
subscribe => Exec['create-nss-db'],
refreshonly => true,
}
}
}
manifests/foreman.pp
class certs::foreman (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$client_cert = $::certs::params::foreman_client_cert,
$client_key = $::certs::params::foreman_client_key,
$client_ca = $::certs::params::foreman_client_ca
) inherits certs::params {
# cert for authentication of puppetmaster against foreman
cert { "${::certs::foreman::hostname}-foreman-client":
hostname => $::certs::foreman::hostname,
purpose => client,
country => $::certs::country,
state => $::certs::state,
city => $::certs::sity,
org => 'FOREMAN',
org_unit => 'PUPPET',
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
}
if $deploy {
pubkey { $client_cert:
cert => Cert["${::certs::foreman::hostname}-foreman-client"],
}
privkey { $client_key:
cert => Cert["${::certs::foreman::hostname}-foreman-client"],
} ->
file { $client_key:
owner => "foreman",
mode => "0400"
}
pubkey { $client_ca:
cert => $ca,
}
}
}
manifests/foreman_proxy.pp
class certs::foreman_proxy (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$proxy_cert = $::certs::params::foreman_proxy_cert,
$proxy_key = $::certs::params::foreman_proxy_key,
$proxy_ca = $::certs::params::foreman_proxy_ca
) inherits certs::params {
# cert for ssl of foreman-proxy
cert { "${::certs::foreman_proxy::hostname}-foreman-proxy":
hostname => $::certs::foreman_proxy::hostname,
purpose => server,
country => $::certs::country,
state => $::certs::state,
city => $::certs::sity,
org => 'FOREMAN',
org_unit => 'SMART_PROXY',
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
}
if $deploy {
pubkey { $proxy_cert:
cert => Cert["${::certs::foreman_proxy::hostname}-foreman-proxy"],
}
privkey { $proxy_key:
cert => Cert["${::certs::foreman_proxy::hostname}-foreman-proxy"],
} ->
file { $proxy_key:
owner => "foreman-proxy",
mode => "0400"
}
pubkey { $proxy_ca:
cert => $ca,
}
}
}
manifests/katello.pp
# Katello specific certs settings
class certs::katello {
$ssl_build_path = '/root/ssl-build'
$katello_www_pub_dir = '/var/www/html/pub'
$candlepin_cert_name = 'candlepin-ca'
$candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}"
$candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}"
$candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.'
file { $katello_www_pub_dir:
ensure => directory,
owner => 'apache',
group => 'apache',
mode => '0755';
} ->
file { $ssl_build_path:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700';
} ->
file { "${ssl_build_path}/rhsm-katello-reconfigure":
content => template('certs/rhsm-katello-reconfigure.erb'),
owner => 'root',
group => 'root',
mode => '0700',
} ~>
exec { 'generate-candlepin-consumer-certificate':
cwd => $katello_www_pub_dir,
command => "gen-rpm.sh --name '${candlepin_consumer_name}' --version 1.0 --release 1 --packager None --vendor None --group 'Applications/System' --summary '${candlepin_consumer_summary}' --description '${candlepin_consumer_description}' --requires subscription-manager --post ${ssl_build_path}/rhsm-katello-reconfigure /etc/rhsm/ca/candlepin-local.pem:644=${ssl_build_path}/${candlepin_cert_name}.crt && /sbin/restorecon ./*rpm",
path => '/usr/share/katello/certs:/usr/bin:/bin',
creates => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
logoutput => 'on_failure';
} ~>
file { "${katello_www_pub_dir}/${candlepin_cert_name}-consumer-latest.noarch.rpm":
ensure => 'link',
target => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm",
}
}
manifests/params.pp
$candlepin_certs_dir = '/etc/candlepin/certs'
$user_groups = 'foreman'
$foreman_client_cert = '/etc/foreman/client_cert.pem'
$foreman_client_key = '/etc/foreman/client_key.pem'
$foreman_client_ca = '/etc/foreman/client_ca.pem'
$foreman_proxy_cert = '/etc/foreman-proxy/ssl_cert.pem'
$foreman_proxy_key = '/etc/foreman-proxy/ssl_key.pem'
$foreman_proxy_ca = '/etc/foreman-proxy/ssl_ca.pem'
$puppet_client_cert = '/etc/puppet/client_cert.pem'
$puppet_client_key = '/etc/puppet/client_key.pem'
$puppet_client_ca = '/etc/puppet/client_ca.pem'
$apache_ssl_cert = '/etc/pki/tls/certs/katello-node.crt'
$apache_ssl_key = '/etc/pki/tls/private/katello-node.key'
$apache_ca_cert = '/etc/pki/tls/certs/katello-ca.crt'
}
manifests/pulp_child.pp
# Pulp Node Certs
class certs::pulp_child (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca
) {
if $deploy {
pubkey { $pulp::consumers_ca_cert:
cert => $ca,
} ~>
pubkey { $pulp::ssl_ca_cert:
# Defined in certs::apache module
cert => Cert["${::certs::pulp_child::hostname}-ssl"],
}
}
}
manifests/pulp_parent.pp
# Pulp Master Certs configuration
class certs::pulp_parent (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$nodes_cert = '/etc/pki/pulp/nodes/node.crt',
$messaging_ca_cert = $pulp::params::messaging_ca_cert,
$messaging_client_cert = $pulp::params::messaging_client_cert
) inherits pulp::params {
# cert for nodes authenitcation
cert { "${::certs::pulp_parent::hostname}-parent-cert":
hostname => $certs::pulp_parent::hostname,
common_name => 'pulp-child-node-cert',
purpose => client,
country => $::certs::country,
state => $::certs::state,
city => $::certs::sity,
org => 'PULP',
org_unit => 'NODES',
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
}
cert { "${::certs::pulp_parent::hostname}-qpid-client-cert":
hostname => $::certs::pulp_parent::hostname,
common_name => 'pulp-qpid-client-cert',
purpose => client,
country => $::certs::country,
state => $::certs::state,
city => $::certs::sity,
org => 'PULP',
org_unit => $::certs::org_unit,
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
}
if $deploy {
key_bundle { $::certs::pulp_parent::nodes_cert:
cert => Cert["${::certs::pulp_parent::hostname}-parent-cert"],
}
key_bundle { $messaging_client_cert:
cert => Cert["${::certs::pulp_parent::hostname}-qpid-client-cert"],
} ~>
file { $messaging_client_cert:
owner => 'apache',
group => 'apache',
mode => '0640',
}
}
}
manifests/puppet.pp
class certs::puppet (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca,
$client_cert = $::certs::params::puppet_client_cert,
$client_key = $::certs::params::puppet_client_key,
$client_ca = $::certs::params::puppet_client_ca
) inherits certs::params {
# cert for authentication of puppetmaster against foreman
cert { "${::certs::puppet::hostname}-puppet-client":
hostname => $::certs::puppet::hostname,
purpose => client,
country => $::certs::country,
state => $::certs::state,
city => $::certs::sity,
org => 'FOREMAN',
org_unit => 'PUPPET',
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
}
if $deploy {
pubkey { $client_cert:
cert => Cert["${::certs::puppet::hostname}-puppet-client"],
}
privkey { $client_key:
cert => Cert["${::certs::puppet::hostname}-puppet-client"],
} ->
file { $client_key:
owner => "puppet",
mode => "0400"
}
pubkey { $client_ca:
cert => $ca,
}
}
}
manifests/qpid.pp
class certs::qpid (
$hostname = $::certs::node_fqdn,
$generate = $::certs::generate,
$regenerate = $::certs::regenerate,
$deploy = $::certs::deploy,
$ca = $::certs::default_ca
){
Exec { logoutput => 'on_failure' }
if $qpid::ssl {
cert { "${::certs::qpid::hostname}-qpid-broker":
ensure => present,
hostname => $::certs::qpid::hostname,
country => $::certs::country,
state => $::certs::state,
city => $::certs::sity,
org => 'pulp',
org_unit => $::certs::org_unit,
expiration => $::certs::expiration,
ca => $ca,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
}
if $deploy {
# TODO: for some reason still not working: postponing to not block other
# activities
$nss_db_password_file = '/etc/katello/nss_db_password-file'
$ssl_pk12_password_file = $certs::params::ssl_pk12_password_file
$qpid_cert_name = 'qpid-broker'
$client_cert = "/etc/pki/katello/${qpid_cert_name}.crt"
$client_key = "/etc/pki/katello/${qpid_cert_name}.key"
$pfx_path = "/etc/pki/katello/${qpid_cert_name}.pfx"
$nssdb_files = ["${::certs::nss_db_dir}/cert8.db", "${::certs::nss_db_dir}/key3.db", "${::certs::nss_db_dir}/secmod.db"]
pubkey { $client_cert:
cert => Cert["${::certs::qpid::hostname}-qpid-broker"]
} ~>
privkey { $client_key:
cert => Cert["${::certs::qpid::hostname}-qpid-broker"]
} ~>
file { $client_key:
owner => 'root',
group => $::certs::user_groups,
mode => '0400',
} ~>
exec { 'generate-nss-password':
command => "openssl rand -base64 24 > ${nss_db_password_file}",
path => '/usr/bin',
creates => $nss_db_password_file
} ->
file { $nss_db_password_file:
owner => 'root',
group => $::certs::user_groups,
mode => '0640',
} ~>
exec { 'generate-pk12-password':
path => '/usr/bin',
command => "openssl rand -base64 24 > ${ssl_pk12_password_file}",
creates => $ssl_pk12_password_file
} ~>
file { $ssl_pk12_password_file:
owner => 'root',
group => 'root',
mode => '0600',
require => Exec['generate-pk12-password']
} ~>
file { $::certs::nss_db_dir:
ensure => directory,
owner => 'root',
group => $certs::user_groups,
mode => '0744',
} ~>
exec { 'create-nss-db':
command => "certutil -N -d '${::certs::nss_db_dir}' -f '${nss_db_password_file}'",
path => '/usr/bin',
creates => $nssdb_files,
} ~>
file { $nssdb_files:
owner => 'root',
group => $::certs::user_groups,
mode => '0640',
} ~>
exec { 'add-broker-cert-to-nss-db':
command => "certutil -A -d '${::certs::nss_db_dir}' -n 'broker' -t ',,' -a -i '${client_cert}'",
path => '/usr/bin',
refreshonly => true,
} ~>
exec { 'generate-pfx-for-nss-db':
command => "openssl pkcs12 -in ${client_cert} -inkey ${client_key} -export -out '${pfx_path}' -password 'file:${ssl_pk12_password_file}'",
path => '/usr/bin',
refreshonly => true,
} ~>
exec { 'add-private-key-to-nss-db':
command => "pk12util -i '${pfx_path}' -d '${::certs::nss_db_dir}' -w '${ssl_pk12_password_file}' -k '${nss_db_password_file}'",
path => '/usr/bin',
refreshonly => true,
}
}
}
}

Also available in: Unified diff