Revision a6af1d3d
Added by Timo Goebel about 7 years ago
manifests/apache.pp | ||
# Certs configurations for Apache
|
||
class certs::apache (
|
||
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
) inherits certs::params {
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$pki_dir = $::certs::pki_dir,
|
||
$server_cert = $::certs::server_cert,
|
||
$server_key = $::certs::server_key,
|
||
$server_cert_req = $::certs::server_cert_req,
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$org = $::certs::org,
|
||
$org_unit = $::certs::org_unit,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
$group = $::certs::group,
|
||
) inherits certs {
|
||
|
||
$apache_cert_name = "${hostname}-apache"
|
||
$apache_cert = "${::certs::pki_dir}/certs/katello-apache.crt"
|
||
$apache_key = "${::certs::pki_dir}/private/katello-apache.key"
|
||
$apache_cert = "${pki_dir}/certs/katello-apache.crt"
|
||
$apache_key = "${pki_dir}/private/katello-apache.key"
|
||
|
||
if $::certs::server_cert {
|
||
if $server_cert {
|
||
cert { $apache_cert_name:
|
||
ensure => present,
|
||
hostname => $hostname,
|
||
... | ... | |
generate => $generate,
|
||
deploy => $deploy,
|
||
regenerate => $regenerate,
|
||
custom_pubkey => $::certs::server_cert,
|
||
custom_privkey => $::certs::server_key,
|
||
custom_req => $::certs::server_cert_req,
|
||
custom_pubkey => $server_cert,
|
||
custom_privkey => $server_key,
|
||
custom_req => $server_cert_req,
|
||
}
|
||
} else {
|
||
cert { $apache_cert_name:
|
||
ensure => present,
|
||
hostname => $hostname,
|
||
cname => $cname,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
org => $::certs::org,
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => $org,
|
||
org_unit => $org_unit,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
}
|
||
|
||
... | ... | |
manage_key => true,
|
||
key_owner => $::apache::user,
|
||
key_mode => '0400',
|
||
key_group => $::certs::group,
|
||
key_group => $group,
|
||
cert_file => $apache_cert,
|
||
notify => Service['httpd'],
|
||
}
|
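Review bot: `key_owner => $::apache::user` in the keypair resource at the end of the file is the one deployed-key attribute still read from another class's namespace after this commit turned every `$::certs::*` reference into a class parameter, and it is parse-order dependent: if `certs::apache` is evaluated before class `apache`, the variable resolves to undef (with a warning) and the owner of the 0400 private key is presumably left unmanaged. Give it the same treatment as `key_group => $group`, i.e. a parameter such as `$key_owner = $::apache::user,` in the class header and `key_owner => $key_owner,` here, so the dependency is visible and overridable. The resource containing `manage_key => true` begins outside the hunk.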
manifests/candlepin.pp | ||
# Constains certs specific configurations for candlepin
|
||
class certs::candlepin (
|
||
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
... | ... | |
$amqp_keystore = $::certs::candlepin_amqp_keystore,
|
||
$amqp_store_dir = $::certs::candlepin_amqp_store_dir,
|
||
$tomcat = $::certs::tomcat,
|
||
) inherits certs::params {
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$org = $::certs::org,
|
||
$org_unit = $::certs::org_unit,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
$user = $::certs::user,
|
||
$group = $::certs::group,
|
||
$nss_db_dir = $::certs::nss_db_dir,
|
||
$qpid_exchange = $::certs::candlepin_qpid_exchange,
|
||
) inherits certs {
|
||
|
||
Exec {
|
||
logoutput => 'on_failure',
|
||
... | ... | |
ensure => present,
|
||
hostname => $hostname,
|
||
cname => $cname,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'candlepin',
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
org_unit => $org_unit,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
$tomcat_cert_name = "${hostname}-tomcat"
|
||
... | ... | |
ensure => present,
|
||
hostname => $hostname,
|
||
cname => $cname,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
org => $::certs::org,
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => $org,
|
||
org_unit => $org_unit,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
$keystore_password = cache_data('foreman_cache_data', $keystore_password_file, random_password(32))
|
||
... | ... | |
file { $password_file:
|
||
ensure => file,
|
||
content => $keystore_password,
|
||
owner => $::certs::user,
|
||
group => $::certs::group,
|
||
owner => $user,
|
||
group => $group,
|
||
mode => '0440',
|
||
} ~>
|
||
exec { 'candlepin-generate-ssl-keystore':
|
||
command => "openssl pkcs12 -export -in ${tomcat_cert} -inkey ${tomcat_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${::certs::ca_key_password_file}\" ",
|
||
command => "openssl pkcs12 -export -in ${tomcat_cert} -inkey ${tomcat_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${ca_key_password_file}\" ",
|
||
creates => $keystore,
|
||
} ~>
|
||
file { "/usr/share/${tomcat}/conf/keystore":
|
||
ensure => link,
|
||
target => $keystore,
|
||
owner => 'tomcat',
|
||
group => $::certs::group,
|
||
group => $group,
|
||
}
|
||
|
||
certs::keypair { 'candlepin':
|
||
... | ... | |
cert_file => $client_cert,
|
||
} ~>
|
||
certs::ssltools::certutil { 'amqp-client':
|
||
nss_db_dir => $::certs::nss_db_dir,
|
||
nss_db_dir => $nss_db_dir,
|
||
client_cert => $client_cert,
|
||
refreshonly => true,
|
||
subscribe => Exec['create-nss-db'],
|
||
... | ... | |
file { $amqp_store_dir:
|
||
ensure => directory,
|
||
owner => 'tomcat',
|
||
group => $::certs::group,
|
||
group => $group,
|
||
mode => '0750',
|
||
} ~>
|
||
exec { 'import CA into Candlepin truststore':
|
||
... | ... | |
file { $amqp_keystore:
|
||
ensure => file,
|
||
owner => 'tomcat',
|
||
group => $::certs::group,
|
||
group => $group,
|
||
mode => '0640',
|
||
}
|
||
}
|
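Review bot: `file { $password_file: ... content => $keystore_password, ... mode => '0440', }` manages the generated keystore password with the file type's default `show_diff`, so whenever the content changes the agent may print a content diff containing the password to its output and report (only when the agent's global `show_diff` setting is also enabled, which hedges the exposure but does not remove it). Add `show_diff => false,` next to `mode => '0440',` for this resource. The `openssl pkcs12` exec below already passes both passwords via `file:` arguments, so that side of the hunk is fine.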
manifests/foreman.pp | ||
# Handles Foreman certs configuration
|
||
class certs::foreman (
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$client_cert = $::certs::params::foreman_client_cert,
|
||
$client_key = $::certs::params::foreman_client_key,
|
||
$ssl_ca_cert = $::certs::params::foreman_ssl_ca_cert
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$client_cert = $::certs::params::foreman_client_cert,
|
||
$client_key = $::certs::params::foreman_client_key,
|
||
$ssl_ca_cert = $::certs::params::foreman_ssl_ca_cert,
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
$server_ca = $::certs::server_ca,
|
||
) inherits certs::params {
|
||
|
||
$client_cert_name = "${hostname}-foreman-client"
|
||
... | ... | |
hostname => $hostname,
|
||
cname => $cname,
|
||
purpose => 'client',
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'FOREMAN',
|
||
org_unit => 'PUPPET',
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
if $deploy {
|
||
... | ... | |
cert_file => $client_cert,
|
||
} ->
|
||
pubkey { $ssl_ca_cert:
|
||
key_pair => $::certs::server_ca,
|
||
key_pair => $server_ca,
|
||
}
|
||
}
|
||
}
|
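Review bot: `certs::foreman` keeps `) inherits certs::params {` while its new parameter defaults read `$::certs::country`, `$::certs::state`, `$::certs::city`, `$::certs::expiration`, `$::certs::default_ca`, `$::certs::ca_key_password_file` and `$::certs::server_ca`; every other manifest in this commit was switched to `) inherits certs {`, which is what guarantees those variables exist when the defaults are evaluated. With the parent still `certs::params`, a catalog that declares `certs::foreman` before `certs` gets undef defaults (and a warning), so the `cert` resource would be issued without `ca`/`password_file` rather than with the inherited values, unless every caller happens to declare `certs` first. Change the line to `) inherits certs {` to match the commit's own title.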
manifests/foreman_proxy.pp | ||
# Handles Foreman Proxy cert configuration
|
||
class certs::foreman_proxy (
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$proxy_cert = $::certs::params::foreman_proxy_cert,
|
||
$proxy_key = $::certs::params::foreman_proxy_key,
|
||
$proxy_ca_cert = $::certs::params::foreman_proxy_ca_cert,
|
||
$foreman_ssl_cert = $::certs::params::foreman_proxy_foreman_ssl_cert,
|
||
$foreman_ssl_key = $::certs::params::foreman_proxy_foreman_ssl_key,
|
||
$foreman_ssl_ca_cert = $::certs::params::foreman_proxy_foreman_ssl_ca_cert
|
||
) inherits certs::params {
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$proxy_cert = $::certs::params::foreman_proxy_cert,
|
||
$proxy_key = $::certs::params::foreman_proxy_key,
|
||
$proxy_ca_cert = $::certs::params::foreman_proxy_ca_cert,
|
||
$foreman_ssl_cert = $::certs::params::foreman_proxy_foreman_ssl_cert,
|
||
$foreman_ssl_key = $::certs::params::foreman_proxy_foreman_ssl_key,
|
||
$foreman_ssl_ca_cert = $::certs::params::foreman_proxy_foreman_ssl_ca_cert,
|
||
$pki_dir = $::certs::pki_dir,
|
||
$server_ca = $::certs::server_ca,
|
||
$server_cert = $::certs::server_cert,
|
||
$server_key = $::certs::server_key,
|
||
$server_cert_req = $::certs::server_cert_req,
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
$group = $::certs::group,
|
||
) inherits certs {
|
||
|
||
$proxy_cert_name = "${hostname}-foreman-proxy"
|
||
$foreman_proxy_client_cert_name = "${hostname}-foreman-proxy-client"
|
||
$foreman_proxy_ssl_client_bundle = "${::certs::pki_dir}/private/${foreman_proxy_client_cert_name}-bundle.pem"
|
||
$foreman_proxy_ssl_client_bundle = "${pki_dir}/private/${foreman_proxy_client_cert_name}-bundle.pem"
|
||
|
||
if $::certs::server_cert {
|
||
if $server_cert {
|
||
cert { $proxy_cert_name:
|
||
ensure => present,
|
||
hostname => $hostname,
|
||
... | ... | |
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
custom_pubkey => $::certs::server_cert,
|
||
custom_privkey => $::certs::server_key,
|
||
custom_req => $::certs::server_cert_req,
|
||
custom_pubkey => $server_cert,
|
||
custom_privkey => $server_key,
|
||
custom_req => $server_cert_req,
|
||
}
|
||
} else {
|
||
# cert for ssl of foreman-proxy
|
||
... | ... | |
hostname => $hostname,
|
||
cname => $cname,
|
||
purpose => 'server',
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'FOREMAN',
|
||
org_unit => 'SMART_PROXY',
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
}
|
||
|
||
... | ... | |
hostname => $hostname,
|
||
cname => $cname,
|
||
purpose => 'client',
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'FOREMAN',
|
||
org_unit => 'FOREMAN_PROXY',
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
if $deploy {
|
||
... | ... | |
manage_key => true,
|
||
key_owner => 'foreman-proxy',
|
||
key_mode => '0400',
|
||
key_group => $::certs::group,
|
||
key_group => $group,
|
||
cert_file => $proxy_cert,
|
||
} ->
|
||
pubkey { $proxy_ca_cert:
|
||
key_pair => $::certs::default_ca,
|
||
key_pair => $default_ca,
|
||
}
|
||
|
||
certs::keypair { 'foreman_proxy_client':
|
||
... | ... | |
cert_file => $foreman_ssl_cert,
|
||
} ->
|
||
pubkey { $foreman_ssl_ca_cert:
|
||
key_pair => $::certs::server_ca,
|
||
key_pair => $server_ca,
|
||
} ~>
|
||
key_bundle { $foreman_proxy_ssl_client_bundle:
|
||
key_pair => Cert[$foreman_proxy_client_cert_name],
|
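Review bot: the defaults from `$proxy_cert = $::certs::params::foreman_proxy_cert` down to `$foreman_ssl_ca_cert = $::certs::params::foreman_proxy_foreman_ssl_ca_cert` still reach past the new parent class into `certs::params`, whereas puppet.pp's equivalent defaults were rewritten in the same commit to the `$::certs::puppet_client_cert` form. If class `certs` re-exposes these values the way it evidently does for the puppet client paths, a `$::certs::foreman_proxy_cert`-style default would keep this class consistent with the others and let an operator override the paths through `certs` alone; if it does not, a short comment on the parameter block saying why these come from `certs::params` would save the next reader the same question. The `key_bundle { $foreman_proxy_ssl_client_bundle:` resource at the end of the section continues outside the hunk.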
manifests/katello.pp | ||
# Katello specific certs settings
|
||
class certs::katello (
|
||
$hostname = $::certs::node_fqdn,
|
||
$deployment_url = undef,
|
||
$rhsm_port = 443,
|
||
$hostname = $::certs::node_fqdn,
|
||
$deployment_url = undef,
|
||
$rhsm_port = 443,
|
||
$candlepin_cert_rpm_alias_filename = undef,
|
||
) {
|
||
$katello_server_ca_cert = $::certs::katello_server_ca_cert,
|
||
$server_ca_name = $::certs::server_ca_name,
|
||
$ca_cert = $::certs::ca_cert,
|
||
$server_ca = $::certs::server_ca,
|
||
) inherits certs {
|
||
|
||
$candlepin_cert_rpm_alias = $candlepin_cert_rpm_alias_filename ? {
|
||
undef => 'katello-ca-consumer-latest.noarch.rpm',
|
||
... | ... | |
|
||
include ::trusted_ca
|
||
trusted_ca::ca { 'katello_server-host-cert':
|
||
source => $::certs::katello_server_ca_cert,
|
||
require => File[$::certs::katello_server_ca_cert],
|
||
source => $katello_server_ca_cert,
|
||
require => File[$katello_server_ca_cert],
|
||
}
|
||
|
||
file { $katello_www_pub_dir:
|
||
... | ... | |
mode => '0755',
|
||
} ->
|
||
# Placing the CA in the pub dir for trusting by a user in their browser
|
||
file { "${katello_www_pub_dir}/${::certs::server_ca_name}.crt":
|
||
file { "${katello_www_pub_dir}/${server_ca_name}.crt":
|
||
ensure => file,
|
||
source => $::certs::katello_server_ca_cert,
|
||
source => $katello_server_ca_cert,
|
||
owner => 'root',
|
||
group => 'root',
|
||
mode => '0644',
|
||
require => File[$::certs::katello_server_ca_cert],
|
||
require => File[$katello_server_ca_cert],
|
||
} ~>
|
||
certs::rhsm_reconfigure_script { "${katello_www_pub_dir}/${katello_rhsm_setup_script}":
|
||
ca_cert => $::certs::ca_cert,
|
||
server_ca_cert => $::certs::katello_server_ca_cert,
|
||
ca_cert => $ca_cert,
|
||
server_ca_cert => $katello_server_ca_cert,
|
||
} ~>
|
||
certs_bootstrap_rpm { $candlepin_consumer_name:
|
||
dir => $katello_www_pub_dir,
|
||
... | ... | |
bootstrap_script => inline_template('/bin/bash <%= @katello_rhsm_setup_script_location %>'),
|
||
postun_script => 'test -f /etc/rhsm/rhsm.conf.kat-backup && command cp /etc/rhsm/rhsm.conf.kat-backup /etc/rhsm/rhsm.conf',
|
||
alias => $candlepin_cert_rpm_alias,
|
||
subscribe => $::certs::server_ca,
|
||
subscribe => $server_ca,
|
||
}
|
||
}
|
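Review bot: the parameters added to `certs::katello` — `$katello_server_ca_cert`, `$server_ca_name`, `$ca_cert`, `$server_ca` — are undocumented; the header is still the one-line `# Katello specific certs settings`, so nothing tells a reader that `$server_ca` is used as a resource reference (`subscribe => $server_ca`) while `$katello_server_ca_cert` is a path used in `source =>` and `File[...]`. I would add one puppet-strings `@param` line per parameter to the header comment, e.g. `# @param katello_server_ca_cert Path of the server CA certificate copied into the pub dir and installed via trusted_ca`. The same applies to the parameter blocks added in apache.pp, candlepin.pp, foreman.pp, foreman_proxy.pp, pulp_client.pp, puppet.pp, qpid.pp, qpid_client.pp and qpid_router.pp.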
manifests/pulp_client.pp | ||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$common_name = 'admin',
|
||
) {
|
||
$pki_dir = $::certs::pki_dir,
|
||
$ca_cert = $::certs::ca_cert,
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
$group = $::certs::group,
|
||
) inherits certs {
|
||
|
||
$client_cert_name = 'pulp-client'
|
||
$client_cert = "${::certs::pki_dir}/certs/${client_cert_name}.crt"
|
||
$client_key = "${::certs::pki_dir}/private/${client_cert_name}.key"
|
||
$ssl_ca_cert = $::certs::ca_cert
|
||
$client_cert = "${pki_dir}/certs/${client_cert_name}.crt"
|
||
$client_key = "${pki_dir}/private/${client_cert_name}.key"
|
||
$ssl_ca_cert = $ca_cert
|
||
|
||
cert { $client_cert_name:
|
||
hostname => $hostname,
|
||
... | ... | |
city => $::certs::city,
|
||
org => 'PULP',
|
||
org_unit => 'NODES',
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
if $deploy {
|
||
... | ... | |
key_pair => $client_cert_name,
|
||
key_file => $client_key,
|
||
manage_key => true,
|
||
key_group => $::certs::group,
|
||
key_group => $group,
|
||
key_owner => 'root',
|
||
key_mode => '0440',
|
||
cert_file => $client_cert,
|
manifests/puppet.pp | ||
# Class for handling Puppet cert configuration
|
||
class certs::puppet (
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
|
||
$client_cert = $::certs::params::puppet_client_cert,
|
||
$client_key = $::certs::params::puppet_client_key,
|
||
$ssl_ca_cert = $::certs::params::puppet_ssl_ca_cert
|
||
) inherits certs::params {
|
||
$client_cert = $::certs::puppet_client_cert,
|
||
$client_key = $::certs::puppet_client_key,
|
||
$ssl_ca_cert = $::certs::puppet_ssl_ca_cert,
|
||
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
$server_ca = $::certs::server_ca,
|
||
|
||
$pki_dir = $::certs::pki_dir,
|
||
) inherits certs {
|
||
|
||
$puppet_client_cert_name = "${hostname}-puppet-client"
|
||
|
||
... | ... | |
hostname => $hostname,
|
||
cname => $cname,
|
||
purpose => 'client',
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'FOREMAN',
|
||
org_unit => 'PUPPET',
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
if $deploy {
|
||
file { "${::certs::pki_dir}/puppet":
|
||
file { "${pki_dir}/puppet":
|
||
ensure => directory,
|
||
owner => 'puppet',
|
||
mode => '0700',
|
||
... | ... | |
cert_mode => '0400',
|
||
} ->
|
||
pubkey { $ssl_ca_cert:
|
||
key_pair => $::certs::server_ca,
|
||
key_pair => $server_ca,
|
||
} ->
|
||
file { $ssl_ca_cert:
|
||
ensure => file,
|
manifests/qpid.pp | ||
# Handles Qpid cert configuration
|
||
class certs::qpid (
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
) {
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$org_unit = $::certs::org_unit,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
$pki_dir = $::certs::pki_dir,
|
||
$nss_db_dir = $::certs::nss_db_dir,
|
||
$ca_cert = $::certs::ca_cert,
|
||
$qpidd_group = $::certs::qpidd_group,
|
||
) inherits certs {
|
||
|
||
Exec { logoutput => 'on_failure' }
|
||
|
||
... | ... | |
ensure => present,
|
||
hostname => $hostname,
|
||
cname => concat($cname, 'localhost'),
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'pulp',
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
org_unit => $org_unit,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
if $deploy {
|
||
include ::certs::ssltools::nssdb
|
||
$nss_db_password_file = $::certs::ssltools::nssdb::nss_db_password_file
|
||
|
||
$client_cert = "${::certs::pki_dir}/certs/${qpid_cert_name}.crt"
|
||
$client_key = "${::certs::pki_dir}/private/${qpid_cert_name}.key"
|
||
$pfx_path = "${::certs::pki_dir}/${qpid_cert_name}.pfx"
|
||
$client_cert = "${pki_dir}/certs/${qpid_cert_name}.crt"
|
||
$client_key = "${pki_dir}/private/${qpid_cert_name}.key"
|
||
$pfx_path = "${pki_dir}/${qpid_cert_name}.pfx"
|
||
|
||
certs::keypair { 'qpid':
|
||
key_pair => $qpid_cert_name,
|
||
key_file => $client_key,
|
||
manage_key => true,
|
||
key_owner => 'root',
|
||
key_group => $::certs::qpidd_group,
|
||
key_group => $qpidd_group,
|
||
key_mode => '0440',
|
||
cert_file => $client_cert,
|
||
} ~>
|
||
Class['::certs::ssltools::nssdb'] ~>
|
||
certs::ssltools::certutil { 'ca':
|
||
nss_db_dir => $::certs::nss_db_dir,
|
||
client_cert => $::certs::ca_cert,
|
||
nss_db_dir => $nss_db_dir,
|
||
client_cert => $ca_cert,
|
||
trustargs => 'TCu,Cu,Tuw',
|
||
refreshonly => true,
|
||
subscribe => Pubkey[$::certs::ca_cert],
|
||
} ~>
|
||
certs::ssltools::certutil { 'broker':
|
||
nss_db_dir => $::certs::nss_db_dir,
|
||
nss_db_dir => $nss_db_dir,
|
||
client_cert => $client_cert,
|
||
refreshonly => true,
|
||
subscribe => Pubkey[$client_cert],
|
||
... | ... | |
refreshonly => true,
|
||
} ~>
|
||
exec { 'add-private-key-to-nss-db':
|
||
command => "pk12util -i '${pfx_path}' -d '${::certs::nss_db_dir}' -w '${nss_db_password_file}' -k '${nss_db_password_file}'",
|
||
command => "pk12util -i '${pfx_path}' -d '${nss_db_dir}' -w '${nss_db_password_file}' -k '${nss_db_password_file}'",
|
||
path => '/usr/bin',
|
||
refreshonly => true,
|
||
}
|
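Review bot: in `certs::ssltools::certutil { 'ca': ... }` the `client_cert` was changed to `$ca_cert` but `subscribe => Pubkey[$::certs::ca_cert]` a few lines below still uses the fully qualified form, so the resource now reads the same value two ways; if a caller overrides the new `ca_cert` parameter, the certificate imported into the NSS db and the resource that triggers the import would refer to different files. Change it to `subscribe => Pubkey[$ca_cert],`. `Class['::certs::ssltools::nssdb']` and `$nss_db_password_file = $::certs::ssltools::nssdb::nss_db_password_file` refer to a class included immediately above them and can stay as they are.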
manifests/qpid_client.pp | ||
# Pulp Master Certs configuration
|
||
class certs::qpid_client (
|
||
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
$regenerate = $::certs::regenerate,
|
||
$deploy = $::certs::deploy,
|
||
|
||
$messaging_client_cert = $::certs::messaging_client_cert,
|
||
) {
|
||
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$org_unit = $::certs::org_unit,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
) inherits certs {
|
||
|
||
$qpid_client_cert_name = "${hostname}-qpid-client-cert"
|
||
|
||
... | ... | |
cname => $cname,
|
||
common_name => 'pulp-qpid-client-cert',
|
||
purpose => client,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'PULP',
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
org_unit => $org_unit,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
if $deploy {
|
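Review bot: `purpose => client,` in the qpid client cert resource is a bare word where every other cert in this commit quotes the value (`purpose => 'client'` in foreman.pp, puppet.pp and qpid_router.pp, `purpose => 'server'` in foreman_proxy.pp). The line is unchanged context, but since the surrounding resource body is being rewritten anyway, `purpose => 'client',` avoids relying on bareword-to-string coercion and keeps the manifests uniform. The cert resource's opening line is outside the hunk.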
manifests/qpid_router.pp | ||
# Constains certs specific configurations for qpid dispatch router
|
||
class certs::qpid_router(
|
||
class certs::qpid_router (
|
||
$hostname = $::certs::node_fqdn,
|
||
$cname = $::certs::cname,
|
||
$generate = $::certs::generate,
|
||
... | ... | |
$client_key = $::certs::qpid_router_client_key,
|
||
$owner = $::certs::qpid_router_owner,
|
||
$group = $::certs::qpid_router_group,
|
||
) inherits certs::params {
|
||
|
||
$country = $::certs::country,
|
||
$state = $::certs::state,
|
||
$city = $::certs::city,
|
||
$org_unit = $::certs::org_unit,
|
||
$expiration = $::certs::expiration,
|
||
$default_ca = $::certs::default_ca,
|
||
$ca_key_password_file = $::certs::ca_key_password_file,
|
||
) inherits certs {
|
||
|
||
$server_keypair = "${hostname}-qpid-router-server"
|
||
$client_keypair = "${hostname}-qpid-router-client"
|
||
... | ... | |
ensure => present,
|
||
hostname => $hostname,
|
||
cname => $cname,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'dispatch server',
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
org_unit => $org_unit,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
purpose => 'server',
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
cert { $client_keypair:
|
||
ensure => present,
|
||
hostname => $hostname,
|
||
cname => $cname,
|
||
country => $::certs::country,
|
||
state => $::certs::state,
|
||
city => $::certs::city,
|
||
country => $country,
|
||
state => $state,
|
||
city => $city,
|
||
org => 'dispatch client',
|
||
org_unit => $::certs::org_unit,
|
||
expiration => $::certs::expiration,
|
||
ca => $::certs::default_ca,
|
||
org_unit => $org_unit,
|
||
expiration => $expiration,
|
||
ca => $default_ca,
|
||
generate => $generate,
|
||
regenerate => $regenerate,
|
||
deploy => $deploy,
|
||
purpose => 'client',
|
||
password_file => $::certs::ca_key_password_file,
|
||
password_file => $ca_key_password_file,
|
||
}
|
||
|
||
if $deploy {
|
spec/classes/certs_apache_spec.rb | ||
require 'spec_helper'
|
||
|
||
describe 'certs::apache' do
|
||
let :facts do
|
||
on_supported_os['redhat-7-x86_64']
|
||
end
|
||
|
||
describe 'with default parameters' do
|
||
it { should compile.with_all_deps }
|
||
end
|
||
end
|
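Review bot: the new spec uses `it { should compile.with_all_deps }` while `certs_qpid_spec.rb` in this same commit uses `it { is_expected.to compile.with_all_deps }`; `should` is the legacy RSpec syntax that RSpec 3 only accepts with the deprecated monkey-patching mode enabled, so prefer the `is_expected.to` form already in use. The same applies to certs_candlepin_spec.rb, certs_foreman_proxy_content_spec.rb, certs_foreman_proxy_spec.rb, certs_pulp_client_spec.rb, certs_puppet_spec.rb and certs_qpid_router_spec.rb.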
spec/classes/certs_candlepin_spec.rb | ||
require 'spec_helper'
|
||
|
||
describe 'certs::candlepin' do
|
||
let :facts do
|
||
on_supported_os['redhat-7-x86_64']
|
||
end
|
||
|
||
let :pre_condition do
|
||
"service{'qpidd': }"
|
||
end
|
||
|
||
describe 'with default parameters' do
|
||
it { should compile.with_all_deps }
|
||
end
|
||
end
|
spec/classes/certs_foreman_proxy_content_spec.rb | ||
require 'spec_helper'
|
||
|
||
describe 'certs::foreman_proxy_content' do
|
||
let :facts do
|
||
on_supported_os['redhat-7-x86_64']
|
||
end
|
||
|
||
let :pre_condition do
|
||
"
|
||
package{ 'qpid-cpp-server': }
|
||
class { 'puppet':
|
||
server_foreman => false,
|
||
agent => false,
|
||
server => true,
|
||
}
|
||
"
|
||
end
|
||
|
||
let :params do
|
||
{
|
||
:certs_tar => '/tmp/tar'
|
||
}
|
||
end
|
||
|
||
describe 'with default parameters' do
|
||
it { should compile.with_all_deps }
|
||
end
|
||
end
|
spec/classes/certs_foreman_proxy_spec.rb | ||
require 'spec_helper'
|
||
|
||
describe 'certs::foreman_proxy' do
|
||
let :facts do
|
||
on_supported_os['redhat-7-x86_64']
|
||
end
|
||
|
||
describe 'with default parameters' do
|
||
it { should compile.with_all_deps }
|
||
end
|
||
end
|
spec/classes/certs_pulp_client_spec.rb | ||
require 'spec_helper'
|
||
|
||
describe 'certs::pulp_client' do
|
||
let :facts do
|
||
on_supported_os['redhat-7-x86_64']
|
||
end
|
||
|
||
describe 'with default parameters' do
|
||
it { should compile.with_all_deps }
|
||
end
|
||
end
|
spec/classes/certs_puppet_spec.rb | ||
require 'spec_helper'
|
||
|
||
describe 'certs::puppet' do
|
||
let :facts do
|
||
on_supported_os['redhat-7-x86_64']
|
||
end
|
||
|
||
let :pre_condition do
|
||
"
|
||
class { 'puppet':
|
||
server_foreman => false,
|
||
agent => false,
|
||
server => true,
|
||
}
|
||
"
|
||
end
|
||
|
||
describe 'with default parameters' do
|
||
it { should compile.with_all_deps }
|
||
end
|
||
end
|
spec/classes/certs_qpid_router_spec.rb | ||
require 'spec_helper'
|
||
|
||
describe 'certs::qpid_router' do
|
||
let :facts do
|
||
on_supported_os['redhat-7-x86_64']
|
||
end
|
||
|
||
describe 'with default parameters' do
|
||
it { should compile.with_all_deps }
|
||
end
|
||
end
|
spec/classes/certs_qpid_spec.rb | ||
end
|
||
|
||
describe "without parameters" do
|
||
let :pre_condition do
|
||
'include ::certs'
|
||
end
|
||
|
||
it { is_expected.to compile.with_all_deps }
|
||
|
||
it do
|
classes inherit from init