Merge "Add manifests to install and configure stunnel"

2017-08-30 15:31:42 +00:00 · 2017-08-30 15:31:42 +00:00 · 044d9a0362
parent 531130ceed f85199c778
commit 044d9a0362
6 changed files with 171 additions and 0 deletions
--- a/files/stunnel.service
+++ b/files/stunnel.service
@ -0,0 +1,19 @@
+[Unit]
+Description=SSL tunnel for network daemons
+After=network.target
+After=syslog.target
+
+[Install]
+WantedBy=multi-user.target
+Alias=stunnel.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
+ExecStop=/usr/bin/killall -9 stunnel
+
+# Give up if ping don't get an answer
+TimeoutSec=600
+
+Restart=always
+PrivateTmp=false
--- a/manifests/stunnel.pp
+++ b/manifests/stunnel.pp
@ -0,0 +1,60 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::stunnel
+#
+# Installs and starts stunnel
+#
+# [*manage_service*]
+#   (Optional) Whether we'll be managing the stunnel service or not.
+#   Defaults to true
+#
+# [*service_ensure*]
+#   (Optional) Ensure the service be running or stopped
+#   Defaults to 'running'
+#
+# [*foreground*]
+#   (Optional) Sets the configuration for stunnel to run the process in
+#   the foreground. This is useful when trying to run stunnel in a
+#   container.
+#   Defaults to 'no'
+#
+class tripleo::stunnel (
+  $manage_service = true,
+  $service_ensure = 'running',
+  $foreground     = 'no',
+){
+  package { 'stunnel':
+    ensure => 'present'
+  }
+
+  concat { '/etc/stunnel/stunnel.conf':
+    ensure => present,
+  }
+  concat::fragment { 'stunnel-foreground':
+    target  => '/etc/stunnel/stunnel.conf',
+    order   => '10-foreground-config',
+    content => template('tripleo/stunnel/foreground.erb'),
+  }
+  if $manage_service {
+    Concat['/etc/stunnel/stunnel.conf'] ~> Service['stunnel']
+
+    include ::tripleo::stunnel::systemd_unit
+
+    service { 'stunnel':
+      ensure => $service_ensure
+    }
+  }
+}
--- a/manifests/stunnel/service_proxy.pp
+++ b/manifests/stunnel/service_proxy.pp
@ -0,0 +1,61 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::stunnel::service_proxy
+#
+# Configures a TLS proxy for a service.
+#
+# === Parameters
+#
+# [*accept_host*]
+#   Host or IP where the tunnel will be accepting connections.
+#
+# [*accept_port*]
+#   Port where the tunnel will be accepting connections.
+#
+# [*connect_port*]
+#   Port where the tunnel will be proxying to.
+#
+# [*certificate*]
+#   Cert that the TLS proxy will be using for the TLS connection.
+#
+# [*key*]
+#   Key that the TLS proxy will be using for the TLS connection.
+#
+# [*client*]
+#   Whether this proxy is meant for client connections.
+#   Defaults to 'no'
+#
+# [*connect_host*]
+#   Host where the tunnel will be proxying to.
+#   Defaults to 'localhost'
+#
+define tripleo::stunnel::service_proxy (
+  $accept_host,
+  $accept_port,
+  $connect_port,
+  $certificate,
+  $key,
+  $client = 'no',
+  $connect_host = 'localhost',
+) {
+  concat::fragment { "stunnel-service-${name}":
+    target  => '/etc/stunnel/stunnel.conf',
+    order   => "20-${name}",
+    content => template('tripleo/stunnel/service.erb'),
+  }
+
+  Concat::Fragment["stunnel-service-${name}"] ~> Service<| title == 'stunnel' |>
+}
--- a/manifests/stunnel/systemd_unit.pp
+++ b/manifests/stunnel/systemd_unit.pp
@ -0,0 +1,24 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::stunnel::systemd_unit
+#
+# Configures the systemd unit for stunnel
+#
+class tripleo::stunnel::systemd_unit {
+  systemd::unit_file {'stunnel.service':
+    source => 'puppet:///modules/tripleo/stunnel.service'
+  }
+}
--- a/templates/stunnel/foreground.erb
+++ b/templates/stunnel/foreground.erb
@ -0,0 +1 @@
+foreground = <%= @foreground %>
--- a/templates/stunnel/service.erb
+++ b/templates/stunnel/service.erb
@ -0,0 +1,6 @@
+[<%= @name %>]
+client = <%= @client %>
+accept=<%= @accept_host %>:<%= @accept_port %>
+connect=<%= @connect_host %>:<%= @connect_port %>
+cert=<%= @certificate %>
+key=<%= @key %>