
Remove puppet-certmonger related puppet-files

Implements: blueprint ansible-certmonger
Depends-On: https://review.opendev.org/771832
Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/786053
Change-Id: I5305bce78e9bbf382b00e3f3b5803b983a059db7
changes/40/772340/6
Grzegorz Grasza 8 months ago
parent
commit
48832c961c
  1. 4
      Puppetfile_extras
  2. 10
      files/certmonger-dashboard-refresh.sh
  3. 25
      files/certmonger-etcd-refresh.sh
  4. 9
      files/certmonger-grafana-refresh.sh
  5. 54
      files/certmonger-haproxy-refresh.sh
  6. 20
      files/certmonger-memcached-refresh.sh
  7. 24
      files/certmonger-metrics-qdr-refresh.sh
  8. 21
      files/certmonger-neutron-dhcpd-refresh.sh
  9. 17
      files/certmonger-novnc-proxy-refresh.sh
  10. 17
      files/certmonger-rabbitmq-refresh.sh
  11. 14
      files/certmonger-redis-refresh.sh
  12. 9
      files/certmonger-rgw-refresh.sh
  13. 74
      files/cm_ipa_subca_wrapper.py
  14. 55
      manifests/certmonger/apache_dirs.pp
  15. 165
      manifests/certmonger/ca/crl.pp
  16. 65
      manifests/certmonger/ca/libvirt_vnc.pp
  17. 45
      manifests/certmonger/ca/local.pp
  18. 65
      manifests/certmonger/ca/qemu.pp
  19. 87
      manifests/certmonger/ceph_dashboard.pp
  20. 87
      manifests/certmonger/ceph_grafana.pp
  21. 123
      manifests/certmonger/ceph_rgw.pp
  22. 92
      manifests/certmonger/etcd.pp
  23. 159
      manifests/certmonger/haproxy.pp
  24. 55
      manifests/certmonger/haproxy_dirs.pp
  25. 86
      manifests/certmonger/httpd.pp
  26. 86
      manifests/certmonger/libvirt.pp
  27. 56
      manifests/certmonger/libvirt_dirs.pp
  28. 122
      manifests/certmonger/libvirt_vnc.pp
  29. 56
      manifests/certmonger/libvirt_vnc_dirs.pp
  30. 85
      manifests/certmonger/memcached.pp
  31. 89
      manifests/certmonger/metrics_qdr.pp
  32. 78
      manifests/certmonger/mysql.pp
  33. 84
      manifests/certmonger/neutron.pp
  34. 76
      manifests/certmonger/neutron_ovn.pp
  35. 97
      manifests/certmonger/novnc_proxy.pp
  36. 80
      manifests/certmonger/openvswitch.pp
  37. 76
      manifests/certmonger/ovn_controller.pp
  38. 75
      manifests/certmonger/ovn_dbs.pp
  39. 76
      manifests/certmonger/ovn_metadata.pp
  40. 76
      manifests/certmonger/ovn_octavia.pp
  41. 108
      manifests/certmonger/qemu.pp
  42. 41
      manifests/certmonger/qemu_dirs.pp
  43. 42
      manifests/certmonger/qemu_nbd_dirs.pp
  44. 84
      manifests/certmonger/rabbitmq.pp
  45. 91
      manifests/certmonger/redis.pp
  46. 322
      manifests/profile/base/certmonger_user.pp
  47. 6
      releasenotes/notes/remove_puppet_certmonger-843205d2ef88d6e4.yaml
  48. 116
      spec/classes/tripleo_certmonger_ca_crl_spec.rb
  49. 57
      spec/classes/tripleo_certmonger_ca_local_spec.rb
  50. 82
      spec/classes/tripleo_certmonger_etcd_spec.rb
  51. 60
      spec/classes/tripleo_certmonger_memcached_spec.rb
  52. 58
      spec/classes/tripleo_certmonger_mysql_spec.rb
  53. 68
      spec/classes/tripleo_certmonger_openvswitch_spec.rb
  54. 60
      spec/classes/tripleo_certmonger_ovn_dbs_spec.rb
  55. 60
      spec/classes/tripleo_certmonger_rabbitmq_spec.rb
  56. 65
      spec/defines/tripleo_certmonger_httpd_spec.rb

4
Puppetfile_extras

@ -33,10 +33,6 @@ mod 'fdio',
:git => 'https://git.fd.io/puppet-fdio',
:ref => 'master'
mod 'certmonger',
:git => 'https://github.com/saltedsignal/puppet-certmonger',
:ref => 'v2.6.0'
mod 'ptp',
:git => 'https://github.com/redhat-nfvpe/ptp',
:ref => 'master'

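--- a/files/certmonger-dashboard-refresh.sh
+++ b/files/certmonger-dashboard-refresh.sh
@@ -1,10 +0,0 @@
-#!/bin/bash
-# Get mgr systemd unit
-mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
-# Restart the mgr systemd unit
-if [ -n "$mgr_unit" ]; then
-systemctl restart "$mgr_unit"
-fi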

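--- a/files/certmonger-etcd-refresh.sh
+++ b/files/certmonger-etcd-refresh.sh
@@ -1,25 +0,0 @@
-#!/bin/bash
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-# cinder uses etcd, so its containers also need to be refreshed
-container_names=$($container_cli ps --format="{{.Names}}" | grep -E 'cinder|etcd')
-service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_certificate)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_key)"
-kolla_dir="/var/lib/kolla/config_files/src-tls"
-# For each container, check whether the cert and key files need to be updated.
-# The check is necessary because the original THT design directly bind mounted
-# the files to their final location, and did not copy them in via $kolla_dir.
-# Regardless of whether the container is directly using the files, or a copy,
-# there's no need to trigger a reload because the cert is not cached.
-for container_name in ${container_names[*]}; do
-$container_cli exec -u root "$container_name" bash -c "
-[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
-[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
-true
-"
-done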

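--- a/files/certmonger-grafana-refresh.sh
+++ b/files/certmonger-grafana-refresh.sh
@@ -1,9 +0,0 @@
-#!/bin/bash
-# Get grafana systemd unit
-grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
-# Restart the grafana systemd unit
-if [ -z "$grafana_unit" ]; then
-systemctl restart "$grafana_unit"
-fi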

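--- a/files/certmonger-haproxy-refresh.sh
+++ b/files/certmonger-haproxy-refresh.sh
@@ -1,54 +0,0 @@
-#!/bin/bash
-# This script is meant to reload HAProxy when certmonger triggers a certificate
-# renewal. It'll concatenate the needed certificates for the PEM file that
-# HAProxy reads.
-die() { echo "$*" 1>&2 ; exit 1; }
-[[ $# -eq 2 ]] || die "Invalid number of arguments"
-[[ $1 == @(reload|restart) ]] || die "First argument must be one of 'reload' or 'restart'."
-ACTION=$1
-NETWORK=$2
-certmonger_ca=$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.crt"
-service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir)/overcloud-haproxy-$NETWORK.key"
-ca_path=""
-if [ "$certmonger_ca" == "local" ]; then
-ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
-elif [ "$certmonger_ca" == "IPA" ]; then
-ca_path="/etc/ipa/ca.crt"
-fi
-if [ "$NETWORK" != "external" ]; then
-service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.pem"
-else
-service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
-fi
-cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
-haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
-if [ "$ACTION" == "reload" ]; then
-# Refresh the cert at the mount-point
-$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
-# Copy the new cert from the mount-point to the real path
-$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
-# Set appropriate permissions
-$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
-# Trigger a reload for HAProxy to read the new certificates
-$container_cli kill --signal HUP "$haproxy_container_name"
-elif [ "$ACTION" == "restart" ]; then
-# Copying the certificate and permissions will be handled by kolla's start
-# script.
-$container_cli restart "$haproxy_container_name"
-fi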

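--- a/files/certmonger-memcached-refresh.sh
+++ b/files/certmonger-memcached-refresh.sh
@@ -1,20 +0,0 @@
-#!/bin/bash
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-container_name=$($container_cli ps --format="{{.Names}}" | grep memcached)
-service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_certificate)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_key)"
-# Copy the new cert and key from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-# Set appropriate permissions
-$container_cli exec "$container_name" chown memcached:memcached "$service_certificate"
-$container_cli exec "$container_name" chown memcached:memcached "$service_key"
-# Send refresh_certs command to memcached
-memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen.0 127.0.0.1)"
-memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
-echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port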

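--- a/files/certmonger-metrics-qdr-refresh.sh
+++ b/files/certmonger-metrics-qdr-refresh.sh
@@ -1,24 +0,0 @@
-#!/bin/bash
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-container_name=$($container_cli ps --format="{{.Names}}" | grep metrics_qdr)
-service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_certificate)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_key)"
-# Copy the new cert from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
-# Copy the new key from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-# Set appropriate permissions
-$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_certificate"
-$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
-# Trigger a container restart to read the new certificates
-$container_cli restart $container_name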

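--- a/files/certmonger-neutron-dhcpd-refresh.sh
+++ b/files/certmonger-neutron-dhcpd-refresh.sh
@@ -1,21 +0,0 @@
-#!/bin/bash
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-container_name=$($container_cli ps --format="{{.Names}}" | grep neutron_dhcp)
-# The certificate is also installed on the computes, but neutron_dhcp is only
-# present on the controllers, so we exit if the container could not be found.
-[[ -z $container_name ]] && exit 0
-service_crt="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_cert_file)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_key_file)"
-# Copy the new cert from the mount-point to the real path
-$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
-# Copy the new key from the mount-point to the real path
-$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-# No need to trigger a reload for neutron dhcpd since the cert is not cached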

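--- a/files/certmonger-novnc-proxy-refresh.sh
+++ b/files/certmonger-novnc-proxy-refresh.sh
@@ -1,17 +0,0 @@
-#!/bin/bash
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-container_name=$($container_cli ps --format="{{.Names}}" | grep nova_vnc_proxy)
-service_crt="$(hiera -c /etc/puppet/hiera.yaml nova::cert)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml nova::key)"
-# Copy the new cert from the mount-point to the real path
-$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
-# Copy the new key from the mount-point to the real path
-$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-# No need to trigger a reload for novnc proxy since the cert is not cached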

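--- a/files/certmonger-rabbitmq-refresh.sh
+++ b/files/certmonger-rabbitmq-refresh.sh
@@ -1,17 +0,0 @@
-#!/bin/bash
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
-service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
-# Copy the new cert from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
-# Set appropriate permissions
-$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
-# Trigger a pem cache clear in RabbitMQ to read the new certificates
-$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."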

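--- a/files/certmonger-redis-refresh.sh
+++ b/files/certmonger-redis-refresh.sh
@@ -1,14 +0,0 @@
-#!/bin/bash
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-container_name=$($container_cli ps --format="{{.Names}}" | grep redis_tls_proxy)
-service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::redis::service_certificate)"
-# Copy the new cert from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
-# Trigger a reload for stunnel to read the new certificates
-pkill -o -HUP stunnel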

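--- a/files/certmonger-rgw-refresh.sh
+++ b/files/certmonger-rgw-refresh.sh
@@ -1,9 +0,0 @@
-#!/bin/bash
-# Get ceph rgw systemd unit
-rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
-# Restart the rgw systemd unit
-if [ -n "$rgw_unit" ]; then
-systemctl restart "$rgw_unit"
-fi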

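--- a/files/cm_ipa_subca_wrapper.py
+++ b/files/cm_ipa_subca_wrapper.py
@@ -1,74 +0,0 @@
-#!/usr/bin/python
-try:
-import ConfigParser as configparser
-except ImportError:
-import configparser
-import os
-import sys
-import subprocess
-CM_SUBMIT_STATUS_ISSUED = 0
-CM_SUBMIT_STATUS_UNCONFIGURED = 4
-def main():
-if len(sys.argv) < 3:
-return CM_SUBMIT_STATUS_UNCONFIGURED
-sub_ca = sys.argv[1]
-wrapped_command = sys.argv[2:]
-operation = os.environ.get('CERTMONGER_OPERATION')
-os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA'
-if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa':
-config = configparser.ConfigParser()
-try:
-with open('/etc/ipa/default.conf') as fp:
-config.readfp(fp)
-except:
-return CM_SUBMIT_STATUS_UNCONFIGURED
-host = config.get('global', 'host')
-realm = config.get('global', 'realm')
-if host is None or realm is None:
-return CM_SUBMIT_STATUS_UNCONFIGURED
-principal = 'host/{}@{}'.format(host, realm)
-os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper'
-try:
-subprocess.check_call([
-'/usr/bin/kinit', '-k', principal
-])
-except:
-return CM_SUBMIT_STATUS_UNCONFIGURED
-try:
-data = subprocess.check_output([
-'/usr/bin/ipa', 'ca-show', sub_ca
-])
-except:
-return CM_SUBMIT_STATUS_ISSUED
-config = {}
-for line in data.split('\n'):
-line = line.strip()
-try:
-key, value = line.split(': ')
-except:
-continue
-config[key] = value
-if config.get('Name').lower() != sub_ca.lower():
-return CM_SUBMIT_STATUS_ISSUED
-print(realm, sub_ca, 'CA')
-print('-----BEGIN CERTIFICATE-----')
-certificate = config['Certificate']
-for i in range((len(certificate)/64) + 1):
-print(certificate[i*64:(i+1)*64])
-print('-----END CERTIFICATE-----')
-sys.stdout.flush()
-else:
-os.environ['CERTMONGER_CA_ISSUER'] = sub_ca
-os.execl(wrapped_command[0], *wrapped_command)
-if __name__ == '__main__':
-main()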

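--- a/manifests/certmonger/apache_dirs.pp
+++ b/manifests/certmonger/apache_dirs.pp
@@ -1,55 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# : = Class: tripleo::certmonger::apache_dirs
-#
-# Creates the necessary directories for apache's certificates and keys in the
-# assigned locations if specified. It also assigns the correct SELinux tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where apache's certificates will be stored. If left
-# unspecified, it won't be created.
-# Defaults to undef
-#
-# [*key_dir*]
-# (Optional) Directory where apache's keys will be stored.
-# Defaults to undef
-#
-class tripleo::certmonger::apache_dirs(
-$certificate_dir = undef,
-$key_dir = undef,
-){
-if $certificate_dir {
-file { $certificate_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
-}
-if $key_dir {
-file { $key_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
-}
-}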

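--- a/manifests/certmonger/ca/crl.pp
+++ b/manifests/certmonger/ca/crl.pp
@@ -1,165 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == class: tripleo::certmonger::ca::crl
-#
-# Class that downloads the appropriate CRL file from the CA. This can
-# furtherly be used by services in order for proper certificate revocation to
-# come into effect. The class also sets up a cron job that will refresh the CRL
-# once a week. Also, processing of the CRL file might be needed. e.g. most CAs
-# use DER format to distribute the CRLs, while services such as HAProxy expect
-# the CRL to be in PEM format.
-#
-# === Parameters
-#
-# [*crl_dest*]
-# (Optional) The file where the CRL file will be stored.
-# Defaults to '/etc/pki/CA/crl/overcloud-crl.pem'
-#
-# [*crl_source*]
-# (Optional) The URI where the CRL file will be fetched from.
-# Defaults to undef
-#
-# [*process*]
-# (Optional) Whether the CRL needs processing before being used. This means
-# transforming from DER to PEM format or viceversa. This is because most CRLs
-# by default come in DER format, so most likely it needs to be transformed.
-# Defaults to true
-#
-# [*crl_preprocessed*]
-# (Optional) The pre-processed CRL file which will be transformed.
-# Defaults to '/etc/pki/CA/crl/overcloud-crl.bin'
-#
-# [*crl_preprocessed_format*]
-# (Optional) The pre-processed CRL file's format which will be transformed.
-# Defaults to 'DER'
-#
-# [*minute*]
-# (optional) Defaults to '0'.
-#
-# [*hour*]
-# (optional) Defaults to '*/2'.
-#
-# [*monthday*]
-# (optional) Defaults to '*'.
-#
-# [*month*]
-# (optional) Defaults to '*'.
-#
-# [*weekday*]
-# (optional) Defaults to '6'.
-#
-# [*maxdelay*]
-# (optional) Seconds. Defaults to 0. Should be a positive integer.
-# Induces a random delay before running the cronjob to avoid running all
-# cron jobs at the same time on all hosts this job is configured.
-#
-# [*reload_cmds*]
-# (Optional) list of commands to be executed after fetching the CRL list in
-# the cron job. This will usually be a list of reload commands issued to
-# services that use the CRL.
-# Defaults to []
-#
-class tripleo::certmonger::ca::crl (
-$crl_dest = '/etc/pki/CA/crl/overcloud-crl.pem',
-$crl_source = undef,
-$process = true,
-$crl_preprocessed = '/etc/pki/CA/crl/overcloud-crl.bin',
-$crl_preprocessed_format = 'DER',
-$minute = '0',
-$hour = '*/2',
-$monthday = '*',
-$month = '*',
-$weekday = '*',
-$maxdelay = 0,
-$reload_cmds = [],
-) {
-if $process {
-$fetched_crl = $crl_preprocessed
-} else {
-$fetched_crl = $crl_dest
-}
-$esc_fetched_crl = shell_escape($fetched_crl)
-$esc_crl_src = shell_escape($crl_source)
-if $crl_source {
-$ensure = 'present'
-# LP(1787878): We need to use an explicit command instead of the file
-# resource, because puppet won't use query parameters when handling
-# redirects.
-# If FreeIPA is being installed in a similar time as the overcloud, the tries
-# and time in between tries gives it a chance to generate the CRL.
-exec {'tripleo-ca-crl':
-command => "curl -Ls --connect-timeout 120 -o ${esc_fetched_crl} ${esc_crl_src}",
-path => '/usr/bin/',
-creates => $fetched_crl,
-tries => 5,
-try_sleep => 5,
-} ~> file {'tripleo-ca-crl-file':
-group => 'root',
-mode => '0644',
-owner => 'root',
-path => $fetched_crl,
-}
-} else {
-$ensure = 'absent'
-}
-if $maxdelay == 0 {
-$sleep = ''
-} else {
-$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
-}
-if $process and $ensure == 'present' {
-$crl_dest_format = $crl_preprocessed_format ? {
-'PEM' => 'DER',
-'DER' => 'PEM'
-}
-# transform CRL from DER to PEM or viceversa
-$process_cmd = "openssl crl -in ${crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
-exec { 'tripleo-ca-crl-process-command' :
-command => $process_cmd,
-path => '/usr/bin',
-refreshonly => true,
-subscribe => [
-Exec['tripleo-ca-crl'],
-File['tripleo-ca-crl-file']
-]
-}
-} else {
-$process_cmd = []
-}
-if $ensure == 'present' {
-# Fetch CRL in cron job and notify needed services
-$cmd_list = concat(["${sleep}curl -g -s -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
-$cron_cmd = join($cmd_list, ' && ')
-} else {
-$cron_cmd = absent
-}
-cron { 'tripleo-refresh-crl-file':
-ensure => $ensure,
-command => $cron_cmd,
-environment => 'PATH=/usr/bin:/bin SHELL=/bin/sh',
-user => 'root',
-minute => $minute,
-hour => $hour,
-monthday => $monthday,
-month => $month,
-weekday => $weekday,
-}
-}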

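--- a/manifests/certmonger/ca/libvirt_vnc.pp
+++ b/manifests/certmonger/ca/libvirt_vnc.pp
@@ -1,65 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ca::libvirt_vnc
-#
-# Sets the necessary file that will be used libvirt vnc servers and
-# clients.
-#
-# === Parameters:
-#
-# [*origin_ca_pem*]
-# (Optional) Path to the CA certificate that libvirt vnc will use. This is not
-# assumed automatically or uses the system CA bundle as is the case of other
-# services because a limitation with the file sizes in GNU TLS, which libvirt
-# uses as a TLS backend.
-# Defaults to undef
-#
-# [*certmonger_ca*]
-# (Optional) The CA name that certmonger will use to generate VNC certificates.
-# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
-# added to the certmonger CA list.
-# Defaults to hiera('certmonger_ca_vnc', 'local').
-#
-class tripleo::certmonger::ca::libvirt_vnc(
-$origin_ca_pem = undef,
-$certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
-){
-if $origin_ca_pem {
-$ensure_file = 'link'
-} else {
-$ensure_file = 'absent'
-}
-file { '/etc/pki/libvirt-vnc/ca-cert.pem':
-ensure => $ensure_file,
-mode => '0644',
-target => $origin_ca_pem,
-}
-if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
-$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
-$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
-file { $wrapper_path:
-source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
-mode => '0755',
-notify => Service['certmonger']
-}
--> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
-command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
-path => ['/usr/bin', '/bin'],
-unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
-notify => Service['certmonger']
-}
-}
-}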

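--- a/manifests/certmonger/ca/local.pp
+++ b/manifests/certmonger/ca/local.pp
@@ -1,45 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ca::local
-#
-# Does the necessary action to extract and trust certmonger's local CA.
-#
-# === Parameters:
-#
-# [*ca_pem*]
-# (optional) PEM file that will contain the local CA certificate.
-# Defaults to '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
-#
-class tripleo::certmonger::ca::local(
-$ca_pem = '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
-){
-$ca_pkcs12 = '/var/lib/certmonger/local/creds'
-$extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''"
-$trust_ca_cmd = 'update-ca-trust extract'
-file { "${ca_pem}":
-ensure => present,
-mode => '0644',
-owner => 'root',
-}
-exec { 'extract-and-trust-ca':
-command => "${extract_cmd} && ${trust_ca_cmd}",
-path => '/usr/bin',
-tries => 5,
-try_sleep => 1,
-notify => File[$ca_pem]
-}
-Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |>
-}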

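--- a/manifests/certmonger/ca/qemu.pp
+++ b/manifests/certmonger/ca/qemu.pp
@@ -1,65 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ca::qemu
-#
-# Sets the necessary file that will be used by qemu servers and
-# clients.
-#
-# === Parameters:
-#
-# [*origin_ca_pem*]
-# (Optional) Path to the CA certificate that qemu will use. This is not
-# assumed automatically or uses the system CA bundle as is the case of other
-# services because a limitation with the file sizes in GNU TLS, which qemu
-# uses as a TLS backend.
-# Defaults to undef
-#
-# [*certmonger_ca*]
-# (Optional) The CA name that certmonger will use to generate qemu certificates.
-# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
-# added to the certmonger CA list.
-# Defaults to hiera('certmonger_ca_qemu', 'local').
-#
-class tripleo::certmonger::ca::qemu(
-$origin_ca_pem = undef,
-$certmonger_ca = hiera('certmonger_ca_qemu', 'local'),
-){
-if $origin_ca_pem {
-$ensure_file = 'link'
-} else {
-$ensure_file = 'absent'
-}
-file { '/etc/pki/qemu/ca-cert.pem':
-ensure => $ensure_file,
-mode => '0644',
-target => $origin_ca_pem,
-}
-if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
-$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
-$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
-file { $wrapper_path:
-source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
-mode => '0755',
-notify => Service['certmonger']
-}
--> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
-command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
-path => ['/usr/bin', '/bin'],
-unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
-notify => Service['certmonger']
-}
-}
-}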

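--- a/manifests/certmonger/ceph_dashboard.pp
+++ b/manifests/certmonger/ceph_dashboard.pp
@@ -1,87 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ceph_dashboard
-#
-# Request a certificate for Ceph Dashboard and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ceph_dashboard (
-$hostname,
-$service_certificate,
-$service_key,
-$postsave_cmd = undef,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$principal = undef,
-$key_size = 2048,
-) {
-ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-dashboard-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-certmonger_certificate { 'ceph_dashboard' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-file { $service_certificate :
-require => Certmonger_certificate['ceph_dashboard'],
-owner => 472,
-group => 472,
-}
-file { $service_key :
-require => Certmonger_certificate['ceph_dashboard'],
-owner => 472,
-group => 472,
-}
-}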

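--- a/manifests/certmonger/ceph_grafana.pp
+++ b/manifests/certmonger/ceph_grafana.pp
@@ -1,87 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ceph_grafana
-#
-# Request a certificate for Ceph Grafana and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ceph_grafana (
-$hostname,
-$service_certificate,
-$service_key,
-$postsave_cmd = undef,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$principal = undef,
-$key_size = 2048,
-) {
-ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-grafana-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-certmonger_certificate { 'ceph_grafana' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-file { $service_certificate :
-require => Certmonger_certificate['ceph_grafana'],
-owner => 472,
-group => 472,
-}
-file { $service_key :
-require => Certmonger_certificate['ceph_grafana'],
-owner => 472,
-group => 472,
-}
-}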

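--- a/manifests/certmonger/ceph_rgw.pp
+++ b/manifests/certmonger/ceph_rgw.pp
@@ -1,123 +0,0 @@
-# Copyright 2020 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ceph_rgw
-#
-# Request a certificate for Ceph RGW and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_pem*]
-# The file in PEM format that the HAProxy service will use as a certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ceph_rgw (
-$hostname,
-$service_certificate,
-$service_key,
-$service_pem,
-$postsave_cmd = undef,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$principal = undef,
-$key_size = 2048,
-) {
-ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-rgw-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-certmonger_certificate { 'ceph_rgw' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-concat { $service_pem :
-ensure => present,
-mode => '0640',
-owner => 472,
-group => 472,
-tag => 'ceph-rgw-cert',
-}
-concat::fragment { "${title}-cert-fragment":
-target => $service_pem,
-source => $service_certificate,
-order => '01',
-tag => 'ceph_rgw-cert',
-require => Concat["${service_pem}"]
-}
-if $certmonger_ca == 'local' {
-$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
-concat::fragment { "${title}-ca-fragment":
-target => $service_pem,
-source => $ca_pem,
-order => '10',
-tag => 'ceph_rgw-cert',
-require => [ Class['tripleo::certmonger::ca::local'], Concat::Fragment["${title}-cert-fragment"] ]
-}
-} elsif $certmonger_ca == 'IPA' {
-concat::fragment { "${title}-ca-fragment":
-target => $service_pem,
-source => '/etc/ipa/ca.crt',
-order => '10',
-tag => 'ceph_rgw-cert',
-require => Concat::Fragment["${title}-cert-fragment"]
-}
-}
-concat::fragment { "${title}-key-fragment":
-target => $service_pem,
-source => $service_key,
-order => 20,
-tag => 'ceph_rgw-cert',
-require => Concat::Fragment["${title}-ca-fragment"],
-}
-}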

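--- a/manifests/certmonger/etcd.pp
+++ b/manifests/certmonger/etcd.pp
@@ -1,92 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::etcd
-#
-# Request a certificate for the etcd service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate.
-# Defaults to $hostname
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for etcd in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::etcd (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$dnsnames = $hostname,
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-ensure_resource('file', '/usr/bin/certmonger-etcd-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-etcd-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-certmonger_certificate { 'etcd' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $dnsnames,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-key_size => $key_size,
-ca => $certmonger_ca,
-wait => true,
-require => Class['::certmonger'],
-}
-file { $service_certificate :
-require => Certmonger_certificate['etcd'],
-}
-file { $service_key :
-require => Certmonger_certificate['etcd'],
-}
-File[$service_certificate] ~> Service<| title == 'etcd' |>
-File[$service_key] ~> Service<| title == 'etcd' |>
-}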

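--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@@ -1,159 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Resource: tripleo::certmonger::haproxy
-#
-# Request a certificate for the HAProxy service and does the necessary logic to
-# get it into a format that the service understands.
-#
-# === Parameters
-#
-# [*service_pem*]
-# The file in PEM format that the HAProxy service will use as a certificate.
-#
-# [*service_certificate*]
-# The certificate file that certmonger will be tracking.
-#
-# [*service_key*]
-# The key file that certmonger will use for the certificate.
-#
-# [*hostname*]
-# The hostname that certmonger will use as the common name for the
-# certificate.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate. If left unset, the value will be set to the $hostname.
-# Defaults to undef
-#
-# [*principal*]
-# The haproxy service principal that is set for HAProxy in kerberos.
-#
-# [*postsave_cmd*]
-# The post-save-command that certmonger will use once it renews the
-# certificate.
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-define tripleo::certmonger::haproxy (
-$service_pem,
-$service_certificate,
-$service_key,
-$hostname,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$dnsnames = undef,
-$principal = undef,
-$postsave_cmd = undef,
-$key_size = 2048,
-){
-include certmonger
-include haproxy::params
-if $certmonger_ca == 'local' {
-if defined(Class['::haproxy']) {
-Class['::tripleo::certmonger::ca::local'] ~> Class['::haproxy']
-}
-$principal_real = undef
-} else {
-$principal_real = $principal
-}
-# If we have HAProxy in the resource catalog, we can use the haproxy user
-# and group.
-if defined(Class['::haproxy']) {
-$cert_user = 'haproxy'
-$cert_group = 'haproxy'
-# If it's not in the resource catalog, it means that we're running in
-# containers. So we have to rely on the container to set the appropriate
-# permissions.
-} else {
-$cert_user = 'root'
-$cert_group = 'root'
-}
-if $dnsnames {
-$dnsnames_real = $dnsnames
-} else {
-$dnsnames_real = $hostname
-}
-ensure_resource('file', '/usr/bin/certmonger-haproxy-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-haproxy-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-certmonger_certificate { "${title}-cert":
-ensure => 'present',
-ca => $certmonger_ca,
-hostname => $hostname,
-dnsname => $dnsnames_real,
-certfile => $service_certificate,
-keyfile => $service_key,
-postsave_cmd => $postsave_cmd,
-principal => $principal_real,
-key_size => $key_size,
-eku => ['id-kp-clientAuth', 'id-kp-serverAuth'],
-wait => true,
-tag => 'haproxy-cert',
-require => Class['::certmonger'],
-}
-concat { $service_pem :
-ensure => present,
-mode => '0640',
-owner => $cert_user,
-group => $cert_group,
-tag => 'haproxy-cert',
-}
-Package<| name == $::haproxy::params::package_name |> -> Concat[$service_pem]
-concat::fragment { "${title}-cert-fragment":
-target => $service_pem,
-source => $service_certificate,
-order => '01',
-tag => 'haproxy-cert',
-require => Certmonger_certificate["${title}-cert"],
-}
-if $certmonger_ca == 'local' {
-$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
-concat::fragment { "${title}-ca-fragment":
-target => $service_pem,
-source => $ca_pem,
-order => '10',
-tag => 'haproxy-cert',
-require => Class['tripleo::certmonger::ca::local'],
-}
-} elsif $certmonger_ca == 'IPA' {
-concat::fragment { "${title}-ca-fragment":
-target => $service_pem,
-source => '/etc/ipa/ca.crt',
-order => '10',
-tag => 'haproxy-cert',
-}
-}
-concat::fragment { "${title}-key-fragment":
-target => $service_pem,
-source => $service_key,
-order => 20,
-tag => 'haproxy-cert',
-require => Certmonger_certificate["${title}-cert"],
-}
-}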

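--- a/manifests/certmonger/haproxy_dirs.pp
+++ b/manifests/certmonger/haproxy_dirs.pp
@@ -1,55 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# : = Class: tripleo::certmonger::haproxy_dirs
-#
-# Creates the necessary directories for haproxy's certificates and keys in the
-# assigned locations if specified. It also assigns the correct SELinux tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where haproxy's certificates will be stored. If left
-# unspecified, it won't be created.
-# Defaults to undef
-#
-# [*key_dir*]
-# (Optional) Directory where haproxy's keys will be stored.
-# Defaults to undef
-#
-class tripleo::certmonger::haproxy_dirs(
-$certificate_dir = undef,
-$key_dir = undef,
-){
-if $certificate_dir {
-file { $certificate_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
-}
-if $key_dir {
-file { $key_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
-}
-}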

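--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -1,86 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Resource: tripleo::certmonger::httpd
-#
-# Request a certificate for the httpd service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate. If left unset, the value will be set to the $hostname.
-# Defaults to undef
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl restart ${service name}"
-# Defaults to undef.
-#
-# [*principal*]
-# The haproxy service principal that is set for HAProxy in kerberos.
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-define tripleo::certmonger::httpd (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$dnsnames = undef,
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-include apache::params
-if $dnsnames {
-$dnsnames_real = $dnsnames
-} else {
-$dnsnames_real = $hostname
-}
-certmonger_certificate { $name :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $dnsnames_real,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-tag => 'apache-cert',
-require => Class['::certmonger'],
-}
-Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |>
-}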

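--- a/manifests/certmonger/libvirt.pp
+++ b/manifests/certmonger/libvirt.pp
@@ -1,86 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Resource: tripleo::certmonger::libvirt
-#
-# Request a certificate for libvirt and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl reload ${service name}"
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-define tripleo::certmonger::libvirt (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-include nova::params
-$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::nova::params::libvirt_service_name}")
-certmonger_certificate { $name :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd_real,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-tag => 'libvirt-cert',
-require => Class['::certmonger'],
-}
-# Just register the files in puppet's resource catalog. Certmonger should
-# give the right permissions.
-file { $service_certificate :
-require => Certmonger_certificate[$name],
-}
-file { $service_key :
-require => Certmonger_certificate[$name],
-}
-File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |>
-File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |>
-}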

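--- a/manifests/certmonger/libvirt_dirs.pp
+++ b/manifests/certmonger/libvirt_dirs.pp
@@ -1,56 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::libvirt_dirs
-#
-# Creates the necessary directories for libvirt's certificates and keys in the
-# assigned locations if specified. It also assigns the correct SELinux tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where libvirt's certificates will be stored. If left
-# unspecified, it won't be created.
-# Defaults to undef
-#
-# [*key_dir*]
-# (Optional) Directory where libvirt's keys will be stored.
-# Defaults to undef
-#
-class tripleo::certmonger::libvirt_dirs(
-$certificate_dir = undef,
-$key_dir = undef,
-){
-if $certificate_dir {
-file { $certificate_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
-}
-if $key_dir {
-file { $key_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
-}
-}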

122
manifests/certmonger/libvirt_vnc.pp

@ -1,122 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Resource: tripleo::certmonger::libvirt_vnc
#
# Request a certificate for libvirt-vnc and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca_vnc', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl reload ${service name}"
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*cacertfile*]
# (Optional) Specifies that path to write the CA cerftificate to.
# Defaults to undef
#
# [*notify_service*]
# (Optional) Service to reload when certificate is created/renewed
# Defaults to $::nova::params::libvirt_service_name
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::libvirt_vnc (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
$postsave_cmd = undef,
$principal = undef,
$cacertfile = undef,
$notify_service = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
$notify_service_real = pick($notify_service, $::nova::params::libvirt_service_name)
$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${notify_service_real}")
certmonger_certificate { $name :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
key_size => $key_size,
cacertfile => $cacertfile,
wait => true,
tag => 'libvirt-cert',
require => Class['::certmonger'],
}