Remove puppet-certmonger related puppet-files
Implements: blueprint ansible-certmonger Depends-On: https://review.opendev.org/771832 Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/786053 Change-Id: I5305bce78e9bbf382b00e3f3b5803b983a059db7
This commit is contained in:
parent
e3ebbb1143
commit
48832c961c
@ -33,10 +33,6 @@ mod 'fdio',
|
||||
:git => 'https://git.fd.io/puppet-fdio',
|
||||
:ref => 'master'
|
||||
|
||||
mod 'certmonger',
|
||||
:git => 'https://github.com/saltedsignal/puppet-certmonger',
|
||||
:ref => 'v2.6.0'
|
||||
|
||||
mod 'ptp',
|
||||
:git => 'https://github.com/redhat-nfvpe/ptp',
|
||||
:ref => 'master'
|
||||
|
@ -1,10 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Get mgr systemd unit
|
||||
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
|
||||
|
||||
# Restart the mgr systemd unit
|
||||
if [ -n "$mgr_unit" ]; then
|
||||
systemctl restart "$mgr_unit"
|
||||
fi
|
||||
|
@ -1,25 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||
|
||||
# cinder uses etcd, so its containers also need to be refreshed
|
||||
container_names=$($container_cli ps --format="{{.Names}}" | grep -E 'cinder|etcd')
|
||||
|
||||
service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_certificate)"
|
||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_key)"
|
||||
|
||||
kolla_dir="/var/lib/kolla/config_files/src-tls"
|
||||
|
||||
# For each container, check whether the cert and key files need to be updated.
|
||||
# The check is necessary because the original THT design directly bind mounted
|
||||
# the files to their final location, and did not copy them in via $kolla_dir.
|
||||
# Regardless of whether the container is directly using the files, or a copy,
|
||||
# there's no need to trigger a reload because the cert is not cached.
|
||||
|
||||
for container_name in ${container_names[*]}; do
|
||||
$container_cli exec -u root "$container_name" bash -c "
|
||||
[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
|
||||
[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
|
||||
true
|
||||
"
|
||||
done
|
@ -1,9 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Get grafana systemd unit
|
||||
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
||||
|
||||
# Restart the grafana systemd unit
|
||||
if [ -z "$grafana_unit" ]; then
|
||||
systemctl restart "$grafana_unit"
|
||||
fi
|
@ -1,54 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# This script is meant to reload HAProxy when certmonger triggers a certificate
|
||||
# renewal. It'll concatenate the needed certificates for the PEM file that
|
||||
# HAProxy reads.
|
||||
|
||||
die() { echo "$*" 1>&2 ; exit 1; }
|
||||
|
||||
[[ $# -eq 2 ]] || die "Invalid number of arguments"
|
||||
[[ $1 == @(reload|restart) ]] || die "First argument must be one of 'reload' or 'restart'."
|
||||
|
||||
|
||||
ACTION=$1
|
||||
NETWORK=$2
|
||||
|
||||
certmonger_ca=$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)
|
||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.crt"
|
||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir)/overcloud-haproxy-$NETWORK.key"
|
||||
ca_path=""
|
||||
|
||||
if [ "$certmonger_ca" == "local" ]; then
|
||||
ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
|
||||
elif [ "$certmonger_ca" == "IPA" ]; then
|
||||
ca_path="/etc/ipa/ca.crt"
|
||||
fi
|
||||
|
||||
if [ "$NETWORK" != "external" ]; then
|
||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.pem"
|
||||
else
|
||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
|
||||
fi
|
||||
|
||||
cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
|
||||
|
||||
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
||||
|
||||
if [ "$ACTION" == "reload" ]; then
|
||||
# Refresh the cert at the mount-point
|
||||
$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
||||
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
|
||||
# Set appropriate permissions
|
||||
$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
|
||||
|
||||
# Trigger a reload for HAProxy to read the new certificates
|
||||
$container_cli kill --signal HUP "$haproxy_container_name"
|
||||
elif [ "$ACTION" == "restart" ]; then
|
||||
# Copying the certificate and permissions will be handled by kolla's start
|
||||
# script.
|
||||
$container_cli restart "$haproxy_container_name"
|
||||
fi
|
@ -1,20 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||
container_name=$($container_cli ps --format="{{.Names}}" | grep memcached)
|
||||
|
||||
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_certificate)"
|
||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_key)"
|
||||
|
||||
# Copy the new cert and key from the mount-point to the real path
|
||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
|
||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
|
||||
# Set appropriate permissions
|
||||
$container_cli exec "$container_name" chown memcached:memcached "$service_certificate"
|
||||
$container_cli exec "$container_name" chown memcached:memcached "$service_key"
|
||||
|
||||
# Send refresh_certs command to memcached
|
||||
memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen.0 127.0.0.1)"
|
||||
memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
|
||||
echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port
|
@ -1,24 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
|
||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||
|
||||
container_name=$($container_cli ps --format="{{.Names}}" | grep metrics_qdr)
|
||||
|
||||
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_certificate)"
|
||||
|
||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_key)"
|
||||
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
|
||||
|
||||
# Copy the new key from the mount-point to the real path
|
||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
|
||||
# Set appropriate permissions
|
||||
$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_certificate"
|
||||
|
||||
$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
||||
|
||||
# Trigger a container restart to read the new certificates
|
||||
$container_cli restart $container_name
|
@ -1,21 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
|
||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||
|
||||
container_name=$($container_cli ps --format="{{.Names}}" | grep neutron_dhcp)
|
||||
|
||||
# The certificate is also installed on the computes, but neutron_dhcp is only
|
||||
# present on the controllers, so we exit if the container could not be found.
|
||||
[[ -z $container_name ]] && exit 0
|
||||
|
||||
service_crt="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_cert_file)"
|
||||
service_key="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_key_file)"
|
||||
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
|
||||
# Copy the new key from the mount-point to the real path
|
||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
|
||||
# No need to trigger a reload for neutron dhcpd since the cert is not cached
|
@ -1,17 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
|
||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||
|
||||
container_name=$($container_cli ps --format="{{.Names}}" | grep nova_vnc_proxy)
|
||||
|
||||
service_crt="$(hiera -c /etc/puppet/hiera.yaml nova::cert)"
|
||||
service_key="$(hiera -c /etc/puppet/hiera.yaml nova::key)"
|
||||
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
|
||||
# Copy the new key from the mount-point to the real path
|
||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
|
||||
# No need to trigger a reload for novnc proxy since the cert is not cached
|
@ -1,17 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
|
||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||
|
||||
container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
|
||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
|
||||
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
|
||||
# Set appropriate permissions
|
||||
$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
|
||||
|
||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
||||
$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."
|
@ -1,14 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
|
||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||
|
||||
container_name=$($container_cli ps --format="{{.Names}}" | grep redis_tls_proxy)
|
||||
|
||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::redis::service_certificate)"
|
||||
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
|
||||
# Trigger a reload for stunnel to read the new certificates
|
||||
pkill -o -HUP stunnel
|
@ -1,9 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Get ceph rgw systemd unit
|
||||
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
|
||||
|
||||
# Restart the rgw systemd unit
|
||||
if [ -n "$rgw_unit" ]; then
|
||||
systemctl restart "$rgw_unit"
|
||||
fi
|
@ -1,74 +0,0 @@
|
||||
#!/usr/bin/python
|
||||
try:
|
||||
import ConfigParser as configparser
|
||||
except ImportError:
|
||||
import configparser
|
||||
import os
|
||||
import sys
|
||||
import subprocess
|
||||
|
||||
CM_SUBMIT_STATUS_ISSUED = 0
|
||||
CM_SUBMIT_STATUS_UNCONFIGURED = 4
|
||||
|
||||
def main():
|
||||
if len(sys.argv) < 3:
|
||||
return CM_SUBMIT_STATUS_UNCONFIGURED
|
||||
sub_ca = sys.argv[1]
|
||||
wrapped_command = sys.argv[2:]
|
||||
|
||||
operation = os.environ.get('CERTMONGER_OPERATION')
|
||||
os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA'
|
||||
|
||||
if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa':
|
||||
config = configparser.ConfigParser()
|
||||
try:
|
||||
with open('/etc/ipa/default.conf') as fp:
|
||||
config.readfp(fp)
|
||||
except:
|
||||
return CM_SUBMIT_STATUS_UNCONFIGURED
|
||||
host = config.get('global', 'host')
|
||||
realm = config.get('global', 'realm')
|
||||
if host is None or realm is None:
|
||||
return CM_SUBMIT_STATUS_UNCONFIGURED
|
||||
principal = 'host/{}@{}'.format(host, realm)
|
||||
os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper'
|
||||
try:
|
||||
subprocess.check_call([
|
||||
'/usr/bin/kinit', '-k', principal
|
||||
])
|
||||
except:
|
||||
return CM_SUBMIT_STATUS_UNCONFIGURED
|
||||
|
||||
try:
|
||||
data = subprocess.check_output([
|
||||
'/usr/bin/ipa', 'ca-show', sub_ca
|
||||
])
|
||||
except:
|
||||
return CM_SUBMIT_STATUS_ISSUED
|
||||
|
||||
config = {}
|
||||
for line in data.split('\n'):
|
||||
line = line.strip()
|
||||
try:
|
||||
key, value = line.split(': ')
|
||||
except:
|
||||
continue
|
||||
config[key] = value
|
||||
|
||||
if config.get('Name').lower() != sub_ca.lower():
|
||||
return CM_SUBMIT_STATUS_ISSUED
|
||||
|
||||
print(realm, sub_ca, 'CA')
|
||||
print('-----BEGIN CERTIFICATE-----')
|
||||
certificate = config['Certificate']
|
||||
for i in range((len(certificate)/64) + 1):
|
||||
print(certificate[i*64:(i+1)*64])
|
||||
print('-----END CERTIFICATE-----')
|
||||
sys.stdout.flush()
|
||||
else:
|
||||
os.environ['CERTMONGER_CA_ISSUER'] = sub_ca
|
||||
|
||||
os.execl(wrapped_command[0], *wrapped_command)
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
@ -1,55 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# : = Class: tripleo::certmonger::apache_dirs
|
||||
#
|
||||
# Creates the necessary directories for apache's certificates and keys in the
|
||||
# assigned locations if specified. It also assigns the correct SELinux tags.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*certificate_dir*]
|
||||
# (Optional) Directory where apache's certificates will be stored. If left
|
||||
# unspecified, it won't be created.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_dir*]
|
||||
# (Optional) Directory where apache's keys will be stored.
|
||||
# Defaults to undef
|
||||
#
|
||||
class tripleo::certmonger::apache_dirs(
|
||||
$certificate_dir = undef,
|
||||
$key_dir = undef,
|
||||
){
|
||||
|
||||
if $certificate_dir {
|
||||
file { $certificate_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
|
||||
}
|
||||
|
||||
if $key_dir {
|
||||
file { $key_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
|
||||
}
|
||||
}
|
@ -1,165 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == class: tripleo::certmonger::ca::crl
|
||||
#
|
||||
# Class that downloads the appropriate CRL file from the CA. This can
|
||||
# furtherly be used by services in order for proper certificate revocation to
|
||||
# come into effect. The class also sets up a cron job that will refresh the CRL
|
||||
# once a week. Also, processing of the CRL file might be needed. e.g. most CAs
|
||||
# use DER format to distribute the CRLs, while services such as HAProxy expect
|
||||
# the CRL to be in PEM format.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*crl_dest*]
|
||||
# (Optional) The file where the CRL file will be stored.
|
||||
# Defaults to '/etc/pki/CA/crl/overcloud-crl.pem'
|
||||
#
|
||||
# [*crl_source*]
|
||||
# (Optional) The URI where the CRL file will be fetched from.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*process*]
|
||||
# (Optional) Whether the CRL needs processing before being used. This means
|
||||
# transforming from DER to PEM format or viceversa. This is because most CRLs
|
||||
# by default come in DER format, so most likely it needs to be transformed.
|
||||
# Defaults to true
|
||||
#
|
||||
# [*crl_preprocessed*]
|
||||
# (Optional) The pre-processed CRL file which will be transformed.
|
||||
# Defaults to '/etc/pki/CA/crl/overcloud-crl.bin'
|
||||
#
|
||||
# [*crl_preprocessed_format*]
|
||||
# (Optional) The pre-processed CRL file's format which will be transformed.
|
||||
# Defaults to 'DER'
|
||||
#
|
||||
# [*minute*]
|
||||
# (optional) Defaults to '0'.
|
||||
#
|
||||
# [*hour*]
|
||||
# (optional) Defaults to '*/2'.
|
||||
#
|
||||
# [*monthday*]
|
||||
# (optional) Defaults to '*'.
|
||||
#
|
||||
# [*month*]
|
||||
# (optional) Defaults to '*'.
|
||||
#
|
||||
# [*weekday*]
|
||||
# (optional) Defaults to '6'.
|
||||
#
|
||||
# [*maxdelay*]
|
||||
# (optional) Seconds. Defaults to 0. Should be a positive integer.
|
||||
# Induces a random delay before running the cronjob to avoid running all
|
||||
# cron jobs at the same time on all hosts this job is configured.
|
||||
#
|
||||
# [*reload_cmds*]
|
||||
# (Optional) list of commands to be executed after fetching the CRL list in
|
||||
# the cron job. This will usually be a list of reload commands issued to
|
||||
# services that use the CRL.
|
||||
# Defaults to []
|
||||
#
|
||||
class tripleo::certmonger::ca::crl (
|
||||
$crl_dest = '/etc/pki/CA/crl/overcloud-crl.pem',
|
||||
$crl_source = undef,
|
||||
$process = true,
|
||||
$crl_preprocessed = '/etc/pki/CA/crl/overcloud-crl.bin',
|
||||
$crl_preprocessed_format = 'DER',
|
||||
$minute = '0',
|
||||
$hour = '*/2',
|
||||
$monthday = '*',
|
||||
$month = '*',
|
||||
$weekday = '*',
|
||||
$maxdelay = 0,
|
||||
$reload_cmds = [],
|
||||
) {
|
||||
if $process {
|
||||
$fetched_crl = $crl_preprocessed
|
||||
} else {
|
||||
$fetched_crl = $crl_dest
|
||||
}
|
||||
|
||||
$esc_fetched_crl = shell_escape($fetched_crl)
|
||||
$esc_crl_src = shell_escape($crl_source)
|
||||
|
||||
if $crl_source {
|
||||
$ensure = 'present'
|
||||
# LP(1787878): We need to use an explicit command instead of the file
|
||||
# resource, because puppet won't use query parameters when handling
|
||||
# redirects.
|
||||
# If FreeIPA is being installed in a similar time as the overcloud, the tries
|
||||
# and time in between tries gives it a chance to generate the CRL.
|
||||
exec {'tripleo-ca-crl':
|
||||
command => "curl -Ls --connect-timeout 120 -o ${esc_fetched_crl} ${esc_crl_src}",
|
||||
path => '/usr/bin/',
|
||||
creates => $fetched_crl,
|
||||
tries => 5,
|
||||
try_sleep => 5,
|
||||
} ~> file {'tripleo-ca-crl-file':
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
owner => 'root',
|
||||
path => $fetched_crl,
|
||||
}
|
||||
} else {
|
||||
$ensure = 'absent'
|
||||
}
|
||||
|
||||
if $maxdelay == 0 {
|
||||
$sleep = ''
|
||||
} else {
|
||||
$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
|
||||
}
|
||||
|
||||
if $process and $ensure == 'present' {
|
||||
$crl_dest_format = $crl_preprocessed_format ? {
|
||||
'PEM' => 'DER',
|
||||
'DER' => 'PEM'
|
||||
}
|
||||
# transform CRL from DER to PEM or viceversa
|
||||
$process_cmd = "openssl crl -in ${crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
|
||||
exec { 'tripleo-ca-crl-process-command' :
|
||||
command => $process_cmd,
|
||||
path => '/usr/bin',
|
||||
refreshonly => true,
|
||||
subscribe => [
|
||||
Exec['tripleo-ca-crl'],
|
||||
File['tripleo-ca-crl-file']
|
||||
]
|
||||
}
|
||||
} else {
|
||||
$process_cmd = []
|
||||
}
|
||||
|
||||
if $ensure == 'present' {
|
||||
# Fetch CRL in cron job and notify needed services
|
||||
$cmd_list = concat(["${sleep}curl -g -s -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
|
||||
$cron_cmd = join($cmd_list, ' && ')
|
||||
} else {
|
||||
$cron_cmd = absent
|
||||
}
|
||||
|
||||
cron { 'tripleo-refresh-crl-file':
|
||||
ensure => $ensure,
|
||||
command => $cron_cmd,
|
||||
environment => 'PATH=/usr/bin:/bin SHELL=/bin/sh',
|
||||
user => 'root',
|
||||
minute => $minute,
|
||||
hour => $hour,
|
||||
monthday => $monthday,
|
||||
month => $month,
|
||||
weekday => $weekday,
|
||||
}
|
||||
}
|
@ -1,65 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ca::libvirt_vnc
|
||||
#
|
||||
# Sets the necessary file that will be used libvirt vnc servers and
|
||||
# clients.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*origin_ca_pem*]
|
||||
# (Optional) Path to the CA certificate that libvirt vnc will use. This is not
|
||||
# assumed automatically or uses the system CA bundle as is the case of other
|
||||
# services because a limitation with the file sizes in GNU TLS, which libvirt
|
||||
# uses as a TLS backend.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA name that certmonger will use to generate VNC certificates.
|
||||
# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
|
||||
# added to the certmonger CA list.
|
||||
# Defaults to hiera('certmonger_ca_vnc', 'local').
|
||||
#
|
||||
class tripleo::certmonger::ca::libvirt_vnc(
|
||||
$origin_ca_pem = undef,
|
||||
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
|
||||
){
|
||||
if $origin_ca_pem {
|
||||
$ensure_file = 'link'
|
||||
} else {
|
||||
$ensure_file = 'absent'
|
||||
}
|
||||
file { '/etc/pki/libvirt-vnc/ca-cert.pem':
|
||||
ensure => $ensure_file,
|
||||
mode => '0644',
|
||||
target => $origin_ca_pem,
|
||||
}
|
||||
|
||||
if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
|
||||
$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
|
||||
$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
|
||||
file { $wrapper_path:
|
||||
source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
|
||||
mode => '0755',
|
||||
notify => Service['certmonger']
|
||||
}
|
||||
-> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
|
||||
command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
|
||||
path => ['/usr/bin', '/bin'],
|
||||
unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
|
||||
notify => Service['certmonger']
|
||||
}
|
||||
}
|
||||
}
|
@ -1,45 +0,0 @@
|
||||
# Copyright 2016 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ca::local
|
||||
#
|
||||
# Does the necessary action to extract and trust certmonger's local CA.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*ca_pem*]
|
||||
# (optional) PEM file that will contain the local CA certificate.
|
||||
# Defaults to '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
||||
#
|
||||
class tripleo::certmonger::ca::local(
|
||||
$ca_pem = '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
|
||||
){
|
||||
$ca_pkcs12 = '/var/lib/certmonger/local/creds'
|
||||
$extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''"
|
||||
$trust_ca_cmd = 'update-ca-trust extract'
|
||||
|
||||
file { "${ca_pem}":
|
||||
ensure => present,
|
||||
mode => '0644',
|
||||
owner => 'root',
|
||||
}
|
||||
exec { 'extract-and-trust-ca':
|
||||
command => "${extract_cmd} && ${trust_ca_cmd}",
|
||||
path => '/usr/bin',
|
||||
tries => 5,
|
||||
try_sleep => 1,
|
||||
notify => File[$ca_pem]
|
||||
}
|
||||
Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |>
|
||||
}
|
@ -1,65 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ca::qemu
|
||||
#
|
||||
# Sets the necessary file that will be used by qemu servers and
|
||||
# clients.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*origin_ca_pem*]
|
||||
# (Optional) Path to the CA certificate that qemu will use. This is not
|
||||
# assumed automatically or uses the system CA bundle as is the case of other
|
||||
# services because a limitation with the file sizes in GNU TLS, which qemu
|
||||
# uses as a TLS backend.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA name that certmonger will use to generate qemu certificates.
|
||||
# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
|
||||
# added to the certmonger CA list.
|
||||
# Defaults to hiera('certmonger_ca_qemu', 'local').
|
||||
#
|
||||
class tripleo::certmonger::ca::qemu(
|
||||
$origin_ca_pem = undef,
|
||||
$certmonger_ca = hiera('certmonger_ca_qemu', 'local'),
|
||||
){
|
||||
if $origin_ca_pem {
|
||||
$ensure_file = 'link'
|
||||
} else {
|
||||
$ensure_file = 'absent'
|
||||
}
|
||||
file { '/etc/pki/qemu/ca-cert.pem':
|
||||
ensure => $ensure_file,
|
||||
mode => '0644',
|
||||
target => $origin_ca_pem,
|
||||
}
|
||||
|
||||
if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
|
||||
$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
|
||||
$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
|
||||
file { $wrapper_path:
|
||||
source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
|
||||
mode => '0755',
|
||||
notify => Service['certmonger']
|
||||
}
|
||||
-> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
|
||||
command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
|
||||
path => ['/usr/bin', '/bin'],
|
||||
unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
|
||||
notify => Service['certmonger']
|
||||
}
|
||||
}
|
||||
}
|
@ -1,87 +0,0 @@
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ceph_dashboard
|
||||
#
|
||||
# Request a certificate for Ceph Dashboard and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::ceph_dashboard (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$postsave_cmd = undef,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-dashboard-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'ceph_dashboard' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['ceph_dashboard'],
|
||||
owner => 472,
|
||||
group => 472,
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['ceph_dashboard'],
|
||||
owner => 472,
|
||||
group => 472,
|
||||
}
|
||||
}
|
@ -1,87 +0,0 @@
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ceph_grafana
|
||||
#
|
||||
# Request a certificate for Ceph Grafana and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::ceph_grafana (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$postsave_cmd = undef,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-grafana-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'ceph_grafana' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['ceph_grafana'],
|
||||
owner => 472,
|
||||
group => 472,
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['ceph_grafana'],
|
||||
owner => 472,
|
||||
group => 472,
|
||||
}
|
||||
}
|
@ -1,123 +0,0 @@
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ceph_rgw
|
||||
#
|
||||
# Request a certificate for Ceph RGW and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_pem*]
|
||||
# The file in PEM format that the HAProxy service will use as a certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::ceph_rgw (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$service_pem,
|
||||
$postsave_cmd = undef,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-rgw-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'ceph_rgw' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
concat { $service_pem :
|
||||
ensure => present,
|
||||
mode => '0640',
|
||||
owner => 472,
|
||||
group => 472,
|
||||
tag => 'ceph-rgw-cert',
|
||||
}
|
||||
|
||||
concat::fragment { "${title}-cert-fragment":
|
||||
target => $service_pem,
|
||||
source => $service_certificate,
|
||||
order => '01',
|
||||
tag => 'ceph_rgw-cert',
|
||||
require => Concat["${service_pem}"]
|
||||
}
|
||||
|
||||
if $certmonger_ca == 'local' {
|
||||
$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
|
||||
concat::fragment { "${title}-ca-fragment":
|
||||
target => $service_pem,
|
||||
source => $ca_pem,
|
||||
order => '10',
|
||||
tag => 'ceph_rgw-cert',
|
||||
require => [ Class['tripleo::certmonger::ca::local'], Concat::Fragment["${title}-cert-fragment"] ]
|
||||
}
|
||||
} elsif $certmonger_ca == 'IPA' {
|
||||
concat::fragment { "${title}-ca-fragment":
|
||||
target => $service_pem,
|
||||
source => '/etc/ipa/ca.crt',
|
||||
order => '10',
|
||||
tag => 'ceph_rgw-cert',
|
||||
require => Concat::Fragment["${title}-cert-fragment"]
|
||||
}
|
||||
}
|
||||
|
||||
concat::fragment { "${title}-key-fragment":
|
||||
target => $service_pem,
|
||||
source => $service_key,
|
||||
order => 20,
|
||||
tag => 'ceph_rgw-cert',
|
||||
require => Concat::Fragment["${title}-ca-fragment"],
|
||||
}
|
||||
}
|
@ -1,92 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::etcd
|
||||
#
|
||||
# Request a certificate for the etcd service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*dnsnames*]
|
||||
# (Optional) The DNS names that will be added for the SubjectAltNames entry
|
||||
# in the certificate.
|
||||
# Defaults to $hostname
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for etcd in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::etcd (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$dnsnames = $hostname,
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-etcd-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-etcd-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'etcd' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $dnsnames,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
key_size => $key_size,
|
||||
ca => $certmonger_ca,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['etcd'],
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['etcd'],
|
||||
}
|
||||
|
||||
File[$service_certificate] ~> Service<| title == 'etcd' |>
|
||||
File[$service_key] ~> Service<| title == 'etcd' |>
|
||||
}
|
@ -1,159 +0,0 @@
|
||||
# Copyright 2016 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Resource: tripleo::certmonger::haproxy
|
||||
#
|
||||
# Request a certificate for the HAProxy service and does the necessary logic to
|
||||
# get it into a format that the service understands.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*service_pem*]
|
||||
# The file in PEM format that the HAProxy service will use as a certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The certificate file that certmonger will be tracking.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The key file that certmonger will use for the certificate.
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname that certmonger will use as the common name for the
|
||||
# certificate.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*dnsnames*]
|
||||
# (Optional) The DNS names that will be added for the SubjectAltNames entry
|
||||
# in the certificate. If left unset, the value will be set to the $hostname.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*principal*]
|
||||
# The haproxy service principal that is set for HAProxy in kerberos.
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# The post-save-command that certmonger will use once it renews the
|
||||
# certificate.
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
define tripleo::certmonger::haproxy (
|
||||
$service_pem,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$hostname,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$dnsnames = undef,
|
||||
$principal = undef,
|
||||
$postsave_cmd = undef,
|
||||
$key_size = 2048,
|
||||
){
|
||||
include certmonger
|
||||
include haproxy::params
|
||||
if $certmonger_ca == 'local' {
|
||||
if defined(Class['::haproxy']) {
|
||||
Class['::tripleo::certmonger::ca::local'] ~> Class['::haproxy']
|
||||
}
|
||||
$principal_real = undef
|
||||
} else {
|
||||
$principal_real = $principal
|
||||
}
|
||||
|
||||
# If we have HAProxy in the resource catalog, we can use the haproxy user
|
||||
# and group.
|
||||
if defined(Class['::haproxy']) {
|
||||
$cert_user = 'haproxy'
|
||||
$cert_group = 'haproxy'
|
||||
# If it's not in the resource catalog, it means that we're running in
|
||||
# containers. So we have to rely on the container to set the appropriate
|
||||
# permissions.
|
||||
} else {
|
||||
$cert_user = 'root'
|
||||
$cert_group = 'root'
|
||||
}
|
||||
|
||||
if $dnsnames {
|
||||
$dnsnames_real = $dnsnames
|
||||
} else {
|
||||
$dnsnames_real = $hostname
|
||||
}
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-haproxy-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-haproxy-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
certmonger_certificate { "${title}-cert":
|
||||
ensure => 'present',
|
||||
ca => $certmonger_ca,
|
||||
hostname => $hostname,
|
||||
dnsname => $dnsnames_real,
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
principal => $principal_real,
|
||||
key_size => $key_size,
|
||||
eku => ['id-kp-clientAuth', 'id-kp-serverAuth'],
|
||||
wait => true,
|
||||
tag => 'haproxy-cert',
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
concat { $service_pem :
|
||||
ensure => present,
|
||||
mode => '0640',
|
||||
owner => $cert_user,
|
||||
group => $cert_group,
|
||||
tag => 'haproxy-cert',
|
||||
}
|
||||
Package<| name == $::haproxy::params::package_name |> -> Concat[$service_pem]
|
||||
|
||||
concat::fragment { "${title}-cert-fragment":
|
||||
target => $service_pem,
|
||||
source => $service_certificate,
|
||||
order => '01',
|
||||
tag => 'haproxy-cert',
|
||||
require => Certmonger_certificate["${title}-cert"],
|
||||
}
|
||||
|
||||
if $certmonger_ca == 'local' {
|
||||
$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
|
||||
concat::fragment { "${title}-ca-fragment":
|
||||
target => $service_pem,
|
||||
source => $ca_pem,
|
||||
order => '10',
|
||||
tag => 'haproxy-cert',
|
||||
require => Class['tripleo::certmonger::ca::local'],
|
||||
}
|
||||
} elsif $certmonger_ca == 'IPA' {
|
||||
concat::fragment { "${title}-ca-fragment":
|
||||
target => $service_pem,
|
||||
source => '/etc/ipa/ca.crt',
|
||||
order => '10',
|
||||
tag => 'haproxy-cert',
|
||||
}
|
||||
}
|
||||
|
||||
concat::fragment { "${title}-key-fragment":
|
||||
target => $service_pem,
|
||||
source => $service_key,
|
||||
order => 20,
|
||||
tag => 'haproxy-cert',
|
||||
require => Certmonger_certificate["${title}-cert"],
|
||||
}
|
||||
}
|
@ -1,55 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# : = Class: tripleo::certmonger::haproxy_dirs
|
||||
#
|
||||
# Creates the necessary directories for haproxy's certificates and keys in the
|
||||
# assigned locations if specified. It also assigns the correct SELinux tags.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*certificate_dir*]
|
||||
# (Optional) Directory where haproxy's certificates will be stored. If left
|
||||
# unspecified, it won't be created.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_dir*]
|
||||
# (Optional) Directory where haproxy's keys will be stored.
|
||||
# Defaults to undef
|
||||
#
|
||||
class tripleo::certmonger::haproxy_dirs(
|
||||
$certificate_dir = undef,
|
||||
$key_dir = undef,
|
||||
){
|
||||
|
||||
if $certificate_dir {
|
||||
file { $certificate_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
|
||||
}
|
||||
|
||||
if $key_dir {
|
||||
file { $key_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
|
||||
}
|
||||
}
|
@ -1,86 +0,0 @@
|
||||
# Copyright 2016 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Resource: tripleo::certmonger::httpd
|
||||
#
|
||||
# Request a certificate for the httpd service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*dnsnames*]
|
||||
# (Optional) The DNS names that will be added for the SubjectAltNames entry
|
||||
# in the certificate. If left unset, the value will be set to the $hostname.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# The haproxy service principal that is set for HAProxy in kerberos.
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
define tripleo::certmonger::httpd (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$dnsnames = undef,
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
include apache::params
|
||||
|
||||
if $dnsnames {
|
||||
$dnsnames_real = $dnsnames
|
||||
} else {
|
||||
$dnsnames_real = $hostname
|
||||
}
|
||||
|
||||
certmonger_certificate { $name :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $dnsnames_real,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
tag => 'apache-cert',
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |>
|
||||
}
|
@ -1,86 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Resource: tripleo::certmonger::libvirt
|
||||
#
|
||||
# Request a certificate for libvirt and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# If nothing is given, it will default to: "systemctl reload ${service name}"
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
define tripleo::certmonger::libvirt (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
include nova::params
|
||||
|
||||
$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::nova::params::libvirt_service_name}")
|
||||
certmonger_certificate { $name :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd_real,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
tag => 'libvirt-cert',
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
# Just register the files in puppet's resource catalog. Certmonger should
|
||||
# give the right permissions.
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate[$name],
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate[$name],
|
||||
}
|
||||
|
||||
File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |>
|
||||
File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |>
|
||||
}
|
@ -1,56 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::libvirt_dirs
|
||||
#
|
||||
# Creates the necessary directories for libvirt's certificates and keys in the
|
||||
# assigned locations if specified. It also assigns the correct SELinux tags.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*certificate_dir*]
|
||||
# (Optional) Directory where libvirt's certificates will be stored. If left
|
||||
# unspecified, it won't be created.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_dir*]
|
||||
# (Optional) Directory where libvirt's keys will be stored.
|
||||
# Defaults to undef
|
||||
#
|
||||
class tripleo::certmonger::libvirt_dirs(
|
||||
$certificate_dir = undef,
|
||||
$key_dir = undef,
|
||||
){
|
||||
|
||||
if $certificate_dir {
|
||||
file { $certificate_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
|
||||
}
|
||||
|
||||
if $key_dir {
|
||||
file { $key_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
|
||||
}
|
||||
|
||||
}
|
@ -1,122 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Resource: tripleo::certmonger::libvirt_vnc
|
||||
#
|
||||
# Request a certificate for libvirt-vnc and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca_vnc', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# If nothing is given, it will default to: "systemctl reload ${service name}"
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*cacertfile*]
|
||||
# (Optional) Specifies that path to write the CA cerftificate to.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*notify_service*]
|
||||
# (Optional) Service to reload when certificate is created/renewed
|
||||
# Defaults to $::nova::params::libvirt_service_name
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
define tripleo::certmonger::libvirt_vnc (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$cacertfile = undef,
|
||||
$notify_service = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
include nova::params
|
||||
|
||||
$notify_service_real = pick($notify_service, $::nova::params::libvirt_service_name)
|
||||
|
||||
$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${notify_service_real}")
|
||||
|
||||
certmonger_certificate { $name :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd_real,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
cacertfile => $cacertfile,
|
||||
wait => true,
|
||||
tag => 'libvirt-cert',
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
if $cacertfile {
|
||||
# Sometimes certmonger returns before creating the cacert file. This has
|
||||
# been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281
|
||||
# Until this is fixed, add this workaround.
|
||||
exec { $cacertfile :
|
||||
require => Certmonger_certificate[$name],
|
||||
command => "test -f ${cacertfile}",
|
||||
unless => "test -f ${cacertfile}",
|
||||
tries => 60,
|
||||
try_sleep => 1,
|
||||
timeout => 60,
|
||||
path => '/usr/bin:/bin',
|
||||
}
|
||||
|
||||
file { $cacertfile :
|
||||
require => Exec[$cacertfile],
|
||||
mode => '0644'
|
||||
}
|
||||
~> Service<| title == $notify_service_real |>
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate[$name],
|
||||
mode => '0644'
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate[$name],
|
||||
group => 'qemu',
|
||||
mode => '0640'
|
||||
}
|
||||
|
||||
File[$service_certificate] ~> Service<| title == $notify_service_real |>
|
||||
File[$service_key] ~> Service<| title == $notify_service_real |>
|
||||
}
|
@ -1,56 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::libvirt_vnc_dirs
|
||||
#
|
||||
# Creates the necessary directories for libvirt vnc certificates and keys in the
|
||||
# assigned locations if specified. It also assigns the correct SELinux tags.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*certificate_dir*]
|
||||
# (Optional) Directory where libvirt-vnc's certificates will be stored. If left
|
||||
# unspecified, it won't be created.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_dir*]
|
||||
# (Optional) Directory where libvirt-vnc's keys will be stored.
|
||||
# Defaults to undef
|
||||
#
|
||||
class tripleo::certmonger::libvirt_vnc_dirs(
|
||||
$certificate_dir = undef,
|
||||
$key_dir = undef,
|
||||
){
|
||||
|
||||
if $certificate_dir {
|
||||
file { $certificate_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |>
|
||||
}
|
||||
|
||||
if $key_dir {
|
||||
file { $key_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |>
|
||||
}
|
||||
|
||||
}
|
@ -1,85 +0,0 @@
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::memcached
|
||||
#
|
||||
# Request a certificate for Memcached and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::memcached (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = '/usr/bin/certmonger-memcached-refresh.sh',
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-memcached-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-memcached-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'memcached' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['memcached'],
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['memcached'],
|
||||
}
|
||||
}
|
@ -1,89 +0,0 @@
|
||||
# Copyright 2016 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::metrics_qdr
|
||||
#
|
||||
# Request a certificate for the MetricsQdr service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for metrics_qdr in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::metrics_qdr (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
include qdr::params
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-metrics-qdr-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-metrics-qdr-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'metrics_qdr' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['metrics_qdr'],
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['metrics_qdr'],
|
||||
}
|
||||
|
||||
File[$service_certificate] ~> Service<| title == $::qdr::params::service_name |>
|
||||
File[$service_key] ~> Service<| title == $::qdr::params::service_name |>
|
||||
}
|
@ -1,78 +0,0 @@
|
||||
# Copyright 2016 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::mysql
|
||||
#
|
||||
# Request a certificate for the MySQL/Mariadb service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*dnsnames*]
|
||||
# (Optional) The DNS names that will be added for the SubjectAltNames entry
|
||||
# in the certificate. If left unset, the value will be set to the $hostname.
|
||||
# This parameter can take both a string or an array of strings.
|
||||
# Defaults to $hostname
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::mysql (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$dnsnames = $hostname,
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
certmonger_certificate { 'mysql' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $dnsnames,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
}
|
@ -1,84 +0,0 @@
|
||||
# Copyright 2018 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::neutron
|
||||
#
|
||||
# Request a certificate for the Neutron service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for neutron in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::neutron (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-neutron-dhcpd-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-neutron-dhcpd-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'neutron' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['neutron']
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['neutron']
|
||||
}
|
||||
|
||||
Certmonger_certificate['neutron'] ~> Service<| tag == 'neutron-service' |>
|
||||
}
|
@ -1,76 +0,0 @@
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::neutron_ovn
|
||||
#
|
||||
# Request a certificate for the ovn_controller service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for neutron in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::neutron_ovn (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
certmonger_certificate { 'neutron_ovn' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['neutron_ovn']
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['neutron_ovn']
|
||||
}
|
||||
|
||||
}
|
@ -1,97 +0,0 @@
|
||||
# Copyright 2018 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::novnc_proxy
|
||||
#
|
||||
# Request a certificate for novnc_proxy and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*notify_service*]
|
||||
# (Optional) Service to reload when certificate is created/renewed
|
||||
# Defaults to $::nova::params::libvirt_service_name
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::novnc_proxy (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$notify_service = undef,
|
||||
$postsave_cmd = undef,
|
||||
$key_size = 2048,
|
||||
$principal = undef,
|
||||
) {
|
||||
include certmonger
|
||||
include nova::params
|
||||
|
||||
$notify_service_real = pick($notify_service, $::nova::params::vncproxy_service_name)
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-novnc-proxy-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-novnc-proxy-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'novnc-proxy' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
tag => 'novnc-proxy',
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['novnc-proxy'],
|
||||
mode => '0644'
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['novnc-proxy'],
|
||||
mode => '0640'
|
||||
}
|
||||
|
||||
File[$service_certificate] ~> Service<| title == $notify_service_real |>
|
||||
File[$service_key] ~> Service<| title == $notify_service_real |>
|
||||
}
|
@ -1,80 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::openvswitch
|
||||
#
|
||||
# Request a certificate for the openvswitch service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to "systemctl reload openvswitch"
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for openvswitch in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::openvswitch (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = 'systemctl reload openvswitch',
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
certmonger_certificate { 'openvswitch' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
file { $service_certificate :
|
||||
owner => 'openvswitch',
|
||||
group => 'hugetlbfs',
|
||||
require => Certmonger_certificate['openvswitch'],
|
||||
}
|
||||
file { $service_key :
|
||||
owner => 'openvswitch',
|
||||
group => 'hugetlbfs',
|
||||
require => Certmonger_certificate['openvswitch'],
|
||||
}
|
||||
}
|
@ -1,76 +0,0 @@
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ovn_controller
|
||||
#
|
||||
# Request a certificate for the ovn_controller service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for neutron in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::ovn_controller (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
certmonger_certificate { 'ovn_controller' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['ovn_controller']
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['ovn_controller']
|
||||
}
|
||||
|
||||
}
|
@ -1,75 +0,0 @@
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ovn_sbdb
|
||||
#
|
||||
# Request a certificate for the ovn_sbdb service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for neutron in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::ovn_dbs (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
certmonger_certificate { 'ovn_dbs' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['ovn_dbs']
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['ovn_dbs']
|
||||
}
|
||||
}
|
@ -1,76 +0,0 @@
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ovn_metadata
|
||||
#
|
||||
# Request a certificate for the ovn_controller service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for neutron in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::ovn_metadata (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
certmonger_certificate { 'ovn_metadata' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['ovn_metadata']
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['ovn_metadata']
|
||||
}
|
||||
|
||||
}
|
@ -1,76 +0,0 @@
|
||||
# Copyright 2020 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::ovn_octavia
|
||||
#
|
||||
# Request a certificate for the ovn_controller service and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The haproxy service principal that is set for neutron in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::ovn_octavia (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
certmonger_certificate { 'ovn_octavia' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['ovn_octavia']
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['ovn_octavia']
|
||||
}
|
||||
|
||||
}
|
@ -1,108 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Resource: tripleo::certmonger::qemu
|
||||
#
|
||||
# Request a certificate for quemu and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*cacertfile*]
|
||||
# (Optional) Specifies that path to write the CA cerftificate to.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
define tripleo::certmonger::qemu (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca_qemu', 'local'),
|
||||
$cacertfile = undef,
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
include nova::params
|
||||
|
||||
certmonger_certificate { $name :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
cacertfile => $cacertfile,
|
||||
wait => true,
|
||||
tag => 'qemu-cert',
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
if $cacertfile {
|
||||
# Sometimes certmonger returns before creating the cacert file. This has
|
||||
# been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281
|
||||
# Until this is fixed, add this workaround.
|
||||
exec { $cacertfile :
|
||||
require => Certmonger_certificate[$name],
|
||||
command => "test -f ${cacertfile}",
|
||||
unless => "test -f ${cacertfile}",
|
||||
tries => 60,
|
||||
try_sleep => 1,
|
||||
timeout => 60,
|
||||
path => '/usr/bin:/bin',
|
||||
}
|
||||
|
||||
file { $cacertfile :
|
||||
require => Exec[$cacertfile],
|
||||
mode => '0644'
|
||||
}
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate[$name],
|
||||
mode => '0644'
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate[$name],
|
||||
group => 'qemu',
|
||||
mode => '0640'
|
||||
}
|
||||
}
|
@ -1,41 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::qemu_dirs
|
||||
#
|
||||
# Creates the necessary directories for qemu certificates and keys in the
|
||||
# assigned locations if specified. It also assigns the correct SELinux tags.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*certificate_dir*]
|
||||
# (Optional) Directory where qemu server certificates will be stored. If left
|
||||
# unspecified, it won't be created.
|
||||
# Defaults to undef
|
||||
#
|
||||
class tripleo::certmonger::qemu_dirs(
|
||||
$certificate_dir = undef,
|
||||
){
|
||||
|
||||
if $certificate_dir {
|
||||
file { $certificate_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-server-cert' |>
|
||||
}
|
||||
|
||||
}
|
@ -1,42 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::qemu_nbd_dirs
|
||||
#
|
||||
# Creates the necessary directories for qemu nbd client certificates and keys
|
||||
# in the assigned locations if specified. It also assigns the correct SELinux
|
||||
# tags.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*certificate_dir*]
|
||||
# (Optional) Directory where qemu-nbd's client certificates will be stored.
|
||||
# If left unspecified, it won't be created.
|
||||
# Defaults to undef
|
||||
#
|
||||
class tripleo::certmonger::qemu_nbd_dirs(
|
||||
$certificate_dir = undef,
|
||||
){
|
||||
|
||||
if $certificate_dir {
|
||||
file { $certificate_dir :
|
||||
ensure => 'directory',
|
||||
selrole => 'object_r',
|
||||
seltype => 'cert_t',
|
||||
seluser => 'system_u',
|
||||
}
|
||||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-cert' |>
|
||||
}
|
||||
|
||||
}
|
@ -1,84 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::rabbitmq
|
||||
#
|
||||
# Request a certificate for RabbitMQ and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::rabbitmq (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-rabbitmq-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-rabbitmq-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'rabbitmq' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['rabbitmq'],
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['rabbitmq'],
|
||||
}
|
||||
}
|
@ -1,91 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::redis
|
||||
#
|
||||
# Request a certificate for Redis and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*dnsnames*]
|
||||
# (Optional) The DNS names that will be added for the SubjectAltNames entry
|
||||
# in the certificate. If left unset, the value will be set to the $hostname.
|
||||
# This parameter can take both a string or an array of strings.
|
||||
# Defaults to $hostname
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*key_size*]
|
||||
# (Optional) Specifies the private key size used when creating the certificate.
|
||||
# Defaults to 2048bits.
|
||||
#
|
||||
class tripleo::certmonger::redis (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$dnsnames = $hostname,
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
$key_size = 2048,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
ensure_resource('file', '/usr/bin/certmonger-redis-refresh.sh', {
|
||||
source => 'puppet:///modules/tripleo/certmonger-redis-refresh.sh',
|
||||
mode => '0700',
|
||||
seltype => 'bin_t',
|
||||
notify => Service['certmonger']
|
||||
})
|
||||
|
||||
certmonger_certificate { 'redis' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $dnsnames,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
key_size => $key_size,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['redis'],
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['redis'],
|
||||
}
|
||||
}
|
@ -1,322 +0,0 @@
|
||||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# == class: tripleo::profile::base::certmonger_user
|
||||
#
|
||||
# Profile that ensures that the relevant certmonger certificates have been
|
||||
# requested. The certificates come from the hiera set by the specific profiles
|
||||
# and come in a pre-defined format.
|
||||
# For a service that has several certificates (one per network name):
|
||||
# apache_certificates_specs:
|
||||
# httpd-internal_api:
|
||||
# hostname: <overcloud controller fqdn>
|
||||
# service_certificate: <service certificate path>
|
||||
# service_key: <service key path>
|
||||
# principal: "HTTP/<overcloud controller fqdn>"
|
||||
# For a service that uses a single certificate:
|
||||
# mysql_certificates_specs:
|
||||
# hostname: <overcloud controller fqdn>
|
||||
# service_certificate: <service certificate path>
|
||||
# service_key: <service key path>
|
||||
# principal: "mysql/<overcloud controller fqdn>"
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
# Defaults to hiera('step')
|
||||
#
|
||||
# [*apache_certificates_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('apache_certificate_specs', {}).
|
||||
#
|
||||
# [*haproxy_certificates_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
|
||||
#
|
||||
# [*libvirt_certificates_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('libvirt_certificates_specs', {}).
|
||||
#
|
||||
# [*libvirt_postsave_cmd*]
|
||||
# (Optional) If set, it overrides the default way to restart libvirt when the
|
||||
# certificate is renewed.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*libvirt_vnc_certificates_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('libvirt_vnc_certificates_specs', {}).
|
||||
#
|
||||
# [*libvirt_vnc_postsave_cmd*]
|
||||
# (Optional) If set, it overrides the default way to restart services when the
|
||||
# certificate is renewed.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*qemu_certificates_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('qemu_certificates_specs', {}).
|
||||
#
|
||||
# [*qemu_postsave_cmd*]
|
||||
# (Optional) If set, it overrides the default way to restart services when the
|
||||
# certificate is renewed.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*qdr_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger fot the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}).
|
||||
#
|
||||
# [*mysql_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
|
||||
#
|
||||
# [*memcached_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('tripleo::profile::base::memcached::certificate_specs', {}).
|
||||
#
|
||||
# [*rabbitmq_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
|
||||
#
|
||||
# [*redis_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('redis_certificate_specs', {}).
|
||||
#
|
||||
# [*ceph_grafana_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('ceph_grafana_certificate_specs', {}).
|
||||
#
|
||||
# [*ceph_dashboard_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('ceph_dashboard_certificate_specs', {}).
|
||||
#
|
||||
# [*ceph_rgw_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('ceph_rgw_certificate_specs', {}).
|
||||
#
|
||||
# [*etcd_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
|
||||
#
|
||||
# [*neutron_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('tripleo::profile::base::neutron::certificate_specs', {}).
|
||||
#
|
||||
# [*novnc_proxy_certificates_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('novnc_proxy_certificates_specs',{})
|
||||
#
|
||||
# [*novnc_proxy_postsave_cmd*]
|
||||
# (Optional) If set, it overrides the default way to restart novnc proxy when the
|
||||
# certificate is renewed.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*ovn_dbs_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('ovn_dbs_certificate_specs', {})
|
||||
#
|
||||
# [*ovn_controller_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('ovn_controller_certificate_specs', {})
|
||||
#
|
||||
# [*ovn_metadata_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('ovn_metadata_certificate_specs', {})
|
||||
#
|
||||
# [*neutron_ovn_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('neutron_ovn_certificate_specs', {})
|
||||
#
|
||||
# [*ovn_octavia_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('ovn_octavia_certificate_specs', {})
|
||||
#
|
||||
# === Deprecated
|
||||
#
|
||||
# [*haproxy_postsave_cmd*]
|
||||
# (Optional) If set, it overrides the default way to restart haproxy when the
|
||||
# certificate is renewed.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*apache_postsave_cmd*]
|
||||
# (Optional) If set, it overrides the default way to restart apache when the
|
||||
# certificate is renewed.
|
||||
# Defaults to undef
|
||||
#
|
||||
class tripleo::profile::base::certmonger_user (
|
||||
$step = Integer(hiera('step')),
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
|
||||
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
|
||||
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
|
||||
$libvirt_postsave_cmd = undef,
|
||||
$libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
|
||||
$libvirt_vnc_postsave_cmd = undef,
|
||||
$qemu_certificates_specs = hiera('qemu_certificates_specs', {}),
|
||||
$qemu_postsave_cmd = undef,
|
||||
$qdr_certificate_specs = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
|
||||
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
|
||||
$memcached_certificate_specs = hiera('tripleo::profile::base::memcached::certificate_specs', {}),
|
||||
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
|
||||
$redis_certificate_specs = hiera('redis_certificate_specs', {}),
|
||||
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
|
||||
$neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
|
||||
$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
|
||||
$ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
|
||||
$ceph_dashboard_certificate_specs = hiera('ceph_dashboard_certificate_specs', {}),
|
||||
$ceph_rgw_certificate_specs = hiera('ceph_rgw_certificate_specs', {}),
|
||||
$ovn_dbs_certificate_specs = hiera('ovn_dbs_certificate_specs', {}),
|
||||
$ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),
|
||||
$ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
|
||||
$neutron_ovn_certificate_specs = hiera('neutron_ovn_certificate_specs', {}),
|
||||
$ovn_octavia_certificate_specs = hiera('ovn_octavia_certificate_specs', {}),
|
||||
$novnc_proxy_postsave_cmd = undef,
|
||||
# Deprecated
|
||||
$haproxy_postsave_cmd = undef,
|
||||
$apache_postsave_cmd = undef,
|
||||
) {
|
||||
include certmonger
|
||||
|
||||
if $step == 1 {
|
||||
# This is only needed for certmonger's local CA. For any other CA this
|
||||
# operation (trusting the CA) should be done by the deployer.
|
||||
if $certmonger_ca == 'local' {
|
||||
include tripleo::certmonger::ca::local
|
||||
}
|
||||
|
||||
# Remove haproxy_certificates_specs where hostname is empty.
|
||||
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1905604
|
||||
$haproxy_certificates_specs_filtered = $haproxy_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
|
||||
unless empty($haproxy_certificates_specs_filtered) {
|
||||
$reload_haproxy = ['systemctl reload tripleo_haproxy']
|
||||
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
|
||||
if defined(Class['::haproxy']) {
|
||||
Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
|
||||
}
|
||||
} else {
|
||||
$reload_haproxy = []
|
||||
}
|
||||
class { 'tripleo::certmonger::ca::crl' :
|
||||
reload_cmds => $reload_haproxy,
|
||||
}
|
||||
Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
|
||||
include tripleo::certmonger::ca::libvirt_vnc
|
||||
include tripleo::certmonger::ca::qemu
|
||||
|
||||
# Remove apache_certificates_specs where hostname is empty.
|
||||
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1811207
|
||||
$apache_certificates_specs_filtered = $apache_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
|
||||
unless empty($apache_certificates_specs_filtered) {
|
||||
include tripleo::certmonger::apache_dirs
|
||||
ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs_filtered)
|
||||
}
|
||||
unless empty($libvirt_certificates_specs) {
|
||||
include tripleo::certmonger::libvirt_dirs
|
||||
ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs,
|
||||
{'postsave_cmd' => $libvirt_postsave_cmd})
|
||||
}
|
||||
unless empty($libvirt_vnc_certificates_specs) {
|
||||
include tripleo::certmonger::libvirt_vnc_dirs
|
||||
ensure_resources('tripleo::certmonger::libvirt_vnc', $libvirt_vnc_certificates_specs,
|
||||
{'postsave_cmd' => $libvirt_vnc_postsave_cmd})
|
||||
}
|
||||
unless empty($qemu_certificates_specs) {
|
||||
include tripleo::certmonger::qemu_dirs
|
||||
include tripleo::certmonger::qemu_nbd_dirs
|
||||
ensure_resources('tripleo::certmonger::qemu', $qemu_certificates_specs,
|
||||
{'postsave_cmd' => $qemu_postsave_cmd})
|
||||
}
|
||||
unless empty($haproxy_certificates_specs_filtered) {
|
||||
include tripleo::certmonger::haproxy_dirs
|
||||
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs_filtered)
|
||||
# The haproxy fronends (or listen resources) depend on the certificate
|
||||
# existing and need to be refreshed if it changed.
|
||||
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
|
||||
}
|
||||
unless empty($qdr_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::metrics_qdr', $qdr_certificate_specs)
|
||||
}
|
||||
unless empty($memcached_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::memcached', $memcached_certificate_specs)
|
||||
}
|
||||
unless empty($mysql_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
|
||||
}
|
||||
unless empty($rabbitmq_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
|
||||
}
|
||||
unless empty($redis_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::redis', $redis_certificate_specs)
|
||||
}
|
||||
unless empty($etcd_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
|
||||
}
|
||||
unless empty($neutron_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)
|
||||
}
|
||||
unless empty($novnc_proxy_certificates_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::novnc_proxy', $novnc_proxy_certificates_specs,
|
||||
{'postsave_cmd' => $novnc_proxy_postsave_cmd})
|
||||
}
|
||||
unless empty($ceph_grafana_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::ceph_grafana', $ceph_grafana_certificate_specs)
|
||||
}
|
||||
unless empty($ceph_dashboard_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::ceph_dashboard', $ceph_dashboard_certificate_specs)
|
||||
}
|
||||
unless empty($ceph_rgw_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::ceph_rgw', $ceph_rgw_certificate_specs)
|
||||
}
|
||||
unless empty($ovn_dbs_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
|
||||
}
|
||||
unless empty($ovn_controller_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::ovn_controller', $ovn_controller_certificate_specs)
|
||||
}
|
||||
unless empty($ovn_metadata_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::ovn_metadata', $ovn_metadata_certificate_specs)
|
||||
}
|
||||
unless empty($neutron_ovn_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
|
||||
}
|
||||
unless empty($ovn_octavia_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::ovn_octavia', $ovn_octavia_certificate_specs)
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,6 @@
|
||||
---
|
||||
deprecations:
|
||||
- |
|
||||
Remove support for puppet_certmonger. All certificates are now managed by
|
||||
the linux-system-roles.certificate ansible role configured from each
|
||||
service's heat template. ::tripleo::certmonger puppet files are removed.
|
@ -1,116 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2017 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::ca::crl' do
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::ca::crl' do
|
||||
|
||||
context 'with default parameters (no crl_source)' do
|
||||
it 'should ensure no CRL nor cron job are present' do
|
||||
is_expected.not_to contain_exec('tripleo-ca-crl')
|
||||
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
|
||||
:ensure => 'absent'
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with defined CRL source' do
|
||||
let :params do
|
||||
{
|
||||
:crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
|
||||
:crl_preprocessed => '/etc/pki/CA/crl/overcloud-crl.bin',
|
||||
:crl_source => 'file://tmp/some/crl.bin',
|
||||
}
|
||||
end
|
||||
|
||||
let :process_cmd do
|
||||
"openssl crl -in #{params[:crl_preprocessed]} -inform DER -outform PEM -out #{params[:crl_dest]}"
|
||||
end
|
||||
|
||||
let :cron_cmd do
|
||||
"curl -g -s -L -o #{params[:crl_preprocessed]} #{params[:crl_source]} && #{process_cmd}"
|
||||
end
|
||||
|
||||
it 'should create and process CRL file' do
|
||||
is_expected.to contain_exec('tripleo-ca-crl').with(
|
||||
:command => "curl -Ls --connect-timeout 120 -o #{params[:crl_preprocessed]} #{params[:crl_source]}",
|
||||
:tries => 5,
|
||||
:try_sleep => 5
|
||||
)
|
||||
is_expected.to contain_file('tripleo-ca-crl-file').with(
|
||||
:group => 'root',
|
||||
:mode => '0644',
|
||||
:owner => 'root',
|
||||
:path => "#{params[:crl_preprocessed]}"
|
||||
)
|
||||
is_expected.to contain_exec('tripleo-ca-crl-process-command').with(
|
||||
:command => process_cmd
|
||||
)
|
||||
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
|
||||
:ensure => 'present',
|
||||
:command => cron_cmd
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with defined CRL source and no processing' do
|
||||
let :params do
|
||||
{
|
||||
:crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
|
||||
:crl_source => 'file://tmp/some/crl.pem',
|
||||
:process => false
|
||||
}
|
||||
end
|
||||
|
||||
let :cron_cmd do
|
||||
"curl -g -s -L -o #{params[:crl_dest]} #{params[:crl_source]}"
|
||||
end
|
||||
|
||||
it 'should create and process CRL file' do
|
||||
is_expected.to contain_exec('tripleo-ca-crl').with(
|
||||
:command => "curl -Ls --connect-timeout 120 -o #{params[:crl_dest]} #{params[:crl_source]}",
|
||||
:tries => 5,
|
||||
:try_sleep => 5
|
||||
)
|
||||
is_expected.to contain_file('tripleo-ca-crl-file').with(
|
||||
:group => 'root',
|
||||
:mode => '0644',
|
||||
:owner => 'root',
|
||||
:path => "#{params[:crl_dest]}"
|
||||
)
|
||||
is_expected.to_not contain_exec('tripleo-ca-crl-process-command')
|
||||
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
|
||||
:ensure => 'present',
|
||||
:command => cron_cmd
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::ca::crl'
|
||||
end
|
||||
end
|
||||
end
|
@ -1,57 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2017 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::ca::local' do
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::ca::local' do
|
||||
|
||||
let :pre_condition do
|
||||
"include certmonger"
|
||||
end
|
||||
|
||||
let :params do
|
||||
{
|
||||
:ca_pem => '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should extract CA cert' do
|
||||
is_expected.to contain_exec('extract-and-trust-ca')
|
||||
end
|
||||
|
||||
it 'set the correct permissions for the CA certificate file' do
|
||||
is_expected.to contain_file(params[:ca_pem]).with(
|
||||
:ensure => 'present',
|
||||
:mode => '0644',
|
||||
:owner => 'root'
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::ca::local'
|
||||
end
|
||||
end
|
||||
end
|
@ -1,82 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2017 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::etcd' do
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::etcd' do
|
||||
let :params do
|
||||
{
|
||||
:hostname => 'localhost',
|
||||
:service_certificate => '/etc/pki/cert.crt',
|
||||
:service_key => '/etc/pki/key.pem',
|
||||
}
|
||||
end
|
||||
|
||||
context 'with defaults' do
|
||||
it 'should include the base for using certmonger' do
|
||||
is_expected.to contain_class('certmonger')
|
||||
end
|
||||
|
||||
it 'should request a certificate' do
|
||||
is_expected.to contain_certmonger_certificate('etcd').with(
|
||||
:ensure => 'present',
|
||||
:certfile => '/etc/pki/cert.crt',
|
||||
:keyfile => '/etc/pki/key.pem',
|
||||
:hostname => 'localhost',
|
||||
:dnsname => 'localhost',
|
||||
:principal => nil,
|
||||
:postsave_cmd => nil,
|
||||
:ca => 'local',
|
||||
:wait => true,
|
||||
)
|
||||
is_expected.to contain_file('/etc/pki/cert.crt')
|
||||
is_expected.to contain_file('/etc/pki/key.pem')
|
||||
end
|
||||
end
|
||||
context 'with overrides' do
|
||||
before :each do
|
||||
params.merge!({
|
||||
:certmonger_ca => 'IPA',
|
||||
:dnsnames => 'host1,127.0.0.42',
|
||||
:postsave_cmd => '/usr/bin/refresh_me.sh',
|
||||
:principal => 'Principal_Lewis',
|
||||
})
|
||||
end
|
||||
it 'should request a certificate with overrides' do
|
||||
is_expected.to contain_certmonger_certificate('etcd').with(
|
||||
:dnsname => 'host1,127.0.0.42',
|
||||
:principal => 'Principal_Lewis',
|
||||
:postsave_cmd => '/usr/bin/refresh_me.sh',
|
||||
:ca => 'IPA',
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::etcd'
|
||||
end
|
||||
end
|
||||
end
|
@ -1,60 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2020 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::memcached' do
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::memcached' do
|
||||
let :params do
|
||||
{
|
||||
:hostname => 'localhost',
|
||||
:service_certificate => '/etc/pki/cert.crt',
|
||||
:service_key => '/etc/pki/key.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should include the base for using certmonger' do
|
||||
is_expected.to contain_class('certmonger')
|
||||
end
|
||||
|
||||
it 'should request a certificate' do
|
||||
is_expected.to contain_certmonger_certificate('memcached').with(
|
||||
:ensure => 'present',
|
||||
:certfile => '/etc/pki/cert.crt',
|
||||
:keyfile => '/etc/pki/key.pem',
|
||||
:hostname => 'localhost',
|
||||
:dnsname => 'localhost',
|
||||
:ca => 'local',
|
||||
:wait => true,
|
||||
)
|
||||
is_expected.to contain_file('/etc/pki/cert.crt')
|
||||
is_expected.to contain_file('/etc/pki/key.pem')
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::memcached'
|
||||
end
|
||||
end
|
||||
end
|
@ -1,58 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2017 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::mysql' do
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::mysql' do
|
||||
let :params do
|
||||
{
|
||||
:hostname => 'localhost',
|
||||
:service_certificate => '/etc/pki/cert.crt',
|
||||
:service_key => '/etc/pki/key.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should include the base for using certmonger' do
|
||||
is_expected.to contain_class('certmonger')
|
||||
end
|
||||
|
||||
it 'should request a certificate' do
|
||||
is_expected.to contain_certmonger_certificate('mysql').with(
|
||||
:ensure => 'present',
|
||||
:certfile => '/etc/pki/cert.crt',
|
||||
:keyfile => '/etc/pki/key.pem',
|
||||
:hostname => 'localhost',
|
||||
:dnsname => 'localhost',
|
||||
:ca => 'local',
|
||||
:wait => true,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::mysql'
|
||||
end
|
||||
end
|
||||
end
|
@ -1,68 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2017 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::openvswitch' do
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::openvswitch' do
|
||||
let :params do
|
||||
{
|
||||
:hostname => 'localhost',
|
||||
:service_certificate => '/etc/pki/cert.crt',
|
||||
:service_key => '/etc/pki/key.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should include the base for using certmonger' do
|
||||
is_expected.to contain_class('certmonger')
|
||||
end
|
||||
|
||||
it 'should request a certificate' do
|
||||
is_expected.to contain_certmonger_certificate('openvswitch').with(
|
||||
:ensure => 'present',
|
||||
:certfile => '/etc/pki/cert.crt',
|
||||
:keyfile => '/etc/pki/key.pem',
|
||||
:hostname => 'localhost',
|
||||
:dnsname => 'localhost',
|
||||
:ca => 'local',
|
||||
:wait => true,
|
||||
)
|
||||
is_expected.to contain_file('/etc/pki/cert.crt').with(
|
||||
:owner => 'openvswitch',
|
||||
:group => 'hugetlbfs',
|
||||
:require => 'Certmonger_certificate[openvswitch]'
|
||||
)
|
||||
is_expected.to contain_file('/etc/pki/key.pem').with(
|
||||
:owner => 'openvswitch',
|
||||
:group => 'hugetlbfs',
|
||||
:require => 'Certmonger_certificate[openvswitch]'
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::openvswitch'
|
||||
end
|
||||
end
|
||||
end
|
@ -1,60 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2019 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::ovn_dbs' do
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::ovn_dbs' do
|
||||
let :params do
|
||||
{
|
||||
:hostname => 'localhost',
|
||||
:service_certificate => '/etc/pki/cert.crt',
|
||||
:service_key => '/etc/pki/key.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should include the base for using certmonger' do
|
||||
is_expected.to contain_class('certmonger')
|
||||
end
|
||||
|
||||
it 'should request a certificate' do
|
||||
is_expected.to contain_certmonger_certificate('ovn_dbs').with(
|
||||
:ensure => 'present',
|
||||
:certfile => '/etc/pki/cert.crt',
|
||||
:keyfile => '/etc/pki/key.pem',
|
||||
:hostname => 'localhost',
|
||||
:dnsname => 'localhost',
|
||||
:ca => 'local',
|
||||
:wait => true,
|
||||
)
|
||||
is_expected.to contain_file('/etc/pki/cert.crt')
|
||||
is_expected.to contain_file('/etc/pki/key.pem')
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::ovn_dbs'
|
||||
end
|
||||
end
|
||||
end
|
@ -1,60 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2017 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::rabbitmq' do
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::rabbitmq' do
|
||||
let :params do
|
||||
{
|
||||
:hostname => 'localhost',
|
||||
:service_certificate => '/etc/pki/cert.crt',
|
||||
:service_key => '/etc/pki/key.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should include the base for using certmonger' do
|
||||
is_expected.to contain_class('certmonger')
|
||||
end
|
||||
|
||||
it 'should request a certificate' do
|
||||
is_expected.to contain_certmonger_certificate('rabbitmq').with(
|
||||
:ensure => 'present',
|
||||
:certfile => '/etc/pki/cert.crt',
|
||||
:keyfile => '/etc/pki/key.pem',
|
||||
:hostname => 'localhost',
|
||||
:dnsname => 'localhost',
|
||||
:ca => 'local',
|
||||
:wait => true,
|
||||
)
|
||||
is_expected.to contain_file('/etc/pki/cert.crt')
|
||||
is_expected.to contain_file('/etc/pki/key.pem')
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::rabbitmq'
|
||||
end
|
||||
end
|
||||
end
|
@ -1,65 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2017 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Unit tests for tripleo
|
||||
#
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'tripleo::certmonger::httpd' do
|
||||
|
||||
let(:title) { 'httpd-cert' }
|
||||
|
||||
shared_examples_for 'tripleo::certmonger::httpd' do
|
||||
let :params do
|
||||
{
|
||||
:name => 'httpd-cert',
|
||||
:hostname => 'localhost',
|
||||
:service_certificate => '/etc/pki/cert.crt',
|
||||
:service_key => '/etc/pki/key.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it 'should include the base for using certmonger' do
|
||||
is_expected.to contain_class('certmonger')
|
||||
end
|
||||
|
||||
it 'should include the httpd parameters' do
|
||||
is_expected.to contain_class('apache::params')
|
||||
end
|
||||
|
||||
it 'should request a certificate' do
|
||||
is_expected.to contain_certmonger_certificate('httpd-cert').with(
|
||||
:ensure => 'present',
|
||||
:certfile => '/etc/pki/cert.crt',
|
||||
:keyfile => '/etc/pki/key.pem',
|
||||
:hostname => 'localhost',
|
||||
:dnsname => 'localhost',
|
||||
:ca => 'local',
|
||||
:wait => true,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os.each do |os, facts|
|
||||
context "on #{os}" do
|
||||
let(:facts) do
|
||||
facts.merge({})
|
||||
end
|
||||
|
||||
it_behaves_like 'tripleo::certmonger::httpd'
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue
Block a user