Remove puppet-certmonger related puppet-files

Implements: blueprint ansible-certmonger
Depends-On: https://review.opendev.org/771832
Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/786053
Change-Id: I5305bce78e9bbf382b00e3f3b5803b983a059db7
This commit is contained in:
Grzegorz Grasza 2021-01-25 13:49:56 +01:00
parent e3ebbb1143
commit 48832c961c
56 changed files with 6 additions and 3908 deletions

View File

@ -33,10 +33,6 @@ mod 'fdio',
:git => 'https://git.fd.io/puppet-fdio',
:ref => 'master'
mod 'certmonger',
:git => 'https://github.com/saltedsignal/puppet-certmonger',
:ref => 'v2.6.0'
mod 'ptp',
:git => 'https://github.com/redhat-nfvpe/ptp',
:ref => 'master'

View File

@ -1,10 +0,0 @@
#!/bin/bash
# Get mgr systemd unit
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
# Restart the mgr systemd unit
if [ -n "$mgr_unit" ]; then
systemctl restart "$mgr_unit"
fi

View File

@ -1,25 +0,0 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
# cinder uses etcd, so its containers also need to be refreshed
container_names=$($container_cli ps --format="{{.Names}}" | grep -E 'cinder|etcd')
service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_certificate)"
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_key)"
kolla_dir="/var/lib/kolla/config_files/src-tls"
# For each container, check whether the cert and key files need to be updated.
# The check is necessary because the original THT design directly bind mounted
# the files to their final location, and did not copy them in via $kolla_dir.
# Regardless of whether the container is directly using the files, or a copy,
# there's no need to trigger a reload because the cert is not cached.
for container_name in ${container_names[*]}; do
$container_cli exec -u root "$container_name" bash -c "
[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
true
"
done

View File

@ -1,9 +0,0 @@
#!/bin/bash
# Get grafana systemd unit
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
# Restart the grafana systemd unit
if [ -z "$grafana_unit" ]; then
systemctl restart "$grafana_unit"
fi

View File

@ -1,54 +0,0 @@
#!/bin/bash
# This script is meant to reload HAProxy when certmonger triggers a certificate
# renewal. It'll concatenate the needed certificates for the PEM file that
# HAProxy reads.
die() { echo "$*" 1>&2 ; exit 1; }
[[ $# -eq 2 ]] || die "Invalid number of arguments"
[[ $1 == @(reload|restart) ]] || die "First argument must be one of 'reload' or 'restart'."
ACTION=$1
NETWORK=$2
certmonger_ca=$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.crt"
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir)/overcloud-haproxy-$NETWORK.key"
ca_path=""
if [ "$certmonger_ca" == "local" ]; then
ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
elif [ "$certmonger_ca" == "IPA" ]; then
ca_path="/etc/ipa/ca.crt"
fi
if [ "$NETWORK" != "external" ]; then
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.pem"
else
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
fi
cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
if [ "$ACTION" == "reload" ]; then
# Refresh the cert at the mount-point
$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
# Copy the new cert from the mount-point to the real path
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
# Set appropriate permissions
$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
# Trigger a reload for HAProxy to read the new certificates
$container_cli kill --signal HUP "$haproxy_container_name"
elif [ "$ACTION" == "restart" ]; then
# Copying the certificate and permissions will be handled by kolla's start
# script.
$container_cli restart "$haproxy_container_name"
fi

View File

@ -1,20 +0,0 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
container_name=$($container_cli ps --format="{{.Names}}" | grep memcached)
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_certificate)"
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_key)"
# Copy the new cert and key from the mount-point to the real path
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
$container_cli exec "$container_name" chown memcached:memcached "$service_certificate"
$container_cli exec "$container_name" chown memcached:memcached "$service_key"
# Send refresh_certs command to memcached
memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen.0 127.0.0.1)"
memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port

View File

@ -1,24 +0,0 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
container_name=$($container_cli ps --format="{{.Names}}" | grep metrics_qdr)
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_certificate)"
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_key)"
# Copy the new cert from the mount-point to the real path
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
# Copy the new key from the mount-point to the real path
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# Set appropriate permissions
$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_certificate"
$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
# Trigger a container restart to read the new certificates
$container_cli restart $container_name

View File

@ -1,21 +0,0 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
container_name=$($container_cli ps --format="{{.Names}}" | grep neutron_dhcp)
# The certificate is also installed on the computes, but neutron_dhcp is only
# present on the controllers, so we exit if the container could not be found.
[[ -z $container_name ]] && exit 0
service_crt="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_cert_file)"
service_key="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_key_file)"
# Copy the new cert from the mount-point to the real path
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# No need to trigger a reload for neutron dhcpd since the cert is not cached

View File

@ -1,17 +0,0 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
container_name=$($container_cli ps --format="{{.Names}}" | grep nova_vnc_proxy)
service_crt="$(hiera -c /etc/puppet/hiera.yaml nova::cert)"
service_key="$(hiera -c /etc/puppet/hiera.yaml nova::key)"
# Copy the new cert from the mount-point to the real path
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
# No need to trigger a reload for novnc proxy since the cert is not cached

View File

@ -1,17 +0,0 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
# Copy the new cert from the mount-point to the real path
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
# Set appropriate permissions
$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."

View File

@ -1,14 +0,0 @@
#!/bin/bash
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
container_name=$($container_cli ps --format="{{.Names}}" | grep redis_tls_proxy)
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::redis::service_certificate)"
# Copy the new cert from the mount-point to the real path
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
# Trigger a reload for stunnel to read the new certificates
pkill -o -HUP stunnel

View File

@ -1,9 +0,0 @@
#!/bin/bash
# Get ceph rgw systemd unit
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
# Restart the rgw systemd unit
if [ -n "$rgw_unit" ]; then
systemctl restart "$rgw_unit"
fi

View File

@ -1,74 +0,0 @@
#!/usr/bin/python
try:
import ConfigParser as configparser
except ImportError:
import configparser
import os
import sys
import subprocess
CM_SUBMIT_STATUS_ISSUED = 0
CM_SUBMIT_STATUS_UNCONFIGURED = 4
def main():
if len(sys.argv) < 3:
return CM_SUBMIT_STATUS_UNCONFIGURED
sub_ca = sys.argv[1]
wrapped_command = sys.argv[2:]
operation = os.environ.get('CERTMONGER_OPERATION')
os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA'
if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa':
config = configparser.ConfigParser()
try:
with open('/etc/ipa/default.conf') as fp:
config.readfp(fp)
except:
return CM_SUBMIT_STATUS_UNCONFIGURED
host = config.get('global', 'host')
realm = config.get('global', 'realm')
if host is None or realm is None:
return CM_SUBMIT_STATUS_UNCONFIGURED
principal = 'host/{}@{}'.format(host, realm)
os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper'
try:
subprocess.check_call([
'/usr/bin/kinit', '-k', principal
])
except:
return CM_SUBMIT_STATUS_UNCONFIGURED
try:
data = subprocess.check_output([
'/usr/bin/ipa', 'ca-show', sub_ca
])
except:
return CM_SUBMIT_STATUS_ISSUED
config = {}
for line in data.split('\n'):
line = line.strip()
try:
key, value = line.split(': ')
except:
continue
config[key] = value
if config.get('Name').lower() != sub_ca.lower():
return CM_SUBMIT_STATUS_ISSUED
print(realm, sub_ca, 'CA')
print('-----BEGIN CERTIFICATE-----')
certificate = config['Certificate']
for i in range((len(certificate)/64) + 1):
print(certificate[i*64:(i+1)*64])
print('-----END CERTIFICATE-----')
sys.stdout.flush()
else:
os.environ['CERTMONGER_CA_ISSUER'] = sub_ca
os.execl(wrapped_command[0], *wrapped_command)
if __name__ == '__main__':
main()

View File

@ -1,55 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# : = Class: tripleo::certmonger::apache_dirs
#
# Creates the necessary directories for apache's certificates and keys in the
# assigned locations if specified. It also assigns the correct SELinux tags.
#
# === Parameters:
#
# [*certificate_dir*]
# (Optional) Directory where apache's certificates will be stored. If left
# unspecified, it won't be created.
# Defaults to undef
#
# [*key_dir*]
# (Optional) Directory where apache's keys will be stored.
# Defaults to undef
#
class tripleo::certmonger::apache_dirs(
$certificate_dir = undef,
$key_dir = undef,
){
if $certificate_dir {
file { $certificate_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
}
if $key_dir {
file { $key_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
}
}

View File

@ -1,165 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == class: tripleo::certmonger::ca::crl
#
# Class that downloads the appropriate CRL file from the CA. This can
# furtherly be used by services in order for proper certificate revocation to
# come into effect. The class also sets up a cron job that will refresh the CRL
# once a week. Also, processing of the CRL file might be needed. e.g. most CAs
# use DER format to distribute the CRLs, while services such as HAProxy expect
# the CRL to be in PEM format.
#
# === Parameters
#
# [*crl_dest*]
# (Optional) The file where the CRL file will be stored.
# Defaults to '/etc/pki/CA/crl/overcloud-crl.pem'
#
# [*crl_source*]
# (Optional) The URI where the CRL file will be fetched from.
# Defaults to undef
#
# [*process*]
# (Optional) Whether the CRL needs processing before being used. This means
# transforming from DER to PEM format or viceversa. This is because most CRLs
# by default come in DER format, so most likely it needs to be transformed.
# Defaults to true
#
# [*crl_preprocessed*]
# (Optional) The pre-processed CRL file which will be transformed.
# Defaults to '/etc/pki/CA/crl/overcloud-crl.bin'
#
# [*crl_preprocessed_format*]
# (Optional) The pre-processed CRL file's format which will be transformed.
# Defaults to 'DER'
#
# [*minute*]
# (optional) Defaults to '0'.
#
# [*hour*]
# (optional) Defaults to '*/2'.
#
# [*monthday*]
# (optional) Defaults to '*'.
#
# [*month*]
# (optional) Defaults to '*'.
#
# [*weekday*]
# (optional) Defaults to '6'.
#
# [*maxdelay*]
# (optional) Seconds. Defaults to 0. Should be a positive integer.
# Induces a random delay before running the cronjob to avoid running all
# cron jobs at the same time on all hosts this job is configured.
#
# [*reload_cmds*]
# (Optional) list of commands to be executed after fetching the CRL list in
# the cron job. This will usually be a list of reload commands issued to
# services that use the CRL.
# Defaults to []
#
class tripleo::certmonger::ca::crl (
$crl_dest = '/etc/pki/CA/crl/overcloud-crl.pem',
$crl_source = undef,
$process = true,
$crl_preprocessed = '/etc/pki/CA/crl/overcloud-crl.bin',
$crl_preprocessed_format = 'DER',
$minute = '0',
$hour = '*/2',
$monthday = '*',
$month = '*',
$weekday = '*',
$maxdelay = 0,
$reload_cmds = [],
) {
if $process {
$fetched_crl = $crl_preprocessed
} else {
$fetched_crl = $crl_dest
}
$esc_fetched_crl = shell_escape($fetched_crl)
$esc_crl_src = shell_escape($crl_source)
if $crl_source {
$ensure = 'present'
# LP(1787878): We need to use an explicit command instead of the file
# resource, because puppet won't use query parameters when handling
# redirects.
# If FreeIPA is being installed in a similar time as the overcloud, the tries
# and time in between tries gives it a chance to generate the CRL.
exec {'tripleo-ca-crl':
command => "curl -Ls --connect-timeout 120 -o ${esc_fetched_crl} ${esc_crl_src}",
path => '/usr/bin/',
creates => $fetched_crl,
tries => 5,
try_sleep => 5,
} ~> file {'tripleo-ca-crl-file':
group => 'root',
mode => '0644',
owner => 'root',
path => $fetched_crl,
}
} else {
$ensure = 'absent'
}
if $maxdelay == 0 {
$sleep = ''
} else {
$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
}
if $process and $ensure == 'present' {
$crl_dest_format = $crl_preprocessed_format ? {
'PEM' => 'DER',
'DER' => 'PEM'
}
# transform CRL from DER to PEM or viceversa
$process_cmd = "openssl crl -in ${crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
exec { 'tripleo-ca-crl-process-command' :
command => $process_cmd,
path => '/usr/bin',
refreshonly => true,
subscribe => [
Exec['tripleo-ca-crl'],
File['tripleo-ca-crl-file']
]
}
} else {
$process_cmd = []
}
if $ensure == 'present' {
# Fetch CRL in cron job and notify needed services
$cmd_list = concat(["${sleep}curl -g -s -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
$cron_cmd = join($cmd_list, ' && ')
} else {
$cron_cmd = absent
}
cron { 'tripleo-refresh-crl-file':
ensure => $ensure,
command => $cron_cmd,
environment => 'PATH=/usr/bin:/bin SHELL=/bin/sh',
user => 'root',
minute => $minute,
hour => $hour,
monthday => $monthday,
month => $month,
weekday => $weekday,
}
}

View File

@ -1,65 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ca::libvirt_vnc
#
# Sets the necessary file that will be used libvirt vnc servers and
# clients.
#
# === Parameters:
#
# [*origin_ca_pem*]
# (Optional) Path to the CA certificate that libvirt vnc will use. This is not
# assumed automatically or uses the system CA bundle as is the case of other
# services because a limitation with the file sizes in GNU TLS, which libvirt
# uses as a TLS backend.
# Defaults to undef
#
# [*certmonger_ca*]
# (Optional) The CA name that certmonger will use to generate VNC certificates.
# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
# added to the certmonger CA list.
# Defaults to hiera('certmonger_ca_vnc', 'local').
#
class tripleo::certmonger::ca::libvirt_vnc(
$origin_ca_pem = undef,
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
){
if $origin_ca_pem {
$ensure_file = 'link'
} else {
$ensure_file = 'absent'
}
file { '/etc/pki/libvirt-vnc/ca-cert.pem':
ensure => $ensure_file,
mode => '0644',
target => $origin_ca_pem,
}
if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
file { $wrapper_path:
source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
mode => '0755',
notify => Service['certmonger']
}
-> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
path => ['/usr/bin', '/bin'],
unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
notify => Service['certmonger']
}
}
}

View File

@ -1,45 +0,0 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ca::local
#
# Does the necessary action to extract and trust certmonger's local CA.
#
# === Parameters:
#
# [*ca_pem*]
# (optional) PEM file that will contain the local CA certificate.
# Defaults to '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
#
class tripleo::certmonger::ca::local(
$ca_pem = '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
){
$ca_pkcs12 = '/var/lib/certmonger/local/creds'
$extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''"
$trust_ca_cmd = 'update-ca-trust extract'
file { "${ca_pem}":
ensure => present,
mode => '0644',
owner => 'root',
}
exec { 'extract-and-trust-ca':
command => "${extract_cmd} && ${trust_ca_cmd}",
path => '/usr/bin',
tries => 5,
try_sleep => 1,
notify => File[$ca_pem]
}
Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |>
}

View File

@ -1,65 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ca::qemu
#
# Sets the necessary file that will be used by qemu servers and
# clients.
#
# === Parameters:
#
# [*origin_ca_pem*]
# (Optional) Path to the CA certificate that qemu will use. This is not
# assumed automatically or uses the system CA bundle as is the case of other
# services because a limitation with the file sizes in GNU TLS, which qemu
# uses as a TLS backend.
# Defaults to undef
#
# [*certmonger_ca*]
# (Optional) The CA name that certmonger will use to generate qemu certificates.
# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
# added to the certmonger CA list.
# Defaults to hiera('certmonger_ca_qemu', 'local').
#
class tripleo::certmonger::ca::qemu(
$origin_ca_pem = undef,
$certmonger_ca = hiera('certmonger_ca_qemu', 'local'),
){
if $origin_ca_pem {
$ensure_file = 'link'
} else {
$ensure_file = 'absent'
}
file { '/etc/pki/qemu/ca-cert.pem':
ensure => $ensure_file,
mode => '0644',
target => $origin_ca_pem,
}
if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
file { $wrapper_path:
source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
mode => '0755',
notify => Service['certmonger']
}
-> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
path => ['/usr/bin', '/bin'],
unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
notify => Service['certmonger']
}
}
}

View File

@ -1,87 +0,0 @@
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ceph_dashboard
#
# Request a certificate for Ceph Dashboard and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_dashboard (
$hostname,
$service_certificate,
$service_key,
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-dashboard-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'ceph_dashboard' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['ceph_dashboard'],
owner => 472,
group => 472,
}
file { $service_key :
require => Certmonger_certificate['ceph_dashboard'],
owner => 472,
group => 472,
}
}

View File

@ -1,87 +0,0 @@
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ceph_grafana
#
# Request a certificate for Ceph Grafana and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_grafana (
$hostname,
$service_certificate,
$service_key,
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-grafana-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'ceph_grafana' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['ceph_grafana'],
owner => 472,
group => 472,
}
file { $service_key :
require => Certmonger_certificate['ceph_grafana'],
owner => 472,
group => 472,
}
}

View File

@ -1,123 +0,0 @@
# Copyright 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ceph_rgw
#
# Request a certificate for Ceph RGW and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_pem*]
# The file in PEM format that the HAProxy service will use as a certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_rgw (
$hostname,
$service_certificate,
$service_key,
$service_pem,
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-rgw-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'ceph_rgw' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
concat { $service_pem :
ensure => present,
mode => '0640',
owner => 472,
group => 472,
tag => 'ceph-rgw-cert',
}
concat::fragment { "${title}-cert-fragment":
target => $service_pem,
source => $service_certificate,
order => '01',
tag => 'ceph_rgw-cert',
require => Concat["${service_pem}"]
}
if $certmonger_ca == 'local' {
$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
concat::fragment { "${title}-ca-fragment":
target => $service_pem,
source => $ca_pem,
order => '10',
tag => 'ceph_rgw-cert',
require => [ Class['tripleo::certmonger::ca::local'], Concat::Fragment["${title}-cert-fragment"] ]
}
} elsif $certmonger_ca == 'IPA' {
concat::fragment { "${title}-ca-fragment":
target => $service_pem,
source => '/etc/ipa/ca.crt',
order => '10',
tag => 'ceph_rgw-cert',
require => Concat::Fragment["${title}-cert-fragment"]
}
}
concat::fragment { "${title}-key-fragment":
target => $service_pem,
source => $service_key,
order => 20,
tag => 'ceph_rgw-cert',
require => Concat::Fragment["${title}-ca-fragment"],
}
}

View File

@ -1,92 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::etcd
#
# Request a certificate for the etcd service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*dnsnames*]
# (Optional) The DNS names that will be added for the SubjectAltNames entry
# in the certificate.
# Defaults to $hostname
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef
#
# [*principal*]
# (Optional) The haproxy service principal that is set for etcd in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::etcd (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
ensure_resource('file', '/usr/bin/certmonger-etcd-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-etcd-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'etcd' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $dnsnames,
principal => $principal,
postsave_cmd => $postsave_cmd,
key_size => $key_size,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['etcd'],
}
file { $service_key :
require => Certmonger_certificate['etcd'],
}
File[$service_certificate] ~> Service<| title == 'etcd' |>
File[$service_key] ~> Service<| title == 'etcd' |>
}

View File

@ -1,159 +0,0 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Resource: tripleo::certmonger::haproxy
#
# Request a certificate for the HAProxy service and does the necessary logic to
# get it into a format that the service understands.
#
# === Parameters
#
# [*service_pem*]
# The file in PEM format that the HAProxy service will use as a certificate.
#
# [*service_certificate*]
# The certificate file that certmonger will be tracking.
#
# [*service_key*]
# The key file that certmonger will use for the certificate.
#
# [*hostname*]
# The hostname that certmonger will use as the common name for the
# certificate.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*dnsnames*]
# (Optional) The DNS names that will be added for the SubjectAltNames entry
# in the certificate. If left unset, the value will be set to the $hostname.
# Defaults to undef
#
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
# [*postsave_cmd*]
# The post-save-command that certmonger will use once it renews the
# certificate.
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::haproxy (
$service_pem,
$service_certificate,
$service_key,
$hostname,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = undef,
$principal = undef,
$postsave_cmd = undef,
$key_size = 2048,
){
include certmonger
include haproxy::params
if $certmonger_ca == 'local' {
if defined(Class['::haproxy']) {
Class['::tripleo::certmonger::ca::local'] ~> Class['::haproxy']
}
$principal_real = undef
} else {
$principal_real = $principal
}
# If we have HAProxy in the resource catalog, we can use the haproxy user
# and group.
if defined(Class['::haproxy']) {
$cert_user = 'haproxy'
$cert_group = 'haproxy'
# If it's not in the resource catalog, it means that we're running in
# containers. So we have to rely on the container to set the appropriate
# permissions.
} else {
$cert_user = 'root'
$cert_group = 'root'
}
if $dnsnames {
$dnsnames_real = $dnsnames
} else {
$dnsnames_real = $hostname
}
ensure_resource('file', '/usr/bin/certmonger-haproxy-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-haproxy-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { "${title}-cert":
ensure => 'present',
ca => $certmonger_ca,
hostname => $hostname,
dnsname => $dnsnames_real,
certfile => $service_certificate,
keyfile => $service_key,
postsave_cmd => $postsave_cmd,
principal => $principal_real,
key_size => $key_size,
eku => ['id-kp-clientAuth', 'id-kp-serverAuth'],
wait => true,
tag => 'haproxy-cert',
require => Class['::certmonger'],
}
concat { $service_pem :
ensure => present,
mode => '0640',
owner => $cert_user,
group => $cert_group,
tag => 'haproxy-cert',
}
Package<| name == $::haproxy::params::package_name |> -> Concat[$service_pem]
concat::fragment { "${title}-cert-fragment":
target => $service_pem,
source => $service_certificate,
order => '01',
tag => 'haproxy-cert',
require => Certmonger_certificate["${title}-cert"],
}
if $certmonger_ca == 'local' {
$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
concat::fragment { "${title}-ca-fragment":
target => $service_pem,
source => $ca_pem,
order => '10',
tag => 'haproxy-cert',
require => Class['tripleo::certmonger::ca::local'],
}
} elsif $certmonger_ca == 'IPA' {
concat::fragment { "${title}-ca-fragment":
target => $service_pem,
source => '/etc/ipa/ca.crt',
order => '10',
tag => 'haproxy-cert',
}
}
concat::fragment { "${title}-key-fragment":
target => $service_pem,
source => $service_key,
order => 20,
tag => 'haproxy-cert',
require => Certmonger_certificate["${title}-cert"],
}
}

View File

@ -1,55 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# : = Class: tripleo::certmonger::haproxy_dirs
#
# Creates the necessary directories for haproxy's certificates and keys in the
# assigned locations if specified. It also assigns the correct SELinux tags.
#
# === Parameters:
#
# [*certificate_dir*]
# (Optional) Directory where haproxy's certificates will be stored. If left
# unspecified, it won't be created.
# Defaults to undef
#
# [*key_dir*]
# (Optional) Directory where haproxy's keys will be stored.
# Defaults to undef
#
class tripleo::certmonger::haproxy_dirs(
$certificate_dir = undef,
$key_dir = undef,
){
if $certificate_dir {
file { $certificate_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
}
if $key_dir {
file { $key_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
}
}

View File

@ -1,86 +0,0 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Resource: tripleo::certmonger::httpd
#
# Request a certificate for the httpd service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*dnsnames*]
# (Optional) The DNS names that will be added for the SubjectAltNames entry
# in the certificate. If left unset, the value will be set to the $hostname.
# Defaults to undef
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl restart ${service name}"
# Defaults to undef.
#
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::httpd (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = undef,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include apache::params
if $dnsnames {
$dnsnames_real = $dnsnames
} else {
$dnsnames_real = $hostname
}
certmonger_certificate { $name :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $dnsnames_real,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'apache-cert',
require => Class['::certmonger'],
}
Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |>
}

View File

@ -1,86 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Resource: tripleo::certmonger::libvirt
#
# Request a certificate for libvirt and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl reload ${service name}"
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::libvirt (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::nova::params::libvirt_service_name}")
certmonger_certificate { $name :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'libvirt-cert',
require => Class['::certmonger'],
}
# Just register the files in puppet's resource catalog. Certmonger should
# give the right permissions.
file { $service_certificate :
require => Certmonger_certificate[$name],
}
file { $service_key :
require => Certmonger_certificate[$name],
}
File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |>
File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |>
}

View File

@ -1,56 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::libvirt_dirs
#
# Creates the necessary directories for libvirt's certificates and keys in the
# assigned locations if specified. It also assigns the correct SELinux tags.
#
# === Parameters:
#
# [*certificate_dir*]
# (Optional) Directory where libvirt's certificates will be stored. If left
# unspecified, it won't be created.
# Defaults to undef
#
# [*key_dir*]
# (Optional) Directory where libvirt's keys will be stored.
# Defaults to undef
#
class tripleo::certmonger::libvirt_dirs(
$certificate_dir = undef,
$key_dir = undef,
){
if $certificate_dir {
file { $certificate_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
}
if $key_dir {
file { $key_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
}
}

View File

@ -1,122 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Resource: tripleo::certmonger::libvirt_vnc
#
# Request a certificate for libvirt-vnc and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca_vnc', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl reload ${service name}"
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*cacertfile*]
# (Optional) Specifies that path to write the CA cerftificate to.
# Defaults to undef
#
# [*notify_service*]
# (Optional) Service to reload when certificate is created/renewed
# Defaults to $::nova::params::libvirt_service_name
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::libvirt_vnc (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
$postsave_cmd = undef,
$principal = undef,
$cacertfile = undef,
$notify_service = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
$notify_service_real = pick($notify_service, $::nova::params::libvirt_service_name)
$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${notify_service_real}")
certmonger_certificate { $name :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
key_size => $key_size,
cacertfile => $cacertfile,
wait => true,
tag => 'libvirt-cert',
require => Class['::certmonger'],
}
if $cacertfile {
# Sometimes certmonger returns before creating the cacert file. This has
# been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281
# Until this is fixed, add this workaround.
exec { $cacertfile :
require => Certmonger_certificate[$name],
command => "test -f ${cacertfile}",
unless => "test -f ${cacertfile}",
tries => 60,
try_sleep => 1,
timeout => 60,
path => '/usr/bin:/bin',
}
file { $cacertfile :
require => Exec[$cacertfile],
mode => '0644'
}
~> Service<| title == $notify_service_real |>
}
file { $service_certificate :
require => Certmonger_certificate[$name],
mode => '0644'
}
file { $service_key :
require => Certmonger_certificate[$name],
group => 'qemu',
mode => '0640'
}
File[$service_certificate] ~> Service<| title == $notify_service_real |>
File[$service_key] ~> Service<| title == $notify_service_real |>
}

View File

@ -1,56 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::libvirt_vnc_dirs
#
# Creates the necessary directories for libvirt vnc certificates and keys in the
# assigned locations if specified. It also assigns the correct SELinux tags.
#
# === Parameters:
#
# [*certificate_dir*]
# (Optional) Directory where libvirt-vnc's certificates will be stored. If left
# unspecified, it won't be created.
# Defaults to undef
#
# [*key_dir*]
# (Optional) Directory where libvirt-vnc's keys will be stored.
# Defaults to undef
#
class tripleo::certmonger::libvirt_vnc_dirs(
$certificate_dir = undef,
$key_dir = undef,
){
if $certificate_dir {
file { $certificate_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |>
}
if $key_dir {
file { $key_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |>
}
}

View File

@ -1,85 +0,0 @@
# Copyright 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::memcached
#
# Request a certificate for Memcached and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl restart ${service name}"
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::memcached (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = '/usr/bin/certmonger-memcached-refresh.sh',
$principal = undef,
$key_size = 2048,
) {
include certmonger
ensure_resource('file', '/usr/bin/certmonger-memcached-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-memcached-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'memcached' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['memcached'],
}
file { $service_key :
require => Certmonger_certificate['memcached'],
}
}

View File

@ -1,89 +0,0 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::metrics_qdr
#
# Request a certificate for the MetricsQdr service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl restart ${service name}"
# Defaults to undef.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for metrics_qdr in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::metrics_qdr (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include qdr::params
ensure_resource('file', '/usr/bin/certmonger-metrics-qdr-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-metrics-qdr-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'metrics_qdr' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['metrics_qdr'],
}
file { $service_key :
require => Certmonger_certificate['metrics_qdr'],
}
File[$service_certificate] ~> Service<| title == $::qdr::params::service_name |>
File[$service_key] ~> Service<| title == $::qdr::params::service_name |>
}

View File

@ -1,78 +0,0 @@
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::mysql
#
# Request a certificate for the MySQL/Mariadb service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*dnsnames*]
# (Optional) The DNS names that will be added for the SubjectAltNames entry
# in the certificate. If left unset, the value will be set to the $hostname.
# This parameter can take both a string or an array of strings.
# Defaults to $hostname
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# If nothing is given, it will default to: "systemctl restart ${service name}"
# Defaults to undef.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::mysql (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
certmonger_certificate { 'mysql' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $dnsnames,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
}

View File

@ -1,84 +0,0 @@
# Copyright 2018 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::neutron
#
# Request a certificate for the Neutron service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::neutron (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
ensure_resource('file', '/usr/bin/certmonger-neutron-dhcpd-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-neutron-dhcpd-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'neutron' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['neutron']
}
file { $service_key :
require => Certmonger_certificate['neutron']
}
Certmonger_certificate['neutron'] ~> Service<| tag == 'neutron-service' |>
}

View File

@ -1,76 +0,0 @@
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::neutron_ovn
#
# Request a certificate for the ovn_controller service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::neutron_ovn (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
certmonger_certificate { 'neutron_ovn' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['neutron_ovn']
}
file { $service_key :
require => Certmonger_certificate['neutron_ovn']
}
}

View File

@ -1,97 +0,0 @@
# Copyright 2018 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::novnc_proxy
#
# Request a certificate for novnc_proxy and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*notify_service*]
# (Optional) Service to reload when certificate is created/renewed
# Defaults to $::nova::params::libvirt_service_name
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::novnc_proxy (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$notify_service = undef,
$postsave_cmd = undef,
$key_size = 2048,
$principal = undef,
) {
include certmonger
include nova::params
$notify_service_real = pick($notify_service, $::nova::params::vncproxy_service_name)
ensure_resource('file', '/usr/bin/certmonger-novnc-proxy-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-novnc-proxy-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'novnc-proxy' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'novnc-proxy',
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['novnc-proxy'],
mode => '0644'
}
file { $service_key :
require => Certmonger_certificate['novnc-proxy'],
mode => '0640'
}
File[$service_certificate] ~> Service<| title == $notify_service_real |>
File[$service_key] ~> Service<| title == $notify_service_real |>
}

View File

@ -1,80 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::openvswitch
#
# Request a certificate for the openvswitch service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to "systemctl reload openvswitch"
#
# [*principal*]
# (Optional) The haproxy service principal that is set for openvswitch in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::openvswitch (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = 'systemctl reload openvswitch',
$principal = undef,
$key_size = 2048,
) {
include certmonger
certmonger_certificate { 'openvswitch' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
owner => 'openvswitch',
group => 'hugetlbfs',
require => Certmonger_certificate['openvswitch'],
}
file { $service_key :
owner => 'openvswitch',
group => 'hugetlbfs',
require => Certmonger_certificate['openvswitch'],
}
}

View File

@ -1,76 +0,0 @@
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ovn_controller
#
# Request a certificate for the ovn_controller service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_controller (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
certmonger_certificate { 'ovn_controller' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['ovn_controller']
}
file { $service_key :
require => Certmonger_certificate['ovn_controller']
}
}

View File

@ -1,75 +0,0 @@
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ovn_sbdb
#
# Request a certificate for the ovn_sbdb service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_dbs (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
certmonger_certificate { 'ovn_dbs' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['ovn_dbs']
}
file { $service_key :
require => Certmonger_certificate['ovn_dbs']
}
}

View File

@ -1,76 +0,0 @@
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ovn_metadata
#
# Request a certificate for the ovn_controller service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_metadata (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
certmonger_certificate { 'ovn_metadata' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['ovn_metadata']
}
file { $service_key :
require => Certmonger_certificate['ovn_metadata']
}
}

View File

@ -1,76 +0,0 @@
# Copyright 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ovn_octavia
#
# Request a certificate for the ovn_controller service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_octavia (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
certmonger_certificate { 'ovn_octavia' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['ovn_octavia']
}
file { $service_key :
require => Certmonger_certificate['ovn_octavia']
}
}

View File

@ -1,108 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Resource: tripleo::certmonger::qemu
#
# Request a certificate for quemu and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*cacertfile*]
# (Optional) Specifies that path to write the CA cerftificate to.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::qemu (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca_qemu', 'local'),
$cacertfile = undef,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
certmonger_certificate { $name :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
cacertfile => $cacertfile,
wait => true,
tag => 'qemu-cert',
require => Class['::certmonger'],
}
if $cacertfile {
# Sometimes certmonger returns before creating the cacert file. This has
# been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281
# Until this is fixed, add this workaround.
exec { $cacertfile :
require => Certmonger_certificate[$name],
command => "test -f ${cacertfile}",
unless => "test -f ${cacertfile}",
tries => 60,
try_sleep => 1,
timeout => 60,
path => '/usr/bin:/bin',
}
file { $cacertfile :
require => Exec[$cacertfile],
mode => '0644'
}
}
file { $service_certificate :
require => Certmonger_certificate[$name],
mode => '0644'
}
file { $service_key :
require => Certmonger_certificate[$name],
group => 'qemu',
mode => '0640'
}
}

View File

@ -1,41 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::qemu_dirs
#
# Creates the necessary directories for qemu certificates and keys in the
# assigned locations if specified. It also assigns the correct SELinux tags.
#
# === Parameters:
#
# [*certificate_dir*]
# (Optional) Directory where qemu server certificates will be stored. If left
# unspecified, it won't be created.
# Defaults to undef
#
class tripleo::certmonger::qemu_dirs(
$certificate_dir = undef,
){
if $certificate_dir {
file { $certificate_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-server-cert' |>
}
}

View File

@ -1,42 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::qemu_nbd_dirs
#
# Creates the necessary directories for qemu nbd client certificates and keys
# in the assigned locations if specified. It also assigns the correct SELinux
# tags.
#
# === Parameters:
#
# [*certificate_dir*]
# (Optional) Directory where qemu-nbd's client certificates will be stored.
# If left unspecified, it won't be created.
# Defaults to undef
#
class tripleo::certmonger::qemu_nbd_dirs(
$certificate_dir = undef,
){
if $certificate_dir {
file { $certificate_dir :
ensure => 'directory',
selrole => 'object_r',
seltype => 'cert_t',
seluser => 'system_u',
}
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-cert' |>
}
}

View File

@ -1,84 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::rabbitmq
#
# Request a certificate for RabbitMQ and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::rabbitmq (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
ensure_resource('file', '/usr/bin/certmonger-rabbitmq-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-rabbitmq-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'rabbitmq' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['rabbitmq'],
}
file { $service_key :
require => Certmonger_certificate['rabbitmq'],
}
}

View File

@ -1,91 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::redis
#
# Request a certificate for Redis and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*dnsnames*]
# (Optional) The DNS names that will be added for the SubjectAltNames entry
# in the certificate. If left unset, the value will be set to the $hostname.
# This parameter can take both a string or an array of strings.
# Defaults to $hostname
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::redis (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
ensure_resource('file', '/usr/bin/certmonger-redis-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-redis-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'redis' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $dnsnames,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['redis'],
}
file { $service_key :
require => Certmonger_certificate['redis'],
}
}

View File

@ -1,322 +0,0 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# == class: tripleo::profile::base::certmonger_user
#
# Profile that ensures that the relevant certmonger certificates have been
# requested. The certificates come from the hiera set by the specific profiles
# and come in a pre-defined format.
# For a service that has several certificates (one per network name):
# apache_certificates_specs:
# httpd-internal_api:
# hostname: <overcloud controller fqdn>
# service_certificate: <service certificate path>
# service_key: <service key path>
# principal: "HTTP/<overcloud controller fqdn>"
# For a service that uses a single certificate:
# mysql_certificates_specs:
# hostname: <overcloud controller fqdn>
# service_certificate: <service certificate path>
# service_key: <service key path>
# principal: "mysql/<overcloud controller fqdn>"
#
# === Parameters
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
# [*apache_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('apache_certificate_specs', {}).
#
# [*haproxy_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
#
# [*libvirt_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('libvirt_certificates_specs', {}).
#
# [*libvirt_postsave_cmd*]
# (Optional) If set, it overrides the default way to restart libvirt when the
# certificate is renewed.
# Defaults to undef
#
# [*libvirt_vnc_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('libvirt_vnc_certificates_specs', {}).
#
# [*libvirt_vnc_postsave_cmd*]
# (Optional) If set, it overrides the default way to restart services when the
# certificate is renewed.
# Defaults to undef
#
# [*qemu_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('qemu_certificates_specs', {}).
#
# [*qemu_postsave_cmd*]
# (Optional) If set, it overrides the default way to restart services when the
# certificate is renewed.
# Defaults to undef
#
# [*qdr_certificate_specs*]
# (Optional) The specifications to give to certmonger fot the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}).
#
# [*mysql_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
#
# [*memcached_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::memcached::certificate_specs', {}).
#
# [*rabbitmq_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
#
# [*redis_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('redis_certificate_specs', {}).
#
# [*ceph_grafana_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ceph_grafana_certificate_specs', {}).
#
# [*ceph_dashboard_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ceph_dashboard_certificate_specs', {}).
#
# [*ceph_rgw_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ceph_rgw_certificate_specs', {}).
#
# [*etcd_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
#
# [*neutron_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::neutron::certificate_specs', {}).
#
# [*novnc_proxy_certificates_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('novnc_proxy_certificates_specs',{})
#
# [*novnc_proxy_postsave_cmd*]
# (Optional) If set, it overrides the default way to restart novnc proxy when the
# certificate is renewed.
# Defaults to undef
#
# [*ovn_dbs_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ovn_dbs_certificate_specs', {})
#
# [*ovn_controller_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ovn_controller_certificate_specs', {})
#
# [*ovn_metadata_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ovn_metadata_certificate_specs', {})
#
# [*neutron_ovn_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('neutron_ovn_certificate_specs', {})
#
# [*ovn_octavia_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ovn_octavia_certificate_specs', {})
#
# === Deprecated
#
# [*haproxy_postsave_cmd*]
# (Optional) If set, it overrides the default way to restart haproxy when the
# certificate is renewed.
# Defaults to undef
#
# [*apache_postsave_cmd*]
# (Optional) If set, it overrides the default way to restart apache when the
# certificate is renewed.
# Defaults to undef
#
class tripleo::profile::base::certmonger_user (
$step = Integer(hiera('step')),
$certmonger_ca = hiera('certmonger_ca', 'local'),
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
$libvirt_postsave_cmd = undef,
$libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
$libvirt_vnc_postsave_cmd = undef,
$qemu_certificates_specs = hiera('qemu_certificates_specs', {}),
$qemu_postsave_cmd = undef,
$qdr_certificate_specs = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
$memcached_certificate_specs = hiera('tripleo::profile::base::memcached::certificate_specs', {}),
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
$redis_certificate_specs = hiera('redis_certificate_specs', {}),
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
$neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
$ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
$ceph_dashboard_certificate_specs = hiera('ceph_dashboard_certificate_specs', {}),
$ceph_rgw_certificate_specs = hiera('ceph_rgw_certificate_specs', {}),
$ovn_dbs_certificate_specs = hiera('ovn_dbs_certificate_specs', {}),
$ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),
$ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
$neutron_ovn_certificate_specs = hiera('neutron_ovn_certificate_specs', {}),
$ovn_octavia_certificate_specs = hiera('ovn_octavia_certificate_specs', {}),
$novnc_proxy_postsave_cmd = undef,
# Deprecated
$haproxy_postsave_cmd = undef,
$apache_postsave_cmd = undef,
) {
include certmonger
if $step == 1 {
# This is only needed for certmonger's local CA. For any other CA this
# operation (trusting the CA) should be done by the deployer.
if $certmonger_ca == 'local' {
include tripleo::certmonger::ca::local
}
# Remove haproxy_certificates_specs where hostname is empty.
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1905604
$haproxy_certificates_specs_filtered = $haproxy_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
unless empty($haproxy_certificates_specs_filtered) {
$reload_haproxy = ['systemctl reload tripleo_haproxy']
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
if defined(Class['::haproxy']) {
Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
}
} else {
$reload_haproxy = []
}
class { 'tripleo::certmonger::ca::crl' :
reload_cmds => $reload_haproxy,
}
Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
include tripleo::certmonger::ca::libvirt_vnc
include tripleo::certmonger::ca::qemu
# Remove apache_certificates_specs where hostname is empty.
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1811207
$apache_certificates_specs_filtered = $apache_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
unless empty($apache_certificates_specs_filtered) {
include tripleo::certmonger::apache_dirs
ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs_filtered)
}
unless empty($libvirt_certificates_specs) {
include tripleo::certmonger::libvirt_dirs
ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs,
{'postsave_cmd' => $libvirt_postsave_cmd})
}
unless empty($libvirt_vnc_certificates_specs) {
include tripleo::certmonger::libvirt_vnc_dirs
ensure_resources('tripleo::certmonger::libvirt_vnc', $libvirt_vnc_certificates_specs,
{'postsave_cmd' => $libvirt_vnc_postsave_cmd})
}
unless empty($qemu_certificates_specs) {
include tripleo::certmonger::qemu_dirs
include tripleo::certmonger::qemu_nbd_dirs
ensure_resources('tripleo::certmonger::qemu', $qemu_certificates_specs,
{'postsave_cmd' => $qemu_postsave_cmd})
}
unless empty($haproxy_certificates_specs_filtered) {
include tripleo::certmonger::haproxy_dirs
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs_filtered)
# The haproxy fronends (or listen resources) depend on the certificate
# existing and need to be refreshed if it changed.
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
}
unless empty($qdr_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::metrics_qdr', $qdr_certificate_specs)
}
unless empty($memcached_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::memcached', $memcached_certificate_specs)
}
unless empty($mysql_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
}
unless empty($rabbitmq_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
}
unless empty($redis_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::redis', $redis_certificate_specs)
}
unless empty($etcd_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
}
unless empty($neutron_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)
}
unless empty($novnc_proxy_certificates_specs) {
ensure_resource('class', 'tripleo::certmonger::novnc_proxy', $novnc_proxy_certificates_specs,
{'postsave_cmd' => $novnc_proxy_postsave_cmd})
}
unless empty($ceph_grafana_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ceph_grafana', $ceph_grafana_certificate_specs)
}
unless empty($ceph_dashboard_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ceph_dashboard', $ceph_dashboard_certificate_specs)
}
unless empty($ceph_rgw_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ceph_rgw', $ceph_rgw_certificate_specs)
}
unless empty($ovn_dbs_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
}
unless empty($ovn_controller_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ovn_controller', $ovn_controller_certificate_specs)
}
unless empty($ovn_metadata_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ovn_metadata', $ovn_metadata_certificate_specs)
}
unless empty($neutron_ovn_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
}
unless empty($ovn_octavia_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ovn_octavia', $ovn_octavia_certificate_specs)
}
}
}

View File

@ -0,0 +1,6 @@
---
deprecations:
- |
Remove support for puppet_certmonger. All certificates are now managed by
the linux-system-roles.certificate ansible role configured from each
service's heat template. ::tripleo::certmonger puppet files are removed.

View File

@ -1,116 +0,0 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::ca::crl' do
shared_examples_for 'tripleo::certmonger::ca::crl' do
context 'with default parameters (no crl_source)' do
it 'should ensure no CRL nor cron job are present' do
is_expected.not_to contain_exec('tripleo-ca-crl')
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
:ensure => 'absent'
)
end
end
context 'with defined CRL source' do
let :params do
{
:crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
:crl_preprocessed => '/etc/pki/CA/crl/overcloud-crl.bin',
:crl_source => 'file://tmp/some/crl.bin',
}
end
let :process_cmd do
"openssl crl -in #{params[:crl_preprocessed]} -inform DER -outform PEM -out #{params[:crl_dest]}"
end
let :cron_cmd do
"curl -g -s -L -o #{params[:crl_preprocessed]} #{params[:crl_source]} && #{process_cmd}"
end
it 'should create and process CRL file' do
is_expected.to contain_exec('tripleo-ca-crl').with(
:command => "curl -Ls --connect-timeout 120 -o #{params[:crl_preprocessed]} #{params[:crl_source]}",
:tries => 5,
:try_sleep => 5
)
is_expected.to contain_file('tripleo-ca-crl-file').with(
:group => 'root',
:mode => '0644',
:owner => 'root',
:path => "#{params[:crl_preprocessed]}"
)
is_expected.to contain_exec('tripleo-ca-crl-process-command').with(
:command => process_cmd
)
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
:ensure => 'present',
:command => cron_cmd
)
end
end
context 'with defined CRL source and no processing' do
let :params do
{
:crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
:crl_source => 'file://tmp/some/crl.pem',
:process => false
}
end
let :cron_cmd do
"curl -g -s -L -o #{params[:crl_dest]} #{params[:crl_source]}"
end
it 'should create and process CRL file' do
is_expected.to contain_exec('tripleo-ca-crl').with(
:command => "curl -Ls --connect-timeout 120 -o #{params[:crl_dest]} #{params[:crl_source]}",
:tries => 5,
:try_sleep => 5
)
is_expected.to contain_file('tripleo-ca-crl-file').with(
:group => 'root',
:mode => '0644',
:owner => 'root',
:path => "#{params[:crl_dest]}"
)
is_expected.to_not contain_exec('tripleo-ca-crl-process-command')
is_expected.to contain_cron('tripleo-refresh-crl-file').with(
:ensure => 'present',
:command => cron_cmd
)
end
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::ca::crl'
end
end
end

View File

@ -1,57 +0,0 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::ca::local' do
shared_examples_for 'tripleo::certmonger::ca::local' do
let :pre_condition do
"include certmonger"
end
let :params do
{
:ca_pem => '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
}
end
it 'should extract CA cert' do
is_expected.to contain_exec('extract-and-trust-ca')
end
it 'set the correct permissions for the CA certificate file' do
is_expected.to contain_file(params[:ca_pem]).with(
:ensure => 'present',
:mode => '0644',
:owner => 'root'
)
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::ca::local'
end
end
end

View File

@ -1,82 +0,0 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::etcd' do
shared_examples_for 'tripleo::certmonger::etcd' do
let :params do
{
:hostname => 'localhost',
:service_certificate => '/etc/pki/cert.crt',
:service_key => '/etc/pki/key.pem',
}
end
context 'with defaults' do
it 'should include the base for using certmonger' do
is_expected.to contain_class('certmonger')
end
it 'should request a certificate' do
is_expected.to contain_certmonger_certificate('etcd').with(
:ensure => 'present',
:certfile => '/etc/pki/cert.crt',
:keyfile => '/etc/pki/key.pem',
:hostname => 'localhost',
:dnsname => 'localhost',
:principal => nil,
:postsave_cmd => nil,
:ca => 'local',
:wait => true,
)
is_expected.to contain_file('/etc/pki/cert.crt')
is_expected.to contain_file('/etc/pki/key.pem')
end
end
context 'with overrides' do
before :each do
params.merge!({
:certmonger_ca => 'IPA',
:dnsnames => 'host1,127.0.0.42',
:postsave_cmd => '/usr/bin/refresh_me.sh',
:principal => 'Principal_Lewis',
})
end
it 'should request a certificate with overrides' do
is_expected.to contain_certmonger_certificate('etcd').with(
:dnsname => 'host1,127.0.0.42',
:principal => 'Principal_Lewis',
:postsave_cmd => '/usr/bin/refresh_me.sh',
:ca => 'IPA',
)
end
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::etcd'
end
end
end

View File

@ -1,60 +0,0 @@
#
# Copyright (C) 2020 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::memcached' do
shared_examples_for 'tripleo::certmonger::memcached' do
let :params do
{
:hostname => 'localhost',
:service_certificate => '/etc/pki/cert.crt',
:service_key => '/etc/pki/key.pem',
}
end
it 'should include the base for using certmonger' do
is_expected.to contain_class('certmonger')
end
it 'should request a certificate' do
is_expected.to contain_certmonger_certificate('memcached').with(
:ensure => 'present',
:certfile => '/etc/pki/cert.crt',
:keyfile => '/etc/pki/key.pem',
:hostname => 'localhost',
:dnsname => 'localhost',
:ca => 'local',
:wait => true,
)
is_expected.to contain_file('/etc/pki/cert.crt')
is_expected.to contain_file('/etc/pki/key.pem')
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::memcached'
end
end
end

View File

@ -1,58 +0,0 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::mysql' do
shared_examples_for 'tripleo::certmonger::mysql' do
let :params do
{
:hostname => 'localhost',
:service_certificate => '/etc/pki/cert.crt',
:service_key => '/etc/pki/key.pem',
}
end
it 'should include the base for using certmonger' do
is_expected.to contain_class('certmonger')
end
it 'should request a certificate' do
is_expected.to contain_certmonger_certificate('mysql').with(
:ensure => 'present',
:certfile => '/etc/pki/cert.crt',
:keyfile => '/etc/pki/key.pem',
:hostname => 'localhost',
:dnsname => 'localhost',
:ca => 'local',
:wait => true,
)
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::mysql'
end
end
end

View File

@ -1,68 +0,0 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::openvswitch' do
shared_examples_for 'tripleo::certmonger::openvswitch' do
let :params do
{
:hostname => 'localhost',
:service_certificate => '/etc/pki/cert.crt',
:service_key => '/etc/pki/key.pem',
}
end
it 'should include the base for using certmonger' do
is_expected.to contain_class('certmonger')
end
it 'should request a certificate' do
is_expected.to contain_certmonger_certificate('openvswitch').with(
:ensure => 'present',
:certfile => '/etc/pki/cert.crt',
:keyfile => '/etc/pki/key.pem',
:hostname => 'localhost',
:dnsname => 'localhost',
:ca => 'local',
:wait => true,
)
is_expected.to contain_file('/etc/pki/cert.crt').with(
:owner => 'openvswitch',
:group => 'hugetlbfs',
:require => 'Certmonger_certificate[openvswitch]'
)
is_expected.to contain_file('/etc/pki/key.pem').with(
:owner => 'openvswitch',
:group => 'hugetlbfs',
:require => 'Certmonger_certificate[openvswitch]'
)
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::openvswitch'
end
end
end

View File

@ -1,60 +0,0 @@
#
# Copyright (C) 2019 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::ovn_dbs' do
shared_examples_for 'tripleo::certmonger::ovn_dbs' do
let :params do
{
:hostname => 'localhost',
:service_certificate => '/etc/pki/cert.crt',
:service_key => '/etc/pki/key.pem',
}
end
it 'should include the base for using certmonger' do
is_expected.to contain_class('certmonger')
end
it 'should request a certificate' do
is_expected.to contain_certmonger_certificate('ovn_dbs').with(
:ensure => 'present',
:certfile => '/etc/pki/cert.crt',
:keyfile => '/etc/pki/key.pem',
:hostname => 'localhost',
:dnsname => 'localhost',
:ca => 'local',
:wait => true,
)
is_expected.to contain_file('/etc/pki/cert.crt')
is_expected.to contain_file('/etc/pki/key.pem')
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::ovn_dbs'
end
end
end

View File

@ -1,60 +0,0 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::rabbitmq' do
shared_examples_for 'tripleo::certmonger::rabbitmq' do
let :params do
{
:hostname => 'localhost',
:service_certificate => '/etc/pki/cert.crt',
:service_key => '/etc/pki/key.pem',
}
end
it 'should include the base for using certmonger' do
is_expected.to contain_class('certmonger')
end
it 'should request a certificate' do
is_expected.to contain_certmonger_certificate('rabbitmq').with(
:ensure => 'present',
:certfile => '/etc/pki/cert.crt',
:keyfile => '/etc/pki/key.pem',
:hostname => 'localhost',
:dnsname => 'localhost',
:ca => 'local',
:wait => true,
)
is_expected.to contain_file('/etc/pki/cert.crt')
is_expected.to contain_file('/etc/pki/key.pem')
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::rabbitmq'
end
end
end

View File

@ -1,65 +0,0 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::httpd' do
let(:title) { 'httpd-cert' }
shared_examples_for 'tripleo::certmonger::httpd' do
let :params do
{
:name => 'httpd-cert',
:hostname => 'localhost',
:service_certificate => '/etc/pki/cert.crt',
:service_key => '/etc/pki/key.pem',
}
end
it 'should include the base for using certmonger' do
is_expected.to contain_class('certmonger')
end
it 'should include the httpd parameters' do
is_expected.to contain_class('apache::params')
end
it 'should request a certificate' do
is_expected.to contain_certmonger_certificate('httpd-cert').with(
:ensure => 'present',
:certfile => '/etc/pki/cert.crt',
:keyfile => '/etc/pki/key.pem',
:hostname => 'localhost',
:dnsname => 'localhost',
:ca => 'local',
:wait => true,
)
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::httpd'
end
end
end