From 48832c961cd6866698c1e7585634381c43decc66 Mon Sep 17 00:00:00 2001 
From: Grzegorz Grasza Date: Mon, 25 Jan 2021 13:49:56 +0100 Subject: [PATCH] Remove puppet-certmonger related puppet-files Implements: blueprint ansible-certmonger Depends-On: https://review.opendev.org/771832 Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/786053 Change-Id: I5305bce78e9bbf382b00e3f3b5803b983a059db7 --- Puppetfile_extras | 4 - files/certmonger-dashboard-refresh.sh | 10 - files/certmonger-etcd-refresh.sh | 25 -- files/certmonger-grafana-refresh.sh | 9 - files/certmonger-haproxy-refresh.sh | 54 --- files/certmonger-memcached-refresh.sh | 20 -- files/certmonger-metrics-qdr-refresh.sh | 24 -- files/certmonger-neutron-dhcpd-refresh.sh | 21 -- files/certmonger-novnc-proxy-refresh.sh | 17 - files/certmonger-rabbitmq-refresh.sh | 17 - files/certmonger-redis-refresh.sh | 14 - files/certmonger-rgw-refresh.sh | 9 - files/cm_ipa_subca_wrapper.py | 74 ---- manifests/certmonger/apache_dirs.pp | 55 --- manifests/certmonger/ca/crl.pp | 165 --------- manifests/certmonger/ca/libvirt_vnc.pp | 65 ---- manifests/certmonger/ca/local.pp | 45 --- manifests/certmonger/ca/qemu.pp | 65 ---- manifests/certmonger/ceph_dashboard.pp | 87 ----- manifests/certmonger/ceph_grafana.pp | 87 ----- manifests/certmonger/ceph_rgw.pp | 123 ------- manifests/certmonger/etcd.pp | 92 ----- manifests/certmonger/haproxy.pp | 159 --------- manifests/certmonger/haproxy_dirs.pp | 55 --- manifests/certmonger/httpd.pp | 86 ----- manifests/certmonger/libvirt.pp | 86 ----- manifests/certmonger/libvirt_dirs.pp | 56 --- manifests/certmonger/libvirt_vnc.pp | 122 ------- manifests/certmonger/libvirt_vnc_dirs.pp | 56 --- manifests/certmonger/memcached.pp | 85 ----- manifests/certmonger/metrics_qdr.pp | 89 ----- manifests/certmonger/mysql.pp | 78 ----- manifests/certmonger/neutron.pp | 84 ----- manifests/certmonger/neutron_ovn.pp | 76 ----- manifests/certmonger/novnc_proxy.pp | 97 ------ manifests/certmonger/openvswitch.pp | 80 ----- manifests/certmonger/ovn_controller.pp | 76 ----- 
manifests/certmonger/ovn_dbs.pp | 75 ---- manifests/certmonger/ovn_metadata.pp | 76 ----- manifests/certmonger/ovn_octavia.pp | 76 ----- manifests/certmonger/qemu.pp | 108 ------ manifests/certmonger/qemu_dirs.pp | 41 --- manifests/certmonger/qemu_nbd_dirs.pp | 42 --- manifests/certmonger/rabbitmq.pp | 84 ----- manifests/certmonger/redis.pp | 91 ----- manifests/profile/base/certmonger_user.pp | 322 ------------------ ...ve_puppet_certmonger-843205d2ef88d6e4.yaml | 6 + .../classes/tripleo_certmonger_ca_crl_spec.rb | 116 ------- .../tripleo_certmonger_ca_local_spec.rb | 57 ---- spec/classes/tripleo_certmonger_etcd_spec.rb | 82 ----- .../tripleo_certmonger_memcached_spec.rb | 60 ---- spec/classes/tripleo_certmonger_mysql_spec.rb | 58 ---- .../tripleo_certmonger_openvswitch_spec.rb | 68 ---- .../tripleo_certmonger_ovn_dbs_spec.rb | 60 ---- .../tripleo_certmonger_rabbitmq_spec.rb | 60 ---- spec/defines/tripleo_certmonger_httpd_spec.rb | 65 ---- 56 files changed, 6 insertions(+), 3908 deletions(-) delete mode 100644 files/certmonger-dashboard-refresh.sh delete mode 100644 files/certmonger-etcd-refresh.sh delete mode 100644 files/certmonger-grafana-refresh.sh delete mode 100644 files/certmonger-haproxy-refresh.sh delete mode 100644 files/certmonger-memcached-refresh.sh delete mode 100644 files/certmonger-metrics-qdr-refresh.sh delete mode 100644 files/certmonger-neutron-dhcpd-refresh.sh delete mode 100644 files/certmonger-novnc-proxy-refresh.sh delete mode 100644 files/certmonger-rabbitmq-refresh.sh delete mode 100644 files/certmonger-redis-refresh.sh delete mode 100644 files/certmonger-rgw-refresh.sh delete mode 100644 files/cm_ipa_subca_wrapper.py delete mode 100644 manifests/certmonger/apache_dirs.pp delete mode 100644 manifests/certmonger/ca/crl.pp delete mode 100644 manifests/certmonger/ca/libvirt_vnc.pp delete mode 100644 manifests/certmonger/ca/local.pp delete mode 100644 manifests/certmonger/ca/qemu.pp delete mode 100644 manifests/certmonger/ceph_dashboard.pp 
delete mode 100644 manifests/certmonger/ceph_grafana.pp delete mode 100644 manifests/certmonger/ceph_rgw.pp delete mode 100644 manifests/certmonger/etcd.pp delete mode 100644 manifests/certmonger/haproxy.pp delete mode 100644 manifests/certmonger/haproxy_dirs.pp delete mode 100644 manifests/certmonger/httpd.pp delete mode 100644 manifests/certmonger/libvirt.pp delete mode 100644 manifests/certmonger/libvirt_dirs.pp delete mode 100644 manifests/certmonger/libvirt_vnc.pp delete mode 100644 manifests/certmonger/libvirt_vnc_dirs.pp delete mode 100644 manifests/certmonger/memcached.pp delete mode 100644 manifests/certmonger/metrics_qdr.pp delete mode 100644 manifests/certmonger/mysql.pp delete mode 100644 manifests/certmonger/neutron.pp delete mode 100644 manifests/certmonger/neutron_ovn.pp delete mode 100644 manifests/certmonger/novnc_proxy.pp delete mode 100644 manifests/certmonger/openvswitch.pp delete mode 100644 manifests/certmonger/ovn_controller.pp delete mode 100644 manifests/certmonger/ovn_dbs.pp delete mode 100644 manifests/certmonger/ovn_metadata.pp delete mode 100644 manifests/certmonger/ovn_octavia.pp delete mode 100644 manifests/certmonger/qemu.pp delete mode 100644 manifests/certmonger/qemu_dirs.pp delete mode 100644 manifests/certmonger/qemu_nbd_dirs.pp delete mode 100644 manifests/certmonger/rabbitmq.pp delete mode 100644 manifests/certmonger/redis.pp delete mode 100644 manifests/profile/base/certmonger_user.pp create mode 100644 releasenotes/notes/remove_puppet_certmonger-843205d2ef88d6e4.yaml delete mode 100644 spec/classes/tripleo_certmonger_ca_crl_spec.rb delete mode 100644 spec/classes/tripleo_certmonger_ca_local_spec.rb delete mode 100644 spec/classes/tripleo_certmonger_etcd_spec.rb delete mode 100644 spec/classes/tripleo_certmonger_memcached_spec.rb delete mode 100644 spec/classes/tripleo_certmonger_mysql_spec.rb delete mode 100644 spec/classes/tripleo_certmonger_openvswitch_spec.rb delete mode 100644 
spec/classes/tripleo_certmonger_ovn_dbs_spec.rb
 delete mode 100644 spec/classes/tripleo_certmonger_rabbitmq_spec.rb
 delete mode 100644 spec/defines/tripleo_certmonger_httpd_spec.rb
diff --git a/Puppetfile_extras b/Puppetfile_extras
index 2db1bb2c8..e6e2c7785 100644
--- a/Puppetfile_extras
+++ b/Puppetfile_extras
@@ -33,10 +33,6 @@ mod 'fdio',
 :git => 'https://git.fd.io/puppet-fdio',
 :ref => 'master'
 
-mod 'certmonger',
- :git => 'https://github.com/saltedsignal/puppet-certmonger',
- :ref => 'v2.6.0'
-
 mod 'ptp',
 :git => 'https://github.com/redhat-nfvpe/ptp',
 :ref => 'master'
diff --git a/files/certmonger-dashboard-refresh.sh b/files/certmonger-dashboard-refresh.sh
deleted file mode 100644
index ef88416ae..000000000
--- a/files/certmonger-dashboard-refresh.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-# Get mgr systemd unit
-mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
-
-# Restart the mgr systemd unit
-if [ -n "$mgr_unit" ]; then
- systemctl restart "$mgr_unit"
-fi
-
diff --git a/files/certmonger-etcd-refresh.sh b/files/certmonger-etcd-refresh.sh
deleted file mode 100644
index 83bd06688..000000000
--- a/files/certmonger-etcd-refresh.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-
-# cinder uses etcd, so its containers also need to be refreshed
-container_names=$($container_cli ps --format="{{.Names}}" | grep -E 'cinder|etcd')
-
-service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_certificate)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_key)"
-
-kolla_dir="/var/lib/kolla/config_files/src-tls"
-
-# For each container, check whether the cert and key files need to be updated.
-# The check is necessary because the original THT design directly bind mounted
-# the files to their final location, and did not copy them in via $kolla_dir.
-# Regardless of whether the container is directly using the files, or a copy,
-# there's no need to trigger a reload because the cert is not cached.
-
-for container_name in ${container_names[*]}; do
- $container_cli exec -u root "$container_name" bash -c "
-[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
-[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
-true
-"
-done
diff --git a/files/certmonger-grafana-refresh.sh b/files/certmonger-grafana-refresh.sh
deleted file mode 100644
index fb1680c8d..000000000
--- a/files/certmonger-grafana-refresh.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-# Get grafana systemd unit
-grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
-
-# Restart the grafana systemd unit
-if [ -z "$grafana_unit" ]; then
- systemctl restart "$grafana_unit"
-fi
diff --git a/files/certmonger-haproxy-refresh.sh b/files/certmonger-haproxy-refresh.sh
deleted file mode 100644
index f2da7941e..000000000
--- a/files/certmonger-haproxy-refresh.sh
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/bash
-
-# This script is meant to reload HAProxy when certmonger triggers a certificate
-# renewal. It'll concatenate the needed certificates for the PEM file that
-# HAProxy reads.
-
-die() { echo "$*" 1>&2 ; exit 1; }
-
-[[ $# -eq 2 ]] || die "Invalid number of arguments"
-[[ $1 == @(reload|restart) ]] || die "First argument must be one of 'reload' or 'restart'."
-
-
-ACTION=$1
-NETWORK=$2
-
-certmonger_ca=$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.crt"
-service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir)/overcloud-haproxy-$NETWORK.key"
-ca_path=""
-
-if [ "$certmonger_ca" == "local" ]; then
- ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
-elif [ "$certmonger_ca" == "IPA" ]; then
- ca_path="/etc/ipa/ca.crt"
-fi
-
-if [ "$NETWORK" != "external" ]; then
- service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.pem"
-else
- service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
-fi
-
-cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
-
-haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
-
-if [ "$ACTION" == "reload" ]; then
- # Refresh the cert at the mount-point
- $container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
-
- # Copy the new cert from the mount-point to the real path
- $container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
-
- # Set appropriate permissions
- $container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
-
- # Trigger a reload for HAProxy to read the new certificates
- $container_cli kill --signal HUP "$haproxy_container_name"
-elif [ "$ACTION" == "restart" ]; then
- # Copying the certificate and permissions will be handled by kolla's start
- # script.
- $container_cli restart "$haproxy_container_name"
-fi
diff --git a/files/certmonger-memcached-refresh.sh b/files/certmonger-memcached-refresh.sh
deleted file mode 100644
index 86ddd56d6..000000000
--- a/files/certmonger-memcached-refresh.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-container_name=$($container_cli ps --format="{{.Names}}" | grep memcached)
-
-service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_certificate)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_key)"
-
-# Copy the new cert and key from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-
-# Set appropriate permissions
-$container_cli exec "$container_name" chown memcached:memcached "$service_certificate"
-$container_cli exec "$container_name" chown memcached:memcached "$service_key"
-
-# Send refresh_certs command to memcached
-memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen.0 127.0.0.1)"
-memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
-echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port
diff --git a/files/certmonger-metrics-qdr-refresh.sh b/files/certmonger-metrics-qdr-refresh.sh
deleted file mode 100644
index 849a4327a..000000000
--- a/files/certmonger-metrics-qdr-refresh.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-
-container_name=$($container_cli ps --format="{{.Names}}" | grep metrics_qdr)
-
-service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_certificate)"
-
-service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_key)"
-
-# Copy the new cert from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
-
-# Copy the new key from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-
-# Set appropriate permissions
-$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_certificate"
-
-$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
-
-# Trigger a container restart to read the new certificates
-$container_cli restart $container_name
diff --git a/files/certmonger-neutron-dhcpd-refresh.sh b/files/certmonger-neutron-dhcpd-refresh.sh
deleted file mode 100644
index 94379f239..000000000
--- a/files/certmonger-neutron-dhcpd-refresh.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-
-container_name=$($container_cli ps --format="{{.Names}}" | grep neutron_dhcp)
-
-# The certificate is also installed on the computes, but neutron_dhcp is only
-# present on the controllers, so we exit if the container could not be found.
-[[ -z $container_name ]] && exit 0
-
-service_crt="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_cert_file)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_key_file)"
-
-# Copy the new cert from the mount-point to the real path
-$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
-
-# Copy the new key from the mount-point to the real path
-$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-
-# No need to trigger a reload for neutron dhcpd since the cert is not cached
diff --git a/files/certmonger-novnc-proxy-refresh.sh b/files/certmonger-novnc-proxy-refresh.sh
deleted file mode 100644
index 0a8b7faf0..000000000
--- a/files/certmonger-novnc-proxy-refresh.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-
-container_name=$($container_cli ps --format="{{.Names}}" | grep nova_vnc_proxy)
-
-service_crt="$(hiera -c /etc/puppet/hiera.yaml nova::cert)"
-service_key="$(hiera -c /etc/puppet/hiera.yaml nova::key)"
-
-# Copy the new cert from the mount-point to the real path
-$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
-
-# Copy the new key from the mount-point to the real path
-$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
-
-# No need to trigger a reload for novnc proxy since the cert is not cached
diff --git a/files/certmonger-rabbitmq-refresh.sh b/files/certmonger-rabbitmq-refresh.sh
deleted file mode 100644
index 9175727ab..000000000
--- a/files/certmonger-rabbitmq-refresh.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-
-container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
-
-service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
-
-# Copy the new cert from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
-
-# Set appropriate permissions
-$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
-
-# Trigger a pem cache clear in RabbitMQ to read the new certificates
-$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."
diff --git a/files/certmonger-redis-refresh.sh b/files/certmonger-redis-refresh.sh
deleted file mode 100644
index 7a0087e52..000000000
--- a/files/certmonger-redis-refresh.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-
-container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
-
-container_name=$($container_cli ps --format="{{.Names}}" | grep redis_tls_proxy)
-
-service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::redis::service_certificate)"
-
-# Copy the new cert from the mount-point to the real path
-$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
-
-# Trigger a reload for stunnel to read the new certificates
-pkill -o -HUP stunnel
diff --git a/files/certmonger-rgw-refresh.sh b/files/certmonger-rgw-refresh.sh
deleted file mode 100644
index 301385ffc..000000000
--- a/files/certmonger-rgw-refresh.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-# Get ceph rgw systemd unit
-rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
-
-# Restart the rgw systemd unit
-if [ -n "$rgw_unit" ]; then
- systemctl restart "$rgw_unit"
-fi
diff --git a/files/cm_ipa_subca_wrapper.py b/files/cm_ipa_subca_wrapper.py
deleted file mode 100644
index f6fba89a9..000000000
--- a/files/cm_ipa_subca_wrapper.py
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/python
-try:
- import ConfigParser as configparser
-except ImportError:
- import configparser
-import os
-import sys
-import subprocess
-
-CM_SUBMIT_STATUS_ISSUED = 0
-CM_SUBMIT_STATUS_UNCONFIGURED = 4
-
-def main():
- if len(sys.argv) < 3:
- return CM_SUBMIT_STATUS_UNCONFIGURED
- sub_ca = sys.argv[1]
- wrapped_command = sys.argv[2:]
-
- operation = os.environ.get('CERTMONGER_OPERATION')
- os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA'
-
- if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa':
- config = configparser.ConfigParser()
- try:
- with open('/etc/ipa/default.conf') as fp:
- config.readfp(fp)
- except:
- return CM_SUBMIT_STATUS_UNCONFIGURED
- host = config.get('global', 'host')
- realm = config.get('global', 'realm')
- if host is None or realm is None:
- return CM_SUBMIT_STATUS_UNCONFIGURED
- principal = 'host/{}@{}'.format(host, realm)
- os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper'
- try:
- subprocess.check_call([
- '/usr/bin/kinit', '-k', principal
- ])
- except:
- return CM_SUBMIT_STATUS_UNCONFIGURED
-
- try:
- data = subprocess.check_output([
- '/usr/bin/ipa', 'ca-show', sub_ca
- ])
- except:
- return CM_SUBMIT_STATUS_ISSUED
-
- config = {}
- for line in data.split('\n'):
- line = line.strip()
- try:
- key, value = line.split(': ')
- except:
- continue
- config[key] = value
-
- if config.get('Name').lower() != sub_ca.lower():
- return CM_SUBMIT_STATUS_ISSUED
-
- print(realm, sub_ca, 'CA')
- print('-----BEGIN CERTIFICATE-----')
- certificate = config['Certificate']
- for i in range((len(certificate)/64) + 1):
- print(certificate[i*64:(i+1)*64])
- print('-----END CERTIFICATE-----')
- sys.stdout.flush()
- else:
- os.environ['CERTMONGER_CA_ISSUER'] = sub_ca
-
- os.execl(wrapped_command[0], *wrapped_command)
-
-if __name__ == '__main__':
- main()
diff --git a/manifests/certmonger/apache_dirs.pp b/manifests/certmonger/apache_dirs.pp
deleted file mode 100644
index 2588e4653..000000000
--- a/manifests/certmonger/apache_dirs.pp
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# : = Class: tripleo::certmonger::apache_dirs
-#
-# Creates the necessary directories for apache's certificates and keys in the
-# assigned locations if specified. It also assigns the correct SELinux tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where apache's certificates will be stored. If left
-# unspecified, it won't be created.
-# Defaults to undef
-#
-# [*key_dir*]
-# (Optional) Directory where apache's keys will be stored.
-# Defaults to undef
-#
-class tripleo::certmonger::apache_dirs(
- $certificate_dir = undef,
- $key_dir = undef,
-){
-
- if $certificate_dir {
- file { $certificate_dir :
- ensure => 'directory',
- selrole => 'object_r',
- seltype => 'cert_t',
- seluser => 'system_u',
- }
- File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
- }
-
- if $key_dir {
- file { $key_dir :
- ensure => 'directory',
- selrole => 'object_r',
- seltype => 'cert_t',
- seluser => 'system_u',
- }
- File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
- }
-}
diff --git a/manifests/certmonger/ca/crl.pp b/manifests/certmonger/ca/crl.pp
deleted file mode 100644
index ee879fe64..000000000
--- a/manifests/certmonger/ca/crl.pp
+++ /dev/null
@@ -1,165 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == class: tripleo::certmonger::ca::crl
-#
-# Class that downloads the appropriate CRL file from the CA. This can
-# furtherly be used by services in order for proper certificate revocation to
-# come into effect. The class also sets up a cron job that will refresh the CRL
-# once a week. Also, processing of the CRL file might be needed. e.g. most CAs
-# use DER format to distribute the CRLs, while services such as HAProxy expect
-# the CRL to be in PEM format.
-#
-# === Parameters
-#
-# [*crl_dest*]
-# (Optional) The file where the CRL file will be stored.
-# Defaults to '/etc/pki/CA/crl/overcloud-crl.pem'
-#
-# [*crl_source*]
-# (Optional) The URI where the CRL file will be fetched from.
-# Defaults to undef
-#
-# [*process*]
-# (Optional) Whether the CRL needs processing before being used. This means
-# transforming from DER to PEM format or viceversa. This is because most CRLs
-# by default come in DER format, so most likely it needs to be transformed.
-# Defaults to true
-#
-# [*crl_preprocessed*]
-# (Optional) The pre-processed CRL file which will be transformed.
-# Defaults to '/etc/pki/CA/crl/overcloud-crl.bin'
-#
-# [*crl_preprocessed_format*]
-# (Optional) The pre-processed CRL file's format which will be transformed.
-# Defaults to 'DER'
-#
-# [*minute*]
-# (optional) Defaults to '0'.
-#
-# [*hour*]
-# (optional) Defaults to '*/2'.
-#
-# [*monthday*]
-# (optional) Defaults to '*'.
-#
-# [*month*]
-# (optional) Defaults to '*'.
-#
-# [*weekday*]
-# (optional) Defaults to '6'.
-#
-# [*maxdelay*]
-# (optional) Seconds. Defaults to 0. Should be a positive integer.
-# Induces a random delay before running the cronjob to avoid running all
-# cron jobs at the same time on all hosts this job is configured.
-#
-# [*reload_cmds*]
-# (Optional) list of commands to be executed after fetching the CRL list in
-# the cron job. This will usually be a list of reload commands issued to
-# services that use the CRL.
-# Defaults to []
-#
-class tripleo::certmonger::ca::crl (
- $crl_dest = '/etc/pki/CA/crl/overcloud-crl.pem',
- $crl_source = undef,
- $process = true,
- $crl_preprocessed = '/etc/pki/CA/crl/overcloud-crl.bin',
- $crl_preprocessed_format = 'DER',
- $minute = '0',
- $hour = '*/2',
- $monthday = '*',
- $month = '*',
- $weekday = '*',
- $maxdelay = 0,
- $reload_cmds = [],
-) {
- if $process {
- $fetched_crl = $crl_preprocessed
- } else {
- $fetched_crl = $crl_dest
- }
-
- $esc_fetched_crl = shell_escape($fetched_crl)
- $esc_crl_src = shell_escape($crl_source)
-
- if $crl_source {
- $ensure = 'present'
- # LP(1787878): We need to use an explicit command instead of the file
- # resource, because puppet won't use query parameters when handling
- # redirects.
- # If FreeIPA is being installed in a similar time as the overcloud, the tries
- # and time in between tries gives it a chance to generate the CRL.
- exec {'tripleo-ca-crl':
- command => "curl -Ls --connect-timeout 120 -o ${esc_fetched_crl} ${esc_crl_src}",
- path => '/usr/bin/',
- creates => $fetched_crl,
- tries => 5,
- try_sleep => 5,
- } ~> file {'tripleo-ca-crl-file':
- group => 'root',
- mode => '0644',
- owner => 'root',
- path => $fetched_crl,
- }
- } else {
- $ensure = 'absent'
- }
-
- if $maxdelay == 0 {
- $sleep = ''
- } else {
- $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
- }
-
- if $process and $ensure == 'present' {
- $crl_dest_format = $crl_preprocessed_format ? {
- 'PEM' => 'DER',
- 'DER' => 'PEM'
- }
- # transform CRL from DER to PEM or viceversa
- $process_cmd = "openssl crl -in ${crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
- exec { 'tripleo-ca-crl-process-command' :
- command => $process_cmd,
- path => '/usr/bin',
- refreshonly => true,
- subscribe => [
- Exec['tripleo-ca-crl'],
- File['tripleo-ca-crl-file']
- ]
- }
- } else {
- $process_cmd = []
- }
-
- if $ensure == 'present' {
- # Fetch CRL in cron job and notify needed services
- $cmd_list = concat(["${sleep}curl -g -s -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
- $cron_cmd = join($cmd_list, ' && ')
- } else {
- $cron_cmd = absent
- }
-
- cron { 'tripleo-refresh-crl-file':
- ensure => $ensure,
- command => $cron_cmd,
- environment => 'PATH=/usr/bin:/bin SHELL=/bin/sh',
- user => 'root',
- minute => $minute,
- hour => $hour,
- monthday => $monthday,
- month => $month,
- weekday => $weekday,
- }
-}
diff --git a/manifests/certmonger/ca/libvirt_vnc.pp b/manifests/certmonger/ca/libvirt_vnc.pp
deleted file mode 100644
index b2c369a98..000000000
--- a/manifests/certmonger/ca/libvirt_vnc.pp
+++ /dev/null
@@ -1,65 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ca::libvirt_vnc
-#
-# Sets the necessary file that will be used libvirt vnc servers and
-# clients.
-#
-# === Parameters:
-#
-# [*origin_ca_pem*]
-# (Optional) Path to the CA certificate that libvirt vnc will use. This is not
-# assumed automatically or uses the system CA bundle as is the case of other
-# services because a limitation with the file sizes in GNU TLS, which libvirt
-# uses as a TLS backend.
-# Defaults to undef
-#
-# [*certmonger_ca*]
-# (Optional) The CA name that certmonger will use to generate VNC certificates.
-# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
-# added to the certmonger CA list.
-# Defaults to hiera('certmonger_ca_vnc', 'local').
-#
-class tripleo::certmonger::ca::libvirt_vnc(
- $origin_ca_pem = undef,
- $certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
-){
- if $origin_ca_pem {
- $ensure_file = 'link'
- } else {
- $ensure_file = 'absent'
- }
- file { '/etc/pki/libvirt-vnc/ca-cert.pem':
- ensure => $ensure_file,
- mode => '0644',
- target => $origin_ca_pem,
- }
-
- if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
- $wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
- $ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
- file { $wrapper_path:
- source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
- mode => '0755',
- notify => Service['certmonger']
- }
- -> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
- command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
- path => ['/usr/bin', '/bin'],
- unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
- notify => Service['certmonger']
- }
- }
-}
diff --git a/manifests/certmonger/ca/local.pp b/manifests/certmonger/ca/local.pp
deleted file mode 100644
index 7b89ab916..000000000
--- a/manifests/certmonger/ca/local.pp
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ca::local
-#
-# Does the necessary action to extract and trust certmonger's local CA.
-#
-# === Parameters:
-#
-# [*ca_pem*]
-# (optional) PEM file that will contain the local CA certificate.
-# Defaults to '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
-#
-class tripleo::certmonger::ca::local(
- $ca_pem = '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
-){
- $ca_pkcs12 = '/var/lib/certmonger/local/creds'
- $extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''"
- $trust_ca_cmd = 'update-ca-trust extract'
-
- file { "${ca_pem}":
- ensure => present,
- mode => '0644',
- owner => 'root',
- }
- exec { 'extract-and-trust-ca':
- command => "${extract_cmd} && ${trust_ca_cmd}",
- path => '/usr/bin',
- tries => 5,
- try_sleep => 1,
- notify => File[$ca_pem]
- }
- Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |>
-}
diff --git a/manifests/certmonger/ca/qemu.pp b/manifests/certmonger/ca/qemu.pp
deleted file mode 100644
index aa5ddb1b2..000000000
--- a/manifests/certmonger/ca/qemu.pp
+++ /dev/null
@@ -1,65 +0,0 @@ -# Copyright 2017 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::certmonger::ca::qemu -# -# Sets the necessary file that will be used by qemu servers and -# clients. -# -# === Parameters: -# -# [*origin_ca_pem*] -# (Optional) Path to the CA certificate that qemu will use. This is not -# assumed automatically or uses the system CA bundle as is the case of other -# services because a limitation with the file sizes in GNU TLS, which qemu -# uses as a TLS backend. -# Defaults to undef -# -# [*certmonger_ca*] -# (Optional) The CA name that certmonger will use to generate qemu certificates. -# If this is not local or IPA then is assumed to be an IPA sub-CA and will be -# added to the certmonger CA list. -# Defaults to hiera('certmonger_ca_qemu', 'local'). -# -class tripleo::certmonger::ca::qemu( - $origin_ca_pem = undef, - $certmonger_ca = hiera('certmonger_ca_qemu', 'local'), -){ - if $origin_ca_pem { - $ensure_file = 'link' - } else { - $ensure_file = 'absent' - } - file { '/etc/pki/qemu/ca-cert.pem': - ensure => $ensure_file, - mode => '0644', - target => $origin_ca_pem, - } - - if ! 
($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) { - $wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper' - $ipa_helper_path = '/usr/libexec/certmonger/ipa-submit' - file { $wrapper_path: - source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py', - mode => '0755', - notify => Service['certmonger'] - } - -> exec { "Add ${certmonger_ca} IPA subCA to certmonger": - command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'", - path => ['/usr/bin', '/bin'], - unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'", - notify => Service['certmonger'] - } - } -} diff --git a/manifests/certmonger/ceph_dashboard.pp b/manifests/certmonger/ceph_dashboard.pp deleted file mode 100644 index d4033adfa..000000000 --- a/manifests/certmonger/ceph_dashboard.pp +++ /dev/null 
@@ -1,87 +0,0 @@ -# Copyright 2019 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::certmonger::ceph_dashboard -# -# Request a certificate for Ceph Dashboard and do the necessary setup. -# -# === Parameters -# -# [*hostname*] -# The hostname of the node. this will be set in the CN of the certificate. -# -# [*service_certificate*] -# The path to the certificate that will be used for TLS in this service. -# -# [*service_key*] -# The path to the key that will be used for TLS in this service. -# -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# -# [*postsave_cmd*] -# (Optional) Specifies the command to execute after requesting a certificate. -# Defaults to undef. -# -# [*principal*] -# (Optional) The service principal that is set for the service in kerberos. -# Defaults to undef -# -# [*key_size*] -# (Optional) Specifies the private key size used when creating the certificate. -# Defaults to 2048bits. 
-# -class tripleo::certmonger::ceph_dashboard ( - $hostname, - $service_certificate, - $service_key, - $postsave_cmd = undef, - $certmonger_ca = hiera('certmonger_ca', 'local'), - $principal = undef, - $key_size = 2048, -) { - - ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', { - source => 'puppet:///modules/tripleo/certmonger-dashboard-refresh.sh', - mode => '0700', - seltype => 'bin_t', - notify => Service['certmonger'] - }) - - certmonger_certificate { 'ceph_dashboard' : - ensure => 'present', - certfile => $service_certificate, - keyfile => $service_key, - hostname => $hostname, - dnsname => $hostname, - principal => $principal, - postsave_cmd => $postsave_cmd, - ca => $certmonger_ca, - key_size => $key_size, - wait => true, - require => Class['::certmonger'], - } - - file { $service_certificate : - require => Certmonger_certificate['ceph_dashboard'], - owner => 472, - group => 472, - } - file { $service_key : - require => Certmonger_certificate['ceph_dashboard'], - owner => 472, - group => 472, - } -} diff --git a/manifests/certmonger/ceph_grafana.pp b/manifests/certmonger/ceph_grafana.pp deleted file mode 100644 index ad1a94c88..000000000 --- a/manifests/certmonger/ceph_grafana.pp +++ /dev/null 
@@ -1,87 +0,0 @@ -# Copyright 2019 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::certmonger::ceph_grafana -# -# Request a certificate for Ceph Grafana and do the necessary setup. -# -# === Parameters -# -# [*hostname*] -# The hostname of the node. this will be set in the CN of the certificate. -# -# [*service_certificate*] -# The path to the certificate that will be used for TLS in this service. -# -# [*service_key*] -# The path to the key that will be used for TLS in this service. -# -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# -# [*postsave_cmd*] -# (Optional) Specifies the command to execute after requesting a certificate. -# Defaults to undef. -# -# [*principal*] -# (Optional) The service principal that is set for the service in kerberos. -# Defaults to undef -# -# [*key_size*] -# (Optional) Specifies the private key size used when creating the certificate. -# Defaults to 2048bits. 
-# -class tripleo::certmonger::ceph_grafana ( - $hostname, - $service_certificate, - $service_key, - $postsave_cmd = undef, - $certmonger_ca = hiera('certmonger_ca', 'local'), - $principal = undef, - $key_size = 2048, -) { - - ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', { - source => 'puppet:///modules/tripleo/certmonger-grafana-refresh.sh', - mode => '0700', - seltype => 'bin_t', - notify => Service['certmonger'] - }) - - certmonger_certificate { 'ceph_grafana' : - ensure => 'present', - certfile => $service_certificate, - keyfile => $service_key, - hostname => $hostname, - dnsname => $hostname, - principal => $principal, - postsave_cmd => $postsave_cmd, - ca => $certmonger_ca, - key_size => $key_size, - wait => true, - require => Class['::certmonger'], - } - - file { $service_certificate : - require => Certmonger_certificate['ceph_grafana'], - owner => 472, - group => 472, - } - file { $service_key : - require => Certmonger_certificate['ceph_grafana'], - owner => 472, - group => 472, - } -} diff --git a/manifests/certmonger/ceph_rgw.pp b/manifests/certmonger/ceph_rgw.pp deleted file mode 100644 index b3a8b357d..000000000 --- a/manifests/certmonger/ceph_rgw.pp +++ /dev/null 
@@ -1,123 +0,0 @@ -# Copyright 2020 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::certmonger::ceph_rgw -# -# Request a certificate for Ceph RGW and do the necessary setup. -# -# === Parameters -# -# [*hostname*] -# The hostname of the node. this will be set in the CN of the certificate. -# -# [*service_pem*] -# The file in PEM format that the HAProxy service will use as a certificate. -# -# [*service_certificate*] -# The path to the certificate that will be used for TLS in this service. -# -# [*service_key*] -# The path to the key that will be used for TLS in this service. -# -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# -# [*postsave_cmd*] -# (Optional) Specifies the command to execute after requesting a certificate. -# Defaults to undef. -# -# [*principal*] -# (Optional) The service principal that is set for the service in kerberos. -# Defaults to undef -# -# [*key_size*] -# (Optional) Specifies the private key size used when creating the certificate. -# Defaults to 2048bits. 
-# -class tripleo::certmonger::ceph_rgw ( - $hostname, - $service_certificate, - $service_key, - $service_pem, - $postsave_cmd = undef, - $certmonger_ca = hiera('certmonger_ca', 'local'), - $principal = undef, - $key_size = 2048, -) { - - ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', { - source => 'puppet:///modules/tripleo/certmonger-rgw-refresh.sh', - mode => '0700', - seltype => 'bin_t', - notify => Service['certmonger'] - }) - - certmonger_certificate { 'ceph_rgw' : - ensure => 'present', - certfile => $service_certificate, - keyfile => $service_key, - hostname => $hostname, - dnsname => $hostname, - principal => $principal, - postsave_cmd => $postsave_cmd, - ca => $certmonger_ca, - key_size => $key_size, - wait => true, - require => Class['::certmonger'], - } - - concat { $service_pem : - ensure => present, - mode => '0640', - owner => 472, - group => 472, - tag => 'ceph-rgw-cert', - } - - concat::fragment { "${title}-cert-fragment": - target => $service_pem, - source => $service_certificate, - order => '01', - tag => 'ceph_rgw-cert', - require => Concat["${service_pem}"] - } - - if $certmonger_ca == 'local' { - $ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem') - concat::fragment { "${title}-ca-fragment": - target => $service_pem, - source => $ca_pem, - order => '10', - tag => 'ceph_rgw-cert', - require => [ Class['tripleo::certmonger::ca::local'], Concat::Fragment["${title}-cert-fragment"] ] - } - } elsif $certmonger_ca == 'IPA' { - concat::fragment { "${title}-ca-fragment": - target => $service_pem, - source => '/etc/ipa/ca.crt', - order => '10', - tag => 'ceph_rgw-cert', - require => Concat::Fragment["${title}-cert-fragment"] - } - } - - concat::fragment { "${title}-key-fragment": - target => $service_pem, - source => $service_key, - order => 20, - tag => 'ceph_rgw-cert', - require => Concat::Fragment["${title}-ca-fragment"], - } -} 
diff --git a/manifests/certmonger/etcd.pp b/manifests/certmonger/etcd.pp deleted file mode 100644 index 406c9729e..000000000 --- a/manifests/certmonger/etcd.pp +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright 2017 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::certmonger::etcd -# -# Request a certificate for the etcd service and do the necessary setup. -# -# === Parameters -# -# [*hostname*] -# The hostname of the node. this will be set in the CN of the certificate. -# -# [*service_certificate*] -# The path to the certificate that will be used for TLS in this service. -# -# [*service_key*] -# The path to the key that will be used for TLS in this service. -# -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# -# [*dnsnames*] -# (Optional) The DNS names that will be added for the SubjectAltNames entry -# in the certificate. -# Defaults to $hostname -# -# [*postsave_cmd*] -# (Optional) Specifies the command to execute after requesting a certificate. -# Defaults to undef -# -# [*principal*] -# (Optional) The haproxy service principal that is set for etcd in kerberos. -# Defaults to undef -# -# [*key_size*] -# (Optional) Specifies the private key size used when creating the certificate. -# Defaults to 2048bits. 
-# -class tripleo::certmonger::etcd ( - $hostname, - $service_certificate, - $service_key, - $certmonger_ca = hiera('certmonger_ca', 'local'), - $dnsnames = $hostname, - $postsave_cmd = undef, - $principal = undef, - $key_size = 2048, -) { - include certmonger - - ensure_resource('file', '/usr/bin/certmonger-etcd-refresh.sh', { - source => 'puppet:///modules/tripleo/certmonger-etcd-refresh.sh', - mode => '0700', - seltype => 'bin_t', - notify => Service['certmonger'] - }) - - certmonger_certificate { 'etcd' : - ensure => 'present', - certfile => $service_certificate, - keyfile => $service_key, - hostname => $hostname, - dnsname => $dnsnames, - principal => $principal, - postsave_cmd => $postsave_cmd, - key_size => $key_size, - ca => $certmonger_ca, - wait => true, - require => Class['::certmonger'], - } - file { $service_certificate : - require => Certmonger_certificate['etcd'], - } - file { $service_key : - require => Certmonger_certificate['etcd'], - } - - File[$service_certificate] ~> Service<| title == 'etcd' |> - File[$service_key] ~> Service<| title == 'etcd' |> -} diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp deleted file mode 100644 index 1064cbc62..000000000 --- a/manifests/certmonger/haproxy.pp +++ /dev/null 
@@ -1,159 +0,0 @@ -# Copyright 2016 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Resource: tripleo::certmonger::haproxy -# -# Request a certificate for the HAProxy service and does the necessary logic to -# get it into a format that the service understands. -# -# === Parameters -# -# [*service_pem*] -# The file in PEM format that the HAProxy service will use as a certificate. -# -# [*service_certificate*] -# The certificate file that certmonger will be tracking. -# -# [*service_key*] -# The key file that certmonger will use for the certificate. -# -# [*hostname*] -# The hostname that certmonger will use as the common name for the -# certificate. -# -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# -# [*dnsnames*] -# (Optional) The DNS names that will be added for the SubjectAltNames entry -# in the certificate. If left unset, the value will be set to the $hostname. -# Defaults to undef -# -# [*principal*] -# The haproxy service principal that is set for HAProxy in kerberos. -# -# [*postsave_cmd*] -# The post-save-command that certmonger will use once it renews the -# certificate. -# -# [*key_size*] -# (Optional) Specifies the private key size used when creating the certificate. -# Defaults to 2048bits. 
-# -define tripleo::certmonger::haproxy ( - $service_pem, - $service_certificate, - $service_key, - $hostname, - $certmonger_ca = hiera('certmonger_ca', 'local'), - $dnsnames = undef, - $principal = undef, - $postsave_cmd = undef, - $key_size = 2048, -){ - include certmonger - include haproxy::params - if $certmonger_ca == 'local' { - if defined(Class['::haproxy']) { - Class['::tripleo::certmonger::ca::local'] ~> Class['::haproxy'] - } - $principal_real = undef - } else { - $principal_real = $principal - } - - # If we have HAProxy in the resource catalog, we can use the haproxy user - # and group. - if defined(Class['::haproxy']) { - $cert_user = 'haproxy' - $cert_group = 'haproxy' - # If it's not in the resource catalog, it means that we're running in - # containers. So we have to rely on the container to set the appropriate - # permissions. - } else { - $cert_user = 'root' - $cert_group = 'root' - } - - if $dnsnames { - $dnsnames_real = $dnsnames - } else { - $dnsnames_real = $hostname - } - - ensure_resource('file', '/usr/bin/certmonger-haproxy-refresh.sh', { - source => 'puppet:///modules/tripleo/certmonger-haproxy-refresh.sh', - mode => '0700', - seltype => 'bin_t', - notify => Service['certmonger'] - }) - certmonger_certificate { "${title}-cert": - ensure => 'present', - ca => $certmonger_ca, - hostname => $hostname, - dnsname => $dnsnames_real, - certfile => $service_certificate, - keyfile => $service_key, - postsave_cmd => $postsave_cmd, - principal => $principal_real, - key_size => $key_size, - eku => ['id-kp-clientAuth', 'id-kp-serverAuth'], - wait => true, - tag => 'haproxy-cert', - require => Class['::certmonger'], - } - concat { $service_pem : - ensure => present, - mode => '0640', - owner => $cert_user, - group => $cert_group, - tag => 'haproxy-cert', - } - Package<| name == $::haproxy::params::package_name |> -> Concat[$service_pem] - - concat::fragment { "${title}-cert-fragment": - target => $service_pem, - source => $service_certificate, - order => 
'01', - tag => 'haproxy-cert', - require => Certmonger_certificate["${title}-cert"], - } - - if $certmonger_ca == 'local' { - $ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem') - concat::fragment { "${title}-ca-fragment": - target => $service_pem, - source => $ca_pem, - order => '10', - tag => 'haproxy-cert', - require => Class['tripleo::certmonger::ca::local'], - } - } elsif $certmonger_ca == 'IPA' { - concat::fragment { "${title}-ca-fragment": - target => $service_pem, - source => '/etc/ipa/ca.crt', - order => '10', - tag => 'haproxy-cert', - } - } - - concat::fragment { "${title}-key-fragment": - target => $service_pem, - source => $service_key, - order => 20, - tag => 'haproxy-cert', - require => Certmonger_certificate["${title}-cert"], - } -} diff --git a/manifests/certmonger/haproxy_dirs.pp b/manifests/certmonger/haproxy_dirs.pp deleted file mode 100644 index c85769f21..000000000 --- a/manifests/certmonger/haproxy_dirs.pp +++ /dev/null 
@@ -1,55 +0,0 @@ -# Copyright 2017 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# : = Class: tripleo::certmonger::haproxy_dirs -# -# Creates the necessary directories for haproxy's certificates and keys in the -# assigned locations if specified. It also assigns the correct SELinux tags. -# -# === Parameters: -# -# [*certificate_dir*] -# (Optional) Directory where haproxy's certificates will be stored. If left -# unspecified, it won't be created. -# Defaults to undef -# -# [*key_dir*] -# (Optional) Directory where haproxy's keys will be stored. -# Defaults to undef -# -class tripleo::certmonger::haproxy_dirs( - $certificate_dir = undef, - $key_dir = undef, -){ - - if $certificate_dir { - file { $certificate_dir : - ensure => 'directory', - selrole => 'object_r', - seltype => 'cert_t', - seluser => 'system_u', - } - File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |> - } - - if $key_dir { - file { $key_dir : - ensure => 'directory', - selrole => 'object_r', - seltype => 'cert_t', - seluser => 'system_u', - } - File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |> - } -} diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp deleted file mode 100644 index 5c1dec9e3..000000000 --- a/manifests/certmonger/httpd.pp +++ /dev/null 
@@ -1,86 +0,0 @@ -# Copyright 2016 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Resource: tripleo::certmonger::httpd -# -# Request a certificate for the httpd service and do the necessary setup. -# -# === Parameters -# -# [*hostname*] -# The hostname of the node. this will be set in the CN of the certificate. -# -# [*service_certificate*] -# The path to the certificate that will be used for TLS in this service. -# -# [*service_key*] -# The path to the key that will be used for TLS in this service. -# -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# -# [*dnsnames*] -# (Optional) The DNS names that will be added for the SubjectAltNames entry -# in the certificate. If left unset, the value will be set to the $hostname. -# Defaults to undef -# -# [*postsave_cmd*] -# (Optional) Specifies the command to execute after requesting a certificate. -# If nothing is given, it will default to: "systemctl restart ${service name}" -# Defaults to undef. -# -# [*principal*] -# The haproxy service principal that is set for HAProxy in kerberos. -# -# [*key_size*] -# (Optional) Specifies the private key size used when creating the certificate. -# Defaults to 2048bits. 
-# -define tripleo::certmonger::httpd ( - $hostname, - $service_certificate, - $service_key, - $certmonger_ca = hiera('certmonger_ca', 'local'), - $dnsnames = undef, - $postsave_cmd = undef, - $principal = undef, - $key_size = 2048, -) { - include certmonger - include apache::params - - if $dnsnames { - $dnsnames_real = $dnsnames - } else { - $dnsnames_real = $hostname - } - - certmonger_certificate { $name : - ensure => 'present', - certfile => $service_certificate, - keyfile => $service_key, - hostname => $hostname, - dnsname => $dnsnames_real, - principal => $principal, - postsave_cmd => $postsave_cmd, - ca => $certmonger_ca, - key_size => $key_size, - wait => true, - tag => 'apache-cert', - require => Class['::certmonger'], - } - - Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |> -} diff --git a/manifests/certmonger/libvirt.pp b/manifests/certmonger/libvirt.pp deleted file mode 100644 index 597c25c51..000000000 --- a/manifests/certmonger/libvirt.pp +++ /dev/null 
@@ -1,86 +0,0 @@ -# Copyright 2017 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Resource: tripleo::certmonger::libvirt -# -# Request a certificate for libvirt and do the necessary setup. -# -# === Parameters -# -# [*hostname*] -# The hostname of the node. this will be set in the CN of the certificate. -# -# [*service_certificate*] -# The path to the certificate that will be used for TLS in this service. -# -# [*service_key*] -# The path to the key that will be used for TLS in this service. -# -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca', 'local'). -# -# [*postsave_cmd*] -# (Optional) Specifies the command to execute after requesting a certificate. -# If nothing is given, it will default to: "systemctl reload ${service name}" -# Defaults to undef. -# -# [*principal*] -# (Optional) The service principal that is set for the service in kerberos. -# Defaults to undef -# -# [*key_size*] -# (Optional) Specifies the private key size used when creating the certificate. -# Defaults to 2048bits. 
-# -define tripleo::certmonger::libvirt ( - $hostname, - $service_certificate, - $service_key, - $certmonger_ca = hiera('certmonger_ca', 'local'), - $postsave_cmd = undef, - $principal = undef, - $key_size = 2048, -) { - include certmonger - include nova::params - - $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::nova::params::libvirt_service_name}") - certmonger_certificate { $name : - ensure => 'present', - certfile => $service_certificate, - keyfile => $service_key, - hostname => $hostname, - dnsname => $hostname, - principal => $principal, - postsave_cmd => $postsave_cmd_real, - ca => $certmonger_ca, - key_size => $key_size, - wait => true, - tag => 'libvirt-cert', - require => Class['::certmonger'], - } - - # Just register the files in puppet's resource catalog. Certmonger should - # give the right permissions. - file { $service_certificate : - require => Certmonger_certificate[$name], - } - file { $service_key : - require => Certmonger_certificate[$name], - } - - File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |> - File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |> -} diff --git a/manifests/certmonger/libvirt_dirs.pp b/manifests/certmonger/libvirt_dirs.pp deleted file mode 100644 index 68381585a..000000000 --- a/manifests/certmonger/libvirt_dirs.pp +++ /dev/null 
@@ -1,56 +0,0 @@ -# Copyright 2017 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::certmonger::libvirt_dirs -# -# Creates the necessary directories for libvirt's certificates and keys in the -# assigned locations if specified. It also assigns the correct SELinux tags. -# -# === Parameters: -# -# [*certificate_dir*] -# (Optional) Directory where libvirt's certificates will be stored. If left -# unspecified, it won't be created. -# Defaults to undef -# -# [*key_dir*] -# (Optional) Directory where libvirt's keys will be stored. -# Defaults to undef -# -class tripleo::certmonger::libvirt_dirs( - $certificate_dir = undef, - $key_dir = undef, -){ - - if $certificate_dir { - file { $certificate_dir : - ensure => 'directory', - selrole => 'object_r', - seltype => 'cert_t', - seluser => 'system_u', - } - File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |> - } - - if $key_dir { - file { $key_dir : - ensure => 'directory', - selrole => 'object_r', - seltype => 'cert_t', - seluser => 'system_u', - } - File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |> - } - -} diff --git a/manifests/certmonger/libvirt_vnc.pp b/manifests/certmonger/libvirt_vnc.pp deleted file mode 100644 index d7134879a..000000000 --- a/manifests/certmonger/libvirt_vnc.pp +++ /dev/null 
@@ -1,122 +0,0 @@ -# Copyright 2017 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Resource: tripleo::certmonger::libvirt_vnc -# -# Request a certificate for libvirt-vnc and do the necessary setup. -# -# === Parameters -# -# [*hostname*] -# The hostname of the node. this will be set in the CN of the certificate. -# -# [*service_certificate*] -# The path to the certificate that will be used for TLS in this service. -# -# [*service_key*] -# The path to the key that will be used for TLS in this service. -# -# [*certmonger_ca*] -# (Optional) The CA that certmonger will use to generate the certificates. -# Defaults to hiera('certmonger_ca_vnc', 'local'). -# -# [*postsave_cmd*] -# (Optional) Specifies the command to execute after requesting a certificate. -# If nothing is given, it will default to: "systemctl reload ${service name}" -# Defaults to undef. -# -# [*principal*] -# (Optional) The service principal that is set for the service in kerberos. -# Defaults to undef -# -# [*cacertfile*] -# (Optional) Specifies that path to write the CA cerftificate to. -# Defaults to undef -# -# [*notify_service*] -# (Optional) Service to reload when certificate is created/renewed -# Defaults to $::nova::params::libvirt_service_name -# -# [*key_size*] -# (Optional) Specifies the private key size used when creating the certificate. -# Defaults to 2048bits. 
-# -define tripleo::certmonger::libvirt_vnc ( - $hostname, - $service_certificate, - $service_key, - $certmonger_ca = hiera('certmonger_ca_vnc', 'local'), - $postsave_cmd = undef, - $principal = undef, - $cacertfile = undef, - $notify_service = undef, - $key_size = 2048, -) { - include certmonger - include nova::params - - $notify_service_real = pick($notify_service, $::nova::params::libvirt_service_name) - - $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${notify_service_real}") - - certmonger_certificate { $name : - ensure => 'present', - certfile => $service_certificate, - keyfile => $service_key, - hostname => $hostname, - dnsname => $hostname, - principal => $principal, - postsave_cmd => $postsave_cmd_real, - ca => $certmonger_ca, - key_size => $key_size, - cacertfile => $cacertfile, - wait => true, - tag => 'libvirt-cert', - require => Class['::certmonger'], - } - - if $cacertfile { - # Sometimes certmonger returns before creating the cacert file. This has - # been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281 - # Until this is fixed, add this workaround. - exec { $cacertfile : - require => Certmonger_certificate[$name], - command => "test -f ${cacertfile}", - unless => "test -f ${cacertfile}", - tries => 60, - try_sleep => 1, - timeout => 60, - path => '/usr/bin:/bin', - } - - file { $cacertfile : - require => Exec[$cacertfile], - mode => '0644' - } - ~> Service<| title == $notify_service_real |> - } - - file { $service_certificate : - require => Certmonger_certificate[$name], - mode => '0644' - } - file { $service_key : - require => Certmonger_certificate[$name], - group => 'qemu', - mode => '0640' - } - - File[$service_certificate] ~> Service<| title == $notify_service_real |> - File[$service_key] ~> Service<| title == $notify_service_real |> -} diff --git a/manifests/certmonger/libvirt_vnc_dirs.pp b/manifests/certmonger/libvirt_vnc_dirs.pp deleted file mode 100644 index d58ad58cc..000000000 
--- a/manifests/certmonger/libvirt_vnc_dirs.pp +++ /dev/null @@ -1,56 +0,0 @@ -# Copyright 2017 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# == Class: tripleo::certmonger::libvirt_vnc_dirs -# -# Creates the necessary directories for libvirt vnc certificates and keys in the -# assigned locations if specified. It also assigns the correct SELinux tags. -# -# === Parameters: -# -# [*certificate_dir*] -# (Optional) Directory where libvirt-vnc's certificates will be stored. If left -# unspecified, it won't be created. -# Defaults to undef -# -# [*key_dir*] -# (Optional) Directory where libvirt-vnc's keys will be stored. -# Defaults to undef -# -class tripleo::certmonger::libvirt_vnc_dirs( - $certificate_dir = undef, - $key_dir = undef, -){ - - if $certificate_dir { - file { $certificate_dir : - ensure => 'directory', - selrole => 'object_r', - seltype => 'cert_t', - seluser => 'system_u', - } - File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |> - } - - if $key_dir { - file { $key_dir : - ensure => 'directory', - selrole => 'object_r', - seltype => 'cert_t', - seluser => 'system_u', - } - File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |> - } - -} diff --git a/manifests/certmonger/memcached.pp b/manifests/certmonger/memcached.pp deleted file mode 100644 index 4c6c1f532..000000000 --- a/manifests/certmonger/memcached.pp +++ /dev/null 
@@ -1,85 +0,0 @@
-# Copyright 2020 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::memcached
-#
-# Request a certificate for Memcached and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl restart ${service name}"
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::memcached (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = '/usr/bin/certmonger-memcached-refresh.sh',
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- ensure_resource('file', '/usr/bin/certmonger-memcached-refresh.sh', {
- source => 'puppet:///modules/tripleo/certmonger-memcached-refresh.sh',
- mode => '0700',
- seltype => 'bin_t',
- notify => Service['certmonger']
- })
-
- certmonger_certificate { 'memcached' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
-
- file { $service_certificate :
- require => Certmonger_certificate['memcached'],
- }
- file { $service_key :
- require => Certmonger_certificate['memcached'],
- }
-}
diff --git a/manifests/certmonger/metrics_qdr.pp b/manifests/certmonger/metrics_qdr.pp
deleted file mode 100644
index b25ec9c56..000000000
--- a/manifests/certmonger/metrics_qdr.pp
+++ /dev/null
@@ -1,89 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::metrics_qdr
-#
-# Request a certificate for the MetricsQdr service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl restart ${service name}"
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for metrics_qdr in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::metrics_qdr (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
- include qdr::params
-
- ensure_resource('file', '/usr/bin/certmonger-metrics-qdr-refresh.sh', {
- source => 'puppet:///modules/tripleo/certmonger-metrics-qdr-refresh.sh',
- mode => '0700',
- seltype => 'bin_t',
- notify => Service['certmonger']
- })
-
- certmonger_certificate { 'metrics_qdr' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
-
- file { $service_certificate :
- require => Certmonger_certificate['metrics_qdr'],
- }
- file { $service_key :
- require => Certmonger_certificate['metrics_qdr'],
- }
-
- File[$service_certificate] ~> Service<| title == $::qdr::params::service_name |>
- File[$service_key] ~> Service<| title == $::qdr::params::service_name |>
-}
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
deleted file mode 100644
index 6e2bdcb9a..000000000
--- a/manifests/certmonger/mysql.pp
+++ /dev/null
@@ -1,78 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::mysql
-#
-# Request a certificate for the MySQL/Mariadb service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate. If left unset, the value will be set to the $hostname.
-# This parameter can take both a string or an array of strings.
-# Defaults to $hostname
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl restart ${service name}"
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for MySQL in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::mysql (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $dnsnames = $hostname,
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- certmonger_certificate { 'mysql' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $dnsnames,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
-}
diff --git a/manifests/certmonger/neutron.pp b/manifests/certmonger/neutron.pp
deleted file mode 100644
index 2c1d4c78f..000000000
--- a/manifests/certmonger/neutron.pp
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright 2018 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::neutron
-#
-# Request a certificate for the Neutron service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::neutron (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- ensure_resource('file', '/usr/bin/certmonger-neutron-dhcpd-refresh.sh', {
- source => 'puppet:///modules/tripleo/certmonger-neutron-dhcpd-refresh.sh',
- mode => '0700',
- seltype => 'bin_t',
- notify => Service['certmonger']
- })
-
- certmonger_certificate { 'neutron' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
- file { $service_certificate :
- require => Certmonger_certificate['neutron']
- }
- file { $service_key :
- require => Certmonger_certificate['neutron']
- }
-
- Certmonger_certificate['neutron'] ~> Service<| tag == 'neutron-service' |>
-}
diff --git a/manifests/certmonger/neutron_ovn.pp b/manifests/certmonger/neutron_ovn.pp
deleted file mode 100644
index f19e8f5b6..000000000
--- a/manifests/certmonger/neutron_ovn.pp
+++ /dev/null
@@ -1,76 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::neutron_ovn
-#
-# Request a certificate for the ovn_controller service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::neutron_ovn (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- certmonger_certificate { 'neutron_ovn' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
- file { $service_certificate :
- require => Certmonger_certificate['neutron_ovn']
- }
- file { $service_key :
- require => Certmonger_certificate['neutron_ovn']
- }
-
-}
diff --git a/manifests/certmonger/novnc_proxy.pp b/manifests/certmonger/novnc_proxy.pp
deleted file mode 100644
index 01ad59beb..000000000
--- a/manifests/certmonger/novnc_proxy.pp
+++ /dev/null
@@ -1,97 +0,0 @@
-# Copyright 2018 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::novnc_proxy
-#
-# Request a certificate for novnc_proxy and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*notify_service*]
-# (Optional) Service to reload when certificate is created/renewed
-# Defaults to $::nova::params::libvirt_service_name
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::novnc_proxy (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $notify_service = undef,
- $postsave_cmd = undef,
- $key_size = 2048,
- $principal = undef,
-) {
- include certmonger
- include nova::params
-
- $notify_service_real = pick($notify_service, $::nova::params::vncproxy_service_name)
-
- ensure_resource('file', '/usr/bin/certmonger-novnc-proxy-refresh.sh', {
- source => 'puppet:///modules/tripleo/certmonger-novnc-proxy-refresh.sh',
- mode => '0700',
- seltype => 'bin_t',
- notify => Service['certmonger']
- })
-
- certmonger_certificate { 'novnc-proxy' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- tag => 'novnc-proxy',
- require => Class['::certmonger'],
- }
-
- file { $service_certificate :
- require => Certmonger_certificate['novnc-proxy'],
- mode => '0644'
- }
- file { $service_key :
- require => Certmonger_certificate['novnc-proxy'],
- mode => '0640'
- }
-
- File[$service_certificate] ~> Service<| title == $notify_service_real |>
- File[$service_key] ~> Service<| title == $notify_service_real |>
-}
diff --git a/manifests/certmonger/openvswitch.pp b/manifests/certmonger/openvswitch.pp
deleted file mode 100644
index caab570ec..000000000
--- a/manifests/certmonger/openvswitch.pp
+++ /dev/null
@@ -1,80 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::openvswitch
-#
-# Request a certificate for the openvswitch service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to "systemctl reload openvswitch"
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for openvswitch in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::openvswitch (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = 'systemctl reload openvswitch',
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- certmonger_certificate { 'openvswitch' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
- file { $service_certificate :
- owner => 'openvswitch',
- group => 'hugetlbfs',
- require => Certmonger_certificate['openvswitch'],
- }
- file { $service_key :
- owner => 'openvswitch',
- group => 'hugetlbfs',
- require => Certmonger_certificate['openvswitch'],
- }
-}
diff --git a/manifests/certmonger/ovn_controller.pp b/manifests/certmonger/ovn_controller.pp
deleted file mode 100644
index 96b598230..000000000
--- a/manifests/certmonger/ovn_controller.pp
+++ /dev/null
@@ -1,76 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ovn_controller
-#
-# Request a certificate for the ovn_controller service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ovn_controller (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- certmonger_certificate { 'ovn_controller' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
- file { $service_certificate :
- require => Certmonger_certificate['ovn_controller']
- }
- file { $service_key :
- require => Certmonger_certificate['ovn_controller']
- }
-
-}
diff --git a/manifests/certmonger/ovn_dbs.pp b/manifests/certmonger/ovn_dbs.pp
deleted file mode 100644
index f28c221bd..000000000
--- a/manifests/certmonger/ovn_dbs.pp
+++ /dev/null
@@ -1,75 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ovn_sbdb
-#
-# Request a certificate for the ovn_sbdb service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ovn_dbs (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- certmonger_certificate { 'ovn_dbs' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
- file { $service_certificate :
- require => Certmonger_certificate['ovn_dbs']
- }
- file { $service_key :
- require => Certmonger_certificate['ovn_dbs']
- }
-}
diff --git a/manifests/certmonger/ovn_metadata.pp b/manifests/certmonger/ovn_metadata.pp
deleted file mode 100644
index e330286cf..000000000
--- a/manifests/certmonger/ovn_metadata.pp
+++ /dev/null
@@ -1,76 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ovn_metadata
-#
-# Request a certificate for the ovn_controller service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ovn_metadata (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- certmonger_certificate { 'ovn_metadata' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
- file { $service_certificate :
- require => Certmonger_certificate['ovn_metadata']
- }
- file { $service_key :
- require => Certmonger_certificate['ovn_metadata']
- }
-
-}
diff --git a/manifests/certmonger/ovn_octavia.pp b/manifests/certmonger/ovn_octavia.pp
deleted file mode 100644
index 42e3481f6..000000000
--- a/manifests/certmonger/ovn_octavia.pp
+++ /dev/null
@@ -1,76 +0,0 @@
-# Copyright 2020 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ovn_octavia
-#
-# Request a certificate for the ovn_controller service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ovn_octavia (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- certmonger_certificate { 'ovn_octavia' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
- file { $service_certificate :
- require => Certmonger_certificate['ovn_octavia']
- }
- file { $service_key :
- require => Certmonger_certificate['ovn_octavia']
- }
-
-}
diff --git a/manifests/certmonger/qemu.pp b/manifests/certmonger/qemu.pp
deleted file mode 100644
index fe53f02ac..000000000
--- a/manifests/certmonger/qemu.pp
+++ /dev/null
@@ -1,108 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Resource: tripleo::certmonger::qemu
-#
-# Request a certificate for quemu and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*cacertfile*]
-# (Optional) Specifies that path to write the CA cerftificate to.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-define tripleo::certmonger::qemu (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca_qemu', 'local'),
- $cacertfile = undef,
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
- include nova::params
-
- certmonger_certificate { $name :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- cacertfile => $cacertfile,
- wait => true,
- tag => 'qemu-cert',
- require => Class['::certmonger'],
- }
-
- if $cacertfile {
- # Sometimes certmonger returns before creating the cacert file. This has
- # been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281
- # Until this is fixed, add this workaround.
- exec { $cacertfile :
- require => Certmonger_certificate[$name],
- command => "test -f ${cacertfile}",
- unless => "test -f ${cacertfile}",
- tries => 60,
- try_sleep => 1,
- timeout => 60,
- path => '/usr/bin:/bin',
- }
-
- file { $cacertfile :
- require => Exec[$cacertfile],
- mode => '0644'
- }
- }
-
- file { $service_certificate :
- require => Certmonger_certificate[$name],
- mode => '0644'
- }
- file { $service_key :
- require => Certmonger_certificate[$name],
- group => 'qemu',
- mode => '0640'
- }
-}
diff --git a/manifests/certmonger/qemu_dirs.pp b/manifests/certmonger/qemu_dirs.pp
deleted file mode 100644
index 1f46a0f7a..000000000
--- a/manifests/certmonger/qemu_dirs.pp
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::qemu_dirs
-#
-# Creates the necessary directories for qemu certificates and keys in the
-# assigned locations if specified. It also assigns the correct SELinux tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where qemu server certificates will be stored. If left
-# unspecified, it won't be created.
-# Defaults to undef
-#
-class tripleo::certmonger::qemu_dirs(
- $certificate_dir = undef,
-){
-
- if $certificate_dir {
- file { $certificate_dir :
- ensure => 'directory',
- selrole => 'object_r',
- seltype => 'cert_t',
- seluser => 'system_u',
- }
- File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-server-cert' |>
- }
-
-}
diff --git a/manifests/certmonger/qemu_nbd_dirs.pp b/manifests/certmonger/qemu_nbd_dirs.pp
deleted file mode 100644
index 4ef2cc691..000000000
--- a/manifests/certmonger/qemu_nbd_dirs.pp
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::qemu_nbd_dirs
-#
-# Creates the necessary directories for qemu nbd client certificates and keys
-# in the assigned locations if specified. It also assigns the correct SELinux
-# tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where qemu-nbd's client certificates will be stored.
-# If left unspecified, it won't be created.
-# Defaults to undef
-#
-class tripleo::certmonger::qemu_nbd_dirs(
- $certificate_dir = undef,
-){
-
- if $certificate_dir {
- file { $certificate_dir :
- ensure => 'directory',
- selrole => 'object_r',
- seltype => 'cert_t',
- seluser => 'system_u',
- }
- File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-cert' |>
- }
-
-}
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
deleted file mode 100644
index 6ca9c9974..000000000
--- a/manifests/certmonger/rabbitmq.pp
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::rabbitmq
-#
-# Request a certificate for RabbitMQ and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::rabbitmq (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- ensure_resource('file', '/usr/bin/certmonger-rabbitmq-refresh.sh', {
- source => 'puppet:///modules/tripleo/certmonger-rabbitmq-refresh.sh',
- mode => '0700',
- seltype => 'bin_t',
- notify => Service['certmonger']
- })
-
- certmonger_certificate { 'rabbitmq' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $hostname,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
-
- file { $service_certificate :
- require => Certmonger_certificate['rabbitmq'],
- }
- file { $service_key :
- require => Certmonger_certificate['rabbitmq'],
- }
-}
diff --git a/manifests/certmonger/redis.pp b/manifests/certmonger/redis.pp
deleted file mode 100644
index 45e2b6f24..000000000
--- a/manifests/certmonger/redis.pp
+++ /dev/null
@@ -1,91 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::redis
-#
-# Request a certificate for Redis and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate. If left unset, the value will be set to the $hostname.
-# This parameter can take both a string or an array of strings.
-# Defaults to $hostname
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::redis (
- $hostname,
- $service_certificate,
- $service_key,
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $dnsnames = $hostname,
- $postsave_cmd = undef,
- $principal = undef,
- $key_size = 2048,
-) {
- include certmonger
-
- ensure_resource('file', '/usr/bin/certmonger-redis-refresh.sh', {
- source => 'puppet:///modules/tripleo/certmonger-redis-refresh.sh',
- mode => '0700',
- seltype => 'bin_t',
- notify => Service['certmonger']
- })
-
- certmonger_certificate { 'redis' :
- ensure => 'present',
- certfile => $service_certificate,
- keyfile => $service_key,
- hostname => $hostname,
- dnsname => $dnsnames,
- principal => $principal,
- postsave_cmd => $postsave_cmd,
- ca => $certmonger_ca,
- key_size => $key_size,
- wait => true,
- require => Class['::certmonger'],
- }
-
- file { $service_certificate :
- require => Certmonger_certificate['redis'],
- }
- file { $service_key :
- require => Certmonger_certificate['redis'],
- }
-}
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
deleted file mode 100644
index ae88feb03..000000000
--- a/manifests/profile/base/certmonger_user.pp
+++ /dev/null
@@ -1,322 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# == class: tripleo::profile::base::certmonger_user
-#
-# Profile that ensures that the relevant certmonger certificates have been
-# requested. The certificates come from the hiera set by the specific profiles
-# and come in a pre-defined format.
-# For a service that has several certificates (one per network name):
-# apache_certificates_specs:
-# httpd-internal_api:
-# hostname:
-# service_certificate:
-# service_key:
-# principal: "HTTP/"
-# For a service that uses a single certificate:
-# mysql_certificates_specs:
-# hostname:
-# service_certificate:
-# service_key:
-# principal: "mysql/"
-#
-# === Parameters
-#
-# [*step*]
-# (Optional) The current step in deployment. See tripleo-heat-templates
-# for more details.
-# Defaults to hiera('step')
-#
-# [*apache_certificates_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('apache_certificate_specs', {}).
-#
-# [*haproxy_certificates_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
-#
-# [*libvirt_certificates_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('libvirt_certificates_specs', {}).
-#
-# [*libvirt_postsave_cmd*]
-# (Optional) If set, it overrides the default way to restart libvirt when the
-# certificate is renewed.
-# Defaults to undef
-#
-# [*libvirt_vnc_certificates_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('libvirt_vnc_certificates_specs', {}).
-#
-# [*libvirt_vnc_postsave_cmd*]
-# (Optional) If set, it overrides the default way to restart services when the
-# certificate is renewed.
-# Defaults to undef
-#
-# [*qemu_certificates_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('qemu_certificates_specs', {}).
-#
-# [*qemu_postsave_cmd*]
-# (Optional) If set, it overrides the default way to restart services when the
-# certificate is renewed.
-# Defaults to undef
-#
-# [*qdr_certificate_specs*]
-# (Optional) The specifications to give to certmonger fot the certificate(s)
-# it will create.
-# Defaults to hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}).
-#
-# [*mysql_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
-#
-# [*memcached_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('tripleo::profile::base::memcached::certificate_specs', {}).
-#
-# [*rabbitmq_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
-#
-# [*redis_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('redis_certificate_specs', {}).
-#
-# [*ceph_grafana_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('ceph_grafana_certificate_specs', {}).
-#
-# [*ceph_dashboard_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('ceph_dashboard_certificate_specs', {}).
-#
-# [*ceph_rgw_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('ceph_rgw_certificate_specs', {}).
-#
-# [*etcd_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
-#
-# [*neutron_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('tripleo::profile::base::neutron::certificate_specs', {}).
-#
-# [*novnc_proxy_certificates_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('novnc_proxy_certificates_specs',{})
-#
-# [*novnc_proxy_postsave_cmd*]
-# (Optional) If set, it overrides the default way to restart novnc proxy when the
-# certificate is renewed.
-# Defaults to undef
-#
-# [*ovn_dbs_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('ovn_dbs_certificate_specs', {})
-#
-# [*ovn_controller_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('ovn_controller_certificate_specs', {})
-#
-# [*ovn_metadata_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('ovn_metadata_certificate_specs', {})
-#
-# [*neutron_ovn_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('neutron_ovn_certificate_specs', {})
-#
-# [*ovn_octavia_certificate_specs*]
-# (Optional) The specifications to give to certmonger for the certificate(s)
-# it will create.
-# Defaults to hiera('ovn_octavia_certificate_specs', {})
-#
-# === Deprecated
-#
-# [*haproxy_postsave_cmd*]
-# (Optional) If set, it overrides the default way to restart haproxy when the
-# certificate is renewed.
-# Defaults to undef
-#
-# [*apache_postsave_cmd*]
-# (Optional) If set, it overrides the default way to restart apache when the
-# certificate is renewed.
-# Defaults to undef
-#
-class tripleo::profile::base::certmonger_user (
- $step = Integer(hiera('step')),
- $certmonger_ca = hiera('certmonger_ca', 'local'),
- $apache_certificates_specs = hiera('apache_certificates_specs', {}),
- $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
- $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
- $libvirt_postsave_cmd = undef,
- $libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
- $libvirt_vnc_postsave_cmd = undef,
- $qemu_certificates_specs = hiera('qemu_certificates_specs', {}),
- $qemu_postsave_cmd = undef,
- $qdr_certificate_specs = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
- $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
- $memcached_certificate_specs = hiera('tripleo::profile::base::memcached::certificate_specs', {}),
- $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
- $redis_certificate_specs = hiera('redis_certificate_specs', {}),
- $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
- $neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
- $novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
- $ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
- $ceph_dashboard_certificate_specs = hiera('ceph_dashboard_certificate_specs', {}),
- $ceph_rgw_certificate_specs = hiera('ceph_rgw_certificate_specs', {}),
- $ovn_dbs_certificate_specs = hiera('ovn_dbs_certificate_specs', {}),
- $ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),
- $ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
- $neutron_ovn_certificate_specs = hiera('neutron_ovn_certificate_specs', {}),
- $ovn_octavia_certificate_specs = hiera('ovn_octavia_certificate_specs', {}),
- $novnc_proxy_postsave_cmd = undef,
- # Deprecated
- $haproxy_postsave_cmd = undef,
- $apache_postsave_cmd = undef,
-) {
- include certmonger
-
- if $step == 1 {
- # This is only needed for certmonger's local CA. For any other CA this
- # operation (trusting the CA) should be done by the deployer.
- if $certmonger_ca == 'local' {
- include tripleo::certmonger::ca::local
- }
-
- # Remove haproxy_certificates_specs where hostname is empty.
- # Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1905604
- $haproxy_certificates_specs_filtered = $haproxy_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
- unless empty($haproxy_certificates_specs_filtered) {
- $reload_haproxy = ['systemctl reload tripleo_haproxy']
- Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
- if defined(Class['::haproxy']) {
- Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
- }
- } else {
- $reload_haproxy = []
- }
- class { 'tripleo::certmonger::ca::crl' :
- reload_cmds => $reload_haproxy,
- }
- Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
- include tripleo::certmonger::ca::libvirt_vnc
- include tripleo::certmonger::ca::qemu
-
- # Remove apache_certificates_specs where hostname is empty.
- # Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1811207
- $apache_certificates_specs_filtered = $apache_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
- unless empty($apache_certificates_specs_filtered) {
- include tripleo::certmonger::apache_dirs
- ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs_filtered)
- }
- unless empty($libvirt_certificates_specs) {
- include tripleo::certmonger::libvirt_dirs
- ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs,
- {'postsave_cmd' => $libvirt_postsave_cmd})
- }
- unless empty($libvirt_vnc_certificates_specs) {
- include tripleo::certmonger::libvirt_vnc_dirs
- ensure_resources('tripleo::certmonger::libvirt_vnc', $libvirt_vnc_certificates_specs,
- {'postsave_cmd' => $libvirt_vnc_postsave_cmd})
- }
- unless empty($qemu_certificates_specs) {
- include tripleo::certmonger::qemu_dirs
- include tripleo::certmonger::qemu_nbd_dirs
- ensure_resources('tripleo::certmonger::qemu', $qemu_certificates_specs,
- {'postsave_cmd' => $qemu_postsave_cmd})
- }
- unless empty($haproxy_certificates_specs_filtered) {
- include tripleo::certmonger::haproxy_dirs
- ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs_filtered)
- # The haproxy fronends (or listen resources) depend on the certificate
- # existing and need to be refreshed if it changed.
- Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
- }
- unless empty($qdr_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::metrics_qdr', $qdr_certificate_specs)
- }
- unless empty($memcached_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::memcached', $memcached_certificate_specs)
- }
- unless empty($mysql_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
- }
- unless empty($rabbitmq_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
- }
- unless empty($redis_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::redis', $redis_certificate_specs)
- }
- unless empty($etcd_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
- }
- unless empty($neutron_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)
- }
- unless empty($novnc_proxy_certificates_specs) {
- ensure_resource('class', 'tripleo::certmonger::novnc_proxy', $novnc_proxy_certificates_specs,
- {'postsave_cmd' => $novnc_proxy_postsave_cmd})
- }
- unless empty($ceph_grafana_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::ceph_grafana', $ceph_grafana_certificate_specs)
- }
- unless empty($ceph_dashboard_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::ceph_dashboard', $ceph_dashboard_certificate_specs)
- }
- unless empty($ceph_rgw_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::ceph_rgw', $ceph_rgw_certificate_specs)
- }
- unless empty($ovn_dbs_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
- }
- unless empty($ovn_controller_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::ovn_controller', $ovn_controller_certificate_specs)
- }
- unless empty($ovn_metadata_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::ovn_metadata', $ovn_metadata_certificate_specs)
- }
- unless empty($neutron_ovn_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
- }
- unless empty($ovn_octavia_certificate_specs) {
- ensure_resource('class', 'tripleo::certmonger::ovn_octavia', $ovn_octavia_certificate_specs)
- }
- }
-}
diff --git a/releasenotes/notes/remove_puppet_certmonger-843205d2ef88d6e4.yaml b/releasenotes/notes/remove_puppet_certmonger-843205d2ef88d6e4.yaml
new file mode 100644
index 000000000..8b12d42c0
--- /dev/null
+++ b/releasenotes/notes/remove_puppet_certmonger-843205d2ef88d6e4.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+ - |
+ Remove support for puppet_certmonger. All certificates are now managed by
+ the linux-system-roles.certificate ansible role configured from each
+ service's heat template. ::tripleo::certmonger puppet files are removed.
diff --git a/spec/classes/tripleo_certmonger_ca_crl_spec.rb b/spec/classes/tripleo_certmonger_ca_crl_spec.rb
deleted file mode 100644
index 3c45a58bf..000000000
--- a/spec/classes/tripleo_certmonger_ca_crl_spec.rb
+++ /dev/null
@@ -1,116 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::ca::crl' do
-
- shared_examples_for 'tripleo::certmonger::ca::crl' do
-
- context 'with default parameters (no crl_source)' do
- it 'should ensure no CRL nor cron job are present' do
- is_expected.not_to contain_exec('tripleo-ca-crl')
- is_expected.to contain_cron('tripleo-refresh-crl-file').with(
- :ensure => 'absent'
- )
- end
- end
-
- context 'with defined CRL source' do
- let :params do
- {
- :crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
- :crl_preprocessed => '/etc/pki/CA/crl/overcloud-crl.bin',
- :crl_source => 'file://tmp/some/crl.bin',
- }
- end
-
- let :process_cmd do
- "openssl crl -in #{params[:crl_preprocessed]} -inform DER -outform PEM -out #{params[:crl_dest]}"
- end
-
- let :cron_cmd do
- "curl -g -s -L -o #{params[:crl_preprocessed]} #{params[:crl_source]} && #{process_cmd}"
- end
-
- it 'should create and process CRL file' do
- is_expected.to contain_exec('tripleo-ca-crl').with(
- :command => "curl -Ls --connect-timeout 120 -o #{params[:crl_preprocessed]} #{params[:crl_source]}",
- :tries => 5,
- :try_sleep => 5
- )
- is_expected.to contain_file('tripleo-ca-crl-file').with(
- :group => 'root',
- :mode => '0644',
- :owner => 'root',
- :path => "#{params[:crl_preprocessed]}"
- )
- is_expected.to contain_exec('tripleo-ca-crl-process-command').with(
- :command => process_cmd
- )
- is_expected.to contain_cron('tripleo-refresh-crl-file').with(
- :ensure => 'present',
- :command => cron_cmd
- )
- end
- end
-
- context 'with defined CRL source and no processing' do
- let :params do
- {
- :crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
- :crl_source => 'file://tmp/some/crl.pem',
- :process => false
- }
- end
-
- let :cron_cmd do
- "curl -g -s -L -o #{params[:crl_dest]} #{params[:crl_source]}"
- end
-
- it 'should create and process CRL file' do
- is_expected.to contain_exec('tripleo-ca-crl').with(
- :command => "curl -Ls --connect-timeout 120 -o #{params[:crl_dest]} #{params[:crl_source]}",
- :tries => 5,
- :try_sleep => 5
- )
- is_expected.to contain_file('tripleo-ca-crl-file').with(
- :group => 'root',
- :mode => '0644',
- :owner => 'root',
- :path => "#{params[:crl_dest]}"
- )
- is_expected.to_not contain_exec('tripleo-ca-crl-process-command')
- is_expected.to contain_cron('tripleo-refresh-crl-file').with(
- :ensure => 'present',
- :command => cron_cmd
- )
- end
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::ca::crl'
- end
- end
-end
diff --git a/spec/classes/tripleo_certmonger_ca_local_spec.rb b/spec/classes/tripleo_certmonger_ca_local_spec.rb
deleted file mode 100644
index 03d1516e9..000000000
--- a/spec/classes/tripleo_certmonger_ca_local_spec.rb
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::ca::local' do
-
- shared_examples_for 'tripleo::certmonger::ca::local' do
-
- let :pre_condition do
- "include certmonger"
- end
-
- let :params do
- {
- :ca_pem => '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
- }
- end
-
- it 'should extract CA cert' do
- is_expected.to contain_exec('extract-and-trust-ca')
- end
-
- it 'set the correct permissions for the CA certificate file' do
- is_expected.to contain_file(params[:ca_pem]).with(
- :ensure => 'present',
- :mode => '0644',
- :owner => 'root'
- )
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::ca::local'
- end
- end
-end
diff --git a/spec/classes/tripleo_certmonger_etcd_spec.rb b/spec/classes/tripleo_certmonger_etcd_spec.rb
deleted file mode 100644
index 7d0d25943..000000000
--- a/spec/classes/tripleo_certmonger_etcd_spec.rb
+++ /dev/null
@@ -1,82 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::etcd' do
-
- shared_examples_for 'tripleo::certmonger::etcd' do
- let :params do
- {
- :hostname => 'localhost',
- :service_certificate => '/etc/pki/cert.crt',
- :service_key => '/etc/pki/key.pem',
- }
- end
-
- context 'with defaults' do
- it 'should include the base for using certmonger' do
- is_expected.to contain_class('certmonger')
- end
-
- it 'should request a certificate' do
- is_expected.to contain_certmonger_certificate('etcd').with(
- :ensure => 'present',
- :certfile => '/etc/pki/cert.crt',
- :keyfile => '/etc/pki/key.pem',
- :hostname => 'localhost',
- :dnsname => 'localhost',
- :principal => nil,
- :postsave_cmd => nil,
- :ca => 'local',
- :wait => true,
- )
- is_expected.to contain_file('/etc/pki/cert.crt')
- is_expected.to contain_file('/etc/pki/key.pem')
- end
- end
- context 'with overrides' do
- before :each do
- params.merge!({
- :certmonger_ca => 'IPA',
- :dnsnames => 'host1,127.0.0.42',
- :postsave_cmd => '/usr/bin/refresh_me.sh',
- :principal => 'Principal_Lewis',
- })
- end
- it 'should request a certificate with overrides' do
- is_expected.to contain_certmonger_certificate('etcd').with(
- :dnsname => 'host1,127.0.0.42',
- :principal => 'Principal_Lewis',
- :postsave_cmd => '/usr/bin/refresh_me.sh',
- :ca => 'IPA',
- )
- end
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::etcd'
- end
- end
-end
diff --git a/spec/classes/tripleo_certmonger_memcached_spec.rb b/spec/classes/tripleo_certmonger_memcached_spec.rb
deleted file mode 100644
index a53c1d9c2..000000000
--- a/spec/classes/tripleo_certmonger_memcached_spec.rb
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Copyright (C) 2020 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::memcached' do
-
- shared_examples_for 'tripleo::certmonger::memcached' do
- let :params do
- {
- :hostname => 'localhost',
- :service_certificate => '/etc/pki/cert.crt',
- :service_key => '/etc/pki/key.pem',
- }
- end
-
- it 'should include the base for using certmonger' do
- is_expected.to contain_class('certmonger')
- end
-
- it 'should request a certificate' do
- is_expected.to contain_certmonger_certificate('memcached').with(
- :ensure => 'present',
- :certfile => '/etc/pki/cert.crt',
- :keyfile => '/etc/pki/key.pem',
- :hostname => 'localhost',
- :dnsname => 'localhost',
- :ca => 'local',
- :wait => true,
- )
- is_expected.to contain_file('/etc/pki/cert.crt')
- is_expected.to contain_file('/etc/pki/key.pem')
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::memcached'
- end
- end
-end
diff --git a/spec/classes/tripleo_certmonger_mysql_spec.rb b/spec/classes/tripleo_certmonger_mysql_spec.rb
deleted file mode 100644
index 27ef2592d..000000000
--- a/spec/classes/tripleo_certmonger_mysql_spec.rb
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::mysql' do
-
- shared_examples_for 'tripleo::certmonger::mysql' do
- let :params do
- {
- :hostname => 'localhost',
- :service_certificate => '/etc/pki/cert.crt',
- :service_key => '/etc/pki/key.pem',
- }
- end
-
- it 'should include the base for using certmonger' do
- is_expected.to contain_class('certmonger')
- end
-
- it 'should request a certificate' do
- is_expected.to contain_certmonger_certificate('mysql').with(
- :ensure => 'present',
- :certfile => '/etc/pki/cert.crt',
- :keyfile => '/etc/pki/key.pem',
- :hostname => 'localhost',
- :dnsname => 'localhost',
- :ca => 'local',
- :wait => true,
- )
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::mysql'
- end
- end
-end
diff --git a/spec/classes/tripleo_certmonger_openvswitch_spec.rb b/spec/classes/tripleo_certmonger_openvswitch_spec.rb
deleted file mode 100644
index 0061f1dab..000000000
--- a/spec/classes/tripleo_certmonger_openvswitch_spec.rb
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::openvswitch' do
-
- shared_examples_for 'tripleo::certmonger::openvswitch' do
- let :params do
- {
- :hostname => 'localhost',
- :service_certificate => '/etc/pki/cert.crt',
- :service_key => '/etc/pki/key.pem',
- }
- end
-
- it 'should include the base for using certmonger' do
- is_expected.to contain_class('certmonger')
- end
-
- it 'should request a certificate' do
- is_expected.to contain_certmonger_certificate('openvswitch').with(
- :ensure => 'present',
- :certfile => '/etc/pki/cert.crt',
- :keyfile => '/etc/pki/key.pem',
- :hostname => 'localhost',
- :dnsname => 'localhost',
- :ca => 'local',
- :wait => true,
- )
- is_expected.to contain_file('/etc/pki/cert.crt').with(
- :owner => 'openvswitch',
- :group => 'hugetlbfs',
- :require => 'Certmonger_certificate[openvswitch]'
- )
- is_expected.to contain_file('/etc/pki/key.pem').with(
- :owner => 'openvswitch',
- :group => 'hugetlbfs',
- :require => 'Certmonger_certificate[openvswitch]'
- )
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::openvswitch'
- end
- end
-end
diff --git a/spec/classes/tripleo_certmonger_ovn_dbs_spec.rb b/spec/classes/tripleo_certmonger_ovn_dbs_spec.rb
deleted file mode 100644
index 0c5cb608e..000000000
--- a/spec/classes/tripleo_certmonger_ovn_dbs_spec.rb
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Copyright (C) 2019 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::ovn_dbs' do
-
- shared_examples_for 'tripleo::certmonger::ovn_dbs' do
- let :params do
- {
- :hostname => 'localhost',
- :service_certificate => '/etc/pki/cert.crt',
- :service_key => '/etc/pki/key.pem',
- }
- end
-
- it 'should include the base for using certmonger' do
- is_expected.to contain_class('certmonger')
- end
-
- it 'should request a certificate' do
- is_expected.to contain_certmonger_certificate('ovn_dbs').with(
- :ensure => 'present',
- :certfile => '/etc/pki/cert.crt',
- :keyfile => '/etc/pki/key.pem',
- :hostname => 'localhost',
- :dnsname => 'localhost',
- :ca => 'local',
- :wait => true,
- )
- is_expected.to contain_file('/etc/pki/cert.crt')
- is_expected.to contain_file('/etc/pki/key.pem')
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::ovn_dbs'
- end
- end
-end
diff --git a/spec/classes/tripleo_certmonger_rabbitmq_spec.rb b/spec/classes/tripleo_certmonger_rabbitmq_spec.rb
deleted file mode 100644
index ca5d16d5c..000000000
--- a/spec/classes/tripleo_certmonger_rabbitmq_spec.rb
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::rabbitmq' do
-
- shared_examples_for 'tripleo::certmonger::rabbitmq' do
- let :params do
- {
- :hostname => 'localhost',
- :service_certificate => '/etc/pki/cert.crt',
- :service_key => '/etc/pki/key.pem',
- }
- end
-
- it 'should include the base for using certmonger' do
- is_expected.to contain_class('certmonger')
- end
-
- it 'should request a certificate' do
- is_expected.to contain_certmonger_certificate('rabbitmq').with(
- :ensure => 'present',
- :certfile => '/etc/pki/cert.crt',
- :keyfile => '/etc/pki/key.pem',
- :hostname => 'localhost',
- :dnsname => 'localhost',
- :ca => 'local',
- :wait => true,
- )
- is_expected.to contain_file('/etc/pki/cert.crt')
- is_expected.to contain_file('/etc/pki/key.pem')
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::rabbitmq'
- end
- end
-end
diff --git a/spec/defines/tripleo_certmonger_httpd_spec.rb b/spec/defines/tripleo_certmonger_httpd_spec.rb
deleted file mode 100644
index f01e594aa..000000000
--- a/spec/defines/tripleo_certmonger_httpd_spec.rb
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::httpd' do
-
- let(:title) { 'httpd-cert' }
-
- shared_examples_for 'tripleo::certmonger::httpd' do
- let :params do
- {
- :name => 'httpd-cert',
- :hostname => 'localhost',
- :service_certificate => '/etc/pki/cert.crt',
- :service_key => '/etc/pki/key.pem',
- }
- end
-
- it 'should include the base for using certmonger' do
- is_expected.to contain_class('certmonger')
- end
-
- it 'should include the httpd parameters' do
- is_expected.to contain_class('apache::params')
- end
-
- it 'should request a certificate' do
- is_expected.to contain_certmonger_certificate('httpd-cert').with(
- :ensure => 'present',
- :certfile => '/etc/pki/cert.crt',
- :keyfile => '/etc/pki/key.pem',
- :hostname => 'localhost',
- :dnsname => 'localhost',
- :ca => 'local',
- :wait => true,
- )
- end
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let(:facts) do
- facts.merge({})
- end
-
- it_behaves_like 'tripleo::certmonger::httpd'
- end
- end
-end