Remove puppet-certmonger related puppet-files
Implements: blueprint ansible-certmonger Depends-On: https://review.opendev.org/771832 Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/786053 Change-Id: I5305bce78e9bbf382b00e3f3b5803b983a059db7
parent
e3ebbb1143
commit
48832c961c
@ -33,10 +33,6 @@ mod 'fdio',
|
|||||||
:git => 'https://git.fd.io/puppet-fdio',
|
:git => 'https://git.fd.io/puppet-fdio',
|
||||||
:ref => 'master'
|
:ref => 'master'
|
||||||
|
|
||||||
mod 'certmonger',
|
|
||||||
:git => 'https://github.com/saltedsignal/puppet-certmonger',
|
|
||||||
:ref => 'v2.6.0'
|
|
||||||
|
|
||||||
mod 'ptp',
|
mod 'ptp',
|
||||||
:git => 'https://github.com/redhat-nfvpe/ptp',
|
:git => 'https://github.com/redhat-nfvpe/ptp',
|
||||||
:ref => 'master'
|
:ref => 'master'
|
||||||
|
@ -1,10 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Get mgr systemd unit
|
|
||||||
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
|
|
||||||
|
|
||||||
# Restart the mgr systemd unit
|
|
||||||
if [ -n "$mgr_unit" ]; then
|
|
||||||
systemctl restart "$mgr_unit"
|
|
||||||
fi
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
||||||
|
|
||||||
# cinder uses etcd, so its containers also need to be refreshed
|
|
||||||
container_names=$($container_cli ps --format="{{.Names}}" | grep -E 'cinder|etcd')
|
|
||||||
|
|
||||||
service_crt="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_certificate)"
|
|
||||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::etcd::certificate_specs.service_key)"
|
|
||||||
|
|
||||||
kolla_dir="/var/lib/kolla/config_files/src-tls"
|
|
||||||
|
|
||||||
# For each container, check whether the cert and key files need to be updated.
|
|
||||||
# The check is necessary because the original THT design directly bind mounted
|
|
||||||
# the files to their final location, and did not copy them in via $kolla_dir.
|
|
||||||
# Regardless of whether the container is directly using the files, or a copy,
|
|
||||||
# there's no need to trigger a reload because the cert is not cached.
|
|
||||||
|
|
||||||
for container_name in ${container_names[*]}; do
|
|
||||||
$container_cli exec -u root "$container_name" bash -c "
|
|
||||||
[[ -f ${kolla_dir}/${service_crt} ]] && cp ${kolla_dir}/${service_crt} $service_crt;
|
|
||||||
[[ -f ${kolla_dir}/${service_key} ]] && cp ${kolla_dir}/${service_key} $service_key;
|
|
||||||
true
|
|
||||||
"
|
|
||||||
done
|
|
@ -1,9 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Get grafana systemd unit
|
|
||||||
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
|
||||||
|
|
||||||
# Restart the grafana systemd unit
|
|
||||||
if [ -z "$grafana_unit" ]; then
|
|
||||||
systemctl restart "$grafana_unit"
|
|
||||||
fi
|
|
@ -1,54 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# This script is meant to reload HAProxy when certmonger triggers a certificate
|
|
||||||
# renewal. It'll concatenate the needed certificates for the PEM file that
|
|
||||||
# HAProxy reads.
|
|
||||||
|
|
||||||
die() { echo "$*" 1>&2 ; exit 1; }
|
|
||||||
|
|
||||||
[[ $# -eq 2 ]] || die "Invalid number of arguments"
|
|
||||||
[[ $1 == @(reload|restart) ]] || die "First argument must be one of 'reload' or 'restart'."
|
|
||||||
|
|
||||||
|
|
||||||
ACTION=$1
|
|
||||||
NETWORK=$2
|
|
||||||
|
|
||||||
certmonger_ca=$(hiera -c /etc/puppet/hiera.yaml certmonger_ca)
|
|
||||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
||||||
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.crt"
|
|
||||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir)/overcloud-haproxy-$NETWORK.key"
|
|
||||||
ca_path=""
|
|
||||||
|
|
||||||
if [ "$certmonger_ca" == "local" ]; then
|
|
||||||
ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
|
|
||||||
elif [ "$certmonger_ca" == "IPA" ]; then
|
|
||||||
ca_path="/etc/ipa/ca.crt"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$NETWORK" != "external" ]; then
|
|
||||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir)/overcloud-haproxy-$NETWORK.pem"
|
|
||||||
else
|
|
||||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat "$service_certificate" "$ca_path" "$service_key" > "$service_pem"
|
|
||||||
|
|
||||||
haproxy_container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
|
||||||
|
|
||||||
if [ "$ACTION" == "reload" ]; then
|
|
||||||
# Refresh the cert at the mount-point
|
|
||||||
$container_cli cp $service_pem "$haproxy_container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
|
||||||
|
|
||||||
# Copy the new cert from the mount-point to the real path
|
|
||||||
$container_cli exec "$haproxy_container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
|
||||||
|
|
||||||
# Set appropriate permissions
|
|
||||||
$container_cli exec "$haproxy_container_name" chown haproxy:haproxy "$service_pem"
|
|
||||||
|
|
||||||
# Trigger a reload for HAProxy to read the new certificates
|
|
||||||
$container_cli kill --signal HUP "$haproxy_container_name"
|
|
||||||
elif [ "$ACTION" == "restart" ]; then
|
|
||||||
# Copying the certificate and permissions will be handled by kolla's start
|
|
||||||
# script.
|
|
||||||
$container_cli restart "$haproxy_container_name"
|
|
||||||
fi
|
|
@ -1,20 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
||||||
container_name=$($container_cli ps --format="{{.Names}}" | grep memcached)
|
|
||||||
|
|
||||||
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_certificate)"
|
|
||||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_key)"
|
|
||||||
|
|
||||||
# Copy the new cert and key from the mount-point to the real path
|
|
||||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
|
|
||||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
|
||||||
|
|
||||||
# Set appropriate permissions
|
|
||||||
$container_cli exec "$container_name" chown memcached:memcached "$service_certificate"
|
|
||||||
$container_cli exec "$container_name" chown memcached:memcached "$service_key"
|
|
||||||
|
|
||||||
# Send refresh_certs command to memcached
|
|
||||||
memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen.0 127.0.0.1)"
|
|
||||||
memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
|
|
||||||
echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port
|
|
@ -1,24 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
|
|
||||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
||||||
|
|
||||||
container_name=$($container_cli ps --format="{{.Names}}" | grep metrics_qdr)
|
|
||||||
|
|
||||||
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_certificate)"
|
|
||||||
|
|
||||||
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::metrics::qdr::service_key)"
|
|
||||||
|
|
||||||
# Copy the new cert from the mount-point to the real path
|
|
||||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
|
|
||||||
|
|
||||||
# Copy the new key from the mount-point to the real path
|
|
||||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
|
||||||
|
|
||||||
# Set appropriate permissions
|
|
||||||
$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_certificate"
|
|
||||||
|
|
||||||
$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
|
||||||
|
|
||||||
# Trigger a container restart to read the new certificates
|
|
||||||
$container_cli restart $container_name
|
|
@ -1,21 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
|
|
||||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
||||||
|
|
||||||
container_name=$($container_cli ps --format="{{.Names}}" | grep neutron_dhcp)
|
|
||||||
|
|
||||||
# The certificate is also installed on the computes, but neutron_dhcp is only
|
|
||||||
# present on the controllers, so we exit if the container could not be found.
|
|
||||||
[[ -z $container_name ]] && exit 0
|
|
||||||
|
|
||||||
service_crt="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_cert_file)"
|
|
||||||
service_key="$(hiera -c /etc/puppet/hiera.yaml neutron::agents::dhcp::ovsdb_agent_ssl_key_file)"
|
|
||||||
|
|
||||||
# Copy the new cert from the mount-point to the real path
|
|
||||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
|
||||||
|
|
||||||
# Copy the new key from the mount-point to the real path
|
|
||||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
|
||||||
|
|
||||||
# No need to trigger a reload for neutron dhcpd since the cert is not cached
|
|
@ -1,17 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
|
|
||||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
||||||
|
|
||||||
container_name=$($container_cli ps --format="{{.Names}}" | grep nova_vnc_proxy)
|
|
||||||
|
|
||||||
service_crt="$(hiera -c /etc/puppet/hiera.yaml nova::cert)"
|
|
||||||
service_key="$(hiera -c /etc/puppet/hiera.yaml nova::key)"
|
|
||||||
|
|
||||||
# Copy the new cert from the mount-point to the real path
|
|
||||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
|
||||||
|
|
||||||
# Copy the new key from the mount-point to the real path
|
|
||||||
$container_cli exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
|
||||||
|
|
||||||
# No need to trigger a reload for novnc proxy since the cert is not cached
|
|
@ -1,17 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
|
|
||||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
||||||
|
|
||||||
container_name=$($container_cli ps --format="{{.Names}}" | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
|
||||||
|
|
||||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::rabbitmq::service_certificate)"
|
|
||||||
|
|
||||||
# Copy the new cert from the mount-point to the real path
|
|
||||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
|
||||||
|
|
||||||
# Set appropriate permissions
|
|
||||||
$container_cli exec "$container_name" chown rabbitmq:rabbitmq "$service_pem"
|
|
||||||
|
|
||||||
# Trigger a pem cache clear in RabbitMQ to read the new certificates
|
|
||||||
$container_cli exec $container_name rabbitmqctl eval "ssl:clear_pem_cache()."
|
|
@ -1,14 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
|
|
||||||
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
|
||||||
|
|
||||||
container_name=$($container_cli ps --format="{{.Names}}" | grep redis_tls_proxy)
|
|
||||||
|
|
||||||
service_pem="$(hiera -c /etc/puppet/hiera.yaml tripleo::redis::service_certificate)"
|
|
||||||
|
|
||||||
# Copy the new cert from the mount-point to the real path
|
|
||||||
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
|
||||||
|
|
||||||
# Trigger a reload for stunnel to read the new certificates
|
|
||||||
pkill -o -HUP stunnel
|
|
@ -1,9 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Get ceph rgw systemd unit
|
|
||||||
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
|
|
||||||
|
|
||||||
# Restart the rgw systemd unit
|
|
||||||
if [ -n "$rgw_unit" ]; then
|
|
||||||
systemctl restart "$rgw_unit"
|
|
||||||
fi
|
|
@ -1,74 +0,0 @@
|
|||||||
#!/usr/bin/python
|
|
||||||
try:
|
|
||||||
import ConfigParser as configparser
|
|
||||||
except ImportError:
|
|
||||||
import configparser
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
CM_SUBMIT_STATUS_ISSUED = 0
|
|
||||||
CM_SUBMIT_STATUS_UNCONFIGURED = 4
|
|
||||||
|
|
||||||
def main():
|
|
||||||
if len(sys.argv) < 3:
|
|
||||||
return CM_SUBMIT_STATUS_UNCONFIGURED
|
|
||||||
sub_ca = sys.argv[1]
|
|
||||||
wrapped_command = sys.argv[2:]
|
|
||||||
|
|
||||||
operation = os.environ.get('CERTMONGER_OPERATION')
|
|
||||||
os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA'
|
|
||||||
|
|
||||||
if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa':
|
|
||||||
config = configparser.ConfigParser()
|
|
||||||
try:
|
|
||||||
with open('/etc/ipa/default.conf') as fp:
|
|
||||||
config.readfp(fp)
|
|
||||||
except:
|
|
||||||
return CM_SUBMIT_STATUS_UNCONFIGURED
|
|
||||||
host = config.get('global', 'host')
|
|
||||||
realm = config.get('global', 'realm')
|
|
||||||
if host is None or realm is None:
|
|
||||||
return CM_SUBMIT_STATUS_UNCONFIGURED
|
|
||||||
principal = 'host/{}@{}'.format(host, realm)
|
|
||||||
os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper'
|
|
||||||
try:
|
|
||||||
subprocess.check_call([
|
|
||||||
'/usr/bin/kinit', '-k', principal
|
|
||||||
])
|
|
||||||
except:
|
|
||||||
return CM_SUBMIT_STATUS_UNCONFIGURED
|
|
||||||
|
|
||||||
try:
|
|
||||||
data = subprocess.check_output([
|
|
||||||
'/usr/bin/ipa', 'ca-show', sub_ca
|
|
||||||
])
|
|
||||||
except:
|
|
||||||
return CM_SUBMIT_STATUS_ISSUED
|
|
||||||
|
|
||||||
config = {}
|
|
||||||
for line in data.split('\n'):
|
|
||||||
line = line.strip()
|
|
||||||
try:
|
|
||||||
key, value = line.split(': ')
|
|
||||||
except:
|
|
||||||
continue
|
|
||||||
config[key] = value
|
|
||||||
|
|
||||||
if config.get('Name').lower() != sub_ca.lower():
|
|
||||||
return CM_SUBMIT_STATUS_ISSUED
|
|
||||||
|
|
||||||
print(realm, sub_ca, 'CA')
|
|
||||||
print('-----BEGIN CERTIFICATE-----')
|
|
||||||
certificate = config['Certificate']
|
|
||||||
for i in range((len(certificate)/64) + 1):
|
|
||||||
print(certificate[i*64:(i+1)*64])
|
|
||||||
print('-----END CERTIFICATE-----')
|
|
||||||
sys.stdout.flush()
|
|
||||||
else:
|
|
||||||
os.environ['CERTMONGER_CA_ISSUER'] = sub_ca
|
|
||||||
|
|
||||||
os.execl(wrapped_command[0], *wrapped_command)
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
main()
|
|
@ -1,55 +0,0 @@
|
|||||||
# Copyright 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# : = Class: tripleo::certmonger::apache_dirs
|
|
||||||
#
|
|
||||||
# Creates the necessary directories for apache's certificates and keys in the
|
|
||||||
# assigned locations if specified. It also assigns the correct SELinux tags.
|
|
||||||
#
|
|
||||||
# === Parameters:
|
|
||||||
#
|
|
||||||
# [*certificate_dir*]
|
|
||||||
# (Optional) Directory where apache's certificates will be stored. If left
|
|
||||||
# unspecified, it won't be created.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*key_dir*]
|
|
||||||
# (Optional) Directory where apache's keys will be stored.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::apache_dirs(
|
|
||||||
$certificate_dir = undef,
|
|
||||||
$key_dir = undef,
|
|
||||||
){
|
|
||||||
|
|
||||||
if $certificate_dir {
|
|
||||||
file { $certificate_dir :
|
|
||||||
ensure => 'directory',
|
|
||||||
selrole => 'object_r',
|
|
||||||
seltype => 'cert_t',
|
|
||||||
seluser => 'system_u',
|
|
||||||
}
|
|
||||||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
|
|
||||||
}
|
|
||||||
|
|
||||||
if $key_dir {
|
|
||||||
file { $key_dir :
|
|
||||||
ensure => 'directory',
|
|
||||||
selrole => 'object_r',
|
|
||||||
seltype => 'cert_t',
|
|
||||||
seluser => 'system_u',
|
|
||||||
}
|
|
||||||
File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,165 +0,0 @@
|
|||||||
# Copyright 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == class: tripleo::certmonger::ca::crl
|
|
||||||
#
|
|
||||||
# Class that downloads the appropriate CRL file from the CA. This can
|
|
||||||
# furtherly be used by services in order for proper certificate revocation to
|
|
||||||
# come into effect. The class also sets up a cron job that will refresh the CRL
|
|
||||||
# once a week. Also, processing of the CRL file might be needed. e.g. most CAs
|
|
||||||
# use DER format to distribute the CRLs, while services such as HAProxy expect
|
|
||||||
# the CRL to be in PEM format.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*crl_dest*]
|
|
||||||
# (Optional) The file where the CRL file will be stored.
|
|
||||||
# Defaults to '/etc/pki/CA/crl/overcloud-crl.pem'
|
|
||||||
#
|
|
||||||
# [*crl_source*]
|
|
||||||
# (Optional) The URI where the CRL file will be fetched from.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*process*]
|
|
||||||
# (Optional) Whether the CRL needs processing before being used. This means
|
|
||||||
# transforming from DER to PEM format or viceversa. This is because most CRLs
|
|
||||||
# by default come in DER format, so most likely it needs to be transformed.
|
|
||||||
# Defaults to true
|
|
||||||
#
|
|
||||||
# [*crl_preprocessed*]
|
|
||||||
# (Optional) The pre-processed CRL file which will be transformed.
|
|
||||||
# Defaults to '/etc/pki/CA/crl/overcloud-crl.bin'
|
|
||||||
#
|
|
||||||
# [*crl_preprocessed_format*]
|
|
||||||
# (Optional) The pre-processed CRL file's format which will be transformed.
|
|
||||||
# Defaults to 'DER'
|
|
||||||
#
|
|
||||||
# [*minute*]
|
|
||||||
# (optional) Defaults to '0'.
|
|
||||||
#
|
|
||||||
# [*hour*]
|
|
||||||
# (optional) Defaults to '*/2'.
|
|
||||||
#
|
|
||||||
# [*monthday*]
|
|
||||||
# (optional) Defaults to '*'.
|
|
||||||
#
|
|
||||||
# [*month*]
|
|
||||||
# (optional) Defaults to '*'.
|
|
||||||
#
|
|
||||||
# [*weekday*]
|
|
||||||
# (optional) Defaults to '6'.
|
|
||||||
#
|
|
||||||
# [*maxdelay*]
|
|
||||||
# (optional) Seconds. Defaults to 0. Should be a positive integer.
|
|
||||||
# Induces a random delay before running the cronjob to avoid running all
|
|
||||||
# cron jobs at the same time on all hosts this job is configured.
|
|
||||||
#
|
|
||||||
# [*reload_cmds*]
|
|
||||||
# (Optional) list of commands to be executed after fetching the CRL list in
|
|
||||||
# the cron job. This will usually be a list of reload commands issued to
|
|
||||||
# services that use the CRL.
|
|
||||||
# Defaults to []
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::ca::crl (
|
|
||||||
$crl_dest = '/etc/pki/CA/crl/overcloud-crl.pem',
|
|
||||||
$crl_source = undef,
|
|
||||||
$process = true,
|
|
||||||
$crl_preprocessed = '/etc/pki/CA/crl/overcloud-crl.bin',
|
|
||||||
$crl_preprocessed_format = 'DER',
|
|
||||||
$minute = '0',
|
|
||||||
$hour = '*/2',
|
|
||||||
$monthday = '*',
|
|
||||||
$month = '*',
|
|
||||||
$weekday = '*',
|
|
||||||
$maxdelay = 0,
|
|
||||||
$reload_cmds = [],
|
|
||||||
) {
|
|
||||||
if $process {
|
|
||||||
$fetched_crl = $crl_preprocessed
|
|
||||||
} else {
|
|
||||||
$fetched_crl = $crl_dest
|
|
||||||
}
|
|
||||||
|
|
||||||
$esc_fetched_crl = shell_escape($fetched_crl)
|
|
||||||
$esc_crl_src = shell_escape($crl_source)
|
|
||||||
|
|
||||||
if $crl_source {
|
|
||||||
$ensure = 'present'
|
|
||||||
# LP(1787878): We need to use an explicit command instead of the file
|
|
||||||
# resource, because puppet won't use query parameters when handling
|
|
||||||
# redirects.
|
|
||||||
# If FreeIPA is being installed in a similar time as the overcloud, the tries
|
|
||||||
# and time in between tries gives it a chance to generate the CRL.
|
|
||||||
exec {'tripleo-ca-crl':
|
|
||||||
command => "curl -Ls --connect-timeout 120 -o ${esc_fetched_crl} ${esc_crl_src}",
|
|
||||||
path => '/usr/bin/',
|
|
||||||
creates => $fetched_crl,
|
|
||||||
tries => 5,
|
|
||||||
try_sleep => 5,
|
|
||||||
} ~> file {'tripleo-ca-crl-file':
|
|
||||||
group => 'root',
|
|
||||||
mode => '0644',
|
|
||||||
owner => 'root',
|
|
||||||
path => $fetched_crl,
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$ensure = 'absent'
|
|
||||||
}
|
|
||||||
|
|
||||||
if $maxdelay == 0 {
|
|
||||||
$sleep = ''
|
|
||||||
} else {
|
|
||||||
$sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
|
|
||||||
}
|
|
||||||
|
|
||||||
if $process and $ensure == 'present' {
|
|
||||||
$crl_dest_format = $crl_preprocessed_format ? {
|
|
||||||
'PEM' => 'DER',
|
|
||||||
'DER' => 'PEM'
|
|
||||||
}
|
|
||||||
# transform CRL from DER to PEM or viceversa
|
|
||||||
$process_cmd = "openssl crl -in ${crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}"
|
|
||||||
exec { 'tripleo-ca-crl-process-command' :
|
|
||||||
command => $process_cmd,
|
|
||||||
path => '/usr/bin',
|
|
||||||
refreshonly => true,
|
|
||||||
subscribe => [
|
|
||||||
Exec['tripleo-ca-crl'],
|
|
||||||
File['tripleo-ca-crl-file']
|
|
||||||
]
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$process_cmd = []
|
|
||||||
}
|
|
||||||
|
|
||||||
if $ensure == 'present' {
|
|
||||||
# Fetch CRL in cron job and notify needed services
|
|
||||||
$cmd_list = concat(["${sleep}curl -g -s -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds)
|
|
||||||
$cron_cmd = join($cmd_list, ' && ')
|
|
||||||
} else {
|
|
||||||
$cron_cmd = absent
|
|
||||||
}
|
|
||||||
|
|
||||||
cron { 'tripleo-refresh-crl-file':
|
|
||||||
ensure => $ensure,
|
|
||||||
command => $cron_cmd,
|
|
||||||
environment => 'PATH=/usr/bin:/bin SHELL=/bin/sh',
|
|
||||||
user => 'root',
|
|
||||||
minute => $minute,
|
|
||||||
hour => $hour,
|
|
||||||
monthday => $monthday,
|
|
||||||
month => $month,
|
|
||||||
weekday => $weekday,
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,65 +0,0 @@
|
|||||||
# Copyright 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::ca::libvirt_vnc
|
|
||||||
#
|
|
||||||
# Sets the necessary file that will be used libvirt vnc servers and
|
|
||||||
# clients.
|
|
||||||
#
|
|
||||||
# === Parameters:
|
|
||||||
#
|
|
||||||
# [*origin_ca_pem*]
|
|
||||||
# (Optional) Path to the CA certificate that libvirt vnc will use. This is not
|
|
||||||
# assumed automatically or uses the system CA bundle as is the case of other
|
|
||||||
# services because a limitation with the file sizes in GNU TLS, which libvirt
|
|
||||||
# uses as a TLS backend.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA name that certmonger will use to generate VNC certificates.
|
|
||||||
# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
|
|
||||||
# added to the certmonger CA list.
|
|
||||||
# Defaults to hiera('certmonger_ca_vnc', 'local').
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::ca::libvirt_vnc(
|
|
||||||
$origin_ca_pem = undef,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
|
|
||||||
){
|
|
||||||
if $origin_ca_pem {
|
|
||||||
$ensure_file = 'link'
|
|
||||||
} else {
|
|
||||||
$ensure_file = 'absent'
|
|
||||||
}
|
|
||||||
file { '/etc/pki/libvirt-vnc/ca-cert.pem':
|
|
||||||
ensure => $ensure_file,
|
|
||||||
mode => '0644',
|
|
||||||
target => $origin_ca_pem,
|
|
||||||
}
|
|
||||||
|
|
||||||
if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
|
|
||||||
$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
|
|
||||||
$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
|
|
||||||
file { $wrapper_path:
|
|
||||||
source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
|
|
||||||
mode => '0755',
|
|
||||||
notify => Service['certmonger']
|
|
||||||
}
|
|
||||||
-> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
|
|
||||||
command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
|
|
||||||
path => ['/usr/bin', '/bin'],
|
|
||||||
unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
|
|
||||||
notify => Service['certmonger']
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,45 +0,0 @@
|
|||||||
# Copyright 2016 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::ca::local
|
|
||||||
#
|
|
||||||
# Does the necessary action to extract and trust certmonger's local CA.
|
|
||||||
#
|
|
||||||
# === Parameters:
|
|
||||||
#
|
|
||||||
# [*ca_pem*]
|
|
||||||
# (optional) PEM file that will contain the local CA certificate.
|
|
||||||
# Defaults to '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::ca::local(
|
|
||||||
$ca_pem = '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
|
|
||||||
){
|
|
||||||
$ca_pkcs12 = '/var/lib/certmonger/local/creds'
|
|
||||||
$extract_cmd = "openssl pkcs12 -in ${ca_pkcs12} -out ${ca_pem} -nokeys -nodes -passin pass:''"
|
|
||||||
$trust_ca_cmd = 'update-ca-trust extract'
|
|
||||||
|
|
||||||
file { "${ca_pem}":
|
|
||||||
ensure => present,
|
|
||||||
mode => '0644',
|
|
||||||
owner => 'root',
|
|
||||||
}
|
|
||||||
exec { 'extract-and-trust-ca':
|
|
||||||
command => "${extract_cmd} && ${trust_ca_cmd}",
|
|
||||||
path => '/usr/bin',
|
|
||||||
tries => 5,
|
|
||||||
try_sleep => 1,
|
|
||||||
notify => File[$ca_pem]
|
|
||||||
}
|
|
||||||
Service['certmonger'] ~> Exec<| title == 'extract-and-trust-ca' |>
|
|
||||||
}
|
|
@ -1,65 +0,0 @@
|
|||||||
# Copyright 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::ca::qemu
|
|
||||||
#
|
|
||||||
# Sets the necessary file that will be used by qemu servers and
|
|
||||||
# clients.
|
|
||||||
#
|
|
||||||
# === Parameters:
|
|
||||||
#
|
|
||||||
# [*origin_ca_pem*]
|
|
||||||
# (Optional) Path to the CA certificate that qemu will use. This is not
|
|
||||||
# assumed automatically or uses the system CA bundle as is the case of other
|
|
||||||
# services because a limitation with the file sizes in GNU TLS, which qemu
|
|
||||||
# uses as a TLS backend.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA name that certmonger will use to generate qemu certificates.
|
|
||||||
# If this is not local or IPA then is assumed to be an IPA sub-CA and will be
|
|
||||||
# added to the certmonger CA list.
|
|
||||||
# Defaults to hiera('certmonger_ca_qemu', 'local').
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::ca::qemu(
|
|
||||||
$origin_ca_pem = undef,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca_qemu', 'local'),
|
|
||||||
){
|
|
||||||
if $origin_ca_pem {
|
|
||||||
$ensure_file = 'link'
|
|
||||||
} else {
|
|
||||||
$ensure_file = 'absent'
|
|
||||||
}
|
|
||||||
file { '/etc/pki/qemu/ca-cert.pem':
|
|
||||||
ensure => $ensure_file,
|
|
||||||
mode => '0644',
|
|
||||||
target => $origin_ca_pem,
|
|
||||||
}
|
|
||||||
|
|
||||||
if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
|
|
||||||
$wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
|
|
||||||
$ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
|
|
||||||
file { $wrapper_path:
|
|
||||||
source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
|
|
||||||
mode => '0755',
|
|
||||||
notify => Service['certmonger']
|
|
||||||
}
|
|
||||||
-> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
|
|
||||||
command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
|
|
||||||
path => ['/usr/bin', '/bin'],
|
|
||||||
unless => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
|
|
||||||
notify => Service['certmonger']
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
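--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ceph_dashboard
-#
-# Request a certificate for Ceph Dashboard and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ceph_dashboard (
-$hostname,
-$service_certificate,
-$service_key,
-$postsave_cmd = undef,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$principal = undef,
-$key_size = 2048,
-) {
-
-ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-dashboard-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-
-certmonger_certificate { 'ceph_dashboard' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-
-file { $service_certificate :
-require => Certmonger_certificate['ceph_dashboard'],
-owner => 472,
-group => 472,
-}
-file { $service_key :
-require => Certmonger_certificate['ceph_dashboard'],
-owner => 472,
-group => 472,
-}
-}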
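--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ceph_grafana
-#
-# Request a certificate for Ceph Grafana and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ceph_grafana (
-$hostname,
-$service_certificate,
-$service_key,
-$postsave_cmd = undef,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$principal = undef,
-$key_size = 2048,
-) {
-
-ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-grafana-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-
-certmonger_certificate { 'ceph_grafana' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-
-file { $service_certificate :
-require => Certmonger_certificate['ceph_grafana'],
-owner => 472,
-group => 472,
-}
-file { $service_key :
-require => Certmonger_certificate['ceph_grafana'],
-owner => 472,
-group => 472,
-}
-}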
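--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,123 +0,0 @@
-# Copyright 2020 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ceph_rgw
-#
-# Request a certificate for Ceph RGW and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_pem*]
-# The file in PEM format that the HAProxy service will use as a certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ceph_rgw (
-$hostname,
-$service_certificate,
-$service_key,
-$service_pem,
-$postsave_cmd = undef,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$principal = undef,
-$key_size = 2048,
-) {
-
-ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-rgw-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-
-certmonger_certificate { 'ceph_rgw' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-
-concat { $service_pem :
-ensure => present,
-mode => '0640',
-owner => 472,
-group => 472,
-tag => 'ceph-rgw-cert',
-}
-
-concat::fragment { "${title}-cert-fragment":
-target => $service_pem,
-source => $service_certificate,
-order => '01',
-tag => 'ceph_rgw-cert',
-require => Concat["${service_pem}"]
-}
-
-if $certmonger_ca == 'local' {
-$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
-concat::fragment { "${title}-ca-fragment":
-target => $service_pem,
-source => $ca_pem,
-order => '10',
-tag => 'ceph_rgw-cert',
-require => [ Class['tripleo::certmonger::ca::local'], Concat::Fragment["${title}-cert-fragment"] ]
-}
-} elsif $certmonger_ca == 'IPA' {
-concat::fragment { "${title}-ca-fragment":
-target => $service_pem,
-source => '/etc/ipa/ca.crt',
-order => '10',
-tag => 'ceph_rgw-cert',
-require => Concat::Fragment["${title}-cert-fragment"]
-}
-}
-
-concat::fragment { "${title}-key-fragment":
-target => $service_pem,
-source => $service_key,
-order => 20,
-tag => 'ceph_rgw-cert',
-require => Concat::Fragment["${title}-ca-fragment"],
-}
-}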
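--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,92 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::etcd
-#
-# Request a certificate for the etcd service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate.
-# Defaults to $hostname
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for etcd in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::etcd (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$dnsnames = $hostname,
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-
-ensure_resource('file', '/usr/bin/certmonger-etcd-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-etcd-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-
-certmonger_certificate { 'etcd' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $dnsnames,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-key_size => $key_size,
-ca => $certmonger_ca,
-wait => true,
-require => Class['::certmonger'],
-}
-file { $service_certificate :
-require => Certmonger_certificate['etcd'],
-}
-file { $service_key :
-require => Certmonger_certificate['etcd'],
-}
-
-File[$service_certificate] ~> Service<| title == 'etcd' |>
-File[$service_key] ~> Service<| title == 'etcd' |>
-}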
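--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,159 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Resource: tripleo::certmonger::haproxy
-#
-# Request a certificate for the HAProxy service and does the necessary logic to
-# get it into a format that the service understands.
-#
-# === Parameters
-#
-# [*service_pem*]
-# The file in PEM format that the HAProxy service will use as a certificate.
-#
-# [*service_certificate*]
-# The certificate file that certmonger will be tracking.
-#
-# [*service_key*]
-# The key file that certmonger will use for the certificate.
-#
-# [*hostname*]
-# The hostname that certmonger will use as the common name for the
-# certificate.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate. If left unset, the value will be set to the $hostname.
-# Defaults to undef
-#
-# [*principal*]
-# The haproxy service principal that is set for HAProxy in kerberos.
-#
-# [*postsave_cmd*]
-# The post-save-command that certmonger will use once it renews the
-# certificate.
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-define tripleo::certmonger::haproxy (
-$service_pem,
-$service_certificate,
-$service_key,
-$hostname,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$dnsnames = undef,
-$principal = undef,
-$postsave_cmd = undef,
-$key_size = 2048,
-){
-include certmonger
-include haproxy::params
-if $certmonger_ca == 'local' {
-if defined(Class['::haproxy']) {
-Class['::tripleo::certmonger::ca::local'] ~> Class['::haproxy']
-}
-$principal_real = undef
-} else {
-$principal_real = $principal
-}
-
-# If we have HAProxy in the resource catalog, we can use the haproxy user
-# and group.
-if defined(Class['::haproxy']) {
-$cert_user = 'haproxy'
-$cert_group = 'haproxy'
-# If it's not in the resource catalog, it means that we're running in
-# containers. So we have to rely on the container to set the appropriate
-# permissions.
-} else {
-$cert_user = 'root'
-$cert_group = 'root'
-}
-
-if $dnsnames {
-$dnsnames_real = $dnsnames
-} else {
-$dnsnames_real = $hostname
-}
-
-ensure_resource('file', '/usr/bin/certmonger-haproxy-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-haproxy-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-certmonger_certificate { "${title}-cert":
-ensure => 'present',
-ca => $certmonger_ca,
-hostname => $hostname,
-dnsname => $dnsnames_real,
-certfile => $service_certificate,
-keyfile => $service_key,
-postsave_cmd => $postsave_cmd,
-principal => $principal_real,
-key_size => $key_size,
-eku => ['id-kp-clientAuth', 'id-kp-serverAuth'],
-wait => true,
-tag => 'haproxy-cert',
-require => Class['::certmonger'],
-}
-concat { $service_pem :
-ensure => present,
-mode => '0640',
-owner => $cert_user,
-group => $cert_group,
-tag => 'haproxy-cert',
-}
-Package<| name == $::haproxy::params::package_name |> -> Concat[$service_pem]
-
-concat::fragment { "${title}-cert-fragment":
-target => $service_pem,
-source => $service_certificate,
-order => '01',
-tag => 'haproxy-cert',
-require => Certmonger_certificate["${title}-cert"],
-}
-
-if $certmonger_ca == 'local' {
-$ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
-concat::fragment { "${title}-ca-fragment":
-target => $service_pem,
-source => $ca_pem,
-order => '10',
-tag => 'haproxy-cert',
-require => Class['tripleo::certmonger::ca::local'],
-}
-} elsif $certmonger_ca == 'IPA' {
-concat::fragment { "${title}-ca-fragment":
-target => $service_pem,
-source => '/etc/ipa/ca.crt',
-order => '10',
-tag => 'haproxy-cert',
-}
-}
-
-concat::fragment { "${title}-key-fragment":
-target => $service_pem,
-source => $service_key,
-order => 20,
-tag => 'haproxy-cert',
-require => Certmonger_certificate["${title}-cert"],
-}
-}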
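--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# : = Class: tripleo::certmonger::haproxy_dirs
-#
-# Creates the necessary directories for haproxy's certificates and keys in the
-# assigned locations if specified. It also assigns the correct SELinux tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where haproxy's certificates will be stored. If left
-# unspecified, it won't be created.
-# Defaults to undef
-#
-# [*key_dir*]
-# (Optional) Directory where haproxy's keys will be stored.
-# Defaults to undef
-#
-class tripleo::certmonger::haproxy_dirs(
-$certificate_dir = undef,
-$key_dir = undef,
-){
-
-if $certificate_dir {
-file { $certificate_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$certificate_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
-}
-
-if $key_dir {
-file { $key_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$key_dir] ~> Certmonger_certificate<| tag == 'haproxy-cert' |>
-}
-}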
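--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Resource: tripleo::certmonger::httpd
-#
-# Request a certificate for the httpd service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate. If left unset, the value will be set to the $hostname.
-# Defaults to undef
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl restart ${service name}"
-# Defaults to undef.
-#
-# [*principal*]
-# The haproxy service principal that is set for HAProxy in kerberos.
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-define tripleo::certmonger::httpd (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$dnsnames = undef,
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-include apache::params
-
-if $dnsnames {
-$dnsnames_real = $dnsnames
-} else {
-$dnsnames_real = $hostname
-}
-
-certmonger_certificate { $name :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $dnsnames_real,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-tag => 'apache-cert',
-require => Class['::certmonger'],
-}
-
-Certmonger_certificate[$name] ~> Service<| title == $::apache::params::service_name |>
-}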
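--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Resource: tripleo::certmonger::libvirt
-#
-# Request a certificate for libvirt and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# If nothing is given, it will default to: "systemctl reload ${service name}"
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-define tripleo::certmonger::libvirt (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-include nova::params
-
-$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${::nova::params::libvirt_service_name}")
-certmonger_certificate { $name :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd_real,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-tag => 'libvirt-cert',
-require => Class['::certmonger'],
-}
-
-# Just register the files in puppet's resource catalog. Certmonger should
-# give the right permissions.
-file { $service_certificate :
-require => Certmonger_certificate[$name],
-}
-file { $service_key :
-require => Certmonger_certificate[$name],
-}
-
-File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |>
-File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |>
-}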
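--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::libvirt_dirs
-#
-# Creates the necessary directories for libvirt's certificates and keys in the
-# assigned locations if specified. It also assigns the correct SELinux tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where libvirt's certificates will be stored. If left
-# unspecified, it won't be created.
-# Defaults to undef
-#
-# [*key_dir*]
-# (Optional) Directory where libvirt's keys will be stored.
-# Defaults to undef
-#
-class tripleo::certmonger::libvirt_dirs(
-$certificate_dir = undef,
-$key_dir = undef,
-){
-
-if $certificate_dir {
-file { $certificate_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
-}
-
-if $key_dir {
-file { $key_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
-}
-
-}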
@ -1,122 +0,0 @@
|
|||||||
# Copyright 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Resource: tripleo::certmonger::libvirt_vnc
|
|
||||||
#
|
|
||||||
# Request a certificate for libvirt-vnc and do the necessary setup.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*hostname*]
|
|
||||||
# The hostname of the node. this will be set in the CN of the certificate.
|
|
||||||
#
|
|
||||||
# [*service_certificate*]
|
|
||||||
# The path to the certificate that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*service_key*]
|
|
||||||
# The path to the key that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca_vnc', 'local').
|
|
||||||
#
|
|
||||||
# [*postsave_cmd*]
|
|
||||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
||||||
# If nothing is given, it will default to: "systemctl reload ${service name}"
|
|
||||||
# Defaults to undef.
|
|
||||||
#
|
|
||||||
# [*principal*]
|
|
||||||
# (Optional) The service principal that is set for the service in kerberos.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*cacertfile*]
|
|
||||||
# (Optional) Specifies that path to write the CA cerftificate to.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*notify_service*]
|
|
||||||
# (Optional) Service to reload when certificate is created/renewed
|
|
||||||
# Defaults to $::nova::params::libvirt_service_name
|
|
||||||
#
|
|
||||||
# [*key_size*]
|
|
||||||
# (Optional) Specifies the private key size used when creating the certificate.
|
|
||||||
# Defaults to 2048bits.
|
|
||||||
#
|
|
||||||
define tripleo::certmonger::libvirt_vnc (
|
|
||||||
$hostname,
|
|
||||||
$service_certificate,
|
|
||||||
$service_key,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
|
|
||||||
$postsave_cmd = undef,
|
|
||||||
$principal = undef,
|
|
||||||
$cacertfile = undef,
|
|
||||||
$notify_service = undef,
|
|
||||||
$key_size = 2048,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
include nova::params
|
|
||||||
|
|
||||||
$notify_service_real = pick($notify_service, $::nova::params::libvirt_service_name)
|
|
||||||
|
|
||||||
$postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${notify_service_real}")
|
|
||||||
|
|
||||||
certmonger_certificate { $name :
|
|
||||||
ensure => 'present',
|
|
||||||
certfile => $service_certificate,
|
|
||||||
keyfile => $service_key,
|
|
||||||
hostname => $hostname,
|
|
||||||
dnsname => $hostname,
|
|
||||||
principal => $principal,
|
|
||||||
postsave_cmd => $postsave_cmd_real,
|
|
||||||
ca => $certmonger_ca,
|
|
||||||
key_size => $key_size,
|
|
||||||
cacertfile => $cacertfile,
|
|
||||||
wait => true,
|
|
||||||
tag => 'libvirt-cert',
|
|
||||||
require => Class['::certmonger'],
|
|
||||||
}
|
|
||||||
|
|
||||||
if $cacertfile {
|
|
||||||
# Sometimes certmonger returns before creating the cacert file. This has
|
|
||||||
# been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281
|
|
||||||
# Until this is fixed, add this workaround.
|
|
||||||
exec { $cacertfile :
|
|
||||||
require => Certmonger_certificate[$name],
|
|
||||||
command => "test -f ${cacertfile}",
|
|
||||||
unless => "test -f ${cacertfile}",
|
|
||||||
tries => 60,
|
|
||||||
try_sleep => 1,
|
|
||||||
timeout => 60,
|
|
||||||
path => '/usr/bin:/bin',
|
|
||||||
}
|
|
||||||
|
|
||||||
file { $cacertfile :
|
|
||||||
require => Exec[$cacertfile],
|
|
||||||
mode => '0644'
|
|
||||||
}
|
|
||||||
~> Service<| title == $notify_service_real |>
|
|
||||||
}
|
|
||||||
|
|
||||||
file { $service_certificate :
|
|
||||||
require => Certmonger_certificate[$name],
|
|
||||||
mode => '0644'
|
|
||||||
}
|
|
||||||
file { $service_key :
|
|
||||||
require => Certmonger_certificate[$name],
|
|
||||||
group => 'qemu',
|
|
||||||
mode => '0640'
|
|
||||||
}
|
|
||||||
|
|
||||||
File[$service_certificate] ~> Service<| title == $notify_service_real |>
|
|
||||||
File[$service_key] ~> Service<| title == $notify_service_real |>
|
|
||||||
}
|
|
@ -1,56 +0,0 @@
|
|||||||
# Copyright 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::libvirt_vnc_dirs
|
|
||||||
#
|
|
||||||
# Creates the necessary directories for libvirt vnc certificates and keys in the
|
|
||||||
# assigned locations if specified. It also assigns the correct SELinux tags.
|
|
||||||
#
|
|
||||||
# === Parameters:
|
|
||||||
#
|
|
||||||
# [*certificate_dir*]
|
|
||||||
# (Optional) Directory where libvirt-vnc's certificates will be stored. If left
|
|
||||||
# unspecified, it won't be created.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*key_dir*]
|
|
||||||
# (Optional) Directory where libvirt-vnc's keys will be stored.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::libvirt_vnc_dirs(
|
|
||||||
$certificate_dir = undef,
|
|
||||||
$key_dir = undef,
|
|
||||||
){
|
|
||||||
|
|
||||||
if $certificate_dir {
|
|
||||||
file { $certificate_dir :
|
|
||||||
ensure => 'directory',
|
|
||||||
selrole => 'object_r',
|
|
||||||
seltype => 'cert_t',
|
|
||||||
seluser => 'system_u',
|
|
||||||
}
|
|
||||||
File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |>
|
|
||||||
}
|
|
||||||
|
|
||||||
if $key_dir {
|
|
||||||
file { $key_dir :
|
|
||||||
ensure => 'directory',
|
|
||||||
selrole => 'object_r',
|
|
||||||
seltype => 'cert_t',
|
|
||||||
seluser => 'system_u',
|
|
||||||
}
|
|
||||||
File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |>
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,85 +0,0 @@
|
|||||||
# Copyright 2020 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::memcached
|
|
||||||
#
|
|
||||||
# Request a certificate for Memcached and do the necessary setup.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*hostname*]
|
|
||||||
# The hostname of the node. this will be set in the CN of the certificate.
|
|
||||||
#
|
|
||||||
# [*service_certificate*]
|
|
||||||
# The path to the certificate that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*service_key*]
|
|
||||||
# The path to the key that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca', 'local').
|
|
||||||
#
|
|
||||||
# [*postsave_cmd*]
|
|
||||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
||||||
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
|
||||||
# Defaults to undef.
|
|
||||||
#
|
|
||||||
# [*principal*]
|
|
||||||
# (Optional) The service principal that is set for the service in kerberos.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*key_size*]
|
|
||||||
# (Optional) Specifies the private key size used when creating the certificate.
|
|
||||||
# Defaults to 2048bits.
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::memcached (
|
|
||||||
$hostname,
|
|
||||||
$service_certificate,
|
|
||||||
$service_key,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
||||||
$postsave_cmd = '/usr/bin/certmonger-memcached-refresh.sh',
|
|
||||||
$principal = undef,
|
|
||||||
$key_size = 2048,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
|
|
||||||
ensure_resource('file', '/usr/bin/certmonger-memcached-refresh.sh', {
|
|
||||||
source => 'puppet:///modules/tripleo/certmonger-memcached-refresh.sh',
|
|
||||||
mode => '0700',
|
|
||||||
seltype => 'bin_t',
|
|
||||||
notify => Service['certmonger']
|
|
||||||
})
|
|
||||||
|
|
||||||
certmonger_certificate { 'memcached' :
|
|
||||||
ensure => 'present',
|
|
||||||
certfile => $service_certificate,
|
|
||||||
keyfile => $service_key,
|
|
||||||
hostname => $hostname,
|
|
||||||
dnsname => $hostname,
|
|
||||||
principal => $principal,
|
|
||||||
postsave_cmd => $postsave_cmd,
|
|
||||||
ca => $certmonger_ca,
|
|
||||||
key_size => $key_size,
|
|
||||||
wait => true,
|
|
||||||
require => Class['::certmonger'],
|
|
||||||
}
|
|
||||||
|
|
||||||
file { $service_certificate :
|
|
||||||
require => Certmonger_certificate['memcached'],
|
|
||||||
}
|
|
||||||
file { $service_key :
|
|
||||||
require => Certmonger_certificate['memcached'],
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,89 +0,0 @@
|
|||||||
# Copyright 2016 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::metrics_qdr
|
|
||||||
#
|
|
||||||
# Request a certificate for the MetricsQdr service and do the necessary setup.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*hostname*]
|
|
||||||
# The hostname of the node. this will be set in the CN of the certificate.
|
|
||||||
#
|
|
||||||
# [*service_certificate*]
|
|
||||||
# The path to the certificate that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*service_key*]
|
|
||||||
# The path to the key that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca', 'local').
|
|
||||||
#
|
|
||||||
# [*postsave_cmd*]
|
|
||||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
||||||
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
|
||||||
# Defaults to undef.
|
|
||||||
#
|
|
||||||
# [*principal*]
|
|
||||||
# (Optional) The haproxy service principal that is set for metrics_qdr in kerberos.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*key_size*]
|
|
||||||
# (Optional) Specifies the private key size used when creating the certificate.
|
|
||||||
# Defaults to 2048bits.
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::metrics_qdr (
|
|
||||||
$hostname,
|
|
||||||
$service_certificate,
|
|
||||||
$service_key,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
||||||
$postsave_cmd = undef,
|
|
||||||
$principal = undef,
|
|
||||||
$key_size = 2048,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
include qdr::params
|
|
||||||
|
|
||||||
ensure_resource('file', '/usr/bin/certmonger-metrics-qdr-refresh.sh', {
|
|
||||||
source => 'puppet:///modules/tripleo/certmonger-metrics-qdr-refresh.sh',
|
|
||||||
mode => '0700',
|
|
||||||
seltype => 'bin_t',
|
|
||||||
notify => Service['certmonger']
|
|
||||||
})
|
|
||||||
|
|
||||||
certmonger_certificate { 'metrics_qdr' :
|
|
||||||
ensure => 'present',
|
|
||||||
certfile => $service_certificate,
|
|
||||||
keyfile => $service_key,
|
|
||||||
hostname => $hostname,
|
|
||||||
dnsname => $hostname,
|
|
||||||
principal => $principal,
|
|
||||||
postsave_cmd => $postsave_cmd,
|
|
||||||
ca => $certmonger_ca,
|
|
||||||
key_size => $key_size,
|
|
||||||
wait => true,
|
|
||||||
require => Class['::certmonger'],
|
|
||||||
}
|
|
||||||
|
|
||||||
file { $service_certificate :
|
|
||||||
require => Certmonger_certificate['metrics_qdr'],
|
|
||||||
}
|
|
||||||
file { $service_key :
|
|
||||||
require => Certmonger_certificate['metrics_qdr'],
|
|
||||||
}
|
|
||||||
|
|
||||||
File[$service_certificate] ~> Service<| title == $::qdr::params::service_name |>
|
|
||||||
File[$service_key] ~> Service<| title == $::qdr::params::service_name |>
|
|
||||||
}
|
|
@ -1,78 +0,0 @@
|
|||||||
# Copyright 2016 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::mysql
|
|
||||||
#
|
|
||||||
# Request a certificate for the MySQL/Mariadb service and do the necessary setup.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*hostname*]
|
|
||||||
# The hostname of the node. this will be set in the CN of the certificate.
|
|
||||||
#
|
|
||||||
# [*service_certificate*]
|
|
||||||
# The path to the certificate that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*service_key*]
|
|
||||||
# The path to the key that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca', 'local').
|
|
||||||
#
|
|
||||||
# [*dnsnames*]
|
|
||||||
# (Optional) The DNS names that will be added for the SubjectAltNames entry
|
|
||||||
# in the certificate. If left unset, the value will be set to the $hostname.
|
|
||||||
# This parameter can take both a string or an array of strings.
|
|
||||||
# Defaults to $hostname
|
|
||||||
#
|
|
||||||
# [*postsave_cmd*]
|
|
||||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
||||||
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
|
||||||
# Defaults to undef.
|
|
||||||
#
|
|
||||||
# [*principal*]
|
|
||||||
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*key_size*]
|
|
||||||
# (Optional) Specifies the private key size used when creating the certificate.
|
|
||||||
# Defaults to 2048bits.
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::mysql (
|
|
||||||
$hostname,
|
|
||||||
$service_certificate,
|
|
||||||
$service_key,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
||||||
$dnsnames = $hostname,
|
|
||||||
$postsave_cmd = undef,
|
|
||||||
$principal = undef,
|
|
||||||
$key_size = 2048,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
|
|
||||||
certmonger_certificate { 'mysql' :
|
|
||||||
ensure => 'present',
|
|
||||||
certfile => $service_certificate,
|
|
||||||
keyfile => $service_key,
|
|
||||||
hostname => $hostname,
|
|
||||||
dnsname => $dnsnames,
|
|
||||||
principal => $principal,
|
|
||||||
postsave_cmd => $postsave_cmd,
|
|
||||||
ca => $certmonger_ca,
|
|
||||||
key_size => $key_size,
|
|
||||||
wait => true,
|
|
||||||
require => Class['::certmonger'],
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,84 +0,0 @@
|
|||||||
# Copyright 2018 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::neutron
|
|
||||||
#
|
|
||||||
# Request a certificate for the Neutron service and do the necessary setup.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*hostname*]
|
|
||||||
# The hostname of the node. this will be set in the CN of the certificate.
|
|
||||||
#
|
|
||||||
# [*service_certificate*]
|
|
||||||
# The path to the certificate that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*service_key*]
|
|
||||||
# The path to the key that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca', 'local').
|
|
||||||
#
|
|
||||||
# [*postsave_cmd*]
|
|
||||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
||||||
#
|
|
||||||
# [*principal*]
|
|
||||||
# (Optional) The haproxy service principal that is set for neutron in kerberos.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*key_size*]
|
|
||||||
# (Optional) Specifies the private key size used when creating the certificate.
|
|
||||||
# Defaults to 2048bits.
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::neutron (
|
|
||||||
$hostname,
|
|
||||||
$service_certificate,
|
|
||||||
$service_key,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
||||||
$postsave_cmd = undef,
|
|
||||||
$principal = undef,
|
|
||||||
$key_size = 2048,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
|
|
||||||
ensure_resource('file', '/usr/bin/certmonger-neutron-dhcpd-refresh.sh', {
|
|
||||||
source => 'puppet:///modules/tripleo/certmonger-neutron-dhcpd-refresh.sh',
|
|
||||||
mode => '0700',
|
|
||||||
seltype => 'bin_t',
|
|
||||||
notify => Service['certmonger']
|
|
||||||
})
|
|
||||||
|
|
||||||
certmonger_certificate { 'neutron' :
|
|
||||||
ensure => 'present',
|
|
||||||
certfile => $service_certificate,
|
|
||||||
keyfile => $service_key,
|
|
||||||
hostname => $hostname,
|
|
||||||
dnsname => $hostname,
|
|
||||||
principal => $principal,
|
|
||||||
postsave_cmd => $postsave_cmd,
|
|
||||||
ca => $certmonger_ca,
|
|
||||||
key_size => $key_size,
|
|
||||||
wait => true,
|
|
||||||
require => Class['::certmonger'],
|
|
||||||
}
|
|
||||||
file { $service_certificate :
|
|
||||||
require => Certmonger_certificate['neutron']
|
|
||||||
}
|
|
||||||
file { $service_key :
|
|
||||||
require => Certmonger_certificate['neutron']
|
|
||||||
}
|
|
||||||
|
|
||||||
Certmonger_certificate['neutron'] ~> Service<| tag == 'neutron-service' |>
|
|
||||||
}
|
|
@ -1,76 +0,0 @@
|
|||||||
# Copyright 2019 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::neutron_ovn
|
|
||||||
#
|
|
||||||
# Request a certificate for the ovn_controller service and do the necessary setup.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*hostname*]
|
|
||||||
# The hostname of the node. this will be set in the CN of the certificate.
|
|
||||||
#
|
|
||||||
# [*service_certificate*]
|
|
||||||
# The path to the certificate that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*service_key*]
|
|
||||||
# The path to the key that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca', 'local').
|
|
||||||
#
|
|
||||||
# [*postsave_cmd*]
|
|
||||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
||||||
#
|
|
||||||
# [*principal*]
|
|
||||||
# (Optional) The haproxy service principal that is set for neutron in kerberos.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*key_size*]
|
|
||||||
# (Optional) Specifies the private key size used when creating the certificate.
|
|
||||||
# Defaults to 2048bits.
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::neutron_ovn (
|
|
||||||
$hostname,
|
|
||||||
$service_certificate,
|
|
||||||
$service_key,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
||||||
$postsave_cmd = undef,
|
|
||||||
$principal = undef,
|
|
||||||
$key_size = 2048,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
|
|
||||||
certmonger_certificate { 'neutron_ovn' :
|
|
||||||
ensure => 'present',
|
|
||||||
certfile => $service_certificate,
|
|
||||||
keyfile => $service_key,
|
|
||||||
hostname => $hostname,
|
|
||||||
dnsname => $hostname,
|
|
||||||
principal => $principal,
|
|
||||||
postsave_cmd => $postsave_cmd,
|
|
||||||
ca => $certmonger_ca,
|
|
||||||
key_size => $key_size,
|
|
||||||
wait => true,
|
|
||||||
require => Class['::certmonger'],
|
|
||||||
}
|
|
||||||
file { $service_certificate :
|
|
||||||
require => Certmonger_certificate['neutron_ovn']
|
|
||||||
}
|
|
||||||
file { $service_key :
|
|
||||||
require => Certmonger_certificate['neutron_ovn']
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,97 +0,0 @@
|
|||||||
# Copyright 2018 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::novnc_proxy
|
|
||||||
#
|
|
||||||
# Request a certificate for novnc_proxy and do the necessary setup.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*hostname*]
|
|
||||||
# The hostname of the node. this will be set in the CN of the certificate.
|
|
||||||
#
|
|
||||||
# [*service_certificate*]
|
|
||||||
# The path to the certificate that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*service_key*]
|
|
||||||
# The path to the key that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca', 'local').
|
|
||||||
#
|
|
||||||
# [*postsave_cmd*]
|
|
||||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
||||||
# Defaults to undef.
|
|
||||||
#
|
|
||||||
# [*principal*]
|
|
||||||
# (Optional) The service principal that is set for the service in kerberos.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*notify_service*]
|
|
||||||
# (Optional) Service to reload when certificate is created/renewed
|
|
||||||
# Defaults to $::nova::params::libvirt_service_name
|
|
||||||
# [*key_size*]
|
|
||||||
# (Optional) Specifies the private key size used when creating the certificate.
|
|
||||||
# Defaults to 2048bits.
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::novnc_proxy (
|
|
||||||
$hostname,
|
|
||||||
$service_certificate,
|
|
||||||
$service_key,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
||||||
$notify_service = undef,
|
|
||||||
$postsave_cmd = undef,
|
|
||||||
$key_size = 2048,
|
|
||||||
$principal = undef,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
include nova::params
|
|
||||||
|
|
||||||
$notify_service_real = pick($notify_service, $::nova::params::vncproxy_service_name)
|
|
||||||
|
|
||||||
ensure_resource('file', '/usr/bin/certmonger-novnc-proxy-refresh.sh', {
|
|
||||||
source => 'puppet:///modules/tripleo/certmonger-novnc-proxy-refresh.sh',
|
|
||||||
mode => '0700',
|
|
||||||
seltype => 'bin_t',
|
|
||||||
notify => Service['certmonger']
|
|
||||||
})
|
|
||||||
|
|
||||||
certmonger_certificate { 'novnc-proxy' :
|
|
||||||
ensure => 'present',
|
|
||||||
certfile => $service_certificate,
|
|
||||||
keyfile => $service_key,
|
|
||||||
hostname => $hostname,
|
|
||||||
dnsname => $hostname,
|
|
||||||
principal => $principal,
|
|
||||||
postsave_cmd => $postsave_cmd,
|
|
||||||
ca => $certmonger_ca,
|
|
||||||
key_size => $key_size,
|
|
||||||
wait => true,
|
|
||||||
tag => 'novnc-proxy',
|
|
||||||
require => Class['::certmonger'],
|
|
||||||
}
|
|
||||||
|
|
||||||
file { $service_certificate :
|
|
||||||
require => Certmonger_certificate['novnc-proxy'],
|
|
||||||
mode => '0644'
|
|
||||||
}
|
|
||||||
file { $service_key :
|
|
||||||
require => Certmonger_certificate['novnc-proxy'],
|
|
||||||
mode => '0640'
|
|
||||||
}
|
|
||||||
|
|
||||||
File[$service_certificate] ~> Service<| title == $notify_service_real |>
|
|
||||||
File[$service_key] ~> Service<| title == $notify_service_real |>
|
|
||||||
}
|
|
@ -1,80 +0,0 @@
|
|||||||
# Copyright 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# == Class: tripleo::certmonger::openvswitch
|
|
||||||
#
|
|
||||||
# Request a certificate for the openvswitch service and do the necessary setup.
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*hostname*]
|
|
||||||
# The hostname of the node. this will be set in the CN of the certificate.
|
|
||||||
#
|
|
||||||
# [*service_certificate*]
|
|
||||||
# The path to the certificate that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*service_key*]
|
|
||||||
# The path to the key that will be used for TLS in this service.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca', 'local').
|
|
||||||
#
|
|
||||||
# [*postsave_cmd*]
|
|
||||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
||||||
# Defaults to "systemctl reload openvswitch"
|
|
||||||
#
|
|
||||||
# [*principal*]
|
|
||||||
# (Optional) The haproxy service principal that is set for openvswitch in kerberos.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*key_size*]
|
|
||||||
# (Optional) Specifies the private key size used when creating the certificate.
|
|
||||||
# Defaults to 2048bits.
|
|
||||||
#
|
|
||||||
class tripleo::certmonger::openvswitch (
|
|
||||||
$hostname,
|
|
||||||
$service_certificate,
|
|
||||||
$service_key,
|
|
||||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
||||||
$postsave_cmd = 'systemctl reload openvswitch',
|
|
||||||
$principal = undef,
|
|
||||||
$key_size = 2048,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
|
|
||||||
certmonger_certificate { 'openvswitch' :
|
|
||||||
ensure => 'present',
|
|
||||||
certfile => $service_certificate,
|
|
||||||
keyfile => $service_key,
|
|
||||||
hostname => $hostname,
|
|
||||||
dnsname => $hostname,
|
|
||||||
principal => $principal,
|
|
||||||
postsave_cmd => $postsave_cmd,
|
|
||||||
ca => $certmonger_ca,
|
|
||||||
key_size => $key_size,
|
|
||||||
wait => true,
|
|
||||||
require => Class['::certmonger'],
|
|
||||||
}
|
|
||||||
file { $service_certificate :
|
|
||||||
owner => 'openvswitch',
|
|
||||||
group => 'hugetlbfs',
|
|
||||||
require => Certmonger_certificate['openvswitch'],
|
|
||||||
}
|
|
||||||
file { $service_key :
|
|
||||||
owner => 'openvswitch',
|
|
||||||
group => 'hugetlbfs',
|
|
||||||
require => Certmonger_certificate['openvswitch'],
|
|
||||||
}
|
|
||||||
}
|
|
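--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,76 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ovn_controller
-#
-# Request a certificate for the ovn_controller service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ovn_controller (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-
-certmonger_certificate { 'ovn_controller' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-file { $service_certificate :
-require => Certmonger_certificate['ovn_controller']
-}
-file { $service_key :
-require => Certmonger_certificate['ovn_controller']
-}
-
-}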
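--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,75 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ovn_sbdb
-#
-# Request a certificate for the ovn_sbdb service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ovn_dbs (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-
-certmonger_certificate { 'ovn_dbs' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-file { $service_certificate :
-require => Certmonger_certificate['ovn_dbs']
-}
-file { $service_key :
-require => Certmonger_certificate['ovn_dbs']
-}
-}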
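--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,76 +0,0 @@
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ovn_metadata
-#
-# Request a certificate for the ovn_controller service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ovn_metadata (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-
-certmonger_certificate { 'ovn_metadata' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-file { $service_certificate :
-require => Certmonger_certificate['ovn_metadata']
-}
-file { $service_key :
-require => Certmonger_certificate['ovn_metadata']
-}
-
-}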
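--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,76 +0,0 @@
-# Copyright 2020 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::ovn_octavia
-#
-# Request a certificate for the ovn_controller service and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-#
-# [*principal*]
-# (Optional) The haproxy service principal that is set for neutron in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::ovn_octavia (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-
-certmonger_certificate { 'ovn_octavia' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-file { $service_certificate :
-require => Certmonger_certificate['ovn_octavia']
-}
-file { $service_key :
-require => Certmonger_certificate['ovn_octavia']
-}
-
-}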
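--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,108 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Resource: tripleo::certmonger::qemu
-#
-# Request a certificate for quemu and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*cacertfile*]
-# (Optional) Specifies that path to write the CA cerftificate to.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-define tripleo::certmonger::qemu (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca_qemu', 'local'),
-$cacertfile = undef,
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-include nova::params
-
-certmonger_certificate { $name :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-cacertfile => $cacertfile,
-wait => true,
-tag => 'qemu-cert',
-require => Class['::certmonger'],
-}
-
-if $cacertfile {
-# Sometimes certmonger returns before creating the cacert file. This has
-# been reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1759281
-# Until this is fixed, add this workaround.
-exec { $cacertfile :
-require => Certmonger_certificate[$name],
-command => "test -f ${cacertfile}",
-unless => "test -f ${cacertfile}",
-tries => 60,
-try_sleep => 1,
-timeout => 60,
-path => '/usr/bin:/bin',
-}
-
-file { $cacertfile :
-require => Exec[$cacertfile],
-mode => '0644'
-}
-}
-
-file { $service_certificate :
-require => Certmonger_certificate[$name],
-mode => '0644'
-}
-file { $service_key :
-require => Certmonger_certificate[$name],
-group => 'qemu',
-mode => '0640'
-}
-}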
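--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::qemu_dirs
-#
-# Creates the necessary directories for qemu certificates and keys in the
-# assigned locations if specified. It also assigns the correct SELinux tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where qemu server certificates will be stored. If left
-# unspecified, it won't be created.
-# Defaults to undef
-#
-class tripleo::certmonger::qemu_dirs(
-$certificate_dir = undef,
-){
-
-if $certificate_dir {
-file { $certificate_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-server-cert' |>
-}
-
-}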
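--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::qemu_nbd_dirs
-#
-# Creates the necessary directories for qemu nbd client certificates and keys
-# in the assigned locations if specified. It also assigns the correct SELinux
-# tags.
-#
-# === Parameters:
-#
-# [*certificate_dir*]
-# (Optional) Directory where qemu-nbd's client certificates will be stored.
-# If left unspecified, it won't be created.
-# Defaults to undef
-#
-class tripleo::certmonger::qemu_nbd_dirs(
-$certificate_dir = undef,
-){
-
-if $certificate_dir {
-file { $certificate_dir :
-ensure => 'directory',
-selrole => 'object_r',
-seltype => 'cert_t',
-seluser => 'system_u',
-}
-File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-cert' |>
-}
-
-}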
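--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::rabbitmq
-#
-# Request a certificate for RabbitMQ and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::rabbitmq (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-
-ensure_resource('file', '/usr/bin/certmonger-rabbitmq-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-rabbitmq-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-
-certmonger_certificate { 'rabbitmq' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $hostname,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-
-file { $service_certificate :
-require => Certmonger_certificate['rabbitmq'],
-}
-file { $service_key :
-require => Certmonger_certificate['rabbitmq'],
-}
-}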
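--- a/PATH-NOT-ON-PAGE
+++ /dev/null
@@ -1,91 +0,0 @@
-# Copyright 2017 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::certmonger::redis
-#
-# Request a certificate for Redis and do the necessary setup.
-#
-# === Parameters
-#
-# [*hostname*]
-# The hostname of the node. this will be set in the CN of the certificate.
-#
-# [*service_certificate*]
-# The path to the certificate that will be used for TLS in this service.
-#
-# [*service_key*]
-# The path to the key that will be used for TLS in this service.
-#
-# [*certmonger_ca*]
-# (Optional) The CA that certmonger will use to generate the certificates.
-# Defaults to hiera('certmonger_ca', 'local').
-#
-# [*dnsnames*]
-# (Optional) The DNS names that will be added for the SubjectAltNames entry
-# in the certificate. If left unset, the value will be set to the $hostname.
-# This parameter can take both a string or an array of strings.
-# Defaults to $hostname
-#
-# [*postsave_cmd*]
-# (Optional) Specifies the command to execute after requesting a certificate.
-# Defaults to undef.
-#
-# [*principal*]
-# (Optional) The service principal that is set for the service in kerberos.
-# Defaults to undef
-#
-# [*key_size*]
-# (Optional) Specifies the private key size used when creating the certificate.
-# Defaults to 2048bits.
-#
-class tripleo::certmonger::redis (
-$hostname,
-$service_certificate,
-$service_key,
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$dnsnames = $hostname,
-$postsave_cmd = undef,
-$principal = undef,
-$key_size = 2048,
-) {
-include certmonger
-
-ensure_resource('file', '/usr/bin/certmonger-redis-refresh.sh', {
-source => 'puppet:///modules/tripleo/certmonger-redis-refresh.sh',
-mode => '0700',
-seltype => 'bin_t',
-notify => Service['certmonger']
-})
-
-certmonger_certificate { 'redis' :
-ensure => 'present',
-certfile => $service_certificate,
-keyfile => $service_key,
-hostname => $hostname,
-dnsname => $dnsnames,
-principal => $principal,
-postsave_cmd => $postsave_cmd,
-ca => $certmonger_ca,
-key_size => $key_size,
-wait => true,
-require => Class['::certmonger'],
-}
-
-file { $service_certificate :
-require => Certmonger_certificate['redis'],
-}
-file { $service_key :
-require => Certmonger_certificate['redis'],
-}
-}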
@ -1,322 +0,0 @@
|
|||||||
# Copyright 2017 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
#
|
|
||||||
# [*certmonger_ca*]
|
|
||||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
||||||
# Defaults to hiera('certmonger_ca', 'local').
|
|
||||||
#
|
|
||||||
# == class: tripleo::profile::base::certmonger_user
|
|
||||||
#
|
|
||||||
# Profile that ensures that the relevant certmonger certificates have been
|
|
||||||
# requested. The certificates come from the hiera set by the specific profiles
|
|
||||||
# and come in a pre-defined format.
|
|
||||||
# For a service that has several certificates (one per network name):
|
|
||||||
# apache_certificates_specs:
|
|
||||||
# httpd-internal_api:
|
|
||||||
# hostname: <overcloud controller fqdn>
|
|
||||||
# service_certificate: <service certificate path>
|
|
||||||
# service_key: <service key path>
|
|
||||||
# principal: "HTTP/<overcloud controller fqdn>"
|
|
||||||
# For a service that uses a single certificate:
|
|
||||||
# mysql_certificates_specs:
|
|
||||||
# hostname: <overcloud controller fqdn>
|
|
||||||
# service_certificate: <service certificate path>
|
|
||||||
# service_key: <service key path>
|
|
||||||
# principal: "mysql/<overcloud controller fqdn>"
|
|
||||||
#
|
|
||||||
# === Parameters
|
|
||||||
#
|
|
||||||
# [*step*]
|
|
||||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
|
||||||
# for more details.
|
|
||||||
# Defaults to hiera('step')
|
|
||||||
#
|
|
||||||
# [*apache_certificates_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('apache_certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*haproxy_certificates_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*libvirt_certificates_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('libvirt_certificates_specs', {}).
|
|
||||||
#
|
|
||||||
# [*libvirt_postsave_cmd*]
|
|
||||||
# (Optional) If set, it overrides the default way to restart libvirt when the
|
|
||||||
# certificate is renewed.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*libvirt_vnc_certificates_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('libvirt_vnc_certificates_specs', {}).
|
|
||||||
#
|
|
||||||
# [*libvirt_vnc_postsave_cmd*]
|
|
||||||
# (Optional) If set, it overrides the default way to restart services when the
|
|
||||||
# certificate is renewed.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*qemu_certificates_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('qemu_certificates_specs', {}).
|
|
||||||
#
|
|
||||||
# [*qemu_postsave_cmd*]
|
|
||||||
# (Optional) If set, it overrides the default way to restart services when the
|
|
||||||
# certificate is renewed.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*qdr_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger fot the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*mysql_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*memcached_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('tripleo::profile::base::memcached::certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*rabbitmq_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*redis_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('redis_certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*ceph_grafana_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('ceph_grafana_certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*ceph_dashboard_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('ceph_dashboard_certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*ceph_rgw_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('ceph_rgw_certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*etcd_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*neutron_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('tripleo::profile::base::neutron::certificate_specs', {}).
|
|
||||||
#
|
|
||||||
# [*novnc_proxy_certificates_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('novnc_proxy_certificates_specs',{})
|
|
||||||
#
|
|
||||||
# [*novnc_proxy_postsave_cmd*]
|
|
||||||
# (Optional) If set, it overrides the default way to restart novnc proxy when the
|
|
||||||
# certificate is renewed.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*ovn_dbs_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('ovn_dbs_certificate_specs', {})
|
|
||||||
#
|
|
||||||
# [*ovn_controller_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('ovn_controller_certificate_specs', {})
|
|
||||||
#
|
|
||||||
# [*ovn_metadata_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('ovn_metadata_certificate_specs', {})
|
|
||||||
#
|
|
||||||
# [*neutron_ovn_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('neutron_ovn_certificate_specs', {})
|
|
||||||
#
|
|
||||||
# [*ovn_octavia_certificate_specs*]
|
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
|
||||||
# it will create.
|
|
||||||
# Defaults to hiera('ovn_octavia_certificate_specs', {})
|
|
||||||
#
|
|
||||||
# === Deprecated
|
|
||||||
#
|
|
||||||
# [*haproxy_postsave_cmd*]
|
|
||||||
# (Optional) If set, it overrides the default way to restart haproxy when the
|
|
||||||
# certificate is renewed.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
# [*apache_postsave_cmd*]
|
|
||||||
# (Optional) If set, it overrides the default way to restart apache when the
|
|
||||||
# certificate is renewed.
|
|
||||||
# Defaults to undef
|
|
||||||
#
|
|
||||||
class tripleo::profile::base::certmonger_user (
|
|
||||||
$step = Integer(hiera('step')),
|
|
||||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
||||||
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
|
|
||||||
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
|
|
||||||
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
|
|
||||||
$libvirt_postsave_cmd = undef,
|
|
||||||
$libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
|
|
||||||
$libvirt_vnc_postsave_cmd = undef,
|
|
||||||
$qemu_certificates_specs = hiera('qemu_certificates_specs', {}),
|
|
||||||
$qemu_postsave_cmd = undef,
|
|
||||||
$qdr_certificate_specs = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
|
|
||||||
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
|
|
||||||
$memcached_certificate_specs = hiera('tripleo::profile::base::memcached::certificate_specs', {}),
|
|
||||||
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
|
|
||||||
$redis_certificate_specs = hiera('redis_certificate_specs', {}),
|
|
||||||
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
|
|
||||||
$neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
|
|
||||||
$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
|
|
||||||
$ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
|
|
||||||
$ceph_dashboard_certificate_specs = hiera('ceph_dashboard_certificate_specs', {}),
|
|
||||||
$ceph_rgw_certificate_specs = hiera('ceph_rgw_certificate_specs', {}),
|
|
||||||
$ovn_dbs_certificate_specs = hiera('ovn_dbs_certificate_specs', {}),
|
|
||||||
$ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),
|
|
||||||
$ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
|
|
||||||
$neutron_ovn_certificate_specs = hiera('neutron_ovn_certificate_specs', {}),
|
|
||||||
$ovn_octavia_certificate_specs = hiera('ovn_octavia_certificate_specs', {}),
|
|
||||||
$novnc_proxy_postsave_cmd = undef,
|
|
||||||
# Deprecated
|
|
||||||
$haproxy_postsave_cmd = undef,
|
|
||||||
$apache_postsave_cmd = undef,
|
|
||||||
) {
|
|
||||||
include certmonger
|
|
||||||
|
|
||||||
if $step == 1 {
|
|
||||||
# This is only needed for certmonger's local CA. For any other CA this
|
|
||||||
# operation (trusting the CA) should be done by the deployer.
|
|
||||||
if $certmonger_ca == 'local' {
|
|
||||||
include tripleo::certmonger::ca::local
|
|
||||||
}
|
|
||||||
|
|
||||||
# Remove haproxy_certificates_specs where hostname is empty.
|
|
||||||
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1905604
|
|
||||||
$haproxy_certificates_specs_filtered = $haproxy_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
|
|
||||||
unless empty($haproxy_certificates_specs_filtered) {
|
|
||||||
$reload_haproxy = ['systemctl reload tripleo_haproxy']
|
|
||||||
Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
|
|
||||||
if defined(Class['::haproxy']) {
|
|
||||||
Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$reload_haproxy = []
|
|
||||||
}
|
|
||||||
class { 'tripleo::certmonger::ca::crl' :
|
|
||||||
reload_cmds => $reload_haproxy,
|
|
||||||
}
|
|
||||||
Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
|
|
||||||
include tripleo::certmonger::ca::libvirt_vnc
|
|
||||||
include tripleo::certmonger::ca::qemu
|
|
||||||
|
|
||||||
# Remove apache_certificates_specs where hostname is empty.
|
|
||||||
# Workaround bug: https://bugs.launchpad.net/tripleo/+bug/1811207
|
|
||||||
$apache_certificates_specs_filtered = $apache_certificates_specs.filter | $specs, $keys | { ! empty($keys[hostname]) }
|
|
||||||
unless empty($apache_certificates_specs_filtered) {
|
|
||||||
include tripleo::certmonger::apache_dirs
|
|
||||||
ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs_filtered)
|
|
||||||
}
|
|
||||||
unless empty($libvirt_certificates_specs) {
|
|
||||||
include tripleo::certmonger::libvirt_dirs
|
|
||||||
ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs,
|
|
||||||
{'postsave_cmd' => $libvirt_postsave_cmd})
|
|
||||||
}
|
|
||||||
unless empty($libvirt_vnc_certificates_specs) {
|
|
||||||
include tripleo::certmonger::libvirt_vnc_dirs
|
|
||||||
ensure_resources('tripleo::certmonger::libvirt_vnc', $libvirt_vnc_certificates_specs,
|
|
||||||
{'postsave_cmd' => $libvirt_vnc_postsave_cmd})
|
|
||||||
}
|
|
||||||
unless empty($qemu_certificates_specs) {
|
|
||||||
include tripleo::certmonger::qemu_dirs
|
|
||||||
include tripleo::certmonger::qemu_nbd_dirs
|
|
||||||
ensure_resources('tripleo::certmonger::qemu', $qemu_certificates_specs,
|
|
||||||
{'postsave_cmd' => $qemu_postsave_cmd})
|
|
||||||
}
|
|
||||||
unless empty($haproxy_certificates_specs_filtered) {
|
|
||||||
include tripleo::certmonger::haproxy_dirs
|
|
||||||
ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs_filtered)
|
|
||||||
# The haproxy fronends (or listen resources) depend on the certificate
|
|
||||||
# existing and need to be refreshed if it changed.
|
|
||||||
Tripleo::Certmonger::Haproxy<||> ~> Haproxy::Listen<||>
|
|
||||||
}
|
|
||||||
unless empty($qdr_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::metrics_qdr', $qdr_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($memcached_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::memcached', $memcached_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($mysql_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($rabbitmq_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($redis_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::redis', $redis_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($etcd_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($neutron_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($novnc_proxy_certificates_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::novnc_proxy', $novnc_proxy_certificates_specs,
|
|
||||||
{'postsave_cmd' => $novnc_proxy_postsave_cmd})
|
|
||||||
}
|
|
||||||
unless empty($ceph_grafana_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::ceph_grafana', $ceph_grafana_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($ceph_dashboard_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::ceph_dashboard', $ceph_dashboard_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($ceph_rgw_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::ceph_rgw', $ceph_rgw_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($ovn_dbs_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($ovn_controller_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::ovn_controller', $ovn_controller_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($ovn_metadata_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::ovn_metadata', $ovn_metadata_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($neutron_ovn_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
|
|
||||||
}
|
|
||||||
unless empty($ovn_octavia_certificate_specs) {
|
|
||||||
ensure_resource('class', 'tripleo::certmonger::ovn_octavia', $ovn_octavia_certificate_specs)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
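--- /dev/null
+++ b/[path not shown on page: release note yaml]
@@ -0,0 +1,6 @@
+---
+deprecations:
+- |
+Remove support for puppet_certmonger. All certificates are now managed by
+the linux-system-roles.certificate ansible role configured from each
+service's heat template. ::tripleo::certmonger puppet files are removed.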
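--- a/[path not shown on page: tripleo::certmonger::ca::crl spec]
+++ /dev/null
@@ -1,116 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::ca::crl' do
-
-shared_examples_for 'tripleo::certmonger::ca::crl' do
-
-context 'with default parameters (no crl_source)' do
-it 'should ensure no CRL nor cron job are present' do
-is_expected.not_to contain_exec('tripleo-ca-crl')
-is_expected.to contain_cron('tripleo-refresh-crl-file').with(
-:ensure => 'absent'
-)
-end
-end
-
-context 'with defined CRL source' do
-let :params do
-{
-:crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
-:crl_preprocessed => '/etc/pki/CA/crl/overcloud-crl.bin',
-:crl_source => 'file://tmp/some/crl.bin',
-}
-end
-
-let :process_cmd do
-"openssl crl -in #{params[:crl_preprocessed]} -inform DER -outform PEM -out #{params[:crl_dest]}"
-end
-
-let :cron_cmd do
-"curl -g -s -L -o #{params[:crl_preprocessed]} #{params[:crl_source]} && #{process_cmd}"
-end
-
-it 'should create and process CRL file' do
-is_expected.to contain_exec('tripleo-ca-crl').with(
-:command => "curl -Ls --connect-timeout 120 -o #{params[:crl_preprocessed]} #{params[:crl_source]}",
-:tries => 5,
-:try_sleep => 5
-)
-is_expected.to contain_file('tripleo-ca-crl-file').with(
-:group => 'root',
-:mode => '0644',
-:owner => 'root',
-:path => "#{params[:crl_preprocessed]}"
-)
-is_expected.to contain_exec('tripleo-ca-crl-process-command').with(
-:command => process_cmd
-)
-is_expected.to contain_cron('tripleo-refresh-crl-file').with(
-:ensure => 'present',
-:command => cron_cmd
-)
-end
-end
-
-context 'with defined CRL source and no processing' do
-let :params do
-{
-:crl_dest => '/etc/pki/CA/crl/overcloud-crl.pem',
-:crl_source => 'file://tmp/some/crl.pem',
-:process => false
-}
-end
-
-let :cron_cmd do
-"curl -g -s -L -o #{params[:crl_dest]} #{params[:crl_source]}"
-end
-
-it 'should create and process CRL file' do
-is_expected.to contain_exec('tripleo-ca-crl').with(
-:command => "curl -Ls --connect-timeout 120 -o #{params[:crl_dest]} #{params[:crl_source]}",
-:tries => 5,
-:try_sleep => 5
-)
-is_expected.to contain_file('tripleo-ca-crl-file').with(
-:group => 'root',
-:mode => '0644',
-:owner => 'root',
-:path => "#{params[:crl_dest]}"
-)
-is_expected.to_not contain_exec('tripleo-ca-crl-process-command')
-is_expected.to contain_cron('tripleo-refresh-crl-file').with(
-:ensure => 'present',
-:command => cron_cmd
-)
-end
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::ca::crl'
-end
-end
-end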
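--- a/[path not shown on page: tripleo::certmonger::ca::local spec]
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::ca::local' do
-
-shared_examples_for 'tripleo::certmonger::ca::local' do
-
-let :pre_condition do
-"include certmonger"
-end
-
-let :params do
-{
-:ca_pem => '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem',
-}
-end
-
-it 'should extract CA cert' do
-is_expected.to contain_exec('extract-and-trust-ca')
-end
-
-it 'set the correct permissions for the CA certificate file' do
-is_expected.to contain_file(params[:ca_pem]).with(
-:ensure => 'present',
-:mode => '0644',
-:owner => 'root'
-)
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::ca::local'
-end
-end
-end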
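--- a/[path not shown on page: tripleo::certmonger::etcd spec]
+++ /dev/null
@@ -1,82 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::etcd' do
-
-shared_examples_for 'tripleo::certmonger::etcd' do
-let :params do
-{
-:hostname => 'localhost',
-:service_certificate => '/etc/pki/cert.crt',
-:service_key => '/etc/pki/key.pem',
-}
-end
-
-context 'with defaults' do
-it 'should include the base for using certmonger' do
-is_expected.to contain_class('certmonger')
-end
-
-it 'should request a certificate' do
-is_expected.to contain_certmonger_certificate('etcd').with(
-:ensure => 'present',
-:certfile => '/etc/pki/cert.crt',
-:keyfile => '/etc/pki/key.pem',
-:hostname => 'localhost',
-:dnsname => 'localhost',
-:principal => nil,
-:postsave_cmd => nil,
-:ca => 'local',
-:wait => true,
-)
-is_expected.to contain_file('/etc/pki/cert.crt')
-is_expected.to contain_file('/etc/pki/key.pem')
-end
-end
-context 'with overrides' do
-before :each do
-params.merge!({
-:certmonger_ca => 'IPA',
-:dnsnames => 'host1,127.0.0.42',
-:postsave_cmd => '/usr/bin/refresh_me.sh',
-:principal => 'Principal_Lewis',
-})
-end
-it 'should request a certificate with overrides' do
-is_expected.to contain_certmonger_certificate('etcd').with(
-:dnsname => 'host1,127.0.0.42',
-:principal => 'Principal_Lewis',
-:postsave_cmd => '/usr/bin/refresh_me.sh',
-:ca => 'IPA',
-)
-end
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::etcd'
-end
-end
-end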
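--- a/[path not shown on page: tripleo::certmonger::memcached spec]
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Copyright (C) 2020 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::memcached' do
-
-shared_examples_for 'tripleo::certmonger::memcached' do
-let :params do
-{
-:hostname => 'localhost',
-:service_certificate => '/etc/pki/cert.crt',
-:service_key => '/etc/pki/key.pem',
-}
-end
-
-it 'should include the base for using certmonger' do
-is_expected.to contain_class('certmonger')
-end
-
-it 'should request a certificate' do
-is_expected.to contain_certmonger_certificate('memcached').with(
-:ensure => 'present',
-:certfile => '/etc/pki/cert.crt',
-:keyfile => '/etc/pki/key.pem',
-:hostname => 'localhost',
-:dnsname => 'localhost',
-:ca => 'local',
-:wait => true,
-)
-is_expected.to contain_file('/etc/pki/cert.crt')
-is_expected.to contain_file('/etc/pki/key.pem')
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::memcached'
-end
-end
-end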
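--- a/[path not shown on page: tripleo::certmonger::mysql spec]
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::mysql' do
-
-shared_examples_for 'tripleo::certmonger::mysql' do
-let :params do
-{
-:hostname => 'localhost',
-:service_certificate => '/etc/pki/cert.crt',
-:service_key => '/etc/pki/key.pem',
-}
-end
-
-it 'should include the base for using certmonger' do
-is_expected.to contain_class('certmonger')
-end
-
-it 'should request a certificate' do
-is_expected.to contain_certmonger_certificate('mysql').with(
-:ensure => 'present',
-:certfile => '/etc/pki/cert.crt',
-:keyfile => '/etc/pki/key.pem',
-:hostname => 'localhost',
-:dnsname => 'localhost',
-:ca => 'local',
-:wait => true,
-)
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::mysql'
-end
-end
-end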
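--- a/[path not shown on page: tripleo::certmonger::openvswitch spec]
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::openvswitch' do
-
-shared_examples_for 'tripleo::certmonger::openvswitch' do
-let :params do
-{
-:hostname => 'localhost',
-:service_certificate => '/etc/pki/cert.crt',
-:service_key => '/etc/pki/key.pem',
-}
-end
-
-it 'should include the base for using certmonger' do
-is_expected.to contain_class('certmonger')
-end
-
-it 'should request a certificate' do
-is_expected.to contain_certmonger_certificate('openvswitch').with(
-:ensure => 'present',
-:certfile => '/etc/pki/cert.crt',
-:keyfile => '/etc/pki/key.pem',
-:hostname => 'localhost',
-:dnsname => 'localhost',
-:ca => 'local',
-:wait => true,
-)
-is_expected.to contain_file('/etc/pki/cert.crt').with(
-:owner => 'openvswitch',
-:group => 'hugetlbfs',
-:require => 'Certmonger_certificate[openvswitch]'
-)
-is_expected.to contain_file('/etc/pki/key.pem').with(
-:owner => 'openvswitch',
-:group => 'hugetlbfs',
-:require => 'Certmonger_certificate[openvswitch]'
-)
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::openvswitch'
-end
-end
-end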
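--- a/[path not shown on page: tripleo::certmonger::ovn_dbs spec]
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Copyright (C) 2019 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::ovn_dbs' do
-
-shared_examples_for 'tripleo::certmonger::ovn_dbs' do
-let :params do
-{
-:hostname => 'localhost',
-:service_certificate => '/etc/pki/cert.crt',
-:service_key => '/etc/pki/key.pem',
-}
-end
-
-it 'should include the base for using certmonger' do
-is_expected.to contain_class('certmonger')
-end
-
-it 'should request a certificate' do
-is_expected.to contain_certmonger_certificate('ovn_dbs').with(
-:ensure => 'present',
-:certfile => '/etc/pki/cert.crt',
-:keyfile => '/etc/pki/key.pem',
-:hostname => 'localhost',
-:dnsname => 'localhost',
-:ca => 'local',
-:wait => true,
-)
-is_expected.to contain_file('/etc/pki/cert.crt')
-is_expected.to contain_file('/etc/pki/key.pem')
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::ovn_dbs'
-end
-end
-end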
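--- a/[path not shown on page: tripleo::certmonger::rabbitmq spec]
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::rabbitmq' do
-
-shared_examples_for 'tripleo::certmonger::rabbitmq' do
-let :params do
-{
-:hostname => 'localhost',
-:service_certificate => '/etc/pki/cert.crt',
-:service_key => '/etc/pki/key.pem',
-}
-end
-
-it 'should include the base for using certmonger' do
-is_expected.to contain_class('certmonger')
-end
-
-it 'should request a certificate' do
-is_expected.to contain_certmonger_certificate('rabbitmq').with(
-:ensure => 'present',
-:certfile => '/etc/pki/cert.crt',
-:keyfile => '/etc/pki/key.pem',
-:hostname => 'localhost',
-:dnsname => 'localhost',
-:ca => 'local',
-:wait => true,
-)
-is_expected.to contain_file('/etc/pki/cert.crt')
-is_expected.to contain_file('/etc/pki/key.pem')
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::rabbitmq'
-end
-end
-end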
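--- a/[path not shown on page: tripleo::certmonger::httpd spec]
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Copyright (C) 2017 Red Hat Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-
-require 'spec_helper'
-
-describe 'tripleo::certmonger::httpd' do
-
-let(:title) { 'httpd-cert' }
-
-shared_examples_for 'tripleo::certmonger::httpd' do
-let :params do
-{
-:name => 'httpd-cert',
-:hostname => 'localhost',
-:service_certificate => '/etc/pki/cert.crt',
-:service_key => '/etc/pki/key.pem',
-}
-end
-
-it 'should include the base for using certmonger' do
-is_expected.to contain_class('certmonger')
-end
-
-it 'should include the httpd parameters' do
-is_expected.to contain_class('apache::params')
-end
-
-it 'should request a certificate' do
-is_expected.to contain_certmonger_certificate('httpd-cert').with(
-:ensure => 'present',
-:certfile => '/etc/pki/cert.crt',
-:keyfile => '/etc/pki/key.pem',
-:hostname => 'localhost',
-:dnsname => 'localhost',
-:ca => 'local',
-:wait => true,
-)
-end
-end
-
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge({})
-end
-
-it_behaves_like 'tripleo::certmonger::httpd'
-end
-end
-end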