diff --git a/manifests/certmonger/ca/crl.pp b/manifests/certmonger/ca/crl.pp index e1d8072c5..1e0db58e9 100644 --- a/manifests/certmonger/ca/crl.pp +++ b/manifests/certmonger/ca/crl.pp @@ -85,8 +85,35 @@ class tripleo::certmonger::ca::crl ( $maxdelay = 0, $reload_cmds = [], ) { + if $process { + $fetched_crl = $crl_preprocessed + } else { + $fetched_crl = $crl_dest + } + + $esc_fetched_crl = shell_escape($fetched_crl) + $esc_crl_src = shell_escape($crl_source) + if $crl_source { $ensure = 'present' + # LP(1787878): We need to use an explicit command instead of the file + # resource, because puppet won't use query parameters when handling + # redirects. + # If FreeIPA is being installed in a similar time as the overcloud, the tries + # and time in between tries gives it a chance to generate the CRL. + exec {'tripleo-ca-crl': + command => "curl -Ls --connect-timeout 120 -o ${esc_fetched_crl} ${esc_crl_src}", + path => '/usr/bin/', + creates => $fetched_crl, + tries => 5, + try_sleep => 5, + } ~> + file {'tripleo-ca-crl-file': + group => 'root', + mode => '0644', + owner => 'root', + path => $fetched_crl, + } } else { $ensure = 'absent' } @@ -97,31 +124,21 @@ class tripleo::certmonger::ca::crl ( $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; " } - if $process { - $fetched_crl = $crl_preprocessed - } else { - $fetched_crl = $crl_dest - } - - file { 'tripleo-ca-crl' : - ensure => $ensure, - path => $fetched_crl, - source => $crl_source, - mode => '0644', - } - if $process and $ensure == 'present' { $crl_dest_format = $crl_preprocessed_format ? { 'PEM' => 'DER', 'DER' => 'PEM' } # transform CRL from DER to PEM or viceversa - $process_cmd = "openssl crl -in ${$crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}" + $process_cmd = "openssl crl -in ${crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}" exec { 'tripleo-ca-crl-process-command' : command => $process_cmd, path => '/usr/bin', refreshonly => true, - subscribe => File['tripleo-ca-crl'] + subscribe => [ + Exec['tripleo-ca-crl'], + File['tripleo-ca-crl-file'] + ] } } else { $process_cmd = [] diff --git a/spec/classes/tripleo_certmonger_ca_crl_spec.rb b/spec/classes/tripleo_certmonger_ca_crl_spec.rb index d557a1bc7..3c45a58bf 100644 --- a/spec/classes/tripleo_certmonger_ca_crl_spec.rb +++ b/spec/classes/tripleo_certmonger_ca_crl_spec.rb @@ -24,9 +24,7 @@ describe 'tripleo::certmonger::ca::crl' do context 'with default parameters (no crl_source)' do it 'should ensure no CRL nor cron job are present' do - is_expected.to contain_file('tripleo-ca-crl').with( - :ensure => 'absent' - ) + is_expected.not_to contain_exec('tripleo-ca-crl') is_expected.to contain_cron('tripleo-refresh-crl-file').with( :ensure => 'absent' ) @@ -51,9 +49,16 @@ describe 'tripleo::certmonger::ca::crl' do end it 'should create and process CRL file' do - is_expected.to contain_file('tripleo-ca-crl').with( - :ensure => 'present', - :source => params[:crl_source] + is_expected.to contain_exec('tripleo-ca-crl').with( + :command => "curl -Ls --connect-timeout 120 -o #{params[:crl_preprocessed]} #{params[:crl_source]}", + :tries => 5, + :try_sleep => 5 + ) + is_expected.to contain_file('tripleo-ca-crl-file').with( + :group => 'root', + :mode => '0644', + :owner => 'root', + :path => "#{params[:crl_preprocessed]}" ) is_expected.to contain_exec('tripleo-ca-crl-process-command').with( :command => process_cmd @@ -79,9 +84,16 @@ describe 'tripleo::certmonger::ca::crl' do end it 'should create and process CRL file' do - is_expected.to contain_file('tripleo-ca-crl').with( - :ensure => 'present', - :source => params[:crl_source] + is_expected.to contain_exec('tripleo-ca-crl').with( + :command => "curl -Ls --connect-timeout 120 -o #{params[:crl_dest]} #{params[:crl_source]}", + :tries => 5, + :try_sleep => 5 + ) + is_expected.to contain_file('tripleo-ca-crl-file').with( + :group => 'root', + :mode => '0644', + :owner => 'root', + :path => "#{params[:crl_dest]}" ) is_expected.to_not contain_exec('tripleo-ca-crl-process-command') is_expected.to contain_cron('tripleo-refresh-crl-file').with(