Defined Type: certs::vhost

Defined in:
manifests/vhost.pp

Overview

Examples:

Without Hiera:

  $cname = 'www.example.com'
  certs::vhost{ $cname:
    source_path => 'puppet:///site_certificates',
  }

With Hiera:

  server.yaml
  ---
  certsvhost:
    'www.example.com':
      source_path: 'puppet:///modules/site_certificates/'

  manifest.pp
  ---
  $certsvhost = hiera_hash('certsvhost')
  create_resources(certs::vhost, $certsvhost)
  Certs::Vhost<| |> -> Apache::Vhost<| |>

Parameters:

  • title

    The title of the resource matches the certificate's name, e.g. 'www.example.com' matches the certificate for the hostname 'www.example.com'.

  • source_path (String) (defaults to: undef)

    Required. The location of the certificate files. Typically references a module's files, e.g. 'puppet:///site_certs' will search $modulepath/site_certs/files on the master for the specified files.

  • target_path (String) (defaults to: '/etc/ssl/certs')

    Location where the certificate files will be stored on the managed node. Default: '/etc/ssl/certs'

  • service (String) (defaults to: 'httpd')

    Name of the web server service to notify when certificates are updated. Default: 'httpd'

  • source_name (String) (defaults to: $name)

    Name of the file to use if different from the title of the resource. Default: '$name'

  • vault (Boolean) (defaults to: false)

    Use vault_lookup to query the Vault service for the crt/key pair. Default: 'undef'

  • crt_target_path (String) (defaults to: '')
  • key_target_path (String) (defaults to: '')
  • base64_vault_crt (Boolean) (defaults to: false)
  • notify_service (Boolean) (defaults to: true)
  • cert_extension (Enum['crt','pem']) (defaults to: 'crt')
  • file_options (Hash) (defaults to: {})


# File 'manifests/vhost.pp', line 41

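define certs::vhost (
  String $source_name               = $name,
  # Optional so that an omitted value reaches the fail() below with a clear
  # message instead of a bare "expects a String value, got Undef" type error.
  Optional[String] $source_path     = undef,
  String $target_path               = '/etc/ssl/certs',
  String $crt_target_path           = '',
  String $key_target_path           = '',
  String $service                   = 'httpd',
  Boolean $vault                    = false,
  Boolean $base64_vault_crt         = false,
  Boolean $notify_service           = true,
  Enum['crt','pem'] $cert_extension = 'crt',
  Hash $file_options                = {},
) {
  # Installs the certificate and private key for one vhost, either from a
  # file source or from Vault, and optionally notifies the web server service.
  # $name is always set for a defined resource, so only $source_path is checked.
  if ($source_path == undef) {
    fail('You must provide a source_path for the SSL files to certs::vhost.')
  }

  $cert_name = "${name}.${cert_extension}"
  $key_name = "${name}.key"

  # An explicit per-file target path wins over the shared $target_path.
  $crt_target_path_final = $crt_target_path ? {
    ''      => $target_path,
    default => $crt_target_path,
  }
  $key_target_path_final = $key_target_path ? {
    ''      => $target_path,
    default => $key_target_path,
  }

  # The private key must not be created world-readable (the file type's
  # default mode), and its content must not be echoed into reports or diffs.
  # Caller-supplied $file_options still override these defaults because the
  # right-hand side of the hash '+' wins.
  $key_file_options = { 'mode' => '0600', 'show_diff' => false } + $file_options

  if $vault {
    # Vault is expected to return a hash with 'crt' and 'key' entries.
    $vault_ssl_hash = vault_lookup("${source_path}/${source_name}")

    if $base64_vault_crt {
      $crt_content = base64('decode', $vault_ssl_hash['crt'])
    }
    else {
      $crt_content = $vault_ssl_hash['crt']
    }
    $key_content = $vault_ssl_hash['key']

    file { $cert_name:
      ensure  => file,
      path    => "${crt_target_path_final}/${cert_name}",
      content => inline_epp('<%= $data %>', {'data' => $crt_content}),
      * => $file_options
    }
    -> file { $key_name:
      ensure  => file,
      path    => "${key_target_path_final}/${key_name}",
      content => inline_epp('<%= $data %>', {'data' => $key_content}),
      * => $key_file_options
    }
  }
  else {
    # NOTE(review): the source file name is always '.crt' even when
    # $cert_extension is 'pem' (only the target name changes); confirm that
    # this is intended before changing it.
    file { $cert_name:
      ensure => file,
      path   => "${crt_target_path_final}/${cert_name}",
      source => "${source_path}/${source_name}.crt",
      * => $file_options
    }
    -> file { $key_name:
      ensure => file,
      path   => "${key_target_path_final}/${key_name}",
      source => "${source_path}/${source_name}.key",
      * => $key_file_options
    }
  }
  # Restart/reload the web server once the new pair is in place.
  if $notify_service { Certs::Vhost[$title] ~> Service[$service] }
}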