Puppet Class: lsys::webserver::client_auth

Defined in:
manifests/webserver/client_auth.pp

Summary

Enables verification of client certificates

Overview

Sets up certificates in a predefined location. Provides 2 variables.

Examples:

include lsys::webserver::client_auth

Parameters:

  • ssl_client_ca_certs (Optional[Array[Stdlib::Fqdn]]) (defaults to: undef)

    List of certificate lookup keys to look for in Hiera. It will look for these keys with the suffix ‘_certificate’.



# File 'manifests/webserver/client_auth.pp', line 12

class lsys::webserver::client_auth (
  Optional[Array[Stdlib::Fqdn]] $ssl_client_ca_certs = undef,
) {
  include puppet::params
  include lsys::webserver::params

  # All three paths are read from the params classes; nothing here computes them.
  $localcacert      = $puppet::params::localcacert
  $internal_certdir = $lsys::webserver::params::internal_certdir
  $internal_cacert  = $lsys::webserver::params::internal_cacert

  # Directory that holds the CA material.
  # NOTE(review): owner, group and mode are not set on this directory or on the
  # bundle below, so they follow whatever resource defaults or on-disk values
  # apply. The bundle is the trust anchor for client verification; confirm that
  # only privileged accounts can write to either path.
  file { $internal_certdir:
    ensure => directory,
  }

  # Choose where the client-CA bundle comes from.
  if $ssl_client_ca_certs {
    # One tlsinfo::lookup() result per requested key, joined with newlines.
    # NOTE(review): the return value for a missing key is not visible here;
    # confirm the lookup fails rather than contributing an empty entry.
    # NOTE(review): the condition is a plain truthiness test and Puppet 4+
    # treats an empty Array as true, so `[]` lands here and yields an empty
    # bundle. Confirm whether an empty list should be rejected instead.
    $cacertdata = $ssl_client_ca_certs.map |$ca_name| { tlsinfo::lookup($ca_name) }
    $cacert_origin = { 'content' => $cacertdata.join("\n") }
  }
  else {
    # No list given: copy the file named by puppet::params::localcacert.
    # NOTE(review): presumably this is the Puppet CA certificate, which would
    # make every certificate issued by that CA an accepted client. Confirm that
    # this is the intended trust scope for the default.
    $cacert_origin = { 'source' => "file://${localcacert}" }
  }

  # Single declaration of the bundle; the branch above supplies either
  # `content` or `source`.
  file { $internal_cacert:
    ensure => file,
    *      => $cacert_origin,
  }

  # The two variables this class provides to its consumers.
  $ssl_cert = $internal_cacert
  # Contents of the module's enable-client-auth.conf chunk, read at compile
  # time; per the original comment it is the rule that denies
  # non-authenticated users.
  $ssl_check = [file('lsys/nginx/chunks/enable-client-auth.conf')]
}