Puppet Class: certs

Inherits:
certs::params
Inherited by:
certs::qpid
certs::apache
certs::puppet
certs::foreman
certs::candlepin
certs::foreman_proxy
certs::qpid_router::client
certs::qpid_router::server
Defined in:
manifests/init.pp

Overview

Class: certs

Base for installing and configuring certs. It holds the basic configuration aournd certificates generation and deployment. The per-subsystem configuratoin of certificates should go into ‘subsystem_module/manifests/certs.pp`.

Parameters:

$node_fqdn

The fqdn of the host the generated certificates should be for

$cname

The alternative names of the host the generated certificates should be for

$server_ca_cert

Path to the CA that issued the ssl certificates for https if not specified, the default CA will be used

$server_cert

Path to the ssl certificate for https if not specified, the default CA will generate one

$server_key

Path to the ssl key for https if not specified, the default CA will generate one

$server_cert_req

Path to the ssl certificate request for https if not specified, the default CA will generate one

$tar_file

Use a tarball with certificates rather than generate new ones. This can be used on another node which is not the CA.

Advanced parameters:

$generate

Should the generation of the certs be part of the configuration

$regenerate

Force regeneration of the certificates (excluding CA certificates)

$deploy

Deploy the certs on the configured system. False means we want to apply it to a different system

$ca_common_name

Common name for the generated CA certificate

$country

Country attribute for managed certificates

$state

State attribute for managed certificates

$city

City attribute for managed certificates

$org

Org attribute for managed certificates

$org_unit

Org unit attribute for managed certificates

$expiration

Expiration attribute for managed certificates

$ca_expiration

CA expiration attribute for managed certificates

$pki_dir

The PKI directory under which to place certs

$ssl_build_dir

The directory where SSL keys, certs and RPMs will be generated

$user

The system user name who should own the certs

$group

The group who should own the certs

$default_ca_name

The name of the default CA

$server_ca_name

The name of the server CA (used for https)

Parameters:

  • node_fqdn (Stdlib::Fqdn) (defaults to: $certs::params::node_fqdn)
  • cname (Array[Stdlib::Fqdn]) (defaults to: $certs::params::cname)
  • generate (Boolean) (defaults to: true)
  • regenerate (Boolean) (defaults to: false)
  • deploy (Boolean) (defaults to: true)
  • ca_common_name (String) (defaults to: $certs::params::ca_common_name)
  • country (String[2,2]) (defaults to: 'US')
  • state (String) (defaults to: 'North Carolina')
  • city (String) (defaults to: 'Raleigh')
  • org (String) (defaults to: 'Katello')
  • org_unit (String) (defaults to: 'SomeOrgUnit')
  • expiration (String) (defaults to: '7300')
  • ca_expiration (String) (defaults to: '36500')
  • server_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • server_key (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • server_cert_req (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • server_ca_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef)
  • pki_dir (Stdlib::Absolutepath) (defaults to: $certs::params::pki_dir)
  • ssl_build_dir (Stdlib::Absolutepath) (defaults to: '/root/ssl-build')
  • user (String) (defaults to: 'root')
  • group (String) (defaults to: 'root')
  • default_ca_name (String) (defaults to: 'katello-default-ca')
  • server_ca_name (String) (defaults to: 'katello-server-ca')
  • tar_file (Optional[Stdlib::Absolutepath]) (defaults to: undef) 


70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
 
# File 'manifests/init.pp', line 70

class certs (
  Stdlib::Fqdn $node_fqdn = $certs::params::node_fqdn,
  Array[Stdlib::Fqdn] $cname = $certs::params::cname,
  Boolean $generate = true,
  Boolean $regenerate = false,
  Boolean $deploy = true,
  String $ca_common_name = $certs::params::ca_common_name,
  String[2,2] $country = 'US',
  String $state = 'North Carolina',
  String $city = 'Raleigh',
  String $org = 'Katello',
  String $org_unit = 'SomeOrgUnit',
  String $expiration = '7300', # 20 years
  String $ca_expiration = '36500', # 100 years
  Optional[Stdlib::Absolutepath] $server_cert = undef,
  Optional[Stdlib::Absolutepath] $server_key = undef,
  Optional[Stdlib::Absolutepath] $server_cert_req = undef,
  Optional[Stdlib::Absolutepath] $server_ca_cert = undef,
  Stdlib::Absolutepath $pki_dir = $certs::params::pki_dir,
  Stdlib::Absolutepath $ssl_build_dir = '/root/ssl-build',
  String $user = 'root',
  String $group = 'root',
  String $default_ca_name = 'katello-default-ca',
  String $server_ca_name = 'katello-server-ca',
  Optional[Stdlib::Absolutepath] $tar_file = undef,
) inherits certs::params {
  if $server_cert {
    validate_file_exists($server_cert, $server_key, $server_ca_cert)
    if $server_cert_req {
      validate_file_exists($server_cert_req)
    }
  }

  $ca_key = "${pki_dir}/private/${default_ca_name}.key"
  $ca_cert = "${pki_dir}/certs/${default_ca_name}.crt"
  $ca_cert_stripped = "${pki_dir}/certs/${default_ca_name}-stripped.crt"
  $ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
  $ca_key_password_file = "${ssl_build_dir}/${default_ca_name}.pwd"

  $katello_server_ca_cert = "${pki_dir}/certs/${server_ca_name}.crt"
  $katello_default_ca_cert = "${pki_dir}/certs/${default_ca_name}.crt"

  if $tar_file {
    certs::tar_extract { $tar_file:
      before => Class['certs::install'],
    }
  }

  contain certs::install
  contain certs::config
  contain certs::ca

  Class['certs::install'] ->
  Class['certs::config'] ->
  Class['certs::ca']

  $default_ca = $certs::ca::default_ca
}