Puppet Class: certs::candlepin

Inherits:
certs
Defined in:
manifests/candlepin.pp

Overview

Contains the certs-specific configuration for Candlepin: it generates the Tomcat server certificate, deploys the Candlepin CA keypair, and populates the Java keystore and truststore that Candlepin reads. It also removes legacy certificate files left behind by earlier versions of this module.

Parameters:

  • hostname (Stdlib::Fqdn) (defaults to: $certs::node_fqdn)
  • cname (Array[Stdlib::Fqdn]) (defaults to: $certs::cname)
  • generate (Boolean) (defaults to: $certs::generate)
  • regenerate (Boolean) (defaults to: $certs::regenerate)
  • deploy (Boolean) (defaults to: $certs::deploy)
  • ca_cert (Stdlib::Absolutepath) (defaults to: $certs::candlepin_ca_cert)
  • ca_key (Stdlib::Absolutepath) (defaults to: $certs::candlepin_ca_key)
  • pki_dir (Stdlib::Absolutepath) (defaults to: $certs::pki_dir)
  • keystore (Stdlib::Absolutepath) (defaults to: $certs::candlepin_keystore)
  • keystore_password_file (String) (defaults to: 'keystore_password-file')
  • truststore (Stdlib::Absolutepath) (defaults to: $certs::candlepin_truststore)
  • truststore_password_file (String) (defaults to: 'truststore_password-file')
  • country (String[2,2]) (defaults to: $certs::country)
  • state (String) (defaults to: $certs::state)
  • city (String) (defaults to: $certs::city)
  • org (String) (defaults to: $certs::org)
  • org_unit (String) (defaults to: $certs::org_unit)
  • expiration (String) (defaults to: $certs::expiration)
  • ca_key_password_file (Stdlib::Absolutepath) (defaults to: $certs::ca_key_password_file)
  • user (String) (defaults to: 'root')
  • group (String) (defaults to: 'tomcat')
  • client_keypair_group (String) (defaults to: 'tomcat')


# File 'manifests/candlepin.pp', line 2

# @summary Certs-specific configuration for Candlepin.
#
# Generates the Tomcat server certificate for Candlepin, deploys the Candlepin
# CA keypair, and builds the Java keystore (Tomcat keypair) and truststore
# (Candlepin CA plus the Foreman client certificate) that Candlepin reads.
# Also removes legacy files (katello-tomcat.*, java-client.*) from $pki_dir.
#
# Security notes for reviewers:
# * The CA private key is deployed *decrypted* (key_decrypt => true), owned by
#   $user and group-readable by $group (mode 0440, default group 'tomcat').
#   Every process running in that group can therefore sign with the Candlepin
#   CA; keep $group as narrow as possible.
# * The keystore/truststore passwords are random 32-character strings obtained
#   through extlib::cache_data, keyed by $keystore_password_file and
#   $truststore_password_file; the same strings are reused as file names under
#   $pki_dir. They are plain Strings and are not validated as bare file names,
#   so a value containing '/' or '..' would place the password file outside
#   $pki_dir. Only set them from trusted configuration.
# * Password files are written with show_diff => false so the secret does not
#   end up in Puppet reports or logs.
#
# @param hostname FQDN used as the subject of the Tomcat certificate, as part of
#   its resource title, and as the directory name under $certs::ssl_build_dir.
# @param cname Additional names passed to the cert resources.
# @param generate Passed through to the cert resources (controls generation).
# @param regenerate Passed through to the cert resources (controls regeneration).
# @param deploy When true, the CA keypair, password files, keystore and
#   truststore are managed on this host; when false only the cert resources in
#   the build directory are managed.
# @param ca_cert Path where the Candlepin CA certificate is deployed; also
#   imported into the truststore and used as the chain for the keystore entry.
# @param ca_key Path where the decrypted Candlepin CA private key is deployed.
# @param pki_dir Directory receiving the password files; legacy files under
#   its private/ and certs/ subdirectories are removed.
# @param keystore Path of the Java keystore that receives the Tomcat keypair.
# @param keystore_password_file Cache key and file name (under $pki_dir) of the
#   keystore password.
# @param truststore Path of the Java truststore that receives the CA and the
#   Foreman client certificate.
# @param truststore_password_file Cache key and file name (under $pki_dir) of
#   the truststore password.
# @param country Two-letter country code for certificate subjects.
# @param state State/province for certificate subjects.
# @param city Locality for certificate subjects.
# @param org Organisation for the Tomcat certificate subject (the legacy
#   java-client cert uses the hard-coded 'candlepin').
# @param org_unit Organisational unit for certificate subjects.
# @param expiration Validity passed through to the cert resources.
# @param ca_key_password_file Password file of the CA key; used by the cert
#   resources when signing and by certs::keypair when decrypting the key.
# @param user Owner of the deployed CA key and certificate.
# @param group Group of the deployed CA key/cert, the password files, the
#   keystore and the truststore.
# @param client_keypair_group Not referenced in this class body; presumably
#   read by other classes as $certs::candlepin::client_keypair_group.
class certs::candlepin (
  Stdlib::Fqdn $hostname = $certs::node_fqdn,
  Array[Stdlib::Fqdn] $cname = $certs::cname,
  Boolean $generate = $certs::generate,
  Boolean $regenerate = $certs::regenerate,
  Boolean $deploy = $certs::deploy,
  Stdlib::Absolutepath $ca_cert = $certs::candlepin_ca_cert,
  Stdlib::Absolutepath $ca_key = $certs::candlepin_ca_key,
  Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
  Stdlib::Absolutepath $keystore = $certs::candlepin_keystore,
  String $keystore_password_file = 'keystore_password-file',
  Stdlib::Absolutepath $truststore = $certs::candlepin_truststore,
  String $truststore_password_file = 'truststore_password-file',
  String[2,2] $country = $certs::country,
  String $state = $certs::state,
  String $city = $certs::city,
  String $org = $certs::org,
  String $org_unit = $certs::org_unit,
  String $expiration = $certs::expiration,
  Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
  String $user = 'root',
  String $group = 'tomcat',
  String $client_keypair_group = 'tomcat',
) inherits certs {
  # The Foreman client keypair is reused below: its certificate is pinned in
  # Candlepin's truststore.
  include certs::foreman

  $java_client_cert_name = 'java-client'
  $artemis_alias = 'artemis-client'
  # Not used in this body; exposed as $certs::candlepin::artemis_client_dn
  # for other classes (presumably) — do not remove without checking callers.
  $artemis_client_dn = $certs::foreman::client_dn

  # Legacy: the java-client certificate is no longer issued. ensure => absent
  # removes it from the build dir; the remaining attributes keep the resource
  # fully specified for the cert type.
  cert { $java_client_cert_name:
    ensure        => absent,
    hostname      => $hostname,
    cname         => $cname,
    country       => $country,
    state         => $state,
    city          => $city,
    org           => 'candlepin',
    org_unit      => $org_unit,
    expiration    => $expiration,
    ca            => $certs::default_ca,
    generate      => $generate,
    regenerate    => $regenerate,
    deploy        => false,
    password_file => $ca_key_password_file,
    build_dir     => $certs::ssl_build_dir,
  }

  $tomcat_cert_name = "${hostname}-tomcat"

  # Tomcat server certificate, signed by the default CA. It is deliberately
  # not deployed as PEM files (deploy => false): the keypair is imported into
  # the Java keystore straight from the build directory below.
  cert { $tomcat_cert_name:
    ensure        => present,
    hostname      => $hostname,
    cname         => $cname,
    country       => $country,
    state         => $state,
    city          => $city,
    org           => $org,
    org_unit      => $org_unit,
    expiration    => $expiration,
    ca            => $certs::default_ca,
    generate      => $generate,
    regenerate    => $regenerate,
    deploy        => false,
    password_file => $ca_key_password_file,
    build_dir     => $certs::ssl_build_dir,
  }

  # Store passwords: a random 32-character value on first use, then the cached
  # value on later runs (extlib::cache_data semantics), so the stores stay
  # openable across Puppet runs. NOTE(review): the cache key doubles as the
  # file name under $pki_dir and is not validated as a bare name.
  $keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
  $truststore_password = extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
  $keystore_password_path = "${pki_dir}/${keystore_password_file}"
  $truststore_password_path = "${pki_dir}/${truststore_password_file}"
  # $client_key is not used in this body; exposed for other classes (presumably).
  $client_key = $certs::foreman::client_key
  $client_cert = $certs::foreman::client_cert
  $alias = 'candlepin-ca'

  if $deploy {
    # Candlepin CA keypair. The key is written DECRYPTED (key_decrypt => true)
    # and is readable by $group (0440) — presumably because Candlepin itself
    # must sign with this CA; anyone in $group can do the same. Confirm that
    # $group contains only the Candlepin service account.
    certs::keypair { $certs::default_ca_name:
      source_dir        => $certs::ssl_build_dir,
      key_file          => $ca_key,
      key_owner         => $user,
      key_group         => $group,
      key_mode          => '0440',
      cert_file         => $ca_cert,
      cert_owner        => $user,
      cert_group        => $group,
      cert_mode         => '0440',
      require           => $certs::default_ca,
      key_password_file => $ca_key_password_file,
      key_decrypt       => true,
    }

    # Legacy PEM files from earlier module versions; the Tomcat keypair now
    # lives only in the keystore and java-client is no longer issued.
    file { "${pki_dir}/private/katello-tomcat.key":
      ensure  => absent,
    }

    file { "${pki_dir}/certs/katello-tomcat.crt":
      ensure  => absent,
    }

    file { "${pki_dir}/private/${java_client_cert_name}.key":
      ensure  => absent,
    }

    file { "${pki_dir}/certs/${java_client_cert_name}.crt":
      ensure  => absent,
    }

    # Keystore password: root-owned, read-only for $group, never shown in
    # diffs/reports (show_diff => false).
    file { $keystore_password_path:
      ensure    => file,
      content   => $keystore_password,
      owner     => 'root',
      group     => $group,
      mode      => '0440',
      show_diff => false,
    }

    # Keystore is writable by root only; $group can read it.
    keystore { $keystore:
      ensure        => present,
      password_file => $keystore_password_path,
      owner         => 'root',
      group         => $group,
      mode          => '0640',
    }

    # Import the Tomcat keypair from the build dir under the 'tomcat' alias,
    # with the Candlepin CA certificate as its chain.
    keystore_certificate { "${keystore}:tomcat":
      ensure        => present,
      password_file => $keystore_password_path,
      certificate   => "${certs::ssl_build_dir}/${hostname}/${tomcat_cert_name}.crt",
      private_key   => "${certs::ssl_build_dir}/${hostname}/${tomcat_cert_name}.key",
      ca            => $ca_cert,
    }

    # Truststore password: same handling as the keystore password above.
    file { $truststore_password_path:
      ensure    => file,
      content   => $truststore_password,
      owner     => 'root',
      group     => $group,
      mode      => '0440',
      show_diff => false,
    }

    truststore { $truststore:
      ensure        => present,
      password_file => $truststore_password_path,
      owner         => 'root',
      group         => $group,
      mode          => '0640',
    }

    # Trust the Candlepin CA certificate.
    truststore_certificate { "${truststore}:${alias}":
      ensure        => present,
      password_file => $truststore_password_path,
      certificate   => $ca_cert,
    }

    # Pin Foreman's client certificate directly (leaf, not a CA) under the
    # 'artemis-client' alias — presumably so the Artemis broker accepts
    # Foreman's client connection; confirm against the Candlepin config.
    truststore_certificate { "${truststore}:${artemis_alias}":
      ensure        => present,
      password_file => $truststore_password_path,
      certificate   => $client_cert,
    }
  }
}