

Copy the server CA certificate with file resource
ehelms committed Apr 23, 2024

1 parent 39713ae commit 433dadc
Showing 2 changed files with 47 additions and 20 deletions.
40 changes: 20 additions & 20 deletions manifests/ca.pp
@@ -12,17 +12,17 @@
String $ca_expiration = $certs::ca_expiration,
Boolean $generate = $certs::generate,
Boolean $deploy = $certs::deploy,
Optional[Stdlib::Absolutepath] $server_cert = $certs::server_cert,
Optional[Stdlib::Absolutepath] $ssl_build_dir = $certs::ssl_build_dir,
String $group = $certs::group,
String $owner = $certs::user,
String $group = $certs::group,
Stdlib::Absolutepath $katello_server_ca_cert = $certs::katello_server_ca_cert,
Stdlib::Absolutepath $ca_key = $certs::ca_key,
Stdlib::Absolutepath $ca_cert = $certs::ca_cert,
Stdlib::Absolutepath $ca_cert_stripped = $certs::ca_cert_stripped,
String $ca_key_password = $certs::ca_key_password,
Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
) {
$server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"

file { "${certs::pki_dir}/private/${default_ca_name}.pwd":
ensure => absent,
}
@@ -51,29 +51,29 @@
}
$default_ca = Ca[$default_ca_name]

if $server_cert {
ca { $server_ca_name:
ensure => present,
generate => $generate,
deploy => false,
custom_pubkey => $certs::server_ca_cert,
build_dir => $certs::ssl_build_dir,
if $certs::server_ca_cert {
file { $server_ca_path:
ensure => file,
source => $certs::server_ca_cert,
owner => 'root',
group => 'root',
mode => '0644',
}
} else {
ca { $server_ca_name:
ensure => present,
generate => $generate,
deploy => false,
custom_pubkey => "${certs::ssl_build_dir}/${default_ca_name}.crt",
build_dir => $certs::ssl_build_dir,
file { $server_ca_path:
ensure => file,
source => "${certs::ssl_build_dir}/${default_ca_name}.crt",
owner => 'root',
group => 'root',
mode => '0644',
}
}

if $generate {
file { "${ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
ensure => link,
target => "${ssl_build_dir}/${server_ca_name}.crt",
require => Ca[$server_ca_name],
target => $server_ca_path,
require => File[$server_ca_path],
}
}

@@ -94,7 +94,7 @@

file { $katello_server_ca_cert:
ensure => file,
source => "${certs::ssl_build_dir}/${server_ca_name}.crt",
source => $server_ca_path,
owner => $owner,
group => $group,
mode => '0644',
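Review bot: The `else` branch's `file { $server_ca_path: … source => "${certs::ssl_build_dir}/${default_ca_name}.crt" }` copies a file that the `Ca[$default_ca_name]` resource produces, but unlike the removed `ca` resource it carries no ordering against it; a `file` resource does not autorequire another file named in `source`, so on a fresh run the copy can be attempted before the default CA exists unless ordering is established elsewhere. Adding `require => $default_ca,` (the variable is already defined a few lines above) makes the dependency explicit. Separately, the `$certs::server_ca_cert` branch now installs whatever the operator points at as the server trust anchor without any check that it is a parseable certificate — if the old `ca` type performed that validation, it has been lost; a `validate_cmd => '/usr/bin/openssl x509 -noout -in %',` on that resource would reject a bad file before it is deployed and linked as KATELLO-TRUSTED-SSL-CERT. Whether the remaining `$server_cert` parameter is still used is not visible here, since the class body continues outside these hunks.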
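--- a/spec/acceptance/certs_spec.rb
+++ b/spec/acceptance/certs_spec.rb
@@ -124,4 +124,31 @@ class { 'certs':
 it { should_not exist }
 end
 end
+
+context 'with server CA cert' do
+before(:context) do
+source_path = "fixtures/example.partial.solutions-chain.pem"
+dest_path = "/server-ca.crt"
+scp_to(hosts, source_path, dest_path)
+end
+
+it_behaves_like 'an idempotent resource' do
+let(:manifest) do
+<<-PUPPET
+class { 'certs':
+server_ca_cert => '/server-ca.crt',
+}
+PUPPET
+end
+end
+
+describe x509_certificate('/root/ssl-build/katello-server-ca.crt') do
+it { should be_certificate }
+# Doesn't have to be valid - can be expired since it's a static resource
+it { should have_purpose 'CA' }
+its(:issuer) { should eq('CN = Fake LE Root X1') }
+its(:subject) { should eq('CN = Fake LE Intermediate X1') }
+its(:keylength) { should be >= 2048 }
+end
+end
 end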
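Review bot: The new context only checks that the supplied certificate landed in the build dir; it does not assert that it became the trust anchor the manifest hands out, which is the security-relevant outcome of this commit. A second expectation on the link the manifest creates when `generate` is on, `describe file('/root/ssl-build/KATELLO-TRUSTED-SSL-CERT') { it { should be_symlink } it { should be_linked_to '/root/ssl-build/katello-server-ca.crt' } }`, would catch a regression where the link still points at the default CA. Note also that the `issuer`/`subject` strings are compared against OpenSSL's `CN = …` spacing, which differs between OpenSSL releases, so the test is presumably pinned to the CI image's OpenSSL; the fixture is a chain file and `x509_certificate` inspects only its first certificate, which is fine here but worth a comment next to `source_path`.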
