Copy the server CA certificate with file resource
ehelms committed Apr 23, 2024
1 parent 39713ae commit 433dadc
Showing 2 changed files with 47 additions and 20 deletions.
40 changes: 20 additions & 20 deletions manifests/ca.pp
@@ -12,17 +12,17 @@
String $ca_expiration = $certs::ca_expiration,
Boolean $generate = $certs::generate,
Boolean $deploy = $certs::deploy,
Optional[Stdlib::Absolutepath] $server_cert = $certs::server_cert,
Optional[Stdlib::Absolutepath] $ssl_build_dir = $certs::ssl_build_dir,
String $group = $certs::group,
String $owner = $certs::user,
String $group = $certs::group,
Stdlib::Absolutepath $katello_server_ca_cert = $certs::katello_server_ca_cert,
Stdlib::Absolutepath $ca_key = $certs::ca_key,
Stdlib::Absolutepath $ca_cert = $certs::ca_cert,
Stdlib::Absolutepath $ca_cert_stripped = $certs::ca_cert_stripped,
String $ca_key_password = $certs::ca_key_password,
Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
) {
$server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"

file { "${certs::pki_dir}/private/${default_ca_name}.pwd":
ensure => absent,
}
@@ -51,29 +51,29 @@
}
$default_ca = Ca[$default_ca_name]

if $server_cert {
ca { $server_ca_name:
ensure => present,
generate => $generate,
deploy => false,
custom_pubkey => $certs::server_ca_cert,
build_dir => $certs::ssl_build_dir,
if $certs::server_ca_cert {
file { $server_ca_path:
ensure => file,
source => $certs::server_ca_cert,
owner => 'root',
group => 'root',
mode => '0644',
}
} else {
ca { $server_ca_name:
ensure => present,
generate => $generate,
deploy => false,
custom_pubkey => "${certs::ssl_build_dir}/${default_ca_name}.crt",
build_dir => $certs::ssl_build_dir,
file { $server_ca_path:
ensure => file,
source => "${certs::ssl_build_dir}/${default_ca_name}.crt",
owner => 'root',
group => 'root',
mode => '0644',
}
}

if $generate {
file { "${ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
ensure => link,
target => "${ssl_build_dir}/${server_ca_name}.crt",
require => Ca[$server_ca_name],
target => $server_ca_path,
require => File[$server_ca_path],
}
}

@@ -94,7 +94,7 @@

file { $katello_server_ca_cert:
ensure => file,
source => "${certs::ssl_build_dir}/${server_ca_name}.crt",
source => $server_ca_path,
owner => $owner,
group => $group,
mode => '0644',
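Review bot: In the else branch of the second hunk, `file { $server_ca_path: source => "${certs::ssl_build_dir}/${default_ca_name}.crt" }` copies the default CA's certificate but declares no ordering on the `Ca[$default_ca_name]` resource that produces it (already bound as `$default_ca` in the hunk's context), whereas the replaced `ca` resource carried that relationship inside the type; on a first run with `generate => true` the copy may be evaluated before its source exists, unless a chain elsewhere in the class orders them. Adding `require => $default_ca,` to that file resource makes the dependency explicit. In the first branch, `source => $certs::server_ca_cert` now copies an operator-supplied path verbatim, so if the former `ca` type validated `custom_pubkey` that check no longer happens here; a comment on the resource such as `# Operator-supplied chain: copied as given, not validated by this resource` would record that. Only `File[$server_ca_path]` is updated in this hunk, so any other manifest still referencing `Ca[$server_ca_name]` will fail catalog compilation now that the resource is gone.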
27 changes: 27 additions & 0 deletions spec/acceptance/certs_spec.rb
@@ -124,4 +124,31 @@ class { 'certs':
it { should_not exist }
end
end

context 'with server CA cert' do
before(:context) do
source_path = "fixtures/example.partial.solutions-chain.pem"
dest_path = "/server-ca.crt"
scp_to(hosts, source_path, dest_path)
end

it_behaves_like 'an idempotent resource' do
let(:manifest) do
<<-PUPPET
class { 'certs':
server_ca_cert => '/server-ca.crt',
}
PUPPET
end
end

describe x509_certificate('/root/ssl-build/katello-server-ca.crt') do
it { should be_certificate }
# Doesn't have to be valid - can be expired since it's a static resource
it { should have_purpose 'CA' }
its(:issuer) { should eq('CN = Fake LE Root X1') }
its(:subject) { should eq('CN = Fake LE Intermediate X1') }
its(:keylength) { should be >= 2048 }
end
end
end
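Review bot: The new context asserts the content of `/root/ssl-build/katello-server-ca.crt` but not the ownership and mode the manifest now sets on it, so a regression in the file resource's `owner`/`group`/`mode` would pass these checks. The fixture copied to `/server-ca.crt` in `before(:context)` is also left on the hosts with no `after(:context)` cleanup, which may leak into later contexts on the same host (whether the shared helpers reset hosts between contexts is not visible here). A `describe file(...)` block next to the x509 checks closes the first gap.
```ruby
describe file('/root/ssl-build/katello-server-ca.crt') do
  it { should be_file }
  it { should be_owned_by 'root' }
  it { should be_grouped_into 'root' }
  it { should be_mode 644 }
end
```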
