Merge pull request #41 from iNecas/issue/8372

Refs #8372 - generate client certificates to be used by the smart proxy
theforeman · Jan 26, 2015 · ae87768 · ae87768
2 parents 61e92bf + 5c8a700
commit ae87768
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 7 deletions.
diff --git a/manifests/foreman_proxy.pp b/manifests/foreman_proxy.pp
@@ -1,13 +1,16 @@
 # Handles Foreman Proxy cert configuration
 class certs::foreman_proxy (
 
-  $hostname   = $::certs::node_fqdn,
-  $generate   = $::certs::generate,
-  $regenerate = $::certs::regenerate,
-  $deploy     = $::certs::deploy,
-  $proxy_cert = $::certs::params::foreman_proxy_cert,
-  $proxy_key  = $::certs::params::foreman_proxy_key,
-  $proxy_ca_cert = $::certs::params::foreman_proxy_ca_cert
+  $hostname            = $::certs::node_fqdn,
+  $generate            = $::certs::generate,
+  $regenerate          = $::certs::regenerate,
+  $deploy              = $::certs::deploy,
+  $proxy_cert          = $::certs::params::foreman_proxy_cert,
+  $proxy_key           = $::certs::params::foreman_proxy_key,
+  $proxy_ca_cert       = $::certs::params::foreman_proxy_ca_cert,
+  $foreman_ssl_cert    = $::certs::params::foreman_proxy_foreman_ssl_cert,
+  $foreman_ssl_key     = $::certs::params::foreman_proxy_foreman_ssl_key,
+  $foreman_ssl_ca_cert = $::certs::params::foreman_proxy_foreman_ssl_ca_cert
 
   ) inherits certs::params {
 
@@ -43,6 +46,25 @@
     }
   }
 
+  $foreman_proxy_client_cert_name = "${::certs::foreman_proxy::hostname}-foreman-proxy-client"
+
+  # cert for authentication of foreman_proxy against foreman
+  cert { $foreman_proxy_client_cert_name:
+    hostname      => $::certs::foreman_proxy::hostname,
+    purpose       => client,
+    country       => $::certs::country,
+    state         => $::certs::state,
+    city          => $::certs::sity,
+    org           => 'FOREMAN',
+    org_unit      => 'FOREMAN_PROXY',
+    expiration    => $::certs::expiration,
+    ca            => $::certs::default_ca,
+    generate      => $generate,
+    regenerate    => $regenerate,
+    deploy        => $deploy,
+    password_file => $certs::ca_key_password_file,
+  }
+
   if $deploy {
 
     Cert[$proxy_cert_name] ~>
@@ -66,5 +88,21 @@
     } ~>
     Service['foreman-proxy']
 
+    Cert[$foreman_proxy_client_cert_name] ~>
+    pubkey { $foreman_ssl_cert:
+      key_pair => Cert[$foreman_proxy_client_cert_name],
+    } ~>
+    privkey { $foreman_ssl_key:
+      key_pair => Cert[$foreman_proxy_client_cert_name],
+    } ->
+    pubkey { $foreman_ssl_ca_cert:
+      key_pair => $::certs::server_ca
+    } ~>
+    file { $foreman_ssl_key:
+      ensure => file,
+      owner  => 'foreman-proxy',
+      mode   => '0400',
+    }
+
   }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -57,6 +57,11 @@
   # for verifying the foreman client certs at the proxy side
   $foreman_proxy_ca_cert = '/etc/foreman-proxy/ssl_ca.pem'
 
+  $foreman_proxy_foreman_ssl_cert    = '/etc/foreman-proxy/foreman_ssl_cert.pem'
+  $foreman_proxy_foreman_ssl_key     = '/etc/foreman-proxy/foreman_ssl_key.pem'
+  # for verifying the foreman https
+  $foreman_proxy_foreman_ssl_ca_cert = '/etc/foreman-proxy/foreman_ssl_ca.pem'
+
   $puppet_client_cert = '/etc/puppet/client_cert.pem'
   $puppet_client_key  = '/etc/puppet/client_key.pem'
   # for verifying the foreman https