Fixes #6544 - creates the qpidd_group param & updates filenames for amqp truststore and keystores
root authored and Dustin Tsang committed Sep 23, 2014
1 parent d3dd35c commit e6faf88
Showing 12 changed files with 94 additions and 90 deletions.
1 change: 1 addition & 0 deletions Rakefile
Expand Up @@ -4,5 +4,6 @@ PuppetLint.configuration.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}
PuppetLint.configuration.fail_on_warnings = true
PuppetLint.configuration.send("disable_class_inherits_from_params_class")
PuppetLint.configuration.send("disable_80chars")
PuppetLint.configuration.send('disable_autoloader_layout')

task :default => [:lint]
22 changes: 11 additions & 11 deletions manifests/apache.pp
Expand Up @@ -13,14 +13,14 @@

if $::certs::server_cert {
cert { $apache_cert_name:
ensure => present,
hostname => $hostname,
generate => $generate,
deploy => $deploy,
regenerate => $regenerate,
custom_pubkey => $::certs::server_cert,
custom_privkey => $::certs::server_key,
custom_req => $::certs::server_cert_req,
ensure => present,
hostname => $hostname,
generate => $generate,
deploy => $deploy,
regenerate => $regenerate,
custom_pubkey => $::certs::server_cert,
custom_privkey => $::certs::server_key,
custom_req => $::certs::server_cert_req,
}
} else {
cert { $apache_cert_name:
Expand Down Expand Up @@ -51,9 +51,9 @@
notify => Service['httpd']
} ~>
privkey { $apache_key:
ensure => present,
key_pair => Cert[$apache_cert_name],
notify => Service['httpd']
ensure => present,
key_pair => Cert[$apache_cert_name],
notify => Service['httpd']
} ->
file { $apache_key:
owner => $::apache::user,
36 changes: 18 additions & 18 deletions manifests/candlepin.pp
Expand Up @@ -55,15 +55,15 @@
mode => '0440',
} ~>
exec { 'candlepin-generate-ssl-keystore':
command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${certs::ca_key_password_file}\" ",
creates => $keystore,
command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${certs::ca_key_password_file}\" ",
creates => $keystore,
} ~>
file { "/usr/share/${candlepin::tomcat}/conf/keystore":
ensure => link,
target => $keystore,
owner => 'tomcat',
group => $::certs::group,
notify => Service[$candlepin::tomcat]
ensure => link,
target => $keystore,
owner => 'tomcat',
group => $::certs::group,
notify => Service[$candlepin::tomcat]
}

Cert[$java_client_cert_name] ~>
Expand All @@ -86,26 +86,26 @@
mode => '0750',
} ~>
exec { 'create candlepin qpid exchange':
command => "qpid-config --ssl-certificate ${client_cert} --ssl-key ${client_key} -b 'amqps://${::fqdn}:5671' add exchange topic event --durable",
unless => "qpid-config --ssl-certificate ${client_cert} --ssl-key ${client_key} -b 'amqps://${::fqdn}:5671' exchanges event",
command => "qpid-config --ssl-certificate ${client_cert} --ssl-key ${client_key} -b 'amqps://${::fqdn}:5671' add exchange topic ${certs::candlepin_qpid_exchange} --durable",
unless => "qpid-config --ssl-certificate ${client_cert} --ssl-key ${client_key} -b 'amqps://${::fqdn}:5671' exchanges ${certs::candlepin_qpid_exchange}",
require => Service['qpidd'],
} ~>
exec { 'import CA into Candlepin truststore':
command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${certs::default_ca_name} -file ${ca_cert} -noprompt",
creates => $amqp_truststore,
command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${certs::default_ca_name} -file ${ca_cert} -noprompt",
creates => $amqp_truststore,
} ~>
exec { 'import client certificate into Candlepin keystore':
# Stupid keytool doesn't allow you to import a keypair. You can only import a cert. Hence, we have to
# create the store as an PKCS12 and convert to JKS. See http://stackoverflow.com/a/8224863
command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias ${certs::default_ca_name}",
command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias ${certs::default_ca_name}",
} ~>
file { $amqp_keystore:
ensure => file,
owner => 'tomcat',
group => $::certs::group,
mode => '0640',
notify => Service[$candlepin::tomcat],
ensure => file,
owner => 'tomcat',
group => $::certs::group,
mode => '0640',
notify => Service[$candlepin::tomcat],
}
}
}
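Review bot: `${certs::candlepin_qpid_exchange}` is spliced unquoted into both the `command` and the `unless` shell strings of the 'create candlepin qpid exchange' exec in the second hunk, so now that the name is a class parameter instead of the fixed literal 'event', a value containing whitespace or shell metacharacters changes the command line rather than the exchange name. At minimum quote it, `add exchange topic '${certs::candlepin_qpid_exchange}' --durable` and `exchanges '${certs::candlepin_qpid_exchange}'`, and preferably restrict the parameter to a safe character set before it reaches a shell. Two pre-existing points in the same hunk are worth a follow-up: the keystore conversion stages the client key bundle at the fixed path `/tmp/keystore.p12` in a world-writable directory, where a path inside the module-managed store directory (or a freshly created temp file) would be safer, and `-storepass ${keystore_password}` puts the store password in the process argument list. The enclosing class starts before this hunk.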
24 changes: 12 additions & 12 deletions manifests/config.pp
Expand Up @@ -2,24 +2,24 @@
class certs::config {

file { $certs::pki_dir:
ensure => directory,
owner => 'root',
group => $certs::group,
mode => '0755',
ensure => directory,
owner => 'root',
group => $certs::group,
mode => '0755',
}

file { "${certs::pki_dir}/certs":
ensure => directory,
owner => 'root',
group => $certs::group,
mode => '0755',
ensure => directory,
owner => 'root',
group => $certs::group,
mode => '0755',
}

file { "${certs::pki_dir}/private":
ensure => directory,
owner => 'root',
group => $certs::group,
mode => '0750',
ensure => directory,
owner => 'root',
group => $certs::group,
mode => '0750',
}

}
6 changes: 3 additions & 3 deletions manifests/foreman.pp
Expand Up @@ -43,9 +43,9 @@
key_pair => $::certs::server_ca
} ~>
file { $client_key:
ensure => file,
owner => 'foreman',
mode => '0400',
ensure => file,
owner => 'foreman',
mode => '0400',
}

$foreman_config_cmd = "${::foreman::app_root}/script/foreman-config\
24 changes: 12 additions & 12 deletions manifests/foreman_proxy.pp
Expand Up @@ -15,14 +15,14 @@

if $::certs::server_cert {
cert { $proxy_cert_name:
ensure => present,
hostname => $::certs::foreman_proxy::hostname,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
custom_pubkey => $::certs::server_cert,
custom_privkey => $::certs::server_key,
custom_req => $::certs::server_cert_req,
ensure => present,
hostname => $::certs::foreman_proxy::hostname,
generate => $generate,
regenerate => $regenerate,
deploy => $deploy,
custom_pubkey => $::certs::server_cert,
custom_privkey => $::certs::server_key,
custom_req => $::certs::server_cert_req,
}
} else {
# cert for ssl of foreman-proxy
Expand Down Expand Up @@ -59,10 +59,10 @@
notify => Service['foreman-proxy'],
} ~>
file { $proxy_key:
ensure => file,
owner => 'foreman-proxy',
group => $certs::group,
mode => '0400'
ensure => file,
owner => 'foreman-proxy',
group => $certs::group,
mode => '0400'
} ~>
Service['foreman-proxy']

22 changes: 11 additions & 11 deletions manifests/init.pp
Expand Up @@ -179,17 +179,17 @@

Ca[$default_ca_name] ~>
pubkey { $ca_cert:
key_pair => $default_ca
key_pair => $default_ca
} ~>
pubkey { $ca_cert_stripped:
strip => true,
key_pair => $default_ca
strip => true,
key_pair => $default_ca
} ~>
file { $ca_cert:
ensure => file,
owner => 'root',
group => $certs::group,
mode => '0644',
ensure => file,
owner => 'root',
group => $certs::group,
mode => '0644',
}

if $generate {
Expand All @@ -200,10 +200,10 @@
password_file => $ca_key_password_file
} ~>
file { $ca_key:
ensure => file,
owner => 'root',
group => $certs::group,
mode => '0440',
ensure => file,
owner => 'root',
group => $certs::group,
mode => '0440',
}
}
}
7 changes: 5 additions & 2 deletions manifests/params.pp
Expand Up @@ -68,8 +68,9 @@
$candlepin_ca_cert = "${candlepin_certs_dir}/candlepin-ca.crt"
$candlepin_ca_key = "${candlepin_certs_dir}/candlepin-ca.key"
$candlepin_amqp_store_dir = "${candlepin_certs_dir}/amqp"
$candlepin_amqp_truststore = "${candlepin_amqp_store_dir}/truststore"
$candlepin_amqp_keystore = "${candlepin_amqp_store_dir}/keystore"
$candlepin_amqp_truststore = "${candlepin_amqp_store_dir}/candlepin.truststore"
$candlepin_amqp_keystore = "${candlepin_amqp_store_dir}/candlepin.jks"
$candlepin_qpid_exchange = 'event'

$certs_tar = undef
# Settings for uploading packages to Katello
Expand All @@ -86,4 +87,6 @@
# Pulp expects the node certificate to be located on this very location
$nodes_cert_dir = '/etc/pki/pulp/nodes'
$nodes_cert_name = 'node.crt'

$qpidd_group = 'qpidd'
}
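Review bot: Renaming the store paths to `candlepin.truststore` and `candlepin.jks` in the first hunk leaves the previous `truststore` and `keystore` files in `${candlepin_amqp_store_dir}` unmanaged on hosts that already ran the old module, and because candlepin.pp guards the imports with `creates` on the new paths, fresh stores are generated alongside the old ones, leaving a second copy of the client key material on disk. Consider adding `file { "${candlepin_amqp_store_dir}/truststore": ensure => absent }` and the same for `keystore`, or at least documenting the manual cleanup in the commit message. Style: `$qpidd_group = 'qpidd'` in the second hunk is appended after a stray blank line at the end of the class; grouping it with the other qpid-related defaults would read better. The params class starts outside these hunks.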
6 changes: 3 additions & 3 deletions manifests/pulp_child.pp
Expand Up @@ -51,9 +51,9 @@
key_pair => Cert["${::certs::pulp_child::hostname}-qpid-client-cert"],
} ~>
file { $pulp::messaging_client_cert:
owner => 'apache',
group => 'apache',
mode => '0640',
owner => 'apache',
group => 'apache',
mode => '0640',
}

}
6 changes: 3 additions & 3 deletions manifests/pulp_parent.pp
Expand Up @@ -68,9 +68,9 @@
key_pair => Cert["${::certs::pulp_parent::hostname}-qpid-client-cert"],
} ~>
file { $messaging_client_cert:
owner => 'apache',
group => 'apache',
mode => '0640',
owner => 'apache',
group => 'apache',
mode => '0640',
} -> Class['pulp::config']

}
6 changes: 3 additions & 3 deletions manifests/puppet.pp
Expand Up @@ -44,9 +44,9 @@
key_pair => $::certs::server_ca
} ~>
file { $client_key:
ensure => file,
owner => 'puppet',
mode => '0400',
ensure => file,
owner => 'puppet',
mode => '0400',
}

}
24 changes: 12 additions & 12 deletions manifests/qpid.pp
Expand Up @@ -44,15 +44,15 @@
key_pair => Cert["${::certs::qpid::hostname}-qpid-broker"]
} ~>
file { $client_key:
ensure => file,
owner => 'root',
group => 'apache',
mode => '0440',
ensure => file,
owner => 'root',
group => 'apache',
mode => '0440',
} ~>
file { $::certs::nss_db_dir:
ensure => directory,
owner => 'root',
group => 'qpidd',
group => $certs::qpidd_group,
mode => '0755',
} ~>
exec { 'generate-nss-password':
Expand All @@ -61,10 +61,10 @@
creates => $nss_db_password_file
} ->
file { $nss_db_password_file:
ensure => file,
owner => 'root',
group => 'qpidd',
mode => '0640',
ensure => file,
owner => 'root',
group => $certs::qpidd_group,
mode => '0640',
} ~>
exec { 'create-nss-db':
command => "certutil -N -d '${::certs::nss_db_dir}' -f '${nss_db_password_file}'",
Expand All @@ -77,9 +77,9 @@
refreshonly => true,
} ~>
file { $nssdb_files:
owner => 'root',
group => 'qpidd',
mode => '0640',
owner => 'root',
group => $certs::qpidd_group,
mode => '0640',
} ~>
exec { 'add-broker-cert-to-nss-db':
command => "certutil -A -d '${::certs::nss_db_dir}' -n 'broker' -t ',,' -a -i '${client_cert}'",
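Review bot: The first hunk still hard-codes `group => 'apache'` on `file { $client_key: ... }` while the three `'qpidd'` literals below it become `$certs::qpidd_group`; if the intent is to stop assuming distribution group names, the apache group needs the same treatment, which would mean a new params.pp entry since no such parameter is visible on this page. Style: the new references use `$certs::qpidd_group` while the same resources refer to `$::certs::nss_db_dir`, so one qualification form should be chosen for the file. The enclosing class starts before and continues after these hunks.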
