From e6faf88d21a562682533f259266834be768012c0 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 15 Sep 2014 04:35:19 -0400
Subject: [PATCH] Fixes #6544 - creates the qpidd_group param & updates filenames for amqp trustore and keystores
---
 Rakefile | 1 +
 manifests/apache.pp | 22 +++++++++++-----------
 manifests/candlepin.pp | 36 ++++++++++++++++++------------------
 manifests/config.pp | 24 ++++++++++++------------
 manifests/foreman.pp | 6 +++---
 manifests/foreman_proxy.pp | 24 ++++++++++++------------
 manifests/init.pp | 22 +++++++++++-----------
 manifests/params.pp | 7 +++++--
 manifests/pulp_child.pp | 6 +++---
 manifests/pulp_parent.pp | 6 +++---
 manifests/puppet.pp | 6 +++---
 manifests/qpid.pp | 24 ++++++++++++------------
 12 files changed, 94 insertions(+), 90 deletions(-)
diff --git a/Rakefile b/Rakefile
index 2b0c8381..12b3752e 100644
--- a/Rakefile
+++ b/Rakefile
@@ -4,5 +4,6 @@
 PuppetLint.configuration.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}
 PuppetLint.configuration.fail_on_warnings = true
 PuppetLint.configuration.send("disable_class_inherits_from_params_class")
 PuppetLint.configuration.send("disable_80chars")
+PuppetLint.configuration.send('disable_autoloader_layout')
 task :default => [:lint]
diff --git a/manifests/apache.pp b/manifests/apache.pp
index a6deb9f9..a6a5ba14 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -13,14 +13,14 @@
 if $::certs::server_cert {
 cert { $apache_cert_name:
- ensure => present,
- hostname => $hostname,
- generate => $generate,
- deploy => $deploy,
- regenerate => $regenerate,
- custom_pubkey => $::certs::server_cert,
- custom_privkey => $::certs::server_key,
- custom_req => $::certs::server_cert_req,
+ ensure => present,
+ hostname => $hostname,
+ generate => $generate,
+ deploy => $deploy,
+ regenerate => $regenerate,
+ custom_pubkey => $::certs::server_cert,
+ custom_privkey => $::certs::server_key,
+ custom_req => $::certs::server_cert_req,
 }
 } else {
 cert { $apache_cert_name:
@@ -51,9 +51,9 @@
 notify => Service['httpd']
 } ~>
 privkey { $apache_key:
- ensure => present,
- key_pair => Cert[$apache_cert_name],
- notify => Service['httpd']
+ ensure => present,
+ key_pair => Cert[$apache_cert_name],
+ notify => Service['httpd']
 } ->
 file { $apache_key:
 owner => $::apache::user,
diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
index 22905a11..3ee196ec 100644
--- a/manifests/candlepin.pp
+++ b/manifests/candlepin.pp
@@ -55,15 +55,15 @@
 mode => '0440',
 } ~>
 exec { 'candlepin-generate-ssl-keystore':
- command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${certs::ca_key_password_file}\" ",
- creates => $keystore,
+ command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${certs::ca_key_password_file}\" ",
+ creates => $keystore,
 } ~>
 file { "/usr/share/${candlepin::tomcat}/conf/keystore":
- ensure => link,
- target => $keystore,
- owner => 'tomcat',
- group => $::certs::group,
- notify => Service[$candlepin::tomcat]
+ ensure => link,
+ target => $keystore,
+ owner => 'tomcat',
+ group => $::certs::group,
+ notify => Service[$candlepin::tomcat]
 }
 Cert[$java_client_cert_name] ~>
@@ -86,26 +86,26 @@
 mode => '0750',
 } ~>
 exec { 'create candlepin qpid exchange':
- command => "qpid-config --ssl-certificate ${client_cert} --ssl-key ${client_key} -b 'amqps://${::fqdn}:5671' add exchange topic event --durable",
- unless => "qpid-config --ssl-certificate ${client_cert} --ssl-key ${client_key} -b 'amqps://${::fqdn}:5671' exchanges event",
+ command => "qpid-config --ssl-certificate ${client_cert} --ssl-key ${client_key} -b 'amqps://${::fqdn}:5671' add exchange topic ${certs::candlepin_qpid_exchange} --durable",
+ unless => "qpid-config --ssl-certificate ${client_cert} --ssl-key ${client_key} -b 'amqps://${::fqdn}:5671' exchanges ${certs::candlepin_qpid_exchange}",
 require => Service['qpidd'],
 } ~>
 exec { 'import CA into Candlepin truststore':
- command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${certs::default_ca_name} -file ${ca_cert} -noprompt",
- creates => $amqp_truststore,
+ command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${certs::default_ca_name} -file ${ca_cert} -noprompt",
+ creates => $amqp_truststore,
 } ~>
 exec { 'import client certificate into Candlepin keystore':
 # Stupid keytool doesn't allow you to import a keypair. You can only import a cert. Hence, we have to
 # create the store as an PKCS12 and convert to JKS. See http://stackoverflow.com/a/8224863
- command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
- unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias ${certs::default_ca_name}",
+ command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12",
+ unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias ${certs::default_ca_name}",
 } ~>
 file { $amqp_keystore:
- ensure => file,
- owner => 'tomcat',
- group => $::certs::group,
- mode => '0640',
- notify => Service[$candlepin::tomcat],
+ ensure => file,
+ owner => 'tomcat',
+ group => $::certs::group,
+ mode => '0640',
+ notify => Service[$candlepin::tomcat],
 }
 }
 }
diff --git a/manifests/config.pp b/manifests/config.pp
index 7025bc47..d0f43083 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
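Review bot: The `unless` on 'import client certificate into Candlepin keystore' lists alias `${certs::default_ca_name}`, while the command it guards imports alias `amqp-client`, so the guard never looks for the entry the command creates and the import presumably re-runs on every agent run; `unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias amqp-client",` tests the right entry. The same command stages the client key pair at the fixed path `/tmp/keystore.p12` and deletes it only when every step of the `&&` chain succeeds, so a failing keytool step leaves a PKCS12 holding the private key behind in a shared directory; staging it beside `${amqp_keystore}` in the amqp store directory and removing it in a step that runs regardless of the outcome would contain that. `-storepass ${keystore_password}` and `-srcstorepass ${keystore_password}` also put the store password on the command line, where it is visible to other local users and in Puppet's failure output, whereas keytool's `-storepass:file` form would read the same secret that openssl already takes via `-passout file:`. The resource chain these execs belong to begins before the hunk.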
@@ -2,24 +2,24 @@
 class certs::config {
 file { $certs::pki_dir:
- ensure => directory,
- owner => 'root',
- group => $certs::group,
- mode => '0755',
+ ensure => directory,
+ owner => 'root',
+ group => $certs::group,
+ mode => '0755',
 }
 file { "${certs::pki_dir}/certs":
- ensure => directory,
- owner => 'root',
- group => $certs::group,
- mode => '0755',
+ ensure => directory,
+ owner => 'root',
+ group => $certs::group,
+ mode => '0755',
 }
 file { "${certs::pki_dir}/private":
- ensure => directory,
- owner => 'root',
- group => $certs::group,
- mode => '0750',
+ ensure => directory,
+ owner => 'root',
+ group => $certs::group,
+ mode => '0750',
 }
 }
diff --git a/manifests/foreman.pp b/manifests/foreman.pp
index 13e76a1b..b893786e 100644
--- a/manifests/foreman.pp
+++ b/manifests/foreman.pp
@@ -43,9 +43,9 @@
 key_pair => $::certs::server_ca
 } ~>
 file { $client_key:
- ensure => file,
- owner => 'foreman',
- mode => '0400',
+ ensure => file,
+ owner => 'foreman',
+ mode => '0400',
 }
 $foreman_config_cmd = "${::foreman::app_root}/script/foreman-config\
diff --git a/manifests/foreman_proxy.pp b/manifests/foreman_proxy.pp
index 9e68e67e..15e33f47 100644
--- a/manifests/foreman_proxy.pp
+++ b/manifests/foreman_proxy.pp
@@ -15,14 +15,14 @@
 if $::certs::server_cert {
 cert { $proxy_cert_name:
- ensure => present,
- hostname => $::certs::foreman_proxy::hostname,
- generate => $generate,
- regenerate => $regenerate,
- deploy => $deploy,
- custom_pubkey => $::certs::server_cert,
- custom_privkey => $::certs::server_key,
- custom_req => $::certs::server_cert_req,
+ ensure => present,
+ hostname => $::certs::foreman_proxy::hostname,
+ generate => $generate,
+ regenerate => $regenerate,
+ deploy => $deploy,
+ custom_pubkey => $::certs::server_cert,
+ custom_privkey => $::certs::server_key,
+ custom_req => $::certs::server_cert_req,
 }
 } else {
 # cert for ssl of foreman-proxy
@@ -59,10 +59,10 @@
 notify => Service['foreman-proxy'],
 } ~>
 file { $proxy_key:
- ensure => file,
- owner => 'foreman-proxy',
- group => $certs::group,
- mode => '0400'
+ ensure => file,
+ owner => 'foreman-proxy',
+ group => $certs::group,
+ mode => '0400'
 } ~>
 Service['foreman-proxy']
diff --git a/manifests/init.pp b/manifests/init.pp
index df05ed39..9312364b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -179,17 +179,17 @@
 Ca[$default_ca_name] ~>
 pubkey { $ca_cert:
- key_pair => $default_ca
+ key_pair => $default_ca
 } ~>
 pubkey { $ca_cert_stripped:
- strip => true,
- key_pair => $default_ca
+ strip => true,
+ key_pair => $default_ca
 } ~>
 file { $ca_cert:
- ensure => file,
- owner => 'root',
- group => $certs::group,
- mode => '0644',
+ ensure => file,
+ owner => 'root',
+ group => $certs::group,
+ mode => '0644',
 }
 if $generate {
@@ -200,10 +200,10 @@
 password_file => $ca_key_password_file
 } ~>
 file { $ca_key:
- ensure => file,
- owner => 'root',
- group => $certs::group,
- mode => '0440',
+ ensure => file,
+ owner => 'root',
+ group => $certs::group,
+ mode => '0440',
 }
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 3f857d06..bea542b2 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -68,8 +68,9 @@
 $candlepin_ca_cert = "${candlepin_certs_dir}/candlepin-ca.crt"
 $candlepin_ca_key = "${candlepin_certs_dir}/candlepin-ca.key"
 $candlepin_amqp_store_dir = "${candlepin_certs_dir}/amqp"
- $candlepin_amqp_truststore = "${candlepin_amqp_store_dir}/truststore"
- $candlepin_amqp_keystore = "${candlepin_amqp_store_dir}/keystore"
+ $candlepin_amqp_truststore = "${candlepin_amqp_store_dir}/candlepin.truststore"
+ $candlepin_amqp_keystore = "${candlepin_amqp_store_dir}/candlepin.jks"
+ $candlepin_qpid_exchange = 'event'
 $certs_tar = undef
 # Settings for uploading packages to Katello
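Review bot: Renaming the store paths to `candlepin.truststore` and `candlepin.jks` does nothing about the old `truststore` and `keystore` files that an already-provisioned host has in `${candlepin_amqp_store_dir}`; the candlepin.pp execs are guarded by `creates =>`/`unless =>` on the new paths, so they will build fresh stores while the stale ones, holding the same CA and client key material, stay on disk. A `file { ...: ensure => absent }` for the two old paths, or a sentence in the commit describing how they are migrated, would close that. `$candlepin_qpid_exchange` is interpolated unquoted into a shell command in candlepin.pp, so if class certs exposes it as a parameter it should be documented and kept to a plain identifier; a comment such as `# Name of the durable qpid topic exchange created for Candlepin` would also explain the new value, since nothing in the hunk does. The enclosing class certs::params continues outside the hunk.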
@@ -86,4 +87,6 @@
 # Pulp expects the node certificate to be located on this very location
 $nodes_cert_dir = '/etc/pki/pulp/nodes'
 $nodes_cert_name = 'node.crt'
+
+ $qpidd_group = 'qpidd'
 }
diff --git a/manifests/pulp_child.pp b/manifests/pulp_child.pp
index 6607f7ea..e802756f 100644
--- a/manifests/pulp_child.pp
+++ b/manifests/pulp_child.pp
@@ -51,9 +51,9 @@
 key_pair => Cert["${::certs::pulp_child::hostname}-qpid-client-cert"],
 } ~>
 file { $pulp::messaging_client_cert:
- owner => 'apache',
- group => 'apache',
- mode => '0640',
+ owner => 'apache',
+ group => 'apache',
+ mode => '0640',
 }
 }
diff --git a/manifests/pulp_parent.pp b/manifests/pulp_parent.pp
index 34d1cee5..75d56fef 100644
--- a/manifests/pulp_parent.pp
+++ b/manifests/pulp_parent.pp
@@ -68,9 +68,9 @@
 key_pair => Cert["${::certs::pulp_parent::hostname}-qpid-client-cert"],
 } ~>
 file { $messaging_client_cert:
- owner => 'apache',
- group => 'apache',
- mode => '0640',
+ owner => 'apache',
+ group => 'apache',
+ mode => '0640',
 } ->
 Class['pulp::config']
 }
diff --git a/manifests/puppet.pp b/manifests/puppet.pp
index b617aea2..8b6ec857 100644
--- a/manifests/puppet.pp
+++ b/manifests/puppet.pp
@@ -44,9 +44,9 @@
 key_pair => $::certs::server_ca
 } ~>
 file { $client_key:
- ensure => file,
- owner => 'puppet',
- mode => '0400',
+ ensure => file,
+ owner => 'puppet',
+ mode => '0400',
 }
 }
diff --git a/manifests/qpid.pp b/manifests/qpid.pp
index 7282d8c4..933649f0 100644
--- a/manifests/qpid.pp
+++ b/manifests/qpid.pp
@@ -44,15 +44,15 @@
 key_pair => Cert["${::certs::qpid::hostname}-qpid-broker"]
 } ~>
 file { $client_key:
- ensure => file,
- owner => 'root',
- group => 'apache',
- mode => '0440',
+ ensure => file,
+ owner => 'root',
+ group => 'apache',
+ mode => '0440',
 } ~>
 file { $::certs::nss_db_dir:
 ensure => directory,
 owner => 'root',
- group => 'qpidd',
+ group => $certs::qpidd_group,
 mode => '0755',
 } ~>
 exec { 'generate-nss-password':
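Review bot: `$qpidd_group = 'qpidd'` is added without any comment, and its consumers in qpid.pp read it as `$certs::qpidd_group`, so it must also be surfaced by class certs, presumably through inheritance from certs::params; if it is not, the three `group =>` attributes in qpid.pp resolve to undef instead of failing loudly. A one-line comment such as `# Group that owns the qpidd NSS database directory, its password file and the files inside it` states what the value controls. The enclosing class continues outside the hunk.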
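Review bot: `file { $client_key:` still carries `group => 'apache'` as a literal in the same hunk that replaces `'qpidd'` with `$certs::qpidd_group` on `$::certs::nss_db_dir`, so the broker key's readership stays hard-coded while the NSS database's becomes a parameter. If the apache group can vary per platform the way the qpidd one evidently can, a matching parameter (the module already uses `$::certs::group` elsewhere) keeps the two consistent; otherwise a comment on the file resource saying why 'apache' is fixed, e.g. `# 0440 root:apache: presumably so that httpd can read the broker key — confirm`, records the intent for a private-key file. The resource chain continues before and after the hunk.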
@@ -61,10 +61,10 @@
 creates => $nss_db_password_file
 } ->
 file { $nss_db_password_file:
- ensure => file,
- owner => 'root',
- group => 'qpidd',
- mode => '0640',
+ ensure => file,
+ owner => 'root',
+ group => $certs::qpidd_group,
+ mode => '0640',
 } ~>
 exec { 'create-nss-db':
 command => "certutil -N -d '${::certs::nss_db_dir}' -f '${nss_db_password_file}'",
@@ -77,9 +77,9 @@
 refreshonly => true,
 } ~>
 file { $nssdb_files:
- owner => 'root',
- group => 'qpidd',
- mode => '0640',
+ owner => 'root',
+ group => $certs::qpidd_group,
+ mode => '0640',
 } ~>
 exec { 'add-broker-cert-to-nss-db':
 command => "certutil -A -d '${::certs::nss_db_dir}' -n 'broker' -t ',,' -a -i '${client_cert}'",