Refs #29715: Add mongodb server and client certs
ehelms committed May 12, 2020
1 parent d7d6ac9 commit e798cdb
Showing 3 changed files with 153 additions and 0 deletions.
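--- a/manifests/mongodb.pp
+++ b/manifests/mongodb.pp
@@ -0,0 +1,98 @@
+# Certs configurations for MongoDB
+class certs::mongodb (
+$hostname = $certs::node_fqdn,
+$cname = $certs::cname,
+$generate = $certs::generate,
+$regenerate = $certs::regenerate,
+$deploy = $certs::deploy,
+$pki_dir = $certs::pki_dir,
+$server_cert = $certs::server_cert,
+$country = $certs::country,
+$state = $certs::state,
+$city = $certs::city,
+$org = $certs::org,
+$org_unit = $certs::org_unit,
+$expiration = $certs::expiration,
+$default_ca = $certs::default_ca,
+$ca_key_password_file = $certs::ca_key_password_file,
+$group = $certs::group,
+) inherits certs {
+
+$mongodb_server_cert_name = 'mongodb-server-certificate'
+$mongodb_server_bundle = "${pki_dir}/mongodb/${mongodb_server_cert_name}-bundle.pem"
+$mongodb_server_ca_cert = $certs::katello_server_ca_cert
+
+$mongodb_client_cert_name = 'mongodb-client-certificate'
+$mongodb_client_cert = "/etc/pulp/${mongodb_client_cert_name}.crt"
+$mongodb_client_key = "/etc/pulp/${mongodb_client_cert_name}.key"
+$mongodb_client_ca_cert = $certs::katello_server_ca_cert
+
+cert { $mongodb_server_cert_name:
+ensure => present,
+hostname => $hostname,
+cname => $cname,
+country => $country,
+state => $state,
+city => $city,
+org => $org,
+org_unit => $org_unit,
+expiration => $expiration,
+ca => $default_ca,
+generate => $generate,
+regenerate => $regenerate,
+deploy => $deploy,
+password_file => $ca_key_password_file,
+}
+
+cert { $mongodb_client_cert_name:
+ensure => present,
+hostname => $hostname,
+cname => $cname,
+purpose => 'client',
+country => $country,
+state => $state,
+city => $city,
+org => $org,
+org_unit => $org_unit,
+expiration => $expiration,
+ca => $default_ca,
+generate => $generate,
+regenerate => $regenerate,
+deploy => $deploy,
+password_file => $ca_key_password_file,
+}
+
+if $deploy {
+file { "${pki_dir}/mongodb":
+ensure => directory,
+mode => '0750',
+owner => 'mongodb',
+group => 'mongodb',
+}
+
+key_bundle { $mongodb_server_bundle:
+key_pair => Cert[$mongodb_server_cert_name],
+force_rsa => true,
+} ~>
+file { $mongodb_server_bundle:
+ensure => file,
+mode => '0440',
+owner => 'mongodb',
+group => 'mongodb',
+}
+
+certs::keypair { 'mongodb_client':
+key_pair => Cert[$mongodb_client_cert_name],
+key_file => $mongodb_client_key,
+manage_key => true,
+key_owner => 'root',
+key_group => 'pulp',
+key_mode => '0440',
+manage_cert => true,
+cert_owner => 'root',
+cert_group => 'pulp',
+cert_mode => '0440',
+cert_file => $mongodb_client_cert,
+}
+}
+}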
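Review bot: `$mongodb_server_ca_cert` (line 39) and `$mongodb_client_ca_cert` (line 44) both point at `$certs::katello_server_ca_cert`, but no resource in this class deploys that file or makes it readable by the `mongodb` user or the `pulp` group, so certificate verification on either side of the MongoDB connection depends on something outside this class; if that is intentional, the class header should say so. The class also carries no puppet-strings documentation — a header along the lines of `# @summary Generates the MongoDB server certificate bundle and the Pulp-side client certificate/key` with one `# @param` line per parameter (e.g. `# @param hostname FQDN used as the certificate CN`) would tell consumers what `$deploy` and `$regenerate` control. Note too that `File[$mongodb_server_bundle]` notifies nothing, so a regenerated server bundle will not be picked up by mongod unless a caller subscribes to that resource.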
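--- a/spec/acceptance/mongodb_spec.rb
+++ b/spec/acceptance/mongodb_spec.rb
@@ -0,0 +1,44 @@
+require 'spec_helper_acceptance'
+
+describe 'certs::mongodb' do
+context 'with default parameters' do
+let(:pp) do
+'include certs::mongodb'
+end
+
+it_behaves_like 'a idempotent resource'
+
+describe x509_private_key('/etc/pki/katello/mongodb/mongodb-server-certificate-bundle.pem') do
+it { should_not be_encrypted }
+it { should be_certificate }
+it { should be_valid }
+it { should have_purpose 'server' }
+include_examples 'certificate issuer', "C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}"
+include_examples 'certificate subject', "C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}"
+its(:keylength) { should be >= 2048 }
+end
+
+describe x509_certificate('/etc/pulp/mongodb-client-certificate.crt') do
+it { should be_certificate }
+it { should be_valid }
+it { should have_purpose 'server' }
+include_examples 'certificate issuer', "C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}"
+include_examples 'certificate subject', "C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}"
+its(:keylength) { should be >= 2048 }
+end
+
+describe x509_private_key('/etc/pulp/mongodb-client-certificate.key') do
+it { should_not be_encrypted }
+it { should be_valid }
+it { should have_matching_certificate('/etc/pulp/mongodb-client-certificate.crt') }
+end
+
+describe package("mongodb-server-certificate") do
+it { should be_installed }
+end
+
+describe package("mongodb-client-certificate") do
+it { should be_installed }
+end
+end
+end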
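Review bot: Line 141 asserts `have_purpose 'server'` on the client certificate although the manifest requests it with `purpose => 'client'`, so the spec never verifies the client EKU and a regression that drops it would still pass; change it to `it { should have_purpose 'client' }` (keeping the server check only if the cert is meant to carry both purposes). Line 128 also wraps the server bundle in `x509_private_key` and then applies certificate matchers (`be_certificate`, `have_purpose`, issuer/subject); describing the same path with `x509_certificate` for those assertions, and adding a `have_matching_certificate` check under the private-key block if the matcher accepts a bundle path, would make the key/cert pairing explicit the way the client block already does at line 150.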
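--- a/spec/classes/certs_mongodb_spec.rb
+++ b/spec/classes/certs_mongodb_spec.rb
@@ -0,0 +1,11 @@
+require 'spec_helper'
+
+describe 'certs::mongodb' do
+let :facts do
+on_supported_os['redhat-7-x86_64']
+end
+
+describe 'with default parameters' do
+it { should compile.with_all_deps }
+end
+end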
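Review bot: The unit spec only asserts that the catalog compiles, so none of the security-relevant settings in the manifest (directory mode `0750` owned `mongodb:mongodb`, key and cert modes `0440` with group `pulp`) are pinned, and a permissions regression would pass this test. Adding `contain_file` expectations such as `it { is_expected.to contain_file('/etc/pki/katello/mongodb').with(mode: '0750', owner: 'mongodb', group: 'mongodb') }` and a matching one for `/etc/pulp/mongodb-client-certificate.key` would cover them cheaply without needing the acceptance environment.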
