From 98bd7b381f94c73a72e4bb093214d2a2cc423e79 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Thu, 29 Dec 2016 15:38:51 +0100
Subject: [PATCH 1/2] refs #15931 - allow passing the cname parameter to all cert classes

this enables Kafo to set the subjectAltName of the certificates via --certs-node-cname. The option can be given multiple times to add multple cnames.
---
 manifests/apache.pp | 3 +++
 manifests/candlepin.pp | 2 ++
 manifests/foreman.pp | 2 ++
 manifests/foreman_proxy.pp | 4 ++++
 manifests/init.pp | 5 +++++
 manifests/params.pp | 1 +
 manifests/pulp_client.pp | 2 ++
 manifests/puppet.pp | 2 ++
 manifests/qpid.pp | 3 ++-
 manifests/qpid_client.pp | 2 ++
 manifests/qpid_router.pp | 3 +++
 11 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/manifests/apache.pp b/manifests/apache.pp
index 7e9b7ff5..919e74f9 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -2,6 +2,7 @@
 class certs::apache (
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -15,6 +16,7 @@
 cert { $apache_cert_name:
 ensure => present,
 hostname => $hostname,
+ cname => $cname,
 generate => $generate,
 deploy => $deploy,
 regenerate => $regenerate,
@@ -26,6 +28,7 @@
 cert { $apache_cert_name:
 ensure => present,
 hostname => $hostname,
+ cname => $cname,
 country => $::certs::country,
 state => $::certs::state,
 city => $::certs::city,
diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
index db3ae517..2a55bb40 100644
--- a/manifests/candlepin.pp
+++ b/manifests/candlepin.pp
@@ -2,6 +2,7 @@
 class certs::candlepin (
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -26,6 +27,7 @@
 cert { $java_client_cert_name:
 ensure => present,
 hostname => $hostname,
+ cname => $cname,
 country => $::certs::country,
 state => $::certs::state,
 city => $::certs::city,
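Review bot: Nothing in either apache.pp hunk ties a change of `$cname` to reissuing an already-generated certificate; `regenerate => $regenerate` on the first `cert { $apache_cert_name:` resource remains the only visible trigger, so on an existing install adding `--certs-node-cname` would leave the deployed certificate without the new subjectAltName unless the `cert` type itself (not shown here) detects the changed SAN list. If that is how the type behaves, it is worth saying so in the commit message or in the `$cname` documentation, e.g. `# Changing $cname on an existing deployment requires regenerate => true to reissue the certificates`. The `certs::apache` and `certs::candlepin` class bodies continue outside these hunks.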
diff --git a/manifests/foreman.pp b/manifests/foreman.pp
index f6b2e9d5..f2387f77 100644
--- a/manifests/foreman.pp
+++ b/manifests/foreman.pp
@@ -2,6 +2,7 @@
 class certs::foreman (
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -16,6 +17,7 @@
 # cert for authentication of puppetmaster against foreman
 cert { $client_cert_name:
 hostname => $::certs::foreman::hostname,
+ cname => $::certs::foreman::cname,
 purpose => client,
 country => $::certs::country,
 state => $::certs::state,
diff --git a/manifests/foreman_proxy.pp b/manifests/foreman_proxy.pp
index 19f2b2e2..a5b9ed28 100644
--- a/manifests/foreman_proxy.pp
+++ b/manifests/foreman_proxy.pp
@@ -2,6 +2,7 @@
 class certs::foreman_proxy (
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -22,6 +23,7 @@
 cert { $proxy_cert_name:
 ensure => present,
 hostname => $::certs::foreman_proxy::hostname,
+ cname => $::certs::foreman_proxy::cname,
 generate => $generate,
 regenerate => $regenerate,
 deploy => $deploy,
@@ -33,6 +35,7 @@
 # cert for ssl of foreman-proxy
 cert { $proxy_cert_name:
 hostname => $::certs::foreman_proxy::hostname,
+ cname => $::certs::foreman_proxy::cname,
 purpose => server,
 country => $::certs::country,
 state => $::certs::state,
@@ -51,6 +54,7 @@
 # cert for authentication of foreman_proxy against foreman
 cert { $foreman_proxy_client_cert_name:
 hostname => $::certs::foreman_proxy::hostname,
+ cname => $::certs::foreman_proxy::cname,
 purpose => client,
 country => $::certs::country,
 state => $::certs::state,
diff --git a/manifests/init.pp b/manifests/init.pp
index 15cf67a4..9b28d044 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
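Review bot: The subjectAltName list is also added to the `purpose => client` certificates (`$client_cert_name` in foreman.pp, `$foreman_proxy_client_cert_name` in the last foreman_proxy.pp hunk), which exist only to authenticate one service to another and gain nothing from DNS names. Whether `purpose => client` restricts the extended key usage to clientAuth is decided inside the `cert` type, which is not visible here; if it does not, each of these client keypairs becomes a valid server certificate for every name in `$cname`, widening the blast radius of a leaked client key. Either confirm the EKU restriction or drop the `cname => $::certs::foreman::cname,` / `cname => $::certs::foreman_proxy::cname,` lines from the client-purpose resources and keep them on the `purpose => server` one. The enclosing class bodies continue outside these hunks.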
@@ -10,6 +10,10 @@
 # should be for
 # type:String
 #
+# $cname:: The alternative names of the host the generated certificates
+# should be for
+# type:array
+#
 # $server_ca_cert:: Path to the CA that issued the ssl certificates for https
 # if not specified, the default CA will be used
 # type:Optional[Stdlib::Absolutepath]
@@ -92,6 +96,7 @@
 $log_dir = $certs::params::log_dir,
 $node_fqdn = $certs::params::node_fqdn,
+ $cname = $certs::params::cname,
 $generate = $certs::params::generate,
 $regenerate = $certs::params::regenerate,
 $regenerate_ca = $certs::params::regenerate_ca,
diff --git a/manifests/params.pp b/manifests/params.pp
index ffacdcb1..3a35c965 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -8,6 +8,7 @@
 $ssl_build_dir = '/root/ssl-build'
 $node_fqdn = $::fqdn
+ $cname = []
 $custom_repo = false
diff --git a/manifests/pulp_client.pp b/manifests/pulp_client.pp
index 63fa8dd3..a3af8653 100644
--- a/manifests/pulp_client.pp
+++ b/manifests/pulp_client.pp
@@ -1,6 +1,7 @@
 # Pulp Client Certs
 class certs::pulp_client (
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -14,6 +15,7 @@
 cert { $client_cert_name:
 hostname => $hostname,
+ cname => $cname,
 common_name => $common_name,
 purpose => client,
 country => $::certs::country,
diff --git a/manifests/puppet.pp b/manifests/puppet.pp
index 3181a59e..d6abe92f 100644
--- a/manifests/puppet.pp
+++ b/manifests/puppet.pp
@@ -2,6 +2,7 @@
 class certs::puppet (
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -17,6 +18,7 @@
 # cert for authentication of puppetmaster against foreman
 cert { $puppet_client_cert_name:
 hostname => $::certs::puppet::hostname,
+ cname => $::certs::puppet::cname,
 purpose => client,
 country => $::certs::country,
 state => $::certs::state,
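Review bot: The new `$cname` parameter in init.pp is documented as `# type:array` but nothing validates it, and the tag is also cased differently from the neighbouring `# type:String` and `# type:Optional[Stdlib::Absolutepath]` entries in the same header. Since the class parameters are untyped, a scalar supplied through Hiera would be passed straight into every `cert` resource and into `concat()` in certs::qpid, so a `validate_array($cname)` in the class body (which lies outside this hunk) would fail early with a clear message. I would also make the comment say what the values become: `# $cname:: Additional DNS names of the host, added as subjectAltName entries to the generated certificates` with `# type:Array` to match its siblings.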
diff --git a/manifests/qpid.pp b/manifests/qpid.pp
index 93c176ac..54ba3e5d 100644
--- a/manifests/qpid.pp
+++ b/manifests/qpid.pp
@@ -2,6 +2,7 @@
 class certs::qpid (
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -14,7 +15,7 @@
 cert { $qpid_cert_name:
 ensure => present,
 hostname => $::certs::qpid::hostname,
- cname => 'localhost',
+ cname => concat($::certs::qpid::cname, 'localhost'),
 country => $::certs::country,
 state => $::certs::state,
 city => $::certs::city,
diff --git a/manifests/qpid_client.pp b/manifests/qpid_client.pp
index 6287f439..1757df84 100644
--- a/manifests/qpid_client.pp
+++ b/manifests/qpid_client.pp
@@ -2,6 +2,7 @@
 class certs::qpid_client (
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -12,6 +13,7 @@
 cert { "${hostname}-qpid-client-cert":
 hostname => $hostname,
+ cname => $cname,
 common_name => 'pulp-qpid-client-cert',
 purpose => client,
 country => $::certs::country,
diff --git a/manifests/qpid_router.pp b/manifests/qpid_router.pp
index 09ed6036..dc2a7cb6 100644
--- a/manifests/qpid_router.pp
+++ b/manifests/qpid_router.pp
@@ -1,6 +1,7 @@
 # Constains certs specific configurations for qpid dispatch router
 class certs::qpid_router(
 $hostname = $::certs::node_fqdn,
+ $cname = $::certs::cname,
 $generate = $::certs::generate,
 $regenerate = $::certs::regenerate,
 $deploy = $::certs::deploy,
@@ -18,6 +19,7 @@
 cert { $server_keypair:
 ensure => present,
 hostname => $hostname,
+ cname => $cname,
 country => $::certs::country,
 state => $::certs::state,
 city => $::certs::city,
@@ -35,6 +37,7 @@
 cert { $client_keypair:
 ensure => present,
 hostname => $hostname,
+ cname => $cname,
 country => $::certs::country,
 state => $::certs::state,
 city => $::certs::city,

From 887a232435a34b7eac57a820e1393f4cd87f471b Mon Sep 17 00:00:00 2001
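Review bot: `cname => concat($::certs::qpid::cname, 'localhost')` in the qpid.pp hunk relies on stdlib's `concat`, which as far as I recall requires an array as its first argument, so a scalar `$cname` reaching this class would abort catalog compilation here rather than at the parameter where the mistake was made; a `validate_array` at the point of entry would give the user a useful error instead. Separately, a user who passes `localhost` themselves ends up with a duplicated SAN entry unless the `cert` type deduplicates (not visible here); `cname => unique(concat($::certs::qpid::cname, 'localhost')),` avoids that at no cost. The `certs::qpid` class body continues outside the hunk.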
From: Evgeni Golov
Date: Thu, 29 Dec 2016 15:39:33 +0100
Subject: [PATCH 2/2] refs #15931 - foreman_proxy_content: pass the cname parameter from the cli

this enables Kafo to set the subjectAltName of the certificates via --foreman-proxy-cname. The option can be given multiple times to add multple cnames.
---
 manifests/foreman_proxy_content.pp | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/manifests/foreman_proxy_content.pp b/manifests/foreman_proxy_content.pp
index c244ec68..c74408be 100644
--- a/manifests/foreman_proxy_content.pp
+++ b/manifests/foreman_proxy_content.pp
@@ -9,13 +9,17 @@
 # $foreman_proxy_fqdn:: FQDN of the foreman proxy
 # type:String
 #
+# $foreman_proxy_cname:: additional names of the foreman proxy
+# type:Array
+#
 # $certs_tar:: Path to tar file with certs to generate
 # type:Optional[Stdlib::Absolutepath]
 #
 class certs::foreman_proxy_content (
- $parent_fqdn = $fqdn,
- $foreman_proxy_fqdn = $certs::node_fqdn,
- $certs_tar = $certs::params::certs_tar
+ $parent_fqdn = $fqdn,
+ $foreman_proxy_fqdn = $certs::node_fqdn,
+ $foreman_proxy_cname = $certs::cname,
+ $certs_tar = $certs::params::certs_tar
 ) inherits certs::params {
 # until we support again pushing the cert rpms to the Katello,
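Review bot: The new header entry `# $foreman_proxy_cname:: additional names of the foreman proxy` does not tell an installer operator what the names are used for, even though the commit message does: they are written as subjectAltName entries into the proxy's certificates, so they must be the DNS names clients will actually connect with. Since Kafo renders this comment as the `--foreman-proxy-cname` help text, I would make it self-contained, e.g. `# $foreman_proxy_cname:: Additional DNS names of the foreman proxy, added as subjectAltName entries to all of its certificates`. The class body continues outside the hunk.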
@@ -23,13 +27,13 @@
 validate_present($certs_tar)
 validate_present($foreman_proxy_fqdn)
- class { '::certs::puppet': hostname => $foreman_proxy_fqdn }
- class { '::certs::foreman': hostname => $foreman_proxy_fqdn }
- class { '::certs::foreman_proxy': hostname => $foreman_proxy_fqdn }
- class { '::certs::apache': hostname => $foreman_proxy_fqdn }
- class { '::certs::qpid': hostname => $foreman_proxy_fqdn }
- class { '::certs::qpid_router': hostname => $foreman_proxy_fqdn }
- class { '::certs::qpid_client': hostname => $foreman_proxy_fqdn }
+ class { '::certs::puppet': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { '::certs::foreman': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { '::certs::foreman_proxy': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { '::certs::apache': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { '::certs::qpid': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { '::certs::qpid_router': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+ class { '::certs::qpid_client': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
 if $certs_tar {
 certs::tar_create { $certs_tar:
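Review bot: `$foreman_proxy_cname` is handed to seven classes in this hunk without any check, while the two existing parameters right above are guarded by `validate_present($certs_tar)` and `validate_present($foreman_proxy_fqdn)`. The parameter is untyped, so a scalar or nil supplied from the CLI or Hiera is only caught later, deep inside `certs::qpid`'s `concat()` or the `cert` type, with an error that does not name this parameter. Adding `validate_array($foreman_proxy_cname)` next to the two existing validations keeps the failure at the boundary where the value is accepted. The class body continues outside the hunk.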