From 57f483ac07cf6774fda580abe0c603cc5bb3d499 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Wed, 21 Jan 2015 11:24:07 -0500
Subject: [PATCH] Refs #7745: Deploy client cert bundle specifically for use by the Capsule.

Note this is a bundle since that is required by the reverse proxy feature being added to the Capsule.
---
 manifests/apache.pp | 2 +-
 manifests/foreman_proxy.pp | 12 ++++++++++--
 manifests/katello.pp | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/manifests/apache.pp b/manifests/apache.pp
index 9715d957..a121856a 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -57,7 +57,7 @@
 } ->
 file { $apache_key:
 owner => $::apache::user,
- group => $::foreman::group,
+ group => $::certs::group,
 mode => '0440',
 } ->
 Service['httpd']
diff --git a/manifests/foreman_proxy.pp b/manifests/foreman_proxy.pp
index 4f8ebf61..78c4b5b5 100644
--- a/manifests/foreman_proxy.pp
+++ b/manifests/foreman_proxy.pp
@@ -15,6 +15,8 @@
 ) inherits certs::params {
 
 $proxy_cert_name = "${::certs::foreman_proxy::hostname}-foreman-proxy"
+ $foreman_proxy_client_cert_name = "${::certs::foreman_proxy::hostname}-foreman-proxy-client"
+ $foreman_proxy_ssl_client_bundle = "${certs::pki_dir}/private/${foreman_proxy_client_cert_name}-bundle.pem"
 
 if $::certs::server_cert {
 cert { $proxy_cert_name:
@@ -46,8 +48,6 @@
 }
 }
 
- $foreman_proxy_client_cert_name = "${::certs::foreman_proxy::hostname}-foreman-proxy-client"
-
 # cert for authentication of foreman_proxy against foreman
 cert { $foreman_proxy_client_cert_name:
 hostname => $::certs::foreman_proxy::hostname,
@@ -98,6 +98,14 @@
 pubkey { $foreman_ssl_ca_cert:
 key_pair => $::certs::server_ca
 } ~>
+ key_bundle { $foreman_proxy_ssl_client_bundle:
+ key_pair => Cert[$foreman_proxy_client_cert_name],
+ } ~>
+ file { $foreman_proxy_ssl_client_bundle:
+ ensure => file,
+ owner => $::certs::group,
+ mode => '0644'
+ } ~>
 file { $foreman_ssl_key:
 ensure => file,
 owner => 'foreman-proxy',
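Review bot: The group on `$apache_key` changes from `$::foreman::group` to `$::certs::group` while the commit message only describes the Capsule client bundle; with `mode => '0440'` every member of the certs group can now read the Apache private key, so the reason for moving readership to that group should be recorded. A one-line comment above `file { $apache_key:` stating why `$::certs::group` rather than `$::foreman::group` must be able to read the Apache key would make the intent reviewable. The resource chain this hunk sits in starts before the hunk.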
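Review bot: `$foreman_proxy_ssl_client_bundle` interpolates `${certs::pki_dir}` without the leading `::`, whereas every other class reference in this hunk (`$::certs::foreman_proxy::hostname`, `$::certs::server_cert`) is fully qualified; under Puppet 3 relative namespace lookup a bare `certs::pki_dir` may resolve differently from `::certs::pki_dir`. For consistency use `$foreman_proxy_ssl_client_bundle = "${::certs::pki_dir}/private/${foreman_proxy_client_cert_name}-bundle.pem"`. The class whose parameter list this hunk closes starts before the hunk.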
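Review bot: The new `file { $foreman_proxy_ssl_client_bundle:` resource is placed under `${certs::pki_dir}/private/` with `mode => '0644'`, and `owner => $::certs::group` assigns a group variable to `owner` rather than `group`; if the bundle carries the client private key, as the `private/` location and the `key_bundle` source suggest, it ends up readable by every local account. The sibling `file { $foreman_ssl_key:` resource immediately below uses `owner => 'foreman-proxy'`, so the bundle should probably be `owner => 'foreman-proxy',` / `group => $::certs::group,` / `mode => '0440',` (or the account the reverse proxy runs as, which the commit does not show). A trailing comma after the last attribute would also match the surrounding style. The resource chain this hunk extends starts and ends outside the hunk.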
diff --git a/manifests/katello.pp b/manifests/katello.pp
index c1ebfed4..b8e9841d 100644
--- a/manifests/katello.pp
+++ b/manifests/katello.pp
@@ -30,7 +30,7 @@
 owner => 'root',
 group => 'root',
 mode => '0644',
- } ->
+ } ~>
 # We need to deliver the server_ca for yum and rhsm to trust the server
 # and the default_ca for goferd to trust the qpid
 certs_bootstrap_rpm { $candlepin_consumer_name:
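Review bot: Replacing `->` with `~>` turns the ordering edge from the preceding root-owned `0644` file into a refresh relationship, so a content change to that file will now send a refresh event to `certs_bootstrap_rpm { $candlepin_consumer_name:`; that only has an effect if the type implements refresh, which is not visible here, and the commit message does not mention katello.pp. A short comment such as `# ~> so the bootstrap RPM is rebuilt whenever the delivered CA file changes`, if that is the intent, would document why a refresh rather than plain ordering is needed. The file resource the `}` closes starts before the hunk.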