Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Capsule related certs settings #8

Merged
merged 1 commit into from
Feb 17, 2014
Merged

Capsule related certs settings #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 88 additions & 0 deletions manifests/capsule.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
# Prepare the certificates for the node from the parent node
#
# === Parameters:
#
# $parent_fqdn:: fqdn of the parent node. Does not usually
# need to be set.
#
# $child_fqdn:: fqdn of the child node. REQUIRED
#
# $certs_tar:: path to tar file with certs to generate
#
# $katello_user:: Katello username used for creating repo with certs.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to clarify my understanding, this is a username coming from the application itself?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this are the credentials needed to creating the certificates repositories in Katello and uploading the cert packages

# This param indicates that we want to distribute the certs via
# Katello repo
#
# $katello_password:: Katello password
#
# $katello_org:: Organization name to create a repository in
#
# $katello_repo_provider:: Provider name to create a repository in
#
# $katello_product:: Product name to create a repository in
#
# $katello_activation_key:: Activation key that registers the system
# with access to the cert repo (OPTIONAL)
#
class certs::capsule (
$parent_fqdn = $fqdn,
$child_fqdn = $certs::params::node_fqdn,
$certs_tar = $certs::params::certs_tar,
$katello_user = $certs::params::katello_user,
$katello_password = $certs::params::katello_password,
$katello_org = $certs::params::katello_org,
$katello_repo_provider = $certs::params::katello_repo_provider,
$katello_product = $certs::params::katello_product,
$katello_activation_key = $certs::params::katello_activation_key
) inherits certs::params {

validate_present($child_fqdn)

class { 'certs::puppet': }
class { 'certs::foreman_proxy': }
class { 'certs::apache': }
class { 'certs::pulp_child': }
class { 'certs::pulp_parent':
hostname => $parent_fqdn,
deploy => true,
}

if $certs_tar {
certs::tar_create { $certs_tar:
subscribe => [Class['certs::puppet'],
Class['certs::foreman'],
Class['certs::foreman_proxy'],
Class['certs::apache'],
Class['certs::pulp_child']]
}
}

if $katello_user {

katello_repo { $child_fqdn:
user => $katello_user,
password => $katello_password,
org => $katello_org,
repo_provider => $katello_repo_provider,
product => $katello_product,
package_files => ['/root/ssl-build/*.noarch.rpm',
"/root/ssl-build/${child_fqdn}/*.noarch.rpm"],
subscribe => [Class['certs::puppet'],
Class['certs::foreman'],
Class['certs::foreman_proxy'],
Class['certs::apache'],
Class['certs::pulp_child']],
}

if $katello_activation_key {
katello_activation_key { $katello_activation_key:
user => $katello_user,
password => $katello_password,
org => $katello_org,
product => $katello_product,
require => Katello_repo[$child_fqdn]
}
}

}
}
14 changes: 14 additions & 0 deletions manifests/foreman.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,5 +44,19 @@
pubkey { $client_ca:
cert => $ca,
}

$foreman_config_cmd = "${::foreman::app_root}/script/foreman-config\
-k ssl_ca_file -v '${client_ca}'\
-k ssl_certificate -v '${client_cert}'\
-k ssl_priv_key -v '${client_key}'"
exec { 'foreman_certs_config':
environment => ["HOME=${::foreman::app_root}"],
cwd => $::foreman::app_root,
command => $foreman_config_cmd,
unless => "${foreman_config_cmd} --dry-run",
user => $::foreman::user,
require => Class['foreman::service']
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like we should add an explicit include ::foreman to ensure that the Foreman class is loaded by the time it reaches this manifest.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

include ::foreman will not help you here, as it needs to be not just included, but also initialized: the include doesn't make $::foreman::user to be set. Actually, it would cause more troubles, as it would use the defaults, instead the real params for foreman module, that would work for base cases, but start failing if you actually would change same foreman params. That's the reason why there is order setting for kafo, to define the right order of initializing of the classes

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough. My only worry with this being required by one class but ordering ensured by kafo is that it will be easy but not obvious that there is a required ordering. And further, ensuring that that isn't broken.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only other solution I can think of is having one entry-point class, that would make sure the ordering is right (something the capsule module does), but it has downsides of having to maintain the list of parameters twice: one in the entry class and one in the sub-classes. Therefore, letting kafo to deal with that is better from maintainability POV (not saying it's ideal)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds reasonable given the alternative - ACK


}
}
10 changes: 10 additions & 0 deletions manifests/params.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,4 +60,14 @@
$candlepin_keystore = '/etc/pki/katello/keystore'
$candlepin_certs_dir = '/etc/candlepin/certs'

$certs_tar = undef
# Settings for uploading packages to Katello
$katello_user = undef
$katello_password = undef
$katello_org = 'Katello Infrastructure'
$katello_repo_provider = 'node-installer'
$katello_product = 'node-certs'
$katello_activation_key = undef


}