From d4a730d70e02a393a9dc265184e3e8f87a7b86e8 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Wed, 5 Mar 2014 12:20:04 -0500
Subject: [PATCH] Addresses changes made to katello-certs-tools regarding location of cert generation and password arguments to katello-certs-tools. Provies cleanup and simplification of where and what certs are used as well as changing the naming conventions to reflect the fact that Katello is the project controlling and generating the CA and certs.
---
 .gitignore | 2 +
 lib/puppet/provider/ca/katello_ssl_tool.rb | 45 +--------
 lib/puppet/provider/cert/katello_ssl_tool.rb | 2 +-
 lib/puppet/provider/katello_ssl_tool.rb | 48 +++------
 .../provider/key_bundle/katello_ssl_tool.rb | 8 +-
 .../provider/privkey/katello_ssl_tool.rb | 8 +-
 .../provider/pubkey/katello_ssl_tool.rb | 8 +-
 lib/puppet/type/certs_common.rb | 30 +++---
 lib/puppet/type/key_bundle.rb | 3 +
 lib/puppet/type/privkey.rb | 2 +-
 lib/puppet/type/pubkey.rb | 5 +-
 manifests/apache.pp | 71 +++++++-------
 manifests/candlepin.pp | 74 +++++--------
 manifests/config.pp | 14 +++
 manifests/foreman.pp | 67 +++++++------
 manifests/foreman_proxy.pp | 67 +++++++------
 manifests/init.pp | 86 ++++++++++++----
 manifests/katello.pp | 19 ++--
 manifests/params.pp | 27 +++--
 manifests/pulp_parent.pp | 81 ++++++++-------
 manifests/puppet.pp | 64 ++++++------
 manifests/qpid.pp | 98 +++++++++----------
 22 files changed, 416 insertions(+), 413 deletions(-)
diff --git a/.gitignore b/.gitignore
index 133e989c..27254b81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@
 .vagrant
 *.swp
 *.swo
+*.swm
+*.swn
 .bundle
 vendor/
diff --git a/lib/puppet/provider/ca/katello_ssl_tool.rb b/lib/puppet/provider/ca/katello_ssl_tool.rb
index c7f18ead..52e51ae8 100644
--- a/lib/puppet/provider/ca/katello_ssl_tool.rb
+++ b/lib/puppet/provider/ca/katello_ssl_tool.rb
@@ -3,30 +3,13 @@ Puppet::Type.type(:ca).provide(:katello_ssl_tool, :parent => Puppet::Provider::KatelloSslTool::Cert) do - def self.privkey(name) - # TODO: just temporarily until we have this changes in katello installer as well - if name == 'candlepin-ca' - build_path('candlepin-cert.key') - else - target_path("private/#{name}.key") - end - end - protected - def generate_passphrase - @passphrase ||= generate_random_password - passphrase_dir = File.dirname(passphrase_file) - FileUtils.mkdir_p(passphrase_dir) unless File.exists?(passphrase_dir) - File.open(passphrase_file, 'w') { |f| f << @passphrase } - return @passphrase - end - def generate! - passphrase = generate_passphrase katello_ssl_tool('--gen-ca', - '-p', passphrase, + '-p', "file:#{resource[:password_file]}", '--force', + '--ca-cert-dir', target_path('certs'), '--set-common-name', resource[:common_name], '--ca-cert', File.basename(pubkey), '--ca-key', File.basename(privkey), @@ -35,33 +18,15 @@ def generate! end def files_to_generate - [rpmfile, privkey, passphrase_file] + [rpmfile, privkey] end def files_to_deploy [pubkey] end - # TODO: just temporarily until we have this changes in katello installer as well - def rpmfile_base_name - if resource[:name] == 'candlepin-ca' - 'katello-candlepin-cert-key-pair' - else - super - end - end - - def generate_random_password - size = 20 - # These are quite often confusing ... - ambiguous_characters = %w(0 1 O I l) - - # Get allowed characters set ... - set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a - set = set - ambiguous_characters - - # Shuffle characters in the set at random and return desired number of them ... - return size.times.collect {|i| set[rand(set.size)] }.join + def self.privkey(name) + build_path("#{name}.key") end end diff --git a/lib/puppet/provider/cert/katello_ssl_tool.rb b/lib/puppet/provider/cert/katello_ssl_tool.rb index 724c8d73..4262a584 100644 --- a/lib/puppet/provider/cert/katello_ssl_tool.rb 
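Review bot: `generate!` now hands katello-ssl-tool `'-p', "file:#{resource[:password_file]}"`, but nothing guards against `password_file` being unset — the `newparam(:password_file)` added in certs_common.rb carries no validation — so a missing value produces the bare argument `file:` and the tool fails with an unhelpful error. A guard before the call, `raise Puppet::Error, "password_file must be set on #{resource.ref}" unless resource[:password_file]`, gives a clear failure; the cert provider's `generate!` hunk has the same `-p "file:…"` and the privkey provider's `expected_content` hunk the same `-passin` (presumably only on the `unprotect` path, since init.pp sets `password_file` only there). A `validate` block on the type parameter in certs_common.rb would cover all of them at once. `generate!` continues past the end of this hunk.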
+++ b/lib/puppet/provider/cert/katello_ssl_tool.rb @@ -7,7 +7,7 @@ def generate! resource[:common_name] ||= resource[:hostname] purpose = resource[:purpose] katello_ssl_tool("--gen-#{purpose}", - '-p', ca_details[:passphrase], + '-p', "file:#{resource[:password_file]}", '--set-hostname', resource[:hostname], '--set-common-name', resource[:common_name], '--ca-cert', ca_details[:pubkey], diff --git a/lib/puppet/provider/katello_ssl_tool.rb b/lib/puppet/provider/katello_ssl_tool.rb index d5db5647..23a4f815 100644 --- a/lib/puppet/provider/katello_ssl_tool.rb +++ b/lib/puppet/provider/katello_ssl_tool.rb @@ -22,40 +22,15 @@ def self.details(cert_name) details = { :pubkey => pubkey(cert_name), :privkey => privkey(cert_name) } - passphrase_file = passphrase_file(cert_name) - if File.exists?(passphrase_file) - details[:passphrase_file] = passphrase_file - details[:passphrase] = File.read(passphrase_file).chomp - end - return details end def self.pubkey(name) - # TODO: just temporarily until we have this changes in katello installer as well - if name == 'candlepin-ca' - '/usr/share/katello/candlepin-ca.crt' - else - target_path("certs/#{name}.crt") - end + target_path("certs/#{name}.crt") end def self.privkey(name) - # TODO: just temporarily until we have this changes in katello installer as well - if name == 'candlepin-ca' - build_path('candlepin-cert.key') - else - target_path("private/#{name}.key") - end - end - - def self.passphrase_file(name) - # TODO: just temporarily until we have this changes in katello installer as well - if name == 'candlepin-ca' - '/etc/katello/candlepin_ca_password-file' - else - build_path("#{name}.pwd") - end + target_path("private/#{name}.key") end protected 
@@ -142,23 +117,23 @@ def privkey self.class.privkey(resource[:name]) end - def passphrase_file - self.class.passphrase_file(resource[:name]) - end - def full_path(file_name) self.class.full_path(file_name) end - def self.target_path(file_name = nil) - File.join("/etc/pki/tls", file_name) + def target_path(file_name = '') + self.class.target_path(file_name) + end + + def self.target_path(file_name = '') + File.join("/etc/pki/katello-certs-tools", file_name) end def build_path(file_name) self.class.build_path(file_name) end - def self.build_path(file_name = nil) + def self.build_path(file_name = '') File.join("/root/ssl-build", file_name) end @@ -191,7 +166,6 @@ def current_content File.read(resource[:path]) end - def checksum(content) md5(content) end @@ -207,11 +181,11 @@ def mode def cert_details return @cert_details if defined? @cert_details - if cert_resource = @resource[:cert] + if cert_resource = @resource[:key_pair] name = cert_resource.to_hash[:name] @cert_details = Puppet::Provider::KatelloSslTool::Cert.details(name) else - raise 'Cert was not specified' + raise 'Cert or Ca was not specified' end end diff --git a/lib/puppet/provider/key_bundle/katello_ssl_tool.rb b/lib/puppet/provider/key_bundle/katello_ssl_tool.rb index 49d10d88..b8a6209d 100644 --- a/lib/puppet/provider/key_bundle/katello_ssl_tool.rb +++ b/lib/puppet/provider/key_bundle/katello_ssl_tool.rb @@ -9,8 +9,12 @@ def expected_content end def pubkey - # strips the textual info from the certificate file - openssl('x509', '-in', pubkey_source_path) + if resource[:strip] + # strips the textual info from the certificate file + openssl('x509', '-in', pubkey_source_path) + else + File.read(pubkey_source_path) + end end def privkey diff --git a/lib/puppet/provider/privkey/katello_ssl_tool.rb b/lib/puppet/provider/privkey/katello_ssl_tool.rb index 5c259711..2ed08cd9 100644 --- a/lib/puppet/provider/privkey/katello_ssl_tool.rb +++ b/lib/puppet/provider/privkey/katello_ssl_tool.rb 
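Review bot: `self.target_path` and `self.build_path` now define two roots (`/etc/pki/katello-certs-tools` and `/root/ssl-build`) with no comment saying which files live in which, and the manifests introduce a third, `$pki_dir = '/etc/pki/katello'` (params.pp hunk), that the `pubkey`/`privkey` resources are pointed at; a reader has to reconstruct the flow from the call sites. A one-line comment on each would help, e.g. `# Tree katello-ssl-tool deploys certs/keys into; distinct from the manifests' $pki_dir` above `self.target_path` and `# Working tree where katello-ssl-tool builds keys and RPMs` above `self.build_path`. The new `''` default makes `File.join` return the root with a trailing slash, which looks intentional but deserves a word too.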
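Review bot: `cert_details` resolves every `key_pair` through `Puppet::Provider::KatelloSslTool::Cert.details`, but for a `Ca` the ca provider overrides `self.privkey` to `build_path("#{name}.key")` (ca provider hunk), so `[:privkey]` here points at `target_path("private/…")` for CA resources; the privkey provider's `source_path` hunk papers over that by re-dispatching on `@resource[:key_pair].type`. Dispatching once here on the resource type — as certs_common.rb already does with `resource_type.name` — keeps the special case in one place and lets `source_path` return to plain `cert_details[:privkey]`. `details` is a class method inherited by the Ca provider class, so calling it on that class picks up its `privkey` override. A `Puppet::Error` instead of a bare string `raise` also lets Puppet report the failure against the resource.

```ruby
  def cert_details
    return @cert_details if defined? @cert_details
    key_pair = @resource[:key_pair]
    raise Puppet::Error, 'Cert or Ca was not specified' unless key_pair
    # Ca overrides self.privkey (build dir), so resolve through its own provider class
    provider = if key_pair.resource_type.name == :ca
                 Puppet::Type::Ca::ProviderKatello_ssl_tool
               else
                 Puppet::Provider::KatelloSslTool::Cert
               end
    @cert_details = provider.details(key_pair.to_hash[:name])
  end
```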
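Review bot: `if resource[:strip]` tests Ruby truthiness, and the `newparam(:strip)` added to key_bundle.rb and pubkey.rb (type hunks) accepts any value, so `strip => 'false'` or `strip => 'no'` from a manifest would strip the certificate; the pubkey provider's `expected_content` hunk has the same test. Declaring the values on the parameter, `newparam(:strip) do newvalues(:true, :false) end`, and comparing `if resource[:strip] == :true` in both providers pins the behaviour (with symbol values `:false` is itself truthy, so the comparison is needed either way). As far as I recall Puppet matches a bare `true` against `newvalues(:true, …)` via `to_s`, so init.pp's `strip => true` keeps working — worth confirming.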
@@ -11,7 +11,7 @@ def expected_content openssl('rsa', '-in', source_path, '-out', tmp_file, - '-passin', "file:#{cert_details[:passphrase_file]}") + '-passin', "file:#{resource[:password_file]}") File.read(tmp_file) ensure File.delete(tmp_file) if File.exists?(tmp_file) @@ -22,7 +22,11 @@ def expected_content end def source_path - cert_details[:privkey] + if @resource[:key_pair].type == 'Cert' + cert_details[:privkey] + elsif @resource[:key_pair].type == 'Ca' + Puppet::Type::Ca::ProviderKatello_ssl_tool.privkey(@resource[:key_pair].to_hash[:name]) + end end def mode diff --git a/lib/puppet/provider/pubkey/katello_ssl_tool.rb b/lib/puppet/provider/pubkey/katello_ssl_tool.rb index 8594b250..6b820a0e 100644 --- a/lib/puppet/provider/pubkey/katello_ssl_tool.rb +++ b/lib/puppet/provider/pubkey/katello_ssl_tool.rb @@ -5,8 +5,12 @@ protected def expected_content - # strips the textual info from the certificate file - openssl('x509', '-in', source_path) + if resource[:strip] + # strips the textual info from the certificate file + openssl('x509', '-in', source_path) + else + File.read(source_path) + end end def source_path diff --git a/lib/puppet/type/certs_common.rb b/lib/puppet/type/certs_common.rb index ba2e914a..7395242e 100644 --- a/lib/puppet/type/certs_common.rb +++ b/lib/puppet/type/certs_common.rb @@ -29,6 +29,8 @@ module Certs newparam(:regenerate) newparam(:deploy) + + newparam(:password_file) end FILE_COMMON_PARAMS = Proc.new do 
@@ -36,35 +38,27 @@ module Certs newparam(:path, :namevar => true) + newparam(:password_file) + # make ensure present default define_method(:managed?) { true } - newparam(:cert) do - # TODO: should be required + newparam(:key_pair) do validate do |value| - unless value.is_a?(Puppet::Resource) && [:ca, :cert].include?(value.resource_type.name) - raise ArgumentError, "Expected Cert or Ca resource" + unless value.is_a?(Puppet::Resource) && (value.resource_type.name == :ca || value.resource_type.name == :cert) + raise ArgumentError, "Expected Ca or Cert resource" end end end - autorequire(:file) do - @parameters[:path] - end - - autorequire(:cert) do - # TODO: find better way how to determine the type - if @parameters.has_key?(:cert) && - @parameters[:cert].value.resource_type.name == :cert - @parameters[:cert].value.to_hash[:name] + autorequire(:key_pair) do + if @parameters.has_key?(:key_pair) + @parameters[:key_pair].value.to_hash[:name] end end - autorequire(:ca) do - if @parameters.has_key?(:cert) && - @parameters[:cert].value.resource_type.name == :ca - @parameters[:cert].value.to_hash[:name] - end + autorequire(:file) do + @parameters[:path] end end diff --git a/lib/puppet/type/key_bundle.rb b/lib/puppet/type/key_bundle.rb index fda4a08d..edf95154 100644 --- a/lib/puppet/type/key_bundle.rb +++ b/lib/puppet/type/key_bundle.rb @@ -8,4 +8,7 @@ newparam(:pubkey) newparam(:privkey) + + # Whether to strip the certificate information from the pubkey + newparam(:strip) end diff --git a/lib/puppet/type/privkey.rb b/lib/puppet/type/privkey.rb index 200997da..2db9d143 100644 --- a/lib/puppet/type/privkey.rb +++ b/lib/puppet/type/privkey.rb @@ -1,7 +1,7 @@ require File.expand_path('../certs_common', __FILE__) Puppet::Type.newtype(:privkey) do - desc 'Stores the private key file on a location' + desc 'Stores the private key file in a location' instance_eval(&Certs::FILE_COMMON_PARAMS) 
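Review bot: `autorequire(:key_pair)` names a resource type, and unless a `key_pair` type exists somewhere this diff does not show, there is none — the referenced resources are of type `ca` and `cert` — so this autorequire never adds an edge and the implicit ordering that the removed `autorequire(:cert)`/`autorequire(:ca)` blocks provided is lost. The explicit `Cert[...] ~> pubkey { … }` chains this commit adds in apache.pp, foreman.pp, foreman_proxy.pp and pulp_parent.pp look like a workaround for exactly that. One autorequire per concrete type, selected by `resource_type.name` as the `validate` block above already does, restores it without the manifest-side chains.

```ruby
  [:ca, :cert].each do |type|
    autorequire(type) do
      if @parameters.has_key?(:key_pair) &&
         @parameters[:key_pair].value.resource_type.name == type
        @parameters[:key_pair].value.to_hash[:name]
      end
    end
  end

  # … unchanged: autorequire(:file) …
```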
diff --git a/lib/puppet/type/pubkey.rb b/lib/puppet/type/pubkey.rb index 6ce21dec..0e0b62fa 100644 --- a/lib/puppet/type/pubkey.rb +++ b/lib/puppet/type/pubkey.rb @@ -1,7 +1,10 @@ require File.expand_path('../certs_common', __FILE__) Puppet::Type.newtype(:pubkey) do - desc 'Stores the public key file on a location' + desc 'Stores the public key file in a location' instance_eval(&Certs::FILE_COMMON_PARAMS) + + # will generate a key with the certificate information stripped + newparam(:strip) end diff --git a/manifests/apache.pp b/manifests/apache.pp index 7d014165..f63bd803 100644 --- a/manifests/apache.pp +++ b/manifests/apache.pp 
@@ -1,53 +1,52 @@ -# == Class: certs::apache -# # Certs configurations for Apache -# class certs::apache ( - $hostname = $::certs::node_fqdn, - $generate = $::certs::generate, - $regenerate = $::certs::regenerate, - $deploy = $::certs::deploy, - $ca = $::certs::default_ca, - $apache_ssl_cert = $::certs::params::apache_ssl_cert, - $apache_ssl_key = $::certs::params::apache_ssl_key, - $apache_ca_cert = $::certs::params::apache_ca_cert + + $hostname = $::certs::node_fqdn, + $generate = $::certs::generate, + $regenerate = $::certs::regenerate, + $deploy = $::certs::deploy, + + $ca = $::certs::default_ca, + $apache_cert_name = $::certs::params::apache_cert_name, + ) inherits certs::params { require '::apache' - cert { "${::certs::node_fqdn}-ssl": - ensure => present, - hostname => $::certs::node_fqdn, - country => $::certs::country, - state => $::certs::state, - city => $::certs::sity, - org => $::certs::org, - org_unit => $::certs::org_unit, - expiration => $::certs::expiration, - ca => $ca, - generate => $generate, - regenerate => $regenerate, - deploy => $deploy, + $apache_cert = "${certs::pki_dir}/certs/${apache_cert_name}.crt" + $apache_key = "${certs::pki_dir}/private/${apache_cert_name}.key" + + cert { $apache_cert_name: + ensure => present, + hostname => $::certs::node_fqdn, + country => $::certs::country, + state => $::certs::state, + city => $::certs::sity, + org => $::certs::org, + org_unit => $::certs::org_unit, + expiration => $::certs::expiration, + ca => $ca, + generate => $generate, + regenerate => $regenerate, + deploy => $deploy, + password_file => $certs::ca_key_password_file, } if $deploy { - pubkey { $apache_ssl_cert: - ensure => present, - cert => Cert["${::certs::node_fqdn}-ssl"] - } ~> - pubkey { $apache_ca_cert: - ensure => present, - cert => $ca + Cert[$apache_cert_name] ~> + pubkey { $apache_cert: + ensure => present, + key_pair => Cert[$apache_cert_name] } ~> - privkey { $apache_ssl_key: - ensure => present, - cert => 
Cert["${::certs::node_fqdn}-ssl"] + privkey { $apache_key: + ensure => present, + key_pair => Cert[$apache_cert_name] } -> - file { $apache_ssl_key: + file { $apache_key: owner => $::apache::user, group => $::apache::group, - mode => '0400'; + mode => '0400', } -> Service['httpd'] diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp index 13229ebe..44d40a1c 100644 --- a/manifests/candlepin.pp +++ b/manifests/candlepin.pp 
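Review bot: `city => $::certs::sity` on the new `cert { $apache_cert_name: … }` references a variable that does not exist — init.pp's `ca` resource uses `$certs::city` — so under Puppet 3 the locality comes out undef (with a warning, or a failure under strict_variables); it should read `city => $::certs::city,`. The same typo is carried into foreman.pp, foreman_proxy.pp and both cert resources in pulp_parent.pp. Separately, the class declares a `$hostname` parameter but the resource passes `hostname => $::certs::node_fqdn`, so overriding the parameter has no effect; `hostname => $hostname,` (as the other classes do with theirs) or dropping the parameter would make the interface honest.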
@@ -1,66 +1,46 @@ # Constains certs specific configurations for candlepin class certs::candlepin ( - $hostname = $::certs::node_fqdn, - $generate = $::certs::generate, - $regenerate = $::certs::regenerate, - $deploy = $::certs::deploy, - $ca = $::certs::default_ca, - $storage = $::certs::params::candlepin_certs_storage, - $ca_cert = $::certs::params::candlepin_ca_cert, - $ca_key = $::certs::params::candlepin_ca_key, - $pki_dir = $::certs::params::candlepin_pki_dir, - $keystore = $::certs::params::candlepin_keystore, - $keystore_password_file = $::certs::candlepin_keystore_password_file, - $keystore_password = $::certs::candlepin_keystore_password, - $candlepin_certs_dir = $::certs::params::candlepin_certs_dir + + $hostname = $::certs::node_fqdn, + $generate = $::certs::generate, + $regenerate = $::certs::regenerate, + $deploy = $::certs::deploy, + $ca = $::certs::default_ca, + $storage = $::certs::params::candlepin_certs_storage, + $ca_cert = $::certs::ca_cert_stripped, + $ca_key = $::certs::ca_key, + $pki_dir = $::certs::params::pki_dir, + $keystore = $::certs::params::candlepin_keystore, + $keystore_password_file = $::certs::params::keystore_password_file, + $candlepin_certs_dir = $::certs::params::candlepin_certs_dir + ) inherits certs::params { Exec { logoutput => 'on_failure' } + $keystore_password = cache_data($keystore_password_file, random_password(32)) + $password_file = "${certs::pki_dir}/keystore_password-file" + if $deploy { - File[$certs::pki_dir] ~> - file { $keystore_password_file: + file { $password_file: ensure => file, content => $keystore_password, - mode => '0600', - owner => 'tomcat', - group => $::certs::group, - replace => false; - } ~> - pubkey { $ca_cert: - cert => $ca, - } ~> - file { $ca_cert: - ensure => file, - owner => 'root', - group => $::certs::group, - mode => '0644'; - } ~> - privkey { $ca_key: - cert => $ca, - unprotect => true; - } ~> - file { $ca_key: - ensure => file, - owner => 'root', - group => $::certs::group, - mode => 
'0640', + owner => $certs::user, + group => $certs::group, + mode => '0440', } ~> exec { 'generate-ssl-keystore': - command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${keystore_password_file}\"", + command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${certs::ca_key_password_file}\" ", path => '/bin:/usr/bin', - creates => $keystore; + creates => $keystore, } ~> file { "/usr/share/${candlepin::tomcat}/conf/keystore": ensure => link, - target => $keystore; - } ~> - exec { 'add-candlepin-cert-to-nss-db': - command => "certutil -A -d '${::certs::nss_db_dir}' -n 'ca' -t 'TCu,Cu,Tuw' -a -i '${ca_cert}'", - path => '/usr/bin', - subscribe => Exec['create-nss-db'], - refreshonly => true, + target => $keystore, + owner => 'tomcat', + group => $::certs::group, + notify => Service[$candlepin::tomcat] } } diff --git a/manifests/config.pp b/manifests/config.pp index c9c41393..7025bc47 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -2,6 +2,20 @@ class certs::config { file { $certs::pki_dir: + ensure => directory, + owner => 'root', + group => $certs::group, + mode => '0755', + } + + file { "${certs::pki_dir}/certs": + ensure => directory, + owner => 'root', + group => $certs::group, + mode => '0755', + } + + file { "${certs::pki_dir}/private": ensure => directory, owner => 'root', group => $certs::group, diff --git a/manifests/foreman.pp b/manifests/foreman.pp index 930c8f61..aadab69e 100644 --- a/manifests/foreman.pp +++ b/manifests/foreman.pp 
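Review bot: `exec { 'generate-ssl-keystore': … creates => $keystore }` is notified by the password file but, as far as I recall, `creates` is honoured on refresh too, so once the keystore exists it is never rebuilt even when `$ca_cert`/`$ca_key` are regenerated and tomcat keeps serving the old CA. If the keystore is meant to track the CA, replace `creates` with `refreshonly => true` and notify the exec from the `Pubkey`/`Privkey` resources that deploy the CA in init.pp rather than only from the password file. The keystore holds the CA private key (PKCS12, password-protected) and no `file` resource manages its owner or mode, while the password file next to it is pinned at 0440; `file { $keystore: owner => 'tomcat', group => $::certs::group, mode => '0440' }` after the exec would close that gap. `-passin "file:${certs::ca_key_password_file}"` is applied to a key that init.pp deploys with `unprotect => true`, so it appears redundant — harmless if so.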
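Review bot: the `mode` for `file { "${certs::pki_dir}/private": … }` lies past the end of the hunk and, if it is the `0755` given to `$certs::pki_dir` and `certs` above, the directory that init.pp uses for the CA key, its `${default_ca_name}.pwd` password file and the unprotected `${default_ca_name}.key` is world-searchable. A dedicated `mode => '0750',` with `group => $certs::group` matches the 0440 group-readable files placed inside it; the files themselves are protected, so this is defence in depth and parity with the usual private-key directory layout.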
@@ -1,54 +1,59 @@ # Handles Foreman certs configuration class certs::foreman ( - $hostname = $::certs::node_fqdn, - $generate = $::certs::generate, - $regenerate = $::certs::regenerate, - $deploy = $::certs::deploy, - $ca = $::certs::default_ca, - $client_cert = $::certs::params::foreman_client_cert, - $client_key = $::certs::params::foreman_client_key, - $client_ca = $::certs::params::foreman_client_ca + + $hostname = $::certs::node_fqdn, + $generate = $::certs::generate, + $regenerate = $::certs::regenerate, + $deploy = $::certs::deploy, + $ca = $::certs::default_ca, + $client_cert = $::certs::params::foreman_client_cert, + $client_key = $::certs::params::foreman_client_key, + $client_ca_cert = $::certs::params::foreman_client_ca_cert + ) inherits certs::params { + $client_cert_name = "${::certs::foreman::hostname}-foreman-client" + # cert for authentication of puppetmaster against foreman - cert { "${::certs::foreman::hostname}-foreman-client": - hostname => $::certs::foreman::hostname, - purpose => client, - country => $::certs::country, - state => $::certs::state, - city => $::certs::sity, - org => 'FOREMAN', - org_unit => 'PUPPET', - expiration => $::certs::expiration, - ca => $ca, - generate => $generate, - regenerate => $regenerate, - deploy => $deploy, + cert { $client_cert_name: + hostname => $::certs::foreman::hostname, + purpose => client, + country => $::certs::country, + state => $::certs::state, + city => $::certs::sity, + org => 'FOREMAN', + org_unit => 'PUPPET', + expiration => $::certs::expiration, + ca => $ca, + generate => $generate, + regenerate => $regenerate, + deploy => $deploy, + password_file => $certs::ca_key_password_file, } if $deploy { - pubkey { $client_cert: - cert => Cert["${::certs::foreman::hostname}-foreman-client"], - } + Cert[$client_cert_name] ~> + pubkey { $client_cert: + key_pair => Cert[$client_cert_name], + } ~> privkey { $client_key: - cert => Cert["${::certs::foreman::hostname}-foreman-client"], + key_pair => 
Cert[$client_cert_name], } -> - + pubkey { $client_ca_cert: + key_pair => $ca + } ~> file { $client_key: ensure => file, owner => 'foreman', mode => '0400', } - pubkey { $client_ca: - cert => $ca, - } - $foreman_config_cmd = "${::foreman::app_root}/script/foreman-config\ - -k ssl_ca_file -v '${client_ca}'\ + -k ssl_ca_file -v '${client_ca_cert}'\ -k ssl_certificate -v '${client_cert}'\ -k ssl_priv_key -v '${client_key}'" + exec { 'foreman_certs_config': environment => ["HOME=${::foreman::app_root}"], cwd => $::foreman::app_root, diff --git a/manifests/foreman_proxy.pp b/manifests/foreman_proxy.pp index b3c7487f..748fb619 100644 --- a/manifests/foreman_proxy.pp +++ b/manifests/foreman_proxy.pp 
@@ -1,48 +1,55 @@ # Handles Foreman Proxy cert configuration class certs::foreman_proxy ( - $hostname = $::certs::node_fqdn, - $generate = $::certs::generate, - $regenerate = $::certs::regenerate, - $deploy = $::certs::deploy, - $ca = $::certs::default_ca, - $proxy_cert = $::certs::params::foreman_proxy_cert, - $proxy_key = $::certs::params::foreman_proxy_key, - $proxy_ca = $::certs::params::foreman_proxy_ca + + $hostname = $::certs::node_fqdn, + $generate = $::certs::generate, + $regenerate = $::certs::regenerate, + $deploy = $::certs::deploy, + $ca = $::certs::default_ca, + $proxy_cert = $::certs::params::foreman_proxy_cert, + $proxy_key = $::certs::params::foreman_proxy_key, + $proxy_ca_cert = $::certs::params::foreman_proxy_ca_cert + ) inherits certs::params { + $proxy_cert_name = "${::certs::foreman_proxy::hostname}-foreman-proxy" + # cert for ssl of foreman-proxy - cert { "${::certs::foreman_proxy::hostname}-foreman-proxy": - hostname => $::certs::foreman_proxy::hostname, - purpose => server, - country => $::certs::country, - state => $::certs::state, - city => $::certs::sity, - org => 'FOREMAN', - org_unit => 'SMART_PROXY', - expiration => $::certs::expiration, - ca => $ca, - generate => $generate, - regenerate => $regenerate, - deploy => $deploy, + cert { $proxy_cert_name: + hostname => $::certs::foreman_proxy::hostname, + purpose => server, + country => $::certs::country, + state => $::certs::state, + city => $::certs::sity, + org => 'FOREMAN', + org_unit => 'SMART_PROXY', + expiration => $::certs::expiration, + ca => $ca, + generate => $generate, + regenerate => $regenerate, + deploy => $deploy, + password_file => $certs::ca_key_password_file, } if $deploy { - pubkey { $proxy_cert: - cert => Cert["${::certs::foreman_proxy::hostname}-foreman-proxy"], - } + Cert[$proxy_cert_name] ~> + pubkey { $proxy_cert: + key_pair => Cert[$proxy_cert_name], + } ~> privkey { $proxy_key: - cert => Cert["${::certs::foreman_proxy::hostname}-foreman-proxy"], + key_pair => 
Cert[$proxy_cert_name], } -> - + pubkey { $proxy_ca_cert: + key_pair => $ca + } ~> file { $proxy_key: ensure => file, owner => 'foreman-proxy', + group => $certs::group, mode => '0400' - } + } ~> + Service['foreman-proxy'] - pubkey { $proxy_ca: - cert => $ca, - } } } diff --git a/manifests/init.pp b/manifests/init.pp index 28b195e1..e5952e4b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -52,6 +52,8 @@ # # $pki_dir:: The PKI directory under which to place certs # +# $ssl_build_dir:: The directory where SSL keys, certs and RPMs will be generated +# # $user:: The system user name who should own the certs; # default 'foreman' # @@ -60,6 +62,9 @@ # # $password_file_dir:: The location to store password files # +# $default_ca_name:: The name of the default CA; +# default 'katello' +# class certs ( $log_dir = $certs::params::log_dir, 
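Review bot: `file { $proxy_key: … } ~> Service['foreman-proxy']` only restarts the proxy when the `file` resource itself changes owner/group/mode; as far as I recall a notified `file` has no `refresh` and relays no event, so a regenerated key written by `privkey { $proxy_key: … }` does not reach the service (the privkey → `pubkey { $proxy_ca_cert }` link is `->` in any case). If a restart on rotation is the intent, add `Privkey[$proxy_key] ~> Service['foreman-proxy']` and `Pubkey[$proxy_cert] ~> Service['foreman-proxy']`; `Service['foreman-proxy']` is presumably declared by another module, so the reference assumes that class is in the catalog. apache.pp's chain uses `->` into `Service['httpd']` and has the same property if a restart was expected there.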
@@ -78,38 +83,77 @@ $expiration = $certs::params::expiration, $ca_expiration = $certs::params::ca_expiration, - $pki_dir = $::certs::params::candlepin_pki_dir, + $pki_dir = $certs::params::pki_dir, + $ssl_build_dir = $certs::params::ssl_build_dir, $password_file_dir = $certs::params::password_file_dir, $user = $certs::params::user, - $group = $certs::params::group + $group = $certs::params::group, - ) inherits certs::params { + $default_ca_name = $certs::params::default_ca_name - $nss_db_dir = $certs::params::nss_db_dir - $default_ca = Ca['candlepin-ca'] + ) inherits certs::params { - $candlepin_keystore_password_file = "${password_file_dir}/keystore_password-file" - $candlepin_keystore_password = find_or_create_password($candlepin_keystore_password_file) + $nss_db_dir = "${pki_dir}/nssdb" + $default_ca = Ca[$default_ca_name] - $ssl_pk12_password_file = "${password_file_dir}/pk12_password-file" - $nss_db_password_file = "${password_file_dir}/nss_db_password-file" + $ca_key = "${certs::pki_dir}/private/${default_ca_name}.key" + $ca_cert = "${certs::pki_dir}/certs/${default_ca_name}.crt" + $ca_cert_stripped = "${certs::pki_dir}/certs/${default_ca_name}-stripped.crt" + $ca_key_password = cache_data('ca_key_password', generate_password()) + $ca_key_password_file = "${certs::pki_dir}/private/${default_ca_name}.pwd" class { 'certs::install': } -> class { 'certs::config': } -> - ca { 'candlepin-ca': - ensure => present, - common_name => $certs::ca_common_name, - country => $certs::country, - state => $certs::state, - city => $certs::city, - org => $certs::org, - org_unit => $certs::org_unit, - expiration => $certs::ca_expiration, - generate => $certs::generate, - regenerate => $certs::regenerate_ca, - deploy => true, + file { $ca_key_password_file: + ensure => file, + content => $ca_key_password, + owner => 'root', + group => 'root', + mode => '0400' + } ~> + ca { $default_ca_name: + ensure => present, + common_name => $certs::ca_common_name, + country => $certs::country, 
+ state => $certs::state, + city => $certs::city, + org => $certs::org, + org_unit => $certs::org_unit, + expiration => $certs::ca_expiration, + generate => $certs::generate, + deploy => $certs::deploy, + password_file => $ca_key_password_file + } + + if $deploy { + + Ca[$default_ca_name] ~> + pubkey { $ca_cert: + key_pair => $default_ca + } ~> + pubkey { $ca_cert_stripped: + strip => true, + key_pair => $default_ca + } ~> + privkey { $ca_key: + key_pair => $default_ca, + unprotect => true, + password_file => $ca_key_password_file + } ~> + file { $ca_key: + ensure => file, + owner => 'root', + group => $certs::group, + mode => '0440', + } ~> + file { $ca_cert: + ensure => file, + owner => 'root', + group => $certs::group, + mode => '0644', + } } } diff --git a/manifests/katello.pp b/manifests/katello.pp index 5578ffb6..7c3989bf 100644 --- a/manifests/katello.pp +++ b/manifests/katello.pp @@ -1,10 +1,8 @@ # Katello specific certs settings class certs::katello { - $ssl_build_path = '/root/ssl-build' $katello_www_pub_dir = '/var/www/html/pub' - $candlepin_cert_name = 'candlepin-ca' - $candlepin_consumer_name = "${candlepin_cert_name}-consumer-${::fqdn}" + $candlepin_consumer_name = "${$certs::default_ca_name}-consumer-${::fqdn}" $candlepin_consumer_summary = "Subscription-manager consumer certificate for Katello instance ${::fqdn}" $candlepin_consumer_description = 'Consumer certificate and post installation script that configures rhsm.' @@ -14,13 +12,7 @@ group => 'apache', mode => '0755'; } -> - file { $ssl_build_path: - ensure => directory, - owner => 'root', - group => 'root', - mode => '0700'; - } -> - file { "${ssl_build_path}/rhsm-katello-reconfigure": + file { "${certs::ssl_build_dir}/rhsm-katello-reconfigure": content => template('certs/rhsm-katello-reconfigure.erb'), owner => 'root', group => 'root', 
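Review bot: the rewritten `ca { $default_ca_name: … }` drops the `regenerate => $certs::regenerate_ca` the old resource had, while `$regenerate_ca = false` is still declared in params.pp and documented on the class, so the knob is now dead and the CA can no longer be forced to regenerate through it; either restore `regenerate => $certs::regenerate_ca,` or remove the parameter. `$ca_key_password = cache_data('ca_key_password', generate_password())` uses a different generator than candlepin.pp's `cache_data($keystore_password_file, random_password(32))`; neither function is visible in this diff, but one of the two names is likely wrong. `$nss_db_dir = "${pki_dir}/nssdb"` is also set in params.pp by this same commit, so one of the two definitions can go.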
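Review bot: `"${$certs::default_ca_name}-consumer-${::fqdn}"` nests a `$` inside the interpolation braces, unlike `${certs::ssl_build_dir}` a few lines later in the same file; Puppet 3 tolerates `${$var}` but it reads as a typo and trips some linters, so `"${certs::default_ca_name}-consumer-${::fqdn}"` is the consistent form. The same `${$certs::default_ca_name}` appears twice in the third hunk of this file (in the `command` and in the `-latest` symlink name).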
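Review bot: the removed `file { $ssl_build_path: … mode => '0700' }` was the only resource in view pinning permissions on the build tree, and nothing now manages `$certs::ssl_build_dir` — config.pp's hunk adds `$pki_dir`, `certs` and `private` but not the build dir. The ca provider keeps the CA private key there (`build_path("#{name}.key")`) next to the generated RPMs, so unless katello-certs-tools is known to create it 0700, a `file { $certs::ssl_build_dir: ensure => directory, owner => 'root', group => 'root', mode => '0700' }` belongs in config.pp, ordered before the `ca` resource.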
@@ -28,13 +20,14 @@ } ~> exec { 'generate-candlepin-consumer-certificate': cwd => $katello_www_pub_dir, - command => "gen-rpm.sh --name '${candlepin_consumer_name}' --version 1.0 --release 1 --packager None --vendor None --group 'Applications/System' --summary '${candlepin_consumer_summary}' --description '${candlepin_consumer_description}' --requires subscription-manager --post ${ssl_build_path}/rhsm-katello-reconfigure /etc/rhsm/ca/candlepin-local.pem:644=${ssl_build_path}/${candlepin_cert_name}.crt && /sbin/restorecon ./*rpm", - path => '/usr/share/katello/certs:/usr/bin:/bin', + command => "katello-certs-gen-rpm --name '${candlepin_consumer_name}' --version 1.0 --release 1 --packager None --vendor None --group 'Applications/System' --summary '${candlepin_consumer_summary}' --description '${candlepin_consumer_description}' --requires subscription-manager --post ${certs::ssl_build_dir}/rhsm-katello-reconfigure /etc/rhsm/ca/candlepin-local.pem:644=${certs::ssl_build_dir}/${$certs::default_ca_name}.crt && /sbin/restorecon ./*rpm", + path => '/usr/bin:/bin', creates => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm", logoutput => 'on_failure'; } ~> - file { "${katello_www_pub_dir}/${candlepin_cert_name}-consumer-latest.noarch.rpm": + file { "${katello_www_pub_dir}/${$certs::default_ca_name}-consumer-latest.noarch.rpm": ensure => 'link', target => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm", } + } diff --git a/manifests/params.pp b/manifests/params.pp index fc69e5fb..4d0f190c 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -11,6 +11,8 @@ } $log_dir = '/var/log/certs' + $pki_dir = '/etc/pki/katello' + $ssl_build_dir = '/root/ssl-build' $node_fqdn = $::fqdn @@ -23,6 +25,7 @@ $regenerate_ca = false $deploy = true + $default_ca_name = 'katello-ca' $country = 'US' $state = 'North Carolina' $city = 'Raleigh' 
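Review bot: the consumer RPM packages `${certs::ssl_build_dir}/${$certs::default_ca_name}.crt` as `/etc/rhsm/ca/candlepin-local.pem`, but the provider now resolves the CA certificate via `target_path("certs/#{name}.crt")` under `/etc/pki/katello-certs-tools` and passes `--ca-cert-dir target_path('certs')` to the tool, so whether a copy still lands in the build dir depends on katello-certs-tools; if it does not, this exec fails on first run. Using `$certs::ca_cert` (deployed by init.pp when `$deploy`) or the provider's path avoids relying on that. `creates =>` on the RPM also means a regenerated CA never yields a new consumer package — pre-existing, but worth a comment on the exec.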
@@ -31,32 +34,29 @@ $expiration = '365' $ca_expiration = '36500' - $password_file_dir = '/etc/katello' - $nss_db_dir = '/etc/pki/katello/nssdb' + $keystore_password_file = 'keystore_password-file' + $nss_db_dir = "${pki_dir}/nssdb" $user = 'root' $group = 'root' - $foreman_client_cert = '/etc/foreman/client_cert.pem' - $foreman_client_key = '/etc/foreman/client_key.pem' - $foreman_client_ca = '/etc/foreman/client_ca.pem' + $foreman_client_cert = '/etc/foreman/client_cert.pem' + $foreman_client_key = '/etc/foreman/client_key.pem' + $foreman_client_ca_cert = '/etc/foreman/client_ca.pem' - $foreman_proxy_cert = '/etc/foreman-proxy/ssl_cert.pem' - $foreman_proxy_key = '/etc/foreman-proxy/ssl_key.pem' - $foreman_proxy_ca = '/etc/foreman-proxy/ssl_ca.pem' + $foreman_proxy_cert = '/etc/foreman-proxy/ssl_cert.pem' + $foreman_proxy_key = '/etc/foreman-proxy/ssl_key.pem' + $foreman_proxy_ca_cert = '/etc/foreman-proxy/ssl_ca.pem' $puppet_client_cert = '/etc/puppet/client_cert.pem' $puppet_client_key = '/etc/puppet/client_key.pem' - $puppet_client_ca = '/etc/puppet/client_ca.pem' + $puppet_client_ca_cert = '/etc/puppet/client_ca.pem' - $apache_ssl_cert = '/etc/pki/tls/certs/katello-node.crt' - $apache_ssl_key = '/etc/pki/tls/private/katello-node.key' - $apache_ca_cert = '/etc/pki/tls/certs/katello-ca.crt' + $apache_cert_name = 'katello-apache' $candlepin_certs_storage = '/etc/candlepin/certs' $candlepin_ca_cert = '/etc/candlepin/certs/candlepin-ca.crt' $candlepin_ca_key = '/etc/candlepin/certs/candlepin-ca.key' - $candlepin_pki_dir = '/etc/pki/katello' $candlepin_keystore = '/etc/pki/katello/keystore' $candlepin_certs_dir = '/etc/candlepin/certs' @@ -69,5 +69,4 @@ $katello_product = 'node-certs' $katello_activation_key = undef - } diff --git a/manifests/pulp_parent.pp b/manifests/pulp_parent.pp index 96b35e8d..446db774 100644 --- a/manifests/pulp_parent.pp +++ b/manifests/pulp_parent.pp 
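Review bot: `$candlepin_keystore = '/etc/pki/katello/keystore'` and the `$candlepin_ca_*` paths still hardcode the directory that this hunk otherwise derives from `$pki_dir` (`$nss_db_dir = "${pki_dir}/nssdb"`), so changing `$pki_dir` silently splits the two; `$candlepin_keystore = "${pki_dir}/keystore"` keeps them together. `$keystore_password_file = 'keystore_password-file'` is a bare file name while every other `*_file` here is an absolute path and candlepin.pp builds the real path separately as `$password_file`, so either a name such as `$keystore_password_cache_key` or a comment saying it is the `cache_data` key would avoid confusion. `$candlepin_ca_cert`/`$candlepin_ca_key` no longer appear to be consumed by candlepin.pp after this commit; confirm they are used elsewhere before keeping them.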
@@ -1,54 +1,58 @@
  # Pulp Master Certs configuration
  class certs::pulp_parent (
- $hostname = $::certs::node_fqdn,
- $generate = $::certs::generate,
- $regenerate = $::certs::regenerate,
- $deploy = $::certs::deploy,
- $ca = $::certs::default_ca,
- $nodes_cert_dir = '/etc/pki/pulp/nodes',
- $nodes_cert = 'node.crt',
+ $hostname = $::certs::node_fqdn,
+ $generate = $::certs::generate,
+ $regenerate = $::certs::regenerate,
+ $deploy = $::certs::deploy,
+ $ca = $::certs::default_ca,
- $messaging_ca_cert = $pulp::params::messaging_ca_cert,
- $messaging_client_cert = $pulp::params::messaging_client_cert
+ $nodes_cert_dir = '/etc/pki/pulp/nodes',
+ $nodes_cert = 'node.crt',
+
+ $messaging_ca_cert = $certs::ca_cert,
+ $messaging_client_cert = '/etc/pki/pulp/qpid_client_striped.crt',
  ) inherits pulp::params {
  # cert for nodes authenitcation
  cert { "${::certs::pulp_parent::hostname}-parent-cert":
- hostname => $certs::pulp_parent::hostname,
- common_name => 'pulp-child-node-cert',
- purpose => client,
- country => $::certs::country,
- state => $::certs::state,
- city => $::certs::sity,
- org => 'PULP',
- org_unit => 'NODES',
- expiration => $::certs::expiration,
- ca => $ca,
- generate => $generate,
- regenerate => $regenerate,
- deploy => $deploy,
+ hostname => $certs::pulp_parent::hostname,
+ common_name => 'pulp-child-node-cert',
+ purpose => client,
+ country => $::certs::country,
+ state => $::certs::state,
+ city => $::certs::sity,
+ org => 'PULP',
+ org_unit => 'NODES',
+ expiration => $::certs::expiration,
+ ca => $ca,
+ generate => $generate,
+ regenerate => $regenerate,
+ deploy => $deploy,
+ password_file => $certs::ca_key_password_file,
  }
  cert { "${::certs::pulp_parent::hostname}-qpid-client-cert":
- hostname => $::certs::pulp_parent::hostname,
- common_name => 'pulp-qpid-client-cert',
- purpose => client,
- country => $::certs::country,
- state => $::certs::state,
- city => $::certs::sity,
- org => 'PULP',
- org_unit => $::certs::org_unit,
- expiration =>
$::certs::expiration, - ca => $ca, - generate => $generate, - regenerate => $regenerate, - deploy => $deploy, + hostname => $::certs::pulp_parent::hostname, + common_name => 'pulp-qpid-client-cert', + purpose => client, + country => $::certs::country, + state => $::certs::state, + city => $::certs::sity, + org => 'PULP', + org_unit => $::certs::org_unit, + expiration => $::certs::expiration, + ca => $ca, + generate => $generate, + regenerate => $regenerate, + deploy => $deploy, + password_file => $certs::ca_key_password_file, } if $deploy { + Cert["${::certs::pulp_parent::hostname}-parent-cert"] ~> file { $nodes_cert_dir: ensure => directory, owner => $certs::user, @@ -56,16 +60,19 @@ mode => '0755', } -> key_bundle { "${nodes_cert_dir}/${::certs::pulp_parent::nodes_cert}": - cert => Cert["${::certs::pulp_parent::hostname}-parent-cert"], + key_pair => Cert["${::certs::pulp_parent::hostname}-parent-cert"], } + Cert["${::certs::pulp_parent::hostname}-qpid-client-cert"] ~> key_bundle { $messaging_client_cert: - cert => Cert["${::certs::pulp_parent::hostname}-qpid-client-cert"], + key_pair => Cert["${::certs::pulp_parent::hostname}-qpid-client-cert"], } ~> file { $messaging_client_cert: owner => 'apache', group => 'apache', mode => '0640', } + } + } diff --git a/manifests/puppet.pp b/manifests/puppet.pp index 2fd2f193..984d9b96 100644 --- a/manifests/puppet.pp +++ b/manifests/puppet.pp 
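Review bot: `city => $::certs::sity,` survives on the new side of both `cert` resources, but the variable the params hunk defines is `$city = 'Raleigh'`, so unless a `$sity` exists somewhere not shown the locality field is generated from an undefined value (empty, or a compile error under strict variable checking); the same line is carried over in the puppet.pp and qpid.pp hunks below. The fix is `city => $::certs::city,` in each place. Separately, `$messaging_client_cert` now defaults to the literal `'/etc/pki/pulp/qpid_client_striped.crt'` although the class still `inherits pulp::params`; if `pulp::params` no longer supplies that value a short comment saying why the path is fixed here, e.g. `# path is owned by this module now, not pulp::params`, would stop the next reader from re-wiring it.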
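Review bot: `Cert["...-parent-cert"] ~> file { $nodes_cert_dir: ... } -> key_bundle { ... }` stops the refresh at the directory: `file` has no refresh action and `->` is ordering only, so the nodes bundle is not re-deployed when the parent cert is regenerated, unlike the qpid-client bundle just below, which is wired `Cert[...] ~> key_bundle`. Ordering the directory first and notifying the bundle directly, `file { $nodes_cert_dir: ... } -> Cert["${::certs::pulp_parent::hostname}-parent-cert"] ~> Key_bundle["${nodes_cert_dir}/${::certs::pulp_parent::nodes_cert}"]`, gives both bundles the same behaviour. The nodes bundle also gets no `file` resource pinning owner/mode, whereas `$messaging_client_cert` is set to `0640`; if the bundle contains the private key, as the `key_pair` parameter suggests, it is left at whatever mode the provider writes. Both hunks of this file end inside the `if $deploy` block that this hunk does not fully show.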
@@ -1,48 +1,54 @@
  # Class for handling Puppet cert configuration
  class certs::puppet (
- $hostname = $::certs::node_fqdn,
- $generate = $::certs::generate,
- $regenerate = $::certs::regenerate,
- $deploy = $::certs::deploy,
- $ca = $::certs::default_ca,
- $client_cert = $::certs::params::puppet_client_cert,
- $client_key = $::certs::params::puppet_client_key,
- $client_ca = $::certs::params::puppet_client_ca
+
+ $hostname = $::certs::node_fqdn,
+ $generate = $::certs::generate,
+ $regenerate = $::certs::regenerate,
+ $deploy = $::certs::deploy,
+
+ $ca = $::certs::default_ca,
+ $client_cert = $::certs::params::puppet_client_cert,
+ $client_key = $::certs::params::puppet_client_key,
+ $client_ca_cert = $::certs::params::puppet_client_ca_cert
+
  ) inherits certs::params {
+ $puppet_client_cert_name = "${::certs::puppet::hostname}-puppet-client"
+
  # cert for authentication of puppetmaster against foreman
- cert { "${::certs::puppet::hostname}-puppet-client":
- hostname => $::certs::puppet::hostname,
- purpose => client,
- country => $::certs::country,
- state => $::certs::state,
- city => $::certs::sity,
- org => 'FOREMAN',
- org_unit => 'PUPPET',
- expiration => $::certs::expiration,
- ca => $ca,
- generate => $generate,
- regenerate => $regenerate,
- deploy => $deploy,
+ cert { $puppet_client_cert_name:
+ hostname => $::certs::puppet::hostname,
+ purpose => client,
+ country => $::certs::country,
+ state => $::certs::state,
+ city => $::certs::sity,
+ org => 'FOREMAN',
+ org_unit => 'PUPPET',
+ expiration => $::certs::expiration,
+ ca => $ca,
+ generate => $generate,
+ regenerate => $regenerate,
+ deploy => $deploy,
+ password_file => $certs::ca_key_password_file,
  }
  if $deploy {
- pubkey { $client_cert:
- cert => Cert["${::certs::puppet::hostname}-puppet-client"],
- }
+ Cert[$puppet_client_cert_name] ~>
+ pubkey { $client_cert:
+ key_pair => Cert[$puppet_client_cert_name],
+ } ~>
  privkey { $client_key:
- cert => Cert["${::certs::puppet::hostname}-puppet-client"],
+ key_pair => Cert[$puppet_client_cert_name],
  } ->
-
+ pubkey { $client_ca_cert:
+ key_pair => $ca
+ } ~>
  file { $client_key:
  ensure => file,
  owner => 'puppet',
  mode => '0400',
  }
- pubkey { $client_ca:
- cert => $ca,
- }
  }
  }
diff --git a/manifests/qpid.pp b/manifests/qpid.pp
index 467ab8ae..c01fdf62 100644
--- a/manifests/qpid.pp
+++ b/manifests/qpid.pp
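Review bot: The `file { $client_key: mode => '0400' }` that locks down the private key is now reached only through `pubkey { $client_ca_cert: key_pair => $ca } ~>`, whereas the old chain went straight from `privkey` to that `file`; if deploying the CA certificate fails, the dependent `file` is skipped and the freshly written key stays at the provider's default mode. Keeping `privkey { $client_key: ... } ~> file { $client_key: ... }` adjacent and ordering the CA `pubkey` after the `file` resource instead preserves the tightening regardless of the CA deploy. `key_pair => $ca` is also the only attribute in the file without the trailing comma the other resources carry.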
@@ -1,53 +1,61 @@
  # Handles Qpid cert configuration
  class certs::qpid (
- $hostname = $::certs::node_fqdn,
- $generate = $::certs::generate,
+ $hostname = $::certs::node_fqdn,
+ $generate = $::certs::generate,
  $regenerate = $::certs::regenerate,
- $deploy = $::certs::deploy,
- $ca = $::certs::default_ca
+ $deploy = $::certs::deploy,
+
+ $ca = $::certs::default_ca
  ){
  Exec { logoutput => 'on_failure' }
- cert { "${::certs::qpid::hostname}-qpid-broker":
- ensure => present,
- hostname => $::certs::qpid::hostname,
- country => $::certs::country,
- state => $::certs::state,
- city => $::certs::sity,
- org => 'pulp',
- org_unit => $::certs::org_unit,
- expiration => $::certs::expiration,
- ca => $ca,
- generate => $generate,
- regenerate => $regenerate,
- deploy => $deploy,
+ $qpid_cert_name = "${certs::qpid::hostname}-qpid-broker"
+
+ cert { $qpid_cert_name:
+ ensure => present,
+ hostname => $::certs::qpid::hostname,
+ country => $::certs::country,
+ state => $::certs::state,
+ city => $::certs::sity,
+ org => 'pulp',
+ org_unit => $::certs::org_unit,
+ expiration => $::certs::expiration,
+ ca => $ca,
+ generate => $generate,
+ regenerate => $regenerate,
+ deploy => $deploy,
+ password_file => $certs::ca_key_password_file,
  }
  if $deploy {
- $nss_db_password_file = $certs::nss_db_password_file
- $ssl_pk12_password_file = $certs::ssl_pk12_password_file
- $qpid_cert_name = 'qpid-broker'
- $client_cert = "/etc/pki/katello/${qpid_cert_name}.crt"
- $client_key = "/etc/pki/katello/${qpid_cert_name}.key"
- $pfx_path = "/etc/pki/katello/${qpid_cert_name}.pfx"
+ $nss_db_password_file = "${certs::nss_db_dir}/nss_db_password-file"
+ $client_cert = "${certs::pki_dir}/certs/${qpid_cert_name}.crt"
+ $client_key = "${certs::pki_dir}/private/${qpid_cert_name}.key"
+ $pfx_path = "${certs::pki_dir}/${qpid_cert_name}.pfx"
  $nssdb_files = ["${::certs::nss_db_dir}/cert8.db", "${::certs::nss_db_dir}/key3.db", "${::certs::nss_db_dir}/secmod.db"]
- File[$certs::pki_dir] ~>
+ Cert[$qpid_cert_name] ~>
  pubkey { $client_cert:
- cert => Cert["${::certs::qpid::hostname}-qpid-broker"]
+ key_pair => Cert["${::certs::qpid::hostname}-qpid-broker"]
  } ~>
  privkey { $client_key:
- cert => Cert["${::certs::qpid::hostname}-qpid-broker"]
+ key_pair => Cert["${::certs::qpid::hostname}-qpid-broker"]
  } ~>
  file { $client_key:
  ensure => file,
  owner => 'root',
- group => $::certs::group,
- mode => '0400',
+ group => 'apache',
+ mode => '0440',
+ } ~>
+ file { $::certs::nss_db_dir:
+ ensure => directory,
+ owner => 'root',
+ group => 'qpidd',
+ mode => '0755',
  } ~>
  exec { 'generate-nss-password':
  command => "openssl rand -base64 24 > ${nss_db_password_file}",
@@ -57,35 +65,22 @@
  file { $nss_db_password_file:
  ensure => file,
  owner => 'root',
- group => $::certs::group,
+ group => 'qpidd',
  mode => '0640',
  } ~>
- exec { 'generate-pk12-password':
- path => '/usr/bin',
- command => "openssl rand -base64 24 > ${ssl_pk12_password_file}",
- creates => $ssl_pk12_password_file
- } ~>
- file { $ssl_pk12_password_file:
- ensure => file,
- owner => 'root',
- group => $::certs::group,
- mode => '0600',
- require => Exec['generate-pk12-password']
- } ~>
- file { $::certs::nss_db_dir:
- ensure => directory,
- owner => 'root',
- group => $::certs::group,
- mode => '0744',
- } ~>
  exec { 'create-nss-db':
  command => "certutil -N -d '${::certs::nss_db_dir}' -f '${nss_db_password_file}'",
  path => '/usr/bin',
  creates => $nssdb_files,
  } ~>
+ exec { 'add-ca-cert-to-nss-db':
+ command => "certutil -A -d '${::certs::nss_db_dir}' -n 'ca' -t 'TCu,Cu,Tuw' -a -i '${certs::ca_cert}'",
+ path => '/usr/bin',
+ refreshonly => true,
+ } ~>
  file { $nssdb_files:
  owner => 'root',
- group => $::certs::group,
+ group => 'qpidd',
  mode => '0640',
  } ~>
  exec { 'add-broker-cert-to-nss-db':
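Review bot: `file { $client_key: group => 'apache', mode => '0440' }` widens access to the broker's private key from root-only (`$::certs::group`, `0400` on the old side) to the web-server group, and nothing in this chain shows apache reading it — the only consumer visible is the root-run `openssl pkcs12` export further down. Either restore `mode => '0400'` with the root group, or add a comment naming the apache-side reader so the grant is deliberate, e.g. `# group apache: read by <consumer> — TODO confirm before widening`. On style, the `pubkey`/`privkey` resources still spell out `Cert["${::certs::qpid::hostname}-qpid-broker"]` although `$qpid_cert_name` was introduced for exactly that; `key_pair => Cert[$qpid_cert_name]` matches the new `Cert[$qpid_cert_name] ~>` line above them. The `if $deploy` chain continues past this hunk.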
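Review bot: `exec { 'add-ca-cert-to-nss-db': refreshonly => true }` only fires when `create-nss-db` refreshes, and `create-nss-db` is guarded by `creates => $nssdb_files`, so an existing database never picks up a re-issued CA certificate — the `'ca'` nickname keeps the old one until the db files are deleted by hand. Subscribing the exec to the CA as well, `subscribe => $ca` (assuming `$ca` is the `Ca[...]` reference that `key_pair => $ca` elsewhere in this commit implies), makes it track CA regeneration. Dropping the separate `generate-pk12-password` also means the NSS db password now doubles as the PKCS#12 export password in the `generate-pfx-for-nss-db` hunk below; that is workable for a transient export, but `${pfx_path}` still has no `file` resource restricting its mode, so a `file { $pfx_path: owner => 'root', mode => '0600' }` after the export would be worth adding.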
@@ -94,15 +89,16 @@
  refreshonly => true,
  } ~>
  exec { 'generate-pfx-for-nss-db':
- command => "openssl pkcs12 -in ${client_cert} -inkey ${client_key} -export -out '${pfx_path}' -password 'file:${ssl_pk12_password_file}'",
+ command => "openssl pkcs12 -in ${client_cert} -inkey ${client_key} -export -out '${pfx_path}' -password 'file:${nss_db_password_file}'",
  path => '/usr/bin',
  refreshonly => true,
  } ~>
  exec { 'add-private-key-to-nss-db':
- command => "pk12util -i '${pfx_path}' -d '${::certs::nss_db_dir}' -w '${ssl_pk12_password_file}' -k '${nss_db_password_file}'",
+ command => "pk12util -i '${pfx_path}' -d '${::certs::nss_db_dir}' -w '${nss_db_password_file}' -k '${nss_db_password_file}'",
  path => '/usr/bin',
  refreshonly => true,
- }
+ } ~>
+ Service['qpidd']
  }