diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-05-04 13:23:33 +0300 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-06-08 16:57:15 +0300 |
commit | 2bb37b6189693d7588730eeb080f85009c3b6d6c (patch) | |
tree | 634b798f27cee19fc33aa9b0afaed6fed6f58775 /manifests/certmonger/ca | |
parent | 0a75929adeea9ea7a53ad5a45c9bb1f1b6962b9b (diff) |
Add resource to fetch CRL
This will fetch the CRL file from the specified file or URL. Furtherly
it will set up a cron job to refresh the crl file once a week and notify
the needed services.
bp tls-via-certmonger
Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
Diffstat (limited to 'manifests/certmonger/ca')
-rw-r--r-- | manifests/certmonger/ca/crl.pp | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/manifests/certmonger/ca/crl.pp b/manifests/certmonger/ca/crl.pp new file mode 100644 index 0000000..59a3681 --- /dev/null +++ b/manifests/certmonger/ca/crl.pp @@ -0,0 +1,149 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == class: tripleo::certmonger::ca::crl +# +# Class that downloads the appropriate CRL file from the CA. This can +# furtherly be used by services in order for proper certificate revocation to +# come into effect. The class also sets up a cron job that will refresh the CRL +# once a week. Also, processing of the CRL file might be needed. e.g. most CAs +# use DER format to distribute the CRLs, while services such as HAProxy expect +# the CRL to be in PEM format. +# +# === Parameters +# +# [*crl_dest*] +# (Optional) The file where the CRL file will be stored. +# Defaults to '/etc/pki/CA/crl/overcloud-crl.pem' +# +# [*crl_source*] +# (Optional) The URI where the CRL file will be fetched from. +# Defaults to undef +# +# [*process*] +# (Optional) Whether the CRL needs processing before being used. This means +# transforming from DER to PEM format or viceversa. This is because most CRLs +# by default come in DER format, so most likely it needs to be transformed. +# Defaults to true +# +# [*crl_preprocessed*] +# (Optional) The pre-processed CRL file which will be transformed. +# Defaults to '/etc/pki/CA/crl/overcloud-crl.bin' +# +# [*crl_preprocessed_format*] +# (Optional) The pre-processed CRL file's format which will be transformed. +# Defaults to 'DER' +# +# [*minute*] +# (optional) Defaults to '0'. +# +# [*hour*] +# (optional) Defaults to '1'. +# +# [*monthday*] +# (optional) Defaults to '*'. +# +# [*month*] +# (optional) Defaults to '*'. +# +# [*weekday*] +# (optional) Defaults to '6'. +# +# [*maxdelay*] +# (optional) Seconds. Defaults to 0. Should be a positive integer. +# Induces a random delay before running the cronjob to avoid running all +# cron jobs at the same time on all hosts this job is configured. +# +# [*reload_cmds*] +# (Optional) list of commands to be executed after fetching the CRL list in +# the cron job. This will usually be a list of reload commands issued to +# services that use the CRL. +# Defaults to [] +# +class tripleo::certmonger::ca::crl ( + $crl_dest = '/etc/pki/CA/crl/overcloud-crl.pem', + $crl_source = undef, + $process = true, + $crl_preprocessed = '/etc/pki/CA/crl/overcloud-crl.bin', + $crl_preprocessed_format = 'DER', + $minute = '0', + $hour = '1', + $monthday = '*', + $month = '*', + $weekday = '6', + $maxdelay = 0, + $reload_cmds = [], +) { + if $crl_source { + $ensure = 'present' + } else { + $ensure = 'absent' + } + + if $maxdelay == 0 { + $sleep = '' + } else { + $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; " + } + + if $process { + $fetched_crl = $crl_preprocessed + } else { + $fetched_crl = $crl_dest + } + + file { 'tripleo-ca-crl' : + ensure => $ensure, + path => $fetched_crl, + source => $crl_source, + mode => '0644', + } + + if $process and $ensure == 'present' { + $crl_dest_format = $crl_preprocessed_format ? { + 'PEM' => 'DER', + 'DER' => 'PEM' + } + # transform CRL from DER to PEM or viceversa + $process_cmd = "openssl crl -in ${$crl_preprocessed} -inform ${crl_preprocessed_format} -outform ${crl_dest_format} -out ${crl_dest}" + exec { 'tripleo-ca-crl-process-command' : + command => $process_cmd, + path => '/usr/bin', + refreshonly => true, + subscribe => File['tripleo-ca-crl'] + } + } else { + $process_cmd = [] + } + + if $ensure == 'present' { + # Fetch CRL in cron job and notify needed services + $cmd_list = concat(["${sleep}curl -L -o ${fetched_crl} ${crl_source}"], $process_cmd, $reload_cmds) + $cron_cmd = join($cmd_list, ' && ') + } else { + $cron_cmd = absent + } + + cron { 'tripleo-refresh-crl-file': + ensure => $ensure, + command => $cron_cmd, + environment => 'PATH=/usr/bin SHELL=/bin/sh', + user => 'root', + minute => $minute, + hour => $hour, + monthday => $monthday, + month => $month, + weekday => $weekday, + } +} |