diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-03-24 11:31:12 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-11 11:45:43 +0000 |
commit | bbe603a2608c43d9b68f998204e75b55621a9e8f (patch) | |
tree | 709ae2d6c21a10b960508864bec7179dd6769edc /manifests | |
parent | b8a11a5d80e4b2f345a7a4d249c1aafcbbf937fe (diff) |
Ensure directory exists for certificates for httpd
We used to rely on a standard directory for the certificates and keys
that are requested by certmonger. However, given the approach we plan to
take for containers that's described in the blueprint, we need to use
service-specific directories for the certs/keys, since we plan to
bind-mount these into the containers, and we don't want to bind mount
any keys/certs from other services.
Thus, we start by creating this directories if they don't exist in the
filesystem and adding the proper selinux labels.
bp tls-via-certmonger-containers
Change-Id: I0b71902358b754fa8bd7fdbb213479503c87aa46
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/certmonger/apache_dirs.pp | 55 | ||||
-rw-r--r-- | manifests/certmonger/httpd.pp | 1 | ||||
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 1 |
3 files changed, 57 insertions, 0 deletions
diff --git a/manifests/certmonger/apache_dirs.pp b/manifests/certmonger/apache_dirs.pp new file mode 100644 index 0000000..2588e46 --- /dev/null +++ b/manifests/certmonger/apache_dirs.pp @@ -0,0 +1,55 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# : = Class: tripleo::certmonger::apache_dirs +# +# Creates the necessary directories for apache's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where apache's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where apache's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::apache_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |> + } +} diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp index 94b48b7..74c0b5a 100644 --- a/manifests/certmonger/httpd.pp +++ b/manifests/certmonger/httpd.pp @@ -55,6 +55,7 @@ define tripleo::certmonger::httpd ( postsave_cmd => $postsave_cmd, ca => $certmonger_ca, wait => true, + tag => 'apache-cert', require => Class['::certmonger'], } diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 424ef09..4d91ac9 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -68,6 +68,7 @@ class tripleo::profile::base::certmonger_user ( include ::tripleo::certmonger::ca::libvirt unless empty($apache_certificates_specs) { + include ::tripleo::certmonger::apache_dirs ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs) } unless empty($libvirt_certificates_specs) { |