diff options
Diffstat (limited to 'manifests/certmonger')
-rw-r--r-- | manifests/certmonger/apache_dirs.pp | 55 | ||||
-rw-r--r-- | manifests/certmonger/ca/libvirt.pp | 42 | ||||
-rw-r--r-- | manifests/certmonger/httpd.pp | 1 | ||||
-rw-r--r-- | manifests/certmonger/libvirt.pp | 78 | ||||
-rw-r--r-- | manifests/certmonger/libvirt_dirs.pp | 60 | ||||
-rw-r--r-- | manifests/certmonger/rabbitmq.pp | 4 |
6 files changed, 236 insertions, 4 deletions
diff --git a/manifests/certmonger/apache_dirs.pp b/manifests/certmonger/apache_dirs.pp new file mode 100644 index 0000000..2588e46 --- /dev/null +++ b/manifests/certmonger/apache_dirs.pp @@ -0,0 +1,55 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# : = Class: tripleo::certmonger::apache_dirs +# +# Creates the necessary directories for apache's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where apache's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where apache's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::apache_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |> + } +} diff --git a/manifests/certmonger/ca/libvirt.pp b/manifests/certmonger/ca/libvirt.pp new file mode 100644 index 0000000..9fa9e74 --- /dev/null +++ b/manifests/certmonger/ca/libvirt.pp @@ -0,0 +1,42 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::ca::libvirt +# +# Sets the necessary file that will be used by both libvirt servers and +# clients. +# +# === Parameters: +# +# [*origin_ca_pem*] +# (Optional) Path to the CA certificate that libvirt will use. This is not +# assumed automatically or uses the system CA bundle as is the case of other +# services because a limitation with the file sizes in GNU TLS, which libvirt +# uses as a TLS backend. +# Defaults to undef +# +class tripleo::certmonger::ca::libvirt( + $origin_ca_pem = undef +){ + if $origin_ca_pem { + $ensure_file = 'link' + } else { + $ensure_file = 'absent' + } + file { '/etc/pki/CA/cacert.pem': + ensure => $ensure_file, + mode => '0644', + target => $origin_ca_pem, + } +} diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp index 94b48b7..74c0b5a 100644 --- a/manifests/certmonger/httpd.pp +++ b/manifests/certmonger/httpd.pp @@ -55,6 +55,7 @@ define tripleo::certmonger::httpd ( postsave_cmd => $postsave_cmd, ca => $certmonger_ca, wait => true, + tag => 'apache-cert', require => Class['::certmonger'], } diff --git a/manifests/certmonger/libvirt.pp b/manifests/certmonger/libvirt.pp new file mode 100644 index 0000000..b7dbb0a --- /dev/null +++ b/manifests/certmonger/libvirt.pp @@ -0,0 +1,78 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Resource: tripleo::certmonger::libvirt +# +# Request a certificate for libvirt and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*file_owner*] +# (Optional) The user which the certificate and key files belong to. +# Defaults to 'root' +# +# [*principal*] +# (Optional) The service principal that is set for the service in kerberos. +# Defaults to undef +# +define tripleo::certmonger::libvirt ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + include ::nova::params + + $postsave_cmd = "systemctl restart ${::nova::params::libvirt_service_name}" + certmonger_certificate { $name : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + tag => 'libvirt-cert', + require => Class['::certmonger'], + } + + # Just register the files in puppet's resource catalog. Certmonger should + # give the right permissions. + file { $service_certificate : + require => Certmonger_certificate[$name], + } + file { $service_key : + require => Certmonger_certificate[$name], + } + + File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |> + File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |> +} diff --git a/manifests/certmonger/libvirt_dirs.pp b/manifests/certmonger/libvirt_dirs.pp new file mode 100644 index 0000000..c42ca0d --- /dev/null +++ b/manifests/certmonger/libvirt_dirs.pp @@ -0,0 +1,60 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::libvirt_dirs +# +# Creates the necessary directories for libvirt's certificates and keys in the +# assigned locations if specified. It also assigns the correct SELinux tags. +# +# === Parameters: +# +# [*certificate_dir*] +# (Optional) Directory where libvirt's certificates will be stored. If left +# unspecified, it won't be created. +# Defaults to undef +# +# [*certificate_dir*] +# (Optional) Directory where libvirt's certificates will be stored. +# Defaults to undef +# +# [*key_dir*] +# (Optional) Directory where libvirt's keys will be stored. +# Defaults to undef +# +class tripleo::certmonger::libvirt_dirs( + $certificate_dir = undef, + $key_dir = undef, +){ + + if $certificate_dir { + file { $certificate_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |> + } + + if $key_dir { + file { $key_dir : + ensure => 'directory', + selrole => 'object_r', + seltype => 'cert_t', + seluser => 'system_u', + } + File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |> + } + +} diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp index 344adef..4a47938 100644 --- a/manifests/certmonger/rabbitmq.pp +++ b/manifests/certmonger/rabbitmq.pp @@ -31,10 +31,6 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # -# [*file_owner*] -# (Optional) The user which the certificate and key files belong to. -# Defaults to 'root' -# # [*principal*] # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef |