Diffstat (limited to 'manifests/certmonger')
-rw-r--r--manifests/certmonger/apache_dirs.pp55
-rw-r--r--manifests/certmonger/ca/libvirt.pp42
-rw-r--r--manifests/certmonger/httpd.pp1
-rw-r--r--manifests/certmonger/libvirt.pp78
-rw-r--r--manifests/certmonger/libvirt_dirs.pp60
-rw-r--r--manifests/certmonger/rabbitmq.pp4
6 files changed, 236 insertions, 4 deletions
diff --git a/manifests/certmonger/apache_dirs.pp b/manifests/certmonger/apache_dirs.pp
new file mode 100644
index 0000000..2588e46
--- /dev/null
+++ b/manifests/certmonger/apache_dirs.pp
@@ -0,0 +1,55 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# : = Class: tripleo::certmonger::apache_dirs
+#
+# Creates the necessary directories for apache's certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+# (Optional) Directory where apache's certificates will be stored. If left
+# unspecified, it won't be created.
+# Defaults to undef
+#
+# [*key_dir*]
+# (Optional) Directory where apache's keys will be stored.
+# Defaults to undef
+#
+class tripleo::certmonger::apache_dirs(
+ $certificate_dir = undef,
+ $key_dir = undef,
+){
+
+ if $certificate_dir {
+ file { $certificate_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$certificate_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
+ }
+
+ if $key_dir {
+ file { $key_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$key_dir] ~> Certmonger_certificate<| tag == 'apache-cert' |>
+ }
+}
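Review bot: Passing the same path for `certificate_dir` and `key_dir` makes the second `file { $key_dir : … }` a duplicate resource declaration and the catalog fails to compile, since nothing in the class guards against the two parameters coinciding; guard the second block with `if $key_dir and $key_dir != $certificate_dir {` (the same pattern, with the `libvirt-cert` tag, is in manifests/certmonger/libvirt_dirs.pp in this commit). The header line `# : = Class: tripleo::certmonger::apache_dirs` is mis-typed and should read `# == Class: tripleo::certmonger::apache_dirs` to match the other new files. The `[*key_dir*]` entry also lacks the "If left unspecified, it won't be created." sentence that `[*certificate_dir*]` carries, although both branches behave the same way. Neither directory is given an explicit `owner` or `mode`, so the key directory ends up with whatever the agent's umask yields; if the deployment does not rely on certmonger to restrict the key location, an explicit `mode => '0750'` on `$key_dir` may be worth considering.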
diff --git a/manifests/certmonger/ca/libvirt.pp b/manifests/certmonger/ca/libvirt.pp
new file mode 100644
index 0000000..9fa9e74
--- /dev/null
+++ b/manifests/certmonger/ca/libvirt.pp
@@ -0,0 +1,42 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ca::libvirt
+#
+# Sets the necessary file that will be used by both libvirt servers and
+# clients.
+#
+# === Parameters:
+#
+# [*origin_ca_pem*]
+# (Optional) Path to the CA certificate that libvirt will use. This is not
+# assumed automatically or uses the system CA bundle as is the case of other
+# services because a limitation with the file sizes in GNU TLS, which libvirt
+# uses as a TLS backend.
+# Defaults to undef
+#
+class tripleo::certmonger::ca::libvirt(
+ $origin_ca_pem = undef
+){
+ if $origin_ca_pem {
+ $ensure_file = 'link'
+ } else {
+ $ensure_file = 'absent'
+ }
+ file { '/etc/pki/CA/cacert.pem':
+ ensure => $ensure_file,
+ mode => '0644',
+ target => $origin_ca_pem,
+ }
+}
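Review bot: `$origin_ca_pem` is used directly as the symlink `target` without any check that it is an absolute path, so a relative value silently produces a dangling link at `/etc/pki/CA/cacert.pem`; if the module already depends on puppetlabs-stdlib, `validate_absolute_path($origin_ca_pem)` inside the `if $origin_ca_pem` branch would catch this at compile time. The class comment "Sets the necessary file that will be used by both libvirt servers and clients." should state what is actually managed, e.g. `# Manages /etc/pki/CA/cacert.pem as a symlink to the CA certificate given in origin_ca_pem, or removes it when none is given.`. The explanation under `[*origin_ca_pem*]` ("because a limitation with the file sizes in GNU TLS") reads awkwardly and would be clearer as "because of a file-size limitation in GnuTLS, which libvirt uses as its TLS backend".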
diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp
index 94b48b7..74c0b5a 100644
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@@ -55,6 +55,7 @@ define tripleo::certmonger::httpd (
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
wait => true,
+ tag => 'apache-cert',
require => Class['::certmonger'],
}
diff --git a/manifests/certmonger/libvirt.pp b/manifests/certmonger/libvirt.pp
new file mode 100644
index 0000000..b7dbb0a
--- /dev/null
+++ b/manifests/certmonger/libvirt.pp
@@ -0,0 +1,78 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Resource: tripleo::certmonger::libvirt
+#
+# Request a certificate for libvirt and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*file_owner*]
+# (Optional) The user which the certificate and key files belong to.
+# Defaults to 'root'
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef
+#
+define tripleo::certmonger::libvirt (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::nova::params
+
+ $postsave_cmd = "systemctl restart ${::nova::params::libvirt_service_name}"
+ certmonger_certificate { $name :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ tag => 'libvirt-cert',
+ require => Class['::certmonger'],
+ }
+
+ # Just register the files in puppet's resource catalog. Certmonger should
+ # give the right permissions.
+ file { $service_certificate :
+ require => Certmonger_certificate[$name],
+ }
+ file { $service_key :
+ require => Certmonger_certificate[$name],
+ }
+
+ File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |>
+ File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |>
+}
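Review bot: The header documents a `[*file_owner*]` parameter (`(Optional) The user which the certificate and key files belong to.`) that `tripleo::certmonger::libvirt` does not declare; the same stale entry is being deleted from manifests/certmonger/rabbitmq.pp in this commit, so the block should be dropped here as well. The `file { $service_certificate : }` and `file { $service_key : }` resources set no `owner` or `mode`, and the comment above them only says certmonger "should give the right permissions"; if that expectation is confirmed, it would help a reader to say so concretely, e.g. `# Certmonger owns the file permissions; these resources only register the paths so the service can be notified on renewal.`. The `hostname` doc line "The hostname of the node. this will be set in the CN of the certificate." needs a capital after the full stop.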
diff --git a/manifests/certmonger/libvirt_dirs.pp b/manifests/certmonger/libvirt_dirs.pp
new file mode 100644
index 0000000..c42ca0d
--- /dev/null
+++ b/manifests/certmonger/libvirt_dirs.pp
@@ -0,0 +1,60 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::libvirt_dirs
+#
+# Creates the necessary directories for libvirt's certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+# (Optional) Directory where libvirt's certificates will be stored. If left
+# unspecified, it won't be created.
+# Defaults to undef
+#
+# [*certificate_dir*]
+# (Optional) Directory where libvirt's certificates will be stored.
+# Defaults to undef
+#
+# [*key_dir*]
+# (Optional) Directory where libvirt's keys will be stored.
+# Defaults to undef
+#
+class tripleo::certmonger::libvirt_dirs(
+ $certificate_dir = undef,
+ $key_dir = undef,
+){
+
+ if $certificate_dir {
+ file { $certificate_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
+ }
+
+ if $key_dir {
+ file { $key_dir :
+ ensure => 'directory',
+ selrole => 'object_r',
+ seltype => 'cert_t',
+ seluser => 'system_u',
+ }
+ File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
+ }
+
+}
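Review bot: The header documents `[*certificate_dir*]` twice in a row, the second entry being a shorter copy of the first without the "If left unspecified, it won't be created." sentence; delete the duplicate so each parameter is described once, and consider giving `[*key_dir*]` the same "if left unspecified" wording since the `if $key_dir` branch behaves identically. The trailing blank line before the closing `}` is inconsistent with `apache_dirs.pp`, which ends the class directly after the last block.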
diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp
index 344adef..4a47938 100644
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@@ -31,10 +31,6 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
-# [*file_owner*]
-# (Optional) The user which the certificate and key files belong to.
-# Defaults to 'root'
-#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef