Faidon Liambotis has uploaded a new change for review.
https://gerrit.wikimedia.org/r/197333
Change subject: certs: inline create_pkcs12's only use and remove
certs: inline create_pkcs12's only use and remove
The quite complicated create_pkcs12 definition is now only used in one
single place, OpenDJ manifests, with non-default values. OpenDJ isn't
here to stay, so instead of burdening a core manifest with a definition,
inline it and remove the definition from certs.pp.
Change-Id: Ic3773fd1ca13bf5c7616a9aa7f2dc9ce1d4986b2
---
M manifests/certs.pp
M modules/ldap/manifests/role/server.pp
2 files changed, 18 insertions(+), 50 deletions(-)
diff --git a/manifests/certs.pp b/manifests/certs.pp
index f740b00..f13e848 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -1,46 +1,3 @@
-define create_pkcs12(
- $certname = $name,
- $cert_alias = '',
- $password = '',
- $user = 'root',
- $group = 'ssl-cert',
- $location = '/etc/ssl/private',
-) {
-
- include passwords::certs
-
- if ( $cert_alias == '' ) {
- $certalias = $certname
- } else {
- $certalias = $cert_alias
- }
-
- if ( $password == '' ) {
- $defaultpassword = $passwords::certs::certs_default_pass
- } else {
- $defaultpassword = $password
- }
- # pkcs12 file, used by things like opendj, nss, and tomcat
- exec { "${name}_create_pkcs12":
- creates => "${location}/${certname}.p12",
- command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\"
-passout pass:${defaultpassword} -in /etc/ssl/localcerts/${certname}.crt -inkey
/etc/ssl/private/${certname}.key -out ${location}/${certname}.p12",
- onlyif => "/usr/bin/test -s /etc/ssl/private/${certname}.key",
- require => [Package['openssl'],
- File["/etc/ssl/private/${certname}.key"],
- File["/etc/ssl/localcerts/${certname}.crt"],
- ],
- }
- # Fix permissions on the p12 file, and make it available as
- # a puppet resource
- file { "${location}/${certname}.p12":
- ensure => 'file',
- mode => '0440',
- owner => $user,
- group => $group,
- require => Exec["${name}_create_pkcs12"],
- }
-}
-
define create_chained_cert(
$ca,
$certname = $name,
diff --git a/modules/ldap/manifests/role/server.pp
b/modules/ldap/manifests/role/server.pp
index c12d74e..a9281ef 100644
--- a/modules/ldap/manifests/role/server.pp
+++ b/modules/ldap/manifests/role/server.pp
@@ -38,15 +38,26 @@
}
install_certificate{ $certificate: ca => $ca_name }
+
# Add a pkcs12 file to be used for start_tls, ldaps, and opendj's admin
connector.
# Add it into the instance location, and ensure opendj can read it.
- create_pkcs12{ "${certificate}.opendj":
- certname => $certificate,
- user => 'opendj',
- group => 'opendj',
- location => $certificate_location,
- password => $cert_pass,
- require => Package['opendj'],
+ exec { "${certificate}_pkcs12":
+ creates => "${certificate_location}/${certificate}.p12",
+ command => "/usr/bin/openssl pkcs12 -export -name \"${certificate}\"
-passout pass:${cert_pass} -in /etc/ssl/localcerts/${certificate}.crt -inkey
/etc/ssl/private/${certificate}.key -out
${certificate_location}/${certname}.p12",
+ onlyif => "/usr/bin/test -s /etc/ssl/private/${certificate}.key",
+ require => [
+ Package['openssl'],
+ Package['opendj'],
+ File["/etc/ssl/localcerts/${certname}.crt"],
+ File["/etc/ssl/private/${certname}.key"],
+ ],
+ }
+ file { "${certificate_location}/${certificate}.p12":
+ ensure => present,
+ mode => '0440',
+ owner => 'opendj',
+ group => 'opendj',
+ require => Exec["${certificate}_pkcs12"],
}
include ldap::server::schema::sudo,
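Review bot: The inlined exec still references `${certname}` — a parameter of the define this commit removes, which is not defined in this scope — in the `-out` path of the command and in both `File[...]` entries of `require`, while `creates`, `onlyif` and the `-in`/`-inkey` paths correctly use `${certificate}`. If Puppet interpolates the unknown variable as an empty string (or aborts under strict_variables), openssl would write `${certificate_location}/.p12`, so the `creates` guard never matches and the command re-runs on every agent run, and the requires would point at `File["/etc/ssl/localcerts/.crt"]` and `File["/etc/ssl/private/.key"]` that no manifest declares, failing catalog compilation. The three occurrences should read `-out ${certificate_location}/${certificate}.p12"`, `File["/etc/ssl/localcerts/${certificate}.crt"],` and `File["/etc/ssl/private/${certificate}.key"],`. Since the exec is being rewritten anyway, consider not passing the PKCS#12 password on the command line — `-passout pass:${cert_pass}` is readable by every local user in the process list while openssl runs and is reproduced in Puppet's failure message for the exec — by using `-passout env:P12PASS` with `environment => ["P12PASS=${cert_pass}"]`, and note that `ensure => present` on the file resource is weaker than the `ensure => 'file'` the removed define used. The enclosing class body starts and ends outside this hunk.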
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic3773fd1ca13bf5c7616a9aa7f2dc9ce1d4986b2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>