Faidon Liambotis has uploaded a new change for review.
https://gerrit.wikimedia.org/r/197337
Change subject: sslcert: add sslcert::certificate
......................................................................
sslcert: add sslcert::certificate
Create a new definition, responsible for installing server certificates
to hosts. Replace parts of install_certificate, which now calls
sslcert::certificate to do half of its work.
Change-Id: Id34ba1fb75377b58ed841bce9792978c1ef9992c
---
M manifests/certs.pp
A modules/sslcert/manifests/certificate.pp
2 files changed, 91 insertions(+), 22 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/37/197337/1
diff --git a/manifests/certs.pp b/manifests/certs.pp
index b292eec..594a04f 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -47,32 +47,19 @@
require certificates::wmf_ca_2014_2017
require certificates::rapidssl_sha256_ca_G3
- # Public key
- file { "/etc/ssl/localcerts/${name}.crt":
- owner => 'root',
- group => $group,
- mode => '0444',
- source => "puppet:///files/ssl/${name}.crt",
- require => File['/etc/ssl/localcerts'],
+ sslcert::certificate { $name:
+ group => $group,
+ source => "puppet:///files/ssl/${name}.crt",
+ }
+
+ if ( $privatekey == true ) {
+ Sslcert::Certificate[$name] {
+ private => file("puppet:///private/ssl/${name}.key"),
+ }
}
file { "/etc/ssl/certs/${name}.pem":
ensure => absent,
- }
-
- if ( $privatekey == true ) {
- # Private key
- file { "/etc/ssl/private/${name}.key":
- owner => 'root',
- group => $group,
- mode => '0440',
- source => "puppet:///private/ssl/${name}.key",
- }
- } else {
- # empty Private key
- file { "/etc/ssl/private/${name}.key":
- ensure => 'present',
- }
}
# create_combined_cert/create_pkcs12 created those
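Review bot: in the `if ( $privatekey == true )` override, `private => file("puppet:///private/ssl/${name}.key")` hands a `puppet:///` fileserver URL to the `file()` function, which reads paths on the puppetmaster's filesystem rather than fileserver URLs (the new define's own header comment says to use `file()` for files on the puppetmaster's filesystem), so as written the key lookup should fail; it needs the master-side path of the private repository, which this change does not show. This hunk also changes behaviour: the removed `else` branch ensured an empty `/etc/ssl/private/${name}.key` was present, whereas the new define removes the key file when `private` is unset, so any consumer relying on that placeholder (the `# create_combined_cert/create_pkcs12 created those` comment suggests there are some) should be checked before merging. Stylistically, the resource override can be avoided by computing the value first, e.g. `$private = $privatekey ? { true => file(...), default => undef }`, and passing `private => $private` in the `sslcert::certificate` declaration.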
diff --git a/modules/sslcert/manifests/certificate.pp
b/modules/sslcert/manifests/certificate.pp
new file mode 100644
index 0000000..9844242
--- /dev/null
+++ b/modules/sslcert/manifests/certificate.pp
@@ -0,0 +1,82 @@
+# == Define: sslcert::certificate
+#
+# Installs a X.509 certificate -and, optionally, its private key- to the
+# system's predefined local certificate directory.
+#
+# Certificates are installed to the custom-made directory /etc/ssl/localcerts
+# rather than /etc/ssl/certs, as the latter is used often as the CA path in
+# many default configurations and examples on the web.
+#
+# NOTE: while both 'source' and 'content' are provided for the certificate,
+# only the equivalent of 'content' is provided for the private key. This is
+# done purposefully, as serving sensitive key material using the puppet
+# fileserver is dangerous and should be avoided. Use puppet's file() function
+# to serve files on the puppetmaster's filesystem.
+#
+# === Parameters
+#
+# [*ensure*]
+# If 'present', the certificate will be installed; if 'absent', it will be
+# removed. The default is 'present'.
+#
+# [*content*]
+# If defined, will be used as the content of the X.509 certificate file.
+# Undefined by default. Mutually exclusive with 'source'.
+#
+# [*source*]
+# Path to file containing the X.509 certificate file. Undefined by default.
+# Mutually exclusive with 'content'.
+#
+# [*private*]
+# The content of the private key to the certificate. Undefined by default.
+#
+# === Examples
+#
+# sslcert::certificate { 'pinkunicorn.wikimedia.org':
+# ensure => present,
+# source => 'puppet:///files/ssl/pinkunicorn.wikimedia.org.crt',
+# }
+#
+
+define sslcert::certificate(
+ $ensure=present,
+ $group='ssl-cert',
+ $source=undef,
+ $content=undef,
+ $private=undef,
+) {
+ require sslcert
+
+ if $source == undef and $content == undef {
+ fail('you must provide either "source" or "content"')
+ }
+
+ if $source != undef and $content != undef {
+ fail('"source" and "content" are mutually exclusive')
+ }
+
+ file { "/etc/ssl/localcerts/${title}.crt":
+ ensure => $ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => $source,
+ content => $content,
+ }
+
+ if $private {
+ # only support "content"; serving sensitive material over the puppet
+ # fileserver isn't a very good security practice
+ file { "/etc/ssl/private/${name}.key":
+ ensure => $ensure,
+ owner => 'root',
+ group => $group,
+ mode => '0440',
+ content => $private,
+ }
+ } else {
+ file { "/etc/ssl/private/${name}.key":
+ ensure => absent,
+ }
+ }
+}
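Review bot: `$group` is accepted as a parameter but only applied to the key file; the certificate at `/etc/ssl/localcerts/${title}.crt` is hard-coded `group => 'root'`, whereas the `certs.pp` caller previously set `group => $group` on the certificate as well, and `$group` is missing from the === Parameters section entirely. Either document it as applying to the key only or apply it to both files. Since the key is delivered via `content`, two file-resource hardening points apply to the `/etc/ssl/private/${name}.key` resource: Puppet logs a diff of `content` changes by default, so add `show_diff => false` to keep key material out of agent logs and reports, and it backs up replaced files to the local filebucket by default, so add `backup => false` so superseded keys do not accumulate there. Minor: `ensure => absent` cannot be used without also passing `source` or `content`, because the mutual-exclusion checks fail before `ensure` is considered; and the certificate path uses `${title}` while the key path uses `${name}`, which are the same value in a define but should be consistent.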
--
To view, visit https://gerrit.wikimedia.org/r/197337
Gerrit-MessageType: newchange
Gerrit-Change-Id: Id34ba1fb75377b58ed841bce9792978c1ef9992c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>