BBlack has submitted this change and it was merged.
Change subject: Introduce a new sslcert module (to replace certs.pp)
......................................................................
Introduce a new sslcert module (to replace certs.pp)
Clean up certificates::base and move its contents into the new module's init.pp.
Change-Id: I668d311a543b0ff5613e2e2eb867a2533c447288
---
M manifests/certs.pp
R modules/sslcert/files/apparmor/ssl_certs
A modules/sslcert/manifests/init.pp
3 files changed, 50 insertions(+), 45 deletions(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/certs.pp b/manifests/certs.pp
index d00683e..2cb422b 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -108,49 +108,7 @@
}
class certificates::base {
-
- package { [ 'openssl', 'ssl-cert' ]:
- ensure => 'latest',
- }
-
- exec { 'update-ca-certificates':
- command => '/usr/sbin/update-ca-certificates',
- refreshonly => true,
- }
-
- package { 'ca-certificates':
- ensure => 'latest',
- notify => Exec['update-ca-certificates'],
- }
-
- # Server certificates now uniformly go in there
- file { '/etc/ssl/localcerts':
- ensure => directory,
- owner => 'root',
- group => 'ssl-cert',
- mode => '0755',
- require => Package['ssl-cert'],
- }
-
- if $::operatingsystem == 'Ubuntu' {
- ## NOTE: The ssl_certs abstraction for apparmor is known to exist
- ## and be mutually compatible up to Trusty; new versions will need
- ## validation before they are cleared.
-
- include apparmor
-
- if versioncmp($::lsbdistrelease, '14.04') > 0 {
- fail("The apparmor profile for certificates::base is only known to
work up to Trusty")
- }
- file { '/etc/apparmor.d/abstractions/ssl_certs':
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0444',
- source => 'puppet:///files/ssl/ssl_certs',
- notify => Service['apparmor'],
- }
- }
+ include ::sslcert
}
class certificates::star_wmflabs_org {
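Review bot: certificates::base is reduced to `include ::sslcert` with no comment saying that it is now a compatibility shim, so readers of certs.pp cannot tell which of the two classes is canonical even though the subject says sslcert replaces certs.pp. Add a header above the class, e.g. `# Compatibility shim kept for existing callers; new code should include ::sslcert directly.` Existing users of this class should also be aware that the replacement manages the same packages with `ensure => present` rather than `latest`, which the shim does not mention.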
diff --git a/files/ssl/ssl_certs b/modules/sslcert/files/apparmor/ssl_certs
similarity index 93%
rename from files/ssl/ssl_certs
rename to modules/sslcert/files/apparmor/ssl_certs
index a2a1c6f..00a9815 100644
--- a/files/ssl/ssl_certs
+++ b/modules/sslcert/files/apparmor/ssl_certs
@@ -9,8 +9,6 @@
#
# ------------------------------------------------------------------
# THIS FILE IS MANAGED BY PUPPET
-# Source: files/ssl/ssl_cert
-# From : certificates::base
/etc/ssl/ r,
/etc/ssl/certs/ r,
diff --git a/modules/sslcert/manifests/init.pp
b/modules/sslcert/manifests/init.pp
new file mode 100644
index 0000000..d671fe9
--- /dev/null
+++ b/modules/sslcert/manifests/init.pp
@@ -0,0 +1,49 @@
+# == Class: sslcert
+#
+# Base class to manage X.509/TLS/SSL certificates.
+#
+# === Parameters
+#
+# === Examples
+#
+# include sslcert
+#
+
+class sslcert {
+ package { [ 'openssl', 'ssl-cert', 'ca-certificates' ]:
+ ensure => present,
+ }
+
+ exec { 'update-ca-certificates':
+ command => '/usr/sbin/update-ca-certificates',
+ refreshonly => true,
+ require => Package['ca-certificates'],
+ }
+
+ # server certificates go in here; /etc/ssl/certs is a misnomer and actually
+ # is just for CAs. See e.g. <https://bugs.debian.org/608719>
+ file { '/etc/ssl/localcerts':
+ ensure => directory,
+ owner => 'root',
+ group => 'ssl-cert',
+ mode => '0755',
+ require => Package['ssl-cert'],
+ }
+
+ # Limit AppArmor support to just Ubuntu, for now
+ if $::operatingsystem == 'Ubuntu' {
+ include apparmor
+
+ # modify the default ssl_certs abstraction to support
+ # /etc/ssl/localcerts, as defined above
+ file { '/etc/apparmor.d/abstractions/ssl_certs':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///modules/sslcert/apparmor/ssl_certs',
+ require => Package['apparmor'],
+ notify => Service['apparmor'],
+ }
+ }
+}
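Review bot: The AppArmor block under `if $::operatingsystem == 'Ubuntu'` drops the `versioncmp($::lsbdistrelease, '14.04')` guard that the removed certificates::base code carried, so the module-shipped ssl_certs abstraction now overwrites the distro's copy on every Ubuntu release, including ones where the comment in the old code said it had not been validated. A stale overwrite on a newer release can either deny confined services paths the distro abstraction added, or grant paths the distro has since removed, so keep the guard until newer releases are checked: `if versioncmp($::lsbdistrelease, '14.04') > 0 {` / `fail('sslcert: the ssl_certs AppArmor abstraction is only validated up to Trusty')` / `}`. Separately, `Exec['update-ca-certificates']` is `refreshonly => true` and nothing in this file notifies it any more (the old `notify` on the ca-certificates package was not carried over), so the bundle is only rebuilt if some other class subscribes to it — presumably intended, but worth a comment on the exec. The switch from `latest` to `present` also means Puppet no longer pulls CA-bundle updates that remove distrusted roots; if unattended upgrades are relied on for that, say so in the class header.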
Gerrit-MessageType: merged
Gerrit-Change-Id: I668d311a543b0ff5613e2e2eb867a2533c447288
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>