Giuseppe Lavagetto has submitted this change and it was merged. Change subject: puppetmaster::web_frontend: use secret() for non-fqdn sites ......................................................................
puppetmaster::web_frontend: use secret() for non-fqdn sites Instead of limiting non-fqdn frontends to the ca_server, use secret() to provide the certs, which can be then generated manually on the ca_server with puppet cert generate and committed to the private repository. Change-Id: I2e6557aefe2c154f66b23a709c4479cd61d52070 --- M modules/puppetmaster/manifests/web_frontend.pp 1 file changed, 18 insertions(+), 23 deletions(-) Approvals: Giuseppe Lavagetto: Looks good to me, approved Alexandros Kosiaris: Looks good to me, but someone else must approve jenkins-bot: Verified
diff --git a/modules/puppetmaster/manifests/web_frontend.pp b/modules/puppetmaster/manifests/web_frontend.pp
index f4b4215..cf5e094 100644
--- a/modules/puppetmaster/manifests/web_frontend.pp
+++ b/modules/puppetmaster/manifests/web_frontend.pp
@@ -32,32 +32,27 @@
 $ssldir = $::puppetmaster::ssl::ssldir
 $ssl_settings = ssl_ciphersuite('apache', 'compat')
- if $alt_names {
- $alt_names_list = join(sort($alt_names), ',')
- $alt_names_cmd = " --dns_alt_names=${alt_names_list}"
- } else {
- $alt_names_cmd = ''
- }
- if $server_name != $::fqdn {
- # This is unfortunate, but "puppet cert generate"
- # just works locally, even if ca=false and a different ca server is
- # setup.
- # We will make it work writing a proper puppet resource once we are
- # settled on a PKI infrastructure to use, or we surrender to using the
- # puppet one forever.
- if $master != $::fqdn {
- fail('Alternative names are not supported for secundary puppetmasters.')
- }
- # Have puppet generate the certificate for this virtualhost
- # BEWARE: SSL key length cannot be controlled here
- exec { "generate hostcert for ${title}":
- require => File["${ssldir}/certs"],
- command => "/usr/bin/puppet cert generate ${server_name}${alt_names_cmd}",
- creates => "${ssldir}/certs/${server_name}.pem",
- before => Service['apache2'],
+ # The files called with secret() should be generated on the current
+ # puppetmaster::ca_server with "puppet cert generate" and committed to
+ # the private repository.
+ # We use the private repo for the public key as well as it gets
+ # generated on the puppet ca server.
+ file { "${ssldir}/certs/${server_name}.pem":
+ content => secret("puppetmaster/${server_name}_pubkey.pem"),
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ before => Apache::Site[$server_name],
 }
+ file { "${ssldir}/private_keys/${server_name}.pem":
+ content => secret("puppetmaster/${server_name}_privkey.pem"),
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ before => Apache::Site[$server_name],
+ }
 }
 apache::site { $server_name:
 ensure => present,
-- To view, visit https://gerrit.wikimedia.org/r/310501 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I2e6557aefe2c154f66b23a709c4479cd61d52070 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
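Review bot: The new `file` resource for `${ssldir}/private_keys/${server_name}.pem` lets the agent print a content diff of the private key into its log and run report whenever the secret changes; add `show_diff => false,` to that resource (the certificate resource can keep the default). Neither resource notifies the Apache service either, so a rotated certificate/key pair landing in the private repository is written to disk but not loaded until something else restarts Apache, because `before => Apache::Site[$server_name]` only orders the first run; unless `apache::site` already subscribes to these paths (not visible here), add `notify => Service['apache2'],` to both, reusing the service reference the removed `exec` pointed at. The hunk also drops every use of `$alt_names`, so if that parameter is still declared in the class header outside this hunk it is now silently ignored; either remove it or extend the new comment with `# Alt names must be passed to "puppet cert generate" when the cert is created.` The enclosing class starts before this hunk.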