Giuseppe Lavagetto has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/326910 )

Change subject: puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert
......................................................................

puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert

Bug: T153042
Change-Id: I2b9bdd18a68b77c0c0bd132efb6d469bfbeca958
---
M modules/puppetmaster/files/puppet_ecdsacert.rb
A modules/puppetmaster/files/puppet_wildcardsign.rb
M modules/puppetmaster/manifests/init.pp
3 files changed, 39 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/10/326910/1

diff --git a/modules/puppetmaster/files/puppet_ecdsacert.rb 
b/modules/puppetmaster/files/puppet_ecdsacert.rb
old mode 100644
new mode 100755
index 9ee5515..0a33719
--- a/modules/puppetmaster/files/puppet_ecdsacert.rb
+++ b/modules/puppetmaster/files/puppet_ecdsacert.rb
@@ -1,3 +1,4 @@
+#!/usr/bin/env ruby
 # Copyright (c) 2016 Giuseppe Lavagetto, Wikimedia Foundation
 # Loosely based on 
https://github.com/ripienaar/mcollective-choria/blob/master/lib/mcollective/util/choria.rb
 require 'net/http'
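Review bot: the new shebang uses `/usr/bin/env ruby`, so the script runs under whichever `ruby` is first on the invoking user's PATH rather than the interpreter Puppet itself is installed for; if the puppetmaster relies on a specific ruby for the `puppet` library, pin that interpreter path explicitly (the same applies to the shebang in puppet_wildcardsign.rb below).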
diff --git a/modules/puppetmaster/files/puppet_wildcardsign.rb 
b/modules/puppetmaster/files/puppet_wildcardsign.rb
new file mode 100755
index 0000000..35b5c64
--- /dev/null
+++ b/modules/puppetmaster/files/puppet_wildcardsign.rb
@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+# Copyright (c) 2016 Giuseppe Lavagetto, Wikimedia Foundation
+# Shameful hack to allow signing certs with wildcard SANs when we want it
+# Useful for issuing internal certificates for exposing services.
+require 'puppet'
+require 'puppet/ssl/certificate_authority'
+
+module Puppet
+  module SSL
+    # Extend the signing checks
+    module CertificateAuthorityExtensions
+      def check_internal_signing_policies(hostname, csr, _allow_dns_alt_names)
+        super(hostname, csr, true)
+      rescue Puppet::SSL::CertificateAuthority::CertificateSigningError => e
+        if e.message.start_with?("CSR '#{csr.name}' subjectAltName contains a 
wildcard")
+          true
+        else
+          raise
+        end
+      end
+    end
+    # Extend the base class
+    class CertificateAuthority
+      prepend Puppet::SSL::CertificateAuthorityExtensions
+    end
+  end
+end
+
+$0 = 'cert'
+require 'puppet/util/command_line'
+Puppet::Util::CommandLine.new.execute
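Review bot: the third argument to `super` is hard-wired to `true` regardless of the `_allow_dns_alt_names` value the caller passed, so this wrapper relaxes the whole DNS-alt-names policy, not only the wildcard check; if the tool is meant to admit wildcard SANs only, pass the original flag through and handle just the wildcard case, or state the broader behaviour in the header comment. Two further points on the `rescue` branch: returning `true` as soon as the wildcard error is raised means any policy checks `super` would have performed after that point are never run for this CSR, and matching the exception with `start_with?` on the message text ties the override to Puppet's exact wording, so a Puppet upgrade that rewords the message will make the tool re-raise with no indication why (fail closed, but confusing). Since this script is the only record of a CA policy exemption being applied, consider logging the CSR name and the wildcard SAN that was accepted.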
diff --git a/modules/puppetmaster/manifests/init.pp 
b/modules/puppetmaster/manifests/init.pp
index 0acfcdb..4f32975 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -184,7 +184,13 @@
     # Small utility to generate ECDSA certs and submit the CSR to the puppet 
master
     file { '/usr/local/bin/puppet-ecdsacert':
         source => 'puppet:///modules/puppetmaster/puppet_ecdsacert.rb',
-        mode   => '0660',
+        mode   => '0550',
+        owner  => 'root',
+        group  => 'root',
+    }
+    file { '/usr/local/bin/puppet-wildcardsign':
+        source => 'puppet:///modules/puppetmaster/puppet_wildcardsign.rb',
+        mode   => '0550',
         owner  => 'root',
         group  => 'root',
     }
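Review bot: the new `puppet-wildcardsign` file resource has no comment explaining its purpose, unlike the `puppet-ecdsacert` resource just above it; add one stating that it wraps `puppet cert` with the wildcard-SAN signing check disabled, so a reader of the manifest knows it is a CA policy bypass and why it is locked to `root:root` with mode `0550`. The change from `0660` to `0550` for puppet-ecdsacert is correct (the old mode was not executable), and `0550` root-only is the right restriction for both tools.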

-- 
To view, visit https://gerrit.wikimedia.org/r/326910
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2b9bdd18a68b77c0c0bd132efb6d469bfbeca958
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits