Giuseppe Lavagetto has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/326910 )
Change subject: puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert ...................................................................... puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert Bug: T153042 Change-Id: I2b9bdd18a68b77c0c0bd132efb6d469bfbeca958 --- M modules/puppetmaster/files/puppet_ecdsacert.rb A modules/puppetmaster/files/puppet_wildcardsign.rb M modules/puppetmaster/manifests/init.pp 3 files changed, 38 insertions(+), 1 deletion(-) Approvals: Giuseppe Lavagetto: Looks good to me, approved jenkins-bot: Verified Volans: Looks good to me, but someone else must approve diff --git a/modules/puppetmaster/files/puppet_ecdsacert.rb b/modules/puppetmaster/files/puppet_ecdsacert.rb old mode 100644 new mode 100755 index 9ee5515..0a33719 --- a/modules/puppetmaster/files/puppet_ecdsacert.rb +++ b/modules/puppetmaster/files/puppet_ecdsacert.rb @@ -1,3 +1,4 @@ +#!/usr/bin/env ruby # Copyright (c) 2016 Giuseppe Lavagetto, Wikimedia Foundation # Loosely based on https://github.com/ripienaar/mcollective-choria/blob/master/lib/mcollective/util/choria.rb require 'net/http' diff --git a/modules/puppetmaster/files/puppet_wildcardsign.rb b/modules/puppetmaster/files/puppet_wildcardsign.rb new file mode 100755 index 0000000..6818bac --- /dev/null +++ b/modules/puppetmaster/files/puppet_wildcardsign.rb 
@@ -0,0 +1,30 @@ +#!/usr/bin/env ruby +# Copyright (c) 2016 Giuseppe Lavagetto, Wikimedia Foundation +# Shameful hack to allow signing certs with wildcard SANs when we want it +# Useful for issuing internal certificates for exposing services. +require 'puppet' +require 'puppet/ssl/certificate_authority' +require 'puppet/util/command_line' +module Puppet + module SSL + # Extend the signing checks + module CertificateAuthorityExtensions + def check_internal_signing_policies(hostname, csr, _allow_dns_alt_names) + super(hostname, csr, true) + rescue Puppet::SSL::CertificateAuthority::CertificateSigningError => e + if e.message.start_with?("CSR '#{csr.name}' subjectAltName contains a wildcard") + true + else + raise + end + end + end + # Extend the base class + class CertificateAuthority + prepend Puppet::SSL::CertificateAuthorityExtensions + end + end +end + +name = ARGV.shift || fail('The name of the certificate to sign must be provided.') +Puppet::Util::CommandLine.new('cert', ['sign', name]).execute diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp index 0acfcdb..4f32975 100644 --- a/modules/puppetmaster/manifests/init.pp +++ b/modules/puppetmaster/manifests/init.pp 
@@ -184,7 +184,13 @@ # Small utility to generate ECDSA certs and submit the CSR to the puppet master file { '/usr/local/bin/puppet-ecdsacert': source => 'puppet:///modules/puppetmaster/puppet_ecdsacert.rb', - mode => '0660', + mode => '0550', + owner => 'root', + group => 'root', + } + file { '/usr/local/bin/puppet-wildcardsign': + source => 'puppet:///modules/puppetmaster/puppet_wildcardsign.rb', + mode => '0550', owner => 'root', group => 'root', } -- To view, visit https://gerrit.wikimedia.org/r/326910 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I2b9bdd18a68b77c0c0bd132efb6d469bfbeca958 Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: Volans <rcocci...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
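Review bot: the new `#!/usr/bin/env ruby` line in puppet_ecdsacert.rb resolves the interpreter through the caller's PATH; since the manifest now installs the file 0550 root:root, i.e. for root only, a fixed interpreter path such as `#!/usr/bin/ruby` would remove that PATH dependency unless the puppetmaster deliberately runs a non-system Ruby. Either way the shebang together with the 100644 to 100755 mode change is what makes the tool executable at all; the previous `mode => '0660'` in init.pp did not.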
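Review bot: `check_internal_signing_policies` in puppet_wildcardsign.rb drops the `_allow_dns_alt_names` argument and calls `super(hostname, csr, true)`, so the tool accepts a CSR carrying any subjectAltNames, not only wildcard ones, and does so without the operator ever passing `--allow-dns-alt-names`, which is broader than the header comment ("allow signing certs with wildcard SANs") promises. Either document that in the header or keep Puppet's own flag in the loop with `Puppet::Util::CommandLine.new('cert', ['sign', '--allow-dns-alt-names', name])` and `super(hostname, csr, allow_dns_alt_names)`. On the `rescue`: it recognises the wildcard refusal only by the exact text `"CSR '#{csr.name}' subjectAltName contains a wildcard"`, so a wording change in a later Puppet release silently turns this back into a plain `puppet cert sign` (fail-closed, but a comment naming the Puppet version the string was copied from would help whoever upgrades); and because `super` aborts at that error, returning `true` from the rescue also skips whatever `super` would have checked after that point, while accepting a wildcard SAN for any domain. If this is meant for internal services only, checking the offending SANs against an allowed suffix list before returning `true` would keep the bypass as narrow as the comment suggests.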
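Review bot: the new `/usr/local/bin/puppet-wildcardsign` resource in init.pp has no comment, while the resource above it explains what `puppet-ecdsacert` is for; add a line stating that it signs a pending CSR while overriding the CA's refusal of wildcard SANs, so a reader of the manifest sees it as a deliberate policy exception rather than a plain `puppet cert sign` wrapper. The `0550` root:root mode on both files is right and corrects the old `0660`, which installed puppet-ecdsacert under /usr/local/bin without the execute bit.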