Alexandros Kosiaris has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/344606 )

Change subject: Update bacula::client to use base::expose_puppet_certs
......................................................................

Update bacula::client to use base::expose_puppet_certs

Expose the puppet certificate, key and keypair via
base::expose_puppet_certs and use them in the configurations.
Update the RSpec tests as well.

Bug: T161281
Change-Id: I8d49f96cbd4aa5542ac4eae6e01ee9a32aace734
---
M modules/bacula/.fixtures.yml
M modules/bacula/manifests/client.pp
M modules/bacula/spec/classes/bacula_client_spec.rb
M modules/bacula/templates/bacula-client.erb
M modules/bacula/templates/bacula-fd.conf.erb
5 files changed, 20 insertions(+), 22 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/06/344606/1

diff --git a/modules/bacula/.fixtures.yml b/modules/bacula/.fixtures.yml
index f66bf01..9eda903 100644
--- a/modules/bacula/.fixtures.yml
+++ b/modules/bacula/.fixtures.yml
@@ -1,3 +1,6 @@
 fixtures:
     symlinks:
         bacula: "#{source_dir}"
+        base: "../../../../base"
+        wmflib: "../../../../wmflib"
+        stdlib: "../../../../stdlib"
diff --git a/modules/bacula/manifests/client.pp 
b/modules/bacula/manifests/client.pp
index 467482a..811da19 100644
--- a/modules/bacula/manifests/client.pp
+++ b/modules/bacula/manifests/client.pp
@@ -44,6 +44,13 @@
         require => Package['bacula-fd'],
     }
 
+    base::expose_puppet_certs { '/etc/bacula':
+        provide_private => true,
+        provide_keypair => true,
+        user            => 'bacula',
+        group           => 'bacula',
+    }
+
     file { '/etc/bacula/bacula-fd.conf':
         ensure  => present,
         owner   => 'root',
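Review bot: The new `base::expose_puppet_certs { '/etc/bacula': ... }` resource sets `user => 'bacula'` and `group => 'bacula'` but declares no ordering against `Package['bacula-fd']`. If that account is created by the package (not visible in this hunk, so this is an assumption to confirm), a first run on a fresh host can try to chown the exposed key material before the user exists. Adding `require => Package['bacula-fd'],` to the resource would make the order explicit. Since `provide_private` and `provide_keypair` copy the host's puppet private key to a second location, it is also worth confirming inside the define that those files are not group- or world-readable.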
@@ -55,17 +62,6 @@
                     Package['bacula-fd'],
                     Exec['concat-bacula-keypair'],
                 ],
-    }
-
-    # To avoid reimplementing a PKI infrastructure we use puppet's already well
-    # managed one. Bacula needs the keypair in one single file though hence 
this
-    # resource
-    exec { 'concat-bacula-keypair':
-        command => "/bin/cat \
- /var/lib/puppet/ssl/private_keys/${::fqdn}.pem \
- /var/lib/puppet/ssl/certs/${::fqdn}.pem > \
- /var/lib/puppet/ssl/private_keys/bacula-keypair-${::fqdn}.pem",
-        creates => 
"/var/lib/puppet/ssl/private_keys/bacula-keypair-${::fqdn}.pem",
     }
 
     # We export oufself to the director
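Review bot: The context line `Exec['concat-bacula-keypair'],` survives in the `require` list of the `/etc/bacula/bacula-fd.conf` file resource while this hunk deletes the exec it refers to, so the catalog now references a resource that no longer exists. Replacing that entry with `Base::Expose_puppet_certs['/etc/bacula'],` would drop the dangling reference and also order the config file after the certificates it points to. The file resource starts above this hunk, so the rest of its `require` list is not visible here. Separately, hosts that already ran the old exec keep `/var/lib/puppet/ssl/private_keys/bacula-keypair-${::fqdn}.pem` on disk; a `file { ...: ensure => absent }` for that path would remove the leftover copy of the private key.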
diff --git a/modules/bacula/spec/classes/bacula_client_spec.rb 
b/modules/bacula/spec/classes/bacula_client_spec.rb
index c289d4c..c1f43ec 100644
--- a/modules/bacula/spec/classes/bacula_client_spec.rb
+++ b/modules/bacula/spec/classes/bacula_client_spec.rb
@@ -14,7 +14,6 @@
 
     it { should contain_package('bacula-fd') }
     it { should contain_service('bacula-fd') }
-    it { should contain_exec('concat-bacula-keypair') }
     it 'should generate valid content for /etc/bacula/bacula-fd.conf' do
         should contain_file('/etc/bacula/bacula-fd.conf').with({
             'ensure'  => 'present',
@@ -24,10 +23,10 @@
         }) \
         .with_content(/Name = "testdirector"/) \
         .with_content(/Password = "testdirectorpass"/) \
-        .with_content(/TLS Certificate = 
"\/var\/lib\/puppet\/ssl\/certs\/testhost.example.com.pem"/) \
-        .with_content(/TLS Key = 
"\/var\/lib\/puppet\/ssl\/private_keys\/testhost.example.com.pem"/) \
+        .with_content(/TLS Certificate = "\/etc\/bacula\/ssl\/server.pem"/) \
+        .with_content(/TLS Key = "\/etc\/bacula\/ssl\/server.key"/) \
         .with_content(/Name = "testhost.example.com-fd"/) \
         .with_content(/FDport = 2000/) \
-        .with_content(/PKI Keypair = 
"\/var\/lib\/puppet\/ssl\/private_keys\/bacula-keypair-testhost.example.com.pem"/)
+        .with_content(/PKI Keypair = "\/etc\/bacula\/ssl\/server-keypair.pem"/)
     end
 end
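Review bot: After this change the spec only checks path strings inside `bacula-fd.conf`; nothing asserts that the catalog contains the resource that actually provides `/etc/bacula/ssl/server.pem`, `server.key` and `server-keypair.pem`. An expectation such as `it { should contain_base__expose_puppet_certs('/etc/bacula').with('provide_private' => true, 'provide_keypair' => true) }` next to the `contain_package`/`contain_service` lines (in the previous hunk) would replace the coverage lost when the `contain_exec('concat-bacula-keypair')` check was removed. The dots in the new regexes (`server.pem`, `server.key`) are unescaped and match any character; `server\.pem` would be stricter.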
diff --git a/modules/bacula/templates/bacula-client.erb 
b/modules/bacula/templates/bacula-client.erb
index 018a3d7..5156019 100644
--- a/modules/bacula/templates/bacula-client.erb
+++ b/modules/bacula/templates/bacula-client.erb
@@ -12,8 +12,8 @@
     TLS Enable = yes
     TLS Require = yes
     TLS CA Certificate File = "/var/lib/puppet/ssl/certs/ca.pem"
-    TLS Certificate = "/var/lib/puppet/ssl/certs/<%= @director -%>.pem"
-    TLS Key = "/var/lib/puppet/ssl/private_keys/bacula-<%= @director -%>.pem"
+    TLS Certificate = "/etc/bacula/ssl/server.key"
+    TLS Key = "/etc/bacula/ssl/server-keypair.pem"
     # Priority = 10
     # Maximum Bandwith Per Job =
     # Autoprune = yes
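Review bot: The two new TLS lines look swapped or mistyped: `TLS Certificate` now points at `/etc/bacula/ssl/server.key` (the private key file) and `TLS Key` at `server-keypair.pem`, whereas `bacula-fd.conf.erb` in the same change uses `server.pem` for the certificate and `server.key` for the key. To match it they should read `TLS Certificate = "/etc/bacula/ssl/server.pem"` and `TLS Key = "/etc/bacula/ssl/server.key"`. The old lines referenced the director's certificate via `@director`, so this stanza is presumably rendered on the director; it is worth confirming that host also declares `base::expose_puppet_certs` for `/etc/bacula`, because nothing in this change shows it. No spec in this change covers this template, which is likely why the mismatch was not caught.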
diff --git a/modules/bacula/templates/bacula-fd.conf.erb 
b/modules/bacula/templates/bacula-fd.conf.erb
index 0f9d655..0287848 100644
--- a/modules/bacula/templates/bacula-fd.conf.erb
+++ b/modules/bacula/templates/bacula-fd.conf.erb
@@ -9,8 +9,8 @@
     TLS Require = yes
     TLS CA Certificate File = "/var/lib/puppet/ssl/certs/ca.pem"
     TLS Verify Peer = yes
-    TLS Certificate = "/var/lib/puppet/ssl/certs/<%= @fqdn %>.pem"
-    TLS Key = "/var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem"
+    TLS Certificate = "/etc/bacula/ssl/server.pem"
+    TLS Key = "/etc/bacula/ssl/server.key"
 }
 
 #
@@ -26,13 +26,13 @@
     # Have all data stored encrypted
     PKI Encryption = Yes
     PKI Signatures = Yes
-    PKI Keypair = "/var/lib/puppet/ssl/private_keys/bacula-keypair-<%= @fqdn 
%>.pem"
+    PKI Keypair = "/etc/bacula/ssl/server-keypair.pem"
     PKI Master Key = "/var/lib/puppet/ssl/certs/ca.pem"
     # Do enable Data channel encryption.
     TLS Enable = yes
     TLS Require = yes
-    TLS Certificate = "/var/lib/puppet/ssl/certs/<%= @fqdn %>.pem"
-    TLS Key = "/var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem"
+    TLS Certificate = "/etc/bacula/ssl/server.pem"
+    TLS Key = "/etc/bacula/ssl/server.key"
     TLS CA Certificate File = "/var/lib/puppet/ssl/certs/ca.pem"
     # Heartbeat inverval = 0 # in secs
     # FDAddresses = # For director connections

-- 
To view, visit https://gerrit.wikimedia.org/r/344606

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8d49f96cbd4aa5542ac4eae6e01ee9a32aace734
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org>
