Ottomata has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391134 )
Change subject: [WIP] Add cergen module ...................................................................... [WIP] Add cergen module has not been tested, just some ideas atm. Bug: T166167 Change-Id: I26c3072f4f4d1b8dd73b9e123263b09b5972b045 --- A modules/cergen/manifests/certificate.pp A modules/cergen/manifests/init.pp A modules/cergen/manifests/manifest.pp A modules/cergen/templates/certificate.yaml.erb 4 files changed, 131 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/34/391134/1
diff --git a/modules/cergen/manifests/certificate.pp b/modules/cergen/manifests/certificate.pp
new file mode 100644
index 0000000..1e11b69
--- /dev/null
+++ b/modules/cergen/manifests/certificate.pp
@@ -0,0 +1,78 @@
+# == Define cergen::certificate
+# == Parameters
+# arguments
+#
+define cergen::certificate (
+ $destination,
+ $manifest,
+ # TODO: use ensure
+ $ensure = 'present',
+ $owner = 'root',
+ $group = 'root',
+ $include_private_key = false,
+) {
+ include ::passwords::certificates
+ $password = $::passwords::certificates::certificates[$title]
+
+ $defaults = {
+ 'authority' => 'puppet_ca',
+ 'subject' => {
+ 'country_name' => 'US',
+ 'state_or_province_name' => 'CA',
+ 'locality_name' => 'San Francisco',
+ 'organization_name' => 'Wikimedia Foundation',
+ },
+ 'expiry' => 'null',
+ 'key' => {
+ 'algorithm' => 'ec',
+ 'password' => $password,
+ }
+ }
+ $certificate_manifest = deep_merge($manifest, $defaults)
+
+ @@cergen::manifest { $title:
+ ensure => $ensure,
+ content => template('cergen/certificate.yaml.erb'),
+ }
+
+ # TODO: automatically run cergen --generate using puppet generate() function?!
+
+ # TODO: Assuming the file is on the puppet master, now render it?
+ # Or, should this be a separate define?
+
+ # base-path: /etc/puppet/private/modules/secret/files/certificates/certs/$name/
+ # base-private-path: /etc/puppet/private/modules/secret/secrets/certficates/private/$name/
+
+ # Default subsequent file resources with these.
+ File {
+ owner => $owner,
+ group => $group,
+ mode => '0400',
+ }
+
+ file { $destination:
+ ensure => 'directory',
+ mode => '0555',
+ # Puppet will fully manage this directory. Any files in
+ # this directory that are not managed by puppet will be deleted.
+ recurse => true,
+ purge => true,
+ }
+
+ file { "${destination}":
+ ensure => 'directory',
+ mode => '0555',
+ # Puppet will fully manage this directory. Any files in
+ # this directory that are not managed by puppet will be deleted.
+ recurse => true,
+ purge => true,
+ source => "puppet:///secret/certificates/certs/${title}"
+ }
+
+ if $include_private_key {
+ file { "${destination}/{title}.key.private.pem":
+ ensure => 'directory',
+ content => secret("certificates/private/${title}/${title}.key.private.pem"),
+ }
+ }
+}
diff --git a/modules/cergen/manifests/init.pp b/modules/cergen/manifests/init.pp
new file mode 100644
index 0000000..8ee3af6
--- /dev/null
+++ b/modules/cergen/manifests/init.pp
@@ -0,0 +1,16 @@
+# == Class cergen
+# Installs cergen and ensure that /etc/cergen/manifests.d exists.
+#
+class cergen
+{
+ require_package('cergen')
+
+ $manifests_path = '/etc/cergen/manifests.d'
+
+ file { ['/etc/cergen', $manifests_path]:
+ ensure => 'directory',
+ }
+
+ # Collect all exported cergen certificate manifests.
+ Cergen_manifest <<||>>
+}
diff --git a/modules/cergen/manifests/manifest.pp b/modules/cergen/manifests/manifest.pp
new file mode 100644
index 0000000..3cf8169
--- /dev/null
+++ b/modules/cergen/manifests/manifest.pp
@@ -0,0 +1,35 @@
+# == Define cergen
+# Installs a cergen certificate manifest file into /etc/cergen/manifests.d
+# This does not handle generation of certificates with cergen CLI.
+# You should manually run cergen CLI and commit the resulting files to puppet and private
+# repositories.
+#
+# Parameters:
+# [*ensure*]
+#
+# [*source*]
+#
+# [*content*]
+#
+define cergen::manifest(
+ $ensure = 'present',
+ $source = undef,
+ $content = undef,
+) {
+ require ::cergen
+
+ if $source == undef and $content == undef and $ensure == 'present' {
+ fail('you must provide either "source" or "content", or ensure must be "absent"')
+ }
+
+ if $source != undef and $content != undef {
+ fail('"source" and "content" are mutually exclusive')
+ }
+
+ file { "${::cergen::manifests_path}/${title}.yaml":
+ ensure => $ensure,
+ mode => '0400'
+ content => $content,
+ source => $source,
+ }
+}
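Review bot: `cergen::certificate` declares the destination directory twice — `file { $destination: ... }` and `file { "${destination}": ... }` are the same title — which Puppet rejects as a duplicate declaration, so only the second block (the one carrying `source`) should remain. The private-key resource has two further defects: its title `"${destination}/{title}.key.private.pem"` is missing the `$` before `title`, and `ensure => 'directory'` cannot take `content`, so it should be `ensure => 'file'`. The argument order in `deep_merge($manifest, $defaults)` looks inverted, since in stdlib the rightmost hash wins and caller-supplied subject or key settings would be overwritten by the defaults; `deep_merge($defaults, $manifest)` is presumably what is intended. Note also that `$password` is rendered into the exported `cergen::manifest` content, so the key password will be stored in PuppetDB and visible to anything that can query exported resources — worth deciding whether that is acceptable before this leaves WIP. The header comment (`# == Parameters`, `# arguments`) is a placeholder and should describe `$destination`, `$manifest` and `$include_private_key`.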
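Review bot: The collector `Cergen_manifest <<||>>` in class `cergen` names a resource type that does not exist; the exported defined type is `cergen::manifest`, so the collector should read `Cergen::Manifest <<| |>>`. Because the collected manifests carry key passwords (see certificate.pp in this change), the `/etc/cergen/manifests.d` directory probably also wants an explicit restrictive `mode` and `owner` rather than the file-type defaults, e.g. `mode => '0700'`. The class comment could state that this class belongs on the single host that runs cergen, since the unfiltered collector pulls in every exported manifest.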
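Review bot: The `file` resource in `cergen::manifest` is missing the comma after `mode => '0400'`, so the manifest will not parse; it should read `mode => '0400',`. The header comment says `# == Define cergen` but documents `cergen::manifest`, and the `[*ensure*]`, `[*source*]`, `[*content*]` entries have no descriptions — for example `[*content*] Rendered YAML for the cergen manifest; mutually exclusive with source.` The `$ensure == 'present'` check lets any other string (including a typo) fall through to the `file` resource, so validating it with `validate_re($ensure, '^(present|absent)$')` would give a clearer error.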
diff --git a/modules/cergen/templates/certificate.yaml.erb b/modules/cergen/templates/certificate.yaml.erb
new file mode 100644
index 0000000..3659efa
--- /dev/null
+++ b/modules/cergen/templates/certificate.yaml.erb
@@ -0,0 +1,2 @@
+<% require 'yaml' -%>
+<%= @certificate_manifest.to_yaml %>
-- To view, visit https://gerrit.wikimedia.org/r/391134 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I26c3072f4f4d1b8dd73b9e123263b09b5972b045 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ottomata <ao...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits