diff --git a/data/common.yaml b/data/common.yaml new file mode 100644 index 00000000..ae0bcc66 --- /dev/null +++ b/data/common.yaml @@ -0,0 +1,36 @@ +--- +certs::node_fqdn: "%{facts.networking.fqdn}" +certs::cname: [] +certs::generate: true +certs::regenerate: false +certs::deploy: true +certs::ca_common_name: "%{facts.networking.fqdn}" +certs::country: 'US' +certs::state: 'North Carolina' +certs::city: 'Raleigh' +certs::org: 'Katello' +certs::org_unit: 'SomeOrgUnit' +certs::expiration: '7300' # 20 years +certs::ca_expiration: '36500' # 100 years +certs::pki_dir: '/etc/pki/katello' +certs::ssl_build_dir: '/root/ssl-build' +certs::user: 'root' +certs::group: 'root' +certs::default_ca_name: 'katello-default-ca' +certs::server_ca_name: 'katello-server-ca' + +certs::apache::hostname: '%{alias("certs::node_fqdn")}' +certs::apache::cname: '%{alias("certs::cname")}' +certs::apache::generate: '%{alias("certs::generate")}' +certs::apache::regenerate: '%{alias("certs::regenerate")}' +certs::apache::deploy: '%{alias("certs::deploy")}' +certs::apache::pki_dir: '%{alias("certs::pki_dir")}' +certs::apache::country: '%{alias("certs::country")}' +certs::apache::state: '%{alias("certs::state")}' +certs::apache::city: '%{alias("certs::city")}' +certs::apache::org: '%{alias("certs::org")}' +certs::apache::org_unit: '%{alias("certs::org_unit")}' +certs::apache::expiration: '%{alias("certs::expiration")}' +certs::apache::default_ca: '%{alias("certs::default_ca")}' +certs::apache::ca_key_password_file: '%{alias("certs::ca_key_password_file")}' +certs::apache::group: '%{alias("certs::group")}' diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 00000000..530ef69e --- /dev/null +++ b/hiera.yaml @@ -0,0 +1,22 @@ +--- +version: 5 + +defaults: + datadir: data + data_hash: 'yaml_data' + +hierarchy: + - name: 'Full Version' + path: '%{facts.os.name}-%{facts.os.release.full}.yaml' + + - name: 'Major Version' + path: '%{facts.os.name}-%{facts.os.release.major}.yaml' + + - name: 'Distribution Name' + path: '%{facts.os.name}.yaml' + + - name: 'Operating System Family' + path: '%{facts.os.family}.yaml' + + - name: 'common' + path: 'common.yaml' diff --git a/manifests/apache.pp b/manifests/apache.pp index ee20b56d..0dd6c587 100644 --- a/manifests/apache.pp +++ b/manifests/apache.pp @@ -44,28 +44,25 @@ # # $group:: The group who should own the certs # -# $default_ca:: The internal CA -# # $ca_key_password_file:: Location of the password file for the CA key class certs::apache ( - Stdlib::Fqdn $hostname = $certs::node_fqdn, - Array[Stdlib::Fqdn] $cname = $certs::cname, - Boolean $generate = $certs::generate, - Boolean $regenerate = $certs::regenerate, - Boolean $deploy = $certs::deploy, - Stdlib::Absolutepath $pki_dir = $certs::pki_dir, - Optional[Stdlib::Absolutepath] $server_cert = $certs::server_cert, - Optional[Stdlib::Absolutepath] $server_key = $certs::server_key, - Optional[Stdlib::Absolutepath] $server_cert_req = $certs::server_cert_req, - String[2,2] $country = $certs::country, - String $state = $certs::state, - String $city = $certs::city, - String $org = $certs::org, - String $org_unit = $certs::org_unit, - String $expiration = $certs::expiration, - Type[Ca] $default_ca = $certs::default_ca, - Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file, - String $group = $certs::group, + Stdlib::Fqdn $hostname, + Array[Stdlib::Fqdn] $cname, + Boolean $generate, + Boolean $regenerate, + Boolean $deploy, + Stdlib::Absolutepath $pki_dir, + String[2,2] $country, + String $state, + String $city, + String $org, + String $org_unit, + String $expiration, + Stdlib::Absolutepath $ca_key_password_file, + String $group, + Optional[Stdlib::Absolutepath] $server_cert = undef, + Optional[Stdlib::Absolutepath] $server_key = undef, + Optional[Stdlib::Absolutepath] $server_cert_req = undef, ) inherits certs { $apache_cert_name = "${hostname}-apache" $apache_cert = "${pki_dir}/certs/katello-apache.crt" @@ -81,9 +78,9 @@ generate => $generate, deploy => false, regenerate => $regenerate, - custom_pubkey => $server_cert, - custom_privkey => $server_key, - custom_req => $server_cert_req, + custom_pubkey => pick($server_cert, $certs::server_cert), + custom_privkey => pick($server_key, $certs::server_key), + custom_req => pick($server_cert_req, $certs::server_cert_req), build_dir => $certs::ssl_build_dir, } } else { @@ -97,7 +94,7 @@ org => $org, org_unit => $org_unit, expiration => $expiration, - ca => $default_ca, + ca => $certs::default_ca, generate => $generate, regenerate => $regenerate, deploy => false, diff --git a/manifests/init.pp b/manifests/init.pp index 372dff1f..d7317063 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -68,31 +68,31 @@ # $server_ca_name:: The name of the server CA (used for https) # class certs ( - Stdlib::Fqdn $node_fqdn = $certs::params::node_fqdn, - Array[Stdlib::Fqdn] $cname = $certs::params::cname, - Boolean $generate = true, - Boolean $regenerate = false, - Boolean $deploy = true, - String $ca_common_name = $certs::params::ca_common_name, - String[2,2] $country = 'US', - String $state = 'North Carolina', - String $city = 'Raleigh', - String $org = 'Katello', - String $org_unit = 'SomeOrgUnit', - String $expiration = '7300', # 20 years - String $ca_expiration = '36500', # 100 years + Stdlib::Fqdn $node_fqdn, + Array[Stdlib::Fqdn] $cname, + Boolean $generate, + Boolean $regenerate, + Boolean $deploy, + String $ca_common_name, + String[2,2] $country, + String $state, + String $city, + String $org, + String $org_unit, + String $expiration, + String $ca_expiration, + Stdlib::Absolutepath $pki_dir, + Stdlib::Absolutepath $ssl_build_dir, + String $user, + String $group, + String $default_ca_name, + String $server_ca_name, Optional[Stdlib::Absolutepath] $server_cert = undef, Optional[Stdlib::Absolutepath] $server_key = undef, Optional[Stdlib::Absolutepath] $server_cert_req = undef, Optional[Stdlib::Absolutepath] $server_ca_cert = undef, - Stdlib::Absolutepath $pki_dir = $certs::params::pki_dir, - Stdlib::Absolutepath $ssl_build_dir = '/root/ssl-build', - String $user = 'root', - String $group = 'root', - String $default_ca_name = 'katello-default-ca', - String $server_ca_name = 'katello-server-ca', Optional[Stdlib::Absolutepath] $tar_file = undef, -) inherits certs::params { +) { if $server_cert { validate_file_exists($server_cert, $server_key, $server_ca_cert) if $server_cert_req { diff --git a/manifests/params.pp b/manifests/params.pp index 62c29d7f..1407527b 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,12 +1,5 @@ # Certs Parameters class certs::params { - $pki_dir = '/etc/pki/katello' - $node_fqdn = $facts['networking']['fqdn'] - - $ca_common_name = $facts['networking']['fqdn'] # we need fqdn as CA common name as candlepin uses it as a ssl cert - - $cname = [] # Kafo cannot handle Array types as static parameters, https://projects.theforeman.org/issues/31565 - $puppet_client_cert = "${pki_dir}/puppet/puppet_client.crt" $puppet_client_key = "${pki_dir}/puppet/puppet_client.key" # for verifying the foreman https @@ -18,8 +11,6 @@ $candlepin_ca_cert = "${candlepin_certs_dir}/candlepin-ca.crt" $candlepin_ca_key = "${candlepin_certs_dir}/candlepin-ca.key" - $pulp_pki_dir = '/etc/pki/pulp' - $qpid_client_cert = "${pulp_pki_dir}/qpid/client.crt" $qpid_client_ca_cert = "${pulp_pki_dir}/qpid/ca.crt"