Puppet Class: cfssl::client

Defined in:
modules/cfssl/manifests/client.pp

Summary

Configure the cfssl client.

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ensure (Wmflib::Ensure) (defaults to: 'present')

    whether the resources managed by this class are present or absent

  • conf_dir

    location of the configuration directory

  • auth_key (Sensitive[String[1]])

    The SHA-256 HMAC authentication key

  • enable_proxy (Boolean) (defaults to: false)

    if true, configure the cfssl API to listen on $listen_addr:$listen_port

  • signer (Stdlib::HTTPUrl)
  • bundles_source (Stdlib::Filesource)
  • log_level (Cfssl::Loglevel) (defaults to: 'info')
  • listen_addr (Stdlib::IP::Address) (defaults to: '127.0.0.1')
  • listen_port (Stdlib::Port) (defaults to: 8888)
  • mutual_tls_client_cert (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • mutual_tls_client_key (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • tls_remote_ca (Optional[Stdlib::Unixpath]) (defaults to: undef)


# File 'modules/cfssl/manifests/client.pp', line 7

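class cfssl::client (
    Stdlib::HTTPUrl            $signer,
    Stdlib::Filesource         $bundles_source,
    Sensitive[String[1]]       $auth_key,
    Wmflib::Ensure             $ensure                 = 'present',
    Cfssl::Loglevel            $log_level              = 'info',
    Boolean                    $enable_proxy           = false,
    Stdlib::IP::Address        $listen_addr            = '127.0.0.1',
    Stdlib::Port               $listen_port            = 8888,
    Optional[Stdlib::Unixpath] $mutual_tls_client_cert = undef,
    Optional[Stdlib::Unixpath] $mutual_tls_client_key  = undef,
    Optional[Stdlib::Unixpath] $tls_remote_ca          = undef,
) {
    # Manages three things for a cfssl client host: the client config file
    # (via cfssl::config), a small /usr/local/sbin/cfssl-client wrapper that
    # always passes that config, and an optional local API proxy unit.
    #
    # The base class provides $cfssl::conf_dir; it is only pulled in when
    # this class manages something.  NOTE(review): when $ensure is 'absent'
    # the $cfssl::conf_dir reference below is evaluated without the base
    # class having been included here; that is only safe if cfssl is
    # included elsewhere in the catalog -- confirm.
    if $ensure == 'present' {
        include cfssl
    }
    # $conf_file, $log_level, $listen_addr, $listen_port, $bundles_source and
    # the *tls* parameters are not referenced directly below; they are
    # presumably read by cfssl/cfssl.service.erb through class scope, so
    # their names must stay stable -- verify against the template.
    $conf_file = "${cfssl::conf_dir}/client-cfssl.conf"
    $default_auth_remote = {'remote' => 'default_remote', 'auth_key' => 'default_auth'}
    # for now we need to unwrap the sensitive value otherwise it is not interpreted
    # Related bug: PUP-8969
    # Unwrapping turns the HMAC key into a plain String, so it travels in the
    # catalog unredacted rather than as a Sensitive value; confirm that
    # cfssl::config writes the resulting file with a restrictive mode.
    $auth_keys = {'default_auth'     => { 'type' => 'standard', 'key' => $auth_key.unwrap}}
    $remotes = {'default_remote' => $signer}
    cfssl::config {'client-cfssl':
        ensure              => $ensure,
        default_auth_remote => $default_auth_remote,
        auth_keys           => $auth_keys,
        remotes             => $remotes,
        path                => $conf_file,
    }
    # Wrapper so callers do not have to know where the client config lives.
    # "$@" is quoted, so caller arguments are forwarded intact (the "$@" is
    # literal to Puppet because '@' cannot start a variable name).  Root-only
    # (0550) since the config it points at carries the auth key.
    # NOTE(review): -config is appended after the caller's arguments; if cfssl
    # stops flag parsing at the first positional argument, a trailing
    # positional would hide the -config flag -- confirm with the cfssl CLI.
    file {'/usr/local/sbin/cfssl-client':
        ensure  => stdlib::ensure($ensure, 'file'),
        owner   => 'root',
        group   => 'root',
        mode    => '0550',
        content => "#!/bin/sh\n/usr/bin/cfssl \"$@\" -config ${conf_file}",
    }
    # The proxy unit must be removed together with the rest of the client
    # (otherwise an absent client could leave a unit pointing at a config
    # file that no longer exists), so its presence depends on both $ensure
    # and $enable_proxy rather than on $enable_proxy alone.
    $proxy_ensure = ($ensure == 'present' and $enable_proxy) ? {
        true    => 'present',
        default => 'absent',
    }
    systemd::service {'cfssl-serve@proxy-client':
        ensure  => $proxy_ensure,
        content => template('cfssl/cfssl.service.erb'),
        restart => true,
    }
}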