Puppet Class: k8s::ssl

Defined in:
modules/k8s/manifests/ssl.pp

Overview

Copy of etcd::ssl. Copies the appropriate certificate files from the Puppet CA infrastructure so that they are usable by the k8s binaries. Note: only copies public components, no private keys.

Parameters:

  • provide_private (Any) (defaults to: false)
  • user (Any) (defaults to: 'root')
  • group (Any) (defaults to: 'root')
  • ssldir (Any) (defaults to: '/var/lib/puppet/ssl')
  • target_basedir (Any) (defaults to: '/var/lib/kubernetes')


# File 'modules/k8s/manifests/ssl.pp', line 5

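# @summary Copies this node's Puppet CA material into a tree for the k8s binaries.
#
# Copy of etcd::ssl. The CA certificate and this node's host certificate are
# always copied. The host's private key is copied only when `provide_private`
# is true, so a node that never needs to present a key does not end up with a
# second on-disk copy of it; with the default the tree holds public components
# only.
#
# @param provide_private Also copy the node's private key to
#   `${target_basedir}/ssl/private_keys/server.key` (owner `user`, mode 0400).
# @param user Owner of every managed directory and file.
# @param group Group of every managed directory and file.
# @param ssldir Puppet agent ssldir the cert and key are sourced from.
# @param target_basedir Directory tree that receives the copies.
# @param cert_name Basename (without `.pem`) of the cert and key under
#   `ssldir`. Defaults to the node's FQDN, which is what the class always used.
#   NOTE(review): when an agent's certname differs from its FQDN the files in
#   `ssldir` are named after the certname, so `$::clientcert` or
#   `$trusted['certname']` may be the more accurate source — confirm against
#   the fleet before changing the default.
class k8s::ssl(
    $provide_private = false,
    $user = 'root',
    $group = 'root',
    $ssldir = '/var/lib/puppet/ssl',
    $target_basedir = '/var/lib/kubernetes',
    $cert_name = $::fqdn
) {
    # The base directory is world-readable (0755) so the binaries can traverse
    # it; the ssl subtree below is read-only for everyone, including the owner.
    file { $target_basedir:
        ensure => directory,
        owner  => $user,
        group  => $group,
        mode   => '0755', # more permissive!
    }

    # 0555: readable/traversable, never writable, so a compromised process
    # running as $user cannot drop or replace material here. The
    # private_keys directory exists even when no key is copied into it.
    file { [
        "${target_basedir}/ssl",
        "${target_basedir}/ssl/certs",
        "${target_basedir}/ssl/private_keys",
    ]:
        ensure  => directory,
        owner   => $user,
        group   => $group,
        mode    => '0555',
        require => File[$target_basedir], # less permissive
    }

    # `ensure => file` (rather than `present`) so a pre-existing symlink or
    # directory at the path is not silently accepted as satisfying the resource.
    # The CA certificate is public and is left world-readable.
    file { "${target_basedir}/ssl/certs/ca.pem":
        ensure  => file,
        owner   => $user,
        group   => $group,
        mode    => '0444',
        source  => "${ssldir}/certs/ca.pem",
        require => File["${target_basedir}/ssl/certs"],
    }

    # This node's host certificate (public component only).
    file { "${target_basedir}/ssl/certs/cert.pem":
        ensure  => file,
        owner   => $user,
        group   => $group,
        mode    => '0400',
        source  => "${ssldir}/certs/${cert_name}.pem",
        require => File["${target_basedir}/ssl/certs/ca.pem"],
    }

    # The private key is the only secret this class handles: it is copied
    # only on request, owned by $user and readable by nobody else (0400).
    if $provide_private {
        file { "${target_basedir}/ssl/private_keys/server.key":
            ensure  => file,
            owner   => $user,
            group   => $group,
            mode    => '0400',
            source  => "${ssldir}/private_keys/${cert_name}.pem",
            require => File["${target_basedir}/ssl/private_keys"],
        }
    }
}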