Puppet Class: pontoon::pki_root

Defined in:
modules/pontoon/manifests/pki_root.pp

Overview

Parameters:

  • intermediates (Array[String[3]])
  • root_ca_name (Cfssl::Ca_name)


# File 'modules/pontoon/manifests/pki_root.pp', line 4

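# @summary Stage the Pontoon root PKI material on the root CA host.
#
# Copies the root CA public certificate and the intermediate CA keypairs
# produced by cfssl into two trees:
#   - $pki_base (root:puppet, mode 0440): the root CA certificate plus,
#     for every intermediate, both its certificate and its private key.
#   - $public_base (under puppet's volatile tree, exposed via puppet:///):
#     public certificates only. No private key is ever written here.
#
# @param intermediates
#   Names of the intermediate CAs whose keypairs are staged for the
#   multiroot CA host. Each name must already be declared as
#   Cfssl::Cert[<name>]; the names are interpolated into filesystem paths,
#   so they should be plain identifiers.
# @param root_ca_name
#   Name of the root CA under ${cfssl::signer_dir} whose ca.pem is published.
class pontoon::pki_root (
    Array[String[3]] $intermediates,
    Cfssl::Ca_name $root_ca_name,
) {
    include cfssl  # lint:ignore:wmf_styleguide

    # Private staging area: readable by root and the puppet group only.
    $pki_base = '/etc/pontoon/pki'
    # Public certificates only; this tree is served through puppet:///.
    $public_base = '/var/lib/puppet/volatile/pontoon/pki'

    # Puppet sets the search bit on directories wherever the read bit is
    # set, so '0440' yields a traversable root:puppet 0550 directory.
    file { $pki_base:
        ensure => directory,
        owner  => 'root',
        group  => 'puppet',
        mode   => '0440',
    }

    wmflib::dir::mkdir_p($public_base)

    # The CA public cert for clients to trust (via profile::pontoon::base).
    # NOTE(review): nothing in this class orders these copies after the
    # resource that creates the root CA under ${cfssl::signer_dir}; confirm
    # it is managed before this class is applied.
    ["${pki_base}/ca.pem", "${public_base}/ca.pem"].each |$dest| {
        file { $dest:
            ensure => present,
            owner  => 'root',
            group  => 'puppet',
            mode   => '0440',
            source => "${cfssl::signer_dir}/${root_ca_name}/ca/ca.pem",
        }
    }

    # The intermediates keypairs to serve to the multiroot CA host.
    $intermediates.each |$int| {
        ["${int}.pem", "${int}-key.pem"].each |$file| {
            $source = "${cfssl::ssl_dir}/${int}/${file}"
            $dest = "${pki_base}/${file}"
            # show_diff => false keeps key material (the -key.pem copy) out
            # of agent output and reports whenever the file changes.
            file { $dest:
                ensure    => present,
                source    => $source,
                show_diff => false,
                mode      => '0440',
                owner     => 'root',
                group     => 'puppet',
                subscribe => Cfssl::Cert[$int],
            }
        }

        # Make the public cert available via puppet:///, with the same
        # explicit ensure/ownership/mode as ca.pem in the same directory
        # rather than leaving them to the agent's defaults.
        file { "${public_base}/${int}.pem":
            ensure    => present,
            source    => "${cfssl::ssl_dir}/${int}/${int}.pem",
            owner     => 'root',
            group     => 'puppet',
            mode      => '0440',
            subscribe => Cfssl::Cert[$int],
        }
    }
}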