Puppet Class: pontoon::service_certs

Defined in:
modules/pontoon/manifests/service_certs.pp

Overview

Parameters:

  • ca_server (Stdlib::Fqdn)
  • services_config (Hash[String, Wmflib::Service])


# File 'modules/pontoon/manifests/service_certs.pp', line 19

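# Generate, via cergen, an EC keypair and certificate for every Pontoon
# service, issued by the Pontoon-local Puppet CA, and expose each keypair
# under every name the service is reachable as.
#
# Flow: a cergen manifest is written into the private secrets checkout, cergen
# is run against it, the result (private keys included) is committed to that
# git repository, and ssl/<alt_name>.{key,crt} symlinks are declared for each
# of a service's names so consumers can look up material by hostname alone.
#
# NOTE(review): certificates are issued with expiry '6/6/6666', i.e. they
# effectively never expire, and private keys are committed to the secrets
# repository. Presumably acceptable for a disposable Pontoon test stack --
# not a pattern to reuse for production service certificates, and the
# repository at $secrets_base must stay private.
#
# @param ca_server       FQDN of the host running the Pontoon Puppet CA that
#                        signs the service certificates.
# @param services_config Service definitions keyed by service name. Only the
#                        keys are used directly here; the full hash is handed
#                        to pontoon::service_names().
class pontoon::service_certs (
    Stdlib::Fqdn $ca_server,
    Hash[String, Wmflib::Service] $services_config,
) {
    # Service name -> list of names the service answers to (used as alt_names
    # and for the symlinks). Assumes pontoon::service_names() returns an entry
    # for every key of $services_config -- TODO confirm; a missing key would
    # fail the .each below.
    $service_names = pontoon::service_names($services_config)

    # Local Puppet CA, referenced as the issuing authority of every service cert
    $ca_manifest = {
        'pontoon_puppet_ca' => {
            'class_name' => 'puppet',
            'hostname'   => $ca_server
        },
    }

    # One cergen entry per requested service; the Wmflib::Service value itself
    # is not consulted, only the service name.
    $services_manifest = $services_config.keys.reduce({}) |$memo, $service| {
        $memo + {
            $service => {
                'authority' => 'pontoon_puppet_ca',
                # Far-future date: effectively a non-expiring certificate
                'expiry'    => '6/6/6666',
                'key'       => {'algorithm' => 'ec'},
                'alt_names' => $service_names[$service],
            }
        }
    }

    # $secrets_base is treated as a git checkout (see the commit exec below)
    $secrets_base = '/etc/puppet/private/modules/secret/secrets'
    $cergen_manifest = "${secrets_base}/certificates/certificates.manifests.d/pontoon.yaml"

    # Any change to the manifest regenerates the certificates and commits the result
    file { $cergen_manifest:
        content => to_yaml($services_manifest + $ca_manifest),
        notify  => [Exec['cergen pontoon'], Exec['git-commit secrets pontoon']],
    }

    exec { 'cergen pontoon':
        command     => "/usr/bin/cergen --base-path ${secrets_base}/certificates/ --generate ${cergen_manifest}",
        refreshonly => true,
        # The generated material must exist before the commit picks it up;
        # make that ordering explicit instead of relying on declaration order.
        before      => Exec['git-commit secrets pontoon'],
    }

    # Commits everything under $secrets_base, private keys included
    exec { 'git-commit secrets pontoon':
        command     => 'git add . && git commit -m "Automatic commit from pontoon::service_certs"',
        refreshonly => true,
        provider    => shell,
        cwd         => $secrets_base,
    }

    # Make the SSL keypair available under each service name via symlinks
    $services_manifest.keys.each |$service| {
        $service_names[$service].each |$alt_name| {
            # A name may be listed for more than one service: the first service
            # to declare the link for it wins, later ones are skipped.
            if defined(File["${secrets_base}/ssl/${alt_name}.key"]) {
                next()
            }

            # force: replace a pre-existing non-link at that path
            file { "${secrets_base}/ssl/${alt_name}.key":
                ensure => 'link',
                target => "../certificates/${service}/${service}.key.private.pem",
                force  => yes,
                notify => Exec['git-commit secrets pontoon'],
            }

            file { "${secrets_base}/ssl/${alt_name}.crt":
                ensure => 'link',
                target => "../certificates/${service}/${service}.crt.pem",
                force  => yes,
                notify => Exec['git-commit secrets pontoon'],
            }
        }
    }
}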