# File 'modules/pontoon/manifests/service_certs.pp', line 19
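# @summary Generate TLS certificates for Pontoon services with cergen.
#
# Writes a cergen manifest with one certificate per requested service, all
# signed by the local Puppet CA, runs cergen when that manifest changes,
# exposes each resulting keypair under ssl/<alt_name>.{key,crt} via symlinks
# and commits the outcome to the secrets repository.
#
# @param ca_server
#   FQDN of the host running the local Puppet CA that signs the service certs.
# @param services_config
#   Map of service name => Wmflib::Service. Only the keys are used directly
#   here; the values are consumed by pontoon::service_names() to derive the
#   alt_names of each service.
class pontoon::service_certs (
  Stdlib::Fqdn                  $ca_server,
  Hash[String, Wmflib::Service] $services_config,
) {
  $service_names = pontoon::service_names($services_config)

  # Local Puppet CA, used as the signing authority for every service cert.
  $ca_manifest = {
    'pontoon_puppet_ca' => {
      'class_name' => 'puppet',
      'hostname'   => $ca_server,
    },
  }

  # One cergen entry per requested service. Iterating over the keys avoids the
  # unused per-service config value the reduce previously bound.
  # NOTE: the expiry is effectively "never"; nothing in this class renews the
  # certs later (cergen only runs when the manifest content changes).
  $services_manifest = $services_config.keys.reduce({}) |$memo, $service| {
    $memo + {
      $service => {
        'authority' => 'pontoon_puppet_ca',
        'expiry'    => '6/6/6666',
        'key'       => { 'algorithm' => 'ec' },
        'alt_names' => $service_names[$service],
      },
    }
  }

  $secrets_base    = '/etc/puppet/private/modules/secret/secrets'
  $cergen_manifest = "${secrets_base}/certificates/certificates.manifests.d/pontoon.yaml"

  # A changed manifest triggers (re)generation and a commit of the result.
  file { $cergen_manifest:
    content => to_yaml($services_manifest + $ca_manifest),
    notify  => [Exec['cergen pontoon'], Exec['git-commit secrets pontoon']],
  }

  exec { 'cergen pontoon':
    command     => "/usr/bin/cergen --base-path ${secrets_base}/certificates/ --generate ${cergen_manifest}",
    refreshonly => true,
  }

  # The commit must run after cergen has written the new certificate files;
  # without an explicit relationship the order would depend on Puppet's
  # resource ordering setting, and an early commit would capture only the
  # manifest and leave the generated material uncommitted until the next run.
  exec { 'git-commit secrets pontoon':
    command     => 'git add . && git commit -m "Automatic commit from pontoon::service_certs"',
    refreshonly => true,
    provider    => shell,
    cwd         => $secrets_base,
    require     => Exec['cergen pontoon'],
  }

  # Make the keypair of each service reachable under every one of its
  # alt_names via symlinks into the per-service certificate directory.
  $services_manifest.keys.each |$service| {
    $service_names[$service].each |$alt_name| {
      # An alt_name shared by several services is linked only once, for the
      # service whose links are evaluated first. Checking the .key link is
      # enough since both links are always declared together below.
      if defined(File["${secrets_base}/ssl/${alt_name}.key"]) {
        next()
      }

      file { "${secrets_base}/ssl/${alt_name}.key":
        ensure => 'link',
        target => "../certificates/${service}/${service}.key.private.pem",
        force  => yes,
        notify => Exec['git-commit secrets pontoon'],
      }
      file { "${secrets_base}/ssl/${alt_name}.crt":
        ensure => 'link',
        target => "../certificates/${service}/${service}.crt.pem",
        force  => yes,
        notify => Exec['git-commit secrets pontoon'],
      }
    }
  }
}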