Puppet Class: profile::pki::client
- Defined in:
- modules/profile/manifests/pki/client.pp
Summary
configure WMF pki client
Overview
SPDX-License-Identifier: Apache-2.0
# File 'modules/profile/manifests/pki/client.pp', line 18
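class profile::pki::client (
    Wmflib::Ensure               $ensure                 = lookup('profile::pki::client::ensure'),
    Stdlib::Host                 $signer_host            = lookup('profile::pki::client::signer_host'),
    Stdlib::Port                 $signer_port            = lookup('profile::pki::client::signer_port'),
    Sensitive[String[1]]         $auth_key               = lookup('profile::pki::client::auth_key'),
    Boolean                      $enable_proxy           = lookup('profile::pki::client::enable_proxy'),
    Stdlib::IP::Address          $listen_addr            = lookup('profile::pki::client::listen_addr'),
    Stdlib::Port                 $listen_port            = lookup('profile::pki::client::listen_port'),
    Stdlib::Filesource           $bundles_source         = lookup('profile::pki::client::bundles_source'),
    Cfssl::Ca_name               $root_ca_cn             = lookup('profile::pki::client::root_ca_cn'),
    Optional[Stdlib::Filesource] $root_ca_source         = lookup('profile::pki::client::root_ca_source'),
    Optional[Stdlib::Unixpath]   $mutual_tls_client_cert = lookup('profile::pki::client::mutual_tls_client_cert'),
    Optional[Stdlib::Unixpath]   $mutual_tls_client_key  = lookup('profile::pki::client::mutual_tls_client_key'),
    Optional[Stdlib::Unixpath]   $tls_remote_ca          = lookup('profile::pki::client::tls_remote_ca'),
    Optional[Stdlib::Filesource] $tls_remote_ca_source   = lookup('profile::pki::client::tls_remote_ca_source'),
    Hash                         $certs                  = lookup('profile::pki::client::certs'),
) {
    # The signer is always addressed over HTTPS; only host and port are configurable.
    $signer = "https://${signer_host}:${signer_port}"

    # Optionally install the PKI root CA into the system trust directory.
    # NOTE(review): unlike the resources below this file is not tied to $ensure,
    # so it is left in place on `ensure => absent`; confirm that is intended.
    if $root_ca_source {
        file { "/etc/ssl/certs/${root_ca_cn}.pem":
            ensure => file,
            owner  => 'root',
            group  => 'root',
            mode   => '0444',
            source => $root_ca_source,
        }
    }

    # Optionally manage the CA bundle the client uses to verify the signer's TLS
    # certificate. $tls_remote_ca is the title of the file resource below, so an
    # unset value is rejected here with a clear message instead of an opaque
    # "missing title" compilation error.
    if $tls_remote_ca_source {
        if $tls_remote_ca =~ Undef {
            fail("\$tls_remote_ca must be set when \$tls_remote_ca_source is set")
        }
        # Never overwrite the puppet agent's own CA bundle with a remote CA.
        # Double quotes with an escaped `$` print a literal dollar sign (a
        # single-quoted `\$` would print the backslash as well).
        if $tls_remote_ca == $facts['puppet_config']['localcacert'] {
            fail("When setting \$tls_remote_ca_source you must change \$tls_remote_ca")
        }
        file { $tls_remote_ca:
            ensure => stdlib::ensure($ensure, file),
            owner  => 'root',
            group  => 'root',
            mode   => '0440',
            source => $tls_remote_ca_source,
        }
    }

    if $mutual_tls_client_cert == $facts['puppet_config']['hostcert'] {
        # When the puppet agent certificate is used for mutual TLS, assemble a
        # client cert file from the puppet host certificate plus the local CA
        # bundle. This supports puppet infrastructures that sign with an
        # intermediate CA, which the signer would otherwise not be able to chain.
        $_mutual_tls_client_cert = '/etc/cfssl/mutual_tls_client_cert.pem'
        # Tied to $ensure so the assembled cert does not outlive cfssl::client.
        concat { $_mutual_tls_client_cert:
            ensure => $ensure,
        }
        concat::fragment { 'mtls_client_cert_leaf':
            target => $_mutual_tls_client_cert,
            order  => '01',
            source => $facts['puppet_config']['hostcert'],
        }
        # The full chain including the root CA is appended, although only the
        # intermediate is strictly needed: extracting just the intermediate is
        # much harder than adding the whole chain. The cost of also sending the
        # root is a little extra bandwidth per TLS handshake.
        # T340557#8985560
        concat::fragment { 'mtls_client_cert_chain':
            target => $_mutual_tls_client_cert,
            order  => '02',
            source => $facts['puppet_config']['localcacert'],
        }
    } else {
        $_mutual_tls_client_cert = $mutual_tls_client_cert
    }

    # $auth_key stays wrapped in Sensitive so it is redacted from reports and logs.
    class { 'cfssl::client':
        ensure                 => $ensure,
        signer                 => $signer,
        bundles_source         => $bundles_source,
        auth_key               => $auth_key,
        enable_proxy           => $enable_proxy,
        listen_addr            => $listen_addr,
        listen_port            => $listen_port,
        mutual_tls_client_cert => $_mutual_tls_client_cert,
        mutual_tls_client_key  => $mutual_tls_client_key,
        tls_remote_ca          => $tls_remote_ca,
    }

    # One cfssl::cert per entry in $certs; the entry's hash supplies the
    # remaining parameters (it must not itself contain `ensure`).
    $certs.each |$title, $cert| {
        cfssl::cert { $title:
            ensure => $ensure,
            *      => $cert,
        }
    }
}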