Puppet Class: profile::pki::client

Defined in:
modules/profile/manifests/pki/client.pp

Overview

Parameters:

  • ensure (Wmflib::Ensure) (defaults to: lookup('profile::pki::client::ensure'))

    whether to ensure the resource

  • signer_host (Stdlib::Host) (defaults to: lookup('profile::pki::client::signer_host'))

    The signer host

  • signer_port (Stdlib::Port) (defaults to: lookup('profile::pki::client::signer_port'))

    The signer port

  • use_stunnel

    use stunnel encryption

  • auth_key (Sensitive[String[1]]) (defaults to: lookup('profile::pki::client::auth_key'))

    the cfssl SHA-256 HMAC key

  • enable_proxy (Boolean) (defaults to: lookup('profile::pki::client::enable_proxy'))
  • listen_addr (Stdlib::IP::Address) (defaults to: lookup('profile::pki::client::listen_addr'))
  • listen_port (Stdlib::Port) (defaults to: lookup('profile::pki::client::listen_port'))
  • root_ca (String) (defaults to: lookup('profile::pki::client::root_ca_cn'))
  • mutual_tls_client_cert (Optional[Stdlib::Unixpath]) (defaults to: lookup('profile::pki::client::mutual_tls_client_cert'))
  • mutual_tls_client_key (Optional[Stdlib::Unixpath]) (defaults to: lookup('profile::pki::client::mutual_tls_client_key'))
  • tls_remote_ca (Optional[Stdlib::Unixpath]) (defaults to: lookup('profile::pki::client::tls_remote_ca'))
  • tls_remote_ca_source (Optional[Stdlib::Filesource]) (defaults to: lookup('profile::pki::client::tls_remote_ca_source'))
  • root_ca_source (Optional[Stdlib::Filesource]) (defaults to: lookup('profile::pki::client::root_ca_source'))
  • certs (Hash) (defaults to: lookup('profile::pki::client::certs'))


# File 'modules/profile/manifests/pki/client.pp', line 7

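# @summary Configure a cfssl client for this host: point it at the PKI signer
#   over HTTPS, optionally install the root CA and the CA bundle used to verify
#   the signer, and declare any requested cfssl::cert resources.
#
# @param ensure whether to ensure the resource
# @param signer_host The signer host
# @param signer_port The signer port
# @param auth_key the cfssl sha256 hmac key (passed through to cfssl::client)
# @param enable_proxy passed through to cfssl::client
# @param listen_addr passed through to cfssl::client
# @param listen_port passed through to cfssl::client
# @param root_ca CN of the root CA; used as the basename of the file installed
#   under /etc/ssl/certs when root_ca_source is set
# @param mutual_tls_client_cert passed through to cfssl::client
# @param mutual_tls_client_key passed through to cfssl::client
# @param tls_remote_ca path of the CA bundle cfssl uses to verify the signer.
#   Must be set, and must differ from puppet's localcacert, when
#   tls_remote_ca_source is set (this class then manages the file)
# @param tls_remote_ca_source file source installed at tls_remote_ca
# @param root_ca_source file source installed as /etc/ssl/certs/<root_ca>.pem
# @param certs hash of cfssl::cert resources to declare, keyed by title; each
#   value is splatted into the resource as its attributes
class profile::pki::client (
    Wmflib::Ensure               $ensure                 = lookup('profile::pki::client::ensure'),
    Stdlib::Host                 $signer_host            = lookup('profile::pki::client::signer_host'),
    Stdlib::Port                 $signer_port            = lookup('profile::pki::client::signer_port'),
    Sensitive[String[1]]         $auth_key               = lookup('profile::pki::client::auth_key'),
    Boolean                      $enable_proxy           = lookup('profile::pki::client::enable_proxy'),
    Stdlib::IP::Address          $listen_addr            = lookup('profile::pki::client::listen_addr'),
    Stdlib::Port                 $listen_port            = lookup('profile::pki::client::listen_port'),
    String                       $root_ca                = lookup('profile::pki::client::root_ca_cn'),
    Optional[Stdlib::Unixpath]   $mutual_tls_client_cert = lookup('profile::pki::client::mutual_tls_client_cert'),
    Optional[Stdlib::Unixpath]   $mutual_tls_client_key  = lookup('profile::pki::client::mutual_tls_client_key'),
    Optional[Stdlib::Unixpath]   $tls_remote_ca          = lookup('profile::pki::client::tls_remote_ca'),
    Optional[Stdlib::Filesource] $tls_remote_ca_source   = lookup('profile::pki::client::tls_remote_ca_source'),
    Optional[Stdlib::Filesource] $root_ca_source         = lookup('profile::pki::client::root_ca_source'),
    Hash                         $certs                  = lookup('profile::pki::client::certs'),
) {
    # The signer is only ever addressed over TLS; which CA verifies it is
    # decided by $tls_remote_ca (handed to cfssl::client below).
    $signer = "https://${signer_host}:${signer_port}"
    $bundles_source = 'puppet:///modules/profile/pki/intermediates'

    if $root_ca_source {
        file { "/etc/ssl/certs/${root_ca}.pem":
            # Follow $ensure like the $tls_remote_ca file below, so an absent
            # profile does not leave a stale root CA in the system trust dir.
            ensure => stdlib::ensure($ensure, file),
            owner  => 'root',
            group  => 'root',
            mode   => '0444',
            source => $root_ca_source,
        }
    }

    if $tls_remote_ca_source {
        # file{} needs a title: an undef $tls_remote_ca would otherwise fail
        # with a generic "missing title" error far from the real cause.
        unless $tls_remote_ca {
            fail('When setting $tls_remote_ca_source you must also set $tls_remote_ca')
        }
        # Refuse to overwrite the agent's own CA file with an arbitrary source.
        # (Single-quoted strings do not interpolate, so a bare $ is literal here.)
        if $tls_remote_ca == $facts['puppet_config']['localcacert'] {
            fail('When setting $tls_remote_ca_source you must change $tls_remote_ca')
        }
        file { $tls_remote_ca:
            ensure => stdlib::ensure($ensure, file),
            owner  => 'root',
            group  => 'root',
            mode   => '0440',
            source => $tls_remote_ca_source,
        }
    }

    class { 'cfssl::client':
        ensure                 => $ensure,
        signer                 => $signer,
        bundles_source         => $bundles_source,
        auth_key               => $auth_key,
        enable_proxy           => $enable_proxy,
        listen_addr            => $listen_addr,
        listen_port            => $listen_port,
        mutual_tls_client_cert => $mutual_tls_client_cert,
        mutual_tls_client_key  => $mutual_tls_client_key,
        tls_remote_ca          => $tls_remote_ca,
    }

    # Every entry in $certs becomes one cfssl::cert; the hash value supplies
    # the remaining attributes via the splat operator.
    $certs.each |$title, $cert| {
        cfssl::cert { $title:
            ensure => $ensure,
            *      => $cert,
        }
    }
}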