# File 'modules/profile/manifests/pki/client.pp', line 17
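# @summary Configure a host as a client of the cfssl-based PKI.
#
# Optionally installs the PKI root CA certificate and the CA used to verify
# the signer's TLS endpoint, then declares cfssl::client and one cfssl::cert
# per entry of $certs.
#
# @param ensure ensurable state handed to cfssl::client, cfssl::cert and the
#   $tls_remote_ca file
# @param signer_host host part of the signer URL passed to cfssl::client
# @param signer_port port part of the signer URL passed to cfssl::client
# @param auth_key passed through to cfssl::client as auth_key
# @param enable_proxy passed through to cfssl::client as enable_proxy
# @param listen_addr passed through to cfssl::client as listen_addr
# @param listen_port passed through to cfssl::client as listen_port
# @param bundles_source passed through to cfssl::client as bundles_source
# @param root_ca_cn CN of the root CA; names the file installed under
#   /etc/ssl/certs when $root_ca_source is set
# @param root_ca_source if set, source of the root CA certificate to install
# @param mutual_tls_client_cert passed through to cfssl::client
# @param mutual_tls_client_key passed through to cfssl::client
# @param tls_remote_ca path of the CA certificate used by cfssl::client to
#   verify the signer; also the install path when $tls_remote_ca_source is set
# @param tls_remote_ca_source if set, source of the certificate installed at
#   $tls_remote_ca (then $tls_remote_ca must be set and must not be the
#   Puppet CA certificate)
# @param certs hash of cfssl::cert resources to declare, keyed by title
class profile::pki::client (
  Wmflib::Ensure                $ensure                 = lookup('profile::pki::client::ensure'),
  Stdlib::Host                  $signer_host            = lookup('profile::pki::client::signer_host'),
  Stdlib::Port                  $signer_port            = lookup('profile::pki::client::signer_port'),
  Sensitive[String[1]]          $auth_key               = lookup('profile::pki::client::auth_key'),
  Boolean                       $enable_proxy           = lookup('profile::pki::client::enable_proxy'),
  Stdlib::IP::Address           $listen_addr            = lookup('profile::pki::client::listen_addr'),
  Stdlib::Port                  $listen_port            = lookup('profile::pki::client::listen_port'),
  Stdlib::Filesource            $bundles_source         = lookup('profile::pki::client::bundles_source'),
  String                        $root_ca_cn             = lookup('profile::pki::client::root_ca_cn'),
  Optional[Stdlib::Filesource]  $root_ca_source         = lookup('profile::pki::client::root_ca_source'),
  Optional[Stdlib::Unixpath]    $mutual_tls_client_cert = lookup('profile::pki::client::mutual_tls_client_cert'),
  Optional[Stdlib::Unixpath]    $mutual_tls_client_key  = lookup('profile::pki::client::mutual_tls_client_key'),
  Optional[Stdlib::Unixpath]    $tls_remote_ca          = lookup('profile::pki::client::tls_remote_ca'),
  Optional[Stdlib::Filesource]  $tls_remote_ca_source   = lookup('profile::pki::client::tls_remote_ca_source'),
  Hash                          $certs                  = lookup('profile::pki::client::certs'),
) {
  $signer = "https://${signer_host}:${signer_port}"

  # The root CA certificate is a public trust anchor, so it is world-readable
  # like the rest of /etc/ssl/certs.
  if $root_ca_source {
    file { "/etc/ssl/certs/${root_ca_cn}.pem":
      # NOTE(review): hard-coded, so $ensure => absent leaves the trust anchor
      # in place (unlike the $tls_remote_ca file below) — confirm whether that
      # is intended before changing it, as other services may rely on it.
      ensure => file,
      owner  => 'root',
      group  => 'root',
      mode   => '0444',
      source => $root_ca_source,
    }
  }

  if $tls_remote_ca_source {
    # A source needs a path to be installed at; without one the file resource
    # below would fail with a far less descriptive "empty title" error.
    if !$tls_remote_ca {
      fail('When setting $tls_remote_ca_source you must also set $tls_remote_ca')
    }
    # Never overwrite the Puppet agent's own CA certificate: doing so would
    # break the agent's trust in the Puppet server.
    if $tls_remote_ca == $facts['puppet_config']['localcacert'] {
      fail('When setting $tls_remote_ca_source you must change $tls_remote_ca')
    }
    file { $tls_remote_ca:
      ensure => stdlib::ensure($ensure, file),
      owner  => 'root',
      group  => 'root',
      # Readable by root only; presumably the cfssl client runs as root —
      # confirm against cfssl::client before relaxing or tightening this.
      mode   => '0440',
      source => $tls_remote_ca_source,
    }
  }

  class { 'cfssl::client':
    ensure                 => $ensure,
    signer                 => $signer,
    bundles_source         => $bundles_source,
    auth_key               => $auth_key,
    enable_proxy           => $enable_proxy,
    listen_addr            => $listen_addr,
    listen_port            => $listen_port,
    mutual_tls_client_cert => $mutual_tls_client_cert,
    mutual_tls_client_key  => $mutual_tls_client_key,
    tls_remote_ca          => $tls_remote_ca,
  }

  # Each value of $certs is splatted into its cfssl::cert resource; $ensure is
  # set first so an explicit ensure in the hash still takes precedence.
  $certs.each |$title, $cert| {
    cfssl::cert { $title:
      ensure => $ensure,
      *      => $cert,
    }
  }
}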