Puppet Class: sslcert::trusted_ca

Defined in:
modules/sslcert/manifests/trusted_ca.pp

Overview

Parameters:

  • trusted_certs (Optional[Sslcert::Trusted_certs]) (defaults to: undef)

    a list of certificate files to add to the tristed cert store

  • p12_truststore_path

    location on the fs where to create the .p12 truststore

  • jks_truststore_path

    location on the fs where to create the .jks truststore

  • owner (String) (defaults to: 'root')

    user set as owner of the files to be created

  • group (String) (defaults to: 'root')

    group set as group-owner of the files to be created

  • ensure (Wmflib::Ensure) (defaults to: 'present')
  • truststore_password (String) (defaults to: 'changeit')
  • include_bundle_jks (Boolean) (defaults to: false) 


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 
# File 'modules/sslcert/manifests/trusted_ca.pp', line 8

class sslcert::trusted_ca (
    Wmflib::Ensure                   $ensure              = 'present',
    String                           $truststore_password = 'changeit',
    String                           $owner               = 'root',
    String                           $group               = 'root',
    Boolean                          $include_bundle_jks  = false,
    Optional[Sslcert::Trusted_certs] $trusted_certs       = undef,
) {

    contain sslcert

    if $trusted_certs {
        $trusted_ca_path = $trusted_certs['bundle']
        $jks_truststore_path = $include_bundle_jks ? {
            true    => "${sslcert::localcerts}/wmf-java-cacerts",
            default => undef,
        }
        if 'package' in $trusted_certs {
            ensure_packages($trusted_certs['package'])
            $res_subscribe = Package[$trusted_certs['package']]
        } else {
            $trusted_certs['certs'].each |$cert| {
                # The following file resources is only used so we no when the source
                # file changes and thus know when to notify the exec and rebuild the bundle
                file { "${sslcert::localcerts}/${cert.basename}":
                    ensure => file,
                    owner  => $owner,
                    group  => $group,
                    mode   => '0444',
                    source => $cert,
                    notify => Exec['generate trusted_ca'],
                }
            }
            exec { 'generate trusted_ca':
                command     => "/bin/cat ${trusted_certs['certs'].join(' ')} > ${trusted_ca_path}",
                refreshonly => true,
                user        => $owner,
                group       => $group,
            }
            $res_subscribe = Exec['generate trusted_ca']

            # Ensure readability for user/group/others of the cert bundle.
            file { $trusted_ca_path:
                ensure => file,
                owner  => $owner,
                group  => $group,
                mode   => '0644',
            }
        }
        $trusted_certs['certs'].each |$cert| {
            if $include_bundle_jks {
                $cert_basename = '.pem' in $cert.basename ? {
                    true  => $cert.basename('.pem'),
                    false => $cert.basename('.crt'),
                }
                java::cacert { $cert_basename:
                    ensure        => $ensure,
                    owner         => $owner,
                    path          => $cert,
                    storepass     => $truststore_password,
                    keystore_path => $jks_truststore_path,
                    subscribe     => $res_subscribe,
                }
                Class['java'] -> Java::Cacert[$cert_basename]
            }
        }
    } else {
        $trusted_ca_path = $facts['puppet_config']['localcacert']
        $jks_truststore_path = $include_bundle_jks ? {
            true    => '/etc/ssl/certs/java/cacerts',
            default => undef,
        }
    }
}