Puppet Class: sslcert::trusted_ca

Defined in:
modules/sslcert/manifests/trusted_ca.pp

Summary

Deploy a .pem file containing the WMF's internal Root CA crts. Create a .p12 truststore if needed.

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • trusted_certs (Optional[Sslcert::Trusted_certs]) (defaults to: undef)

    a list of certificate files to add to the tristed cert store

  • p12_truststore_path

    location on the fs where to create the .p12 truststore

  • jks_truststore_path

    location on the fs where to create the .jks truststore

  • owner (String) (defaults to: 'root')

    user set as owner of the files to be created

  • group (String) (defaults to: 'root')

    group set as group-owner of the files to be created

  • ensure (Wmflib::Ensure) (defaults to: 'present')
  • truststore_password (String) (defaults to: 'changeit')
  • include_bundle_jks (Boolean) (defaults to: false) 


9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
 
# File 'modules/sslcert/manifests/trusted_ca.pp', line 9

class sslcert::trusted_ca (
    Wmflib::Ensure                   $ensure              = 'present',
    String                           $truststore_password = 'changeit',
    String                           $owner               = 'root',
    String                           $group               = 'root',
    Boolean                          $include_bundle_jks  = false,
    Optional[Sslcert::Trusted_certs] $trusted_certs       = undef,
) {

    contain sslcert

    if $trusted_certs {
        $trusted_ca_path = $trusted_certs['bundle']
        $jks_truststore_path = $include_bundle_jks ? {
            true    => "${sslcert::localcerts}/wmf-java-cacerts",
            default => undef,
        }
        if 'package' in $trusted_certs {
            ensure_packages($trusted_certs['package'])
            $res_subscribe = Package[$trusted_certs['package']]
        } else {
            concat { $trusted_ca_path:
                ensure => present,
                owner  => $owner,
                group  => $group,
                mode   => '0644',
                notify => Exec['generate trusted_ca'],
            }

            $trusted_certs['certs'].each |Integer $index, Stdlib::Unixpath $cert| {
                file { "${sslcert::localcerts}/${cert.basename}":
                    ensure => absent,
                }

                concat::fragment { "ssl-ca-${cert}":
                    source => $cert,
                    target => $trusted_ca_path,
                    order  => $index,
                    notify => Exec['generate trusted_ca'],
                }
            }

            # no-op resource used for propagating notifies
            exec { 'generate trusted_ca':
                command     => '/bin/true',
                refreshonly => true,
            }
            $res_subscribe = Exec['generate trusted_ca']
        }
        $trusted_certs['certs'].each |$cert| {
            if $include_bundle_jks {
                $cert_basename = '.pem' in $cert.basename ? {
                    true  => $cert.basename('.pem'),
                    false => $cert.basename('.crt'),
                }
                java::cacert { $cert_basename:
                    ensure        => $ensure,
                    owner         => $owner,
                    path          => $cert,
                    storepass     => $truststore_password,
                    keystore_path => $jks_truststore_path,
                    subscribe     => $res_subscribe,
                }
                Class['java'] -> Java::Cacert[$cert_basename]
            }
        }
    } else {
        $trusted_ca_path = $facts['puppet_config']['localcacert']
        $jks_truststore_path = $include_bundle_jks ? {
            true    => '/etc/ssl/certs/java/cacerts',
            default => undef,
        }
    }
}