# File 'modules/sslcert/manifests/trusted_ca.pp', line 8
# @summary Manage the CA bundle that the host trusts, and optionally a Java (JKS) truststore built from the same certificates.
#
# Two modes, selected by whether `$trusted_certs` is given:
#   - with `$trusted_certs`: the bundle lives at `$trusted_certs['bundle']`, sourced either
#     from a distro package (`package` key) or concatenated from the individual `certs`;
#   - without it: the bundle is the agent's own `localcacert` and the JKS path is the
#     system Java truststore.
# `$trusted_ca_path` and `$jks_truststore_path` are set in both branches; presumably other
# classes read them as `$sslcert::trusted_ca::...` — verify against callers.
#
# @param ensure            Only applied to the `java::cacert` resources; the bundle and
#                          per-cert `file`/`exec` resources below are always created.
# @param truststore_password  Password for the JKS truststore. The default `changeit`
#                          is the stock JDK cacerts password, so callers that enable
#                          `$include_bundle_jks` should override it.
# @param owner             Owner of the per-cert files, the bundle and the exec.
# @param group             Group of the per-cert files, the bundle and the exec.
# @param include_bundle_jks  When true, also import every cert into a JKS truststore.
# @param trusted_certs     Hash with `bundle`, and either `package` or `certs`
#                          (see the `Sslcert::Trusted_certs` type for the exact shape).
class sslcert::trusted_ca (
    Wmflib::Ensure $ensure = 'present',
    String $truststore_password = 'changeit',
    String $owner = 'root',
    String $group = 'root',
    Boolean $include_bundle_jks = false,
    Optional[Sslcert::Trusted_certs] $trusted_certs = undef,
) {
    # Needed for $sslcert::localcerts, used for the JKS path and the per-cert copies.
    contain sslcert
    if $trusted_certs {
        $trusted_ca_path = $trusted_certs['bundle']
        # Custom JKS truststore, only when requested; undef otherwise so
        # java::cacert below gets no keystore_path.
        $jks_truststore_path = $include_bundle_jks ? {
            true => "${sslcert::localcerts}/wmf-java-cacerts",
            default => undef,
        }
        if 'package' in $trusted_certs {
            # The bundle is shipped by a package; downstream resources re-run
            # whenever that package changes.
            ensure_packages($trusted_certs['package'])
            $res_subscribe = Package[$trusted_certs['package']]
        } else {
            $trusted_certs['certs'].each |$cert| {
                # The following file resources are only used so we know when the source
                # file changes and thus know when to notify the exec and rebuild the bundle
                file { "${sslcert::localcerts}/${cert.basename}":
                    ensure => file,
                    owner => $owner,
                    group => $group,
                    mode => '0444',
                    source => $cert,
                    notify => Exec['generate trusted_ca'],
                }
            }
            # Rebuild the bundle by concatenating the source cert paths. The command is
            # built by string interpolation, so a path containing whitespace or shell
            # metacharacters would break it; the `>` redirect relies on the exec provider
            # handing the string to a shell — TODO confirm for the provider in use.
            exec { 'generate trusted_ca':
                command => "/bin/cat ${trusted_certs['certs'].join(' ')} > ${trusted_ca_path}",
                refreshonly => true,
                user => $owner,
                group => $group,
            }
            $res_subscribe = Exec['generate trusted_ca']
            # Ensure readability for user/group/others of the cert bundle.
            file { $trusted_ca_path:
                ensure => file,
                owner => $owner,
                group => $group,
                mode => '0644',
            }
        }
        $trusted_certs['certs'].each |$cert| {
            if $include_bundle_jks {
                # Derive the keystore alias from the file name by stripping the
                # `.pem` or `.crt` extension.
                # NOTE(review): the relative precedence of `in` and the selector `?`
                # decides what `'.pem' in ...` is tested against — worth confirming.
                $cert_basename = '.pem' in $cert.basename ? {
                    true => $cert.basename('.pem'),
                    false => $cert.basename('.crt'),
                }
                # Re-import the cert whenever the bundle source (package or exec) changes.
                java::cacert { $cert_basename:
                    ensure => $ensure,
                    owner => $owner,
                    path => $cert,
                    storepass => $truststore_password,
                    keystore_path => $jks_truststore_path,
                    subscribe => $res_subscribe,
                }
                # keytool comes from the java class, so it must be applied first.
                Class['java'] -> Java::Cacert[$cert_basename]
            }
        }
    } else {
        # No explicit certs: trust the agent's own CA bundle and, if asked, the
        # system-wide Java truststore.
        $trusted_ca_path = $facts['puppet_config']['localcacert']
        $jks_truststore_path = $include_bundle_jks ? {
            true => '/etc/ssl/certs/java/cacerts',
            default => undef,
        }
    }
}