Defined Type: cfssl::cert

Defined in:
modules/cfssl/manifests/cert.pp

Overview

Parameters:

  • signer_config (Cfssl::Signer_config)
  • names (Array[Cfssl::Name]) (defaults to: [])
  • key (Cfssl::Key) (defaults to: {'algo' => 'ecdsa', 'size' => 521})
  • ensure (Wmflib::Ensure) (defaults to: 'present')
  • owner (String) (defaults to: 'root')
  • group (String) (defaults to: 'root')
  • auto_renew (Boolean) (defaults to: true)
  • renew_seconds (Integer[1800]) (defaults to: 604800)
  • label (Optional[String]) (defaults to: undef)
  • profile (Optional[String]) (defaults to: undef)
  • outdir (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • tls_cert (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • tls_key (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • hosts (Optional[Array[Stdlib::Host]]) (defaults to: [])


2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# File 'modules/cfssl/manifests/cert.pp', line 2

define cfssl::cert (
    Cfssl::Signer_config          $signer_config,
    Array[Cfssl::Name]            $names         = [],
    Cfssl::Key                    $key           = {'algo' => 'ecdsa', 'size' => 521},
    Wmflib::Ensure                $ensure        = 'present',
    String                        $owner         = 'root',
    String                        $group         = 'root',
    Boolean                       $auto_renew    = true,
    Integer[1800]                 $renew_seconds = 604800,  # 1 week
    Optional[String]              $label         = undef,
    Optional[String]              $profile       = undef,
    Optional[Stdlib::Unixpath]    $outdir        = undef,
    Optional[Stdlib::Unixpath]    $tls_cert      = undef,
    Optional[Stdlib::Unixpath]    $tls_key       = undef,
    Optional[Array[Stdlib::Host]] $hosts         = [],

) {
    include cfssl

    if $key['algo'] == 'rsa' and $key['size'] < 2048 {
        fail('RSA keys must be either 2048, 4096 or 8192 bits')
    }
    if $key['algo'] == 'ecdsa' and $key['size'] > 2048 {
        fail('ECDSA keys must be either 256, 384 or 521 bits')
    }
    $ensure_file = $ensure ? {
        'present' => 'file',
        default   => $ensure,
    }

    $safe_title = $title.regsubst('[^\w\-]', '_', 'G')
    $csr_json_path = "${cfssl::csr_dir}/${safe_title}.csr"
    $_outdir   = $outdir ? {
        undef   => "${cfssl::ssl_dir}/${safe_title}",
        default => $outdir,
    }

    $_names = $names.map |Cfssl::Name $name| {
        {
            'C'  => $name['country'],
            'L'  => $name['locality'],
            'O'  => $name['organisation'],
            'OU' => $name['organisational_unit'],
            'S'  => $name['state'],
        }
    }
    $csr = {
        'CN'    => $title,
        'hosts' => $hosts,
        'key'   => $key,
        'names' => $_names,
    }
    file{$csr_json_path:
        ensure  => $ensure_file,
        owner   => 'root',
        group   => 'root',
        mode    => '0400',
        content => $csr.to_json_pretty()
    }
    file {$_outdir:
        ensure  => ensure_directory($ensure),
        owner   => $owner,
        group   => $group,
        mode    => '0440',
        recurse => true,
        purge   => true,
    }
    $tls_config = ($tls_cert and $tls_key) ? {
        true    => "-mutual-tls-client-cert ${tls_cert} -mutual-tls-client-key ${tls_key}",
        default => '',
    }
    $_label = $label ? {
        undef   => '',
        default => "-label ${label}",
    }
    $_profile = $profile ? {
        undef   => '',
        default => "-profile ${profile}",
    }
    $signer_args = $signer_config ? {
        Stdlib::HTTPUrl              => "-remote ${signer_config} ${tls_config} ${_label}",
        Cfssl::Signer_config::Client => "-config ${signer_config['config_file']} ${tls_config} ${_label}",
        default                      => @("SIGNER_ARGS"/L)
            -ca=${signer_config['config_dir']}/ca/ca.pem \
            -ca-key=${signer_config['config_dir']}/ca/ca_key.pem \
            -config=${signer_config['config_dir']}/cfssl.conf \
            | SIGNER_ARGS
    }
    $cert_path = "${_outdir}/${safe_title}.pem"
    $key_path = "${_outdir}/${safe_title}-key.pem"
    $csr_pem_path = "${_outdir}/${safe_title}.csr"
    $gen_command = @("GEN_COMMAND"/L)
        /usr/bin/cfssl gencert ${signer_args} ${_profile} ${csr_json_path} \
        | /usr/bin/cfssljson -bare ${_outdir}/${safe_title}
        | GEN_COMMAND
    $sign_command = @("SIGN_COMMAND"/L)
        /usr/bin/cfssl gencert ${signer_args} ${_profile} ${csr_pem_path} \
        | /usr/bin/cfssljson -bare ${_outdir}/${safe_title}
        | SIGN_COMMAND

    # TODO: would be nice to check its signed with the correct CA
    $test_command = @("TEST_COMMAND"/L)
        /usr/bin/test \
        "$(/usr/bin/openssl x509 -in ${cert_path} -noout -pubkey 2>&1)" == \
        "$(/usr/bin/openssl pkey -pubout -in ${key_path} 2>&1)"
        | TEST_COMMAND
    if $ensure == 'present' {
        exec{"Generate cert ${title}":
            command => $gen_command,
            unless  => $test_command,
        }
        if $auto_renew {
            exec {"renew certificate - ${title}":
                command => $sign_command,
                unless  => "/usr/bin/openssl x509 -in ${cert_path} -checkend ${renew_seconds}",
                require => Exec["Generate cert ${title}"]
            }
        }
    }

    file{[$cert_path, $key_path, $csr_pem_path]:
        ensure => $ensure_file,
        owner  => $owner,
        group  => $group,
        mode   => '0440',
    }
}