Defined Type: cfssl::signer

Defined in:
modules/cfssl/manifests/signer.pp

Overview

Parameters:

  • ca_key_content (Optional[String]) (defaults to: undef)

    content of the CA private key

  • ca_cert_content (Optional[String]) (defaults to: undef)

    content of the CA certificate (the public half of the CA key pair)

  • host (Stdlib::Host) (defaults to: $facts['fqdn'])

    hostname of the cfssl server

  • port (Stdlib::Port) (defaults to: 8888)

    port of the cfssl server

  • ocsp_port (Stdlib::Port) (defaults to: 8889)

    port on which the cfssl server's OCSP responder listens

  • log_level (Cfssl::Loglevel) (defaults to: 'info')

    the logging level

  • default_auth_key (String) (defaults to: 'default_auth')

    the default authentication key

  • default_expiry (Cfssl::Expiry) (defaults to: '720h')

    the default signing expiry time

  • default_usages (Array[Cfssl::Usage]) (defaults to: ['signing', 'key encipherment', 'client auth'])

    the default signing usages

  • default_crl_url (Stdlib::HTTPUrl) (defaults to: "http://${host}:${port}/crl")

    the URL of the CRL

  • default_ocsp_url (Stdlib::HTTPUrl) (defaults to: "http://${host}:${ocsp_port}")

    the URL of the OCSP responder

  • ocsp_cert_path (Optional[Stdlib::Unixpath]) (defaults to: undef)

    path to the ocsp certificate

  • ocsp_key_path (Optional[Stdlib::Unixpath]) (defaults to: undef)

    path to the ocsp private key

  • profiles (Hash[String, Cfssl::Profile]) (defaults to: {})

    A hash of signing profiles

  • auth_keys (Hash[String, Cfssl::Auth_key]) (defaults to: {})

    A hash of authentication keys; it must contain an entry for the default_auth_key

  • serve_ensure (Wmflib::Ensure) (defaults to: 'absent')
  • ca_key_file (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • ca_file (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • ca_bundle_file (Optional[Stdlib::Unixpath]) (defaults to: undef)


# File 'modules/cfssl/manifests/signer.pp', line 17

# @summary Configure one cfssl signing CA: its config file, sqlite
#   certificate database, optional CA key/cert files and the
#   cfssl-serve@ / cfssl-ocsp@ systemd service instances.
#
# The title is sanitised (every non-word character becomes '_') and used
# both as a directory name under $cfssl::signer_dir and as the systemd
# instance name, so two signers whose titles differ only in non-word
# characters would collide on the same directory and service.
#
# @param host hostname of the cfssl server
# @param port port of the cfssl server
# @param ocsp_port port of the OCSP responder
# @param log_level the logging level
# @param default_auth_key the default authentication key
# @param default_expiry the default signing expiry time
# @param default_usages the default signing usages
# @param default_crl_url the URL of the CRL
# @param default_ocsp_url the URL of the OCSP responder
# @param serve_ensure ensure value handed to the cfssl-serve@ service
#   instance; the default 'absent' means the signer is configured but
#   the serving service is not enabled
# @param profiles a hash of signing profiles
# @param auth_keys a hash of authentication keys; must contain an entry
#   for default_auth_key
# @param ca_key_file override for the CA private key path; when undef the
#   key lives at "${conf_dir}/ca/ca_key.pem"
# @param ca_file override for the CA certificate path; when undef the
#   certificate lives at "${conf_dir}/ca/ca.pem"
# @param ca_bundle_file path to a CA bundle file. Not referenced in this
#   manifest; presumably consumed by the service templates — confirm
# @param ca_key_content content of the CA private key. Written to
#   $_ca_key_file only when ca_cert_content is also set
# @param ca_cert_content content of the CA certificate. Written to
#   $_ca_file only when ca_key_content is also set
# @param ocsp_cert_path path to the OCSP signing certificate; together
#   with ocsp_key_path this decides whether the OCSP service is present.
#   The file itself is not managed here
# @param ocsp_key_path path to the OCSP private key; see ocsp_cert_path
define cfssl::signer (
    Stdlib::Host                  $host             = $facts['fqdn'],
    Stdlib::Port                  $port             = 8888,
    Stdlib::Port                  $ocsp_port        = 8889,
    Cfssl::Loglevel               $log_level        = 'info',
    String                        $default_auth_key = 'default_auth',
    Cfssl::Expiry                 $default_expiry   = '720h',
    Array[Cfssl::Usage]           $default_usages   = ['signing', 'key encipherment', 'client auth'],
    Stdlib::HTTPUrl               $default_crl_url  = "http://${host}:${port}/crl",
    Stdlib::HTTPUrl               $default_ocsp_url = "http://${host}:${ocsp_port}",
    Wmflib::Ensure                $serve_ensure     = 'absent',
    Hash[String, Cfssl::Profile]  $profiles         = {},
    Hash[String, Cfssl::Auth_key] $auth_keys        = {},
    Optional[Stdlib::Unixpath]    $ca_key_file      = undef,
    Optional[Stdlib::Unixpath]    $ca_file          = undef,
    Optional[Stdlib::Unixpath]    $ca_bundle_file   = undef,
    Optional[String]              $ca_key_content   = undef,
    Optional[String]              $ca_cert_content  = undef,
    Optional[Stdlib::Unixpath]    $ocsp_cert_path   = undef,
    Optional[Stdlib::Unixpath]    $ocsp_key_path    = undef,
) {
    include cfssl
    # Every non-word character in the title is replaced so the value is
    # usable as a single path component and as a systemd instance name.
    $safe_title         = $title.regsubst('\W', '_', 'G')
    $conf_dir           = "${cfssl::signer_dir}/${safe_title}"
    $conf_file          = "${cfssl::signer_dir}/${safe_title}/cfssl.conf"
    $ca_dir             = "${conf_dir}/ca"
    $db_conf_file       = "${conf_dir}/db.conf"
    $db_path            = "${conf_dir}/cfssl.db"
    # Not referenced elsewhere in this manifest; presumably read by the
    # cfssl-ocsp service template — confirm before removing.
    $ocsp_response_path = "${ca_dir}/ocspdump.txt"
    $serve_service      = "cfssl-serve@${safe_title}"
    $ocsp_service       = "cfssl-ocsp@${safe_title}"

    # Effective CA key/cert locations: caller-supplied paths win,
    # otherwise the files live under the signer's own ca/ directory.
    $_ca_key_file = $ca_key_file ? {
        undef   => "${ca_dir}/ca_key.pem",
        default => $ca_key_file,
    }
    $_ca_file = $ca_file ? {
        undef   => "${ca_dir}/ca.pem",
        default => $ca_file,
    }

    # NOTE(review): the notify assumes systemd::service declares a
    # Service resource titled $serve_service — confirm in that define.
    cfssl::config{$safe_title:
        default_auth_key => $default_auth_key,
        default_expiry   => $default_expiry,
        default_usages   => $default_usages,
        default_crl_url  => $default_crl_url,
        default_ocsp_url => $default_ocsp_url,
        auth_keys        => $auth_keys,
        profiles         => $profiles,
        path             => $conf_file,
        notify           => Service[$serve_service],
    }
    # Certificate database backend: a local sqlite3 file in $conf_dir.
    $db_config = {'driver' => 'sqlite3', 'data_source' => $db_path}

    # Directories and the DB config are root-owned and not world
    # readable. NOTE(review): that only works if the cfssl services run
    # as root (or are granted access some other way) — confirm against
    # the service templates.
    file{
        default:
            owner   => 'root',
            group   => 'root',
            require => Package[$cfssl::packages];
        [$conf_dir, $ca_dir]:
            ensure => directory,
            mode   => '0550';
        $db_conf_file:
            ensure  => file,
            mode    => '0440',
            content => $db_config.to_json(),
            notify  => Service[$serve_service];

    }
    # Create and initialise the sqlite database from the shipped schema.
    sqlite::db {"cfssl ${title} signer DB":
        db_path    => $db_path,
        sql_schema => "${cfssl::sql_dir}/sqlite_initdb.sql",
        require    => File["${cfssl::sql_dir}/sqlite_initdb.sql"],
    }
    # CA material is only written when BOTH halves are supplied; passing
    # just one of them silently manages neither file. The private key is
    # 0400 and show_diff => false keeps its content out of Puppet reports
    # and logs; the certificate is public and therefore 0444.
    if $ca_key_content and $ca_cert_content {
        file {
            default:
                ensure => file,
                owner  => 'root',
                group  => 'root',
                mode   => '0400',
                notify => Service[$serve_service];
            $_ca_key_file:
                show_diff => false,
                content   => $ca_key_content;
            $_ca_file:
                content => $ca_cert_content,
                mode    => '0444';
        }
    }
    # The serving instance; $serve_ensure defaults to 'absent', so a
    # signer is not served unless the caller opts in.
    systemd::service {$serve_service:
        ensure  => $serve_ensure,
        content => template('cfssl/cfssl.service.erb'),
        restart => true,
    }
    # The OCSP responder is enabled only when both its certificate and
    # key paths are given; those files are not managed by this define.
    $ocsp_ensure = ($ocsp_cert_path and $ocsp_key_path) ? {
        true    => 'present',
        default => 'absent',
    }
    systemd::service {$ocsp_service:
        ensure  => $ocsp_ensure,
        content => template('cfssl/cfssl-ocsp.service.erb'),
        restart => true,
    }
}