Defined Type: puppet::expose_agent_certs
- Defined in:
- modules/puppet/manifests/expose_agent_certs.pp
Summary
Overview
Copies appropriate cert files from the puppet CA infrastructure To be usable by the other applications Note: Only copies public components, no private keys, unless specifically asked.
35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 |
# File 'modules/puppet/manifests/expose_agent_certs.pp', line 35
define puppet::expose_agent_certs (
Wmflib::Ensure $ensure = 'present',
Boolean $provide_private = false,
Boolean $provide_keypair = false,
Boolean $provide_pem = true,
Boolean $provide_p12 = false,
Optional[String[1]] $p12_password = undef,
String[1] $user = 'root',
String[1] $group = 'root',
Stdlib::Absolutepath $ssldir = puppet_ssldir(),
) {
include puppet::agent
# In the puppet7 infrastructure we have an intermediate certificate as
# such we need to create a bundle wit the chain. It probably safe to
# do this everywhere but we restrict to puppet 7 to contain fallout
$include_chain = versioncmp($facts['puppetversion'], '7') >= 0
$target_basedir = $title
$puppet_cert_name = $facts['networking']['fqdn']
file { "${target_basedir}/ssl":
ensure => stdlib::ensure($ensure, 'directory'),
owner => $user,
group => $group,
mode => '0555',
}
if $ensure == 'absent' {
File["${target_basedir}/ssl"] {
recurse => true,
force => true,
}
}
$pem_ensure = $ensure ? {
'present' => $provide_pem ? {
true => 'present',
default => 'absent',
},
default => 'absent',
}
$cert_dest = "${target_basedir}/ssl/cert.pem"
if $include_chain {
concat { $cert_dest:
ensure => $pem_ensure,
}
concat::fragment { "${title}_puppet_agent_cert":
target => $cert_dest,
order => '01',
source => $facts['puppet_config']['hostcert'],
}
# Here we add the full chain including the root CA, but we only strictly need
# the intermediate certificate. however its much harder to try and extract the
# intermediate then just adding the hole chain. The down side of adding the root
# means we use a bit more bandwith as we are sending more certificates.
concat::fragment { "${title}_puppet_ca_chain":
target => $cert_dest,
order => '02',
source => $facts['puppet_config']['localcacert'],
}
} else {
file { $cert_dest:
ensure => $pem_ensure,
mode => '0444',
owner => $user,
group => $group,
source => "${ssldir}/certs/${puppet_cert_name}.pem",
}
}
# Provide the private key
$private_key_ensure = $ensure ? {
'present' => $provide_private ? {
true => 'present',
default => 'absent',
},
default => 'absent',
}
file { "${target_basedir}/ssl/server.key":
ensure => $private_key_ensure,
mode => '0400',
owner => $user,
group => $group,
show_diff => false,
source => "${ssldir}/private_keys/${puppet_cert_name}.pem",
}
# Provide a keypair of key and cert concatenated. The file resource is used
# to ensure file attributes/presence and the exec resource the contents
$keypair_ensure = $ensure ? {
'present' => $provide_keypair ? {
true => 'present',
default => 'absent',
},
default => 'absent',
}
file { "${target_basedir}/ssl/server-keypair.pem":
ensure => $keypair_ensure,
owner => $user,
group => $group,
mode => '0400',
}
if $provide_keypair {
exec { "create-${title}-keypair":
before => File["${target_basedir}/ssl/server-keypair.pem"],
require => File["${target_basedir}/ssl"],
creates => "${target_basedir}/ssl/server-keypair.pem",
command => "/bin/cat \
${ssldir}/private_keys/${puppet_cert_name}.pem \
${ssldir}/certs/${puppet_cert_name}.pem \
> ${target_basedir}/ssl/server-keypair.pem",
}
}
$p12_key_ensure = $ensure ? {
'present' => $provide_p12 ? {
true => 'present',
default => 'absent',
},
default => 'absent',
}
sslcert::x509_to_pkcs12 {"puppet::expose_agent_cert: ${title}":
ensure => $p12_key_ensure,
owner => $user,
group => $group,
public_key => $facts['puppet_config']['hostcert'],
private_key => $facts['puppet_config']['hostprivkey'],
outfile => "${target_basedir}/ssl/server.p12",
certfile => $facts['puppet_config']['localcacert'],
password => $p12_password,
}
}
|