Alexandros Kosiaris has submitted this change and it was merged.

Change subject: certs: lint
......................................................................


certs: lint

Change-Id: I317fcc1b8a5722759f9830f617830a1004dcf4e4
---
M manifests/certs.pp
1 file changed, 185 insertions(+), 173 deletions(-)

Approvals:
  RobH: Looks good to me, but someone else must approve
  Alexandros Kosiaris: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/certs.pp b/manifests/certs.pp
index 1321448..66335a6 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -1,188 +1,210 @@
-define create_pkcs12( $certname="$name", $cert_alias="", $password="", 
$user="root", $group="ssl-cert", $location="/etc/ssl/private" ) {
+define create_pkcs12(
+    $certname   = $name,
+    $cert_alias = '',
+    $password   = '',
+    $user       = 'root',
+    $group      = 'ssl-cert',
+    $location   = '/etc/ssl/private',
+) {
 
     include passwords::certs
 
-    if ( $cert_alias == "" ) {
+    if ( $cert_alias == '' ) {
         $certalias = $certname
     } else {
         $certalias = $cert_alias
     }
 
-    if ( $password == "" ) {
+    if ( $password == '' ) {
         $defaultpassword = $passwords::certs::certs_default_pass
     } else {
         $defaultpassword = $password
     }
-
-    exec {
-        # pkcs12 file, used by things like opendj, nss, and tomcat
-        "${name}_create_pkcs12":
-            creates => "${location}/${certname}.p12",
-            command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\" 
-passout pass:${defaultpassword} -in /etc/ssl/certs/${certname}.pem -inkey 
/etc/ssl/private/${certname}.key -out ${location}/${certname}.p12",
-            onlyif  => "/usr/bin/test -s /etc/ssl/private/${certname}.key",
-            require => [Package["openssl"], 
File["/etc/ssl/private/${certname}.key", "/etc/ssl/certs/${certname}.pem"]];
+    # pkcs12 file, used by things like opendj, nss, and tomcat
+    exec  { "${name}_create_pkcs12":
+        creates => "${location}/${certname}.p12",
+        command => "/usr/bin/openssl pkcs12 -export -name \"${certalias}\" 
-passout pass:${defaultpassword} -in /etc/ssl/certs/${certname}.pem -inkey 
/etc/ssl/private/${certname}.key -out ${location}/${certname}.p12",
+        onlyif  => "/usr/bin/test -s /etc/ssl/private/${certname}.key",
+        require => [Package['openssl'],
+                    File["/etc/ssl/private/${certname}.key"],
+                    File["/etc/ssl/certs/${certname}.pem"],
+        ],
     }
-
-    file {
-        # Fix permissions on the p12 file, and make it available as
-        # a puppet resource
-        "${location}/${certname}.p12":
-            mode => 0440,
-            owner => $user,
-            group => $group,
-            require => Exec["${name}_create_pkcs12"],
-            ensure => file;
+    # Fix permissions on the p12 file, and make it available as
+    # a puppet resource
+    file { "${location}/${certname}.p12":
+        ensure  => 'file',
+        mode    => '0440',
+        owner   => $user,
+        group   => $group,
+        require => Exec["${name}_create_pkcs12"],
     }
 }
 
-define create_chained_cert( $certname="$name", $ca, $user="root", 
$group="ssl-cert", $location="/etc/ssl/certs" ) {
-    exec {
-        # chained cert, used when needing to provide an entire certificate 
chain to a client
-        "${name}_create_chained_cert":
-            creates => "${location}/${certname}.chained.pem",
-            command => "/bin/cat ${certname}.pem ${ca} > 
${location}/${certname}.chained.pem",
-            cwd => "/etc/ssl/certs",
-            require => [Package["openssl"], 
File["/etc/ssl/certs/${certname}.pem"]];
+define create_chained_cert(
+    $ca,
+    $certname = $name,
+    $user     = 'root',
+    $group    = 'ssl-cert',
+    $location = '/etc/ssl/certs',
+) {
+    # chained cert, used when needing to provide
+    # an entire certificate chain to a client
+    exec { "${name}_create_chained_cert":
+        creates => "${location}/${certname}.chained.pem",
+        command => "/bin/cat ${certname}.pem ${ca} > 
${location}/${certname}.chained.pem",
+        cwd     => '/etc/ssl/certs',
+        require => [Package['openssl'],
+                    File["/etc/ssl/certs/${certname}.pem"],
+        ],
     }
-
-    file {
-        # Fix permissions on the chained file, and make it available as
-        # a puppet resource
-        "${location}/${certname}.chained.pem":
-            mode => 0444,
-            owner => $user,
-            group => $group,
-            require => Exec["${name}_create_chained_cert"],
-            ensure => file;
+    # Fix permissions on the chained file, and make it available as
+    file { "${location}/${certname}.chained.pem":
+        ensure  => 'file',
+        mode    => '0444',
+        owner   => $user,
+        group   => $group,
+        require => Exec["${name}_create_chained_cert"],
     }
 }
 
-define create_combined_cert( $certname="$name", $user="root", 
$group="ssl-cert", $location="/etc/ssl/private" ) {
-
-    exec {
-        # combined cert, used by things like lighttp and nginx
-        "${name}_create_combined_cert":
-            creates => "${location}/${certname}.pem",
-            command => "/bin/cat /etc/ssl/certs/${certname}.pem 
/etc/ssl/private/${certname}.key > ${location}/${certname}.pem",
-            require => [Package["openssl"], 
File["/etc/ssl/private/${certname}.key", "/etc/ssl/certs/${certname}.pem"]];
+define create_combined_cert(
+    $certname = $name,
+    $user     = 'root',
+    $group    = 'ssl-cert',
+    $location = '/etc/ssl/private',
+) {
+    # combined cert, used by things like lighttp and nginx
+    exec { "${name}_create_combined_cert":
+        creates => "${location}/${certname}.pem",
+        command => "/bin/cat /etc/ssl/certs/${certname}.pem 
/etc/ssl/private/${certname}.key > ${location}/${certname}.pem",
+        require => [Package['openssl'],
+                    File["/etc/ssl/private/${certname}.key"],
+                    File["/etc/ssl/certs/${certname}.pem"],
+        ];
     }
-
-    file {
-        # Fix permissions on the combined file, and make it available as
-        # a puppet resource
-        "${location}/${certname}.pem":
-            mode => 0440,
-            owner => $user,
-            group => $group,
-            require => Exec["${name}_create_combined_cert"],
-            ensure => file;
+    # Fix permissions on the combined file, and make it available as
+    # a puppet resource
+    file { "${location}/${certname}.pem":
+        ensure  => 'file',
+        mode    => '0440',
+        owner   => $user,
+        group   => $group,
+        require => Exec["${name}_create_combined_cert"],
     }
 }
 
-define install_certificate( $group="ssl-cert", $ca="", $privatekey=true ) {
+define install_certificate(
+    $group     = 'ssl-cert',
+    $ca        = '',
+    $privatekey=true,
+) {
 
     require certificates::packages,
         certificates::rapidssl_ca,
         certificates::rapidssl_ca_2,
         certificates::digicert_ca,
         certificates::wmf_ca
-
-    file {
-        # Public key
-        "/etc/ssl/certs/${name}.pem":
-            owner => root,
-            group => $group,
-            mode => 0444,
-            source => "puppet:///files/ssl/${name}.pem";
+    # Public key
+    file { "/etc/ssl/certs/${name}.pem":
+        owner  => 'root',
+        group  => $group,
+        mode   => '0444',
+        source => "puppet:///files/ssl/${name}.pem",
     }
 
 
     if ( $privatekey == true ) {
-        file {
-            # Private key
-            "/etc/ssl/private/${name}.key":
-                owner => root,
-                group => $group,
-                mode => 0440,
-                source => "puppet:///private/ssl/${name}.key";
+        # Private key
+        file { "/etc/ssl/private/${name}.key":
+            owner  => 'root',
+            group  => $group,
+            mode   => '0440',
+            source => "puppet:///private/ssl/${name}.key",
         }
     } else {
-        file {
-            # empty Private key
-            "/etc/ssl/private/${name}.key":
-                ensure => present;
+        # empty Private key
+        file { "/etc/ssl/private/${name}.key":
+            ensure => 'present',
         }
     }
-
-    exec {
-        # Many services require certificates to be found by a hash in
-        # the certs directory
-        "${name}_create_hash":
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/${name}.pem).0\" ]",
-            command => "/bin/ln -sf /etc/ssl/certs/${name}.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/${name}.pem).0",
-            require => [Package["openssl"], 
File["/etc/ssl/certs/${name}.pem"]];
+    # Many services require certificates to be found by a hash in
+    # the certs directory
+    exec { "${name}_create_hash":
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/${name}.pem).0\" ]",
+        command => "/bin/ln -sf /etc/ssl/certs/${name}.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/${name}.pem).0",
+        require => [Package['openssl'],
+                    File["/etc/ssl/certs/${name}.pem"],
+        ],
     }
 
-    create_pkcs12{ "${name}": }
-    create_combined_cert{ "${name}": }
+    create_pkcs12{ $name: }
+    create_combined_cert{ $name: }
     if ( $ca ) {
         $cas = $ca
     } else {
-        # PEM files should be listed in order: intermediate -> intermediate -> 
... -> root
-        # If this is out of order either servers will fail to start, or will 
not properly
-        # have SSL enabled.
+        # PEM files should be listed in order:
+        # intermediate -> intermediate -> ... -> root
+        # If this is out of order either servers will fail to start,
+        # or will not properly have SSL enabled.
         $cas = $name ? {
-            "unified.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem",
-            "star.wikimedia.org" => "RapidSSL_CA.pem RapidSSL_CA_2.pem 
GeoTrust_Global_CA.pem",
-            "star.wikipedia.org" => "DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem",
-            "star.wiktionary.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikiquote.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikibooks.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikisource.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikinews.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikiversity.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.mediawiki.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem",
-            "star.wikimediafoundation.org" => "RapidSSL_CA.pem 
GeoTrust_Global_CA.pem",
-            "star.wmflabs.org" => "wmf-labs.pem",
-            "star.wmflabs" => "wmf-labs.pem",
-            "star.planet.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem",
-            default => "wmf-ca.pem",
+            'unified.wikimedia.org'        => 'DigiCertHighAssuranceCA-3.pem',
+            'star.wikimedia.org'           => 'RapidSSL_CA.pem 
RapidSSL_CA_2.pem GeoTrust_Global_CA.pem',
+            'star.wikipedia.org'           => 'DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem',
+            'star.wiktionary.org'          => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikiquote.org'           => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikibooks.org'           => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikisource.org'          => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikinews.org'            => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikiversity.org'         => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.mediawiki.org'           => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wikimediafoundation.org' => 'RapidSSL_CA.pem 
GeoTrust_Global_CA.pem',
+            'star.wmflabs.org'             => 'wmf-labs.pem',
+            'star.wmflabs'                 => 'wmf-labs.pem',
+            'star.planet.wikimedia.org'    => 'DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem',
+            default => 'wmf-ca.pem',
         }
     }
-    create_chained_cert{ "${name}": ca => $cas }
+    create_chained_cert{ $name:
+        ca => $cas,
+    }
 }
 
-define install_additional_key( $key_loc="", $owner="root", $group="ssl-cert", 
$mode="0440" ) {
+define install_additional_key(
+    $key_loc = '',
+    $owner   = 'root',
+    $group   = 'ssl-cert',
+    $mode    = '0440',
+) {
 
     if ( $key_loc ) {
-        file {
-            "${key_loc}/${name}.key":
-                owner => $owner,
-                group => $group,
-                mode => $mode,
-                source => "puppet:///private/ssl/${name}.key",
-                require => Package["openssl"];
+        file { "${key_loc}/${name}.key":
+            owner   => $owner,
+            group   => $group,
+            mode    => $mode,
+            source  => "puppet:///private/ssl/${name}.key",
+            require => Package['openssl'],
         }
     }
 }
 
 class certificates::packages {
 
-    package { [ "openssl", "ca-certificates", "ssl-cert" ]:
-        ensure => latest;
+    package { [ 'openssl', 'ca-certificates', 'ssl-cert' ]:
+        ensure => 'latest',
     }
 
 }
 
 class certificates::star_wmflabs_org {
 
-    install_certificate{ "star.wmflabs.org": }
+    install_certificate{ 'star.wmflabs.org': }
 
 }
 
 class certificates::star_wmflabs {
 
-    install_certificate{ "star.wmflabs": }
+    install_certificate{ 'star.wmflabs': }
 
 }
 
@@ -190,19 +212,17 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/wmf-ca.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/wmf-ca.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/wmf-ca.pem':
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        source  => 'puppet:///files/ssl/wmf-ca.pem',
+        require => Package['openssl'],
     }
 
-    exec {
-        '/bin/ln -s /etc/ssl/certs/wmf-ca.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/wmf-ca.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/wmf-ca.pem).0\" ]",
-            require => File["/etc/ssl/certs/wmf-ca.pem"];
+    exec { '/bin/ln -s /etc/ssl/certs/wmf-ca.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/wmf-ca.pem).0':
+            unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/wmf-ca.pem).0\" ]",
+            require => File['/etc/ssl/certs/wmf-ca.pem'],
     }
 
 }
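Review bot: The exec attributes `unless  =>` and `require =>` in this block are indented twelve spaces while the `file { '/etc/ssl/certs/wmf-ca.pem':` resource directly above uses eight, so a lint-only change leaves two indentation widths inside the same class. The same inconsistency appears in the `certificates::rapidssl_ca` hunk, where the file resource's attributes (`owner   => 'root',` through `require => Package['openssl'],`) sit at twelve spaces and the exec below at eight. The enclosing class begins outside this hunk.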
@@ -211,19 +231,17 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/wmf-labs.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/wmf-labs.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/wmf-labs.pem':
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        source  => 'puppet:///files/ssl/wmf-labs.pem',
+        require => Package['openssl'],
     }
 
-    exec {
-        '/bin/ln -s /etc/ssl/certs/wmf-labs.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/wmf-labs.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/wmf-labs.pem).0\" ]",
-            require => File["/etc/ssl/certs/wmf-labs.pem"];
+    exec { '/bin/ln -s /etc/ssl/certs/wmf-labs.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/wmf-labs.pem).0':
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/wmf-labs.pem).0\" ]",
+        require => File['/etc/ssl/certs/wmf-labs.pem'],
     }
 
 }
@@ -232,19 +250,17 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/RapidSSL_CA.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/RapidSSL_CA.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/RapidSSL_CA.pem':
+            owner   => 'root',
+            group   => 'root',
+            mode    => '0444',
+            source  => 'puppet:///files/ssl/RapidSSL_CA.pem',
+            require => Package['openssl'],
     }
 
-    exec {
-        '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/RapidSSL_CA.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0\" ]",
-            require => File["/etc/ssl/certs/RapidSSL_CA.pem"];
+    exec { '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/RapidSSL_CA.pem).0':
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/RapidSSL_CA.pem).0\" ]",
+        require => File['/etc/ssl/certs/RapidSSL_CA.pem'],
     }
 
 }
@@ -253,19 +269,17 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/RapidSSL_CA_2.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/RapidSSL_CA_2.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/RapidSSL_CA_2.pem':
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        source  => 'puppet:///files/ssl/RapidSSL_CA_2.pem',
+        require => Package['openssl'],
     }
 
-    exec {
-        '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA_2.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/RapidSSL_CA_2.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/RapidSSL_CA_2.pem).0\" ]",
-            require => File["/etc/ssl/certs/RapidSSL_CA_2.pem"];
+    exec { '/bin/ln -sf /etc/ssl/certs/RapidSSL_CA_2.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/RapidSSL_CA_2.pem).0':
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/RapidSSL_CA_2.pem).0\" ]",
+        require => File['/etc/ssl/certs/RapidSSL_CA_2.pem'],
     }
 
 }
@@ -274,18 +288,16 @@
 
     include certificates::packages
 
-    file {
-        "/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem":
-            owner => root,
-            group => root,
-            mode => 0444,
-            source => "puppet:///files/ssl/DigiCertHighAssuranceCA-3.pem",
-            require => Package["openssl"];
+    file { '/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem':
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        source  => 'puppet:///files/ssl/DigiCertHighAssuranceCA-3.pem',
+        require => Package['openssl'],
     }
 
-    exec {
-        '/bin/ln -sf /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0':
-            unless => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0\" ]",
-            require => File["/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem"];
+    exec { '/bin/ln -sf /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem 
/etc/ssl/certs/$(/usr/bin/openssl x509 -hash -noout -in 
/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0':
+        unless  => "/usr/bin/[ -f \"/etc/ssl/certs/$(/usr/bin/openssl x509 
-hash -noout -in /etc/ssl/certs/DigiCertHighAssuranceCA-3.pem).0\" ]",
+        require => File['/etc/ssl/certs/DigiCertHighAssuranceCA-3.pem'],
     }
 }

-- 
To view, visit https://gerrit.wikimedia.org/r/110366

Gerrit-MessageType: merged
Gerrit-Change-Id: I317fcc1b8a5722759f9830f617830a1004dcf4e4
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Matanya <mata...@foss.co.il>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Ori.livneh <o...@wikimedia.org>
Gerrit-Reviewer: RobH <r...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
