Faidon Liambotis has submitted this change and it was merged. Change subject: sslcert: remove ::certificate's $content parameter ......................................................................
sslcert: remove ::certificate's $content parameter We weren't using $content anywhere, so remove for now. Also cleanup some leftover TODOs about $private and provide a more elaborate rationale about the future use of content-only private keys. Change-Id: I0b689d79e9d7ae7890a7fe0b01b788b59711f25e --- M manifests/certs.pp M modules/sslcert/manifests/certificate.pp 2 files changed, 15 insertions(+), 29 deletions(-) Approvals: Faidon Liambotis: Verified; Looks good to me, approved diff --git a/manifests/certs.pp b/manifests/certs.pp index a7ec956..af09b3a 100644 --- a/manifests/certs.pp +++ b/manifests/certs.pp @@ -12,7 +12,6 @@ if ( $privatekey == true ) { Sslcert::Certificate[$name] { - # private => file("puppet:///private/ssl/${name}.key"), # cf this commit in certificate.pp private => "puppet:///private/ssl/${name}.key", } } diff --git a/modules/sslcert/manifests/certificate.pp b/modules/sslcert/manifests/certificate.pp index 779e2ef..23ed889 100644 --- a/modules/sslcert/manifests/certificate.pp +++ b/modules/sslcert/manifests/certificate.pp @@ -23,13 +23,8 @@ # If true, create also a chained version of the certificate, by calling into # sslcert::chainedcert. The default is true. # -# [*content*] -# If defined, will be used as the content of the X.509 certificate file. -# Undefined by default. Mutually exclusive with 'source'. -# # [*source*] # Path to file containing the X.509 certificate file. Undefined by default. -# Mutually exclusive with 'content'. # # [*private*] # The content of the private key to the certificate. Undefined by default. 
@@ -43,41 +38,33 @@ # define sslcert::certificate( + $source, $ensure=present, $group='ssl-cert', $chain=true, - $source=undef, - $content=undef, $private=undef, ) { require sslcert - if $source == undef and $content == undef { - fail('you must provide either "source" or "content"') - } - - if $source != undef and $content != undef { - fail('"source" and "content" are mutually exclusive') - } - file { "/etc/ssl/localcerts/${title}.crt": - ensure => $ensure, - owner => 'root', - group => 'root', - mode => '0444', - source => $source, - content => $content, + ensure => $ensure, + owner => 'root', + group => 'root', + mode => '0444', + source => $source, } if $private { - # only support "content"; serving sensitive material over the puppet - # fileserver isn't a very good security practice + # Ideally, we'd pass "content", not "source", and use the file() + # function, as well as a deny all fileserver rule to not allow anyone + # to reach key material out of their scope via the fileserver. However, + # file() is not very sane before Puppet 3.7.0, requiring the full + # absolute path to files. We should revisit once we get to 3.7+. file { "/etc/ssl/private/${name}.key": - ensure => $ensure, - owner => 'root', - group => $group, - mode => '0440', - # content => $private, # content variant is broken, fixing the easy way for now... 
+ ensure => $ensure, + owner => 'root', + group => $group, + mode => '0440', source => $private, } } -- To view, visit https://gerrit.wikimedia.org/r/215351 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I0b689d79e9d7ae7890a7fe0b01b788b59711f25e Gerrit-PatchSet: 4 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
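Review bot: In the manifests/certs.pp hunk, the surviving line `private => "puppet:///private/ssl/${name}.key",` now hands a fileserver URL to a parameter that certificate.pp still documents as "The content of the private key"; the stale `# cf this commit` comment is gone, so nothing at this call site explains why a `puppet:///private/...` URL (rather than file contents) is the intended value. A one-line comment pointing at the rationale in sslcert::certificate, or a rename of the documented semantics, would keep the next reader from "fixing" it back to `file()`.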
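Review bot: In the `@@ -23,13 +23,8 @@` docstring hunk, `[*source*]` still reads "Undefined by default", but the code hunk makes `$source` a required parameter with no default, so the documentation now contradicts the signature; change it to state that `source` is mandatory. The `[*private*]` entry is likewise stale, since the value is passed to `source =>` and must be a `puppet:///` URL, not key content.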
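Review bot: In the `@@ -43,41 +38,33 @@` hunk, the new comment correctly notes that serving key material through the fileserver leaves every agent able to fetch any key under `puppet:///private/ssl/` unless the mount is restricted; since this change keeps `source => $private`, that exposure is the current state, and the docstring for `private` should say so rather than leaving it only in an inline comment. Two smaller points: the two `file` resources mix `${title}.crt` and `${name}.key` (identical in a define, but pick one for consistency), and with the `fail('you must provide ...')` guards removed, a caller passing an empty string for `source` now produces an unhelpful fileserver error instead of a clear message, so a minimal non-empty check on `$source` would preserve the old behaviour.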