Faidon Liambotis has submitted this change and it was merged.

Change subject: sslcert: remove ::certificate's $content parameter
......................................................................


sslcert: remove ::certificate's $content parameter

We weren't using $content anywhere, so remove for now. Also clean up some
leftover TODOs about $private and provide a more elaborate rationale
about the future use of content-only private keys.

Change-Id: I0b689d79e9d7ae7890a7fe0b01b788b59711f25e
---
M manifests/certs.pp
M modules/sslcert/manifests/certificate.pp
2 files changed, 15 insertions(+), 29 deletions(-)

Approvals:
  Faidon Liambotis: Verified; Looks good to me, approved



diff --git a/manifests/certs.pp b/manifests/certs.pp
index a7ec956..af09b3a 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -12,7 +12,6 @@
 
     if ( $privatekey == true ) {
         Sslcert::Certificate[$name] {
-            # private => file("puppet:///private/ssl/${name}.key"), # cf this 
commit in certificate.pp
             private => "puppet:///private/ssl/${name}.key",
         }
     }
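Review bot: the removed comment on the `private =>` line was the only pointer from certs.pp to the rationale in certificate.pp for why the key is passed as a `puppet:///private/ssl/...` fileserver URL rather than as content loaded with file(); with it gone, a reader of this file has no hint that the key is fetched through the fileserver and that access to the private mount must be restricted per node. A short comment such as `# served via the fileserver, see the rationale in sslcert::certificate` would keep that discoverable.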
diff --git a/modules/sslcert/manifests/certificate.pp 
b/modules/sslcert/manifests/certificate.pp
index 779e2ef..23ed889 100644
--- a/modules/sslcert/manifests/certificate.pp
+++ b/modules/sslcert/manifests/certificate.pp
@@ -23,13 +23,8 @@
 #   If true, create also a chained version of the certificate, by calling into
 #   sslcert::chainedcert. The default is true.
 #
-# [*content*]
-#   If defined, will be used as the content of the X.509 certificate file.
-#   Undefined by default. Mutually exclusive with 'source'.
-#
 # [*source*]
 #   Path to file containing the X.509 certificate file. Undefined by default.
-#   Mutually exclusive with 'content'.
 #
 # [*private*]
 #   The content of the private key to the certificate. Undefined by default.
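Review bot: the parameter documentation in this hunk is now out of step with the code: `[*source*]` still says "Undefined by default" although `$source` loses its `undef` default and becomes mandatory, and `[*private*]` still describes "The content of the private key" although the value is consumed as `source => $private`, i.e. a fileserver path, not key material. Suggest "Path to the X.509 certificate file. Required." for `source` and "Puppet fileserver path to the private key" for `private`, so callers do not pass a PEM body into a parameter that will be treated as a URL.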
@@ -43,41 +38,33 @@
 #
 
 define sslcert::certificate(
+  $source,
   $ensure=present,
   $group='ssl-cert',
   $chain=true,
-  $source=undef,
-  $content=undef,
   $private=undef,
 ) {
     require sslcert
 
-    if $source == undef and $content == undef  {
-        fail('you must provide either "source" or "content"')
-    }
-
-    if $source != undef and $content != undef  {
-        fail('"source" and "content" are mutually exclusive')
-    }
-
     file { "/etc/ssl/localcerts/${title}.crt":
-        ensure  => $ensure,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0444',
-        source  => $source,
-        content => $content,
+        ensure => $ensure,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0444',
+        source => $source,
     }
 
     if $private {
-        # only support "content"; serving sensitive material over the puppet
-        # fileserver isn't a very good security practice
+        # Ideally, we'd pass "content", not "source", and use the file()
+        # function, as well as a deny all fileserver rule to not allow anyone
+        # to reach key material out of their scope via the fileserver. However,
+        # file() is not very sane before Puppet 3.7.0, requiring the full
+        # absolute path to files. We should revisit once we get to 3.7+.
         file { "/etc/ssl/private/${name}.key":
-            ensure  => $ensure,
-            owner   => 'root',
-            group   => $group,
-            mode    => '0440',
-            # content => $private, # content variant is broken, fixing the 
easy way for now...
+            ensure => $ensure,
+            owner  => 'root',
+            group  => $group,
+            mode   => '0440',
             source => $private,
         }
     }
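Review bot: with `source => $private`, the private key is fetched from the puppet fileserver under the node's own credentials, which the new comment itself acknowledges is weaker than `content` with a deny-all fileserver rule; until the 3.7+ revisit, the access rules on the private fileserver mount are the only control over which node can retrieve which key, so that dependency belongs in the `[*private*]` documentation rather than only in this inline comment. Removing the `$source == undef` / `$content != undef` checks is fine since `$source` now has no default and Puppet fails at compile time when it is missing. Minor: the certificate resource interpolates `${title}` while the key resource interpolates `${name}`; picking one for both file paths would avoid confusion.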

-- 
To view, visit https://gerrit.wikimedia.org/r/215351
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0b689d79e9d7ae7890a7fe0b01b788b59711f25e
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
