Gehel has submitted this change and it was merged.
Change subject: Factorized code exposing Puppet SSL certs
......................................................................
Factorized code exposing Puppet SSL certs
k8s module has been taken as a model for how to expose certificates
The way certificates are exposed has been simplified:
* single directory with all certs
* CA cert is already available at '/etc/ssl/certs/Puppet_Internal_CA.pem'
so we do not expose it again
Refactoring of the k8s module has been split into another commit as it requires
more work than initially planned.
Bug: T124444
Change-Id: I0d6976675f48679cfec78120d4a09cfef73970bd
---
M .gitignore
A modules/base/manifests/expose_puppet_certs.pp
A modules/base/spec/defines/expose_puppet_certs_spec.rb
M modules/base/spec/defines/service_unit_spec.rb
4 files changed, 124 insertions(+), 2 deletions(-)
Approvals:
Gehel: Looks good to me, approved
jenkins-bot: Verified
diff --git a/.gitignore b/.gitignore
index 6978ca3..99f1aa3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
# Jetbrain's IDEA editor settings
/.idea
+/*.iml
\ No newline at end of file
diff --git a/modules/base/manifests/expose_puppet_certs.pp
b/modules/base/manifests/expose_puppet_certs.pp
new file mode 100644
index 0000000..cedc88c
--- /dev/null
+++ b/modules/base/manifests/expose_puppet_certs.pp
@@ -0,0 +1,66 @@
+# == Define: base::expose_puppet_certs
+# Copies appropriate cert files from the puppet CA infrastructure
+# To be usable by the other applications
+# Note: Only copies public components, no private keys, unless specifically
+# asked.
+#
+# === Parameters
+#
+# [*title*]
+# The directory in which the certificates will be exposed. A subdirectory
+# named "ssl" will be created.
+#
+# [*ensure*]
+# If 'present', certificates will be exposed, otherwise they will be removed.
+#
+# [*provide_private*]
+# Should the private keys also be exposed?
+#
+# [*user/group*]
+# User who will own the exposed SSL certificates.
+#
+# [*ssldir*]
+# The source directory containing the original SSL certificates.
+#
+define base::expose_puppet_certs(
+ $ensure = 'present',
+ $provide_private = false,
+ $user = 'root',
+ $group = 'root',
+ $ssldir = '/var/lib/puppet/ssl',
+) {
+ validate_absolute_path($ssldir)
+
+ $target_basedir = $title
+ $puppet_cert_name = $::fqdn
+
+ File {
+ owner => $user,
+ group => $group,
+ }
+
+ file { "${target_basedir}/ssl":
+ ensure => ensure_directory($ensure),
+ mode => '0555',
+ }
+
+ file { "${target_basedir}/ssl/cert.pem":
+ ensure => $ensure,
+ mode => '0444',
+ source => "${ssldir}/certs/${puppet_cert_name}.pem",
+ }
+
+ $private_key_ensure = $ensure ? {
+ 'present' => $provide_private ? {
+ true => 'present',
+ default => 'absent',
+ },
+ default => 'absent',
+ }
+
+ file { "${target_basedir}/ssl/server.key":
+ ensure => $private_key_ensure,
+ mode => '0400',
+ source => "${ssldir}/private_keys/${puppet_cert_name}.pem",
+ }
+}
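Review bot: The private key resource `file { "${target_basedir}/ssl/server.key"` leaves Puppet's defaults for `backup` and `show_diff`, so by default a replaced or removed key has its previous contents copied into the agent's filebucket and a content change can be printed as a diff in agent output; `backup => false` and `show_diff => false` on that one resource keep key material out of both. `$ssldir` is validated but `$ensure` and `$provide_private` are not, so a string such as `'false'` or a typo in `ensure` falls through the selectors' `default` arms silently instead of failing at compile time. With `ensure => 'absent'` the `ssl` directory is probably evaluated before the files inside it (file resources autorequire their parent directory), and Puppet declines to remove a non-empty directory unless `force => true` is set — worth confirming against an actual run of the absent case.
```puppet
    validate_absolute_path($ssldir)
    validate_bool($provide_private)
    validate_re($ensure, '^(present|absent)$')

    # … unchanged: target_basedir, File defaults, ssl directory, cert.pem, $private_key_ensure …

    file { "${target_basedir}/ssl/server.key":
        ensure    => $private_key_ensure,
        mode      => '0400',
        source    => "${ssldir}/private_keys/${puppet_cert_name}.pem",
        backup    => false, # never copy the old key into the filebucket
        show_diff => false, # never print key contents in agent output
    }
```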
diff --git a/modules/base/spec/defines/expose_puppet_certs_spec.rb
b/modules/base/spec/defines/expose_puppet_certs_spec.rb
new file mode 100644
index 0000000..2b2fb71
--- /dev/null
+++ b/modules/base/spec/defines/expose_puppet_certs_spec.rb
@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+describe 'base::expose_puppet_certs', :type => :define do
+ let(:title) { '/my/ssl/dir' }
+ let(:facts) { { :fqdn => 'host.example.net'} }
+
+ describe 'directory structure is created' do
+ it { should contain_file('/my/ssl/dir/ssl').with({ 'ensure' =>
'directory', 'mode' => '0555' }) }
+ end
+
+ describe 'host certificate is exposed' do
+ it { should contain_file('/my/ssl/dir/ssl/cert.pem')
+ .with({
+ 'ensure' => 'present',
+ 'mode' => '0444',
+ 'source' =>
'/var/lib/puppet/ssl/certs/host.example.net.pem',
+ })
+ }
+ end
+
+ describe 'private key is not exposed by default' do
+ it { should contain_file('/my/ssl/dir/ssl/server.key').with({ 'ensure' =>
'absent' }) }
+ end
+
+ describe 'private key is exposed if required' do
+ let(:params) { { :provide_private => true } }
+
+ it { should contain_file('/my/ssl/dir/ssl/server.key')
+ .with({
+ 'ensure' => 'present',
+ 'mode' => '0400',
+ 'source' =>
'/var/lib/puppet/ssl/private_keys/host.example.net.pem',
+ })
+ }
+ end
+
+ describe 'all files are removed when ensure => absent' do
+ let(:params) { { :ensure => 'absent' } }
+
+ it { should contain_file('/my/ssl/dir/ssl/').with({ 'ensure' => 'absent'
}) }
+ it { should contain_file('/my/ssl/dir/ssl/cert.pem').with({ 'ensure' =>
'absent' }) }
+ it { should contain_file('/my/ssl/dir/ssl/server.key').with({ 'ensure' =>
'absent' }) }
+ end
+
+end
+
+# adding a test on the exposition of Puppet CA cert here to make it explicit
+# that clients of base::expose_puppet_certs most probably need this cert to be
+# exposed as well
+describe 'base::certificates', :type => :class do
+ describe 'exposes Puppet CA certificate' do
+ it { should
contain_file('/usr/local/share/ca-certificates/Puppet_Internal_CA.crt').with({
'ensure' => 'present' }) }
+ end
+end
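Review bot: No example combines `:ensure => 'absent'` with `:provide_private => true`, which is the nested-selector branch of the define most likely to regress; a further `describe` with `let(:params) { { :ensure => 'absent', :provide_private => true } }` and `it { should contain_file('/my/ssl/dir/ssl/server.key').with({ 'ensure' => 'absent' }) }` would pin it. The first expectation in the absent group looks up `'/my/ssl/dir/ssl/'` with a trailing slash while the manifest declares `"${target_basedir}/ssl"`; Puppet's file type normally strips trailing slashes from titles, but using the same string as the other examples removes the reliance on that normalisation. None of the examples assert `owner`/`group`, so a regression in the `File { owner => $user, group => $group }` default would go unnoticed; adding `'owner' => 'root', 'group' => 'root'` to the `cert.pem` and `server.key` expectations is cheap.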
diff --git a/modules/base/spec/defines/service_unit_spec.rb
b/modules/base/spec/defines/service_unit_spec.rb
index 6be090c..8831d86 100644
--- a/modules/base/spec/defines/service_unit_spec.rb
+++ b/modules/base/spec/defines/service_unit_spec.rb
@@ -17,8 +17,9 @@
end
it 'should execute daemon-reload' do
- should
contain_file('/etc/systemd/system/nginx.service').that_notifies('Exec[systemd
reload for nginx]').that_notifies('Service[nginx]')
- should contain_exec('systemd reload for
nginx').that_comes_before('Service[nginx]')
+ should contain_exec('systemd reload for nginx')
+ .that_comes_before('Service[nginx]')
+
.that_subscribes_to('File[/lib/systemd/system/nginx.service]')
end
end
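Review bot: The removed expectation also verified that the unit file notifies `Service[nginx]`, and the replacement only checks that `Exec['systemd reload for nginx']` subscribes to the file and comes before the service, so a missing notification from the unit file to the service is no longer caught; keeping `should contain_file('/lib/systemd/system/nginx.service').that_notifies('Service[nginx]')` next to the new chain would restore that coverage. The path in the new expectation is `/lib/systemd/system/nginx.service` while the removed line used `/etc/systemd/system/nginx.service`; if that is intentional it deserves a sentence in the commit message, which otherwise only describes the certificate refactoring. The enclosing `describe` block starts outside the hunk.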
--
Gerrit-MessageType: merged
Gerrit-Change-Id: I0d6976675f48679cfec78120d4a09cfef73970bd
Gerrit-PatchSet: 13
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Gehel <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Gehel <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Volans <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: jenkins-bot <>