Alexandros Kosiaris has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/344606 )
Change subject: Update bacula::client to use base::expose_puppet_certs ...................................................................... Update bacula::client to use base::expose_puppet_certs expose the puppet certificate, key and keypair via base::expose_puppet_certs and use them in the configurations Update the RSpec tests as well Bug: T161281 Change-Id: I8d49f96cbd4aa5542ac4eae6e01ee9a32aace734 --- M modules/bacula/.fixtures.yml M modules/bacula/manifests/client.pp M modules/bacula/spec/classes/bacula_client_spec.rb M modules/bacula/templates/bacula-client.erb M modules/bacula/templates/bacula-fd.conf.erb 5 files changed, 20 insertions(+), 22 deletions(-) Approvals: Alexandros Kosiaris: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/bacula/.fixtures.yml b/modules/bacula/.fixtures.yml index f66bf01..9eda903 100644 --- a/modules/bacula/.fixtures.yml +++ b/modules/bacula/.fixtures.yml @@ -1,3 +1,6 @@ fixtures: symlinks: bacula: "#{source_dir}" + base: "../../../../base" + wmflib: "../../../../wmflib" + stdlib: "../../../../stdlib" diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp index 467482a..811da19 100644 --- a/modules/bacula/manifests/client.pp +++ b/modules/bacula/manifests/client.pp @@ -44,6 +44,13 @@ require => Package['bacula-fd'], } + base::expose_puppet_certs { '/etc/bacula': + provide_private => true, + provide_keypair => true, + user => 'bacula', + group => 'bacula', + } + file { '/etc/bacula/bacula-fd.conf': ensure => present, owner => 'root', 
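Review bot: The new `base::expose_puppet_certs { '/etc/bacula': ... }` block in client.pp carries no comment, and this change deletes (in the next hunk) the only explanation of why Bacula reuses Puppet's PKI and needs key and certificate in one file. I would put a short comment above the block, for example `# Reuse puppet's PKI: expose cert, private key and combined keypair under /etc/bacula/ssl for bacula-fd`. Because `provide_private => true` places a copy of the host's private key where user `bacula` can read it, the comment should say so. The file modes are applied inside the define and are not visible in this hunk, so they are worth confirming.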
@@ -55,17 +62,6 @@ Package['bacula-fd'], Exec['concat-bacula-keypair'], ], - } - - # To avoid reimplementing a PKI infrastructure we use puppet's already well - # managed one. Bacula needs the keypair in one single file though hence this - # resource - exec { 'concat-bacula-keypair': - command => "/bin/cat \ - /var/lib/puppet/ssl/private_keys/${::fqdn}.pem \ - /var/lib/puppet/ssl/certs/${::fqdn}.pem > \ - /var/lib/puppet/ssl/private_keys/bacula-keypair-${::fqdn}.pem", - creates => "/var/lib/puppet/ssl/private_keys/bacula-keypair-${::fqdn}.pem", } # We export oufself to the director diff --git a/modules/bacula/spec/classes/bacula_client_spec.rb b/modules/bacula/spec/classes/bacula_client_spec.rb index c289d4c..c1f43ec 100644 --- a/modules/bacula/spec/classes/bacula_client_spec.rb +++ b/modules/bacula/spec/classes/bacula_client_spec.rb @@ -14,7 +14,6 @@ it { should contain_package('bacula-fd') } it { should contain_service('bacula-fd') } - it { should contain_exec('concat-bacula-keypair') } it 'should generate valid content for /etc/bacula/bacula-fd.conf' do should contain_file('/etc/bacula/bacula-fd.conf').with({ 'ensure' => 'present', @@ -24,10 +23,10 @@ }) \ .with_content(/Name = "testdirector"/) \ .with_content(/Password = "testdirectorpass"/) \ - .with_content(/TLS Certificate = "\/var\/lib\/puppet\/ssl\/certs\/testhost.example.com.pem"/) \ - .with_content(/TLS Key = "\/var\/lib\/puppet\/ssl\/private_keys\/testhost.example.com.pem"/) \ + .with_content(/TLS Certificate = "\/etc\/bacula\/ssl\/server.pem"/) \ + .with_content(/TLS Key = "\/etc\/bacula\/ssl\/server.key"/) \ .with_content(/Name = "testhost.example.com-fd"/) \ .with_content(/FDport = 2000/) \ - .with_content(/PKI Keypair = "\/var\/lib\/puppet\/ssl\/private_keys\/bacula-keypair-testhost.example.com.pem"/) + .with_content(/PKI Keypair = "\/etc\/bacula\/ssl\/server-keypair.pem"/) end end 
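Review bot: `Exec['concat-bacula-keypair']` is still listed in the dependency array kept as context at the top of this client.pp hunk, while the same hunk deletes the `exec { 'concat-bacula-keypair': ... }` resource. Unless that exec is declared somewhere else, the catalog now refers to a resource that does not exist and should fail when relationships are resolved. Replace the entry with a reference to the new define, `Base::Expose_puppet_certs['/etc/bacula'],`, so the configuration is still ordered after the key material is in place. The resource owning the array starts above the hunk, so whether this is a `require` or a `notify` cannot be seen here.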
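Review bot: The spec drops `it { should contain_exec('concat-bacula-keypair') }` without adding an expectation for the resource that replaces it, so nothing asserts that the certificates are exposed. Add `it { should contain_base__expose_puppet_certs('/etc/bacula').with('provide_private' => true, 'provide_keypair' => true) }` next to the package and service checks. An `it { should compile.with_all_deps }` example would additionally catch relationships that point at resources no longer declared. The new patterns leave the dots in `server.pem` and `server.key` unescaped, as the replaced lines did, so they match slightly more than the literal paths.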
diff --git a/modules/bacula/templates/bacula-client.erb b/modules/bacula/templates/bacula-client.erb index 018a3d7..5156019 100644 --- a/modules/bacula/templates/bacula-client.erb +++ b/modules/bacula/templates/bacula-client.erb @@ -12,8 +12,8 @@ TLS Enable = yes TLS Require = yes TLS CA Certificate File = "/var/lib/puppet/ssl/certs/ca.pem" - TLS Certificate = "/var/lib/puppet/ssl/certs/<%= @director -%>.pem" - TLS Key = "/var/lib/puppet/ssl/private_keys/bacula-<%= @director -%>.pem" + TLS Certificate = "/etc/bacula/ssl/server.key" + TLS Key = "/etc/bacula/ssl/server-keypair.pem" # Priority = 10 # Maximum Bandwith Per Job = # Autoprune = yes diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb index 0f9d655..0287848 100644 --- a/modules/bacula/templates/bacula-fd.conf.erb +++ b/modules/bacula/templates/bacula-fd.conf.erb @@ -9,8 +9,8 @@ TLS Require = yes TLS CA Certificate File = "/var/lib/puppet/ssl/certs/ca.pem" TLS Verify Peer = yes - TLS Certificate = "/var/lib/puppet/ssl/certs/<%= @fqdn %>.pem" - TLS Key = "/var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem" + TLS Certificate = "/etc/bacula/ssl/server.pem" + TLS Key = "/etc/bacula/ssl/server.key" } # 
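Review bot: In bacula-client.erb, `TLS Certificate` now points at `/etc/bacula/ssl/server.key` and `TLS Key` at `/etc/bacula/ssl/server-keypair.pem`, which looks like a slip. The bacula-fd.conf.erb hunks in this same change pair `server.pem` with `server.key`. A certificate directive naming the private key file would most likely make TLS setup fail for this client definition, so the lines should probably read `TLS Certificate = "/etc/bacula/ssl/server.pem"` and `TLS Key = "/etc/bacula/ssl/server.key"`. The replaced lines built their paths from `@director`, which suggests the template is rendered for the director host. Whether `/etc/bacula/ssl` is populated there is not visible in this change and should be confirmed.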
@@ -26,13 +26,13 @@ # Have all data stored encrypted PKI Encryption = Yes PKI Signatures = Yes - PKI Keypair = "/var/lib/puppet/ssl/private_keys/bacula-keypair-<%= @fqdn %>.pem" + PKI Keypair = "/etc/bacula/ssl/server-keypair.pem" PKI Master Key = "/var/lib/puppet/ssl/certs/ca.pem" # Do enable Data channel encryption. TLS Enable = yes TLS Require = yes - TLS Certificate = "/var/lib/puppet/ssl/certs/<%= @fqdn %>.pem" - TLS Key = "/var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem" + TLS Certificate = "/etc/bacula/ssl/server.pem" + TLS Key = "/etc/bacula/ssl/server.key" TLS CA Certificate File = "/var/lib/puppet/ssl/certs/ca.pem" # Heartbeat inverval = 0 # in secs # FDAddresses = # For director connections -- To view, visit https://gerrit.wikimedia.org/r/344606 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I8d49f96cbd4aa5542ac4eae6e01ee9a32aace734 Gerrit-PatchSet: 5 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits