Ottomata has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/355782 )
Change subject: [WIP] Genericize ca-manager
......................................................................
[WIP] Genericize ca-manager
This creates a new ca module that can be used to create and manage CA certs and
keyfiles for services that do encryption and authentication via TLS certs.
TODO:
- Is this the correct module? Should this be merged into the sslcert module?
- Generate .pem and other useful key formats
Change-Id: Ice4527534a2a1a5b227aa30f87e74d7159c2d62a
---
R modules/ca/files/ca-manager
A modules/ca/manifests/certs.pp
A modules/ca/manifests/manager.pp
M modules/cassandra/manifests/ca_manager.pp
M modules/cassandra/manifests/instance.pp
5 files changed, 112 insertions(+), 42 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/82/355782/1
diff --git a/modules/cassandra/files/cassandra-ca-manager
b/modules/ca/files/ca-manager
similarity index 97%
rename from modules/cassandra/files/cassandra-ca-manager
rename to modules/ca/files/ca-manager
index 4f55a5d..c1de038 100755
--- a/modules/cassandra/files/cassandra-ca-manager
+++ b/modules/ca/files/ca-manager
@@ -2,7 +2,10 @@
# -*- coding: utf-8 -*-
"""
-Cassandra certificate management
+Certificate management for Java and other tools.
+
+This manages creation of certificate and Java keytool files for services
+that require encryption and authentication.
First, you need a manifest that specifies the Certificate Authority, and
each of the keystores. For example:
@@ -59,7 +62,7 @@
Next, run the script with the manifest as its only argument:
- $ cassandra-ca manifest.yaml
+ $ ca-manager manifest.yaml
$ tree /path/to/base/directory
/path/to/base/directory
├── restbase1001-a
diff --git a/modules/ca/manifests/certs.pp b/modules/ca/manifests/certs.pp
new file mode 100644
index 0000000..7fc73d8
--- /dev/null
+++ b/modules/ca/manifests/certs.pp
@@ -0,0 +1,81 @@
+# == Define: ca::certs
+#
+# Installs keystores and keyfiles generated by ca-manager using
+# puppet secret().
+#
+# === Usage
+# ca::certs { 'cassandra/services/restbase1007':
+# destination_directory => '/etc/cassandra/tls',
+# local_key_name => 'server',
+# owner => 'cassandra',
+# group => 'cassandra',
+# }
+#
+# === Parameters
+#
+# [*title*]
+#
+# [*destination_directory*]
+#
+# ...
+define ca::certs(
+ $destination_directory,
+ $local_key_name = undef,
+ $owner = 'root',
+ $group = 'root',
+ $keystores = true,
+ $keyfiles = true,
+) {
+
+
+ # cassandra/services/restbase1007: $key_name = restbase1007
+ $key_name = basename($title)
+ # If $local_key_name not provided, default to $key_name.
+ $_local_key_name = $local_key_name ? {
+ undef => $key_name,
+ default => $local_key_name,
+ }
+
+ # Base secret path is the directory above where this
+ # particular key was generated.
+ # cassandra/services/restbase1007: $base_secret_path = cassandra/services.
+ # This is to build the secrets path, and should be equivalent
+ # to the base_directory (in the private secrets module) as provided
+ # to ca-manager when the key files were generated.
+ $base_secret_path = dirname($title)
+
+ file { $destination_directory:
+ ensure => 'directory',
+ owner => $owner,
+ group => $group,
+ mode => '0400',
+ }
+
+ # Java key Keystore
+ # TODO: standardize on file extensions! Why .kst -> .key???
+ file { "${destination_directory}/${_local_key_name}.key":
+ content => secret("${base_secret_path}/${key_name}/${key_name}.kst"),
+ owner => $owner,
+ group => $group,
+ mode => '0400',
+ require => File[$destination_directory],
+ }
+
+ # Java CA trust keystore
+ file { "${destination_directory}/${_local_key_name}.trust":
+ content => secret("${base_secret_path}/truststore"),
+ owner => $owner,
+ group => $group,
+ mode => '0400',
+ require => File[$destination_directory],
+ }
+
+ # CA Cert
+ file { "${destination_directory}/rootCa.crt":
+ content => secret("${base_secret_path}/rootCa.crt"),
+ owner => $owner,
+ group => $group,
+ mode => '0400',
+ require => File[$destination_directory],
+ }
+}
\ No newline at end of file
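Review bot: `$keystores = true` and `$keyfiles = true` are declared on the define's parameter list but never referenced in the body, so every file resource is installed unconditionally and a caller passing `keystores => false` gets no effect. Either guard the `.key`/`.trust` resources with `if $keystores { … }` (and the `.pem` outputs the commit message's TODO mentions with `$keyfiles`), or drop both parameters until the behaviour exists. The `=== Parameters` section is also a stub: `[*title*]`, `[*destination_directory*]` and `...` carry no text, so the convention that the title is `<base_secret_path>/<key_name>` — which `basename($title)` and `dirname($title)` depend on — lives only in inline comments; suggest `# [*title*] Secret path of the key, e.g. cassandra/services/restbase1007; the last component is the key name and the directory above it is the secrets base path passed to ca-manager.` and a one-line entry for each remaining parameter.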
diff --git a/modules/ca/manifests/manager.pp b/modules/ca/manifests/manager.pp
new file mode 100644
index 0000000..fdcecdc
--- /dev/null
+++ b/modules/ca/manifests/manager.pp
@@ -0,0 +1,11 @@
+class ca::manager {
+ # keytool dependency
+ require_package('default-jre')
+
+ file { '/usr/local/bin/ca-manager':
+ source => 'puppet:///modules/ca/ca-manager',
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ }
+}
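Review bot: The class has no documentation header, unlike the other manifests in this change (compare `# == Class: cassandra::ca_manager` at the top of ca_manager.pp); suggest opening the file with `# == Class: ca::manager` and a sentence stating that it installs /usr/local/bin/ca-manager and the default-jre package it needs for keytool. `require_package('default-jre')` replaces the `package { 'default-jre': ensure => present }` removed from cassandra::ca_manager, which is fine as long as no other manifest still declares that package resource explicitly — worth checking before merge, since a duplicate declaration would fail catalog compilation for any host including both.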
diff --git a/modules/cassandra/manifests/ca_manager.pp
b/modules/cassandra/manifests/ca_manager.pp
index 34388e1..8ad7b8e 100644
--- a/modules/cassandra/manifests/ca_manager.pp
+++ b/modules/cassandra/manifests/ca_manager.pp
@@ -1,6 +1,9 @@
# == Class: cassandra::ca_manager
#
-# Install Cassandra CA manager.
+# Install a symlink as cassandra-ca-manager to ca-manager.
+# This maintains backwards compatibility for anyone who doesn't
+# yet know that cassandra-ca-manager has been made generic.
+# See: https://phabricator.wikimedia.org/T166167
#
# The manager will accept a manifest file as input and generate a CA plus all
# related certificates to be installed on cassandra nodes.
@@ -10,15 +13,9 @@
# class { '::cassandra::ca_manager': }
class cassandra::ca_manager {
- file { '/usr/local/bin/cassandra-ca-manager':
- source => 'puppet:///modules/cassandra-ca-manager',
- owner => 'root',
- group => 'root',
- mode => '0555',
- }
+ require ::ca::manager
- # keytool dependency
- package { 'default-jre':
- ensure => present,
+ file { '/usr/local/bin/cassandra-ca-manager':
+ ensure => '/usr/local/bin/ca-manager',
}
}
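Review bot: The new `file { '/usr/local/bin/cassandra-ca-manager': ensure => '/usr/local/bin/ca-manager' }` uses the implicit path-as-ensure form for a symlink; the explicit `ensure => 'link',` plus `target => '/usr/local/bin/ca-manager',` reads unambiguously and is what the Puppet style guide recommends for links. Ordering against the link target looks covered by `require ::ca::manager` on the line above, since that class declares the target file directly. Given the header now describes this class as a backwards-compatibility shim, consider adding `# Deprecated: include ca::manager and call /usr/local/bin/ca-manager directly.` so the shim has a clear removal path.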
diff --git a/modules/cassandra/manifests/instance.pp
b/modules/cassandra/manifests/instance.pp
index 2a76fea..cd39835 100644
--- a/modules/cassandra/manifests/instance.pp
+++ b/modules/cassandra/manifests/instance.pp
@@ -187,37 +187,15 @@
}
}
+ # Copy TLS cert keystore files from puppetmaster.
+ # TLS cert keystore files were generated using ca-manager
+ # and are checked into the puppet private repository
+ # in the secret module.
if ($tls_cluster_name) {
- file { "${config_directory}/tls":
- ensure => directory,
- owner => 'cassandra',
- group => 'cassandra',
- mode => '0400',
- require => Package['cassandra'],
- }
-
- file { "${config_directory}/tls/server.key":
- content =>
secret("cassandra/${tls_cluster_name}/${tls_hostname}/${tls_hostname}.kst"),
- owner => 'cassandra',
- group => 'cassandra',
- mode => '0400',
- require => File["${config_directory}/tls"],
- }
-
- file { "${config_directory}/tls/server.trust":
- content => secret("cassandra/${tls_cluster_name}/truststore"),
- owner => 'cassandra',
- group => 'cassandra',
- mode => '0400',
- require => File["${config_directory}/tls"],
- }
-
- file { "${config_directory}/tls/rootCa.crt":
- content => secret("cassandra/${tls_cluster_name}/rootCa.crt"),
- owner => 'cassandra',
- group => 'cassandra',
- mode => '0400',
- require => File["${config_directory}/tls"],
+ ::ca::certs { "cassandra/${tls_cluster_name}/${tls_hostname}":
+ destination_directory => "${config_directory}/tls"
+ owner => 'cassandra',
+ group => 'cassandra',
}
}
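Review bot: `destination_directory => "${config_directory}/tls"` is missing its trailing comma, so the `::ca::certs` declaration will not parse. Two behaviours of the removed block are also lost: the old resources wrote `server.key`/`server.trust`, while the define defaults the local key name to `basename($title)`, i.e. `${tls_hostname}.key`, so unless the Cassandra config template was updated elsewhere in this change the keystore paths it references no longer match; and the removed `require => Package['cassandra']` ordering is gone, so the directory owned by `cassandra` may be managed before the package creates that user. Suggest `destination_directory => "${config_directory}/tls",` followed by `local_key_name => 'server',` and `require => Package['cassandra'],` — a metaparameter on the define instance propagates to the file resources inside it. The enclosing cassandra::instance define starts before this hunk.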
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ice4527534a2a1a5b227aa30f87e74d7159c2d62a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ottomata <[email protected]>