Ottomata has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/391134 )

Change subject: [WIP] Add cergen module
......................................................................

[WIP] Add cergen module

This has not been tested yet; it is just some ideas at the moment.

Bug: T166167
Change-Id: I26c3072f4f4d1b8dd73b9e123263b09b5972b045
---
A modules/cergen/manifests/certificate.pp
A modules/cergen/manifests/init.pp
A modules/cergen/manifests/manifest.pp
A modules/cergen/templates/certificate.yaml.erb
4 files changed, 131 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/34/391134/1

diff --git a/modules/cergen/manifests/certificate.pp 
b/modules/cergen/manifests/certificate.pp
new file mode 100644
index 0000000..1e11b69
--- /dev/null
+++ b/modules/cergen/manifests/certificate.pp
@@ -0,0 +1,78 @@
+# == Define cergen::certificate
+# == Parameters
+# arguments
+#
+define cergen::certificate (
+    $destination,
+    $manifest,
+    # TODO: use ensure
+    $ensure              = 'present',
+    $owner               = 'root',
+    $group               = 'root',
+    $include_private_key = false,
+) {
+    include ::passwords::certificates
+    $password = $::passwords::certificates::certificates[$title]
+
+    $defaults = {
+        'authority' =>  'puppet_ca',
+        'subject' => {
+            'country_name' => 'US',
+            'state_or_province_name' => 'CA',
+            'locality_name' => 'San Francisco',
+            'organization_name' => 'Wikimedia Foundation',
+        },
+        'expiry' => 'null',
+        'key' => {
+            'algorithm' => 'ec',
+            'password' => $password,
+        }
+    }
+    $certificate_manifest = deep_merge($manifest, $defaults)
+
+    @@cergen::manifest { $title:
+        ensure  => $ensure,
+        content => template('cergen/certificate.yaml.erb'),
+    }
+
+    # TODO: automatically run cergen --generate using puppet generate() 
function?!
+
+    # TODO: Assuming the file is on the puppet master, now render it?
+    # Or, should this be a separate define?
+
+    # base-path: 
/etc/puppet/private/modules/secret/files/certificates/certs/$name/
+    # base-private-path: 
/etc/puppet/private/modules/secret/secrets/certficates/private/$name/
+
+    # Default subsequent file resources with these.
+    File {
+        owner => $owner,
+        group => $group,
+        mode  => '0400',
+    }
+
+    file { $destination:
+        ensure  => 'directory',
+        mode    => '0555',
+        # Puppet will fully manage this directory.  Any files in
+        # this directory that are not managed by puppet will be deleted.
+        recurse => true,
+        purge   => true,
+    }
+
+    file { "${destination}":
+        ensure  => 'directory',
+        mode    => '0555',
+        # Puppet will fully manage this directory.  Any files in
+        # this directory that are not managed by puppet will be deleted.
+        recurse => true,
+        purge   => true,
+        source  => "puppet:///secret/certificates/certs/${title}"
+    }
+
+    if $include_private_key {
+        file { "${destination}/{title}.key.private.pem":
+            ensure  => 'directory',
+            content => 
secret("certificates/private/${title}/${title}.key.private.pem"),
+        }
+    }
+}
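Review bot: The second `file { "${destination}": ... }` declares the same resource title as the earlier `file { $destination: ... }`, so the catalog will fail with a duplicate declaration; the first block carries no `source` and should be dropped. The private key path `"${destination}/{title}.key.private.pem"` is missing the `$` before `{title}`, and that resource sets `ensure => 'directory'` while supplying `content`, so it should be `ensure => 'file'`. The password read from `$::passwords::certificates::certificates[$title]` is interpolated into the exported resource's `content`, which means it is stored in PuppetDB and readable by anything that can query it; confirm that is intended or keep the password out of the exported manifest. Argument order of `deep_merge($manifest, $defaults)` also looks reversed — in stdlib the rightmost hash wins, so caller-supplied values would be overwritten by the defaults unless it is `deep_merge($defaults, $manifest)`.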
diff --git a/modules/cergen/manifests/init.pp b/modules/cergen/manifests/init.pp
new file mode 100644
index 0000000..8ee3af6
--- /dev/null
+++ b/modules/cergen/manifests/init.pp
@@ -0,0 +1,16 @@
+# == Class cergen
+# Installs cergen and ensure that /etc/cergen/manifests.d exists.
+#
+class cergen
+{
+    require_package('cergen')
+
+    $manifests_path = '/etc/cergen/manifests.d'
+
+    file { ['/etc/cergen', $manifests_path]:
+        ensure => 'directory',
+    }
+
+    # Collect all exported cergen certificate manifests.
+    Cergen_manifest <<||>>
+}
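Review bot: The collector `Cergen_manifest <<||>>` does not name the defined type added in this change; the exported `cergen::manifest` resources are collected with `Cergen::Manifest <<| |>>`, and as written nothing will be realized on the host that includes this class. The `/etc/cergen` and `$manifests_path` directories default to world-readable permissions, while the manifests written into them carry a key password, so a `mode => '0700'` on the directory resource would be consistent with the `0400` used on the files.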
diff --git a/modules/cergen/manifests/manifest.pp 
b/modules/cergen/manifests/manifest.pp
new file mode 100644
index 0000000..3cf8169
--- /dev/null
+++ b/modules/cergen/manifests/manifest.pp
@@ -0,0 +1,35 @@
+# == Define cergen
+# Installs a cergen certificate manifest file into /etc/cergen/manifests.d
+# This does not handle generation of certificates with cergen CLI.
+# You should manually run cergen CLI and commit the resulting files to puppet 
and private
+# repositories.
+#
+# Parameters:
+# [*ensure*]
+#
+# [*source*]
+#
+# [*content*]
+#
+define cergen::manifest(
+    $ensure  = 'present',
+    $source  = undef,
+    $content = undef,
+) {
+    require ::cergen
+
+    if $source == undef and $content == undef and $ensure == 'present' {
+        fail('you must provide either "source" or "content", or ensure must be 
"absent"')
+    }
+
+    if $source != undef and $content != undef  {
+        fail('"source" and "content" are mutually exclusive')
+    }
+
+    file { "${::cergen::manifests_path}/${title}.yaml":
+        ensure  => $ensure,
+        mode    => '0400'
+        content => $content,
+        source  => $source,
+    }
+}
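Review bot: The `file` resource is missing a comma after `mode => '0400'`, which is a parse error; it should read `mode    => '0400',`. The parameter documentation headers `[*ensure*]`, `[*source*]` and `[*content*]` are left empty — a one-line description of each (what `source` and `content` carry, and that `ensure => 'absent'` removes the manifest file) would make the define usable without reading the body.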
diff --git a/modules/cergen/templates/certificate.yaml.erb 
b/modules/cergen/templates/certificate.yaml.erb
new file mode 100644
index 0000000..3659efa
--- /dev/null
+++ b/modules/cergen/templates/certificate.yaml.erb
@@ -0,0 +1,2 @@
+<% require 'yaml' -%>
+<%= @certificate_manifest.to_yaml %>


Gerrit-MessageType: newchange
Gerrit-Change-Id: I26c3072f4f4d1b8dd73b9e123263b09b5972b045
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ottomata <ao...@wikimedia.org>
