|
3 | 3 | # This class installs and configures the puppetdb terminus pacakge |
4 | 4 | # |
5 | 5 | # Parameters: |
| 6 | +# ['generate_ssl_certs'] - Generate ssl certs (false to disable) |
6 | 7 | # ['puppet_passenger_port'] - The port for the virtual host |
7 | 8 | # ['puppet_docroot'] - Apache documnet root |
8 | 9 | # ['apache_serveradmin'] - The apache server admin |
|
31 | 32 | # } |
32 | 33 | # |
33 | 34 | class puppet::passenger( |
| 35 | + $generate_ssl_certs = true, |
34 | 36 | $puppet_passenger_port, |
35 | 37 | $puppet_docroot, |
36 | 38 | $apache_serveradmin, |
|
51 | 53 | owner => $::puppet::params::puppet_user, |
52 | 54 | group => $::puppet::params::puppet_group, |
53 | 55 | } |
| 56 | + } |
54 | 57 |
|
55 | | - file { "${puppet_ssldir}/ca": |
| 58 | + if str2bool($generate_ssl_certs) == true { |
| 59 | + file{"${puppet_ssldir}/ca": |
56 | 60 | ensure => directory, |
57 | 61 | owner => $::puppet::params::puppet_user, |
58 | 62 | group => $::puppet::params::puppet_group, |
59 | 63 | before => Exec['Certificate_Check'], |
60 | 64 | } |
61 | 65 |
|
62 | | - file { "${puppet_ssldir}/ca/requests": |
| 66 | + file{"${puppet_ssldir}/ca/requests": |
63 | 67 | ensure => directory, |
64 | 68 | owner => $::puppet::params::puppet_user, |
65 | 69 | group => $::puppet::params::puppet_group, |
66 | 70 | before => Exec['Certificate_Check'], |
67 | 71 | } |
68 | | - } |
| 72 | + # first we need to generate the cert |
| 73 | + # Clean the installed certs out ifrst |
| 74 | + $crt_clean_cmd = "puppet cert clean ${certname}" |
| 75 | + # I would have preferred to use puppet cert generate, but it does not |
| 76 | + # return the corret exit code on some versions of puppet |
| 77 | + $crt_gen_cmd = "puppet certificate --ca-location=local --dns_alt_names=$dns_alt_names generate ${certname}" |
| 78 | + # I am using the sign command here b/c AFAICT, the sign command for certificate |
| 79 | + # does not work |
| 80 | + $crt_sign_cmd = "puppet cert sign --allow-dns-alt-names ${certname}" |
| 81 | + # find is required to move the cert into the certs directory which is |
| 82 | + # where it needs to be for puppetdb to find it |
| 83 | + $cert_find_cmd = "puppet certificate --ca-location=local find ${certname}" |
69 | 84 |
|
70 | | - # first we need to generate the cert |
71 | | - # Clean the installed certs out ifrst |
72 | | - $crt_clean_cmd = "puppet cert clean ${certname}" |
73 | | - # I would have preferred to use puppet cert generate, but it does not |
74 | | - # return the corret exit code on some versions of puppet |
75 | | - $crt_gen_cmd = "puppet certificate --ca-location=local --dns_alt_names=$dns_alt_names generate ${certname}" |
76 | | - # I am using the sign command here b/c AFAICT, the sign command for certificate |
77 | | - # does not work |
78 | | - $crt_sign_cmd = "puppet cert sign --allow-dns-alt-names ${certname}" |
79 | | - # find is required to move the cert into the certs directory which is |
80 | | - # where it needs to be for puppetdb to find it |
81 | | - $cert_find_cmd = "puppet certificate --ca-location=local find ${certname}" |
82 | | - |
83 | | - exec { 'Certificate_Check': |
84 | | - command => "${crt_clean_cmd} ; ${crt_gen_cmd} && ${crt_sign_cmd} && ${cert_find_cmd}", |
85 | | - unless => "/bin/ls ${puppet_ssldir}/certs/${certname}.pem", |
86 | | - path => '/usr/bin:/usr/local/bin', |
87 | | - logoutput => on_failure, |
88 | | - require => File[$puppet_conf] |
| 85 | + exec { 'Certificate_Check': |
| 86 | + command => "${crt_clean_cmd} ; ${crt_gen_cmd} && ${crt_sign_cmd} && ${cert_find_cmd}", |
| 87 | + unless => "/bin/ls ${puppet_ssldir}/certs/${certname}.pem", |
| 88 | + path => '/usr/bin:/usr/local/bin', |
| 89 | + logoutput => on_failure, |
| 90 | + require => File[$puppet_conf] |
| 91 | + } |
89 | 92 | } |
90 | 93 |
|
91 | 94 | file { $puppet_docroot: |
|
96 | 99 | } |
97 | 100 |
|
98 | 101 | apache::vhost { "puppet-${certname}": |
99 | | - port => $puppet_passenger_port, |
100 | | - priority => '40', |
101 | | - docroot => $puppet_docroot, |
102 | | - serveradmin => $apache_serveradmin, |
103 | | - servername => $certname, |
104 | | - ssl => true, |
105 | | - ssl_cert => "${puppet_ssldir}/certs/${certname}.pem", |
106 | | - ssl_key => "${puppet_ssldir}/private_keys/${certname}.pem", |
107 | | - ssl_chain => "${puppet_ssldir}/ca/ca_crt.pem", |
108 | | - ssl_ca => "${puppet_ssldir}/ca/ca_crt.pem", |
109 | | - ssl_crl => "${puppet_ssldir}/ca/ca_crl.pem", |
110 | | - ssl_protocol => 'ALL -SSLv2 -SSLv3', |
111 | | - ssl_cipher => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK', |
| 102 | + port => $puppet_passenger_port, |
| 103 | + priority => '40', |
| 104 | + docroot => $puppet_docroot, |
| 105 | + serveradmin => $apache_serveradmin, |
| 106 | + servername => $certname, |
| 107 | + ssl => true, |
| 108 | + ssl_cert => "${puppet_ssldir}/certs/${certname}.pem", |
| 109 | + ssl_key => "${puppet_ssldir}/private_keys/${certname}.pem", |
| 110 | + ssl_chain => "${puppet_ssldir}/ca/ca_crt.pem", |
| 111 | + ssl_ca => "${puppet_ssldir}/ca/ca_crt.pem", |
| 112 | + ssl_crl => "${puppet_ssldir}/ca/ca_crl.pem", |
| 113 | + ssl_protocol => 'ALL -SSLv2 -SSLv3', |
| 114 | + ssl_cipher => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK', |
112 | 115 | ssl_honorcipherorder => 'On', |
113 | | - ssl_verify_client => 'optional', |
114 | | - ssl_verify_depth => '1', |
115 | | - ssl_options => ['+StdEnvVars', '+ExportCertData'], |
116 | | - rack_base_uris => '/', |
117 | | - directories => [ |
| 116 | + ssl_verify_client => 'optional', |
| 117 | + ssl_verify_depth => '1', |
| 118 | + ssl_options => ['+StdEnvVars', '+ExportCertData'], |
| 119 | + rack_base_uris => '/', |
| 120 | + directories => [ |
118 | 121 | { |
119 | 122 | path => $puppet_docroot, |
120 | 123 | }, |
|
123 | 126 | options => 'None', |
124 | 127 | }, |
125 | 128 | ], |
126 | | - require => [ File['/etc/puppet/rack/config.ru'], File[$puppet_conf] ], |
| 129 | + require => [ File['/etc/puppet/rack/config.ru'], File[$puppet_conf] ], |
127 | 130 | } |
128 | 131 |
|
129 | 132 | #Hack to add extra passenger configurations for puppetmaster |
|
0 commit comments