Add new flag to make ssl cert generation optional

robinbowes · robinbowes · commit d8dbfb3213d2 · 2014-10-20T17:54:33.000+01:00
diff --git a/manifests/master.pp b/manifests/master.pp
@@ -32,6 +32,7 @@
 #  ['puppetdb_startup_timeout'] - The timeout for puppetdb
 #  ['dns_alt_names']            - Comma separated list of alternative DNS names
 #  ['digest_algorithm']         - The algorithm to use for file digests.
+#  ['generate_ssl_certs']       - Generate ssl certs (false to disable)
 #
 # Requires:
 #
@@ -83,6 +84,7 @@
   $puppetdb_strict_validation = $::puppet::params::puppetdb_strict_validation,
   $dns_alt_names              = ['puppet'],
   $digest_algorithm           = $::puppet::params::digest_algorithm,
+  $generate_ssl_certs         = true,
 ) inherits puppet::params {
 
   anchor { 'puppet::master::begin': }
@@ -121,14 +123,15 @@
 
   Anchor['puppet::master::begin'] ->
   class {'puppet::passenger':
-    puppet_passenger_port  => $puppet_passenger_port,
-    puppet_docroot         => $puppet_docroot,
-    apache_serveradmin     => $apache_serveradmin,
-    puppet_conf            => $::puppet::params::puppet_conf,
-    puppet_ssldir          => $puppet_ssldir,
-    certname               => $certname,
-    conf_dir               => $::puppet::params::confdir,
-    dns_alt_names          => join($dns_alt_names,','),
+    puppet_passenger_port => $puppet_passenger_port,
+    puppet_docroot        => $puppet_docroot,
+    apache_serveradmin    => $apache_serveradmin,
+    puppet_conf           => $::puppet::params::puppet_conf,
+    puppet_ssldir         => $puppet_ssldir,
+    certname              => $certname,
+    conf_dir              => $::puppet::params::confdir,
+    dns_alt_names         => join($dns_alt_names,','),
+    generate_ssl_certs    => $generate_ssl_certs,
   } ->
   Anchor['puppet::master::end']
 
diff --git a/manifests/passenger.pp b/manifests/passenger.pp
@@ -3,6 +3,7 @@
 # This class installs and configures the puppetdb terminus pacakge
 #
 # Parameters:
+#   ['generate_ssl_certs']       - Generate ssl certs (false to disable)
 #   ['puppet_passenger_port']    - The port for the virtual host
 #   ['puppet_docroot']           - Apache documnet root
 #   ['apache_serveradmin']       - The apache server admin
@@ -31,6 +32,7 @@
 #   }
 #
 class puppet::passenger(
+  $generate_ssl_certs = true,
   $puppet_passenger_port,
   $puppet_docroot,
   $apache_serveradmin,
@@ -52,43 +54,50 @@
       group  => $::puppet::params::puppet_group,
       mode   => '0750',
     }
+  }
 
-    file{"${puppet_ssldir}/ca":
-      ensure => directory,
-      owner  => $::puppet::params::puppet_user,
-      group  => $::puppet::params::puppet_group,
-      mode   => '0770',
-      before => Exec['Certificate_Check'],
-    }
+  if str2bool($generate_ssl_certs) == true {
+
+    if $::osfamily == 'redhat' {
+
+      file{"${puppet_ssldir}/ca":
+	ensure => directory,
+	owner  => $::puppet::params::puppet_user,
+	group  => $::puppet::params::puppet_group,
+	mode   => '0770',
+	before => Exec['Certificate_Check'],
+      }
+
+      file{"${puppet_ssldir}/ca/requests":
+	ensure => directory,
+	owner  => $::puppet::params::puppet_user,
+	group  => $::puppet::params::puppet_group,
+	mode   => '0750',
+	before => Exec['Certificate_Check'],
+      }
 
-    file{"${puppet_ssldir}/ca/requests":
-      ensure => directory,
-      owner  => $::puppet::params::puppet_user,
-      group  => $::puppet::params::puppet_group,
-      mode   => '0750',
-      before => Exec['Certificate_Check'],
     }
-  }
+    # first we need to generate the cert
+    # Clean the installed certs out ifrst
+    $crt_clean_cmd  = "puppet cert clean ${certname}"
+    # I would have preferred to use puppet cert generate, but it does not
+    # return the corret exit code on some versions of puppet
+    $crt_gen_cmd   = "puppet certificate --ca-location=local --dns_alt_names=$dns_alt_names generate ${certname}"
+    # I am using the sign command here b/c AFAICT, the sign command for certificate
+    # does not work
+    $crt_sign_cmd  = "puppet cert sign --allow-dns-alt-names ${certname}"
+    # find is required to move the cert into the certs directory which is
+    # where it needs to be for puppetdb to find it
+    $cert_find_cmd = "puppet certificate --ca-location=local find ${certname}"
 
-  # first we need to generate the cert
-  # Clean the installed certs out ifrst
-  $crt_clean_cmd  = "puppet cert clean ${certname}"
-  # I would have preferred to use puppet cert generate, but it does not
-  # return the corret exit code on some versions of puppet
-  $crt_gen_cmd   = "puppet certificate --ca-location=local --dns_alt_names=$dns_alt_names generate ${certname}"
-  # I am using the sign command here b/c AFAICT, the sign command for certificate
-  # does not work
-  $crt_sign_cmd  = "puppet cert sign --allow-dns-alt-names ${certname}"
-  # find is required to move the cert into the certs directory which is
-  # where it needs to be for puppetdb to find it
-  $cert_find_cmd = "puppet certificate --ca-location=local find ${certname}"
+    exec { 'Certificate_Check':
+      command   => "${crt_clean_cmd} ; ${crt_gen_cmd} && ${crt_sign_cmd} && ${cert_find_cmd}",
+      unless    => "/bin/ls ${puppet_ssldir}/certs/${certname}.pem",
+      path      => '/usr/bin:/usr/local/bin',
+      logoutput => on_failure,
+      require   => File[$puppet_conf]
+    }
 
-  exec { 'Certificate_Check':
-    command   => "${crt_clean_cmd} ; ${crt_gen_cmd} && ${crt_sign_cmd} && ${cert_find_cmd}",
-    unless    => "/bin/ls ${puppet_ssldir}/certs/${certname}.pem",
-    path      => '/usr/bin:/usr/local/bin',
-    logoutput => on_failure,
-    require   => File[$puppet_conf]
   }
 
   file { $puppet_docroot:
