diff --git a/manifests/apache.pp b/manifests/apache.pp
index fc6f0eb6..6dfef638 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -123,6 +123,7 @@
 if $deploy {
 include certs::config::deploy
+ require certs::ca
 certs::keypair { $apache_cert_name:
 source_dir => "${certs::ssl_build_dir}/${hostname}",
@@ -136,5 +137,21 @@
 cert_mode => '0440',
 require => $require_cert,
 }
+
+ file { $certs::katello_default_ca_cert:
+ ensure => file,
+ source => $certs::ca::default_ca_path,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+
+ file { $certs::katello_server_ca_cert:
+ ensure => file,
+ source => $certs::ca::server_ca_path,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
 }
 }
diff --git a/manifests/ca.pp b/manifests/ca.pp
index 1d49bb77..c905e112 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -11,10 +11,8 @@
 String $org_unit = $certs::org_unit,
 String $ca_expiration = $certs::ca_expiration,
 Boolean $generate = $certs::generate,
- Boolean $deploy = $certs::deploy,
 String $owner = $certs::user,
 String $group = $certs::group,
- Stdlib::Absolutepath $katello_server_ca_cert = $certs::katello_server_ca_cert,
 String $ca_key_password = $certs::ca_key_password,
 Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
 ) {
@@ -71,24 +69,4 @@
 }
 }
 }
-
- if $deploy {
- include certs::config::deploy
-
- file { $certs::katello_default_ca_cert:
- ensure => file,
- source => $default_ca_path,
- owner => 'root',
- group => 'root',
- mode => '0644',
- }
-
- file { $katello_server_ca_cert:
- ensure => file,
- source => $server_ca_path,
- owner => $owner,
- group => $group,
- mode => '0644',
- }
- }
 }
diff --git a/manifests/foreman.pp b/manifests/foreman.pp
index 120dccb5..712ae8d9 100644
--- a/manifests/foreman.pp
+++ b/manifests/foreman.pp
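Review bot: The `file { $certs::katello_server_ca_cert: … }` resource added in the second apache.pp hunk sets `owner => 'root', group => 'root'`, whereas the block it replaces in ca.pp used `owner => $owner, group => $group` (defaulting to `$certs::user`/`$certs::group`); mode 0644 keeps the CA certificate world-readable either way, which is appropriate for a public certificate, but the ownership change is not mentioned by the commit. If root ownership is intended, a short comment above the two resources such as `# CA certificates are public: root-owned and world-readable on purpose` would record that decision. Both deployed paths are now created only when certs::apache is deployed, so anything outside this module that expected `$certs::katello_server_ca_cert` to exist after a plain `include certs` would now find it missing (the spec change in this commit asserts exactly that for the default-CA path in the default context). The enclosing `if $deploy` block starts outside this hunk.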
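Review bot: Dropping `$deploy` and `$katello_server_ca_cert` from the certs::ca parameter list is an interface break for anyone setting them through Hiera or a resource-like declaration — catalog compilation fails with a "has no parameter named" error — and the same applies to `$server_ca` in the foreman.pp and puppet.pp hunks and `$server_ca_cert` in the foreman_proxy.pp hunk later in this diff. A changelog or README entry naming the removed parameters and their replacements (`$certs::ca::server_ca_path`, `$certs::ca::default_ca_path`) would let users of the module adjust before upgrading. `$owner` and `$group` stay in the signature although their only visible use was the file resource deleted in the second ca.pp hunk; if nothing in the rest of the class body uses them they are now dead parameters. The class body between the two hunks is outside this diff, so remaining uses of these parameters cannot be checked here.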
@@ -15,7 +15,6 @@
 String $org_unit = 'PUPPET',
 String $expiration = $certs::expiration,
 Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
- Stdlib::Absolutepath $server_ca = $certs::katello_server_ca_cert,
 String $owner = 'root',
 String $group = 'foreman',
 ) inherits certs {
@@ -41,6 +40,8 @@
 }
 if $deploy {
+ require certs::ca
+
 certs::keypair { $client_cert_name:
 source_dir => "${certs::ssl_build_dir}/${hostname}",
 key_file => $client_key,
diff --git a/manifests/foreman_proxy.pp b/manifests/foreman_proxy.pp
index 23ae547e..9b99dea2 100644
--- a/manifests/foreman_proxy.pp
+++ b/manifests/foreman_proxy.pp
@@ -18,7 +18,6 @@
 Stdlib::Absolutepath $foreman_ssl_key = '/etc/foreman-proxy/foreman_ssl_key.pem',
 Stdlib::Absolutepath $foreman_ssl_ca_cert = '/etc/foreman-proxy/foreman_ssl_ca.pem',
 Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
- Stdlib::Absolutepath $server_ca_cert = $certs::katello_server_ca_cert,
 Optional[Stdlib::Absolutepath] $server_cert = $certs::server_cert,
 Optional[Stdlib::Absolutepath] $server_key = $certs::server_key,
 Optional[Stdlib::Absolutepath] $server_cert_req = $certs::server_cert_req,
@@ -26,7 +25,7 @@
 String $state = $certs::state,
 String $city = $certs::city,
 String $expiration = $certs::expiration,
- Stdlib::Absolutepath $default_ca_cert = $certs::katello_default_ca_cert,
+ Stdlib::Absolutepath $default_ca_cert = $certs::ca::default_ca_path,
 Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
 String $group = 'foreman-proxy',
 String $owner = 'root',
@@ -108,6 +107,7 @@
 if $deploy {
 include certs::config::deploy
+ require certs::ca
 certs::keypair { $proxy_cert_name:
 source_dir => "${certs::ssl_build_dir}/${hostname}",
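Review bot: The new default `$default_ca_cert = $certs::ca::default_ca_path` in the second foreman_proxy.pp hunk is evaluated when certs::foreman_proxy is declared, which is before the `require certs::ca` added in the following hunk runs; unless certs::ca has already been evaluated by then (for example from the certs init class, which this diff does not show), the lookup yields undef with an unknown-variable warning (an error under strict_variables) and the `Stdlib::Absolutepath` type check rejects the class. The iop_advisor_engine.pp hunk avoids this by reading `$certs::ca::server_ca_path` in the body only after `require certs::ca`. A safer shape here is `Optional[Stdlib::Absolutepath] $default_ca_cert = undef,` in the signature and, after the `require` in the body, `$_default_ca_cert = pick($default_ca_cert, $certs::ca::default_ca_path)`, using `$_default_ca_cert` as the source of `$proxy_ca_cert`.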
@@ -123,12 +123,11 @@
 }
 file { $proxy_ca_cert:
- ensure => file,
- source => $default_ca_cert,
- owner => $owner,
- group => $group,
- mode => '0440',
- require => File[$default_ca_cert],
+ ensure => file,
+ source => $default_ca_cert,
+ owner => $owner,
+ group => $group,
+ mode => '0440',
 }
 certs::keypair { $foreman_proxy_client_cert_name:
@@ -145,12 +144,11 @@
 }
 file { $foreman_ssl_ca_cert:
- ensure => file,
- source => $server_ca_cert,
- owner => $owner,
- group => $group,
- mode => '0440',
- require => File[$server_ca_cert],
+ ensure => file,
+ source => $certs::ca::server_ca_path,
+ owner => $owner,
+ group => $group,
+ mode => '0440',
 }
 cert_key_bundle { $foreman_proxy_ssl_client_bundle:
diff --git a/manifests/iop_advisor_engine.pp b/manifests/iop_advisor_engine.pp
index f72bee4c..3c45b2d0 100644
--- a/manifests/iop_advisor_engine.pp
+++ b/manifests/iop_advisor_engine.pp
@@ -37,11 +37,13 @@
 }
 if $deploy {
+ require certs::ca
+
 $cert_directory = '/etc/iop-advisor-engine'
 $server_cert = "${cert_directory}/server.cert"
 $server_key = "${cert_directory}/server.key"
- $server_ca_cert = $certs::katello_server_ca_cert
+ $server_ca_cert = $certs::ca::server_ca_path
 $client_cert = $certs::foreman_proxy::foreman_ssl_cert
 $client_key = $certs::foreman_proxy::foreman_ssl_key
diff --git a/manifests/puppet.pp b/manifests/puppet.pp
index da1e2572..f0db0549 100644
--- a/manifests/puppet.pp
+++ b/manifests/puppet.pp
@@ -13,7 +13,6 @@
 String $city = $certs::city,
 String $expiration = $certs::expiration,
 Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
- Stdlib::Absolutepath $server_ca = $certs::katello_server_ca_cert,
 Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
 String $owner = 'root',
 String $group = 'puppet',
@@ -40,6 +39,7 @@
 if $deploy {
 include certs::config::deploy
+ require certs::ca
 file { "${pki_dir}/puppet":
 ensure => directory,
@@ -62,12 +62,11 @@
 }
 file { $ssl_ca_cert:
- ensure => file,
- source => $server_ca,
- owner => $owner,
- group => $group,
- mode => '0440',
- require => File[$server_ca],
+ ensure => file,
+ source => $certs::ca::server_ca_path,
+ owner => $owner,
+ group => $group,
+ mode => '0440',
 }
 }
 }
diff --git a/spec/acceptance/certs_spec.rb b/spec/acceptance/certs_spec.rb
index 17d5794a..20303505 100644
--- a/spec/acceptance/certs_spec.rb
+++ b/spec/acceptance/certs_spec.rb
@@ -2,7 +2,7 @@
 describe 'certs' do
 before(:all) do
- on default, 'rm -rf /root/ssl-build'
+ on default, 'rm -rf /root/ssl-build /etc/pki/katello'
 end
 context 'with default params' do
@@ -42,22 +42,8 @@
 it { should be_encrypted }
 end
- describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
- it { should be_certificate }
- it { should be_valid }
- it { should have_purpose 'SSL server CA' }
- its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
- its(:keylength) { should be >= 4096 }
- end
-
- describe x509_certificate('/etc/pki/katello/certs/katello-server-ca.crt') do
- it { should be_certificate }
- it { should be_valid }
- it { should have_purpose 'SSL server CA' }
- its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
- its(:keylength) { should be >= 4096 }
+ describe file('/etc/pki/katello/certs/katello-default-ca.crt') do
+ it { should_not exist }
 end
 describe file('/etc/pki/katello/private/katello-default-ca.key') do
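Review bot: The x509_certificate expectations on the deployed default and server CA (purpose 'SSL server CA', issuer/subject, keylength >= 4096) in the second certs_spec.rb hunk are deleted rather than relocated, so after this commit no acceptance test inspects the generated CA certificates at all — only that the deployed path is absent in the default context. Since certs::ca still generates the CA, the same assertions could be kept against the ssl-build copy (the path certs::ca exposes as `$certs::ca::default_ca_path`), or moved into a context that declares certs::apache, where the deployed files are now created. The closing `end` of the second removed x509 block is reused as the `end` of the new `describe file(...)` block, which is correct but easy to misread on a rebase.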
@@ -75,10 +61,6 @@
 describe file('/root/ssl-build/katello-default-ca.pwd') do
 it { should exist }
 end
-
- describe file('/etc/pki/katello/private/katello-default-ca.pwd') do
- it { should_not exist }
- end
 end
 context 'with deploy false' do