Revision 433dadc5
Added by Eric Helms 27 days ago
| manifests/ca.pp | ||
|---|---|---|
|
String $ca_expiration = $certs::ca_expiration,
|
||
|
Boolean $generate = $certs::generate,
|
||
|
Boolean $deploy = $certs::deploy,
|
||
|
Optional[Stdlib::Absolutepath] $server_cert = $certs::server_cert,
|
||
|
Optional[Stdlib::Absolutepath] $ssl_build_dir = $certs::ssl_build_dir,
|
||
|
String $group = $certs::group,
|
||
|
String $owner = $certs::user,
|
||
|
String $group = $certs::group,
|
||
|
Stdlib::Absolutepath $katello_server_ca_cert = $certs::katello_server_ca_cert,
|
||
|
Stdlib::Absolutepath $ca_key = $certs::ca_key,
|
||
|
Stdlib::Absolutepath $ca_cert = $certs::ca_cert,
|
||
| ... | ... | |
|
String $ca_key_password = $certs::ca_key_password,
|
||
|
Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
|
||
|
) {
|
||
|
$server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt"
|
||
|
|
||
|
file { "${certs::pki_dir}/private/${default_ca_name}.pwd":
|
||
|
ensure => absent,
|
||
|
}
|
||
| ... | ... | |
|
}
|
||
|
$default_ca = Ca[$default_ca_name]
|
||
|
|
||
|
if $server_cert {
|
||
|
ca { $server_ca_name:
|
||
|
ensure => present,
|
||
|
generate => $generate,
|
||
|
deploy => false,
|
||
|
custom_pubkey => $certs::server_ca_cert,
|
||
|
build_dir => $certs::ssl_build_dir,
|
||
|
if $certs::server_ca_cert {
|
||
|
file { $server_ca_path:
|
||
|
ensure => file,
|
||
|
source => $certs::server_ca_cert,
|
||
|
owner => 'root',
|
||
|
group => 'root',
|
||
|
mode => '0644',
|
||
|
}
|
||
|
} else {
|
||
|
ca { $server_ca_name:
|
||
|
ensure => present,
|
||
|
generate => $generate,
|
||
|
deploy => false,
|
||
|
custom_pubkey => "${certs::ssl_build_dir}/${default_ca_name}.crt",
|
||
|
build_dir => $certs::ssl_build_dir,
|
||
|
file { $server_ca_path:
|
||
|
ensure => file,
|
||
|
source => "${certs::ssl_build_dir}/${default_ca_name}.crt",
|
||
|
owner => 'root',
|
||
|
group => 'root',
|
||
|
mode => '0644',
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if $generate {
|
||
|
file { "${ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
|
||
|
file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
|
||
|
ensure => link,
|
||
|
target => "${ssl_build_dir}/${server_ca_name}.crt",
|
||
|
require => Ca[$server_ca_name],
|
||
|
target => $server_ca_path,
|
||
|
require => File[$server_ca_path],
|
||
|
}
|
||
|
}
|
||
|
|
||
| ... | ... | |
|
|
||
|
file { $katello_server_ca_cert:
|
||
|
ensure => file,
|
||
|
source => "${certs::ssl_build_dir}/${server_ca_name}.crt",
|
||
|
source => $server_ca_path,
|
||
|
owner => $owner,
|
||
|
group => $group,
|
||
|
mode => '0644',
|
||
| spec/acceptance/certs_spec.rb | ||
|---|---|---|
|
it { should_not exist }
|
||
|
end
|
||
|
end
|
||
|
|
||
|
context 'with server CA cert' do
|
||
|
before(:context) do
|
||
|
source_path = "fixtures/example.partial.solutions-chain.pem"
|
||
|
dest_path = "/server-ca.crt"
|
||
|
scp_to(hosts, source_path, dest_path)
|
||
|
end
|
||
|
|
||
|
it_behaves_like 'an idempotent resource' do
|
||
|
let(:manifest) do
|
||
|
<<-PUPPET
|
||
|
class { 'certs':
|
||
|
server_ca_cert => '/server-ca.crt',
|
||
|
}
|
||
|
PUPPET
|
||
|
end
|
||
|
end
|
||
|
|
||
|
describe x509_certificate('/root/ssl-build/katello-server-ca.crt') do
|
||
|
it { should be_certificate }
|
||
|
# Doesn't have to be valid - can be expired since it's a static resource
|
||
|
it { should have_purpose 'CA' }
|
||
|
its(:issuer) { should eq('CN = Fake LE Root X1') }
|
||
|
its(:subject) { should eq('CN = Fake LE Intermediate X1') }
|
||
|
its(:keylength) { should be >= 2048 }
|
||
|
end
|
||
|
end
|
||
|
end
|
||
Also available in: Unified diff
Copy the server CA certificate with file resource