Drop certs and ensure ownership of keys

theforeman · Jul 6, 2020 · b4699d4 · b4699d4
1 parent 148be0a
commit b4699d4
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 34 deletions.
diff --git a/manifests/application.pp b/manifests/application.pp
@@ -21,31 +21,38 @@
   Boolean $use_pulp_2_for_docker = false,
   Boolean $use_pulp_2_for_yum = false,
   Stdlib::Absolutepath $repo_export_dir = '/var/lib/pulp/katello-export',
+  Stdlib::Absolutepath $pulp_client_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt',
+  Stdlib::Absolutepath $pulp_client_cert = '/etc/foreman-pki/certs/foreman/foreman-to-pulp.crt',
+  Stdlib::Absolutepath $pulp_client_key = '/etc/foreman-pki/certs/foreman/foreman-to-pulp.key',
+  Stdlib::Absolutepath $candlepin_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt',
+  Stdlib::Absolutepath $candlepin_events_ssl_cert = '/etc/foreman-pki/certs/foreman/foreman-to-candlepin.crt',
+  Stdlib::Absolutepath $candlepin_events_ssl_key = '/etc/foreman-pki/certs/foreman/foreman-to-candlepin.key',
+  Stdlib::Absolutepath $crane_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt',
 ) {
   include foreman
-  include certs
-  include certs::apache
-  include certs::candlepin
-  include certs::foreman
-  include certs::pulp_client
   include katello::params
+  include foreman::plugin::tasks
 
-  foreman_config_entry { 'pulp_client_cert':
-    value          => $certs::pulp_client::client_cert,
-    ignore_missing => false,
-    require        => [Class['certs::pulp_client'], Foreman::Rake['db:seed']],
+  file { $candlepin_events_ssl_key:
+    group => $foreman::group,
+    mode  => '0640',
   }
 
+  file { $pulp_client_key:
+    group => $foreman::group,
+    mode  => '0640',
+  } ~>
+  foreman_config_entry { 'pulp_client_cert':
+    value          => $pulp_client_cert,
+    ignore_missing => false,
+    require        => Foreman::Rake['db:seed'],
+  } ~>
   foreman_config_entry { 'pulp_client_key':
-    value          => $certs::pulp_client::client_key,
+    value          => $pulp_client_key,
     ignore_missing => false,
-    require        => [Class['certs::pulp_client'], Foreman::Rake['db:seed']],
+    require        => Foreman::Rake['db:seed'],
   }
 
-  include foreman::plugin::tasks
-
-  Class['certs', 'certs::ca', 'certs::apache'] ~> Class['apache::service']
-
   # Used in katello.yaml.erb
   $enable_ostree = $katello::params::enable_ostree
   $enable_yum = $katello::params::enable_yum
@@ -54,15 +61,12 @@
   $enable_docker = $katello::params::enable_docker
   $enable_deb = $katello::params::enable_deb
   $pulp_url = $katello::params::pulp_url
-  $pulp_ca_cert = $certs::katello_server_ca_cert # TODO: certs::apache::...
+
   $candlepin_url = $katello::params::candlepin_url
   $candlepin_oauth_key = $katello::params::candlepin_oauth_key
   $candlepin_oauth_secret = $katello::params::candlepin_oauth_secret
-  $candlepin_ca_cert = $certs::ca_cert
-  $candlepin_events_ssl_cert = $certs::candlepin::client_cert
-  $candlepin_events_ssl_key = $certs::candlepin::client_key
+
   $crane_url = $katello::params::crane_url
-  $crane_ca_cert = $certs::katello_server_ca_cert
   $postgresql_evr_package = $katello::params::postgresql_evr_package
   $manage_db = $foreman::db_manage
 

diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
@@ -26,25 +26,26 @@
   Boolean $db_ssl = false,
   Boolean $db_ssl_verify = true,
   Boolean $manage_db = true,
+  Stdlib::Absolutepath $ca_cert = '/etc/foreman-pki/certs/candlepin/ca.crt',
+  Stdlib::Absolutepath $ca_key = '/etc/foreman-pki/certs/candlepin/ca.key',
+  Stdlib::Absolutepath $keystore_file = '/etc/foreman-pki/certs/tomcat/keystore',
+  Stdlib::Absolutepath $keystore_password_file = '/etc/foreman-pki/certs/tomcat/password',
+  Stdlib::Absolutepath $truststore_file = '/etc/foreman-pki/certs/artemis/truststore',
+  Stdlib::Absolutepath $truststore_password_file = '/etc/foreman-pki/certs/artemis/password',
 ) {
-  include certs
   include katello::params
 
-  class { 'certs::candlepin':
-    hostname => $katello::params::candlepin_host,
-  }
-
   class { 'candlepin':
     host                         => $katello::params::candlepin_host,
-    user_groups                  => $certs::candlepin::group,
     oauth_key                    => $katello::params::candlepin_oauth_key,
     oauth_secret                 => $katello::params::candlepin_oauth_secret,
-    ca_key                       => $certs::candlepin::ca_key,
-    ca_cert                      => $certs::candlepin::ca_cert,
-    keystore_file                => $certs::candlepin::keystore,
-    keystore_password            => $certs::candlepin::keystore_password,
-    truststore_password          => $certs::candlepin::keystore_password,
-    artemis_client_dn            => $certs::candlepin::artemis_client_dn,
+    ca_key                       => $ca_key,
+    ca_cert                      => $ca_cert,
+    keystore_file                => $keystore_file,
+    keystore_password            => file($keystore_password_file),
+    truststore_file              => $truststore_file,
+    truststore_password          => file($truststore_password_file),
+    artemis_client_dn            => "CN=${katello::params::candlepin_host}",
     enable_basic_auth            => false,
     consumer_system_name_pattern => '.+',
     adapter_module               => 'org.candlepin.katello.KatelloModule',
@@ -56,7 +57,6 @@
     db_ssl                       => $db_ssl,
     db_ssl_verify                => $db_ssl_verify,
     manage_db                    => $manage_db,
-    subscribe                    => Class['certs', 'certs::candlepin'],
   } ->
   anchor { 'katello::candlepin': } # lint:ignore:anchor_resource
 

diff --git a/templates/katello.yaml.erb b/templates/katello.yaml.erb
@@ -25,7 +25,7 @@
 
   :pulp:
     :url: <%= @pulp_url %>
-    :ca_cert_file: <%= @pulp_ca_cert %>
+    :ca_cert_file: <%= @pulp_client_ca_cert %>
 
   :use_pulp_2_for_content_type:
     :docker: <%= @use_pulp_2_for_docker %>