From b4699d4629ab5571884d07b3cddf5f4cfc90c5f6 Mon Sep 17 00:00:00 2001 From: "Eric D. Helms" Date: Wed, 17 Jun 2020 19:54:03 +0000 Subject: [PATCH] Drop certs and ensure ownership of keys --- manifests/application.pp | 44 +++++++++++++++++++++----------------- manifests/candlepin.pp | 26 +++++++++++----------- templates/katello.yaml.erb | 2 +- 3 files changed, 38 insertions(+), 34 deletions(-) diff --git a/manifests/application.pp b/manifests/application.pp index 255a426e..53ff71a6 100644 --- a/manifests/application.pp +++ b/manifests/application.pp 
@@ -21,31 +21,38 @@ Boolean $use_pulp_2_for_docker = false, Boolean $use_pulp_2_for_yum = false, Stdlib::Absolutepath $repo_export_dir = '/var/lib/pulp/katello-export', + Stdlib::Absolutepath $pulp_client_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt', + Stdlib::Absolutepath $pulp_client_cert = '/etc/foreman-pki/certs/foreman/foreman-to-pulp.crt', + Stdlib::Absolutepath $pulp_client_key = '/etc/foreman-pki/certs/foreman/foreman-to-pulp.key', + Stdlib::Absolutepath $candlepin_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt', + Stdlib::Absolutepath $candlepin_events_ssl_cert = '/etc/foreman-pki/certs/foreman/foreman-to-candlepin.crt', + Stdlib::Absolutepath $candlepin_events_ssl_key = '/etc/foreman-pki/certs/foreman/foreman-to-candlepin.key', + Stdlib::Absolutepath $crane_ca_cert = '/etc/foreman-pki/certs/ca/ca.crt', ) { include foreman - include certs - include certs::apache - include certs::candlepin - include certs::foreman - include certs::pulp_client include katello::params + include foreman::plugin::tasks - foreman_config_entry { 'pulp_client_cert': - value => $certs::pulp_client::client_cert, - ignore_missing => false, - require => [Class['certs::pulp_client'], Foreman::Rake['db:seed']], + file { $candlepin_events_ssl_key: + group => $foreman::group, + mode => '0640', } + file { $pulp_client_key: + group => $foreman::group, + mode => '0640', + } ~> + foreman_config_entry { 'pulp_client_cert': + value => $pulp_client_cert, + ignore_missing => false, + require => Foreman::Rake['db:seed'], + } ~> foreman_config_entry { 'pulp_client_key': - value => $certs::pulp_client::client_key, + value => $pulp_client_key, ignore_missing => false, - require => [Class['certs::pulp_client'], Foreman::Rake['db:seed']], + require => Foreman::Rake['db:seed'], } - include foreman::plugin::tasks - - Class['certs', 'certs::ca', 'certs::apache'] ~> Class['apache::service'] - # Used in katello.yaml.erb $enable_ostree = $katello::params::enable_ostree $enable_yum = $katello::params::enable_yum 
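Review bot: The two new `file` resources manage `group` and `mode` of the private keys but not `owner`, although the subject line says the change is meant to ensure ownership; whichever account wrote `foreman-to-pulp.key` and `foreman-to-candlepin.key` keeps write access to them and the resource does not describe the full expected state. Add `owner => 'root',` (or whatever user foreman-pki writes these files as — confirm) to both resources so a key left owned by the wrong account is corrected instead of silently accepted. Neither resource sets `ensure`, so it is worth checking what happens on a fresh install where the key does not yet exist when the catalog is applied, and the `file { $candlepin_events_ssl_key: ... }` resource has no ordering relative to whatever reads it, unlike its sibling which is chained into the `foreman_config_entry` resources. The `katello::application` parameter list begins, and its body continues, outside this hunk.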
@@ -54,15 +61,12 @@ $enable_docker = $katello::params::enable_docker $enable_deb = $katello::params::enable_deb $pulp_url = $katello::params::pulp_url - $pulp_ca_cert = $certs::katello_server_ca_cert # TODO: certs::apache::... + $candlepin_url = $katello::params::candlepin_url $candlepin_oauth_key = $katello::params::candlepin_oauth_key $candlepin_oauth_secret = $katello::params::candlepin_oauth_secret - $candlepin_ca_cert = $certs::ca_cert - $candlepin_events_ssl_cert = $certs::candlepin::client_cert - $candlepin_events_ssl_key = $certs::candlepin::client_key + $crane_url = $katello::params::crane_url - $crane_ca_cert = $certs::katello_server_ca_cert $postgresql_evr_package = $katello::params::postgresql_evr_package $manage_db = $foreman::db_manage diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp index ec907cc8..82235c7f 100644 --- a/manifests/candlepin.pp +++ b/manifests/candlepin.pp 
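Review bot: The removed assignments drew the Pulp and Crane CA path from `$certs::katello_server_ca_cert` and the Candlepin CA path from `$certs::ca_cert`, and the deleted `# TODO: certs::apache::...` comment suggests those were not assumed to be the same CA; the replacements `$pulp_client_ca_cert`, `$crane_ca_cert` and `$candlepin_ca_cert` (declared in the earlier hunk) all default to one file, `/etc/foreman-pki/certs/ca/ca.crt`. If foreman-pki issues the Pulp or Crane server certificates from a CA other than the one in `ca/ca.crt`, TLS verification from Foreman to those services fails until the parameter is overridden, and nothing in the change documents that expectation. I would add a comment beside the three parameters such as `# Must be the CA that signed the Pulp, Crane and Candlepin *server* certificates; all three default to the foreman-pki CA bundle` so an operator supplying their own PKI knows which CA to point these at. This hunk sits inside the `katello::application` body, which starts and ends outside it.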
@@ -26,25 +26,26 @@ Boolean $db_ssl = false, Boolean $db_ssl_verify = true, Boolean $manage_db = true, + Stdlib::Absolutepath $ca_cert = '/etc/foreman-pki/certs/candlepin/ca.crt', + Stdlib::Absolutepath $ca_key = '/etc/foreman-pki/certs/candlepin/ca.key', + Stdlib::Absolutepath $keystore_file = '/etc/foreman-pki/certs/tomcat/keystore', + Stdlib::Absolutepath $keystore_password_file = '/etc/foreman-pki/certs/tomcat/password', + Stdlib::Absolutepath $truststore_file = '/etc/foreman-pki/certs/artemis/truststore', + Stdlib::Absolutepath $truststore_password_file = '/etc/foreman-pki/certs/artemis/password', ) { - include certs include katello::params - class { 'certs::candlepin': - hostname => $katello::params::candlepin_host, - } - class { 'candlepin': host => $katello::params::candlepin_host, - user_groups => $certs::candlepin::group, oauth_key => $katello::params::candlepin_oauth_key, oauth_secret => $katello::params::candlepin_oauth_secret, - ca_key => $certs::candlepin::ca_key, - ca_cert => $certs::candlepin::ca_cert, - keystore_file => $certs::candlepin::keystore, - keystore_password => $certs::candlepin::keystore_password, - truststore_password => $certs::candlepin::keystore_password, - artemis_client_dn => $certs::candlepin::artemis_client_dn, + ca_key => $ca_key, + ca_cert => $ca_cert, + keystore_file => $keystore_file, + keystore_password => file($keystore_password_file), + truststore_file => $truststore_file, + truststore_password => file($truststore_password_file), + artemis_client_dn => "CN=${katello::params::candlepin_host}", enable_basic_auth => false, consumer_system_name_pattern => '.+', adapter_module => 'org.candlepin.katello.KatelloModule', @@ -56,7 +57,6 @@ db_ssl => $db_ssl, db_ssl_verify => $db_ssl_verify, manage_db => $manage_db, - subscribe => Class['certs', 'certs::candlepin'], } -> anchor { 'katello::candlepin': } # lint:ignore:anchor_resource diff --git a/templates/katello.yaml.erb b/templates/katello.yaml.erb index 1a3b77f7..4e20a621 100644 
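Review bot: `keystore_password => file($keystore_password_file)` and `truststore_password => file($truststore_password_file)` pass the file content verbatim, so a trailing newline in the password file (usual for a file written by `echo` or a shell redirect — how foreman-pki writes it is not visible here) becomes part of the password and the keystore will not open; wrap both in `chomp(...)` (stdlib or Puppet core), e.g. `keystore_password => chomp(file($keystore_password_file)),`. `file()` also reads the secret at catalog compile time, which places it in cleartext in the compiled and cached catalog and in any report that prints the resource, so if the `candlepin` class accepts a `Sensitive` value, `Sensitive(chomp(file($keystore_password_file)))` would keep it out of logs (confirm against the module). The removed `user_groups => $certs::candlepin::group` previously put the tomcat user in the group that could read the certificate files, and nothing on the new side replaces it for `$ca_key`, `$keystore_file` or the two password files, unlike the explicit `file` resources added in application.pp — presumably foreman-pki sets that ownership itself, but it is worth confirming. `artemis_client_dn => "CN=${katello::params::candlepin_host}"` hard-codes the DN shape, so a client certificate whose subject carries additional RDNs would no longer match; whether foreman-pki emits such subjects cannot be seen here. The `class { 'candlepin': ... }` declaration continues past the end of the hunk.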
--- a/templates/katello.yaml.erb +++ b/templates/katello.yaml.erb @@ -25,7 +25,7 @@ :pulp: :url: <%= @pulp_url %> - :ca_cert_file: <%= @pulp_ca_cert %> + :ca_cert_file: <%= @pulp_client_ca_cert %> :use_pulp_2_for_content_type: :docker: <%= @use_pulp_2_for_docker %>