Merge branch 'feature/add_ssl_cert_settings'

* feature/add_ssl_cert_settings:
  Add the ability to a) deploy ssl keys, b) set paths to ssl keys in jetty.ini
Ken Barber 2014-10-07 15:05:26 +01:00
commit 8cad042fb9
4 changed files with 101 additions and 14 deletions


@ -7,6 +7,15 @@ class puppetdb::params {
$ssl_listen_port = '8081'
$disable_ssl = false
$open_ssl_listen_port = undef
$ssl_dir = '/etc/puppetdb/ssl'
$ssl_set_cert_paths = false
$ssl_cert_path = "${ssl_dir}/public.pem"
$ssl_key_path = "${ssl_dir}/private.pem"
$ssl_ca_cert_path = "${ssl_dir}/ca.pem"
$ssl_deploy_certs = false
$ssl_key = undef
$ssl_cert = undef
$ssl_ca_cert = undef
$postgres_listen_addresses = 'localhost'
$database = 'postgres'
@ -68,6 +77,8 @@ class puppetdb::params {
if defined('$is_pe') and str2bool($::is_pe) == true {
$puppetdb_package = 'pe-puppetdb'
$puppetdb_service = 'pe-puppetdb'
$puppetdb_user = 'pe-puppetdb'
$puppetdb_group = 'pe-puppetdb'
$confdir = '/etc/puppetlabs/puppetdb/conf.d'
$puppet_service_name = 'pe-httpd'
$puppet_confdir = '/etc/puppetlabs/puppet'
@ -88,6 +99,8 @@ class puppetdb::params {
} else {
$puppetdb_package = 'puppetdb'
$puppetdb_service = 'puppetdb'
$puppetdb_user = 'puppetdb'
$puppetdb_group = 'puppetdb'
$confdir = '/etc/puppetdb/conf.d'
$puppet_confdir = '/etc/puppet'
$terminus_package = 'puppetdb-terminus'
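Review bot: The derived defaults `$ssl_cert_path = "${ssl_dir}/public.pem"`, `$ssl_key_path` and `$ssl_ca_cert_path` are interpolated once here from the params value of `$ssl_dir`, so a user who overrides only `ssl_dir` on `puppetdb::server` gets the directory managed at the new location while the three file paths still point into `/etc/puppetdb/ssl`. The server class would need to re-derive the three defaults from its own `$ssl_dir` when they are not given explicitly, or the parameter documentation should state that all four must be overridden together. Separately, `$ssl_dir` is fixed before the `$::is_pe` branch, so PE hosts get `/etc/puppetdb/ssl` while their `$confdir` lives under `/etc/puppetlabs/puppetdb` — presumably the PE layout keeps its ssl directory elsewhere, so worth confirming or setting `$ssl_dir` inside both branches like `$confdir`.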


@ -7,6 +7,15 @@ class puppetdb::server(
$ssl_listen_port = $puppetdb::params::ssl_listen_port,
$disable_ssl = $puppetdb::params::disable_ssl,
$open_ssl_listen_port = $puppetdb::params::open_ssl_listen_port,
$ssl_dir = $puppetdb::params::ssl_dir,
$ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths,
$ssl_cert_path = $puppetdb::params::ssl_cert_path,
$ssl_key_path = $puppetdb::params::ssl_key_path,
$ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path,
$ssl_deploy_certs = $puppetdb::params::ssl_deploy_certs,
$ssl_key = $puppetdb::params::ssl_key,
$ssl_cert = $puppetdb::params::ssl_cert,
$ssl_ca_cert = $puppetdb::params::ssl_ca_cert,
$database = $puppetdb::params::database,
$database_host = $puppetdb::params::database_host,
$database_port = $puppetdb::params::database_port,
@ -36,6 +45,8 @@ class puppetdb::server(
$puppetdb_package = $puppetdb::params::puppetdb_package,
$puppetdb_version = $puppetdb::params::puppetdb_version,
$puppetdb_service = $puppetdb::params::puppetdb_service,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
$puppetdb_service_status = $puppetdb::params::puppetdb_service_status,
$confdir = $puppetdb::params::confdir,
$manage_firewall = true,
@ -89,7 +100,6 @@ class puppetdb::server(
}
if $manage_firewall {
class { 'puppetdb::server::firewall':
http_port => $listen_port,
open_http_port => $open_listen_port,
@ -134,11 +144,50 @@ class puppetdb::server(
notify => Service[$puppetdb_service],
}
if str2bool($ssl_set_cert_paths) == true or str2bool($ssl_deploy_certs) == true {
validate_absolute_path($ssl_key_path)
validate_absolute_path($ssl_cert_path)
validate_absolute_path($ssl_ca_cert_path)
}
if str2bool($ssl_deploy_certs) == true {
validate_absolute_path($ssl_dir)
file{
$ssl_dir:
ensure => directory,
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0700';
$ssl_key_path:
ensure => file,
content => $ssl_key,
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0600';
$ssl_cert_path:
ensure => file,
content => $ssl_cert,
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0600';
$ssl_ca_cert_path:
ensure => file,
content => $ssl_ca_cert,
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0600';
}
}
class { 'puppetdb::server::jetty_ini':
listen_address => $listen_address,
listen_port => $listen_port,
ssl_listen_address => $ssl_listen_address,
ssl_listen_port => $ssl_listen_port,
ssl_set_cert_paths => $ssl_set_cert_paths,
ssl_key_path => $ssl_key_path,
ssl_cert_path => $ssl_cert_path,
ssl_ca_cert_path => $ssl_ca_cert_path,
disable_ssl => $disable_ssl,
confdir => $confdir,
max_threads => $max_threads,
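Review bot: The `$ssl_key_path` file resource manages the private key via `content => $ssl_key` without `show_diff => false`, so whenever the key changes the agent report and log can carry a diff of the old and new key material; add `show_diff => false,` to that resource (and consider `backup => false` so superseded keys are not copied into the client filebucket). Nothing in the `str2bool($ssl_deploy_certs) == true` branch checks that `$ssl_key`, `$ssl_cert` and `$ssl_ca_cert` are actually set: with the params defaults of `undef`, `ensure => file` plus an unset `content` creates empty 0600 files at the three paths instead of failing the run, so the branch should `fail()` when any of the three is undef. The three added `file` resources also carry no relationship to `Service[$puppetdb_service]`, unlike the resource just above them with `notify => Service[...]`, so a rotated key is written but the service is not restarted unless a relationship exists outside this hunk. The enclosing class body continues past the hunk.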


@ -5,6 +5,10 @@ class puppetdb::server::jetty_ini(
$ssl_listen_address = $puppetdb::params::ssl_listen_address,
$ssl_listen_port = $puppetdb::params::ssl_listen_port,
$disable_ssl = $puppetdb::params::disable_ssl,
$ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths,
$ssl_cert_path = $puppetdb::params::ssl_cert_path,
$ssl_key_path = $puppetdb::params::ssl_key_path,
$ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path,
$confdir = $puppetdb::params::confdir,
$max_threads = $puppetdb::params::max_threads,
) inherits puppetdb::params {
@ -34,6 +38,25 @@ class puppetdb::server::jetty_ini(
default => 'present',
}
if str2bool($ssl_set_cert_paths) == true {
# assume paths have been validated in calling class
ini_setting {'puppetdb_ssl_key':
ensure => present,
setting => 'ssl-key',
value => $ssl_key_path,
}
ini_setting {'puppetdb_ssl_cert':
ensure => present,
setting => 'ssl-cert',
value => $ssl_cert_path,
}
ini_setting {'puppetdb_ssl_ca_cert':
ensure => present,
setting => 'ssl-ca-cert',
value => $ssl_ca_cert_path,
}
}
ini_setting {'puppetdb_sslhost':
ensure => $ssl_setting_ensure,
setting => 'ssl-host',
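Review bot: The three added `ini_setting` resources are only declared when `str2bool($ssl_set_cert_paths) == true`, so turning the flag back off leaves previously written `ssl-key`, `ssl-cert` and `ssl-ca-cert` entries in jetty.ini unmanaged rather than removed, which is inconsistent with `puppetdb_sslhost` below that uses `ensure => $ssl_setting_ensure`. Declare them unconditionally with a computed ensure, e.g. `$cert_path_ensure = str2bool($ssl_set_cert_paths) ? { true => 'present', default => 'absent' }` and `ensure => $cert_path_ensure` in each, so the settings are withdrawn when the flag is false (whether they should also follow `$disable_ssl` as `$ssl_setting_ensure` presumably does depends on the selector ending just above the hunk). The `# assume paths have been validated in calling class` comment records a contract this class cannot enforce; either repeat the `validate_absolute_path` calls here or say in the comment that the class is private to `puppetdb::server`. The class body continues on both sides of the hunk.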


@ -1,17 +1,19 @@
# PRIVATE CLASS - do not use directly
class puppetdb::server::read_database_ini(
$database = $puppetdb::params::read_database,
$database_host = $puppetdb::params::read_database_host,
$database_port = $puppetdb::params::read_database_port,
$database_username = $puppetdb::params::read_database_username,
$database_password = $puppetdb::params::read_database_password,
$database_name = $puppetdb::params::read_database_name,
$database_ssl = $puppetdb::params::read_database_ssl,
$database = $puppetdb::params::read_database,
$database_host = $puppetdb::params::read_database_host,
$database_port = $puppetdb::params::read_database_port,
$database_username = $puppetdb::params::read_database_username,
$database_password = $puppetdb::params::read_database_password,
$database_name = $puppetdb::params::read_database_name,
$database_ssl = $puppetdb::params::read_database_ssl,
$log_slow_statements = $puppetdb::params::read_log_slow_statements,
$conn_max_age = $puppetdb::params::read_conn_max_age,
$conn_keep_alive = $puppetdb::params::read_conn_keep_alive,
$conn_lifetime = $puppetdb::params::read_conn_lifetime,
$confdir = $puppetdb::params::confdir,
$conn_max_age = $puppetdb::params::read_conn_max_age,
$conn_keep_alive = $puppetdb::params::read_conn_keep_alive,
$conn_lifetime = $puppetdb::params::read_conn_lifetime,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params {
# Only add the read database configuration if database host is defined.
@ -35,8 +37,8 @@ class puppetdb::server::read_database_ini(
file { "${confdir}/read_database.ini":
ensure => file,
owner => 'puppetdb',
group => 'puppetdb',
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0600';
}
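Review bot: Replacing the hard-coded `'puppetdb'` owner/group on `"${confdir}/read_database.ini"` with `$puppetdb_user`/`$puppetdb_group` only takes effect if the caller passes its own values; the new parameters default to `$puppetdb::params::*`, and none of the `puppetdb::server` hunks in this commit show them being passed to `puppetdb::server::read_database_ini`, so an operator override of `puppetdb_user` on `puppetdb::server` would presumably leave this file owned by the params default. Worth checking the call site outside these hunks (and the sibling database_ini class, if it has the same hard-coded owner) and threading the two parameters through. Since this file carries `$database_password`, the `mode => '0600'` kept here is the right restriction and should stay paired with the correct owner.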