From fcbf7c0b4df14149269b646b5ac8e66acd63647e Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 6 Sep 2013 17:37:03 +0200
Subject: use define instead of class for site_stunnel::setup (#3817) so it can be called multiple times

---
 puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +-
 puppet/modules/site_mx/manifests/couchdb.pp | 2 +-
 puppet/modules/site_stunnel/manifests/setup.pp | 2 +-
 puppet/modules/site_webapp/manifests/couchdb.pp | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index d982013e..481da279 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -27,7 +27,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
 
   # basic setup: ensure cert, key, ca files are in place, and some generic
   # stunnel things are done
-  class { 'site_stunnel::setup':
+  site_stunnel::setup { 'couchdb_couchdb':
     cert_name => $cert_name,
     key => $key,
     cert => $cert,
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp
index f842ceab..85db7327 100644
--- a/puppet/modules/site_mx/manifests/couchdb.pp
+++ b/puppet/modules/site_mx/manifests/couchdb.pp
@@ -15,7 +15,7 @@ class site_mx::couchdb {
   $cert_path = "${x509::variables::certs}/${cert_name}.crt"
   $key_path = "${x509::variables::keys}/${cert_name}.key"
 
-  class { 'site_stunnel::setup':
+  site_stunnel::setup {'mx_couchdb':
     cert_name => $cert_name,
     key => $key,
     cert => $cert,
diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp
index 92eeb425..7fd18d47 100644
--- a/puppet/modules/site_stunnel/manifests/setup.pp
+++ b/puppet/modules/site_stunnel/manifests/setup.pp
@@ -1,4 +1,4 @@
-class site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) {
+define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) {
 
   include site_stunnel
 
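Review bot: Declaring site_stunnel::setup as a define does not by itself make it safe to call more than once on a node, because the resources in its body (outside this hunk; the deletion of setup.pp in 3e5e6852 shows them) are `x509::key { $cert_name: ... }` and `x509::cert { $cert_name: ... }`, so two declarations with the same cert_name collide as duplicate resources, and two of the three callers (site_couchdb::stunnel and site_mx::couchdb, per the later hunks) both use `'leap_couchdb'`. If distinct cert_names per declaration are the intended contract, state it in the define, e.g. `# one declaration per cert_name: the x509::key and x509::cert resources below are titled by it`. The define's body continues outside the hunk, and the define is removed again in 3e5e6852, so this affects only the intermediate revisions.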
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index ac01a5bc..4bafc7f3 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -60,7 +60,7 @@ class site_webapp::couchdb {
     mode => '0744';
   }
 
-  class { 'site_stunnel::setup':
+  site_stunnel::setup { 'webapp_couchdb':
     cert_name => $cert_name,
     key => $key,
     cert => $cert,
-- 
cgit v1.2.3

From 4d58a02c83baf0ce0a9ecb349d998aa3dad9493f Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 13 Sep 2013 14:17:20 +0200
Subject: deploy default x509::ca leap_ca in site_config::default (#3817)

---
 puppet/modules/site_config/manifests/default.pp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 0a4e75b6..dd0d37f7 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -55,4 +55,15 @@ class site_config::default {
     include site_squid_deb_proxy::client
   }
 
+  # Set up leap ca
+  $x509 = hiera('x509')
+  $ca = $x509['ca_cert']
+  $ca_name = 'leap_ca'
+
+  x509::ca { $ca_name:
+    content => $ca,
+    before => [
+      Class['Site_openvpn::Keys'],
+      Class['Site_stunnel'] ]
+  }
 }
-- 
cgit v1.2.3

From a6c19295e276da865f6c66963ed761d3ebc7dc99 Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 13 Sep 2013 14:17:54 +0200
Subject: remove x509::ca for leap_ca in site_openvpn::keys and site_stunnel::stunnel (#3817)

---
 puppet/modules/site_openvpn/manifests/keys.pp | 6 ------
 puppet/modules/site_stunnel/manifests/setup.pp | 6 ------
 2 files changed, 12 deletions(-)

diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index f3c5b423..864bbd9b 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
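Review bot: `before => [ Class['Site_openvpn::Keys'], Class['Site_stunnel'] ]` on the new x509::ca resource in the default.pp hunk references two classes this hunk does not declare; on any node where site_config::default is applied without site_openvpn or site_stunnel in the catalog, the run fails with a missing-dependency error, so the ordering belongs in those classes (for instance `X509::Ca['leap_ca'] -> Service['openvpn']` inside site_openvpn::keys) rather than here. The per-service declarations this centralises (removed in a6c19295) also carried `notify => Service[openvpn]` and `notify => Service['stunnel']`, which `before` does not replace: a rotated CA is written to disk but neither service picks it up until something else restarts it. The enclosing class continues outside the hunk.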
@@ -12,12 +12,6 @@ class site_openvpn::keys {
     notify => Service[openvpn];
   }
 
-  x509::ca {
-    'leap_ca':
-      content => $site_openvpn::x509_config['ca_cert'],
-      notify => Service[openvpn];
-  }
-
   file { '/etc/openvpn/keys/dh.pem':
     content => $site_openvpn::x509_config['dh'],
     mode => '0644',
diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp
index 7fd18d47..2309800b 100644
--- a/puppet/modules/site_stunnel/manifests/setup.pp
+++ b/puppet/modules/site_stunnel/manifests/setup.pp
@@ -14,11 +14,5 @@ define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) {
     notify => Service['stunnel'];
   }
 
-  x509::ca {
-    $ca_name:
-      content => $ca,
-      notify => Service['stunnel'];
-  }
-
 }
 
-- 
cgit v1.2.3

From 3a9569ca027dccef87509323f08407e60039d9a9 Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 13 Sep 2013 15:55:09 +0200
Subject: Deploy default x509 cert + key that services can use (Feature #3836)

---
 puppet/modules/site_config/manifests/default.pp | 13 ++-----------
 puppet/modules/site_config/manifests/params.pp | 3 +++
 puppet/modules/site_config/manifests/x509.pp | 19 +++++++++++++++++++
 3 files changed, 24 insertions(+), 11 deletions(-)
 create mode 100644 puppet/modules/site_config/manifests/x509.pp

diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index dd0d37f7..b315044a 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -55,15 +55,6 @@ class site_config::default {
     include site_squid_deb_proxy::client
   }
 
-  # Set up leap ca
-  $x509 = hiera('x509')
-  $ca = $x509['ca_cert']
-  $ca_name = 'leap_ca'
-
-  x509::ca { $ca_name:
-    content => $ca,
-    before => [
-      Class['Site_openvpn::Keys'],
-      Class['Site_stunnel'] ]
-  }
+  include site_config::x509
+
 }
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index 237ee454..20697042 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -22,4 +22,7 @@ class site_config::params {
   else {
     fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
   }
+
+  $ca_name = 'leap_ca'
+  $cert_name = 'leap'
 }
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
new file mode 100644
index 00000000..879285dd
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509.pp
@@ -0,0 +1,19 @@
+class site_config::x509 {
+
+  $x509 = hiera('x509')
+  $key = $x509['key']
+  $cert = $x509['cert']
+  $ca = $x509['ca_cert']
+
+  x509::key { $site_config::params::cert_name:
+    content => $key
+  }
+
+  x509::cert { $site_config::params::cert_name:
+    content => $cert
+  }
+
+  x509::ca { $site_config::params::ca_name:
+    content => $ca
+  }
+}
-- 
cgit v1.2.3

From 3e5e685200e9b5c3ac8567100e552929ea55d8e8 Mon Sep 17 00:00:00 2001
From: varac
Date: Fri, 13 Sep 2013 16:20:07 +0200
Subject: setup stunnel config to use default x509 cert,key+ca (#3837)

* fix stunnel setups for couchdb, mx, webapp services
---
 puppet/modules/site_couchdb/manifests/init.pp | 11 +---------
 puppet/modules/site_couchdb/manifests/stunnel.pp | 20 ++++----------------
 puppet/modules/site_mx/manifests/couchdb.pp | 20 ++++----------------
 puppet/modules/site_stunnel/manifests/setup.pp | 18 ------------------
 puppet/modules/site_webapp/manifests/couchdb.pp | 8 +------
 5 files changed, 10 insertions(+), 67 deletions(-)
 delete mode 100644 puppet/modules/site_stunnel/manifests/setup.pp

diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 43abd616..6bc4f6a3 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
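Review bot: site_config::x509 installs the node's private key, certificate and CA with `x509::key`, `x509::cert` and `x509::ca` but declares no relationship with the services that read those files, whereas the site_stunnel::setup define it replaces (deleted in 3e5e6852) had `notify => Service['stunnel']` on both key and cert and the `before` list in default.pp is dropped in this same commit; after the series, key material rotated through hiera is written to disk without stunnel reloading it, and unless the stunnel module orders this itself nothing guarantees the files exist before Service['stunnel'] first starts. The same gap applies to the site_couchdb::stunnel and site_mx::couchdb hunks of 3e5e6852, which now build their paths from these files. The class also reads `$site_config::params::cert_name` and `$site_config::params::ca_name` without an `include site_config::params`; that works only if params is evaluated earlier (the caller in default.pp is outside this hunk), otherwise the lookups would be undef and the resource titles empty. Adding `include site_config::params` at the top of the class plus a header comment stating that consumers must declare `X509::Key[$site_config::params::cert_name] ~> Service[...]` (and the cert/ca equivalents) themselves would close both; whether x509::key applies a restrictive mode to the private key is not visible in this patch and is worth confirming.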
@@ -1,11 +1,6 @@
 class site_couchdb {
   tag 'leap_service'
 
-  $x509 = hiera('x509')
-  $key = $x509['key']
-  $cert = $x509['cert']
-  $ca = $x509['ca_cert']
-
   $couchdb_config = hiera('couch')
   $couchdb_users = $couchdb_config['users']
   $couchdb_admin = $couchdb_users['admin']
@@ -44,11 +39,7 @@ class site_couchdb {
   -> Couchdb::Add_user[$couchdb_webapp_user]
   -> Couchdb::Add_user[$couchdb_soledad_user]
 
-  class { 'site_couchdb::stunnel':
-    key => $key,
-    cert => $cert,
-    ca => $ca
-  }
+  class { 'site_couchdb::stunnel': }
 
   class { 'site_couchdb::bigcouch::add_nodes': }
 
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index 481da279..993555cb 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -1,4 +1,4 @@
-class site_couchdb::stunnel ($key, $cert, $ca) {
+class site_couchdb::stunnel {
 
   $stunnel = hiera('stunnel')
 
@@ -19,21 +19,9 @@ class site_couchdb::stunnel ($key, $cert, $ca) {
   $ednp_clients = $stunnel['ednp_clients']
   include x509::variables
 
-  $cert_name = 'leap_couchdb'
-  $ca_name = 'leap_ca'
-  $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
-  $cert_path = "${x509::variables::certs}/${cert_name}.crt"
-  $key_path = "${x509::variables::keys}/${cert_name}.key"
-
-  # basic setup: ensure cert, key, ca files are in place, and some generic
-  # stunnel things are done
-  site_stunnel::setup { 'couchdb_couchdb':
-    cert_name => $cert_name,
-    key => $key,
-    cert => $cert,
-    ca_name => $ca_name,
-    ca => $ca
-  }
+  $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+  $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
 
   # setup a stunnel server for the webapp to connect to couchdb
   stunnel::service { 'couch_server':
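Review bot: With its parameters gone, `class { 'site_couchdb::stunnel': }` in the second init.pp hunk is a resource-like declaration of a parameterless class; `include site_couchdb::stunnel` is the idiomatic spelling and, unlike the resource-like form, does not raise a duplicate-declaration error should the class be declared from a second place. The adjacent `class { 'site_couchdb::bigcouch::add_nodes': }` is unchanged context with the same shape, so convert both or neither for consistency. The enclosing class continues outside the hunk.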
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp
index 85db7327..b1f3bd02 100644
--- a/puppet/modules/site_mx/manifests/couchdb.pp
+++ b/puppet/modules/site_mx/manifests/couchdb.pp
@@ -5,23 +5,11 @@ class site_mx::couchdb {
   $couch_client_connect = $couch_client['connect']
   include x509::variables
-  $x509 = hiera('x509')
-  $key = $x509['key']
-  $cert = $x509['cert']
-  $ca = $x509['ca_cert']
-  $cert_name = 'leap_couchdb'
-  $ca_name = 'leap_ca'
-  $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
-  $cert_path = "${x509::variables::certs}/${cert_name}.crt"
-  $key_path = "${x509::variables::keys}/${cert_name}.key"
+  $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+  $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
 
-  site_stunnel::setup {'mx_couchdb':
-    cert_name => $cert_name,
-    key => $key,
-    cert => $cert,
-    ca_name => $ca_name,
-    ca => $ca
-  }
+  include site_stunnel
 
   $couchdb_stunnel_client_defaults = {
     'connect_port' => $couch_client_connect,
diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp
deleted file mode 100644
index 2309800b..00000000
--- a/puppet/modules/site_stunnel/manifests/setup.pp
+++ /dev/null
@@ -1,18 +0,0 @@
-define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) {
-
-  include site_stunnel
-
-  x509::key {
-    $cert_name:
-      content => $key,
-      notify => Service['stunnel'];
-  }
-
-  x509::cert {
-    $cert_name:
-      content => $cert,
-      notify => Service['stunnel'];
-  }
-
-}
-
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 4bafc7f3..f9a4eb6b 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -60,13 +60,7 @@ class site_webapp::couchdb {
     mode => '0744';
   }
 
-  site_stunnel::setup { 'webapp_couchdb':
-    cert_name => $cert_name,
-    key => $key,
-    cert => $cert,
-    ca_name => $ca_name,
-    ca => $ca
-  }
+  include site_stunnel
 
   exec { 'migrate_design_documents':
     cwd => '/srv/leap/webapp',
-- 
cgit v1.2.3
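Review bot: The `$cert_name`, `$key`, `$cert`, `$ca_name` and `$ca` that the removed site_stunnel::setup declaration consumed are, per this file's diffstat (`8 +------`, one insertion and seven deletions, i.e. only this hunk), presumably still assigned further up in site_webapp::couchdb outside the hunk and are now dead. More importantly, if the class also derives its stunnel client `$cert_path`/`$key_path`/`$ca_path` from that `$cert_name` the way site_couchdb::stunnel and site_mx::couchdb did before this commit (`'leap_couchdb'`), those paths now point at files nothing deploys, because site_config::x509 installs them under `$site_config::params::cert_name` (`leap`); the two sibling classes were switched to the params names in this commit and this one was not. Please check the remainder of the class and either switch its path variables to `$site_config::params::cert_name` / `$site_config::params::ca_name` as in site_mx::couchdb or remove them, and drop the now-unused hiera `x509` lookup if one is present.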