diff --git a/.fixtures.yml b/.fixtures.yml
new file mode 100644
index 00000000..bc2bbbbb
--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,7 @@
+fixtures:
+ repositories:
+ stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+ foreman: "git://github.com/theforeman/puppet-foreman.git"
+ common: "git://github.com/katello/puppet-common.git"
+ symlinks:
+ certs: "#{source_dir}"
diff --git a/.gitignore b/.gitignore
index 27254b81..133e989c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,6 @@
 .vagrant
 *.swp
 *.swo
-*.swm
-*.swn
 .bundle
 vendor/
diff --git a/.travis.yml b/.travis.yml
index 4dc4d3bc..028725a0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,5 +1,31 @@
+---
 language: ruby
+bundler_args: --without development
+before_install: rm Gemfile.lock || true
 rvm:
+ - 1.8.7
 - 1.9.3
-script:
- - rake lint
+ - 2.0.0
+ - 2.1.0
+script: bundle exec rake test
+env:
+ - PUPPET_VERSION="~> 2.7.0"
+ - PUPPET_VERSION="~> 3.2.0"
+ - PUPPET_VERSION="~> 3.3.0"
+ - PUPPET_VERSION="~> 3.4.0"
+ - PUPPET_VERSION="~> 3.5.0"
+ - PUPPET_VERSION="~> 3.6.0"
+matrix:
+ exclude:
+ - rvm: 1.9.3
+ env: PUPPET_VERSION="~> 2.7.0"
+ - rvm: 2.0.0
+ env: PUPPET_VERSION="~> 2.7.0"
+ - rvm: 2.1.0
+ env: PUPPET_VERSION="~> 2.7.0"
+ - rvm: 2.1.0
+ env: PUPPET_VERSION="~> 3.2.0"
+ - rvm: 2.1.0
+ env: PUPPET_VERSION="~> 3.3.0"
+ - rvm: 2.1.0
+ env: PUPPET_VERSION="~> 3.4.0"
diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 00000000..f5f6a8c9
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1 @@
+2014-07-27 Release 0.1.0
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 00000000..e329c37f
--- /dev/null
+++ b/CONTRIBUTING.md
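Review bot: The three `repositories:` entries in .fixtures.yml fetch stdlib, foreman and common over `git://`, an unauthenticated and unencrypted transport, so whatever answers on the wire becomes the code the spec run loads alongside this module; the same repositories are reachable as `https://github.com/puppetlabs/puppetlabs-stdlib.git` and so on, which keeps the fixture set identical over an authenticated channel. None of the entries is pinned either, so the fixtures follow upstream HEAD and a red build may have nothing to do with this module; if I remember puppetlabs_spec_helper's hash form correctly, an entry written as `stdlib: { repo: "<url>", ref: "<tag-or-sha>" }` pins it. The `certs: "#{source_dir}"` symlink matches the `certs::*` class namespace used by the manifests and looks right.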
@@ -0,0 +1,87 @@ +This module has grown over time based on a range of contributions from +people using it. If you follow these contributing guidelines your patch +will likely make it into a release a little quicker. + + +## Contributing + +1. Fork the repo. + +2. Run the tests. We only take pull requests with passing tests, and + it's great to know that you have a clean slate + +3. Add a test for your change. Only refactoring and documentation + changes require no new tests. If you are adding functionality + or fixing a bug, please add a test. + +4. Make the test pass. + +5. Open an issue here - http://projects.theforeman.org/projects/katello/issues/new + +6. Ensure commit message begins with 'Fixes #' + +5. Push to your fork andaa submit a pull request. + + +## Dependencies + +The testing and development tools have a bunch of dependencies, +all managed by [bundler](http://bundler.io/) according to the +[Puppet support matrix](http://docs.puppetlabs.com/guides/platforms.html#ruby-versions). + +By default the tests use a baseline version of Puppet. + +If you have Ruby 2.x or want a specific version of Puppet, +you must set an environment variable such as: + + export PUPPET_VERSION="~> 3.2.0" + +Install the dependencies like so... + + bundle install + +## Syntax and style + +The test suite will run [Puppet Lint](http://puppet-lint.com/) and +[Puppet Syntax](https://github.com/gds-operations/puppet-syntax) to +check various syntax and style things. You can run these locally with: + + bundle exec rake lint + bundle exec rake syntax + +## Running the unit tests + +The unit test suite covers most of the code, as mentioned above please +add tests if you're adding new functionality. If you've not used +[rspec-puppet](http://rspec-puppet.com/) before then feel free to ask +about how best to test your new feature. 
Running the test suite is done +with: + + bundle exec rake spec + +Note also you can run the syntax, style and unit tests in one go with: + + bundle exec rake test + +## Integration tests + +The unit tests just check the code runs, not that it does exactly what +we want on a real machine. For that we're using +[beaker](https://github.com/puppetlabs/beaker). + +This fires up a new virtual machine (using vagrant) and runs a series of +simple tests against it after applying the module. You can run this +with: + + bundle exec rake acceptance + +This will run the tests on an Ubuntu 12.04 virtual machine. You can also +run the integration tests against Centos 6.5 with. + + RS_SET=centos-64-x64 bundle exec rake acceptances + +If you don't want to have to recreate the virtual machine every time you +can use `BEAKER_DESTROY=no` and `BEAKER_PROVISION=no`. On the first run you will +at least need `BEAKER_PROVISION` set to yes (the default). The Vagrantfile +for the created virtual machines will be in `.vagrant/beaker_vagrant_fies`.
+
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
new file mode 100644
index 00000000..51e2c7e2
--- /dev/null
+++ b/CONTRIBUTORS
@@ -0,0 +1,7 @@
+Ivan Necas @iNecas
+Eric D Helms @ehelms
+Justin Sherrill @jlsherrill
+Dustin Tsang @dustint-rh
+Jason Montleon @jmontleon
+Alex Wood @awood
+Og Maciel @omaciel
diff --git a/Gemfile b/Gemfile
index 7cc9b7cd..1a01c128 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,11 +1,20 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
-if ENV.key?('PUPPET_VERSION')
- puppetversion = "~> #{ENV['PUPPET_VERSION']}"
-else
- puppetversion = ['>= 2.6']
+group :test do
+ gem "rake"
+ gem "puppet", ENV['PUPPET_VERSION'] || '~> 3.4.0'
+ gem "puppet-lint"
+ gem "rspec-puppet", :git => 'https://github.com/rodjek/rspec-puppet.git'
+ gem "puppet-syntax"
+ gem "puppetlabs_spec_helper"
 end
-gem 'rake'
-gem 'puppet', puppetversion
-gem 'puppet-lint', '~> 0.3.2'
+group :development do
+ gem "travis"
+ gem "travis-lint"
+ gem "beaker"
+ gem "beaker-rspec"
+ gem "vagrant-wrapper"
+ gem "puppet-blacksmith"
+ gem "guard-rake"
+end
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..9e46801d
--- /dev/null
+++ b/README.md
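Review bot: `gem "rspec-puppet", :git => 'https://github.com/rodjek/rspec-puppet.git'` carries no `:ref` or `:tag`, and since .travis.yml in this commit runs `before_install: rm Gemfile.lock || true`, every CI job resolves that gem to whatever the repository's HEAD is at the time plus the newest release of each unconstrained gem, so the test toolchain is unpinned and a failure cannot be reproduced later. Pin the git source, e.g. `gem "rspec-puppet", :git => 'https://github.com/rodjek/rspec-puppet.git', :ref => '<known-good-commit>'`, or drop the git source once a rubygems release has what you need. The old side's `gem 'puppet-lint', '~> 0.3.2'` constraint is also gone; if that is deliberate, a one-line comment above `gem "puppet-lint"` naming the minimum version the Rakefile's `disable_*` checks rely on would spare the next person a guess.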
@@ -0,0 +1,41 @@
+####Table of Contents
+
+1. [Overview](#overview)
+2. [Setup - The basics of getting started with certs](#setup)
+ * [What certs affects](#what-certs-affects)
+ * [Setup requirements](#setup-requirements)
+ * [Beginning with certs](#beginning-with-certs)
+3. [Usage - Configuration options and additional functionality](#usage)
+4. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
+5. [Limitations - OS compatibility, etc.](#limitations)
+6. [Development - Guide for contributing to the module](#development)
+
+##Overview
+
+This module handles creating and deploying certificates based on a central CA.
+
+##Setup
+
+###What certs affects
+
+* Installs and deploys a CA
+* Deploys certificates generated from the CA
+
+###Beginning with certs
+
+The very basic steps needed for a user to get the module up and running.
+
+If your most recent release breaks compatibility or requires particular steps for upgrading, you may wish to include an additional section here: Upgrading (For an example, see http://forge.puppetlabs.com/puppetlabs/firewall).
+
+##Usage
+
+##Reference
+
+##Limitations
+
+* EL6 (RHEL6 / CentOS 6)
+
+##Development
+
+See the CONTRIBUTING guide for steps on how to make a change and get it accepted upstream.
+
diff --git a/Rakefile b/Rakefile
index 2b0c8381..b7934ece 100644
--- a/Rakefile
+++ b/Rakefile
@@ -1,8 +1,44 @@
+require 'puppetlabs_spec_helper/rake_tasks'
 require 'puppet-lint/tasks/puppet-lint'
+require 'puppet-syntax/tasks/puppet-syntax'
+
+# These two gems aren't always present, for instance
+# on Travis with --without development
+begin
+ require 'puppet_blacksmith/rake_tasks'
+rescue LoadError
+end
-PuppetLint.configuration.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}'
-PuppetLint.configuration.fail_on_warnings = true
-PuppetLint.configuration.send("disable_class_inherits_from_params_class")
 PuppetLint.configuration.send("disable_80chars")
+PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}"
+PuppetLint.configuration.fail_on_warnings = true
+
+# Forsake support for Puppet 2.6.2 for the benefit of cleaner code.
+# http://puppet-lint.com/checks/class_parameter_defaults/
+PuppetLint.configuration.send('disable_class_parameter_defaults')
+# http://puppet-lint.com/checks/class_inherits_from_params_class/
+PuppetLint.configuration.send('disable_class_inherits_from_params_class')
+# http://puppet-lint.com/checks/autoloader_layout/
+PuppetLint.configuration.send('disable_autoloader_layout')
+# http://puppet-lint.com/checks/inherits_across_namespaces/
+PuppetLint.configuration.send('disable_inherits_across_namespaces')
+
+exclude_paths = [
+ "pkg/**/*",
+ "vendor/**/*",
+ "spec/**/*",
+]
+PuppetLint.configuration.ignore_paths = exclude_paths
+PuppetSyntax.exclude_paths = exclude_paths
+
+desc "Run acceptance tests"
+RSpec::Core::RakeTask.new(:acceptance) do |t|
+ t.pattern = 'spec/acceptance'
+end
-task :default => [:lint]
+desc "Run syntax, lint, and spec tests."
+task :test => [
+ :syntax,
+ :lint,
+ :spec,
+]
diff --git a/manifests/apache.pp b/manifests/apache.pp
index a6deb9f9..a6a5ba14 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
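Review bot: The comment `# These two gems aren't always present, for instance` introduces a `begin` block that requires only `puppet_blacksmith/rake_tasks`, so the prose and the code disagree; either reword it to `# puppet-blacksmith isn't always present, for instance` / `# on Travis with --without development` or add the second optional require it refers to. The empty `rescue LoadError` reads as deliberate best-effort loading of release tooling, and a short comment inside it (`# optional: release tasks only`) would make that intent explicit rather than looking like a swallowed error. `RSpec::Core::RakeTask` is used without a matching require in this file, which I take to arrive via `puppetlabs_spec_helper/rake_tasks`; worth confirming, since `task :default => [:lint]` is removed here and a bare `rake` now depends on whatever default that helper defines.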
@@ -13,14 +13,14 @@ if $::certs::server_cert { cert { $apache_cert_name: - ensure => present, - hostname => $hostname, - generate => $generate, - deploy => $deploy, - regenerate => $regenerate, - custom_pubkey => $::certs::server_cert, - custom_privkey => $::certs::server_key, - custom_req => $::certs::server_cert_req, + ensure => present, + hostname => $hostname, + generate => $generate, + deploy => $deploy, + regenerate => $regenerate, + custom_pubkey => $::certs::server_cert, + custom_privkey => $::certs::server_key, + custom_req => $::certs::server_cert_req, } } else { cert { $apache_cert_name: @@ -51,9 +51,9 @@ notify => Service['httpd'] } ~> privkey { $apache_key: - ensure => present, - key_pair => Cert[$apache_cert_name], - notify => Service['httpd'] + ensure => present, + key_pair => Cert[$apache_cert_name], + notify => Service['httpd'] } -> file { $apache_key: owner => $::apache::user, diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp index 22905a11..4a68aa89 100644 --- a/manifests/candlepin.pp +++ b/manifests/candlepin.pp @@ -55,15 +55,15 @@ mode => '0440', } ~> exec { 'candlepin-generate-ssl-keystore': - command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${certs::ca_key_password_file}\" ", - creates => $keystore, + command => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${certs::ca_key_password_file}\" ", + creates => $keystore, } ~> file { "/usr/share/${candlepin::tomcat}/conf/keystore": - ensure => link, - target => $keystore, - owner => 'tomcat', - group => $::certs::group, - notify => Service[$candlepin::tomcat] + ensure => link, + target => $keystore, + owner => 'tomcat', + group => $::certs::group, + notify => Service[$candlepin::tomcat] } Cert[$java_client_cert_name] ~> 
@@ -91,21 +91,21 @@ require => Service['qpidd'], } ~> exec { 'import CA into Candlepin truststore': - command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${certs::default_ca_name} -file ${ca_cert} -noprompt", - creates => $amqp_truststore, + command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${certs::default_ca_name} -file ${ca_cert} -noprompt", + creates => $amqp_truststore, } ~> exec { 'import client certificate into Candlepin keystore': # Stupid keytool doesn't allow you to import a keypair. You can only import a cert. Hence, we have to # create the store as an PKCS12 and convert to JKS. See http://stackoverflow.com/a/8224863 - command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12", - unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias ${certs::default_ca_name}", + command => "openssl pkcs12 -export -name amqp-client -in ${client_cert} -inkey ${client_key} -out /tmp/keystore.p12 -passout file:${password_file} && keytool -importkeystore -destkeystore ${amqp_keystore} -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass ${keystore_password} -srcstorepass ${keystore_password} -noprompt && rm /tmp/keystore.p12", + unless => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias ${certs::default_ca_name}", } ~> file { $amqp_keystore: - ensure => file, - owner => 'tomcat', - group => $::certs::group, - mode => '0640', - notify => Service[$candlepin::tomcat], + ensure => file, + owner => 'tomcat', + group => $::certs::group, + mode => '0640', + notify => 
Service[$candlepin::tomcat], } } } diff --git a/manifests/config.pp b/manifests/config.pp index 7025bc47..d0f43083 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -2,24 +2,24 @@ class certs::config { file { $certs::pki_dir: - ensure => directory, - owner => 'root', - group => $certs::group, - mode => '0755', + ensure => directory, + owner => 'root', + group => $certs::group, + mode => '0755', } file { "${certs::pki_dir}/certs": - ensure => directory, - owner => 'root', - group => $certs::group, - mode => '0755', + ensure => directory, + owner => 'root', + group => $certs::group, + mode => '0755', } file { "${certs::pki_dir}/private": - ensure => directory, - owner => 'root', - group => $certs::group, - mode => '0750', + ensure => directory, + owner => 'root', + group => $certs::group, + mode => '0750', } } diff --git a/manifests/foreman.pp b/manifests/foreman.pp index 13e76a1b..b893786e 100644 --- a/manifests/foreman.pp +++ b/manifests/foreman.pp @@ -43,9 +43,9 @@ key_pair => $::certs::server_ca } ~> file { $client_key: - ensure => file, - owner => 'foreman', - mode => '0400', + ensure => file, + owner => 'foreman', + mode => '0400', } $foreman_config_cmd = "${::foreman::app_root}/script/foreman-config\ diff --git a/manifests/foreman_proxy.pp b/manifests/foreman_proxy.pp index 9e68e67e..15e33f47 100644 --- a/manifests/foreman_proxy.pp +++ b/manifests/foreman_proxy.pp 
@@ -15,14 +15,14 @@ if $::certs::server_cert { cert { $proxy_cert_name: - ensure => present, - hostname => $::certs::foreman_proxy::hostname, - generate => $generate, - regenerate => $regenerate, - deploy => $deploy, - custom_pubkey => $::certs::server_cert, - custom_privkey => $::certs::server_key, - custom_req => $::certs::server_cert_req, + ensure => present, + hostname => $::certs::foreman_proxy::hostname, + generate => $generate, + regenerate => $regenerate, + deploy => $deploy, + custom_pubkey => $::certs::server_cert, + custom_privkey => $::certs::server_key, + custom_req => $::certs::server_cert_req, } } else { # cert for ssl of foreman-proxy @@ -59,10 +59,10 @@ notify => Service['foreman-proxy'], } ~> file { $proxy_key: - ensure => file, - owner => 'foreman-proxy', - group => $certs::group, - mode => '0400' + ensure => file, + owner => 'foreman-proxy', + group => $certs::group, + mode => '0400' } ~> Service['foreman-proxy'] diff --git a/manifests/init.pp b/manifests/init.pp index df05ed39..9312364b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -179,17 +179,17 @@ Ca[$default_ca_name] ~> pubkey { $ca_cert: - key_pair => $default_ca + key_pair => $default_ca } ~> pubkey { $ca_cert_stripped: - strip => true, - key_pair => $default_ca + strip => true, + key_pair => $default_ca } ~> file { $ca_cert: - ensure => file, - owner => 'root', - group => $certs::group, - mode => '0644', + ensure => file, + owner => 'root', + group => $certs::group, + mode => '0644', } if $generate { @@ -200,10 +200,10 @@ password_file => $ca_key_password_file } ~> file { $ca_key: - ensure => file, - owner => 'root', - group => $certs::group, - mode => '0440', + ensure => file, + owner => 'root', + group => $certs::group, + mode => '0440', } } } diff --git a/manifests/pulp_child.pp b/manifests/pulp_child.pp index 6607f7ea..e802756f 100644 --- a/manifests/pulp_child.pp +++ b/manifests/pulp_child.pp 
@@ -51,9 +51,9 @@ key_pair => Cert["${::certs::pulp_child::hostname}-qpid-client-cert"], } ~> file { $pulp::messaging_client_cert: - owner => 'apache', - group => 'apache', - mode => '0640', + owner => 'apache', + group => 'apache', + mode => '0640', } } diff --git a/manifests/pulp_parent.pp b/manifests/pulp_parent.pp index 34d1cee5..75d56fef 100644 --- a/manifests/pulp_parent.pp +++ b/manifests/pulp_parent.pp @@ -68,9 +68,9 @@ key_pair => Cert["${::certs::pulp_parent::hostname}-qpid-client-cert"], } ~> file { $messaging_client_cert: - owner => 'apache', - group => 'apache', - mode => '0640', + owner => 'apache', + group => 'apache', + mode => '0640', } -> Class['pulp::config'] } diff --git a/manifests/puppet.pp b/manifests/puppet.pp index b617aea2..8b6ec857 100644 --- a/manifests/puppet.pp +++ b/manifests/puppet.pp @@ -44,9 +44,9 @@ key_pair => $::certs::server_ca } ~> file { $client_key: - ensure => file, - owner => 'puppet', - mode => '0400', + ensure => file, + owner => 'puppet', + mode => '0400', } } diff --git a/manifests/qpid.pp b/manifests/qpid.pp index 7282d8c4..1cb4093d 100644 --- a/manifests/qpid.pp +++ b/manifests/qpid.pp @@ -44,10 +44,10 @@ key_pair => Cert["${::certs::qpid::hostname}-qpid-broker"] } ~> file { $client_key: - ensure => file, - owner => 'root', - group => 'apache', - mode => '0440', + ensure => file, + owner => 'root', + group => 'apache', + mode => '0440', } ~> file { $::certs::nss_db_dir: ensure => directory, @@ -61,10 +61,10 @@ creates => $nss_db_password_file } -> file { $nss_db_password_file: - ensure => file, - owner => 'root', - group => 'qpidd', - mode => '0640', + ensure => file, + owner => 'root', + group => 'qpidd', + mode => '0640', } ~> exec { 'create-nss-db': command => "certutil -N -d '${::certs::nss_db_dir}' -f '${nss_db_password_file}'", 
@@ -77,9 +77,9 @@ refreshonly => true, } ~> file { $nssdb_files: - owner => 'root', - group => 'qpidd', - mode => '0640', + owner => 'root', + group => 'qpidd', + mode => '0640', } ~> exec { 'add-broker-cert-to-nss-db': command => "certutil -A -d '${::certs::nss_db_dir}' -n 'broker' -t ',,' -a -i '${client_cert}'",
diff --git a/metadata.json b/metadata.json
new file mode 100644
index 00000000..2def2b14
--- /dev/null
+++ b/metadata.json
@@ -0,0 +1,24 @@
+{
+ "name": "katello-certs",
+ "version": "0.1.0",
+ "author": "Katello",
+ "summary": "Deploys CA and required certs for a Foreman and Katello installation.",
+ "license": "GPLv3+",
+ "source": "https://github.com/Katello/puppet-certs.git",
+ "project_page": "https://github.com/Katello/puppet-certs",
+ "issues_url": "http://projects.theforeman.org/projects/katello/issues",
+ "dependencies": [
+ {
+ "name": "puppetlabs-stdlib",
+ "version_requirement": ">= 1.0.0"
+ },
+ {
+ "name": "theforeman-foreman",
+ "version_requirement": ">= 1.5.0"
+ },
+ {
+ "name": "katello-common",
+ "version_requirement": ">= 0.1.0"
+ }
+ ]
+}
diff --git a/spec/classes/certs_spec.rb b/spec/classes/certs_spec.rb
new file mode 100644
index 00000000..234c25f6
--- /dev/null
+++ b/spec/classes/certs_spec.rb
@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe 'certs' do
+
+ context 'on redhat' do
+ let :facts do
+ {
+ :concat_basedir => '/tmp',
+ :operatingsystem => 'RedHat',
+ :operatingsystemrelease => '6.4',
+ :operatingsystemmajrelease => '6.4',
+ :osfamily => 'RedHat',
+ }
+ end
+
+ it { should contain_class('certs::install') }
+ it { should contain_class('certs::config') }
+ end
+
+end
diff --git a/spec/classes/coverage_spec.rb b/spec/classes/coverage_spec.rb
new file mode 100644
index 00000000..12513b83
--- /dev/null
+++ b/spec/classes/coverage_spec.rb
@@ -0,0 +1 @@
+at_exit { RSpec::Puppet::Coverage.report! }
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 00000000..2c6f5664
--- /dev/null
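Review bot: In spec/classes/certs_spec.rb the fact `:operatingsystemmajrelease => '6.4'` is a value Facter never reports — the major-release fact for an EL 6.4 host is `'6'` — so any manifest logic keyed on it is exercised against a combination no real node produces; change the line to `:operatingsystemmajrelease => '6',` and keep `:operatingsystemrelease => '6.4'` as the full version. The two `contain_class` examples only assert that `certs::install` and `certs::config` are pulled in, which is a reasonable smoke test for a first spec but says nothing about the file modes and ownership the manifests set; a follow-up `contain_file(...).with_mode(...)` example for the private key directory would pin the part that matters most.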
+++ b/spec/spec_helper.rb
@@ -0,0 +1 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
new file mode 100644
index 00000000..e580c573
--- /dev/null
+++ b/spec/spec_helper_acceptance.rb
@@ -0,0 +1,24 @@
+require 'beaker-rspec/spec_helper'
+require 'beaker-rspec/helpers/serverspec'
+
+hosts.each do |host|
+ # Install Puppet
+ install_puppet
+end
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Readable test descriptions
+ c.formatter = :documentation
+
+ # Configure all nodes in nodeset
+ c.before :suite do
+ # Install module and dependencies
+ puppet_module_install(:source => proj_root, :module_name => 'katello_devel')
+ hosts.each do |host|
+ on host, puppet('module', 'install', 'puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] }
+ end
+ end
+end
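Review bot: `puppet_module_install(:source => proj_root, :module_name => 'katello_devel')` copies this module onto the test hosts under the name `katello_devel`, while metadata.json in the same commit names it `katello-certs` and .fixtures.yml symlinks it as `certs`; Puppet autoloads `certs::*` from a module directory named `certs`, so acceptance runs would not find these classes under the current name — use `:module_name => 'certs'`. The `before :suite` hook also installs only `puppetlabs-stdlib`, whereas metadata.json declares `theforeman-foreman` and `katello-common` as dependencies too, so either install those as well or leave a comment saying why the acceptance set does not need them. In the first loop `hosts.each do |host|` never uses `host`; `|_host|` (or dropping the block parameter) makes it clear the per-host iteration is intentional rather than a forgotten argument to `install_puppet`.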