Parameterizing the module and removing coupling to the Katello module.

.gitignore

@@ -0,0 +1,16 @@
+.vagrant
+*.swp
+*.swo
+
+.bundle
+vendor/
+
+pkg/
+
+Gemfile.lock
+
+.rbenv*
+.rvmrc*
+.ruby-version
+
+spec/fixtures/

.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+  - 1.9.3
+script:
+  - rake lint

Gemfile

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+
+if ENV.key?('PUPPET_VERSION')
+  puppetversion = "~> #{ENV['PUPPET_VERSION']}"
+else
+  puppetversion = ['>= 2.6']
+end
+
+gem 'puppet',  puppetversion
+gem 'puppet-lint', '>=0.3.2'

Rakefile

@@ -0,0 +1,7 @@
+require 'puppet-lint/tasks/puppet-lint'
+
+PuppetLint.configuration.log_format = '%{path}:%{linenumber}:%{KIND}: %{message}'
+PuppetLint.configuration.send("disable_class_inherits_from_params_class")
+PuppetLint.configuration.send("disable_80chars")
+
+task :default => [:lint]

lib/puppet/provider/katello_ssl_tool.rb

@@ -24,6 +24,7 @@ def self.details(cert_name)
 
       passphrase_file = passphrase_file(cert_name)
       if File.exists?(passphrase_file)
+        details[:passphrase_file] = passphrase_file
         details[:passphrase] = File.read(passphrase_file).chomp
       end
 
@@ -33,7 +34,7 @@ def self.details(cert_name)
     def self.pubkey(name)
       # TODO: just temporarily until we have this changes in katello installer as well
       if name == 'candlepin-ca'
-        '/usr/share/katello/candlepin-cert.crt'
+        '/usr/share/katello/candlepin-ca.crt'
       else
         target_path("certs/#{name}.crt")
       end
@@ -169,6 +170,8 @@ class CertFile < Puppet::Provider
 
     initvars
 
+    commands :openssl => 'openssl'
+
     def exists?
       return false unless File.exists?(resource[:path])
       checksum(expected_content) == checksum(current_content)

lib/puppet/provider/key_bundle/katello_ssl_tool.rb

@@ -5,14 +5,23 @@
   protected
 
   def expected_content
-    [privkey, pubkey].map { |f| File.read(f) }.join("\n")
+    [privkey, pubkey].join("\n")
+  end
+
+  def pubkey
+    # strips the textual info from the certificate file
+    openssl('x509', '-in', pubkey_source_path)
   end
 
   def privkey
+    File.read(privkey_source_path)
+  end
+
+  def privkey_source_path
     resource[:privkey] || cert_details[:privkey]
   end
 
-  def pubkey
+  def pubkey_source_path
     resource[:pubkey] || cert_details[:pubkey]
   end
 

lib/puppet/provider/privkey/katello_ssl_tool.rb

@@ -4,6 +4,23 @@
 
   protected
 
+  def expected_content
+    if resource[:unprotect]
+      tmp_file = "#{source_path}.tmp"
+      begin
+        openssl('rsa',
+                '-in', source_path,
+                '-out', tmp_file,
+                '-passin', "file:#{cert_details[:passphrase_file]}")
+        File.read(tmp_file)
+      ensure
+        File.delete(tmp_file) if File.exists?(tmp_file)
+      end
+    else
+      super
+    end
+  end
+
   def source_path
     cert_details[:privkey]
   end

lib/puppet/provider/pubkey/katello_ssl_tool.rb

@@ -4,6 +4,11 @@
 
   protected
 
+  def expected_content
+    # strips the textual info from the certificate file
+    openssl('x509', '-in', source_path)
+  end
+
   def source_path
     cert_details[:pubkey]
   end

lib/puppet/type/privkey.rb

@@ -4,4 +4,7 @@
   desc 'Stores the private key file on a location'
 
   instance_eval(&Certs::FILE_COMMON_PARAMS)
+
+  # to make the key unprotected by the passphrase
+  newparam(:unprotect)
 end

manifests/apache.pp

@@ -0,0 +1,60 @@
+class certs::apache (
+    $hostname        = $::certs::node_fqdn,
+    $generate        = $::certs::generate,
+    $regenerate      = $::certs::regenerate,
+    $deploy          = $::certs::deploy,
+    $ca              = $::certs::default_ca,
+    $apache_ssl_cert = $::certs::params::apache_ssl_cert,
+    $apache_ssl_key  = $::certs::params::apache_ssl_key,
+    $apache_ca_cert  = $::certs::params::apache_ca_cert
+  ) inherits certs::params {
+
+  cert { "${::certs::node_fqdn}-ssl":
+    ensure      => present,
+    hostname    => $::certs::node_fqdn,
+    country     => $::certs::country,
+    state       => $::certs::state,
+    city        => $::certs::sity,
+    org         => $::certs::org,
+    org_unit    => $::certs::org_unit,
+    expiration  => $::certs::expiration,
+    ca          => $ca,
+    generate    => $generate,
+    regenerate  => $regenerate,
+    deploy      => $deploy,
+  }
+
+  if $deploy {
+    include apache
+    include apache::ssl
+
+    pubkey { $apache_ssl_cert:
+      ensure => present,
+      cert   => Cert["${::certs::node_fqdn}-ssl"]
+    }
+
+    pubkey { $apache_ca_cert:
+      ensure => present,
+      cert   => $ca
+    }
+
+    privkey { $apache_ssl_key:
+      ensure => present,
+      cert   => Cert["${::certs::node_fqdn}-ssl"]
+    } ->
+    file { $apache_ssl_key:
+      owner => $apache::params::user,
+      group => $apache::params::group,
+      mode  => '0400';
+    }
+
+    file { "${apache::params::configdir}/ssl.conf":
+      content => template('apache/ssl.conf.erb'),
+      mode    => '0644',
+      owner   => 'root',
+      group   => 'root',
+      require => [Pubkey[$apache_ssl_cert], Privkey[$apache_ssl_key]],
+      notify  => Exec['reload-apache'],
+    } -> Service['httpd']
+  }
+}

manifests/candlepin.pp

@@ -0,0 +1,69 @@
+# Constains certs specific configurations for candlepin
+class certs::candlepin (
+    $hostname               = $::certs::node_fqdn,
+    $generate               = $::certs::generate,
+    $regenerate             = $::certs::regenerate,
+    $deploy                 = $::certs::deploy,
+    $ca                     = $::certs::default_ca,
+    $storage                = $::certs::params::candlepin_certs_storage,
+    $ca_cert                = $::certs::params::candlepin_ca_cert,
+    $ca_key                 = $::certs::params::candlepin_ca_key,
+    $pki_dir                = $::certs::params::candlepin_pki_dir,
+    $keystore               = $::certs::params::candlepin_keystore,
+    $keystore_password_file = $::certs::params::candlepin_keystore_password_file,
+    $keystore_password      = $::certs::params::candlepin_keystore_password,
+    $candlepin_certs_dir    = $::certs::params::candlepin_certs_dir
+  ) inherits certs::params {
+
+  Exec { logoutput => 'on_failure' }
+
+  if $deploy {
+    file { $keystore_password_file:
+      ensure  => file,
+      content => $keystore_password,
+      mode    => '0644',
+      owner   => 'tomcat',
+      group   => $::certs::user_groups,
+      replace => false;
+    } ~>
+    file { $pki_dir:
+      ensure => directory,
+      owner  => 'root',
+      group  => $::certs::user_groups,
+      mode   => '0750',
+    } ~>
+    pubkey { $ca_cert:
+      cert => $ca,
+    } ~>
+    file { $ca_cert:
+      owner   => 'root',
+      group   => $::certs::user_groups,
+      mode    => '0644';
+    } ~>
+    privkey { $ca_key:
+      cert      => $ca,
+      unprotect => true;
+    } ~>
+    file { $ca_key:
+      owner   => 'root',
+      group   => $::certs::user_groups,
+      mode    => '0640';
+    } ~>
+    exec { 'generate-ssl-keystore':
+      command   => "openssl pkcs12 -export -in ${ca_cert} -inkey ${ca_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${keystore_password_file}\"",
+      path      => '/bin:/usr/bin',
+      creates   => $keystore;
+    } ~>
+    file { "/usr/share/${candlepin::tomcat}/conf/keystore":
+      ensure  => link,
+      target  => $keystore;
+    } ~>
+    exec { 'add-candlepin-cert-to-nss-db':
+      command     => "certutil -A -d '${::certs::nss_db_dir}' -n 'ca' -t 'TCu,Cu,Tuw' -a -i '${ca_cert}'",
+      path        => '/usr/bin',
+      subscribe   => Exec['create-nss-db'],
+      refreshonly => true,
+    }
+
+  }
+}

manifests/foreman.pp

@@ -0,0 +1,46 @@
+class certs::foreman (
+    $hostname    = $::certs::node_fqdn,
+    $generate    = $::certs::generate,
+    $regenerate  = $::certs::regenerate,
+    $deploy      = $::certs::deploy,
+    $ca          = $::certs::default_ca,
+    $client_cert = $::certs::params::foreman_client_cert,
+    $client_key  = $::certs::params::foreman_client_key,
+    $client_ca   = $::certs::params::foreman_client_ca
+  ) inherits certs::params {
+
+  # cert for authentication of puppetmaster against foreman
+  cert { "${::certs::foreman::hostname}-foreman-client":
+    hostname    => $::certs::foreman::hostname,
+    purpose     => client,
+    country     => $::certs::country,
+    state       => $::certs::state,
+    city        => $::certs::sity,
+    org         => 'FOREMAN',
+    org_unit    => 'PUPPET',
+    expiration  => $::certs::expiration,
+    ca          => $ca,
+    generate    => $generate,
+    regenerate  => $regenerate,
+    deploy      => $deploy,
+  }
+
+  if $deploy {
+    pubkey { $client_cert:
+      cert => Cert["${::certs::foreman::hostname}-foreman-client"],
+    }
+
+    privkey { $client_key:
+      cert => Cert["${::certs::foreman::hostname}-foreman-client"],
+    } ->
+
+    file { $client_key:
+      owner => "foreman",
+      mode  => "0400"
+    }
+
+    pubkey { $client_ca:
+      cert => $ca,
+    }
+  }
+}

manifests/foreman_proxy.pp

@@ -0,0 +1,46 @@
+class certs::foreman_proxy (
+    $hostname   = $::certs::node_fqdn,
+    $generate   = $::certs::generate,
+    $regenerate = $::certs::regenerate,
+    $deploy     = $::certs::deploy,
+    $ca         = $::certs::default_ca,
+    $proxy_cert = $::certs::params::foreman_proxy_cert,
+    $proxy_key  = $::certs::params::foreman_proxy_key,
+    $proxy_ca   = $::certs::params::foreman_proxy_ca
+  ) inherits certs::params {
+
+  # cert for ssl of foreman-proxy
+  cert { "${::certs::foreman_proxy::hostname}-foreman-proxy":
+    hostname    => $::certs::foreman_proxy::hostname,
+    purpose     => server,
+    country     => $::certs::country,
+    state       => $::certs::state,
+    city        => $::certs::sity,
+    org         => 'FOREMAN',
+    org_unit    => 'SMART_PROXY',
+    expiration  => $::certs::expiration,
+    ca          => $ca,
+    generate    => $generate,
+    regenerate  => $regenerate,
+    deploy      => $deploy,
+  }
+
+  if $deploy {
+    pubkey { $proxy_cert:
+      cert => Cert["${::certs::foreman_proxy::hostname}-foreman-proxy"],
+    }
+
+    privkey { $proxy_key:
+      cert => Cert["${::certs::foreman_proxy::hostname}-foreman-proxy"],
+    } ->
+
+    file { $proxy_key:
+      owner => "foreman-proxy",
+      mode  => "0400"
+    }
+
+    pubkey { $proxy_ca:
+      cert => $ca,
+    }
+  }
+}