Rely on the generated CA certificate location when deploying the CA cert

Signed-off-by: Eric D. Helms <[email protected]>

manifests/apache.pp

@@ -121,6 +121,7 @@
 
   if $deploy {
     include certs::config::deploy
+    require certs::ca
 
     certs::keypair { $apache_cert_name:
       source_dir => "${certs::ssl_build_dir}/${hostname}",
@@ -134,5 +135,21 @@
       cert_mode  => '0440',
       require    => $require_cert,
     }
+
+    file { $certs::katello_default_ca_cert:
+      ensure => file,
+      source => $certs::ca::default_ca_path,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0644',
+    }
+
+    file { $certs::katello_server_ca_cert:
+      ensure => file,
+      source => $certs::ca::server_ca_path,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0644',
+    }
   }
 }

manifests/ca.pp

@@ -11,10 +11,8 @@
   String $org_unit = $certs::org_unit,
   String $ca_expiration = $certs::ca_expiration,
   Boolean $generate = $certs::generate,
-  Boolean $deploy = $certs::deploy,
   String $owner = $certs::user,
   String $group = $certs::group,
-  Stdlib::Absolutepath $katello_server_ca_cert = $certs::katello_server_ca_cert,
   String $ca_key_password = $certs::ca_key_password,
   Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
 ) {
@@ -52,24 +50,4 @@
       mode   => '0644',
     }
   }
-
-  if $deploy {
-    include certs::config::deploy
-
-    file { $certs::katello_default_ca_cert:
-      ensure => file,
-      source => $default_ca_path,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0644',
-    }
-
-    file { $katello_server_ca_cert:
-      ensure => file,
-      source => $server_ca_path,
-      owner  => $owner,
-      group  => $group,
-      mode   => '0644',
-    }
-  }
 }

manifests/foreman.pp

@@ -15,7 +15,7 @@
   String $org_unit = 'PUPPET',
   String $expiration = $certs::expiration,
   Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
-  Stdlib::Absolutepath $server_ca = $certs::katello_server_ca_cert,
+  Optional[Stdlib::Absolutepath] $server_ca = undef,
   String $owner = 'root',
   String $group = 'foreman',
 ) inherits certs {
@@ -41,6 +41,8 @@
   }
 
   if $deploy {
+    require certs::ca
+
     certs::keypair { $client_cert_name:
       source_dir => "${certs::ssl_build_dir}/${hostname}",
       key_file   => $client_key,
@@ -55,12 +57,11 @@
     }
 
     file { $ssl_ca_cert:
-      ensure  => file,
-      source  => $server_ca,
-      owner   => 'root',
-      group   => $group,
-      mode    => '0440',
-      require => File[$server_ca],
+      ensure => file,
+      source => pick($server_ca, $certs::ca::server_ca_path),
+      owner  => 'root',
+      group  => $group,
+      mode   => '0440',
     }
   }
 }

manifests/foreman_proxy.pp

@@ -18,15 +18,15 @@
   Stdlib::Absolutepath $foreman_ssl_key = '/etc/foreman-proxy/foreman_ssl_key.pem',
   Stdlib::Absolutepath $foreman_ssl_ca_cert = '/etc/foreman-proxy/foreman_ssl_ca.pem',
   Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
-  Stdlib::Absolutepath $server_ca_cert = $certs::katello_server_ca_cert,
+  Stdlib::Absolutepath $server_ca_cert = $certs::ca::server_ca_path,
   Optional[Stdlib::Absolutepath] $server_cert = $certs::server_cert,
   Optional[Stdlib::Absolutepath] $server_key = $certs::server_key,
   Optional[Stdlib::Absolutepath] $server_cert_req = $certs::server_cert_req,
   String[2,2] $country = $certs::country,
   String $state = $certs::state,
   String $city = $certs::city,
   String $expiration = $certs::expiration,
-  Stdlib::Absolutepath $default_ca_cert = $certs::katello_default_ca_cert,
+  Stdlib::Absolutepath $default_ca_cert = $certs::ca::default_ca_path,
   Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
   String $group = 'foreman-proxy',
   String $owner = 'root',
@@ -108,6 +108,7 @@
 
   if $deploy {
     include certs::config::deploy
+    require certs::ca
 
     certs::keypair { $proxy_cert_name:
       source_dir => "${certs::ssl_build_dir}/${hostname}",
@@ -123,12 +124,11 @@
     }
 
     file { $proxy_ca_cert:
-      ensure  => file,
-      source  => $default_ca_cert,
-      owner   => $owner,
-      group   => $group,
-      mode    => '0440',
-      require => File[$default_ca_cert],
+      ensure => file,
+      source => $default_ca_cert,
+      owner  => $owner,
+      group  => $group,
+      mode   => '0440',
     }
 
     certs::keypair { $foreman_proxy_client_cert_name:
@@ -145,12 +145,11 @@
     }
 
     file { $foreman_ssl_ca_cert:
-      ensure  => file,
-      source  => $server_ca_cert,
-      owner   => $owner,
-      group   => $group,
-      mode    => '0440',
-      require => File[$server_ca_cert],
+      ensure => file,
+      source => $server_ca_cert,
+      owner  => $owner,
+      group  => $group,
+      mode   => '0440',
     }
 
     cert_key_bundle { $foreman_proxy_ssl_client_bundle:

manifests/iop_advisor_engine.pp

@@ -37,11 +37,13 @@
   }
 
   if $deploy {
+    require certs::ca
+
     $cert_directory = '/etc/iop-advisor-engine'
 
     $server_cert = "${cert_directory}/server.cert"
     $server_key = "${cert_directory}/server.key"
-    $server_ca_cert = $certs::katello_server_ca_cert
+    $server_ca_cert = $certs::ca::server_ca_path
 
     $client_cert = $certs::foreman_proxy::foreman_ssl_cert
     $client_key = $certs::foreman_proxy::foreman_ssl_key

manifests/puppet.pp

@@ -13,7 +13,7 @@
   String $city = $certs::city,
   String $expiration = $certs::expiration,
   Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
-  Stdlib::Absolutepath $server_ca = $certs::katello_server_ca_cert,
+  Stdlib::Absolutepath $server_ca = $certs::ca::server_ca_path,
   Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
   String $owner = 'root',
   String $group = 'puppet',
@@ -40,6 +40,7 @@
 
   if $deploy {
     include certs::config::deploy
+    require certs::ca
 
     file { "${pki_dir}/puppet":
       ensure => directory,

spec/acceptance/certs_spec.rb

@@ -2,7 +2,7 @@
 
 describe 'certs' do
   before(:all) do
-    on default, 'rm -rf /root/ssl-build'
+    on default, 'rm -rf /root/ssl-build /etc/pki/katello'
   end
 
   context 'with default params' do
@@ -36,22 +36,8 @@
       it { should be_encrypted }
     end
 
-    describe x509_certificate('/etc/pki/katello/certs/katello-default-ca.crt') do
-      it { should be_certificate }
-      it { should be_valid }
-      it { should have_purpose 'SSL server CA' }
-      its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
-      its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
-      its(:keylength) { should be >= 4096 }
-    end
-
-    describe x509_certificate('/etc/pki/katello/certs/katello-server-ca.crt') do
-      it { should be_certificate }
-      it { should be_valid }
-      it { should have_purpose 'SSL server CA' }
-      its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
-      its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
-      its(:keylength) { should be >= 4096 }
+    describe file('/etc/pki/katello/certs/katello-default-ca.crt') do
+      it { should_not exist }
     end
 
     describe file('/etc/pki/katello/private/katello-default-ca.key') do
@@ -69,10 +55,6 @@
     describe file('/root/ssl-build/katello-default-ca.pwd') do
       it { should exist }
     end
-
-    describe file('/etc/pki/katello/private/katello-default-ca.pwd') do
-      it { should_not exist }
-    end
   end
 
   context 'with deploy false' do