Refs #31878 - Split qpid router server and client certificates

theforeman · Feb 19, 2021 · 06471c2 · 06471c2
1 parent 6fc79f4
commit 06471c2
Show file tree

Hide file tree

Showing 6 changed files with 97 additions and 63 deletions.
diff --git a/manifests/foreman_proxy_content.pp b/manifests/foreman_proxy_content.pp
@@ -24,15 +24,16 @@
     fail('The hostname is the same as the provided hostname for the foreman-proxy')
   }
 
-  class { 'certs::puppet':        hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
-  class { 'certs::foreman':       hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
-  class { 'certs::foreman_proxy': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
-  class { 'certs::apache':        hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
-  class { 'certs::qpid':          hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
-  class { 'certs::qpid_router':   hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
-  class { 'certs::qpid_client':   hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+  class { 'certs::puppet':              hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+  class { 'certs::foreman':             hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+  class { 'certs::foreman_proxy':       hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+  class { 'certs::apache':              hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+  class { 'certs::qpid':                hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+  class { 'certs::qpid_router::server': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+  class { 'certs::qpid_router::client': hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
+  class { 'certs::qpid_client':         hostname => $foreman_proxy_fqdn, cname => $foreman_proxy_cname }
 
   certs::tar_create { $certs_tar:
-    subscribe => Class['certs::puppet', 'certs::foreman', 'certs::foreman_proxy', 'certs::qpid', 'certs::qpid_router', 'certs::apache', 'certs::qpid_client'],
+    subscribe => Class['certs::puppet', 'certs::foreman', 'certs::foreman_proxy', 'certs::qpid', 'certs::qpid_router::server', 'certs::qpid_router::client', 'certs::apache', 'certs::qpid_client'],
   }
 }
diff --git a/manifests/qpid_router.pp → manifests/qpid_router/client.pp b/manifests/qpid_router.pp → manifests/qpid_router/client.pp
@@ -1,14 +1,12 @@
 # Constains certs specific configurations for qpid dispatch router
-class certs::qpid_router (
+class certs::qpid_router::client (
   $hostname               = $certs::node_fqdn,
   $cname                  = $certs::cname,
   $generate               = $certs::generate,
   $regenerate             = $certs::regenerate,
   $deploy                 = $certs::deploy,
-  $server_cert            = $certs::qpid_router_server_cert,
-  $client_cert            = $certs::qpid_router_client_cert,
-  $server_key             = $certs::qpid_router_server_key,
-  $client_key             = $certs::qpid_router_client_key,
+  $cert                   = $certs::qpid_router_client_cert,
+  $key                    = $certs::qpid_router_client_key,
   $owner                  = 'qdrouterd',
   $group                  = 'root',
 
@@ -21,27 +19,8 @@
   $ca_key_password_file  = $certs::ca_key_password_file,
 ) inherits certs {
 
-  $server_keypair = "${hostname}-qpid-router-server"
   $client_keypair = "${hostname}-qpid-router-client"
 
-  cert { $server_keypair:
-    ensure        => present,
-    hostname      => $hostname,
-    cname         => $cname,
-    country       => $country,
-    state         => $state,
-    city          => $city,
-    org           => 'dispatch server',
-    org_unit      => $org_unit,
-    expiration    => $expiration,
-    ca            => $default_ca,
-    generate      => $generate,
-    regenerate    => $regenerate,
-    deploy        => $deploy,
-    purpose       => 'server',
-    password_file => $ca_key_password_file,
-  }
-
   cert { $client_keypair:
     ensure        => present,
     hostname      => $hostname,
@@ -61,28 +40,14 @@
   }
 
   if $deploy {
-    certs::keypair { 'qpid_router_server':
-      key_pair    => Cert[$server_keypair],
-      key_file    => $server_key,
-      manage_key  => true,
-      key_owner   => $owner,
-      key_group   => $group,
-      key_mode    => '0640',
-      cert_file   => $server_cert,
-      manage_cert => true,
-      cert_owner  => $owner,
-      cert_group  => $group,
-      cert_mode   => '0640',
-    }
-
     certs::keypair { 'qpid_router_client':
       key_pair    => Cert[$client_keypair],
-      key_file    => $client_key,
+      key_file    => $key,
       manage_key  => true,
       key_owner   => $owner,
       key_group   => $group,
       key_mode    => '0640',
-      cert_file   => $client_cert,
+      cert_file   => $cert,
       manage_cert => true,
       cert_owner  => $owner,
       cert_group  => $group,

diff --git a/manifests/qpid_router/server.pp b/manifests/qpid_router/server.pp
@@ -0,0 +1,57 @@
+# Constains certs specific configurations for qpid dispatch router
+class certs::qpid_router::server (
+  $hostname               = $certs::node_fqdn,
+  $cname                  = $certs::cname,
+  $generate               = $certs::generate,
+  $regenerate             = $certs::regenerate,
+  $deploy                 = $certs::deploy,
+  $cert                   = $certs::qpid_router_server_cert,
+  $key                    = $certs::qpid_router_server_key,
+  $owner                  = 'qdrouterd',
+  $group                  = 'root',
+
+  $country               = $certs::country,
+  $state                 = $certs::state,
+  $city                  = $certs::city,
+  $org_unit              = $certs::org_unit,
+  $expiration            = $certs::expiration,
+  $default_ca            = $certs::default_ca,
+  $ca_key_password_file  = $certs::ca_key_password_file,
+) inherits certs {
+
+  $server_keypair = "${hostname}-qpid-router-server"
+
+  cert { $server_keypair:
+    ensure        => present,
+    hostname      => $hostname,
+    cname         => $cname,
+    country       => $country,
+    state         => $state,
+    city          => $city,
+    org           => 'dispatch server',
+    org_unit      => $org_unit,
+    expiration    => $expiration,
+    ca            => $default_ca,
+    generate      => $generate,
+    regenerate    => $regenerate,
+    deploy        => $deploy,
+    purpose       => 'server',
+    password_file => $ca_key_password_file,
+  }
+
+  if $deploy {
+    certs::keypair { 'qpid_dispatch_server':
+      key_pair    => Cert[$server_keypair],
+      key_file    => $key,
+      manage_key  => true,
+      key_owner   => $owner,
+      key_group   => $group,
+      key_mode    => '0640',
+      cert_file   => $cert,
+      manage_cert => true,
+      cert_owner  => $owner,
+      cert_group  => $group,
+      cert_mode   => '0640',
+    }
+  }
+}
diff --git a/spec/classes/certs_qpid_router_client_spec.rb b/spec/classes/certs_qpid_router_client_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe 'certs::qpid_router::client' do
+  on_supported_os.each do |os, os_facts|
+    let :facts do
+      os_facts
+    end
+
+    describe 'with default parameters' do
+      it { should compile.with_all_deps }
+    end
+  end
+end
diff --git a/spec/classes/certs_qpid_router_server_spec.rb b/spec/classes/certs_qpid_router_server_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe 'certs::qpid_router::server' do
+  on_supported_os.each do |os, os_facts|
+    let :facts do
+      os_facts
+    end
+
+    describe 'with default parameters' do
+      it { should compile.with_all_deps }
+    end
+  end
+end
diff --git a/spec/classes/certs_qpid_router_spec.rb b/spec/classes/certs_qpid_router_spec.rb