Deploy Foreman with cert not from puppet

[amh-mw]

On CentOS 6, the following settings allow me to use a CA-provided cert instead of a puppet cert.

$tlsdir = "/etc/pki/tls"

class { '::foreman':
    client_ssl_ca   => "${tlsdir}/certs/IntermediateCA.crt",
    client_ssl_cert => "${tlsdir}/certs/star.domain.com.crt",
    client_ssl_key  => "${tlsdir}/private/star.domain.com.key",
}

class { "::foreman_proxy": }

class { "::puppet":
    # Generated per http://curl.haxx.se/docs/caextract.html
    server_foreman_ssl_ca => "${tlsdir}/certs/ca-bundle.crt",
}

[ekohl]

Are these parameters available in the scope? Would you be willing to write a test for this?

[ekohl]

I don't know why Travis failed, but it looks like a Travis issue more than the code.

This can be a good addition, especially since we already have the variables available in params.pp. I do wonder what PUP-57 stands for.

[amh-mw]

On Wed, Dec 11, 2013 at 11:57 AM, Ewoud Kohl van Wijngaarden
notifications@github.com wrote:

Are these parameters available in the scope?

Ah, no. I'm running puppet 2.7, so I haven't purged all my bad habits yet.

Would you be willing to write a test for this?

Sure, I should be able to get back to this later this week.

I do wonder what PUP-57 stands for.

It is just the issue number in JIRA here internally. I didn't think
to scrub it from the comment.

[ekohl]

👍 from me. @domcleal?

Semi-related: I wish github would send me a notification if a new commit was added.

[domcleal]

I'm uncomfortable using the client parameters for the server side certificates, since I think these params are designed for the puppetmaster certificates when talking to Foreman. Could we add new params for server certs instead?

[ekohl]

Shouldn't this line also come from a variable?

[amh-mw]

I originally set it to the same value as SSLCertificateChainFile (which seems to be a fairly common pattern in Apache conf files), but @domcleal suggested that I not. Initial googling suggests that I can/should not use my CA-issued cert to issue client certs.

http://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile

[amh-mw]

PR updated to use server_* class parameters.

[ekohl]

Still unsure about the SSLCACertificateFile and it being static, but I don't mind merging it as is. @domcleal @GregSutcliffe?

[domcleal]

ditto, that's good, thanks for the update @amh-mw.

One last thing, could you add some docs to the top of init.pp for the three new parameters which our installer parses out? Then we can merge. Cheers!

[amh-mw]

PR updated with documentation.

[domcleal]

👍 pending Travis

[ekohl]

Travis is still broken on 1.8.7, but 👍 from me as well.

[domcleal]

Thanks for the contribution @amh-mw, merged as 222fb5e!