Move OS specific data from params.pp into hiera
h-haaks committed May 28, 2024
1 parent 6da92b0 commit d2e3f5b
Showing 11 changed files with 94 additions and 179 deletions.
87 changes: 39 additions & 48 deletions REFERENCE.md
Expand Up @@ -6,16 +6,10 @@

### Classes

#### Public Classes

* [`ca_cert`](#ca_cert): This module manages the user defined certificate authority (CA)
certificates on the server. On OSes that support a distrusted
folder the module also manages distrusting system default CA certificates.

#### Private Classes

* `ca_cert::params`: OS dependent parameter defaults

### Defined types

* [`ca_cert::ca`](#ca_cert--ca): Manage a user defined CA Certificate on a system.
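Review bot: With the private `ca_cert::params` class removed from the reference, nothing in REFERENCE.md now tells the reader where the OS-specific defaults live; the `ca_cert` class description could end with one sentence such as "OS defaults are supplied by the module's Hiera data in `data/`", since the hierarchy added in `hiera.yaml` is otherwise invisible from the generated docs.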
Expand Down Expand Up @@ -63,52 +57,70 @@ class { 'ca_cert':

The following parameters are available in the `ca_cert` class:

* [`package_name`](#-ca_cert--package_name)
* [`update_cmd`](#-ca_cert--update_cmd)
* [`trusted_cert_dir`](#-ca_cert--trusted_cert_dir)
* [`distrusted_cert_dir`](#-ca_cert--distrusted_cert_dir)
* [`install_package`](#-ca_cert--install_package)
* [`package_ensure`](#-ca_cert--package_ensure)
* [`package_name`](#-ca_cert--package_name)
* [`cert_dir_group`](#-ca_cert--cert_dir_group)
* [`cert_dir_mode`](#-ca_cert--cert_dir_mode)
* [`ca_file_group`](#-ca_cert--ca_file_group)
* [`ca_file_mode`](#-ca_cert--ca_file_mode)
* [`ca_file_extension`](#-ca_cert--ca_file_extension)
* [`package_ensure`](#-ca_cert--package_ensure)
* [`always_update_certs`](#-ca_cert--always_update_certs)
* [`purge_unmanaged_CAs`](#-ca_cert--purge_unmanaged_CAs)
* [`install_package`](#-ca_cert--install_package)
* [`ca_certs`](#-ca_cert--ca_certs)

##### <a name="-ca_cert--package_name"></a>`package_name`

Data type: `String[1]`

The name of the package(s) to be installed.

Default value: `$ca_cert::params::package_name`

##### <a name="-ca_cert--update_cmd"></a>`update_cmd`

Data type: `String[1]`

Command to be used to update CA certificates.

Default value: `$ca_cert::params::update_cmd`
Default provided by Hiera for supported Operating Systems.

##### <a name="-ca_cert--trusted_cert_dir"></a>`trusted_cert_dir`

Data type: `Stdlib::Absolutepath`

Absolute directory path to the folder containing trusted certificates.

Default value: `$ca_cert::params::trusted_cert_dir`
Default provided by Hiera for supported Operating Systems.

##### <a name="-ca_cert--distrusted_cert_dir"></a>`distrusted_cert_dir`

Data type: `Optional[Stdlib::Absolutepath]`

Absolute directory path to the folder containing distrusted certificates.
Default provided by Hiera for supported Operating Systems.

Default value: `undef`

##### <a name="-ca_cert--install_package"></a>`install_package`

Data type: `Boolean`

Whether or not this module should install the ca_certificates package.
The package contains the system default (typically Mozilla) CA
certificates, as well as the tools required for managing other installed
CA certificates.

Default value: `true`

##### <a name="-ca_cert--package_ensure"></a>`package_ensure`

Data type: `Stdlib::Ensure::Package`

The ensure parameter to pass to the package resource.

Default value: `'installed'`

##### <a name="-ca_cert--package_name"></a>`package_name`

Data type: `String[1]`

The name of the package(s) to be installed.

Default value: `$ca_cert::params::distrusted_cert_dir`
Default value: `'ca-certificates'`

##### <a name="-ca_cert--cert_dir_group"></a>`cert_dir_group`

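Review bot: `update_cmd` and `trusted_cert_dir` lose their "Default value" line and become required parameters, but the text "Default provided by Hiera for supported Operating Systems" does not say what happens elsewhere; suggest wording like "Required when no module data exists for the node's OS family", so a user on an unlisted family understands the compile error they will get. In the same hunk, `distrusted_cert_dir` carries the same Hiera sentence while showing `Default value: undef`; say "undef on OSes without a distrusted directory" so the two lines do not read as contradictory.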
Expand All @@ -117,17 +129,16 @@ Data type: `String[1]`
The installed trusted certificate's POSIX group permissions. This uses
the same syntax as Puppet's native file resource's "group" parameter.

Default value: `$ca_cert::params::cert_dir_group`
Default value: `'root'`

##### <a name="-ca_cert--cert_dir_mode"></a>`cert_dir_mode`

Data type: `Stdlib::Filemode`

The installed trusted certificate's POSIX filesystem permissions. This uses
the same syntax as Puppet's native file resource's "mode" parameter.
It defaults to '2665' on Debian, and to '0755' on other cases.

Default value: `$ca_cert::params::cert_dir_mode`
Default value: `'0755'`

##### <a name="-ca_cert--ca_file_group"></a>`ca_file_group`

Expand All @@ -136,33 +147,24 @@ Data type: `String[1]`
The installed CA certificate's POSIX group permissions. This uses
the same syntax as Puppet's native file resource's "group" parameter.

Default value: `$ca_cert::params::ca_file_group`
Default value: `'root'`

##### <a name="-ca_cert--ca_file_mode"></a>`ca_file_mode`

Data type: `Stdlib::Filemode`

The installed CA certificate's POSIX filesystem permissions. This uses
the same syntax as Puppet's native file resource's "mode" parameter.
(defaults to '0444', i.e. world-readable)

Default value: `$ca_cert::params::ca_file_mode`
Default value: `'0644'`

##### <a name="-ca_cert--ca_file_extension"></a>`ca_file_extension`

Data type: `String[1]`

File extenstion for the certificate.

Default value: `$ca_cert::params::ca_file_extension`

##### <a name="-ca_cert--package_ensure"></a>`package_ensure`

Data type: `Stdlib::Ensure::Package`

The ensure parameter to pass to the package resource.

Default value: `'installed'`
Default value: `'crt'`

##### <a name="-ca_cert--always_update_certs"></a>`always_update_certs`

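Review bot: The removed sentence documented `ca_file_mode` as '0444' but the new hardcoded default is '0644', so REFERENCE.md now advertises owner-writable CA files where it previously advertised read-only ones; please confirm what `params.pp` actually set so the changelog can record whether this is a behaviour change or only a documentation correction. While here, the context line `File extenstion for the certificate.` has a typo ("extension") that could be fixed in the same commit.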
Expand All @@ -183,17 +185,6 @@ module will be purged.

Default value: `false`

##### <a name="-ca_cert--install_package"></a>`install_package`

Data type: `Boolean`

Whether or not this module should install the ca_certificates package.
The package contains the system default (typically Mozilla) CA
certificates, as well as the tools required for managing other installed
CA certificates.

Default value: `true`

##### <a name="-ca_cert--ca_certs"></a>`ca_certs`

Data type: `Hash`
4 changes: 4 additions & 0 deletions data/Archlinux-family.yaml
@@ -0,0 +1,4 @@
---
ca_cert::update_cmd: 'trust extract-compat'
ca_cert::trusted_cert_dir: '/etc/ca-certificates/trust-source/anchors/'
ca_cert::distrusted_cert_dir: '/etc/ca-certificates/trust-source/blacklist'
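Review bot: `ca_cert::trusted_cert_dir` ends in a trailing slash here while the Debian, RedHat and Suse data files (and `distrusted_cert_dir` on the line below) do not; any place that joins `$trusted_cert_dir` with a file name will produce a doubled slash on Arch, so suggest `'/etc/ca-certificates/trust-source/anchors'` for consistency.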
3 changes: 3 additions & 0 deletions data/Debian-family.yaml
@@ -0,0 +1,3 @@
---
ca_cert::update_cmd: 'update-ca-certificates'
ca_cert::trusted_cert_dir: '/usr/local/share/ca-certificates'
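Review bot: Debian loses its documented `cert_dir_mode` of '2665' in this commit (the sentence "It defaults to '2665' on Debian" is dropped from REFERENCE.md and init.pp, and the class default becomes '0755'), yet this data file sets no `ca_cert::cert_dir_mode`; if the setgid directory mode is still intended on Debian, add `ca_cert::cert_dir_mode: '2665'` here, otherwise call the change out in the changelog since it alters directory permissions on existing nodes.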
4 changes: 4 additions & 0 deletions data/RedHat-family.yaml
@@ -0,0 +1,4 @@
---
ca_cert::update_cmd: 'update-ca-trust extract'
ca_cert::trusted_cert_dir: '/etc/pki/ca-trust/source/anchors'
ca_cert::distrusted_cert_dir: '/etc/pki/ca-trust/source/blacklist'
4 changes: 4 additions & 0 deletions data/Suse-family.yaml
@@ -0,0 +1,4 @@
---
ca_cert::update_cmd: 'update-ca-certificates'
ca_cert::trusted_cert_dir: '/etc/pki/trust/anchors'
ca_cert::distrusted_cert_dir: '/etc/pki/trust/blacklist'
14 changes: 14 additions & 0 deletions hiera.yaml
@@ -0,0 +1,14 @@
---
version: 5
defaults:
datadir: data
data_hash: yaml_data
hierarchy:
- name: 'Major Version'
path: '%{facts.os.name}-%{facts.os.release.major}.yaml'
- name: 'OS Family Major Version'
path: '%{facts.os.family}-family-%{facts.os.release.major}.yaml'
- name: 'OS Family'
path: '%{facts.os.family}-family.yaml'
- name: 'common'
path: 'common.yaml'
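Review bot: The 'Major Version', 'OS Family Major Version' and 'common' levels reference files that do not exist in this commit (only the four `*-family.yaml` files are added), which Hiera 5 tolerates by skipping missing paths, but a short comment in hiera.yaml saying those levels are reserved for per-release overrides would stop the next reader from hunting for the missing files.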
51 changes: 26 additions & 25 deletions manifests/init.pp
Expand Up @@ -22,17 +22,29 @@
# ca_file_extension => 'pem',
# }
#
# @param package_name
# The name of the package(s) to be installed.
#
# @param update_cmd
# Command to be used to update CA certificates.
# Default provided by Hiera for supported Operating Systems.
#
# @param trusted_cert_dir
# Absolute directory path to the folder containing trusted certificates.
# Default provided by Hiera for supported Operating Systems.
#
# @param distrusted_cert_dir
# Absolute directory path to the folder containing distrusted certificates.
# Default provided by Hiera for supported Operating Systems.
#
# @param install_package
# Whether or not this module should install the ca_certificates package.
# The package contains the system default (typically Mozilla) CA
# certificates, as well as the tools required for managing other installed
# CA certificates.
#
# @param package_ensure
# The ensure parameter to pass to the package resource.
#
# @param package_name
# The name of the package(s) to be installed.
#
# @param cert_dir_group
# The installed trusted certificate's POSIX group permissions. This uses
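Review bot: The `@param distrusted_cert_dir` text says "Default provided by Hiera for supported Operating Systems", but the parameter defaults to `undef` and the Debian family data deliberately sets no value; reword to something like "Default provided by Hiera on OSes that support a distrusted directory; undef otherwise" so the generated REFERENCE.md does not contradict its own `Default value: undef` line.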
Expand All @@ -41,7 +53,6 @@
# @param cert_dir_mode
# The installed trusted certificate's POSIX filesystem permissions. This uses
# the same syntax as Puppet's native file resource's "mode" parameter.
# It defaults to '2665' on Debian, and to '0755' on other cases.
#
# @param ca_file_group
# The installed CA certificate's POSIX group permissions. This uses
Expand All @@ -50,14 +61,10 @@
# @param ca_file_mode
# The installed CA certificate's POSIX filesystem permissions. This uses
# the same syntax as Puppet's native file resource's "mode" parameter.
# (defaults to '0444', i.e. world-readable)
#
# @param ca_file_extension
# File extenstion for the certificate.
#
# @param package_ensure
# The ensure parameter to pass to the package resource.
#
# @param always_update_certs
# Run the appropriate update CA certificates command for your operating
# system on every Puppet run whether it is needed or not.
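Review bot: The context line `# File extenstion for the certificate.` has a typo ("extension"); since this hunk already touches the neighbouring `ca_file_mode` doc, it is a cheap fix to fold in.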
Expand All @@ -67,32 +74,26 @@
# certificates (in the appropriate directories) not managed by this
# module will be purged.
#
# @param install_package
# Whether or not this module should install the ca_certificates package.
# The package contains the system default (typically Mozilla) CA
# certificates, as well as the tools required for managing other installed
# CA certificates.
#
# @param ca_certs
# A hash of CA certificates that should be installed as part of the class
# declaration.
#
class ca_cert (
String[1] $package_name = $ca_cert::params::package_name,
String[1] $update_cmd = $ca_cert::params::update_cmd,
Stdlib::Absolutepath $trusted_cert_dir = $ca_cert::params::trusted_cert_dir,
Optional[Stdlib::Absolutepath] $distrusted_cert_dir = $ca_cert::params::distrusted_cert_dir,
String[1] $cert_dir_group = $ca_cert::params::cert_dir_group,
String[1] $ca_file_group = $ca_cert::params::ca_file_group,
Stdlib::Filemode $cert_dir_mode = $ca_cert::params::cert_dir_mode,
Stdlib::Filemode $ca_file_mode = $ca_cert::params::ca_file_mode,
String[1] $ca_file_extension = $ca_cert::params::ca_file_extension,
String[1] $update_cmd,
Stdlib::Absolutepath $trusted_cert_dir,
Optional[Stdlib::Absolutepath] $distrusted_cert_dir = undef,
Boolean $install_package = true,
Stdlib::Ensure::Package $package_ensure = 'installed',
String[1] $package_name = 'ca-certificates',
String[1] $cert_dir_group = 'root',
Stdlib::Filemode $cert_dir_mode = '0755',
String[1] $ca_file_group = 'root',
Stdlib::Filemode $ca_file_mode = '0644',
String[1] $ca_file_extension = 'crt',
Boolean $always_update_certs = false,
Boolean $purge_unmanaged_CAs = false, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
Boolean $install_package = true,
Hash $ca_certs = {},
) inherits ca_cert::params {
) {
file { 'trusted_certs':
ensure => directory,
path => $trusted_cert_dir,
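Review bot: `String[1] $update_cmd` and `Stdlib::Absolutepath $trusted_cert_dir` now have no default at all, so on any OS family without a `data/*-family.yaml` entry the catalog fails at the `class { 'ca_cert': }` declaration with Puppet's generic "expects a value for parameter" error rather than a message that names the unsupported OS; that is acceptable, but with `params.pp` gone the README/class docs should state it, or the parameters could stay required and the failure be made explicit. Dropping `inherits ca_cert::params` and moving to automatic parameter lookup is the right direction, and the reordered list now matches REFERENCE.md.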
54 changes: 0 additions & 54 deletions manifests/params.pp

This file was deleted.

1 change: 0 additions & 1 deletion spec/classes/ca_cert_spec.rb
Expand Up @@ -25,7 +25,6 @@
let(:facts) { facts }

it { is_expected.to compile }
it { is_expected.to contain_class('ca_cert::params') }

it do
is_expected.to contain_file('trusted_certs').only_with(
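Review bot: Removing the `contain_class('ca_cert::params')` expectation leaves `compile` as the only visible guard that the per-family data files are wired up; suggest asserting the resolved values per OS family in this spec (for example `contain_file('trusted_certs').with_path('/usr/local/share/ca-certificates')` on Debian facts and the RedHat/Suse/Arch equivalents) so a typo in a `data/*-family.yaml` key is caught, plus one case with an unsupported OS family using `compile.and_raise_error(/expects a value for parameter/)` to pin down the new failure mode.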
0 comments on commit d2e3f5b