feature: generate Keytool for SSL

fix: profile.erb due to "RDECK_SSL_OPTS"
voxpupuli · Sep 5, 2016 · 4073dff · 4073dff
1 parent 0b9559e
commit 4073dff
Show file tree

Hide file tree

Showing 15 changed files with 131 additions and 3 deletions.
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -4,5 +4,6 @@ fixtures:
     inifile: "https://github.com/puppetlabs/puppetlabs-inifile.git"
     archive: "https://github.com/puppet-community/puppet-archive.git"
     dirtree: "https://github.com/puppetlabs/pltraining-dirtree.git"
+    java_ks: "https://github.com/puppetlabs/puppetlabs-java_ks.git"
   symlinks:
     rundeck: "#{source_dir}"
diff --git a/README.md b/README.md
@@ -65,6 +65,40 @@ Web context path to use, such as "/rundeck". http://host.domain:port/server_web_
 #####`ssl_enabled`
 Enable ssl for the Rundeck web application.
 
+#####`ssl_keyfile` and `ssl_certfile`
+
+If ssl_enabled is True, you must supply this parameter. It is recommended that you provide the .crt and .key files separately via other means, such as a role or profile manifest.
+
+How to: eg: environments/role/manifests/rundeck.pp
+```Puppet
+
+class role::rundeck (
+...
+  $ssl_keyfile                        = hiera('rundeck::config::ssl_keyfile', "/etc/rundeck/ssl/$fqdn.key"),
+  $ssl_certfile                       = hiera('rundeck::config::ssl_certfile', "/etc/rundeck/ssl/$fqdn.crt"),
+..
+){
+...
+  validate_string($ssl_keyfile)
+  validate_string($ssl_certfile)
+...
+  class { 'rundeck':
+...
+    ssl_keyfile                  => $ssl_keyfile,
+    ssl_certfile                 => $ssl_certfile,
+...
+  }
+...
+}
+
+```
+Am End please add the module below to your environments/Puppetfile to use java_ks:
+```Puppet
+mod 'java_ks',
+  :git => 'https://github.com/puppetlabs/puppetlabs-java_ks.git',
+  :tag => '1.4.1'
+
+
 #####`session_timeout`
 Time limit (in minutes) for a logged in Rundeck web application user which as been inactive for a period of time.
 

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -49,6 +49,8 @@
   $session_timeout              = $rundeck::session_timeout,
   $ssl_enabled                  = $rundeck::ssl_enabled,
   $ssl_port                     = $rundeck::ssl_port,
+  $ssl_keyfile                  = $rundeck::ssl_keyfile,
+  $ssl_certfile                 = $rundeck::ssl_certfile,
   $truststore                   = $rundeck::truststore,
   $truststore_password          = $rundeck::truststore_password,
   $user                         = $rundeck::user,

diff --git a/manifests/config/global/framework.pp b/manifests/config/global/framework.pp
@@ -10,14 +10,30 @@
   $group            = $rundeck::config::group,
   $properties_dir   = $rundeck::config::properties_dir,
   $user             = $rundeck::config::user,
-
+  $ssl_enabled      = $rundeck::config::ssl_enabled,
+  $ssl_port         = $rundeck::config::ssl_port
 ) {
 
+  $framework_config_base = merge($rundeck::params::framework_config, $rundeck::framework_config)
+
+  if $ssl_enabled and $ssl_port == '' {
+    $framework_config_port = { 'framework.server.port' => '4443' }
+    $framework_config_url = { 'framework.server.url' => "https://${::fqdn}:4443" }
+  }
+  elsif $ssl_enabled and $ssl_port != '' {
+    $framework_config_port = { 'framework.server.port' => $ssl_port }
+    $framework_config_url = { 'framework.server.url' => "https://${::fqdn}:${ssl_port}" }
+  }
+  else {
+    $framework_config_port = { 'framework.server.port' => '4440' }
+    $framework_config_url = { 'framework.server.url' => "http://${::fqdn}:4440" }
+  }
+
   $properties_file = "${properties_dir}/framework.properties"
 
   ensure_resource('file', $properties_dir, {'ensure' => 'directory', 'owner' => $user, 'group' => $group } )
 
-  $framework_config = merge($rundeck::params::framework_config, $rundeck::framework_config)
+  $framework_config = merge($framework_config_base, $framework_config_url, $framework_config_port)
 
   file { $properties_file:
     ensure  => present,

diff --git a/manifests/config/global/ssl.pp b/manifests/config/global/ssl.pp
@@ -9,6 +9,8 @@
 class rundeck::config::global::ssl(
   $group               = $rundeck::config::group,
   $key_password        = $rundeck::config::key_password,
+  $ssl_keyfile         = $rundeck::config::ssl_keyfile,
+  $ssl_certfile        = $rundeck::config::ssl_certfile,
   $keystore            = $rundeck::config::keystore,
   $keystore_password   = $rundeck::config::keystore_password,
   $properties_dir      = $rundeck::config::properties_dir,
@@ -32,6 +34,25 @@
     'require' => File[$properties_dir]
     } )
 
+  java_ks { "rundeck:${properties_dir}/ssl/keystore":
+    ensure       => present,
+    private_key  => $ssl_keyfile,
+    certificate  => $ssl_certfile,
+    password     => $keystore_password,
+    destkeypass  => $key_password,
+    trustcacerts => true,
+    notify       => Service[$service_name],
+  } ->
+  java_ks { "rundeck:${properties_dir}/ssl/truststore":
+    ensure       => present,
+    private_key  => $ssl_keyfile,
+    certificate  => $ssl_certfile,
+    password     => $truststore_password,
+    destkeypass  => $key_password,
+    trustcacerts => true,
+    notify       => Service[$service_name],
+  }
+
   Ini_setting {
     notify => Service[$service_name],
   }

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -28,6 +28,12 @@
 # [*grails_server_url*]
 #  The url used in sending email notifications.
 #
+# [*ssl_keyfile*]
+#  Full path to the SSL private key to be used by Rundeck.
+#
+# [*ssl_certfile*]
+#  Full path to the SSL public key to be used by Rundeck.
+#
 # [*group*]
 #  The group permission that rundeck is installed as.
 #
@@ -189,6 +195,8 @@
   $keystore                     = $rundeck::params::keystore,
   $keystore_password            = $rundeck::params::keystore_password,
   $mail_config                  = $rundeck::params::mail_config,
+  $ssl_keyfile                  = $rundeck::params::ssl_keyfile,
+  $ssl_certfile                 = $rundeck::params::ssl_certfile,
   $manage_default_admin_policy  = $rundeck::params::manage_default_admin_policy,
   $manage_default_api_policy    = $rundeck::params::manage_default_api_policy,
   $manage_yum_repo              = $rundeck::params::manage_yum_repo,
@@ -243,6 +251,8 @@
   validate_hash($database_config)
   validate_hash($kerberos_realms)
   validate_absolute_path($keystore)
+  validate_absolute_path($ssl_certfile)
+  validate_absolute_path($ssl_keyfile)
   validate_re($key_storage_type, [ '^db$', '^file$' ])
   validate_string($keystore_password)
   validate_string($key_password)

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -288,6 +288,9 @@
   $ssl_enabled = false
   $ssl_port = '4443'
 
+  $ssl_keyfile = '/etc/rundeck/ssl/rundeck.key'
+  $ssl_certfile = '/etc/rundeck/ssl/rundeck.crt'
+
   $package_source = 'https://dl.bintray.com/rundeck/rundeck-deb'
 
   $web_xml = "${rdeck_base}/exp/webapp/WEB-INF/web.xml"

diff --git a/metadata.json b/metadata.json
@@ -61,6 +61,10 @@
     {
       "name": "puppet/archive",
       "version_requirement": ">= 0.3.0 <=1.1.1"
+    },
+    {
+      "name": "puppetlabs/java_ks",
+      "version_requirement": ">= 1.0.3 <2.0.0"
     }
   ]
 }
diff --git a/spec/acceptance/rundeck_spec.rb b/spec/acceptance/rundeck_spec.rb
@@ -1,3 +1,5 @@
+# rubocop:disable RSpec/MultipleExpectations
+
 require 'spec_helper_acceptance'
 
 describe 'rundeck class' do

diff --git a/spec/classes/config/global/auth_spec.rb b/spec/classes/config/global/auth_spec.rb
@@ -1,3 +1,5 @@
+# rubocop:disable RSpec/MultipleExpectations
+
 require 'spec_helper'
 
 describe 'rundeck' do

diff --git a/spec/classes/config/global/framework_spec.rb b/spec/classes/config/global/framework_spec.rb
@@ -1,3 +1,5 @@
+# rubocop:disable RSpec/MultipleExpectations
+
 require 'spec_helper'
 
 describe 'rundeck' do
@@ -71,4 +73,29 @@
       end
     end
   end
+  context 'add port and url configuration' do
+    describe 'with ssl true' do
+      let(:params) do
+        {
+          ssl_enabled: true,
+          ssl_port: '443'
+        }
+      end
+      let(:facts) do
+        {
+          osfamily: 'Debian',
+          fqdn: 'test.domain.com',
+          serialnumber: 0,
+          rundeck_version: '',
+          puppetversion: Puppet.version
+        }
+      end
+
+      it 'generates valid content for framework.properties framework.server.port = 443 and framework.server.url = https://test.domain.com:443' do
+        content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content]
+        expect(content).to include('framework.server.port = 443')
+        expect(content).to include('framework.server.url = https://test.domain.com:443')
+      end
+    end
+  end
 end
diff --git a/spec/classes/config/global/gui_config_spec.rb b/spec/classes/config/global/gui_config_spec.rb
@@ -1,3 +1,5 @@
+# rubocop:disable RSpec/MultipleExpectations
+
 require 'spec_helper'
 
 describe 'rundeck' do

diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb
@@ -1,3 +1,5 @@
+# rubocop:disable RSpec/MultipleExpectations
+
 require 'spec_helper'
 
 describe 'rundeck' do

diff --git a/spec/classes/rundeck_spec.rb b/spec/classes/rundeck_spec.rb
@@ -1,3 +1,5 @@
+# rubocop:disable RSpec/MultipleExpectations
+
 require 'spec_helper'
 
 describe 'rundeck' do

diff --git a/templates/profile.erb b/templates/profile.erb
@@ -37,7 +37,7 @@ RDECK_JVM="$RDECK_JVM <%= @jvm_args %>"
 
 <%- if @ssl_enabled -%>
 export RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=<%= @properties_dir %>/ssl/ssl.properties -Dserver.https.port=<%= @ssl_port %>"
-export RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=$RDECK_BASE/ssl/truststore -Djavax.net.ssl.trustStoreType=jks -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
+export RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=<%= @properties_dir %>/ssl/truststore -Djavax.net.ssl.trustStoreType=jks -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
 <%- end -%>
 
 if test -t 0 -a -z "$RUNDECK_CLI_TERSE"