## Table of Contents

### Classes

- `pki`: This class provides the capability to manage non-Puppet PKI keys that are hosted on the Puppet server.
- `pki::copy::apps_dir`: NOTE: THIS IS A PRIVATE CLASS. This class configures the top-level application directory where application-level copies of PKI keys will be housed.

### Defined types

- `pki::copy`: This Defined Type provides a useful copy function for properly copying the entire set of SIMP-based PKI certificates as deployed by the PKI module to a different location.

### Resource types

- `pki_cert_sync`: A puppet type for merging the contents of one directory full of X.509 PKI certificates into another while hashing the certificates in a manner appropriate for use by most Linux applications.
## Classes

### `pki`

This class provides the capability to manage non-Puppet PKI keys that are hosted on the Puppet server.

The keydist directory must have the following structure:

```
${codedir}/${environment}/modules/${module_name}/files/keydist/
  cacerts/
    Any X.509 PEM formatted CA certificates that you want to serve to your clients.
  <fqdn>/
    cacerts/
      Any X.509 PEM formatted CA certificates that you want to serve to this particular client.
    <fqdn>.pem  -> Host Private Key
    <fqdn>.pub  -> Host Public Key
```

If `$pki` is set to `'simp'`, the keydist directory will have the same structure; however, it will be located in a separate module path so keys don't get clobbered when using r10k:

```
/var/simp/environments/${environment}/site_files/pki_files/files/keydist
```
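As an added example (not code from the pki module), the following POSIX shell check verifies that a keydist tree laid out as above is complete for one host and that the host's private key is not readable by other users on the Puppet server. The keydist path and the host FQDN are passed as arguments, which is this script's own convention rather than anything the module provides:

```shell
#!/bin/sh
# Added example, not part of the pki module: verify that a keydist tree on the
# Puppet server has the layout the pki class expects for one host, and that the
# host private key is not readable by other users on the server. The keydist
# path and the host FQDN are taken as arguments (an assumption of this script).
# Prints every problem found and returns 0 only when all checks pass.
check_keydist() {
  keydist="$1"
  fqdn="$2"
  status=0

  # cacerts/ holds the CA certificates served to every client
  if [ ! -d "$keydist/cacerts" ]; then
    echo "missing directory: $keydist/cacerts"
    status=1
  fi

  # <fqdn>/ holds this host's own cacerts/, private key (.pem) and public key (.pub)
  for entry in "$fqdn/cacerts" "$fqdn/$fqdn.pem" "$fqdn/$fqdn.pub"; do
    if [ ! -e "$keydist/$entry" ]; then
      echo "missing: $keydist/$entry"
      status=1
    fi
  done

  # Every file under either cacerts/ must be a PEM certificate (textual check, no openssl needed)
  for dir in "$keydist/cacerts" "$keydist/$fqdn/cacerts"; do
    [ -d "$dir" ] || continue
    for file in "$dir"/*; do
      [ -f "$file" ] || continue
      if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
        echo "not a PEM certificate: $file"
        status=1
      fi
    done
  done

  # The private key is distributed by Puppet to its own host only; on the server
  # it must not be group- or world-readable, so the mode must end in 00 (600, 400)
  key="$keydist/$fqdn/$fqdn.pem"
  if [ -f "$key" ]; then
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
      *00) ;;
      *) echo "private key $key is readable by others (mode $mode)"; status=1 ;;
    esac
  fi

  return "$status"
}

# Usage: sh check_keydist.sh /path/to/keydist host.example.com
if [ "$#" -eq 2 ]; then
  check_keydist "$1" "$2"
fi
```

Run it against the `keydist` directory of whichever module path is in use (`pki_files` when `$pki` is `'simp'`, the module's own `files/keydist` otherwise) before pushing a new host's keys, so a missing public key or an over-permissive private key is caught on the server rather than on the first agent run.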
#### Parameters

The following parameters are available in the `pki` class:

- Data type: `Variant[Boolean,Enum['simp']]`
  - If `'simp'`, certs will be copied from `puppet:///modules/pki_files/keydist`.
  - If `true` or `false`, certs will be copied from `puppet:///modules/${module_name}/keydist`.
  - Default value: `simplib::lookup('simp_options::pki', { 'default_value' => 'simp' })`
- Data type: `Stdlib::Absolutepath`
  - The directory to which certs will be copied.
  - Default value: `simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })`
- Data type: `String`
  - The name of the cert to be used on this host. Defaults to the Puppet certname.
  - Default value: `pick($trusted['certname'], $facts['networking']['fqdn'])`
- Data type: `String`
  - The source of the private key content. This parameter accepts the same values as the `file` type's `source` parameter.
  - Default value: `"puppet:///modules/${module_name}/keydist/${certname}/${certname}.pem"`
- Data type: `String`
  - The source of the public key content. This parameter accepts the same values as the `file` type's `source` parameter.
  - Default value: `"puppet:///modules/${module_name}/keydist/${certname}/${certname}.pub"`
- Data type: `Boolean`
  - Whether or not to enable auditing of the system keys.
  - Default value: `simplib::lookup('simp_options::auditd', { 'default_value' => false })`
- Data type: `Boolean`
  - Whether or not the PKI sync type should purge the destination directory. If set to `true` (the default), the `/etc/pki/cacerts` directory will have any non-recognized certificates removed.
  - Default value: `true`
- Data type: `Array[String]`
  - Modulepath to look in for the CA certs. Normally this is a special modulepath outside of the normal `$codedir`. The full path can be found in the `environment.conf` or through `puppet config print modulepath`.
  - Default value:

    ```puppet
    [
      "puppet:///modules/${module_name}/keydist/cacerts",
      "puppet:///modules/${module_name}/keydist/cacerts/${certname}/cacerts"
    ]
    ```
### `pki::copy::apps_dir`

NOTE: THIS IS A PRIVATE CLASS

This class configures the top-level application directory where application-level copies of PKI keys will be housed.

#### Parameters

The following parameters are available in the `pki::copy::apps_dir` class:

- Data type: `Stdlib::Absolutepath`
  - The name of the destination directory.
  - Default value: `'/etc/pki/simp_apps'`
- Data type: `Boolean`
  - Whether or not to purge unmanaged keys from the directory. NOTE: It is highly recommended that you purge unmanaged keys for security reasons.
  - Default value: `true`
## Defined types

### `pki::copy`

This Defined Type provides a useful copy function for properly copying the entire set of SIMP-based PKI certificates as deployed by the PKI module to a different location.

This is particularly important when dealing with SELinux enabled services since they tend to react poorly to symlinks.

#### Parameters

The following parameters are available in the `pki::copy` defined type:

- Data type: `Variant[Boolean,Enum['simp']]`
  - If set to `'simp'` or `true`: certificates will be centralized in `/etc/pki/simp_apps/`, and copied to `/etc/pki/simp_apps/$name/x509`.
  - If set to `'simp'`: include the `pki` class.
  - If set to `false`: certificates will not be centralized, and you must provide a `$destination`.
  - Default value: `simplib::lookup('simp_options::pki', { 'default_value' => false })`
- Data type: `Variant[String,Stdlib::Absolutepath]`
  - If `$pki = true` or `$pki = 'simp'`, this parameter will be used to namespace certificates in `/etc/pki/simp_apps/$name/x509`.
  - If `$pki = false`, this variable has no effect.
- Data type: `String`
  - Where to find the certificates. This value could be one of a few types:
    - Absolute path
    - A file URL in the form of `(https|puppet):///file/path`. See the `file` resource documentation for details on the format of this URL.
    - An NSS database. This must be managed by something else, like IPA.
  - If the setting is a path (file or URL), the locations referenced must have the following structure:
    - `<path>/cacerts`
    - `<path>/private`
    - `<path>/public`
  - NOTE: No other directories will be copied!
  - Default value: `simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })`
- Data type: `Optional[Stdlib::Absolutepath]`
  - Optional. The destination that PKI certs get copied to.
  - If `$pki = false`:
    - You must specify `$destination`.
    - You will need to ensure that all parent directories have been properly created.
    - A `pki` directory will be created under this space. For example, if you set this to `/foo/bar` then `/foo/bar/pki` will be created.
  - If `$pki = true` or `$pki = 'simp'`: this variable has no effect.
  - Default value: `undef`
- Data type: `String`
  - The owner of the directories/files that get copied.
  - Default value: `'root'`
- Data type: `String`
  - The group of the directories/files that get copied.
  - Default value: `'root'`
## Resource types

### `pki_cert_sync`

A puppet type for merging the contents of one directory full of X.509 PKI certificates into another while hashing the certificates in a manner appropriate for use by most Linux applications (Apache, OpenLDAP, etc.).

Usage:

```puppet
pki_cert_sync { '<target_dir>': source => '<source_dir>' }
```

Both directories must exist on the local operating system; remote file syncing is not supported. File attributes will all be copied from the source directory.

Any SELinux contexts will be preserved on existing files and copied from the source files if the destination file does not exist.

#### Properties

The following properties are available in the `pki_cert_sync` type.

- `source`
  - The directory from which to copy all materials.

#### Parameters

The following parameters are available in the `pki_cert_sync` type.

- Valid values: `true`, `false`, `yes`, `no`
  - Whether to generate the PEM file hash links in the target directory (`:name`). Should only be disabled if the application using the target directory generates those links itself.
  - Default value: `true`
- `name` (namevar)
  - The target directory into which to place and hash the X.509 certificates.
  - This directory will be left as it was found at the end of the sync just in case it is the destination of a recursive file copy with purge enabled.
- `provider`
  - The specific backend to use for this `pki_cert_sync` resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.
- Valid values: `true`, `false`, `yes`, `no`
  - Whether to purge the target directory (`:name`). In general, you will want to do this to ensure that systems do not get inappropriate CAs added locally.
  - Default value: `true`
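To make the purge behaviour concrete, here is an added shell model of what a purging certificate sync does; it is not the `pki_cert_sync` provider and its argument convention (source directory, target directory, purge flag) is this script's own. Files from the source are copied with attributes preserved, anything in the target with no counterpart in the source is removed when purge is on, and `<subject_hash>.0` links are regenerated when `openssl` is available:

```shell
#!/bin/sh
# Added example, not the pki_cert_sync provider: a simplified model of a purging
# certificate sync. Every regular file in the source directory is copied into the
# target with its attributes preserved (cp -p). When purge is "true", any file in
# the target that has no counterpart in the source is removed, so a CA certificate
# dropped into the directory by hand does not survive the next run. Hash links
# (<subject_hash>.0, the c_rehash layout Apache and OpenLDAP look up) are rebuilt
# when openssl is available and skipped otherwise; only the ".0" slot is handled,
# so two certificates with the same subject hash are not disambiguated here.
sync_certs() {
  src="$1"
  dst="$2"
  purge="${3:-true}"

  [ -d "$src" ] && [ -d "$dst" ] || { echo "both directories must exist" >&2; return 1; }

  # 1. Copy everything from the source, attributes included.
  for file in "$src"/*; do
    [ -f "$file" ] || continue
    cp -p "$file" "$dst/"
  done

  # 2. Purge: drop old hash links (rebuilt in step 3) and any file not in the source.
  if [ "$purge" = "true" ]; then
    for file in "$dst"/*; do
      [ -f "$file" ] || [ -L "$file" ] || continue
      base=$(basename "$file")
      case "$base" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
          rm -f "$file" ;;
        *)
          if [ ! -f "$src/$base" ]; then
            echo "purging unrecognized entry: $file"
            rm -f "$file"
          fi ;;
      esac
    done
  fi

  # 3. Hash links: <subject_hash>.0 -> certificate file.
  if command -v openssl >/dev/null 2>&1; then
    for file in "$dst"/*; do
      [ -f "$file" ] && [ ! -L "$file" ] || continue
      hash=$(openssl x509 -noout -subject_hash -in "$file" 2>/dev/null) || continue
      ln -sf "$(basename "$file")" "$dst/$hash.0"
    done
  fi
  return 0
}
```

The security-relevant part is step 2: with purge off, a certificate that someone placed directly into the target directory keeps being trusted by every application reading it; with purge on, it is gone after the next sync, which is why the type defaults purge to `true`.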