Unverified Commit d9af797d authored by Max Adamo's avatar Max Adamo

reorganize redis and vault

parent 61822343
......@@ -12,6 +12,7 @@ Options:
-c CLIENT --client=CLIENT Client
-d DOMAIN --domain=DOMAIN Domain
-p PROVIDER --provider=PROVIDER Provider
-u UNIT --unit=UNIT Unit, entity or team
-w --wildcard Use wildcard
-x --extra=EXTRA Supply extra parameters available from certbot documentation
"""
......@@ -140,8 +141,12 @@ if __name__ == "__main__":
ARGS = docopt(__doc__)
DOMAIN = ARGS['--domain']
UNIT = ARGS['--unit']
PROVIDER = ARGS['--provider']
CLIENTS = ARGS['--client']
if ARGS['--client']:
CLIENTS = ARGS['--client']
else:
CLIENTS = DOMAIN[0] # client makes only sense with Puppet
WILDCARD = ARGS['--wildcard']
EXTRA = ARGS['--extra']
LOG_FILE = '/var/log/acme_{}/geant_acme.log'.format(PROVIDER)
......@@ -192,12 +197,13 @@ if __name__ == "__main__":
# if we are here, everything went fine and we can upload the certificates
if WILDCARD:
UPLOADER = '/root/bin/geant_acme_uploader.py -d {} -p {} -w'.format(DOMAIN[0], PROVIDER)
UPLOADER = '/root/bin/geant_acme_uploader.py -u {} -d {} -p {} -w'.format(
UNIT, DOMAIN[0], PROVIDER)
os.system(UPLOADER)
else:
for client in CLIENTS:
UPLOADER = '/root/bin/geant_acme_uploader.py -d {} -c {} -p {}'.format(
DOMAIN[0], client, PROVIDER)
UPLOADER = '/root/bin/geant_acme_uploader.py -u {} -d {} -c {} -p {}'.format(
UNIT, DOMAIN[0], client, PROVIDER)
os.system(UPLOADER)
os_exit()
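Review bot: The fallback `CLIENTS = DOMAIN[0]` added in the second hunk is later iterated by `for client in CLIENTS:`, and if `DOMAIN[0]` is a plain string (which its use in `.format(DOMAIN[0], ...)` suggests) that loop runs once per character and spawns one uploader per letter; the fallback should be a one-element list, `CLIENTS = [DOMAIN[0]]  # client only makes sense with Puppet`. Separately, the new `-u {}` in the last hunk interpolates UNIT, like the other CLI-derived values, into a command string handed to `os.system`, so any shell metacharacter in an argument is interpreted by the shell; passing an argument list such as `subprocess.run(['/root/bin/geant_acme_uploader.py', '-u', UNIT, '-d', DOMAIN[0], '-p', PROVIDER, '-w'], check=True)` (and the `-c` variant in the loop) avoids that and also surfaces a non-zero exit status, which `os.system` currently discards. This needs `import subprocess` at the top of the file, which is outside the hunk. The enclosing `if __name__ == "__main__":` block begins and ends outside these hunks.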
......@@ -11,6 +11,7 @@ Options:
-h --help Show this screen
-d DOMAIN --domain=DOMAIN Domain
-c CLIENT --client=CLIENT Client
-u UNIT --unit=UNIT Unit, entity or team
-p PROVIDER --provider=PROVIDER Provider
-w --wildcard Wildcard
"""
......@@ -131,6 +132,7 @@ if __name__ == "__main__":
ARGS = docopt(__doc__)
DOMAIN = ARGS['--domain']
UNIT = ARGS['--unit']
PROVIDER = ARGS['--provider']
if ARGS['--wildcard']:
CLIENT = ['common']
......@@ -143,7 +145,7 @@ if __name__ == "__main__":
CONFIG = configparser.RawConfigParser()
CONFIG.read_file(open('/root/.geant_acme.ini'))
REDIS_TOKEN = CONFIG.get('geant_acme', 'redis_token')
VAULT_TOKEN = CONFIG.get('geant_acme', 'vault_token')
VAULT_TOKEN = CONFIG.get('geant_acme', 'vault_token_{}'.format(UNIT))
REDIS_HOST = CONFIG.get('geant_acme', 'redis_host')
VAULT_HOST = CONFIG.get('geant_acme', 'vault_host')
BASEDIR = '/etc/{}/live'.format(PROVIDER)
......@@ -181,22 +183,22 @@ if __name__ == "__main__":
domain_underscored = DOMAIN.replace('.', '_')
certname_renamed = certname.replace(
'cert.pem', 'pem').replace('.', '_')
redis_full_path = '{}:redis_{}{}_{}'.format(
CLIENT_ITEM, PROVIDER_PREFIX, domain_underscored, certname_renamed)
certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
REDIS_FULL_PATH = '{}:{}:redis_{}{}_{}'.format(
UNIT, CLIENT_ITEM, PROVIDER_PREFIX, domain_underscored, certname_renamed)
certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, REDIS_FULL_PATH)
if certdata_local != certdata_upstream:
print('uploading to Redis: {}'.format(redis_full_path))
redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_local)
print('uploading to Redis: {}'.format(REDIS_FULL_PATH))
redis_upload(REDIS_HOST, REDIS_TOKEN, REDIS_FULL_PATH, certdata_local)
else:
print('redis key {} did not change: skipping'.format(redis_full_path))
print('redis key {} did not change: skipping'.format(REDIS_FULL_PATH))
# upload key to Vault
with open(KEYPATH, 'r') as keyfile:
KEYDATA_LOCAL = keyfile.read()
DOMAIN_UNDERSCORED = DOMAIN.replace('.', '_')
VAULT_FULL_PATH = 'puppet/{}/vault_{}{}{}_key'.format(
CLIENT_ITEM, PROVIDER_PREFIX, WILDCARD, DOMAIN_UNDERSCORED)
VAULT_FULL_PATH = '{}/{}/vault_{}{}{}_key'.format(
UNIT, CLIENT_ITEM, PROVIDER_PREFIX, WILDCARD, DOMAIN_UNDERSCORED)
KEYDATA_UPSTREAM = vault_dowload(VAULT_HOST, VAULT_TOKEN, VAULT_FULL_PATH)
if KEYDATA_LOCAL != KEYDATA_UPSTREAM:
......
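Review bot: The token lookup `CONFIG.get('geant_acme', 'vault_token_{}'.format(UNIT))` in the third hunk has no guard for a missing or unknown unit: docopt yields `None` when `--unit` is omitted, so the key becomes `vault_token_None` and configparser raises a bare `NoOptionError` with no hint of the cause. The same unvalidated value also becomes the first path component of `REDIS_FULL_PATH` and `VAULT_FULL_PATH` in the last hunk, so a mistyped unit silently publishes the certificate and key under a new prefix rather than failing. A check right after the token section is read would make both failures explicit, e.g. `if not UNIT or not CONFIG.has_option('geant_acme', 'vault_token_{}'.format(UNIT)):` followed by `raise SystemExit('no vault token configured for unit {!r}'.format(UNIT))`. The `if __name__ == "__main__":` block these hunks belong to starts and ends outside the hunk.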
......@@ -3,6 +3,7 @@
class geant_acme::files (
Sensitive $vault_token,
Sensitive $puppet_token,
$team_name,
$wildcard_domain,
$redis_host,
$vault_host,
......@@ -96,7 +97,8 @@ class geant_acme::files (
target => '/root/bin/infoblox_hook.py';
'/root/.geant_acme.ini':
mode => '0640',
content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));
content => epp("${module_name}/geant_acme.ini.epp");
#content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));
'/root/.secrets_shuffle.ini':
mode => '0640',
content => Sensitive(epp("${module_name}/secrets_shuffle.ini.epp"));
......
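Review bot: Replacing `content => Sensitive(epp(...))` with a plain `epp(...)` for `/root/.geant_acme.ini` removes the protection that keeps the rendered file out of agent logs and reports; without the `Sensitive` wrapper Puppet shows the content diff whenever the file changes, and this file carries the redis token and every per-team vault token written by the template. If the wrapper was dropped because the template now unwraps a hash itself, that does not require dropping it here, so I would restore `content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));` and delete the commented-out copy on the following line instead of leaving it as dead code. Leaving the reason in a short comment would help if the wrapper genuinely cannot be used.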
......@@ -47,8 +47,13 @@ class geant_acme (
include geant_acme::nginx
include geant_acme::firewall
$ev_units = keys($sg_certificates_ev)
$ov_units = keys($sg_certificates_ov)
$units = unique($ev_units + $ov_units)
class {
'geant_acme::files':
team_name => $units,
vault_token => Sensitive($vault_token),
puppet_token => Sensitive($puppet_token),
iblox_password => Sensitive($iblox_password),
......@@ -79,15 +84,25 @@ class geant_acme (
geant_acme::wildcard { ['letsencrypt', 'sectigo_ov']: check_days => $check_days; }
}
geant_acme::server {
default:
check_days => $check_days;
'letsencrypt':
certificates => $le_certificates;
'sectigo_ov':
certificates => $sg_certificates_ov;
'sectigo_ev':
certificates => $sg_certificates_ev;
$ev_units.each | $evunit | {
geant_acme::server { 'sectigo_ev':
check_days => $check_days,
team_name => $evunit,
certificates => $sg_certificates_ev[$evunit];
}
}
$ov_units.each | $ovunit | {
geant_acme::server { 'sectigo_ov':
check_days => $check_days,
team_name => $ovunit,
certificates => $sg_certificates_ov[$ovunit];
}
}
geant_acme::server { 'letsencrypt':
check_days => $check_days,
certificates => $le_certificates;
}
}
......
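Review bot: The two `each` loops in the second hunk declare `geant_acme::server { 'sectigo_ev': ... }` and `geant_acme::server { 'sectigo_ov': ... }` with a fixed title on every iteration, so as soon as a provider has two or more units the catalog fails with a duplicate declaration. Because server.pp derives `$provider = $name`, the title can be made unique while the provider is passed explicitly: `geant_acme::server { "sectigo_ev_${evunit}":` with `provider => 'sectigo_ev',` alongside `team_name => $evunit,` (and the same for the OV loop). The `cron { $certificate: ... }` inside the define may still collide if one certificate name appears under two units, which I cannot verify from these hunks.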
......@@ -18,6 +18,7 @@
define geant_acme::server (
$certificates,
$check_days,
$team_name = undef,
$provider = $name,
) {
......@@ -26,8 +27,12 @@ define geant_acme::server (
$certificates_list.each | String $certificate | {
# join multiple clients as following: 'test-nas01.geant.org -c test-jump01.geant.org'
$certificates_clients = join($certificates[$certificate]['clients'], ' -c ')
if $certificates[$certificate]['clients'] {
$certificates_clients = join($certificates[$certificate]['clients'], ' -c ')
$_clients = "-c ${certificates_clients}"
} else {
$_clients = ''
}
# if there is multi_domain join them as following: 'cert_2.geant.org -d cert_3.geant.org'
if $certificates[$certificate]['multi_domain'] {
$concat_cert_list = concat([$certificate], $certificates[$certificate]['multi_domain'])
......@@ -39,14 +44,14 @@ define geant_acme::server (
# if verbose is enabled append ' - v'
if 'verbose' in $certificates[$certificate] {
$cmd = "${certificates_clients} -v"
$clients = "${_clients} -v"
} else {
$cmd = $certificates_clients
$clients = $_clients
}
# 86400 = 1 day
$cmd_prefix = "/bin/check-ssl-cert.rb -c ${check_days} -w ${check_days} -P /etc/${provider}/live/${certificate}/fullchain.pem"
$cmd_suffix = "/root/bin/geant_acme.py -p ${provider} -d ${cert_list} -c ${cmd}"
$cmd_suffix = "/root/bin/geant_acme.py -p ${provider} -u ${team_name} -d ${cert_list} ${clients}"
cron { $certificate:
ensure => present,
......
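Review bot: The new `$cmd_suffix` interpolates `-u ${team_name}` unconditionally, but `$team_name` defaults to `undef` and the letsencrypt declaration in init.pp passes none, so that cron line renders as `-u  -d ...`; docopt will then consume the next token as the unit value rather than reporting the missing option, and the Python side derives its vault token key from it. Build the flag only when a team is set, mirroring how `$_clients` is already handled above: `$_unit = $team_name ? { undef => '', default => "-u ${team_name}" }` and then `... -p ${provider} ${_unit} -d ${cert_list} ${clients}` in the suffix. The `each` body these lines sit in starts and ends outside the hunk.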
......@@ -8,9 +8,13 @@ redis_token = <%= $geant_acme::files::puppet_token.unwrap %>
redis_host = <%= $geant_acme::files::redis_host %>
# Vault parameters
vault_token = <%= $geant_acme::files::vault_token.unwrap %>
vault_host = <%= $geant_acme::files::vault_host %>
# PuppetDB parameters
puppetdb_host = <%= $geant_acme::files::puppetdb_host %>
puppetdb_port = <%= $geant_acme::files::puppetdb_port %>
# Vault tokens
<% $token_hash = $geant_acme::files::vault_token.unwrap -%>
<% $geant_acme::files::team_name.each |$team| { %>vault_token_<%= $team %> = <%= $token_hash[$team] %>
<% } -%>
[vault]
# Vault parameters
vault_token = <%= $geant_acme::files::vault_token.unwrap %>
<% $token_hash = $geant_acme::files::vault_token.unwrap -%>
vault_token = <%= $token_hash['puppet'] %>
vault_ssl = true
vault_host = <%= $geant_acme::files::vault_host %>
vault_port = 443
......
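Review bot: `$token_hash` is assigned twice in this template, once before the team loop and again under `[vault]`; both lines appear to be on the new side, and Puppet does not allow a variable to be reassigned in the same scope, so the template would fail to render. Assign it once at the top and reuse it for both the per-team lines and the `vault_token = <%= $token_hash['puppet'] %>` entry. The loop line also renders `vault_token_<team> =` with an empty value when the hash has no entry for a team, and an empty token then reaches the uploader as a silently wrong credential, so I would fail the render for a missing key instead, for example `<%= $token_hash[$team] ? { undef => fail("no vault token for ${team}"), default => $token_hash[$team] } %>`. If any other consumer still reads the old `vault_token` key under `[geant_acme]`, its removal here would need a matching change there, which I cannot see from this hunk.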