diff --git a/files/geant_acme.py b/files/geant_acme.py
index f2aedb817d96669fad26223b02770a81988bdaae..5e793e37765ba59c6e87b0f14245ca84ec13f5ba 100755
--- a/files/geant_acme.py
+++ b/files/geant_acme.py
@@ -12,6 +12,7 @@ Options:
-c CLIENT --client=CLIENT Client
-d DOMAIN --domain=DOMAIN Domain
-p PROVIDER --provider=PROVIDER Provider
+ -u UNIT --unit=UNIT Unit, entity or team
-w --wildcard Use wildcard
-x --extra=EXTRA Supply extra parameters available from certbot documentation
"""
@@ -140,8 +141,12 @@ if __name__ == "__main__":
ARGS = docopt(__doc__)
DOMAIN = ARGS['--domain']
+ UNIT = ARGS['--unit']
PROVIDER = ARGS['--provider']
- CLIENTS = ARGS['--client']
+ if ARGS['--client']:
+ CLIENTS = ARGS['--client']
+ else:
+ CLIENTS = DOMAIN[0] # client makes only sense with Puppet
WILDCARD = ARGS['--wildcard']
EXTRA = ARGS['--extra']
LOG_FILE = '/var/log/acme_{}/geant_acme.log'.format(PROVIDER)
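Review bot: The fallback `CLIENTS = DOMAIN[0]` assigns a single string where the `--client` branch presumably yields a list (the `-c a -c b` join in server.pp suggests `-c` is repeatable), so the later `for client in CLIENTS:` would iterate the characters of the domain name and run the uploader once per character; wrap it as `CLIENTS = [DOMAIN[0]]`. `UNIT` is likewise taken straight from docopt and is `None` when `-u` is omitted, which later lands in the uploader command line as `-u None`; guard it with `if not UNIT: raise SystemExit('--unit is required')` or make the defaulting explicit. The comment `# client makes only sense with Puppet` would help more if it said what the fallback means, e.g. `# no -c given: upload only for the certificate's own host`. The `if __name__ == "__main__":` block starts outside the hunk.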
@@ -192,12 +197,13 @@ if __name__ == "__main__":
# if we are here, everything went fine and we can upload the certificates
if WILDCARD:
- UPLOADER = '/root/bin/geant_acme_uploader.py -d {} -p {} -w'.format(DOMAIN[0], PROVIDER)
+ UPLOADER = '/root/bin/geant_acme_uploader.py -u {} -d {} -p {} -w'.format(
+ UNIT, DOMAIN[0], PROVIDER)
os.system(UPLOADER)
else:
for client in CLIENTS:
- UPLOADER = '/root/bin/geant_acme_uploader.py -d {} -c {} -p {}'.format(
- DOMAIN[0], client, PROVIDER)
+ UPLOADER = '/root/bin/geant_acme_uploader.py -u {} -d {} -c {} -p {}'.format(
+ UNIT, DOMAIN[0], client, PROVIDER)
os.system(UPLOADER)
os_exit()
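Review bot: The new `-u {}` interpolation goes into a command string handed to `os.system`, so `UNIT` (like the existing `DOMAIN[0]`, `client` and `PROVIDER`) is interpreted by the shell as-is; a value containing whitespace or shell metacharacters changes the command rather than arriving as one argument. Since the arguments are already known individually, pass them as a list, e.g. `subprocess.run(['/root/bin/geant_acme_uploader.py', '-u', UNIT, '-d', DOMAIN[0], '-p', PROVIDER, '-w'], check=True)` and the `-c` variant likewise; `check=True` also stops a failed upload from being ignored, since `os.system`'s return value is dropped here. That needs `import subprocess` at the top of the file, outside the hunk.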
diff --git a/files/geant_acme_uploader.py b/files/geant_acme_uploader.py
index 68048aa3bbdd732e6210c56cf136f9f1556c02dd..318b90903bcd0f0ee11d5a054df2bcbdd3372917 100755
--- a/files/geant_acme_uploader.py
+++ b/files/geant_acme_uploader.py
@@ -11,6 +11,7 @@ Options:
-h --help Show this screen
-d DOMAIN --domain=DOMAIN Domain
-c CLIENT --client=CLIENT Client
+ -u UNIT --unit=UNIT Unit, entity or team
-p PROVIDER --provider=PROVIDER Provider
-w --wildcard Wildcard
"""
@@ -131,6 +132,7 @@ if __name__ == "__main__":
ARGS = docopt(__doc__)
DOMAIN = ARGS['--domain']
+ UNIT = ARGS['--unit']
PROVIDER = ARGS['--provider']
if ARGS['--wildcard']:
CLIENT = ['common']
@@ -143,7 +145,7 @@ if __name__ == "__main__":
CONFIG = configparser.RawConfigParser()
CONFIG.read_file(open('/root/.geant_acme.ini'))
REDIS_TOKEN = CONFIG.get('geant_acme', 'redis_token')
- VAULT_TOKEN = CONFIG.get('geant_acme', 'vault_token')
+ VAULT_TOKEN = CONFIG.get('geant_acme', 'vault_token_{}'.format(UNIT))
REDIS_HOST = CONFIG.get('geant_acme', 'redis_host')
VAULT_HOST = CONFIG.get('geant_acme', 'vault_host')
BASEDIR = '/etc/{}/live'.format(PROVIDER)
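Review bot: `CONFIG.get('geant_acme', 'vault_token_{}'.format(UNIT))` raises `configparser.NoOptionError` with a raw traceback both when `-u` was omitted (`UNIT` is `None`, giving the key `vault_token_None`) and when the ini has no token for that unit; the read of `UNIT` in the previous hunk adds no check either. Fail early with a clear message right after the option is read, `if not UNIT: raise SystemExit('--unit is required')`, and consider `CONFIG.has_option('geant_acme', ...)` before the get so a missing per-team token is reported with the unit name. Not part of this change but on the same lines: `CONFIG.read_file(open(...))` never closes the handle; `with open('/root/.geant_acme.ini') as f: CONFIG.read_file(f)` keeps the same missing-file behaviour.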
@@ -181,22 +183,22 @@ if __name__ == "__main__":
domain_underscored = DOMAIN.replace('.', '_')
certname_renamed = certname.replace(
'cert.pem', 'pem').replace('.', '_')
- redis_full_path = '{}:redis_{}{}_{}'.format(
- CLIENT_ITEM, PROVIDER_PREFIX, domain_underscored, certname_renamed)
- certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
+ REDIS_FULL_PATH = '{}:{}:redis_{}{}_{}'.format(
+ UNIT, CLIENT_ITEM, PROVIDER_PREFIX, domain_underscored, certname_renamed)
+ certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, REDIS_FULL_PATH)
if certdata_local != certdata_upstream:
- print('uploading to Redis: {}'.format(redis_full_path))
- redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_local)
+ print('uploading to Redis: {}'.format(REDIS_FULL_PATH))
+ redis_upload(REDIS_HOST, REDIS_TOKEN, REDIS_FULL_PATH, certdata_local)
else:
- print('redis key {} did not change: skipping'.format(redis_full_path))
+ print('redis key {} did not change: skipping'.format(REDIS_FULL_PATH))
# upload key to Vault
with open(KEYPATH, 'r') as keyfile:
KEYDATA_LOCAL = keyfile.read()
DOMAIN_UNDERSCORED = DOMAIN.replace('.', '_')
- VAULT_FULL_PATH = 'puppet/{}/vault_{}{}{}_key'.format(
- CLIENT_ITEM, PROVIDER_PREFIX, WILDCARD, DOMAIN_UNDERSCORED)
+ VAULT_FULL_PATH = '{}/{}/vault_{}{}{}_key'.format(
+ UNIT, CLIENT_ITEM, PROVIDER_PREFIX, WILDCARD, DOMAIN_UNDERSCORED)
KEYDATA_UPSTREAM = vault_dowload(VAULT_HOST, VAULT_TOKEN, VAULT_FULL_PATH)
if KEYDATA_LOCAL != KEYDATA_UPSTREAM:
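Review bot: `UNIT` is spliced unvalidated into both the Redis key (`'{}:{}:redis_...'`) and the Vault path (`'{}/{}/vault_...'`), so a unit value containing `:` or `/` silently changes the key namespace or the secret path instead of selecting a team; this commit is what makes that prefix caller-supplied. Validate it once after parsing, e.g. `if not re.fullmatch(r'[A-Za-z0-9_-]+', UNIT): raise SystemExit('invalid --unit')` (needs `import re`, outside the hunk). Replacing the fixed `puppet/` prefix with `UNIT` presumably means keys stored before this change are no longer found by the comparison for any unit other than `puppet`, so everything is re-uploaded once on the first run — worth stating in the commit message if intended. `REDIS_FULL_PATH` is reassigned inside a loop, so the upper-case constant name is misleading; keeping `redis_full_path` reads better.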
diff --git a/manifests/files.pp b/manifests/files.pp
index 007c8b005b7ac6d71225539803b584b6f7ffc4bb..5ff28149f5b7b060746d5223880b2c0a735b2037 100644
--- a/manifests/files.pp
+++ b/manifests/files.pp
@@ -3,6 +3,7 @@
class geant_acme::files (
Sensitive $vault_token,
Sensitive $puppet_token,
+ $team_name,
$wildcard_domain,
$redis_host,
$vault_host,
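Review bot: `$team_name` is added without a type while the neighbouring parameters are typed, and the value init.pp passes into it is the array `$units`, so the singular name misleads; declare it as `Array[String] $team_name,` (or rename it `$team_names`) and document that the ini template iterates it to emit one `vault_token_<team>` entry per element. The class header continues outside the hunk.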
@@ -96,7 +97,8 @@ class geant_acme::files (
target => '/root/bin/infoblox_hook.py';
'/root/.geant_acme.ini':
mode => '0640',
- content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));
+ content => epp("${module_name}/geant_acme.ini.epp");
+ #content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));
'/root/.secrets_shuffle.ini':
mode => '0640',
content => Sensitive(epp("${module_name}/secrets_shuffle.ini.epp"));
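Review bot: Dropping the `Sensitive(...)` wrapper around the `/root/.geant_acme.ini` content means the rendered file — which now carries the Redis token and every team's Vault token — is no longer redacted in the catalog, in agent diff output and in Puppet reports, which is the exposure the wrapper existed to prevent; the neighbouring `/root/.secrets_shuffle.ini` keeps it, so the two resources are now inconsistent. Restore `content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));` and, if it was removed because template evaluation failed, fix the template (it already calls `.unwrap` on the token hash itself) rather than shipping the secrets unwrapped. Delete the commented-out line instead of leaving it as dead code.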
diff --git a/manifests/init.pp b/manifests/init.pp
index 5d0baf06433bba464bdf3f569a07f07c970fc32b..d82c9bcea8e65f1fe198833ab80e697afa3f7c0f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -47,8 +47,13 @@ class geant_acme (
include geant_acme::nginx
include geant_acme::firewall
+ $ev_units = keys($sg_certificates_ev)
+ $ov_units = keys($sg_certificates_ov)
+ $units = unique($ev_units + $ov_units)
+
class {
'geant_acme::files':
+ team_name => $units,
vault_token => Sensitive($vault_token),
puppet_token => Sensitive($puppet_token),
iblox_password => Sensitive($iblox_password),
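Review bot: With this change `$vault_token` must be a hash keyed by unit name (the ini template indexes `$token_hash[$team]` and secrets_shuffle.ini.epp reads `$token_hash['puppet']`), but nothing here expresses that contract: `$units` is built only from the certificate hashes, so the required `puppet` entry is never checked, and a unit that has certificates but no token renders an empty `vault_token_<unit> =` line. Tighten the class parameter to `Sensitive[Hash[String, String]] $vault_token` or `Hash[String, String] $vault_token` (the header is outside the hunk) and, if `$vault_token` is the plain hash it appears to be here, add `$units.each |$u| { unless $u in $vault_token { fail("no vault token for unit ${u}") } }` so the mismatch fails at compile time instead of producing a broken config. `team_name => $units` passes an array under a singular name; see the matching parameter in files.pp.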
@@ -79,15 +84,25 @@ class geant_acme (
geant_acme::wildcard { ['letsencrypt', 'sectigo_ov']: check_days => $check_days; }
}
- geant_acme::server {
- default:
- check_days => $check_days;
- 'letsencrypt':
- certificates => $le_certificates;
- 'sectigo_ov':
- certificates => $sg_certificates_ov;
- 'sectigo_ev':
- certificates => $sg_certificates_ev;
+ $ev_units.each | $evunit | {
+ geant_acme::server { 'sectigo_ev':
+ check_days => $check_days,
+ team_name => $evunit,
+ certificates => $sg_certificates_ev[$evunit];
+ }
+ }
+
+ $ov_units.each | $ovunit | {
+ geant_acme::server { 'sectigo_ov':
+ check_days => $check_days,
+ team_name => $ovunit,
+ certificates => $sg_certificates_ov[$ovunit];
+ }
+ }
+
+ geant_acme::server { 'letsencrypt':
+ check_days => $check_days,
+ certificates => $le_certificates;
}
}
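Review bot: Both `.each` loops declare the resource with a fixed title — `geant_acme::server { 'sectigo_ev':` for every `$evunit` and `'sectigo_ov'` for every `$ovunit` — so as soon as a provider hash has two unit keys the catalog fails with a duplicate declaration of `Geant_acme::Server[sectigo_ev]`; the single declaration per provider that this replaces did not have that problem. Make the title unique per unit and pass the provider explicitly, since server.pp defaults `$provider = $name`: `geant_acme::server { "sectigo_ev_${evunit}":` with `provider => 'sectigo_ev',` added to the parameters, and the same for the ov loop. The cron resources inside server.pp are titled by certificate name, so the same certificate listed under two units would still collide there; that is outside this hunk.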
diff --git a/manifests/server.pp b/manifests/server.pp
index 50a2b434b1d8c7718056f4ea4abfcdac5c22c349..9e7672ab1f8ebe2fe7eae3afd6cd91937b81d641 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -18,6 +18,7 @@
define geant_acme::server (
$certificates,
$check_days,
+ $team_name = undef,
$provider = $name,
) {
@@ -26,8 +27,12 @@ define geant_acme::server (
$certificates_list.each | String $certificate | {
# join multiple clients as following: 'test-nas01.geant.org -c test-jump01.geant.org'
- $certificates_clients = join($certificates[$certificate]['clients'], ' -c ')
-
+ if $certificates[$certificate]['clients'] {
+ $certificates_clients = join($certificates[$certificate]['clients'], ' -c ')
+ $_clients = "-c ${certificates_clients}"
+ } else {
+ $_clients = ''
+ }
# if there is multi_domain join them as following: 'cert_2.geant.org -d cert_3.geant.org'
if $certificates[$certificate]['multi_domain'] {
$concat_cert_list = concat([$certificate], $certificates[$certificate]['multi_domain'])
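Review bot: `if $certificates[$certificate]['clients']` only skips `undef`/`false`; an empty array is truthy in Puppet, so `clients => []` yields `$_clients = "-c "` and the generated command carries a `-c` with no value, which docopt would presumably reject. Use `if !empty($certificates[$certificate]['clients']) {` so both the absent and the empty case fall through to `$_clients = ''`. Further down, the renamed `$clients` variable also absorbs the `-v` flag, which is why the old name was `$cmd`; a name like `$client_args` would keep a reader from assuming it holds only the client list. The define continues outside the hunk.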
@@ -39,14 +44,14 @@ define geant_acme::server (
# if verbose is enabled append ' - v'
if 'verbose' in $certificates[$certificate] {
- $cmd = "${certificates_clients} -v"
+ $clients = "${_clients} -v"
} else {
- $cmd = $certificates_clients
+ $clients = $_clients
}
# 86400 = 1 day
$cmd_prefix = "/bin/check-ssl-cert.rb -c ${check_days} -w ${check_days} -P /etc/${provider}/live/${certificate}/fullchain.pem"
- $cmd_suffix = "/root/bin/geant_acme.py -p ${provider} -d ${cert_list} -c ${cmd}"
+ $cmd_suffix = "/root/bin/geant_acme.py -p ${provider} -u ${team_name} -d ${cert_list} ${clients}"
cron { $certificate:
ensure => present,
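Review bot: `-u ${team_name}` is emitted unconditionally, but `$team_name` defaults to `undef` (previous hunk) and the `letsencrypt` declaration in init.pp never sets it, so that cron line becomes `... -p letsencrypt -u  -d <cert> ...` and docopt will presumably take the following `-d` as the unit's value or reject the command outright; either way the Let's Encrypt renewals stop running. Only add the flag when a unit is given, as the hunk above already does for `-c`. The `cron` resource continues outside the hunk.
```puppet
# … unchanged: verbose handling, $cmd_prefix …
if $team_name {
  $_unit = "-u ${team_name}"
} else {
  $_unit = ''
}
$cmd_suffix = "/root/bin/geant_acme.py -p ${provider} ${_unit} -d ${cert_list} ${clients}"
# … unchanged: cron resource …
```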
diff --git a/templates/geant_acme.ini.epp b/templates/geant_acme.ini.epp
index 269a9e056f992502bb2584831da739a41535d87a..8bed83d157176b791f2c6e62d8494ffe3f9af4e5 100644
--- a/templates/geant_acme.ini.epp
+++ b/templates/geant_acme.ini.epp
@@ -8,9 +8,13 @@ redis_token = <%= $geant_acme::files::puppet_token.unwrap %>
redis_host = <%= $geant_acme::files::redis_host %>
# Vault parameters
-vault_token = <%= $geant_acme::files::vault_token.unwrap %>
vault_host = <%= $geant_acme::files::vault_host %>
# PuppetDB parameters
puppetdb_host = <%= $geant_acme::files::puppetdb_host %>
puppetdb_port = <%= $geant_acme::files::puppetdb_port %>
+
+# Vault tokens
+<% $token_hash = $geant_acme::files::vault_token.unwrap -%>
+<% $geant_acme::files::team_name.each |$team| { %>vault_token_<%= $team %> = <%= $token_hash[$team] %>
+<% } -%>
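Review bot: `<%= $token_hash[$team] %>` renders an empty value (`vault_token_<team> = `) for any team listed in `$team_name` but absent from the token hash, and the uploader then reads that empty string from the ini and presents it to Vault, failing only at request time with no hint of the cause. Either iterate the hash itself — `<% $token_hash.each |$team, $token| { %>vault_token_<%= $team %> = <%= $token %>` — so only configured tokens are written, or keep the team loop and `fail("no vault token for ${team}")` when the key is missing. The file now concentrates every team's Vault token in one place, which is worth stating in the header comment and argues for keeping the 0640 mode and a `Sensitive(...)` content wrapper in files.pp.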
diff --git a/templates/secrets_shuffle.ini.epp b/templates/secrets_shuffle.ini.epp
index 96d329ffed8ef22ff6ba2234f43cc1267a4358e4..d86093d94915e3ab281d2e2cb51508aaa2a2207f 100644
--- a/templates/secrets_shuffle.ini.epp
+++ b/templates/secrets_shuffle.ini.epp
@@ -1,6 +1,7 @@
[vault]
# Vault parameters
-vault_token = <%= $geant_acme::files::vault_token.unwrap %>
+<% $token_hash = $geant_acme::files::vault_token.unwrap -%>
+vault_token = <%= $token_hash['puppet'] %>
vault_ssl = true
vault_host = <%= $geant_acme::files::vault_host %>
vault_port = 443
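Review bot: `$token_hash['puppet']` hard-codes the key for the shuffle tool's token, and when the hash has no `puppet` entry the line renders as `vault_token = ` with no error, leaving the tool to fail later against Vault with an empty token. Guard the lookup before the line, e.g. `<% unless 'puppet' in $token_hash { fail('vault_token hash needs a puppet entry') } -%>`, and document on the `$vault_token` class parameter that the hash is keyed by unit name plus the reserved `puppet` key. Whether a real unit could be named `puppet` is a question for the data layout rather than this template.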