diff --git a/files/geant_acme.py b/files/geant_acme.py index f2aedb817d96669fad26223b02770a81988bdaae..5e793e37765ba59c6e87b0f14245ca84ec13f5ba 100755 --- a/files/geant_acme.py +++ b/files/geant_acme.py @@ -12,6 +12,7 @@ Options: -c CLIENT --client=CLIENT Client -d DOMAIN --domain=DOMAIN Domain -p PROVIDER --provider=PROVIDER Provider + -u UNIT --unit=UNIT Unit, entity or team -w --wildcard Use wildcard -x --extra=EXTRA Supply extra parameters available from certbot documentation """ @@ -140,8 +141,12 @@ if __name__ == "__main__": ARGS = docopt(__doc__) DOMAIN = ARGS['--domain'] + UNIT = ARGS['--unit'] PROVIDER = ARGS['--provider'] - CLIENTS = ARGS['--client'] + if ARGS['--client']: + CLIENTS = ARGS['--client'] + else: + CLIENTS = DOMAIN[0] # client makes only sense with Puppet WILDCARD = ARGS['--wildcard'] EXTRA = ARGS['--extra'] LOG_FILE = '/var/log/acme_{}/geant_acme.log'.format(PROVIDER) @@ -192,12 +197,13 @@ if __name__ == "__main__": # if we are here, everything went fine and we can upload the certificates if WILDCARD: - UPLOADER = '/root/bin/geant_acme_uploader.py -d {} -p {} -w'.format(DOMAIN[0], PROVIDER) + UPLOADER = '/root/bin/geant_acme_uploader.py -u {} -d {} -p {} -w'.format( + UNIT, DOMAIN[0], PROVIDER) os.system(UPLOADER) else: for client in CLIENTS: - UPLOADER = '/root/bin/geant_acme_uploader.py -d {} -c {} -p {}'.format( - DOMAIN[0], client, PROVIDER) + UPLOADER = '/root/bin/geant_acme_uploader.py -u {} -d {} -c {} -p {}'.format( + UNIT, DOMAIN[0], client, PROVIDER) os.system(UPLOADER) os_exit() diff --git a/files/geant_acme_uploader.py b/files/geant_acme_uploader.py index 68048aa3bbdd732e6210c56cf136f9f1556c02dd..318b90903bcd0f0ee11d5a054df2bcbdd3372917 100755 --- a/files/geant_acme_uploader.py +++ b/files/geant_acme_uploader.py 
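Review bot: The fallback `CLIENTS = DOMAIN[0]` assigns a string, yet the loop `for client in CLIENTS:` further down the same file iterates it, so with `--client` omitted the uploader is launched once per character of the domain name instead of once for the domain (the `--client` branch keeps the list docopt returns, and `DOMAIN[0]` shows `DOMAIN` itself is a list). The fallback should be a one-element list: `CLIENTS = [DOMAIN[0]]  # no -c given: the domain itself is the only client`. The enclosing `if __name__ == "__main__":` block starts before the hunk and continues past it.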
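Review bot: The uploader is still launched through `os.system` with a hand-built shell string, and the new `-u {}` slot adds one more value (`UNIT`) that is interpolated unquoted next to `DOMAIN[0]`, `client` and `PROVIDER`; the values come from the Puppet-generated cron line, so this is not an external injection vector today, but any shell metacharacter in a unit or client name is interpreted by `/bin/sh`, and the return value of both `os.system` calls is discarded, so a failed upload is not distinguished from a successful one before `os_exit()`. Prefer an argument list with the exit status checked, e.g. `subprocess.run(['/root/bin/geant_acme_uploader.py', '-u', UNIT, '-d', DOMAIN[0], '-c', client, '-p', PROVIDER], check=True)` in the loop and the equivalent `-w` form in the wildcard branch (adding `import subprocess` at the top of the file if it is not already imported). What `os_exit()` reports is not visible here, so the "reported as success" part is inferred.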
@@ -11,6 +11,7 @@ Options: -h --help Show this screen -d DOMAIN --domain=DOMAIN Domain -c CLIENT --client=CLIENT Client + -u UNIT --unit=UNIT Unit, entity or team -p PROVIDER --provider=PROVIDER Provider -w --wildcard Wildcard """ @@ -131,6 +132,7 @@ if __name__ == "__main__": ARGS = docopt(__doc__) DOMAIN = ARGS['--domain'] + UNIT = ARGS['--unit'] PROVIDER = ARGS['--provider'] if ARGS['--wildcard']: CLIENT = ['common'] @@ -143,7 +145,7 @@ if __name__ == "__main__": CONFIG = configparser.RawConfigParser() CONFIG.read_file(open('/root/.geant_acme.ini')) REDIS_TOKEN = CONFIG.get('geant_acme', 'redis_token') - VAULT_TOKEN = CONFIG.get('geant_acme', 'vault_token') + VAULT_TOKEN = CONFIG.get('geant_acme', 'vault_token_{}'.format(UNIT)) REDIS_HOST = CONFIG.get('geant_acme', 'redis_host') VAULT_HOST = CONFIG.get('geant_acme', 'vault_host') BASEDIR = '/etc/{}/live'.format(PROVIDER) 
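Review bot: `CONFIG.get('geant_acme', 'vault_token_{}'.format(UNIT))` has no fallback, so an invocation without `-u` (docopt leaves `UNIT` as `None`) asks for the key `vault_token_None` and configparser raises `NoOptionError` before anything is uploaded; the plain `vault_token` key that used to serve that case is removed from the ini template in the same commit, and the `letsencrypt` server in init.pp appears to be declared without a unit. Make the requirement explicit right after the option is read, e.g. `if not UNIT: raise SystemExit('--unit is required: it selects the Vault token')`, so the failure names the cause instead of a missing ini key. The enclosing `if __name__ == "__main__":` block starts before and continues beyond the hunk.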
@@ -181,22 +183,22 @@ if __name__ == "__main__": domain_underscored = DOMAIN.replace('.', '_') certname_renamed = certname.replace( 'cert.pem', 'pem').replace('.', '_') - redis_full_path = '{}:redis_{}{}_{}'.format( - CLIENT_ITEM, PROVIDER_PREFIX, domain_underscored, certname_renamed) - certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path) + REDIS_FULL_PATH = '{}:{}:redis_{}{}_{}'.format( + UNIT, CLIENT_ITEM, PROVIDER_PREFIX, domain_underscored, certname_renamed) + certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, REDIS_FULL_PATH) if certdata_local != certdata_upstream: - print('uploading to Redis: {}'.format(redis_full_path)) - redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_local) + print('uploading to Redis: {}'.format(REDIS_FULL_PATH)) + redis_upload(REDIS_HOST, REDIS_TOKEN, REDIS_FULL_PATH, certdata_local) else: - print('redis key {} did not change: skipping'.format(redis_full_path)) + print('redis key {} did not change: skipping'.format(REDIS_FULL_PATH)) # upload key to Vault with open(KEYPATH, 'r') as keyfile: KEYDATA_LOCAL = keyfile.read() DOMAIN_UNDERSCORED = DOMAIN.replace('.', '_') - VAULT_FULL_PATH = 'puppet/{}/vault_{}{}{}_key'.format( - CLIENT_ITEM, PROVIDER_PREFIX, WILDCARD, DOMAIN_UNDERSCORED) + VAULT_FULL_PATH = '{}/{}/vault_{}{}{}_key'.format( + UNIT, CLIENT_ITEM, PROVIDER_PREFIX, WILDCARD, DOMAIN_UNDERSCORED) KEYDATA_UPSTREAM = vault_dowload(VAULT_HOST, VAULT_TOKEN, VAULT_FULL_PATH) if KEYDATA_LOCAL != KEYDATA_UPSTREAM: diff --git a/manifests/files.pp b/manifests/files.pp index 007c8b005b7ac6d71225539803b584b6f7ffc4bb..5ff28149f5b7b060746d5223880b2c0a735b2037 100644 --- a/manifests/files.pp +++ b/manifests/files.pp @@ -3,6 +3,7 @@ class geant_acme::files ( Sensitive $vault_token, Sensitive $puppet_token, + $team_name, $wildcard_domain, $redis_host, $vault_host, 
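Review bot: `UNIT` is spliced verbatim into both the Redis key (`'{}:{}:redis_…'`) and the Vault path (`'{}/{}/vault_…'`) with no character check, and the same value already selects the token through `vault_token_<UNIT>` a few lines earlier, so a unit containing `/` or `:` silently lands the key under a different namespace than the operator intended. Because the value only arrives from Puppet-managed cron lines this is a robustness rather than an exposure issue, but a one-line guard after `UNIT = ARGS['--unit']` such as `if not re.fullmatch(r'[A-Za-z0-9_-]+', UNIT or ''): raise SystemExit('invalid --unit')` keeps the namespace well-formed (`import re` is needed if the file does not already import it). Replacing the fixed `puppet/` Vault prefix with `<UNIT>/` also means keys previously written under `puppet/` are neither read nor updated any more; no migration is visible in the diff, so that should be confirmed. The `if KEYDATA_LOCAL != KEYDATA_UPSTREAM:` block continues past the end of the hunk.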
@@ -96,7 +97,8 @@ class geant_acme::files ( target => '/root/bin/infoblox_hook.py'; '/root/.geant_acme.ini': mode => '0640', - content => Sensitive(epp("${module_name}/geant_acme.ini.epp")); + content => epp("${module_name}/geant_acme.ini.epp"); + #content => Sensitive(epp("${module_name}/geant_acme.ini.epp")); '/root/.secrets_shuffle.ini': mode => '0640', content => Sensitive(epp("${module_name}/secrets_shuffle.ini.epp")); diff --git a/manifests/init.pp b/manifests/init.pp index 5d0baf06433bba464bdf3f569a07f07c970fc32b..d82c9bcea8e65f1fe198833ab80e697afa3f7c0f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -47,8 +47,13 @@ class geant_acme ( include geant_acme::nginx include geant_acme::firewall + $ev_units = keys($sg_certificates_ev) + $ov_units = keys($sg_certificates_ov) + $units = unique($ev_units + $ov_units) + class { 'geant_acme::files': + team_name => $units, vault_token => Sensitive($vault_token), puppet_token => Sensitive($puppet_token), iblox_password => Sensitive($iblox_password), @@ -79,15 +84,25 @@ class geant_acme ( geant_acme::wildcard { ['letsencrypt', 'sectigo_ov']: check_days => $check_days; } } - geant_acme::server { - default: - check_days => $check_days; - 'letsencrypt': - certificates => $le_certificates; - 'sectigo_ov': - certificates => $sg_certificates_ov; - 'sectigo_ev': - certificates => $sg_certificates_ev; + $ev_units.each | $evunit | { + geant_acme::server { 'sectigo_ev': + check_days => $check_days, + team_name => $evunit, + certificates => $sg_certificates_ev[$evunit]; + } + } + + $ov_units.each | $ovunit | { + geant_acme::server { 'sectigo_ov': + check_days => $check_days, + team_name => $ovunit, + certificates => $sg_certificates_ov[$ovunit]; + } + } + + geant_acme::server { 'letsencrypt': + check_days => $check_days, + certificates => $le_certificates; } } diff --git a/manifests/server.pp b/manifests/server.pp index 50a2b434b1d8c7718056f4ea4abfcdac5c22c349..9e7672ab1f8ebe2fe7eae3afd6cd91937b81d641 100644 
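Review bot: Dropping the `Sensitive(...)` wrapper around the `/root/.geant_acme.ini` content makes Puppet treat the rendered template as ordinary data, and that template carries `redis_token` (the unwrapped `puppet_token`) and every `vault_token_<team>`, so the secrets can now show up in `show_diff` output, agent logs and reports whenever the file changes, while the sibling `/root/.secrets_shuffle.ini` two lines below keeps its wrapper. If the wrapper was removed because the template now unwraps a Hash-valued Sensitive, that is handled inside the template and does not require the resource content to be plain: restore `content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));` and delete the commented-out line rather than leaving dead code next to it. The reason for the removal is not stated in the diff, so the motivation is inferred.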
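Review bot: Both `each` loops declare `geant_acme::server { 'sectigo_ev': … }` and `geant_acme::server { 'sectigo_ov': … }` with the same fixed title on every iteration, so as soon as `$sg_certificates_ev` or `$sg_certificates_ov` has more than one unit key the catalog fails with a duplicate declaration; the title doubles as `$provider` (`$provider = $name` in server.pp), which is presumably why it was kept constant. Give each instance a unique title and pass the provider explicitly, as below; note also that the `'letsencrypt'` instance is declared without `team_name`, so it inherits `undef` and the `-u` option is emitted with an empty value (see the server.pp hunk).

```puppet
$ev_units.each | $evunit | {
  geant_acme::server { "sectigo_ev_${evunit}":
    provider     => 'sectigo_ev',
    check_days   => $check_days,
    team_name    => $evunit,
    certificates => $sg_certificates_ev[$evunit];
  }
}

$ov_units.each | $ovunit | {
  geant_acme::server { "sectigo_ov_${ovunit}":
    provider     => 'sectigo_ov',
    check_days   => $check_days,
    team_name    => $ovunit,
    certificates => $sg_certificates_ov[$ovunit];
  }
}
# … unchanged: letsencrypt server declaration …
```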
--- a/manifests/server.pp +++ b/manifests/server.pp @@ -18,6 +18,7 @@ define geant_acme::server ( $certificates, $check_days, + $team_name = undef, $provider = $name, ) { @@ -26,8 +27,12 @@ define geant_acme::server ( $certificates_list.each | String $certificate | { # join multiple clients as following: 'test-nas01.geant.org -c test-jump01.geant.org' - $certificates_clients = join($certificates[$certificate]['clients'], ' -c ') - + if $certificates[$certificate]['clients'] { + $certificates_clients = join($certificates[$certificate]['clients'], ' -c ') + $_clients = "-c ${certificates_clients}" + } else { + $_clients = '' + } # if there is multi_domain join them as following: 'cert_2.geant.org -d cert_3.geant.org' if $certificates[$certificate]['multi_domain'] { $concat_cert_list = concat([$certificate], $certificates[$certificate]['multi_domain']) @@ -39,14 +44,14 @@ define geant_acme::server ( # if verbose is enabled append ' - v' if 'verbose' in $certificates[$certificate] { - $cmd = "${certificates_clients} -v" + $clients = "${_clients} -v" } else { - $cmd = $certificates_clients + $clients = $_clients } # 86400 = 1 day $cmd_prefix = "/bin/check-ssl-cert.rb -c ${check_days} -w ${check_days} -P /etc/${provider}/live/${certificate}/fullchain.pem" - $cmd_suffix = "/root/bin/geant_acme.py -p ${provider} -d ${cert_list} -c ${cmd}" + $cmd_suffix = "/root/bin/geant_acme.py -p ${provider} -u ${team_name} -d ${cert_list} ${clients}" cron { $certificate: ensure => present, diff --git a/templates/geant_acme.ini.epp b/templates/geant_acme.ini.epp index 269a9e056f992502bb2584831da739a41535d87a..8bed83d157176b791f2c6e62d8494ffe3f9af4e5 100644 --- a/templates/geant_acme.ini.epp +++ b/templates/geant_acme.ini.epp 
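Review bot: `-u ${team_name}` is interpolated unconditionally into `$cmd_suffix`, but `$team_name` defaults to `undef` (hunk above) and the `letsencrypt` instance in init.pp passes none, so that cron line becomes `geant_acme.py -p letsencrypt -u  -d …`; docopt will then most likely swallow `-d` as the unit value and reject the rest, and even if it did not, the uploader would look up `vault_token_None`. Emit the option only when a unit is set, e.g. `$_unit = $team_name ? { undef => '', default => "-u ${team_name}" }` and `$cmd_suffix = "/root/bin/geant_acme.py -p ${provider} ${_unit} -d ${cert_list} ${clients}"`, or make the parameter mandatory (`String $team_name`) if every provider is now expected to carry one. The `define geant_acme::server` body starts before the hunk and the `cron` resource continues past it.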
@@ -8,9 +8,13 @@ redis_token = <%= $geant_acme::files::puppet_token.unwrap %> redis_host = <%= $geant_acme::files::redis_host %> # Vault parameters -vault_token = <%= $geant_acme::files::vault_token.unwrap %> vault_host = <%= $geant_acme::files::vault_host %> # PuppetDB parameters puppetdb_host = <%= $geant_acme::files::puppetdb_host %> puppetdb_port = <%= $geant_acme::files::puppetdb_port %> + +# Vault tokens +<% $token_hash = $geant_acme::files::vault_token.unwrap -%> +<% $geant_acme::files::team_name.each |$team| { %>vault_token_<%= $team %> = <%= $token_hash[$team] %> +<% } -%> diff --git a/templates/secrets_shuffle.ini.epp b/templates/secrets_shuffle.ini.epp index 96d329ffed8ef22ff6ba2234f43cc1267a4358e4..d86093d94915e3ab281d2e2cb51508aaa2a2207f 100644 --- a/templates/secrets_shuffle.ini.epp +++ b/templates/secrets_shuffle.ini.epp @@ -1,6 +1,7 @@ [vault] # Vault parameters -vault_token = <%= $geant_acme::files::vault_token.unwrap %> +<% $token_hash = $geant_acme::files::vault_token.unwrap -%> +vault_token = <%= $token_hash['puppet'] %> vault_ssl = true vault_host = <%= $geant_acme::files::vault_host %> vault_port = 443
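Review bot: `<%= $token_hash[$team] %>` is rendered without checking that the key exists, so a unit present in the certificate hashes but missing from the `vault_token` hash produces `vault_token_<team> =` with an empty value and the uploader later runs against Vault with an empty token instead of the catalog failing; at the same time the unconditional `vault_token` line is gone while `redis_token` is still written in clear. Fail at compile time with a line such as `<% if $token_hash[$team] == undef { fail("geant_acme: no vault token configured for unit ${team}") } -%>` placed before the assignment, and document in the class parameter docs that `vault_token` is now a Hash keyed by unit name (plus the `puppet` entry used by secrets_shuffle.ini.epp), since the parameter name no longer conveys that.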
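Review bot: `$token_hash['puppet']` silently renders an empty `vault_token =` when the hash has no `puppet` entry, so the shuffle job would start with an empty Vault token rather than the run failing early. Guard it with `<% if $token_hash['puppet'] == undef { fail('geant_acme: vault_token hash needs a puppet entry') } -%>` ahead of the assignment. That the hash must contain both unit names and a `puppet` key is only implied by this template and geant_acme.ini.epp; it belongs in the parameter documentation of the class.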