Commit 03927b0c authored by Bill MacAllister's avatar Bill MacAllister

base::syslog::tls: Restructure for puppet 3 compatibility

The tls_support.pp class used a dubious reference to a variable
defined in the tls resource definition.  This was used to install the
ca cert required for accessing the central syslog service.  The change
requires that the cert be explicitly declared in manifests that want to use the
base::syslog::tls resource to install rsyslog fragments.
parent 24613eaf
release/004.004 (2014-11-07)
[syslog::tls] Restructure code to support puppet 3's scoping
rules. The change required means that existing manifests that use
the base::syslog::tls resource will need to add the
base::syslog::tls_ca_cert resource.
release/004.003 (2014-11-06)
[puppetclient] Only put the database account credentials in
......
......@@ -31,6 +31,7 @@
# Simple Exmaple
# --------------
#
# base::syslog::tls_ca_cert: { $::fqdn: ensure => present }
# base::syslog::tls { '50-ldap-remote.conf':
# ensure => 'present',
# content => 's_idg_test/etc/rsyslog.d/50-ldap-tls.conf.erb'),
......@@ -48,12 +49,15 @@
# use_default => false,
# }
#
# base::syslog::tls_ca_cert: { $::fqdn:
# syslog_server => 'logsink-dev.stanford.edu',
# ensure => present
# }
# base::syslog::tls { '50-ldap-tls.conf':
# ensure => 'present',
# syslog_server => 'logsink-dev.stanford.edu',
# content => 's_idg_test/etc/rsyslog.d/50-ldap-tls.conf.erb',
# }
#
# base::syslog::tls { '95-default-tls.conf':
# ensure => 'present',
# syslog_server => 'logsink-dev.stanford.edu',
......@@ -70,7 +74,7 @@ define base::syslog::tls(
$install_cert = true
) {
include syslog::tls_support
include base::syslog::tls_support
$realname = "/etc/rsyslog.d/$name"
$basetmpl = "base/syslog/etc/rsyslog.d/${name}.erb"
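Review bot: The parameter `$install_cert = true` at the top of the last hunk is still declared although this commit moves the CA certificate install out of base::syslog::tls_support into the separate base::syslog::tls_ca_cert define, so its default now suggests a certificate install that this define may no longer perform. The body of base::syslog::tls continues outside the hunk, so whether the parameter is still read cannot be seen here; if it is not, mark it deprecated with a comment such as `# $install_cert is ignored; declare base::syslog::tls_ca_cert instead`. A manifest that omits the new resource would get rsyslog fragments pointing at a CA file that nothing manages, so TLS forwarding to the log server could fail, which is worth stating in the header comment. The header examples also write `base::syslog::tls_ca_cert: { $::fqdn:` with a colon after the type name; `base::syslog::tls_ca_cert { $::fqdn: ensure => present }` is the valid resource syntax.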
......
# This is resource should be defined before the first use of
# base::tls. The certificate installed is referenced in the rsyslog
# fragments installed by base::tls.
#
# Example:
#
# base::syslog::tls_ca_cert{ $::fqdn: ensure => present }
define base::syslog::tls_ca_cert(
$syslog_server = 'logsink.stanford.edu',
$ensure = 'present'
) {
case $ensure {
'present': {
# Install the CA certificate for the syslog server
$ca_cert_file = "${syslog_server}.ca.pem"
$ca_cert_path = "/etc/ssl/certs/$ca_cert_file"
file { $ca_cert_path:
ensure => present,
source => "puppet:///modules/cert-files/${ca_cert_file}",
notify => Service['syslog'],
}
apache::cert::hash { $ca_cert_file:
ensure => present,
require => File[$ca_cert_path],
}
}
'absent': {
file { $ca_cert_file: ensure => absent }
}
}
}
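Review bot: In the `'absent'` branch, `file { $ca_cert_file: ensure => absent }` uses a variable that is only assigned inside the `'present'` branch, and even when set it holds the bare file name rather than the path under /etc/ssl/certs, so `ensure => absent` would not remove the CA certificate from the trust directory. Assign `$ca_cert_file` and `$ca_cert_path` before the `case`, remove `$ca_cert_path` in the absent branch, and add a `default` branch that fails on an unexpected `$ensure` value instead of silently doing nothing. The hash link created by `apache::cert::hash` is also left in place on removal; whether that define accepts `ensure => absent` is not visible on this page. `$ca_cert_path` also interpolates `$ca_cert_file` without braces, unlike the lines around it.

```puppet
  # Compute the names once so both branches manage the same file.
  $ca_cert_file = "${syslog_server}.ca.pem"
  $ca_cert_path = "/etc/ssl/certs/${ca_cert_file}"
  case $ensure {
    'present': {
      # … unchanged: file and apache::cert::hash resources …
    }
    'absent': {
      # Remove the trust anchor by its full path, not the bare file name.
      file { $ca_cert_path: ensure => absent }
    }
    default: {
      fail("base::syslog::tls_ca_cert: unknown ensure value '${ensure}'")
    }
  }
```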
# Packages and rsyslog fragments required for TLS/RELP support
# Packages and rsyslog fragments required for TLS/RELP support. This
# class is included from base::syslog::tls.
class base::syslog::tls_support {
......@@ -10,16 +11,4 @@ class base::syslog::tls_support {
ensure => present,
source => 'puppet:///modules/base/syslog/etc/rsyslog.d/05-modules-relp.conf';
}
# Install the CA certificate for the syslog server
$ca_cert_file = "/etc/ssl/certs/${syslog_server}.ca.pem"
file { $ca_cert_file:
ensure => present,
source => "puppet:///modules/cert-files/${syslog_server}.ca.pem",
notify => Service['syslog'],
}
apache::cert::hash { "${syslog_server}.ca.pem":
ensure => present,
require => File["/etc/ssl/certs/${syslog_server}.ca.pem"],
}
}