Add machine_cert profile for client certificates for quod

This creates the file the same way as the apps_lib profile does, except as a discrete profile. We then include it in role::quod_prod to enable client certificates with reverse proxies there.
mlibrary · Sep 4, 2024 · a6b8d5b · a6b8d5b
1 parent bc34f3e
commit a6b8d5b
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/manifests/profile/machine_cert.pp b/manifests/profile/machine_cert.pp
@@ -0,0 +1,35 @@
+# Copyright (c) 2024 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+
+# nebula::profile::machine_cert
+#
+# Manage a combined cert + key pem file to use as a client certificate.
+#
+# Take the puppet-issued certificate and combine into conventional Debian
+# directory (/etc/ssl/private), using machine name the filename base and .pem.
+#
+# @example
+#   include nebula::profile::machine_cert
+class nebula::profile::machine_cert () {
+  $certname = $trusted['certname'];
+  $client_cert = "/etc/ssl/private/${certname}.pem";
+
+  concat { $client_cert:
+    ensure => 'present',
+    mode   => '0600',
+    owner  => 'root',
+  }
+
+  concat::fragment { 'client cert':
+    target => $client_cert,
+    source => "/etc/puppetlabs/puppet/ssl/certs/${certname}.pem",
+    order  =>  1
+  }
+
+  concat::fragment { 'client key':
+    target => $client_cert,
+    source => "/etc/puppetlabs/puppet/ssl/private_keys/${certname}.pem",
+    order  =>  2
+  }
+}
diff --git a/manifests/role/app_host/quod_prod.pp b/manifests/role/app_host/quod_prod.pp
@@ -14,6 +14,7 @@
   include nebula::profile::afs
   include nebula::profile::users
   include nebula::profile::tsm
+  include nebula::profile::machine_cert
   include nebula::profile::quod::prod::perl
   include nebula::profile::quod::prod::haproxy
   include nebula::profile::networking::firewall::http