diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
index cbab68e2..2093ce26 100644
--- a/manifests/candlepin.pp
+++ b/manifests/candlepin.pp
@@ -8,8 +8,10 @@
 Stdlib::Absolutepath $ca_cert = $certs::candlepin_ca_cert,
 Stdlib::Absolutepath $ca_key = $certs::candlepin_ca_key,
 Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
+ Optional[String] $keystore_password = undef,
 Stdlib::Absolutepath $keystore = $certs::candlepin_keystore,
 String $keystore_password_file = 'keystore_password-file',
+ Optional[String] $truststore_password = undef,
 Stdlib::Absolutepath $truststore = $certs::candlepin_truststore,
 String $truststore_password_file = 'truststore_password-file',
 String[2,2] $country = $certs::country,
@@ -67,8 +69,20 @@
 build_dir => $certs::ssl_build_dir,
 }
- $keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
- $truststore_password = extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
+ # Generate and cache the password on the master once
+ # In multi-puppetmaster setups, the user should specify their own
+ if $keystore_password {
+ $final_keystore_password = $keystore_password
+ } else {
+ $final_keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
+ }
+
+ if $truststore_password {
+ $final_truststore_password = $truststore_password
+ } else {
+ $final_truststore_password = extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
+ }
+
 $keystore_password_path = "${pki_dir}/${keystore_password_file}"
 $truststore_password_path = "${pki_dir}/${truststore_password_file}"
 $client_key = $certs::foreman::client_key
@@ -109,7 +123,7 @@
 file { $keystore_password_path:
 ensure => file,
- content => $keystore_password,
+ content => $final_keystore_password,
 owner => 'root',
 group => $group,
 mode => '0440',
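Review bot: `Optional[String]` on the new `$keystore_password` and `$truststore_password` parameters puts no floor on the password, so a one-character value, or even `''` (which Puppet 4+ treats as truthy, so the later `if $keystore_password` branch would take it), replaces the 32-character random password the class used to generate. init.pp in the same commit types the CA key password as `String[10]`; the matching declarations here would be `Optional[String[10]] $keystore_password = undef,` and `Optional[String[10]] $truststore_password = undef,`. The two parameters also get no doc entry; the class header comment, if there is one, lies outside the hunk, and a line like `# $keystore_password:: Password for the candlepin keystore; set it explicitly when more than one master compiles this class` (plus its truststore twin) would match the init.pp documentation style. The parameter list continues outside the hunk on both sides.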
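Review bot: The keystore password reaches the `file` resource as a plain string in `content => $final_keystore_password`, so a value the operator chose (and may reuse elsewhere) travels in the compiled catalog and, with `show_diff` enabled, is printed in the agent's diff output whenever the file changes; the generated random value had the same exposure, but it was single-purpose. If the module's minimum Puppet version is 4.6 or later, `content => Sensitive($final_keystore_password)` redacts it from logs and diffs without changing what is written; the same applies to the truststore resource in the following hunk. The `file` resource continues past the end of the hunk.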
@@ -134,7 +148,7 @@
 file { $truststore_password_path:
 ensure => file,
- content => $truststore_password,
+ content => $final_truststore_password,
 owner => 'root',
 group => $group,
 mode => '0440',
diff --git a/manifests/init.pp b/manifests/init.pp
index 372dff1f..19f24be9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -39,6 +39,8 @@
 # $deploy:: Deploy the certs on the configured system. False means
 # we want to apply it to a different system
 # +# $ca_key_password:: Optional string to use for the CA key password # +# # $ca_common_name:: Common name for the generated CA certificate
 #
 # $country:: Country attribute for managed certificates
@@ -73,6 +75,7 @@
 Boolean $generate = true,
 Boolean $regenerate = false,
 Boolean $deploy = true,
+ String[10] $ca_key_password = $certs::params::ca_key_password,
 String $ca_common_name = $certs::params::ca_common_name,
 String[2,2] $country = 'US',
 String $state = 'North Carolina',
@@ -103,7 +106,6 @@
 $ca_key = "${pki_dir}/private/${default_ca_name}.key"
 $ca_cert = "${pki_dir}/certs/${default_ca_name}.crt"
 $ca_cert_stripped = "${pki_dir}/certs/${default_ca_name}-stripped.crt"
- $ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
 $ca_key_password_file = "${ssl_build_dir}/${default_ca_name}.pwd"
 $katello_server_ca_cert = "${pki_dir}/certs/${server_ca_name}.crt"
diff --git a/manifests/params.pp b/manifests/params.pp
index 47719083..fb16697d 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -19,4 +19,8 @@
 $candlepin_ca_key = "${candlepin_certs_dir}/candlepin-ca.key"
 $pulp_pki_dir = '/etc/pki/pulp'
+
+ # Generate and cache the password on the master once
+ # In multi-puppetmaster setups, the user should specify their own
+ $ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
 }
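Review bot: The new doc entry describes `$ca_key_password` as an "Optional string", but the parameter this commit adds further down in init.pp is typed `String[10]` with a generated default, so it is neither optional in the type sense nor free in length, and the 10-character minimum is undocumented. I would make the entry two lines: `# $ca_key_password:: Password for the CA private key (at least 10 characters).` followed by `#                    Defaults to a random value cached on this master; with several masters, set the same value on all of them.` The comment block continues outside the hunk.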
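Review bot: `extlib::cache_data(...)` in `certs::params` now runs whenever the class is evaluated, including when the operator sets `certs::ca_key_password` explicitly, so a 24-character random secret is still generated and written under the master's cache directory even though nothing consumes it. That does not affect correctness, but it leaves an unused plaintext secret on disk on every master, and the comment "cache the password on the master once" no longer matches what the line does in the override case. If that matters, the default could stay `undef` in `certs` and fall back to the cache only when unset, as candlepin.pp in this same commit does with `if $keystore_password { ... } else { extlib::cache_data(...) }`. I cannot see from the hunk how the cache directory is permissioned; that is worth confirming since the value it holds is the CA key passphrase.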