From 63016bb3a6b7266c022f7d7e2398a0360d476fd5 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Wed, 25 Sep 2019 14:20:25 +0200
Subject: [PATCH] Move bacula::bacula_ssl_{server,client}_{cert,key} to hiera

---
 modules/bacula/manifests/client.pp | 2 +-
 modules/bacula/manifests/director/client.pp | 4 ---
 .../manifests/director/client_from_storage.pp | 4 ---
 modules/bacula/manifests/init.pp | 29 +++++++++----------
 modules/bacula/manifests/storage.pp | 2 +-
 modules/bacula/templates/bacula-dir.conf.erb | 5 ++--
 modules/bacula/templates/bacula-fd.conf.erb | 5 ++--
 modules/bacula/templates/bacula-sd.conf.erb | 5 ++--
 modules/bacula/templates/bconsole.conf.erb | 5 ++--
 .../templates/client/fd-per-director.conf.erb | 5 ++--
 .../director/dir-per-client-from-storage.erb | 5 ++--
 .../templates/director/dir-per-client.erb | 5 ++--
 .../storage/sd-per-director.conf.erb | 5 ++--
 13 files changed, 32 insertions(+), 49 deletions(-)

diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp
index 6e9988cc5..75bae98c3 100644
--- a/modules/bacula/manifests/client.pp
+++ b/modules/bacula/manifests/client.pp
@@ -111,7 +111,7 @@ class bacula::client(
 path => '/usr/bin:/usr/sbin:/bin:/sbin',
 command => "sh -c 'setsid /usr/local/sbin/bacula-idle-restart ${port_fd} bacula-fd &'",
 refreshonly => true,
- subscribe => [ File[$bacula::bacula_ssl_server_cert], File[$bacula::bacula_ssl_client_cert] ],
+ subscribe => [ File[$bacula::ssl_server_cert], File[$bacula::ssl_client_cert] ],
 require => [ File['/usr/local/sbin/bacula-idle-restart'], File['/etc/bacula/fd-conf.d/empty.conf'] ],
 }
 
diff --git a/modules/bacula/manifests/director/client.pp b/modules/bacula/manifests/director/client.pp
index fecbe41d3..0d356a662 100644
--- a/modules/bacula/manifests/director/client.pp
+++ b/modules/bacula/manifests/director/client.pp
@@ -18,10 +18,6 @@ define bacula::director::client (
 ) {
 include bacula::director
 
- $bacula_ssl_ca_path = $bacula::bacula_ssl_ca_path
- $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert
- $bacula_ssl_client_key = $bacula::bacula_ssl_client_key
-
 # we define this in both bacula::director::client_from_storage and
 # bacula::director::client and it needs to match.
 $pool_name = "${bacula::director::pool_name}-${client}"
diff --git a/modules/bacula/manifests/director/client_from_storage.pp b/modules/bacula/manifests/director/client_from_storage.pp
index ac77de942..7b4cb11b8 100644
--- a/modules/bacula/manifests/director/client_from_storage.pp
+++ b/modules/bacula/manifests/director/client_from_storage.pp
@@ -26,10 +26,6 @@ define bacula::director::client_from_storage (
 ) {
 include bacula::director
 
- $bacula_ssl_ca_path = $bacula::bacula_ssl_ca_path
- $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert
- $bacula_ssl_client_key = $bacula::bacula_ssl_client_key
-
 # For historical reasons, we use the same string for
 # director-internal storage name as we do for mediate
 # type names. If we ever blow away the catalog and start
diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index d82255904..1b88a49ce 100644
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
@@ -1,19 +1,21 @@
 # bacula class -- defines all the variables we care about in our bacula deployment
 #
 # @param operator_email email address for reports
-# @param do_ssl use TLS between systems
 # @param ssl_ca_path full path and filename specifying a PEM encoded TLS CA certificate(s)
+# @param ssl_client_cert path to TLS client certificate
+# @param ssl_client_key path to TLS client certificate key
+# @param ssl_server_cert path to TLS server certificate
+# @param ssl_server_key path to TLS server certificate key
 # @param public_addresses this host's public IP addresses. The ones it connects out from and is reachable from outsite.
 # @param has_ipv4 daemons should listen on ipv4
 # @param has_ipv6 daemons should listen on ipv6
 class bacula (
 String $operator_email = 'root@localhost',
- Boolean $do_ssl = true,
- Optional[String] $ssl_ca_path,
- String $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt',
- String $bacula_ssl_client_key = '/etc/ssl/private/thishost.key',
- String $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt',
- String $bacula_ssl_server_key = '/etc/ssl/private/thishost-server.key',
+ String $ssl_ca_path,
+ String $ssl_client_cert,
+ String $ssl_client_key,
+ String $ssl_server_cert,
+ String $ssl_server_key,
 Array[Stdlib::IP::Address] $public_addresses = $base::public_addresses,
@@ -24,14 +26,11 @@ class bacula (
 $bacula_dsa_client_list = '/etc/bacula/dsa-clients'
 $tag_bacula_dsa_client_list = 'bacula::dsa::clientlist'
 
- if $do_ssl {
- if !$ssl_ca_path { fail('Need ssl_ca_path with do_ssl') }
-
- $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
- } else {
- $bacula_tls_ca_certificate_file = ''
- }
-
+ $bacula_tls_ca_certificate_file = "TLS CA Certificate File = \"${ssl_ca_path}\""
+ $bacula_tls_client_certificate = "TLS Certificate = \"${ssl_client_cert}\""
+ $bacula_tls_client_key = "TLS Key = \"${ssl_client_key}\""
+ $bacula_tls_server_certificate = "TLS Certificate = \"${ssl_server_cert}\""
+ $bacula_tls_server_key = "TLS Key = \"${ssl_server_key}\""
 
 file { '/usr/local/sbin/bacula-idle-restart':
 mode => '0555',
diff --git a/modules/bacula/manifests/storage.pp b/modules/bacula/manifests/storage.pp
index 2e7a41784..4f63f4be0 100644
--- a/modules/bacula/manifests/storage.pp
+++ b/modules/bacula/manifests/storage.pp
@@ -38,7 +38,7 @@ class bacula::storage (
 path => '/usr/bin:/usr/sbin:/bin:/sbin',
 command => "sh -c 'setsid /usr/local/sbin/bacula-idle-restart ${port_sd} bacula-sd &'",
 refreshonly => true,
- subscribe => File[$bacula::bacula_ssl_server_cert],
+ subscribe => File[$bacula::ssl_server_cert],
 require => File['/usr/local/sbin/bacula-idle-restart'],
 }
 
diff --git a/modules/bacula/templates/bacula-dir.conf.erb b/modules/bacula/templates/bacula-dir.conf.erb
index 8ad48d5a1..e481622d1 100644
--- a/modules/bacula/templates/bacula-dir.conf.erb
+++ b/modules/bacula/templates/bacula-dir.conf.erb
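Review bot: The five `TLS … = \"${…}\"` strings built here splice hiera-supplied paths into quoted Bacula directives that every daemon template then emits through `scope[...]`, yet the matching parameters in the first hunk of this file are declared as bare `String` with no default, so an empty value or one containing `"` or a newline compiles cleanly and only surfaces as a malformed directive when bacula-dir, bacula-fd or bacula-sd next start; the removed `fail('Need ssl_ca_path with do_ssl')` at least rejected an unset CA path. Since the class already uses `Stdlib::IP::Address`, declaring the paths as `Stdlib::Absolutepath $ssl_ca_path,` (and likewise for `$ssl_client_cert`, `$ssl_client_key`, `$ssl_server_cert` and `$ssl_server_key`) moves that failure to catalog compilation. Dropping the `do_ssl` switch is a behaviour change the commit message does not mention and deserves a sentence in the description. The body of `class bacula (` continues outside this hunk.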
@@ -29,9 +29,8 @@ Director {
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
 <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a server certificate, used for incoming console connections.
- TLS Certificate = "<%= @bacula_ssl_server_cert %>"
- TLS Key = "<%= @bacula_ssl_server_key %>"
+ <%= scope['bacula::bacula_tls_server_certificate'] %>
+ <%= scope['bacula::bacula_tls_server_key'] %>
 Heartbeat Interval = 60
 }
 
diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb
index 14d996449..6f930d569 100644
--- a/modules/bacula/templates/bacula-fd.conf.erb
+++ b/modules/bacula/templates/bacula-fd.conf.erb
@@ -38,9 +38,8 @@ FileDaemon {
 TLS Enable = yes
 TLS Require = yes
 <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a client certificate, used by the client to connect to the storage daemon
- TLS Certificate = "<%= @bacula_ssl_client_cert %>"
- TLS Key = "<%= @bacula_ssl_client_key %>"
+ <%= scope['bacula::bacula_tls_client_certificate'] %>
+ <%= scope['bacula::bacula_tls_client_key'] %>
 Heartbeat Interval = 60
 }
 
diff --git a/modules/bacula/templates/bacula-sd.conf.erb b/modules/bacula/templates/bacula-sd.conf.erb
index d232bd968..370c28150 100644
--- a/modules/bacula/templates/bacula-sd.conf.erb
+++ b/modules/bacula/templates/bacula-sd.conf.erb
@@ -35,9 +35,8 @@ Storage {
 TLS Require = yes
 TLS Verify Peer = yes
 <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a server certificate, used for incoming connections.
- TLS Certificate = "<%= @bacula_ssl_server_cert %>"
- TLS Key = "<%= @bacula_ssl_server_key %>"
+ <%= scope['bacula::bacula_tls_server_certificate'] %>
+ <%= scope['bacula::bacula_tls_server_key'] %>
 }
 
 @|"sh -c 'for f in /etc/bacula/storage-conf.d/*.conf ; do echo @${f} ; done'"
diff --git a/modules/bacula/templates/bconsole.conf.erb b/modules/bacula/templates/bconsole.conf.erb
index 49fbec68a..6f91306cf 100644
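Review bot: The three hunks on this line, together with the later ones in bconsole.conf.erb, client/fd-per-director.conf.erb, director/dir-per-client-from-storage.erb, director/dir-per-client.erb and storage/sd-per-director.conf.erb, drop the comment that named the certificate role of each stanza (e.g. `# This is a server certificate, used for incoming console connections.`) and replace the visible `TLS Certificate = "…"` line with an opaque `<%= scope['bacula::bacula_tls_server_certificate'] %>` lookup, so neither the template nor the rendered config tells a reader whether a server or a client identity is being presented without going back to init.pp. That distinction is easy to get wrong because the client and server lookups differ by a single word in the scope key. Keeping a one-line comment above each lookup, for instance `# Server certificate, presented on incoming console connections.` in this Director stanza, preserves the information at no cost, since `#` comments are already used in these templates. The `Director {` stanza's opening line lies outside the hunk.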
--- a/modules/bacula/templates/bconsole.conf.erb
+++ b/modules/bacula/templates/bconsole.conf.erb
@@ -16,7 +16,6 @@ Director {
 TLS Require = yes
 <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a client certificate, used for console connections to the director.
- TLS Certificate = "<%= @bacula_ssl_client_cert %>"
- TLS Key = "<%= @bacula_ssl_client_key %>"
+ <%= scope['bacula::bacula_tls_client_certificate'] %>
+ <%= scope['bacula::bacula_tls_client_key'] %>
 }
 
diff --git a/modules/bacula/templates/client/fd-per-director.conf.erb b/modules/bacula/templates/client/fd-per-director.conf.erb
index 2f8d46f53..7e8f8f963 100644
--- a/modules/bacula/templates/client/fd-per-director.conf.erb
+++ b/modules/bacula/templates/client/fd-per-director.conf.erb
@@ -14,9 +14,8 @@ Director {
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
 <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a server certificate, used for incoming director connections.
- TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
- TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
+ <%= scope['bacula::bacula_tls_server_certificate'] %>
+ <%= scope['bacula::bacula_tls_server_key'] %>
 }
 
 # Send all messages except skipped files back to Director
diff --git a/modules/bacula/templates/director/dir-per-client-from-storage.erb b/modules/bacula/templates/director/dir-per-client-from-storage.erb
index 7a5b4333e..70e87e43a 100644
--- a/modules/bacula/templates/director/dir-per-client-from-storage.erb
+++ b/modules/bacula/templates/director/dir-per-client-from-storage.erb
@@ -20,9 +20,8 @@ Storage {
 TLS Enable = yes
 TLS Require = yes
 <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a client certificate, used by the director to connect to the storage daemon
- TLS Certificate = "<%= @bacula_ssl_client_cert %>"
- TLS Key = "<%= @bacula_ssl_client_key %>"
+ <%= scope['bacula::bacula_tls_client_certificate'] %>
+ <%= scope['bacula::bacula_tls_client_key'] %>
 }
 
 ########################################################################
diff --git a/modules/bacula/templates/director/dir-per-client.erb b/modules/bacula/templates/director/dir-per-client.erb
index 5ee2d0eb4..23757a7c1 100644
--- a/modules/bacula/templates/director/dir-per-client.erb
+++ b/modules/bacula/templates/director/dir-per-client.erb
@@ -35,8 +35,7 @@ Client {
 TLS Enable = yes
 TLS Require = yes
 <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a client certificate, used by the director to connect to the client's file daemon
- TLS Certificate = "<%= @bacula_ssl_client_cert %>"
- TLS Key = "<%= @bacula_ssl_client_key %>"
+ <%= scope['bacula::bacula_tls_client_certificate'] %>
+ <%= scope['bacula::bacula_tls_client_key'] %>
 }
 
diff --git a/modules/bacula/templates/storage/sd-per-director.conf.erb b/modules/bacula/templates/storage/sd-per-director.conf.erb
index 5a38e9025..5b568698d 100644
--- a/modules/bacula/templates/storage/sd-per-director.conf.erb
+++ b/modules/bacula/templates/storage/sd-per-director.conf.erb
@@ -11,9 +11,8 @@ Director {
 TLS Verify Peer = yes
 TLS Allowed CN = "clientcerts/<%= @director_address %>"
 <%= scope['bacula::bacula_tls_ca_certificate_file'] %>
- # This is a server certificate, used for incoming director connections.
- TLS Certificate = "<%= scope['bacula::bacula_ssl_server_cert'] %>"
- TLS Key = "<%= scope['bacula::bacula_ssl_server_key'] %>"
+ <%= scope['bacula::bacula_tls_server_certificate'] %>
+ <%= scope['bacula::bacula_tls_server_key'] %>
 }
 
 # Send all messages to the Director,
-- 
2.20.1