datastore_keys.pp
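# @summary Generates and manages crypto keys for use with the StackStorm datastore
#
# When `manage_datastore_key` is true, the key file is rendered from the
# `st2/server/datastore_key.json.epp` template using the supplied key values.
# Otherwise the key is generated once with `st2-generate-symmetric-crypto-key`
# if the file does not exist yet. In both cases the key file is owned by
# st2:st2 with mode 0600 and `[keyvalue] encryption_key_path` in the st2
# config is pointed at it.
#
# @param conf_file
#   The path where st2 config is stored
# @param keys_dir
#   The directory where the datastore keys will be stored
# @param key_path
#   Path to the key file
# @param manage_datastore_key
#   If true, write the key file from the parameters below instead of
#   generating a new key on the node.
# @param datastore_hmac_size
#   Passed to the key file template as `datastore_hmac_size`.
#   Only used when `manage_datastore_key` is true.
# @param datastore_hmac_key
#   Passed to the key file template as `datastore_hmac_key` (secret).
#   Only used when `manage_datastore_key` is true.
# @param datastore_aes_key
#   Passed to the key file template as `datastore_aes_key` (secret).
#   Only used when `manage_datastore_key` is true.
# @param datastore_aes_mode
#   Passed to the key file template as `datastore_aes_mode`.
#   Only used when `manage_datastore_key` is true.
# @param datastore_aes_size
#   Passed to the key file template as `datastore_aes_size`.
#   Only used when `manage_datastore_key` is true.
#
# @example Basic Usage
#   include st2::server::datastore_keys
#
# @example Custom key path
#   class { 'st2::server::datastore_keys':
#     keys_dir => '/path/to/custom/keys',
#     key_path => '/path/to/custom/keys/datastore_key.json',
#   }
#
class st2::server::datastore_keys (
  $conf_file            = $st2::conf_file,
  $keys_dir             = $st2::datastore_keys_dir,
  $key_path             = $st2::datastore_key_path,
  $manage_datastore_key = $st2::manage_datastore_key,
  $datastore_hmac_size  = $st2::datastore_hmac_size,
  $datastore_hmac_key   = $st2::datastore_hmac_key,
  $datastore_aes_key    = $st2::datastore_aes_key,
  $datastore_aes_mode   = $st2::datastore_aes_mode,
  $datastore_aes_size   = $st2::datastore_aes_size,
) inherits st2 {
  ## Directory
  # For directories Puppet sets the search (x) bit wherever the read bit is
  # set, so '0600' is applied as 0700: only the st2 user can enter it.
  file { $keys_dir:
    ensure  => directory,
    owner   => 'st2',
    group   => 'st2',
    mode    => '0600',
    require => Package['st2'],
  }

  if $manage_datastore_key {
    ## Key supplied through class parameters
    file { $key_path:
      ensure    => file,
      path      => $key_path,
      content   => epp('st2/server/datastore_key.json.epp', {
        datastore_hmac_key  => $datastore_hmac_key,
        datastore_hmac_size => $datastore_hmac_size,
        datastore_aes_mode  => $datastore_aes_mode,
        datastore_aes_key   => $datastore_aes_key,
        datastore_aes_size  => $datastore_aes_size,
      }),
      owner     => 'st2',
      group     => 'st2',
      mode      => '0600',
      # The rendered content is key material. Without this, a content change
      # is printed as a diff in agent output and reports whenever diffs are
      # enabled (for example with `puppet agent --test`).
      show_diff => false,
      notify    => Service['st2api'],
      require   => Package['st2'],
    }
  } else {
    ## Generate
    # `creates` makes this a one-time operation: an existing key file is
    # never regenerated or overwritten.
    # NOTE(review): the exec has no `user`, so the key is created by the user
    # running the agent with whatever owner/mode the tool applies. The file
    # resource below corrects both. Until then the key is protected only by
    # the keys_dir permissions, and only if key_path is inside keys_dir.
    exec { "generate datastore key ${key_path}":
      command => "st2-generate-symmetric-crypto-key --key-path ${key_path}",
      creates => $key_path,
      path    => ['/opt/stackstorm/st2/bin'],
      notify  => Service['st2api'],
    }

    ## Permissions
    # No `content` here: the resource only enforces ownership and mode on the
    # generated key.
    file { $key_path:
      ensure  => file,
      owner   => 'st2',
      group   => 'st2',
      mode    => '0600',
      require => Package['st2'],
    }
  }

  ## Config
  # Point st2 at the key file via [keyvalue] encryption_key_path.
  ini_setting { 'keyvalue_encryption_key_path':
    ensure  => present,
    path    => $conf_file,
    section => 'keyvalue',
    setting => 'encryption_key_path',
    value   => $key_path,
    tag     => 'st2::config',
  }

  ## Ordering
  # The package comes first, then the directory, then the key itself. In the
  # generated case the exec must run before the file resource, so that
  # `ensure => file` does not create an empty key file and satisfy `creates`.
  if $manage_datastore_key {
    Package['st2']
    -> File[$keys_dir]
    -> File[$key_path]
  } else {
    Package['st2']
    -> File[$keys_dir]
    -> Exec["generate datastore key ${key_path}"]
    -> File[$key_path]
  }
}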