Merge pull request #495 from cultuurnet/feature/OPS-1248

willaerk · web-flow · commit e62ab8d92472 · 2025-01-31T09:37:21.000+01:00
Declare and trust Vault UI certificate
diff --git a/manifests/files.pp b/manifests/files.pp
@@ -52,4 +52,11 @@
     mode    => '0755',
     require => File['/etc/puppetlabs/facter']
   }
+
+  # Realize a list of 'default' files on all servers
+  realize File['/data']
+
+  realize File['/etc/puppetlabs']
+  realize File['/etc/puppetlabs/facter']
+  realize File['/etc/puppetlabs/facter/facts.d']
 }
diff --git a/manifests/glassfish/domain/heap.pp b/manifests/glassfish/domain/heap.pp
@@ -6,13 +6,16 @@
 
   include ::profiles
 
+  realize File['/etc/puppetlabs/facter/facts.d']
+
   $default_maximum_size         = '512m'
   $jvmoption_default_attributes = {
                                     user         => 'glassfish',
                                     passwordfile => '/home/glassfish/asadmin.pass',
                                     portbase     => String($portbase)
                                   }
 
+
   if $initial_size {
     jvmoption { "Domain ${title} initial heap jvmoption":
       ensure => 'present',
@@ -76,6 +79,7 @@
   file { "Domain ${title} heap external facts":
     ensure  => 'file',
     path    => "/etc/puppetlabs/facter/facts.d/glassfish.${title}.heap.yaml",
-    content => template('profiles/glassfish/domain/heap.yaml.erb')
+    content => template('profiles/glassfish/domain/heap.yaml.erb'),
+    require => File['/etc/puppetlabs/facter/facts.d']
   }
 }
diff --git a/manifests/mysql/rds.pp b/manifests/mysql/rds.pp
@@ -4,14 +4,17 @@
 
   $rds_mysqld_version = lookup('terraform::rds::mysqld_version', Optional[String], 'first', undef)
 
+  realize File['/etc/puppetlabs/facter/facts.d']
+
   if $rds_mysqld_version {
     file { 'mysqld_version_external_fact':
       ensure  => 'file',
       path    => '/etc/puppetlabs/facter/facts.d/mysqld_version.txt',
       owner   => 'root',
       group   => 'root',
       mode    => '0644',
-      content => "mysqld_version=${rds_mysqld_version}"
+      content => "mysqld_version=${rds_mysqld_version}",
+      require => File['/etc/puppetlabs/facter/facts.d']
     }
 
     profiles::mysql::root_my_cnf { $host:
diff --git a/manifests/packages.pp b/manifests/packages.pp
@@ -141,7 +141,7 @@
     require => Apt::Source['publiq-tools']
   }
 
-  # Realize a list of 'default' packages on all servers
+  # Realize a list of 'default' packages on all nodes
   realize Package['jq']
   realize Package['iftop']
 }
diff --git a/manifests/publiq/vault_ui.pp b/manifests/publiq/vault_ui.pp
@@ -0,0 +1,26 @@
+class profiles::publiq::vault_ui (
+  String $certname
+) inherits ::profiles {
+
+  realize File['/etc/puppetlabs/facter/facts.d']
+
+  puppet_certificate { $certname:
+    ensure               => 'present',
+    waitforcert          => 60,
+    renewal_grace_period => 5,
+    clean                => true
+  }
+
+  file { 'vault_ui_certificate_external_fact':
+    ensure  => 'file',
+    path    => '/etc/puppetlabs/facter/facts.d/vault_ui_certificate.txt',
+    content => 'vault_ui_certificate_available=true',
+    require => [File['/etc/puppetlabs/facter/facts.d'], Puppet_certificate[$certname]]
+  }
+
+  if $facts['vault_ui_certificate_available'] {
+    @@profiles::vault::trusted_certificate { $certname:
+      policies => ['puppet_certificate', 'ui_certificate']
+    }
+  }
+}
diff --git a/manifests/puppet/agent.pp b/manifests/puppet/agent.pp
@@ -10,9 +10,6 @@
                                     }
 
   realize Apt::Source['puppet']
-
-  realize File['/etc/puppetlabs']
-  realize File['/etc/puppetlabs/facter']
   realize File['/etc/puppetlabs/facter/facts.d']
 
   package { 'puppet-agent':
diff --git a/manifests/vault.pp b/manifests/vault.pp
@@ -108,16 +108,16 @@
     }
 
     if $auto_unseal {
-      class { 'profiles::vault::authentication':
-        require => Class['profiles::vault::seal']
-      }
-
       class { 'profiles::vault::secrets_engines':
         require => Class['profiles::vault::seal']
       }
 
       class { 'profiles::vault::policies':
-        require => [Class['profiles::vault::secrets_engines'], Class['profiles::vault::authentication']]
+        require => Class['profiles::vault::secrets_engines']
+      }
+
+      class { 'profiles::vault::authentication':
+        require => Class['profiles::vault::policies']
       }
     }
   }
diff --git a/manifests/vault/init.pp b/manifests/vault/init.pp
@@ -22,8 +22,6 @@
   realize Group['vault']
   realize User['vault']
   realize Package['jq']
-  realize File['/etc/puppetlabs']
-  realize File['/etc/puppetlabs/facter']
   realize File['/etc/puppetlabs/facter/facts.d']
 
   file { 'vault_gpg_keys':
@@ -99,13 +97,13 @@
     command   => "/usr/bin/cat /home/vault/vault_init_output.json | /usr/local/bin/vault-process-init-output \"${gpg_keys_owners}\" > /etc/puppetlabs/facter/facts.d/vault_encrypted_unseal_keys.json",
     creates   => '/etc/puppetlabs/facter/facts.d/vault_encrypted_unseal_keys.json',
     logoutput => 'on_failure',
-    require   => [Exec['vault_init'], Package['jq'], File['vault_process_init_output']]
+    require   => [Exec['vault_init'], Package['jq'], File['vault_process_init_output'], File['/etc/puppetlabs/facter/facts.d']]
   }
 
   file { 'vault_initialized_external_fact':
     ensure  => 'file',
     path    => '/etc/puppetlabs/facter/facts.d/vault_initialized.txt',
     content => 'vault_initialized=true',
-    require => Exec['vault_init']
+    require => [Exec['vault_init'], File['/etc/puppetlabs/facter/facts.d']]
   }
 }
diff --git a/manifests/vault/policies.pp b/manifests/vault/policies.pp
@@ -19,4 +19,10 @@
     policies_directory => $policies_directory,
     require            => File['vault_policies']
   }
+
+  profiles::vault::policy { 'ui_certificate':
+    policy             => 'path "puppet/*" { capabilities = ["create", "update", "patch", "delete", "list"] }',
+    policies_directory => $policies_directory,
+    require            => File['vault_policies']
+  }
 }
diff --git a/manifests/vault/trusted_certificate.pp b/manifests/vault/trusted_certificate.pp
@@ -1,10 +1,13 @@
 define profiles::vault::trusted_certificate (
-  String           $trusted_certs_directory = '/etc/vault.d/trusted_certs',
-  Optional[String] $certificate             = undef
+  String                         $trusted_certs_directory = '/etc/vault.d/trusted_certs',
+  Variant[String, Array[String]] $policies                = 'puppet_certificate',
+  Optional[String]               $certificate             = undef
 ) {
 
   include ::profiles
 
+  $policies_string = [$policies].flatten.join(',')
+
   realize Group['vault']
   realize User['vault']
 
@@ -21,7 +24,7 @@
   }
 
   exec { "vault_trust_cert ${title}":
-    command   => "/usr/bin/vault write auth/cert/certs/${title} display_name=${title} policies=puppet_certificate certificate=@${trusted_certs_directory}/${title}.pem",
+    command   => "/usr/bin/vault write auth/cert/certs/${title} display_name=${title} policies=${policies_string} certificate=@${trusted_certs_directory}/${title}.pem",
     user      => 'vault',
     unless    => "/usr/bin/vault read auth/cert/certs/${title}",
     logoutput => 'on_failure',
diff --git a/spec/classes/files_spec.rb b/spec/classes/files_spec.rb
@@ -69,6 +69,41 @@
         it { is_expected.to contain_file('/etc/puppetlabs/facter').that_requires('File[/etc/puppetlabs]') }
         it { is_expected.to contain_file('/etc/puppetlabs/facter/facts.d').that_requires('File[/etc/puppetlabs/facter]') }
       end
+
+      context "without file virtual resources realized" do
+        let(:pre_condition) { [
+          'Group <| |>',
+          'User <| |>'
+        ] }
+
+        it { is_expected.to contain_file('/data').with(
+          'ensure' => 'directory',
+          'owner'  => 'root',
+          'group'  => 'root',
+          'mode'   => '0755'
+        ) }
+
+        it { is_expected.to contain_file('/etc/puppetlabs').with(
+          'ensure' => 'directory',
+          'owner'  => 'root',
+          'group'  => 'root',
+          'mode'   => '0755'
+        ) }
+
+        it { is_expected.to contain_file('/etc/puppetlabs/facter').with(
+          'ensure' => 'directory',
+          'owner'  => 'root',
+          'group'  => 'root',
+          'mode'   => '0755'
+        ) }
+
+        it { is_expected.to contain_file('/etc/puppetlabs/facter/facts.d').with(
+          'ensure' => 'directory',
+          'owner'  => 'root',
+          'group'  => 'root',
+          'mode'   => '0755'
+        ) }
+      end
     end
   end
 end
diff --git a/spec/classes/mysql/rds_spec.rb b/spec/classes/mysql/rds_spec.rb
@@ -15,6 +15,8 @@
 
           it { is_expected.to compile.with_all_deps }
 
+          it { is_expected.to contain_file('/etc/puppetlabs/facter/facts.d') }
+
           it { is_expected.to contain_file('mysqld_version_external_fact').with(
             'ensure'  => 'file',
             'path'    => '/etc/puppetlabs/facter/facts.d/mysqld_version.txt',
@@ -28,6 +30,8 @@
             'database_user'     => 'admin',
             'database_password' => 'mypass'
           ) }
+
+          it { is_expected.to contain_file('mysqld_version_external_fact').that_requires('File[/etc/puppetlabs/facter/facts.d]') }
         end
 
         context "without hieradata" do
diff --git a/spec/classes/packages_spec.rb b/spec/classes/packages_spec.rb
@@ -131,6 +131,20 @@
         it { is_expected.to contain_package('google-cloud-cli').that_requires('Apt::Source[publiq-tools]') }
         it { is_expected.to contain_package('rubygem-angular-config').that_requires('Apt::Source[publiq-tools]') }
       end
+
+      context "without package virtual resources realized" do
+        let(:pre_condition) { [
+          'Apt::Source <| |>'
+        ] }
+
+        it { is_expected.to contain_package('jq').with(
+          'ensure' => 'present'
+        ) }
+
+        it { is_expected.to contain_package('iftop').with(
+          'ensure' => 'present'
+        ) }
+      end
     end
   end
 end
diff --git a/spec/classes/publiq/vault_ui_spec.rb b/spec/classes/publiq/vault_ui_spec.rb
@@ -0,0 +1,90 @@
+describe 'profiles::publiq::vault_ui' do
+  include_examples 'operating system support'
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) { facts }
+
+      context "with certname => vault.example.com" do
+        let(:params) { {
+          'certname' => 'vault.example.com'
+        } }
+
+        it { is_expected.to compile.with_all_deps }
+
+        it { is_expected.to contain_class('profiles::publiq::vault_ui').with(
+          'certname' => 'vault.example.com'
+        ) }
+
+        it { is_expected.to contain_file('/etc/puppetlabs/facter/facts.d') }
+
+        it { is_expected.to contain_puppet_certificate('vault.example.com').with(
+          'ensure'               => 'present',
+          'waitforcert'          => 60,
+          'renewal_grace_period' => 5,
+          'clean'                => true
+        ) }
+
+        it { is_expected.to contain_file('vault_ui_certificate_external_fact').with(
+          'ensure'  => 'file',
+          'path'    => '/etc/puppetlabs/facter/facts.d/vault_ui_certificate.txt',
+          'content' => 'vault_ui_certificate_available=true'
+        ) }
+
+        it { is_expected.to contain_file('vault_ui_certificate_external_fact').that_requires('File[/etc/puppetlabs/facter/facts.d]') }
+        it { is_expected.to contain_file('vault_ui_certificate_external_fact').that_requires('Puppet_certificate[vault.example.com]') }
+
+        context "without fact vault_ui_certificate_available" do
+          it { expect(exported_resources).not_to contain_profiles__vault__trusted_certificate('vault.example.com') }
+        end
+
+        context "with fact vault_ui_certificate_available" do
+          let(:facts) { facts.merge({ 'vault_ui_certificate_available' => true }) }
+
+          it { expect(exported_resources).to contain_profiles__vault__trusted_certificate('vault.example.com').with(
+            'policies' => ['puppet_certificate', 'ui_certificate']
+          ) }
+        end
+      end
+
+      context "with certname => foo.bar.local" do
+        let(:params) { {
+          'certname' => 'foo.bar.local'
+        } }
+
+        it { is_expected.to contain_puppet_certificate('foo.bar.local').with(
+          'ensure'               => 'present',
+          'waitforcert'          => 60,
+          'renewal_grace_period' => 5,
+          'clean'                => true
+        ) }
+
+        it { is_expected.to contain_file('vault_ui_certificate_external_fact').with(
+          'ensure'  => 'file',
+          'path'    => '/etc/puppetlabs/facter/facts.d/vault_ui_certificate.txt',
+          'content' => 'vault_ui_certificate_available=true'
+        ) }
+
+        it { is_expected.to contain_file('vault_ui_certificate_external_fact').that_requires('Puppet_certificate[foo.bar.local]') }
+
+        context "without fact vault_ui_certificate_available" do
+          it { expect(exported_resources).not_to contain_profiles__vault__trusted_certificate('foo.bar.local') }
+        end
+
+        context "with fact vault_ui_certificate_available" do
+          let(:facts) { facts.merge({ 'vault_ui_certificate_available' => true }) }
+
+          it { expect(exported_resources).to contain_profiles__vault__trusted_certificate('foo.bar.local').with(
+            'policies' => ['puppet_certificate', 'ui_certificate']
+          ) }
+        end
+      end
+
+      context "without parameters" do
+        let(:params) { { } }
+
+        it { expect { catalogue }.to raise_error(Puppet::ParseError, /expects a value for parameter 'certname'/) }
+      end
+    end
+  end
+end
diff --git a/spec/classes/puppet/agent_spec.rb b/spec/classes/puppet/agent_spec.rb
@@ -33,8 +33,6 @@
           'force'  => true
         ) }
 
-        it { is_expected.to contain_file('/etc/puppetlabs') }
-        it { is_expected.to contain_file('/etc/puppetlabs/facter') }
         it { is_expected.to contain_file('/etc/puppetlabs/facter/facts.d') }
 
         it { is_expected.to contain_service('puppet').with(
diff --git a/spec/classes/vault/init_spec.rb b/spec/classes/vault/init_spec.rb
@@ -21,8 +21,6 @@
         it { is_expected.to contain_group('vault') }
         it { is_expected.to contain_user('vault') }
         it { is_expected.to contain_package('jq') }
-        it { is_expected.to contain_file('/etc/puppetlabs') }
-        it { is_expected.to contain_file('/etc/puppetlabs/facter') }
         it { is_expected.to contain_file('/etc/puppetlabs/facter/facts.d') }
 
         it { is_expected.to contain_file('vault_gpg_keys').with(
@@ -89,7 +87,9 @@
         it { is_expected.to contain_exec('vault_auto_unseal_key').that_requires('Exec[vault_init]') }
         it { is_expected.to contain_exec('vault_unseal_keys_external_fact').that_requires('Exec[vault_init]') }
         it { is_expected.to contain_exec('vault_unseal_keys_external_fact').that_requires('Package[jq]') }
+        it { is_expected.to contain_exec('vault_unseal_keys_external_fact').that_requires('File[/etc/puppetlabs/facter/facts.d]') }
         it { is_expected.to contain_file('vault_initialized_external_fact').that_requires('Exec[vault_init]') }
+        it { is_expected.to contain_file('vault_initialized_external_fact').that_requires('File[/etc/puppetlabs/facter/facts.d]') }
       end
 
       context 'with auto_unseal => false and gpg_keys => { fingerprint => dcba6789, owner => baz, key => -----BEGIN PGP PUBLIC KEY BLOCK-----\nzyx987\n-----END PGP PUBLIC KEY BLOCK----- }' do
diff --git a/spec/classes/vault/policies_spec.rb b/spec/classes/vault/policies_spec.rb
diff --git a/spec/classes/vault_spec.rb b/spec/classes/vault_spec.rb
diff --git a/spec/defines/glassfish/domain/heap_spec.rb b/spec/defines/glassfish/domain/heap_spec.rb
diff --git a/spec/defines/vault/trusted_certificate_spec.rb b/spec/defines/vault/trusted_certificate_spec.rb

Original file line number	Diff line number	Diff line change
`@@ -52,4 +52,11 @@`
`52`	`52`	`mode => '0755',`
`53`	`53`	`require => File['/etc/puppetlabs/facter']`
`54`	`54`	`}`
	`55`	`+`
	`56`	`+ # Realize a list of 'default' files on all servers`
	`57`	`+ realize File['/data']`
	`58`	`+`
	`59`	`+ realize File['/etc/puppetlabs']`
	`60`	`+ realize File['/etc/puppetlabs/facter']`
	`61`	`+ realize File['/etc/puppetlabs/facter/facts.d']`
`55`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,7 @@`
`141`	`141`	`require => Apt::Source['publiq-tools']`
`142`	`142`	`}`
`143`	`143`
`144`		`- # Realize a list of 'default' packages on all servers`
	`144`	`+ # Realize a list of 'default' packages on all nodes`
`145`	`145`	`realize Package['jq']`
`146`	`146`	`realize Package['iftop']`
`147`	`147`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,9 +10,6 @@`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`realize Apt::Source['puppet']`
`13`		`-`
`14`		`- realize File['/etc/puppetlabs']`
`15`		`- realize File['/etc/puppetlabs/facter']`
`16`	`13`	`realize File['/etc/puppetlabs/facter/facts.d']`
`17`	`14`
`18`	`15`	`package { 'puppet-agent':`
Original file line number	Diff line number	Diff line change
`@@ -108,16 +108,16 @@`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`if $auto_unseal {`
`111`		`- class { 'profiles::vault::authentication':`
`112`		`- require => Class['profiles::vault::seal']`
`113`		`- }`
`114`		`-`
`115`	`111`	`class { 'profiles::vault::secrets_engines':`
`116`	`112`	`require => Class['profiles::vault::seal']`
`117`	`113`	`}`
`118`	`114`
`119`	`115`	`class { 'profiles::vault::policies':`
`120`		`- require => [Class['profiles::vault::secrets_engines'], Class['profiles::vault::authentication']]`
	`116`	`+ require => Class['profiles::vault::secrets_engines']`
	`117`	`+ }`
	`118`	`+`
	`119`	`+ class { 'profiles::vault::authentication':`
	`120`	`+ require => Class['profiles::vault::policies']`
`121`	`121`	`}`
`122`	`122`	`}`
`123`	`123`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,4 +19,10 @@`
`19`	`19`	`policies_directory => $policies_directory,`
`20`	`20`	`require => File['vault_policies']`
`21`	`21`	`}`
	`22`	`+`
	`23`	`+ profiles::vault::policy { 'ui_certificate':`
	`24`	`+ policy => 'path "puppet/*" { capabilities = ["create", "update", "patch", "delete", "list"] }',`
	`25`	`+ policies_directory => $policies_directory,`
	`26`	`+ require => File['vault_policies']`
	`27`	`+ }`
`22`	`28`	`}`