Fix templates for master/slave installation
This patch updates the service metadata with correct default
values for master/slave Dogtag CA and KRA installation.
Related-Prod: PROD-18561
Change-Id: I7d8f407617863dd96dec0abd9b9e639ba774ef52
diff --git a/dogtag/files/389-ds_setup.inf b/dogtag/files/389-ds_setup.inf
index be764f4..cd89295 100644
--- a/dogtag/files/389-ds_setup.inf
+++ b/dogtag/files/389-ds_setup.inf
@@ -3,9 +3,11 @@
FullMachineName = {{ server.ldap_hostname|default('localhost') }}
SuiteSpotUserID = dirsrv
SuiteSpotGroup = dirsrv
+ConfigDirectoryAdminID = {{ server.ldap_admin_id|default('admin') }}
+ConfigDirectoryAdminPwd = {{ server.ldap_admin_password }}
[slapd]
ServerPort = {{ server.ldap_server_port|default(389) }}
ServerIdentifier = pki-tomcat
Suffix = {{ server.ldap_dc|default('dc=example,dc=com') }}
RootDN = {{ server.ldap_dn|default('cn=Directory Manager') }}
-RootDNPwd = {{ server.ldap_dn_password|default('PASSWORD') }}
+RootDNPwd = {{ server.ldap_dn_password }}
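Review bot: With the `PASSWORD` default gone, `RootDNPwd = {{ server.ldap_dn_password }}` and the new `ConfigDirectoryAdminPwd = {{ server.ldap_admin_password }}` have no handling for a missing pillar key: depending on whether the minion renders with `allow_undefined`, the outcome is either an empty password written into the setup file or an opaque UndefinedError from the renderer. Since both values are mandatory now, fail deliberately and with a message, e.g. `{%- if server.ldap_dn_password is not defined %}{{ raise('dogtag:server:ldap_dn_password must be set') }}{%- endif %}` ahead of the `[slapd]` section, and the same for `ldap_admin_password`. This file now carries two cleartext credentials; the state that writes it under /etc/dogtag is outside this diff, so confirm it sets a root-only mode.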
diff --git a/dogtag/files/dogtag.cfg b/dogtag/files/dogtag.cfg
index db79a53..ea48430 100644
--- a/dogtag/files/dogtag.cfg
+++ b/dogtag/files/dogtag.cfg
@@ -1,8 +1,10 @@
{%- from "dogtag/map.jinja" import server with context -%}
+{%- if server.default_config_options is defined %}
[DEFAULT]
{%- for conf_opt_name, conf_opt_value in server.default_config_options.iteritems() %}
{{ conf_opt_name }} = {{ conf_opt_value }}
{%- endfor %}
+{%- endif %}
{%- if server.get('role', 'master') == 'slave' %}
pki_clone=True
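Review bot: The new guard only decides whether the loop runs; the loop it wraps still calls `server.default_config_options.iteritems()`, which exists only on Python 2 dicts, so on a Python 3 minion this template fails as soon as `default_config_options` is set and the guard merely hides that for the unset case. `.items()` behaves the same on both: `{%- for conf_opt_name, conf_opt_value in server.default_config_options.items() %}`. Since the map defaults for this key were removed in the same change, the `[DEFAULT]` header is now absent unless the pillar provides it, which presumably pkispawn's config parser tolerates — a one-line comment saying the section is optional would save the next reader that check.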
diff --git a/dogtag/map.jinja b/dogtag/map.jinja
index 7bdc0a2..8c58531 100644
--- a/dogtag/map.jinja
+++ b/dogtag/map.jinja
@@ -1,16 +1,5 @@
{%- load_yaml as server_defaults %}
default:
- default_config_options:
- pki_admin_password: PASSWORD
- pki_backup_password: PASSWORD
- pki_client_database_password: PASSWORD
- pki_client_pkcs12_password: PASSWORD
- pki_clone_pkcs12_password: PASSWORD
- pki_ds_password: PASSWORD
- pki_token_password: PASSWORD
- pki_security_domain_name: EXAMPLE
- pki_security_domain_password: PASSWORD
- pki_clone_pkcs12_path: /etc/dogtag/ca-certs.p12
subsystems:
KRA:
pkgs: [pki-ca, pki-kra]
diff --git a/dogtag/server.sls b/dogtag/server.sls
index a47b177..1f3746c 100644
--- a/dogtag/server.sls
+++ b/dogtag/server.sls
@@ -24,8 +24,9 @@
- require:
- pkg: dogtag_server_packages
-setup-ds --silent --file=/etc/dogtag/389-ds_setup.inf:
+dogtag_setup-ds:
cmd.run:
+ - name: 'setup-ds --silent --file=/etc/dogtag/389-ds_setup.inf'
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
@@ -34,18 +35,22 @@
- unless: ldapwhoami -x -p {{ server.ldap_server_port|default(389) }} -h {{ server.ldap_hostname|default('localhost') }} -w {{ server.ldap_dn_password }} -D '{{ server.ldap_dn|default('cn=Directory Manager') }}'
{%- if server.get('role', 'master') == 'slave' %}
-/etc/dogtag/ca-certs.p12:
+dogtag_ca-certs_decode:
file.decode:
- name: /etc/dogtag/ca-certs.p12
- encoding_type: base64
- encoded_data: "{{ server.dogtag_certs }}"
+ - require:
+ - dogtag_setup-ds
-/etc/dogtag/ca-certs.p12_rights:
+dogtag_ca-certs-rights:
file.managed:
- name: /etc/dogtag/ca-certs.p12
- user: pkiuser
- group: pkiuser
- mode: 640
+ - require:
+ - dogtag_ca-certs_decode
{%- endif %}
/etc/dogtag/dogtag.cfg:
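Review bot: `dogtag_ca-certs_decode` writes the PKCS#12 bundle — which, per the export later in this file, carries the CA's private keys — to `/etc/dogtag/ca-certs.p12` before `dogtag_ca-certs-rights` sets `pkiuser:pkiuser 640`, so between the two states, and permanently if the run aborts between them, the file keeps whatever mode `file.decode` created it with, presumably root's default umask. Reversing the dependency closes the window: let the `file.managed` state create the empty file with its final owner and mode first (`replace: False` so a later run does not truncate it) and have the decode require it; this assumes `file.decode` rewrites the existing inode in place rather than replacing it — TODO confirm against the file module. The `dogtag.cfg` require on `dogtag_ca-certs-rights` further down would then point at `dogtag_ca-certs_decode` instead. Separately, the new requisites use bare state IDs (`- dogtag_setup-ds`) while the existing one uses `- pkg: dogtag_server_packages`; pick one form for the file.
```yaml
{%- if server.get('role', 'master') == 'slave' %}
# Create the target with its final owner/mode before any key material lands in it.
dogtag_ca-certs-rights:
  file.managed:
    - name: /etc/dogtag/ca-certs.p12
    - user: pkiuser
    - group: pkiuser
    - mode: 640
    - replace: False
    - require:
      - dogtag_setup-ds

# file.decode overwrites the contents in place; TODO confirm it keeps the mode set above.
dogtag_ca-certs_decode:
  file.decode:
    - name: /etc/dogtag/ca-certs.p12
    - encoding_type: base64
    - encoded_data: "{{ server.dogtag_certs }}"
    - require:
      - dogtag_ca-certs-rights
{%- endif %}
```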
@@ -56,7 +61,11 @@
- group: pkiuser
- mode: 640
- require:
+ - dogtag_setup-ds
- pkg: dogtag_server_packages
+ {%- if server.get('role', 'master') == 'slave' %}
+ - dogtag_ca-certs-rights
+ {%- endif %}
{# Need to use exact order of subsystems #}
{%- for key_name in ('CA', 'KRA', 'OCSP', 'TKS', 'TPS') %}
@@ -82,9 +91,14 @@
{%- endfor %}
{%- if server.get('role', 'master') == 'master' %}
+{%- if server.get('subsystems', {}).get('CA', {}).pki_client_pkcs12_password is defined %}
+ {%- set pki_client_pks12_password = server.subsystems.CA.pki_client_pkcs12_password %}
+{%- else %}
+ {%- set pki_client_pks12_password = server.default_config_options.pki_client_pkcs12_password %}
+{%- endif %}
export_dogtag_certs:
cmd.run:
- - name: grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > /etc/dogtag/internal.txt && echo {{ server.default_config_options.get('pki_clone_pkcs12_password') }} > /etc/dogtag/pass.txt && PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p /etc/dogtag/internal.txt -o /etc/dogtag/ca-certs.p12 -w /etc/dogtag/pass.txt && rm -f /etc/dogtag/internal.txt /etc/dogtag/pass.txt && cat /etc/dogtag/ca-certs.p12 | base64 > /etc/dogtag/ca-certs.p12.base64
+ - name: grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > /etc/dogtag/internal.txt && echo -n {{ pki_client_pks12_password }} > /etc/dogtag/pass.txt && PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p /etc/dogtag/internal.txt -o /etc/dogtag/ca-certs.p12 -w /etc/dogtag/pass.txt && rm -f /etc/dogtag/internal.txt /etc/dogtag/pass.txt && cat /etc/dogtag/ca-certs.p12 | base64 > /etc/dogtag/ca-certs.p12.base64
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
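Review bot: The export now encrypts `/etc/dogtag/ca-certs.p12` with `pki_client_pkcs12_password`, but the slave metadata in this change hands pkispawn `pki_clone_pkcs12_password` (a separate `_param`, `dogtag_pki_clone_pkcs12_password`) to import that same file, so a clone install only succeeds when an operator happens to set both params to the same value; the removed line used `pki_clone_pkcs12_password` on the master side, which is the matching key. Beyond that, `echo -n {{ pki_client_pks12_password }} > /etc/dogtag/pass.txt` expands the password unquoted into a root shell — any `$`, `;`, `&` or whitespace in it changes the command — and the temporary `internal.txt`/`pass.txt` and the resulting `ca-certs.p12.base64` are created under the default umask, unlike the PEM export below which sets `- umask: 077`; the `&&` chain also leaves both password files behind if `PKCS12Export` fails. Quote the expansion (`echo -n '{{ pki_client_pks12_password }}'`), add `- umask: 077` to this state, and prefer passing the secret via `- env:` so it is not part of the logged command line. The local name `pki_client_pks12_password` reads as a typo for `pkcs12`.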
@@ -103,7 +117,7 @@
{%- if server.get('export_pem_file_path', False) %}
export_dogtag_root_cert_to_pem_file:
cmd.run:
- - name: openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:{{ server.default_config_options.get('pki_client_pkcs12_password') }} -out {{ server.export_pem_file_path }} -nodes
+ - name: openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:{{ pki_client_pks12_password }} -out {{ server.export_pem_file_path }} -nodes
- umask: 077
{%- if grains.get('noservices') %}
- onlyif: /bin/false
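Review bot: `-passin pass:{{ pki_client_pks12_password }}` puts the PKCS#12 password on the openssl command line, where it is visible to every local user via `ps`/`/proc` for the duration of the call and is likely to land in the minion log together with the command. Pass it through the environment instead: add `- env:` with `  - P12PASS: '{{ pki_client_pks12_password }}'` to the state and use `-passin env:P12PASS`. `-nodes` also leaves the admin private key unencrypted in `{{ server.export_pem_file_path }}`; `umask: 077` makes that file root-only at creation, so whichever service reads it (the test pillar points at `/etc/barbican/`) needs its own access arranged — a comment on the state noting this would help.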
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
deleted file mode 100644
index dcfc899..0000000
--- a/metadata/service/server/cluster.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-applications:
-- dogtag
-parameters:
- _param:
- dogtag_pki_security_domain_https_port: 8443
- dogtag:
- server:
- enabled: True
- role: ${_param:dogtag_cluster_role}
- default_config_options:
- pki_security_domain_hostname: ${_param:dogtag_master_host}
- pki_security_domain_user: caadmin
- pki_security_domain_https_port: ${_param:dogtag_pki_security_domain_https_port}
- pki_clone_uri: https://${_param:dogtag_master_host}:${_param:dogtag_pki_security_domain_https_port}
- subsystems:
- CA:
- enabled: True
- KRA:
- enabled: True
- OCSP:
- enabled: False
- TKS:
- enabled: False
- TPS:
- enabled: False
diff --git a/metadata/service/server/cluster/init.yml b/metadata/service/server/cluster/init.yml
new file mode 100644
index 0000000..a26d275
--- /dev/null
+++ b/metadata/service/server/cluster/init.yml
@@ -0,0 +1,50 @@
+applications:
+- dogtag
+parameters:
+ _param:
+ dogtag_pki_security_domain_name: 'EXAMPLE'
+ dogtag_pki_security_domain: 'example.com'
+ dogtag_pki_ds_base_dn: 'dc=example,dc=com'
+ dogtag:
+ server:
+ enabled: True
+ default_config_options:
+ pki_client_pkcs12_password: ${_param:dogtag_pki_client_pkcs12_password}
+ subsystems:
+ CA:
+ enabled: True
+ pki_admin_email: caadmin@${_param:dogtag_pki_security_domain}
+ pki_admin_name: caadmin
+ pki_admin_nickname: caadmin
+ pki_admin_password: ${_param:dogtag_pki_admin_password}
+ pki_admin_uid: caadmin
+ pki_client_database_password: ${_param:dogtag_pki_client_database_password}
+ pki_client_database_purge: False
+ pki_client_pkcs12_password: ${_param:dogtag_pki_client_pkcs12_password}
+ pki_ds_base_dn: ${_param:dogtag_pki_ds_base_dn}
+ pki_ds_database: ca
+ pki_ds_password: ${_param:dogtag_pki_ds_password}
+ pki_security_domain_name: ${_param:dogtag_pki_security_domain_name}
+ pki_security_domain_password: ${_param:dogtag_pki_security_domain_password}
+ KRA:
+ enabled: True
+ pki_admin_cert_file: /root/.dogtag/pki-tomcat/ca_admin.cert
+ pki_admin_email: kraadmin@${_param:dogtag_pki_security_domain}
+ pki_admin_name: kraadmin
+ pki_admin_nickname: kraadmin
+ pki_admin_password: ${_param:dogtag_pki_admin_password}
+ pki_admin_uid: kraadmin
+ pki_client_database_password: ${_param:dogtag_pki_client_database_password}
+ pki_client_pkcs12_password: ${_param:dogtag_pki_client_pkcs12_password}
+ pki_ds_database: kra
+ pki_ds_password: ${_param:dogtag_pki_ds_password}
+ pki_security_domain_name: ${_param:dogtag_pki_security_domain_name}
+ pki_security_domain_user: caadmin
+ pki_security_domain_password: ${_param:dogtag_pki_security_domain_password}
+ pki_token_password: ${_param:dogtag_pki_token_password}
+ OCSP:
+ enabled: False
+ TKS:
+ enabled: False
+ TPS:
+ enabled: False
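Review bot: `pki_client_database_purge: False` under the CA has no explanation, and the reason is not visible here — it looks related to the KRA's `pki_admin_cert_file: /root/.dogtag/pki-tomcat/ca_admin.cert` below, i.e. leaving the CA's client material in place for the KRA install to reuse, but that is an inference. Add a comment on that line stating the actual reason and what breaks if it is flipped back, because a purge left disabled presumably also keeps the client NSS database, admin key included, on disk after install. Note as well that the CA and KRA admins share `dogtag_pki_admin_password` and both subsystems share `dogtag_pki_security_domain_password`, so one leaked credential covers both; if that is intended for this deployment, say so next to the params.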
diff --git a/metadata/service/server/cluster/master.yml b/metadata/service/server/cluster/master.yml
new file mode 100644
index 0000000..38798a6
--- /dev/null
+++ b/metadata/service/server/cluster/master.yml
@@ -0,0 +1,8 @@
+classes:
+- service.dogtag.server.cluster
+parameters:
+ _param:
+ dogtag_pki_security_domain_https_port: 8443
+ dogtag:
+ server:
+ role: master
diff --git a/metadata/service/server/cluster/slave.yml b/metadata/service/server/cluster/slave.yml
new file mode 100644
index 0000000..34ebebb
--- /dev/null
+++ b/metadata/service/server/cluster/slave.yml
@@ -0,0 +1,26 @@
+classes:
+- service.dogtag.server.cluster
+parameters:
+ _param:
+ dogtag_pki_security_domain_https_port: 8443
+ dogtag_pki_security_domain_name: 'EXAMPLE'
+ dogtag:
+ server:
+ role: slave
+ subsystems:
+ CA:
+ pki_security_domain_hostname: ${_param:dogtag_master_host}
+ pki_security_domain_user: caadmin
+ pki_security_domain_https_port: ${_param:dogtag_pki_security_domain_https_port}
+ pki_clone_uri: https://${_param:dogtag_master_host}:${_param:dogtag_pki_security_domain_https_port}
+ pki_clone_pkcs12_path: /etc/dogtag/ca-certs.p12
+ pki_ssl_server_subject_dn: cn=CA Signing Certificate,OU=pki-tomcat,o=${_param:dogtag_pki_security_domain_name}
+ pki_clone_pkcs12_password: ${_param:dogtag_pki_clone_pkcs12_password}
+ KRA:
+ pki_security_domain_hostname: ${_param:dogtag_master_host}
+ pki_security_domain_user: caadmin
+ pki_security_domain_https_port: ${_param:dogtag_pki_security_domain_https_port}
+ pki_clone_uri: https://${_param:dogtag_master_host}:${_param:dogtag_pki_security_domain_https_port}
+ pki_clone_pkcs12_path: /etc/dogtag/ca-certs.p12
+ pki_ssl_server_subject_dn: cn=CA Signing Certificate,OU=pki-tomcat,o=${_param:dogtag_pki_security_domain_name}
+ pki_clone_pkcs12_password: ${_param:dogtag_pki_clone_pkcs12_password}
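Review bot: `pki_ssl_server_subject_dn: cn=CA Signing Certificate,OU=pki-tomcat,o=...` gives the clone's TLS server certificate the subject of a CA signing certificate rather than the slave's hostname, so any client that verifies the hostname against the certificate will reject the slave's HTTPS endpoint. If this is deliberate — for example to match a certificate already present in the imported PKCS#12 — it needs a comment saying so; otherwise it should carry the clone host, e.g. `cn=${_param:<slave host param>},o=${_param:dogtag_pki_security_domain_name}`. `pki_clone_pkcs12_password: ${_param:dogtag_pki_clone_pkcs12_password}` must equal whatever the master used when exporting the bundle, and nothing here ties the two params together; a comment on that line naming the master-side param would prevent a silent mismatch.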
diff --git a/tests/pillar/dogtag_single.sls b/tests/pillar/dogtag_single.sls
index 0c25f99..15e6f6c 100644
--- a/tests/pillar/dogtag_single.sls
+++ b/tests/pillar/dogtag_single.sls
@@ -4,8 +4,10 @@
export_pem_file_path: /etc/barbican/kra_admin_cert.pem
ldap_dn_password: password
ldap_hostname: host
+ ldap_admin_password: password
subsystems:
CA:
+ pki_client_pkcs12_password: password
enabled: True
KRA:
enabled: True