Add DogTag HA
This patch adds HA support for Dogtag
Change-Id: I84e471c874ba65a75afcb4c6f69fdbb4cebbeabe
diff --git a/dogtag/files/dogtag.cfg b/dogtag/files/dogtag.cfg
index 67934e3..db79a53 100644
--- a/dogtag/files/dogtag.cfg
+++ b/dogtag/files/dogtag.cfg
@@ -3,6 +3,12 @@
{%- for conf_opt_name, conf_opt_value in server.default_config_options.iteritems() %}
{{ conf_opt_name }} = {{ conf_opt_value }}
{%- endfor %}
+
+{%- if server.get('role', 'master') == 'slave' %}
+pki_clone=True
+pki_clone_replicate_schema=True
+{%- endif %}
+
{%- for subsystem_name, subsystem_params in server.subsystems.iteritems() %}
[{{ subsystem_name }}]
{%- for key, value in subsystem_params.iteritems() %}
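Review bot: The clone section hard-codes `pki_clone=True` and `pki_clone_replicate_schema=True` in the template rather than routing them through `server.default_config_options`, so a deployer cannot override either from pillar, and nothing in this patch supplies the other values a clone needs — the PKCS12 password that server.sls reads as `pki_clone_pkcs12_password` and, presumably, the master's URI — since map.jinja only gains a default for `pki_clone_pkcs12_path`. Moving the two keys into role-specific defaults in map.jinja would keep all clone settings in one place. At minimum the template should say which keys a `role: slave` node must provide, e.g. `{#- clone mode: pki_clone_pkcs12_password (and the master URI) must come from pillar #}` above the `if`.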
diff --git a/dogtag/map.jinja b/dogtag/map.jinja
index cab5c5b..7bdc0a2 100644
--- a/dogtag/map.jinja
+++ b/dogtag/map.jinja
@@ -10,6 +10,7 @@
pki_token_password: PASSWORD
pki_security_domain_name: EXAMPLE
pki_security_domain_password: PASSWORD
+ pki_clone_pkcs12_path: /etc/dogtag/ca-certs.p12
subsystems:
KRA:
pkgs: [pki-ca, pki-kra]
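Review bot: The new `pki_clone_pkcs12_path` default appears to land in `default_config_options` and so ends up in dogtag.cfg, yet server.sls hard-codes the same path `/etc/dogtag/ca-certs.p12` in the decode, rights and export states instead of reading it back from the map. A pillar override of this key would then move where pkispawn looks without moving where the file is written. Reference `{{ server.default_config_options.pki_clone_pkcs12_path }}` in server.sls so the two stay in sync.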
@@ -28,3 +29,6 @@
{%- endload %}
{%- set server = salt['grains.filter_by'](server_defaults, merge=salt['pillar.get']('dogtag:server'), base='default') %}
+
+{%- set dogtag_mine_certs = salt['mine.get']('I@dogtag:server:role:master', 'dogtag_certs', 'compound') %}
+{%- do server.update({'dogtag_certs': dogtag_mine_certs.values()[0] }) %}
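Review bot: `dogtag_mine_certs.values()[0]` on the last line raises IndexError whenever the mine lookup returns an empty dict — on every node until a master has run `mine_send_dogtag_certs`, including the master on its own first highstate — and because map.jinja is imported unconditionally this breaks rendering of server.sls for every role, not just slaves. Guard the update: `{%- if dogtag_mine_certs %}` / `{%- do server.update({'dogtag_certs': dogtag_mine_certs.values()[0] }) %}` / `{%- endif %}`, and let the slave states handle a missing key explicitly. If more than one minion matches `I@dogtag:server:role:master`, whichever dict entry comes first wins, so the single-master assumption should be stated in a comment. Note also that mine data is readable by any minion able to call mine.get unless the master restricts it, so the base64 PKCS12 holding the CA's key material is exposed to the whole fleet rather than to the clone only; a master-side `mine_get` ACL limited to the dogtag nodes would narrow that.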
diff --git a/dogtag/server.sls b/dogtag/server.sls
index 77f0537..a47b177 100644
--- a/dogtag/server.sls
+++ b/dogtag/server.sls
@@ -1,5 +1,5 @@
{%- from "dogtag/map.jinja" import server with context %}
-{%- if server.enabled %}
+{%- if server.get('enabled', False) %}
dogtag_server_packages:
pkg.installed:
@@ -10,7 +10,7 @@
- makedirs: True
- user: pkiuser
- group: pkiuser
- - mode: 600
+ - mode: 750
- require:
- pkg: dogtag_server_packages
@@ -18,6 +18,9 @@
file.managed:
- source: salt://dogtag/files/389-ds_setup.inf
- template: jinja
+ - user: pkiuser
+ - group: pkiuser
+ - mode: 640
- require:
- pkg: dogtag_server_packages
@@ -28,13 +31,30 @@
{%- endif %}
- require:
- file: /etc/dogtag/389-ds_setup.inf
- - unless: ldapwhoami -x -p {{ server.ldap_server_port|default(389) }} -h {{ server.ldap_hostname|default('localhost') }} -w {{ server.ldap_dn_password|default('PASSWORD') }} -D '{{ server.ldap_dn|default('cn=Directory Manager') }}'
+ - unless: ldapwhoami -x -p {{ server.ldap_server_port|default(389) }} -h {{ server.ldap_hostname|default('localhost') }} -w {{ server.ldap_dn_password }} -D '{{ server.ldap_dn|default('cn=Directory Manager') }}'
+{%- if server.get('role', 'master') == 'slave' %}
+/etc/dogtag/ca-certs.p12:
+ file.decode:
+ - name: /etc/dogtag/ca-certs.p12
+ - encoding_type: base64
+ - encoded_data: "{{ server.dogtag_certs }}"
+
+/etc/dogtag/ca-certs.p12_rights:
+ file.managed:
+ - name: /etc/dogtag/ca-certs.p12
+ - user: pkiuser
+ - group: pkiuser
+ - mode: 640
+{%- endif %}
/etc/dogtag/dogtag.cfg:
file.managed:
- source: salt://dogtag/files/dogtag.cfg
- template: jinja
+ - user: pkiuser
+ - group: pkiuser
+ - mode: 640
- require:
- pkg: dogtag_server_packages
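Review bot: Dropping `|default('PASSWORD')` from the `unless` command makes `ldap_dn_password` mandatory, but map.jinja gains no default for it, so a pillar that relied on the old fallback now renders `-w  -D ...` and the check presumably fails every run, re-running the setup command it guards; that cmd.run state starts outside the hunk. The slave block has a related gap: `encoded_data: "{{ server.dogtag_certs }}"` is rendered with no check that map.jinja actually found a master in the mine, so an empty lookup yields an empty or undefined value instead of a clear failure — wrap the two states in `{%- if server.get('dogtag_certs') %}` or fail the render when the key is absent. Because `file.decode` writes the PKCS12 before the separate `_rights` state applies `640`, the file briefly exists with the minion's default umask; adding `- require:` / `- file: /etc/dogtag/ca-certs.p12` on the rights state at least makes the ordering explicit, and a comment should say why the permissions live in a second state (file.decode takes no mode arguments).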
@@ -55,15 +75,35 @@
- onlyif: /bin/false
{%- endif %}
- unless: pki-server subsystem-show {{ key_name|lower }}
+ - require:
+ - file: /etc/dogtag/dogtag.cfg
{%- endif %}
{%- endfor %}
+{%- if server.get('role', 'master') == 'master' %}
+export_dogtag_certs:
+ cmd.run:
+ - name: grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > /etc/dogtag/internal.txt && echo {{ server.default_config_options.get('pki_clone_pkcs12_password') }} > /etc/dogtag/pass.txt && PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p /etc/dogtag/internal.txt -o /etc/dogtag/ca-certs.p12 -w /etc/dogtag/pass.txt && rm -f /etc/dogtag/internal.txt /etc/dogtag/pass.txt && cat /etc/dogtag/ca-certs.p12 | base64 > /etc/dogtag/ca-certs.p12.base64
+ {%- if grains.get('noservices') %}
+ - onlyif: /bin/false
+ {%- endif %}
+
+mine_send_dogtag_certs:
+ module.run:
+ - name: mine.send
+ - func: dogtag_certs
+ - kwargs:
+ mine_function: cmd.run
+ - args:
+ - 'cat /etc/dogtag/ca-certs.p12.base64'
+ - onchanges:
+ - cmd: export_dogtag_certs
{%- if server.get('export_pem_file_path', False) %}
export_dogtag_root_cert_to_pem_file:
cmd.run:
- - name: openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:{{ server.default_config_options.get('pki_client_pkcs12_password', 'PASSWORD') }} -out {{ server.export_pem_file_path }} -nodes
+ - name: openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:{{ server.default_config_options.get('pki_client_pkcs12_password') }} -out {{ server.export_pem_file_path }} -nodes
- umask: 077
{%- if grains.get('noservices') %}
- onlyif: /bin/false
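Review bot: `export_dogtag_certs` writes `ca-certs.p12` and `ca-certs.p12.base64` — the CA's key material — without `- umask: 077`, unlike the existing `export_dogtag_root_cert_to_pem_file` state a few lines below, so both files are created with the process's default umask and are likely world-readable in /etc/dogtag. The state also has no `creates`/`unless`, so it re-exports on every highstate, and since cmd.run always reports changes the `onchanges` on `mine_send_dogtag_certs` fires every run as well; add `- umask: 077` and `- creates: /etc/dogtag/ca-certs.p12.base64`. The PKCS12 password is interpolated unquoted into the shell line, so an unset `pki_clone_pkcs12_password` renders as the literal `None` and the export silently proceeds with that password, and the full command including the secret is visible in process listings and in the job output Salt returns for this state. The password-file approach already used for the internal token would avoid the second issue if the pillar value were written via a `file.managed` with `mode: 600` instead of `echo`.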
@@ -81,5 +121,7 @@
- onchanges:
- cmd: export_dogtag_root_cert_to_pem_file
{%- endif %}
+{%- endif %}
+
{%- endif %}
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
new file mode 100644
index 0000000..78e8dbc
--- /dev/null
+++ b/metadata/service/server/cluster.yml
@@ -0,0 +1,18 @@
+applications:
+- dogtag
+parameters:
+ dogtag:
+ server:
+ enabled: True
+ role: ${_param:dogtag_cluster_role}
+ subsystems:
+ CA:
+ enabled: True
+ KRA:
+ enabled: True
+ OCSP:
+ enabled: True
+ TKS:
+ enabled: True
+ TPS:
+ enabled: True
diff --git a/tests/pillar/dogtag_single.sls b/tests/pillar/dogtag_single.sls
index 3508192..0c25f99 100644
--- a/tests/pillar/dogtag_single.sls
+++ b/tests/pillar/dogtag_single.sls
@@ -2,6 +2,8 @@
server:
enabled: True
export_pem_file_path: /etc/barbican/kra_admin_cert.pem
+ ldap_dn_password: password
+ ldap_hostname: host
subsystems:
CA:
enabled: True
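Review bot: Only the single-node pillar is extended, so nothing under tests renders the `role: slave` path (the mine lookup in map.jinja and the `file.decode` states in server.sls) or the master's export states with a `pki_clone_pkcs12_password` set; a pair of cluster pillars, e.g. a constructed `tests/pillar/dogtag_cluster_master.sls` / `dogtag_cluster_slave.sls`, would catch render failures such as an empty mine result. The added `ldap_dn_password: password` is needed because server.sls no longer falls back to a default in its `unless` check; a one-line comment above it, `# required: server.sls has no default for the directory manager password`, would explain that to the next reader.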