prep for hsm proxy

2018-06-20 11:59:37 +02:00 · 2018-06-20 11:59:37 +02:00 · 1f16fe89f1
commit 1f16fe89f1
parent 439784bb4a
1 changed files with 17 additions and 1 deletions
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@ -137,7 +137,8 @@ class md_repo_client {
   }
 }

-class md_signer($dest_host=undef,$dest_dir="") {
+class md_signer($dest_host=undef,$dest_dir="",$luna_version="6.2") {
+   $pkcs11pin = hiera('pkcs11pin',"")
   package { ['xsltproc','libxml2-utils']: ensure => latest } ->
   sunet::snippets::secret_file {"/etc/credentials/metadata.key":
      hiera_key => 'eidas_metadata_key',
@ -149,6 +150,21 @@ class md_signer($dest_host=undef,$dest_dir="") {
      pipeline          => "${name}.fd",
      volumes           => ["/etc/credentials:/etc/credentials"]
   }
+   file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
+   sunet::docker_run {"${name}_hsmproxy":
+      hostname => "${::fqdn}",
+      image    => 'docker.sunet.se/luna-client',
+      imagetag => $luna_version,
+      volumes  => ['/dev/log:/dev/log','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
+      env      => ["PKCS11PIN=${pkcs11pin}"]
+   }
+   sunet::scriptherder::cronjob { "${name}_restart_hsmproxy":
+     cmd           => "/usr/sbin/service docker-${name}-hsmproxy restart'",
+     minute        => '9',
+     hour          => '0',
+     ok_criteria   => ['exit_status=0','max_age=48h'],
+     warn_criteria => ['exit_status=1','max_age=50h'],
+   }
   if ($dest_host) {
      sunet::ssh_host_credential { "${name}-publish-credential":
         hostname          => $dest_host,