refactor key mgmt for md_signer

2018-07-02 08:48:12 +02:00 · 2018-07-02 08:48:12 +02:00 · 8e58d3a2e5
commit 8e58d3a2e5
parent 54160645cb
2 changed files with 17 additions and 9 deletions
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -295,6 +295,7 @@ md1.komreg.net:
   openstack_dockerhost:
   metadatamgrs:
   konsulter:
+   eidas_metadata_key:
   md_signer:
      name: natmd-qa
      dest_host: p1.komreg.net
@ -305,6 +306,7 @@ md-eu1.qa.komreg.net:
   openstack_dockerhost:
   metadatamgrs:
   konsulter:
+   eidas_metadata_key:
   md_signer:
      name: eidas-qa
      dest_host: p2.qa.komreg.net
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@ -137,19 +137,15 @@ class md_repo_client {
   }
 }

-class md_signer($dest_host=undef,$dest_dir="",$luna_version="6.2") {
-   $pkcs11pin = hiera('pkcs11pin',"")
-   package { ['xsltproc','libxml2-utils']: ensure => latest } ->
+class eidas_metadata_key {
   sunet::snippets::secret_file {"/etc/credentials/metadata.key":
      hiera_key => 'eidas_metadata_key',
      base64    => true
-   } ->
-   sunet::pyff {$name: 
-      version           => "eidas",
-      pound_and_varnish => false,
-      pipeline          => "${name}.fd",
-      volumes           => ["/etc/credentials:/etc/credentials"]
   }
+}
+
+class eidas_hsm_client {
+   $pkcs11pin = hiera('pkcs11pin',"")
   file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
   sunet::docker_run {"${name}_hsmproxy":
      hostname => "${::fqdn}",
@ -158,6 +154,16 @@ class md_signer($dest_host=undef,$dest_dir="",$luna_version="6.2") {
      volumes  => ['/dev/log:/dev/log','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
      env      => ["PKCS11PIN=${pkcs11pin}"]
   }
+}
+
+class md_signer($dest_host=undef,$dest_dir="",$luna_version="6.2") {
+   package { ['xsltproc','libxml2-utils']: ensure => latest } ->
+   sunet::pyff {$name:
+      version           => "eidas",
+      pound_and_varnish => false,
+      pipeline          => "${name}.fd",
+      volumes           => ["/etc/credentials:/etc/credentials"]
+   }
   sunet::scriptherder::cronjob { "${name}_restart_hsmproxy":
     cmd           => "/usr/sbin/service docker-${name}-hsmproxy restart'",
     minute        => '9',