From 8e58d3a2e58dbcafa6ce7b4602aeb6dc97f7a2e5 Mon Sep 17 00:00:00 2001
From: Leif Johansson
Date: Mon, 2 Jul 2018 08:48:12 +0200
Subject: [PATCH] refactor key mgmt for md_signer

---
 global/overlay/etc/puppet/cosmos-rules.yaml | 2 ++
 .../etc/puppet/manifests/cosmos-site.pp | 24 ++++++++++++-------
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 7169033f..bfdc5a5a 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -295,6 +295,7 @@ md1.komreg.net:
 openstack_dockerhost:
 metadatamgrs:
 konsulter:
+ eidas_metadata_key:
 md_signer:
 name: natmd-qa
 dest_host: p1.komreg.net
@@ -305,6 +306,7 @@ md-eu1.qa.komreg.net:
 openstack_dockerhost:
 metadatamgrs:
 konsulter:
+ eidas_metadata_key:
 md_signer:
 name: eidas-qa
 dest_host: p2.qa.komreg.net
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index dcad00b5..7e467f40 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -137,19 +137,15 @@ class md_repo_client {
 }
 }
 
-class md_signer($dest_host=undef,$dest_dir="",$luna_version="6.2") {
- $pkcs11pin = hiera('pkcs11pin',"")
- package { ['xsltproc','libxml2-utils']: ensure => latest } ->
+class eidas_metadata_key {
 sunet::snippets::secret_file {"/etc/credentials/metadata.key":
 hiera_key => 'eidas_metadata_key',
 base64 => true
- } ->
- sunet::pyff {$name:
- version => "eidas",
- pound_and_varnish => false,
- pipeline => "${name}.fd",
- volumes => ["/etc/credentials:/etc/credentials"]
 }
+}
+
+class eidas_hsm_client {
+ $pkcs11pin = hiera('pkcs11pin',"")
 file {['/etc/luna','/etc/luna/cert']: ensure => directory } ->
 sunet::docker_run {"${name}_hsmproxy":
 hostname => "${::fqdn}",
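Review bot: The host entries for md1.komreg.net and md-eu1.qa.komreg.net gain `eidas_metadata_key:` but not the new `eidas_hsm_client` class that the same commit splits out of md_signer, so unless md_signer includes that class somewhere outside this diff, the hsmproxy container and the `/etc/luna` directories will no longer be applied on these hosts while md_signer's `${name}_restart_hsmproxy` cronjob keeps restarting a service that is never defined. The same omission is in the second hunk (md-eu1.qa.komreg.net). If both classes are meant to be deployed together, adding `eidas_hsm_client:` next to `eidas_metadata_key:` in both entries makes that explicit; if the HSM proxy is intentionally optional per host, a one-line YAML comment saying so would keep the next reader from reapplying it by mistake.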
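Review bot: Moving `sunet::docker_run {"${name}_hsmproxy":` into the new `eidas_hsm_client` class changes what `$name` expands to: inside a Puppet class `$name` is the class name, so unless the site tooling maps the `name:` entry from cosmos-rules.yaml onto it, the container is now `eidas_hsm_client_hsmproxy` while md_signer (second hunk) still restarts `docker-${name}-hsmproxy` with its own `$name`, and the two no longer agree. Hard-coding one identifier in both places, e.g. `sunet::docker_run {"md_signer_hsmproxy":` here and `cmd => "/usr/sbin/service docker-md_signer-hsmproxy restart",` in the cronjob (which also removes the stray trailing `'` inside that command string), keeps them in step. `$luna_version` remains a parameter of md_signer although the Luna client resources moved here; if the docker_run below uses it, eidas_hsm_client needs the same parameter or a `hiera()` lookup. The body of eidas_hsm_client continues past the end of this hunk, so the `$luna_version` use could not be confirmed from the diff.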
@@ -158,6 +154,16 @@ class md_signer($dest_host=undef,$dest_dir="",$luna_version="6.2") {
 volumes => ['/dev/log:/dev/log','/etc/luna/cert:/usr/safenet/lunaclient/cert'],
 env => ["PKCS11PIN=${pkcs11pin}"]
 }
+}
+
+class md_signer($dest_host=undef,$dest_dir="",$luna_version="6.2") {
+ package { ['xsltproc','libxml2-utils']: ensure => latest } ->
+ sunet::pyff {$name:
+ version => "eidas",
+ pound_and_varnish => false,
+ pipeline => "${name}.fd",
+ volumes => ["/etc/credentials:/etc/credentials"]
+ }
 sunet::scriptherder::cronjob { "${name}_restart_hsmproxy":
 cmd => "/usr/sbin/service docker-${name}-hsmproxy restart'",
 minute => '9',
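Review bot: The `->` that previously chained `sunet::snippets::secret_file` into `sunet::pyff` was dropped with the split, so nothing in the new md_signer class orders the writing of `/etc/credentials/metadata.key` before the pyff container that mounts `/etc/credentials` is started; on a fresh host the signer can come up with a missing or empty key unless catalog order happens to favour it. If eidas_metadata_key is a prerequisite of md_signer, say so in the manifest: `include eidas_metadata_key` at the top of the class and `Class['eidas_metadata_key'] -> Class['md_signer']` (or `require => Class['eidas_metadata_key']` on the pyff resource). A short header comment on the class, stating that it expects the key from eidas_metadata_key and the proxy container from eidas_hsm_client, would document the dependency that used to be visible in the resource chain. The md_signer body continues past the end of the hunk.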