Added sslpassword and sslverifyservercert

CHANGELOG.md

@@ -1,6 +1,8 @@
 ### 3.9.0
 
 - Add setting to control maxKBps in limits.conf
+- Add setting to control sslpassword plaintext or hashed
+- Add setting to control sslverifyservercert for outputs and splunkd
 
 ### 3.8.0
 

README.md

@@ -89,6 +89,7 @@ node 'splunk-server.internal.corp.tld' {
     reuse_puppet_certs => false,
     sslcertpath        => 'server.pem',
     sslrootcapath      => 'cacert.pem',
+    sslpassword        => 'password',
   }
 }
 ```
@@ -105,6 +106,7 @@ node 'splunk-server.internal.corp.tld' {
     reuse_puppet_certs => false,
     sslcertpath        => 'server.pem',
     sslrootcapath      => 'cacert.pem',
+    sslpassword        => 'password',
   }
 }
 ```
@@ -171,6 +173,7 @@ node 'splunk-server.internal.corp.tld' {
     reuse_puppet_certs => false,
     sslcertpath        => 'server.pem',
     sslrootcapath      => 'cacert.pem',
+    sslpassword        => 'password',
   }
 }
 
@@ -181,6 +184,7 @@ node 'some-server.internal.corp.tld' {
     reuse_puppet_certs => false,
     sslcertpath        => 'server.pem',
     sslrootcapath      => 'cacert.pem',
+    sslpassword        => 'password',
   }
 }
 ```
@@ -782,6 +786,10 @@ Windows on a share that is accessible from all your Windows servers.
 
    Note that the path is relative to $SPLUNK_HOME/etc/auth/
 
+#### `sslpassword`
+
+   Optional. Specify the password for the RSA key. Can be plaintext or a Splunk hash. For a Splunk hash you should also specify the Splunk secret.
+
 #### `admin`
 
   Optional. Used to create a local admin user with predefined hash, full
@@ -895,6 +903,27 @@ Windows on a share that is accessible from all your Windows servers.
   requireclientcert => 'inputs',
   ```
 
+#### `sslverifyservercert`
+
+  Optional. Used on a client to require servers to present an SSL certificate from the same CA as the client.
+  Can be an array with:
+
+  - `outputs`: require servers to present a certificate when sending data to Splunk
+  - `splunkd`: require deployment servers and search peers to present a certificate from the same CA
+
+
+  For example require both splunkd and outputs connections to present a certificate from the same CA:
+
+  ```
+  sslverifyservercert => ['splunkd','outputs'],
+  ```
+
+  Or only require Splunk indexers to present a certificate with the same CA when sending data;
+
+  ```
+  sslverifyservercert => 'outputs',
+  ```
+
 #### `secret`
 
   Optional. Specifies the contents for the $SPLUNK_HOME/etc/auth/splunk.secret file. This can be helpful when distributing prehashed passwords across multiple Splunk instances.

TEST_COVERAGE.md

@@ -12,14 +12,14 @@
 | v3.4.2  |   28   |  45   |
 | v3.7.0  |   30   |  48   |
 | v3.8.0  |   30   |  50   |
-| v3.9.0  |   31   |  51   |
+| v3.9.0  |   33   |  53   |
 
 ## By operating system:
 
 | os      | tested | total |
 |---------|--------|-------|
-| linux   |   31   |  51   |
-| windows |   0    |  51   |
+| linux   |   33   |  53   |
+| windows |   0    |  53   |
 
 ## By parameter:
 
@@ -68,7 +68,9 @@
 | `splunk_os_group` | no |
 | `sslcertpath`| Y |
 | `sslcompatibility` | no |
+| `sslpassword` | Y |
 | `sslrootcapath` | Y |
+| `sslverifyservercert` | Y |
 | `sslversions_intermediate` | no |
 | `sslversions_modern` | no |
 | `tcpout` | Y |

manifests/init.pp

@@ -42,6 +42,8 @@
   $reuse_puppet_certs         = $splunk::params::reuse_puppet_certs,
   $sslcertpath                = $splunk::params::sslcertpath,
   $sslrootcapath              = $splunk::params::sslrootcapath,
+  $sslpassword                = $splunk::params::sslpassword,
+  $sslverifyservercert        = $splunk::params::sslverifyservercert,
   $inputport                  = $splunk::params::inputport,
   $httpport                   = $splunk::params::httpport,
   $kvstoreport                = $splunk::params::kvstoreport,

manifests/inputs.pp

@@ -16,8 +16,9 @@
   $splunk_os_group = $splunk::real_splunk_os_group,
   $splunk_dir_mode = $splunk::real_splunk_dir_mode,
   $splunk_file_mode = $splunk::real_splunk_file_mode,
-  $sslrootcapath   = $splunk::sslrootcapath,
-  $sslcertpath   = $splunk::sslcertpath
+  $sslrootcapath = $splunk::sslrootcapath,
+  $sslpassword = $splunk::sslpassword,
+  $sslcertpath = $splunk::sslcertpath
 ){
   $splunk_app_name = 'puppet_common_ssl_inputs'
   if $inputport == undef {

manifests/outputs.pp

@@ -14,9 +14,11 @@
   $splunk_home    = $splunk::splunk_home,
   $splunk_app_precedence_dir = $splunk::splunk_app_precedence_dir,
   $splunk_app_replace = $splunk::splunk_app_replace,
-  $use_ack         = $splunk::use_ack,
-  $sslrootcapath   = $splunk::sslrootcapath,
-  $sslcertpath   = $splunk::sslcertpath
+  $use_ack = $splunk::use_ack,
+  $sslrootcapath = $splunk::sslrootcapath,
+  $sslcertpath = $splunk::sslcertpath,
+  $sslpassword = $splunk::sslpassword,
+  $sslverifyservercert = $splunk::sslverifyservercert
 ){
   if $clustering[cm] == undef and $type == undef {
     $cm = "${::fqdn}:8089"

manifests/params.pp

@@ -29,25 +29,27 @@
   $reuse_puppet_certs = true
   $sslcertpath   = 'certs/s2s.pem'
   $sslrootcapath = 'certs/ca.crt'
+  $sslpassword  = undef
+  $sslverifyservercert = undef
   $httpport     = undef
-  $kvstoreport = undef
+  $kvstoreport  = undef
   $mgmthostport = undef
-  $tcpout      = undef
+  $tcpout       = undef
   # set to some string instead of undef to prevent 'Missing title' errors in Puppet 4.x
-  $searchpeers = 'empty'
-  $admin       = undef
-  $clustering  = { }
+  $searchpeers  = 'empty'
+  $admin        = undef
+  $clustering   = { }
   $replication_port = 9887
-  $shclustering  = { }
-  $service     = {
+  $shclustering = { }
+  $service      = {
     enable => true,
     ensure => undef,
   }
   $use_ack      = false
   $ds_intermediate = undef
   $phonehomeintervalinsec = 60
   $repositorylocation = undef
-  $version     = undef
+  $version      = undef
   $auth                         = {
     'type'                      => 'Splunk',
     'saml_idptype'              => undef,
@@ -72,12 +74,12 @@
     'power'     => 'Power Users',
     'user'      => 'Domain Users',
   }
-  $dontruncmds = false
+  $dontruncmds  = false
   $minfreespace = undef
   $pass4symmkey = 'changeme'
-  $secret = undef
+  $secret       = undef
   $maxbackupindex = 1
-  $maxfilesize = 10000000
-  $maxkbps = undef
+  $maxfilesize  = 10000000
+  $maxkbps      = undef
 }
 

manifests/server/ssl.pp

@@ -15,7 +15,9 @@
   $splunk_app_precedence_dir = $splunk::splunk_app_precedence_dir,
   $splunk_app_replace = $splunk::splunk_app_replace,
   $splunk_home = $splunk::splunk_home,
-  $sslrootcapath = $splunk::sslrootcapath
+  $sslpassword = $splunk::sslpassword,
+  $sslrootcapath = $splunk::sslrootcapath,
+  $sslverifyservercert = $splunk::sslverifyservercert
 ){
   $splunk_app_name = 'puppet_common_ssl_base'
   file { ["${splunk_home}/etc/apps/${splunk_app_name}",

spec/classes/init_spec.rb

@@ -620,4 +620,37 @@
     it { should contain_file('/opt/splunkforwarder/etc/apps/puppet_common_thruput_base/local/limits.conf').with_content(/\[thruput\]\nmaxKBps = 5000/) }
   end
 
+  context 'with sslpassword set' do
+    let(:params) { 
+      {
+        :inputport => 9997,
+        :reuse_puppet_certs => false,
+        :sslcertpath => 'server.pem',
+        :sslrootcapath => 'cacert.pem',
+        :sslpassword => 'password',
+      }
+    }
+    it { should contain_class('splunk::installed') }
+    it { should contain_package('splunk') }
+    it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_inputs/local/inputs.conf').with_content(/sslPassword = password/) }
+    it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_base/local/server.conf').with_content(/sslPassword = password/) }
+  end
+
+  context 'with sslverifyservercert set' do
+    let(:params) { 
+      {
+        :type => 'uf',
+        :tcpout => 'server:9997',
+        :sslcertpath => 'server.pem',
+        :sslrootcapath => 'cacert.pem',
+        :sslpassword => 'password',
+        :sslverifyservercert => ['splunkd', 'outputs'],
+      }
+    }
+    it { should contain_class('splunk::installed') }
+    it { should contain_package('splunkforwarder') }
+    it { should contain_file('/opt/splunkforwarder/etc/apps/puppet_common_ssl_outputs/local/outputs.conf').with_content(/sslVerifyServerCert = true/) }
+    it { should contain_file('/opt/splunkforwarder/etc/apps/puppet_common_ssl_base/local/server.conf').with_content(/sslVerifyServerCert = true/) }
+  end
+
 end

templates/puppet_common_ssl_base/local/server.conf

@@ -12,8 +12,16 @@ enableSplunkdSSL=true
 <%- if @ecdhcurvename != nil -%>
 ecdhCurveName = <%= @ecdhcurvename %>
 <%- end -%>
+<%- if @sslpassword != nil -%>
+sslPassword = <%= @sslpassword %>
+<%- end -%>
 <%- if @requireclientcert != nil -%>
 <%- if @requireclientcert.include? 'splunkd' -%>
 requireClientCert = true
 <%- end -%>
 <%- end -%>
+<%- if @sslverifyservercert != nil -%>
+<%- if @sslverifyservercert.include? 'splunkd' -%>
+sslVerifyServerCert = true
+<%- end -%>
+<%- end -%>

templates/puppet_common_ssl_inputs/local/inputs.conf

@@ -21,6 +21,9 @@ ecdhCurveName = <%= @ecdhcurvename %>
 # moved to server.conf/[sslConfig]/
 serverCert = <%= @splunk_home %>/etc/auth/<%= @sslcertpath %>
 sslVersions = <%= @sslversions %>
+<%- if @sslpassword != nil -%>
+sslPassword = <%= @sslpassword %>
+<%- end -%>
 <%- if @requireclientcert != nil -%>
 <%- if @requireclientcert.include? 'inputs' -%>
 requireClientCert = true

templates/puppet_common_ssl_outputs/local/outputs.conf

@@ -13,6 +13,14 @@ server = <%= @tcpout %>
 <%- end -%>
 sslCertPath = <%= @splunk_home %>/etc/auth/<%= @sslcertpath %>
 sslRootCAPath = <%= @splunk_home %>/etc/auth/<%= @sslrootcapath %>
+<%- if @sslpassword != nil -%>
+sslPassword = <%= @sslpassword %>
+<%- end -%>
+<%- if @sslverifyservercert != nil -%>
+<%- if @sslverifyservercert.include? 'outputs' -%>
+sslVerifyServerCert = true
+<%- end -%>
+<%- end -%>
 useACK = <%= @use_ack %>
 
 <%- if @tcpout == 'indexer_discovery' -%>