Added option to also use Puppet certs for Splunkweb

jorritfolmer · May 28, 2018 · b26029f · b26029f
1 parent 6370769
commit b26029f
Show file tree

Hide file tree

Showing 9 changed files with 159 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### 3.12.0
+
+- Added option to also use Puppet certs for Splunkweb
+
 ### 3.11.0
 
 - Added pool_suggestion parameter

diff --git a/README.md b/README.md
@@ -883,6 +883,14 @@ Optional. By default the certificates signed by the Puppet CA will be reused. Ho
 - `true` (default)
 - `false`
 
+### `reuse_puppet_certs_for_web`
+
+Optional. By default the certificates signed by the SplunkCommonCA will be used to secure the Splunkweb interface at 8000/tcp
+If you want to use the one signed by the Puppet CA, set this option to true.
+
+- `false` (default)
+- `true`
+
 ### `requireclientcert`
 
 Optional. Used on a server to require clients to present an SSL certificate.

diff --git a/manifests/certs/web.pp b/manifests/certs/web.pp
@@ -0,0 +1,107 @@
+# vim: ts=2 sw=2 et
+#
+# Copyright (c) 2016-2018 Jorrit Folmer
+#
+
+class splunk::certs::web (
+  $package = $splunk::package,
+  $splunk_os_user = $splunk::real_splunk_os_user,
+  $splunk_os_group = $splunk::real_splunk_os_group,
+  $splunk_dir_mode = $splunk::real_splunk_dir_mode,
+  $splunk_file_mode = $splunk::real_splunk_file_mode,
+  $splunk_home = $splunk::splunk_home,
+  $privkeypath = $splunk::privkeypath,
+  $servercert = $splunk::servercert,
+  $reuse_puppet_certs_for_web = $splunk::reuse_puppet_certs_for_web
+){
+  case $::osfamily {
+    /^[Ww]indows$/: {
+      #################################### WINDOWS #################################
+      if $reuse_puppet_certs_for_web {
+        # reuse certs from open source Puppet
+        exec { 'openssl web privkey opensource puppet':
+          command     => "powershell -command \"Copy-Item c:/ProgramData/PuppetLabs/puppet/etc/ssl/private_keys/${::fqdn}.pem \'${splunk_home}/etc/auth/${privkeypath}\'\"",
+          path        => ['c:/windows/system32/windowspowershell/v1.0', 'c:/windows/system32', "${splunk_home}/bin"],
+          environment => "OPENSSL_CONF=${splunk_home}/openssl.cnf",
+          creates     => [ "${splunk_home}/etc/auth/${privkeypath}", ],
+          require     => File["${splunk_home}/etc/auth/certs"],
+          onlyif      => "powershell -command \"Test-Path C:/ProgramData/PuppetLabs/puppet/etc/ssl/private_keys/${::fqdn}.pem\""
+        }
+        -> file { "${splunk_home}/etc/auth/certs/${privkeypath}":
+          owner => $splunk_os_user,
+          group => $splunk_os_group,
+          mode  => $splunk_file_mode,
+        }
+        -> exec { 'openssl web cert opensource puppet':
+          command     => "powershell -command \"Copy-Item C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/${::fqdn}.pem \'${splunk_home}/etc/auth/${servercert}\'\"",
+          path        => ['c:/windows/system32/windowspowershell/v1.0', 'c:/windows/system32', "${splunk_home}/bin"],
+          environment => "OPENSSL_CONF=${splunk_home}/openssl.cnf",
+          creates     => [ "${splunk_home}/etc/auth/${servercert}", ],
+          onlyif      => "powershell -command \"Test-Path C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/${::fqdn}.pem\""
+        }
+        -> file { "${splunk_home}/etc/auth/${servercert}":
+          owner => $splunk_os_user,
+          group => $splunk_os_group,
+          mode  => $splunk_file_mode,
+        }
+
+      }
+    }
+    default: {
+      #################################### NIX #################################
+      if $reuse_puppet_certs_for_web {
+        # reuse certs from open source Puppet
+        exec { 'openssl web privkey opensource puppet':
+          command => "cat /etc/puppet/ssl/private_keys/${::fqdn}.pem > ${splunk_home}/etc/auth/${privkeypath}",
+          path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
+          creates => [ "${splunk_home}/etc/auth/${privkeypath}", ],
+          onlyif  => "/usr/bin/test -e /etc/puppet/ssl/private_keys/${::fqdn}.pem"
+        }
+        -> exec { 'openssl web cert opensource puppet':
+          command => "cat /etc/puppet/ssl/certs/${::fqdn}.pem > ${splunk_home}/etc/auth/${servercert}",
+          path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
+          creates => [ "${splunk_home}/etc/auth/${servercert}", ],
+          onlyif  => "/usr/bin/test -e /etc/puppet/ssl/certs/${::fqdn}.pem"
+        }
+        # reuse certs from commercial Puppet
+        -> exec { 'openssl web privkey commercial puppet':
+          command => "cat /etc/puppetlabs/puppet/ssl/private_keys/${::fqdn}.pem > ${splunk_home}/etc/auth/${privkeypath}",
+          path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
+          creates => [ "${splunk_home}/etc/auth/${privkeypath}", ],
+          onlyif  => "/usr/bin/test -e /etc/puppetlabs/puppet/ssl/private_keys/${::fqdn}.pem"
+        }
+        -> exec { 'openssl web cert commercial puppet':
+          command => "cat /etc/puppetlabs/puppet/ssl/certs/${::fqdn}.pem > ${splunk_home}/etc/auth/${servercert}",
+          path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
+          creates => [ "${splunk_home}/etc/auth/${servercert}", ],
+          onlyif  => "/usr/bin/test -e /etc/puppetlabs/puppet/ssl/certs/${::fqdn}.pem"
+        }
+        # reuse certs from Red Hat packaged Puppet
+        -> exec { 'openssl web privkey redhat puppet':
+          command => "cat /var/lib/puppet/ssl/private_keys/${::fqdn}.pem > ${splunk_home}/etc/auth/${privkeypath}",
+          path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
+          creates => [ "${splunk_home}/etc/auth/${privkeypath}", ],
+          onlyif  => "/usr/bin/test -e /var/lib/puppet/ssl/private_keys/${::fqdn}.pem"
+        }
+        -> exec { 'openssl web cert redhat puppet':
+          command => "cat /var/lib/puppet/ssl/private_keys/${::fqdn}.pem > ${splunk_home}/etc/auth/${servercert}",
+          path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', "${splunk_home}/bin"],
+          creates => [ "${splunk_home}/etc/auth/${servercert}", ],
+          onlyif  => "/usr/bin/test -e /var/lib/puppet/ssl/private_keys/${::fqdn}.pem"
+        }
+
+        # Fix permissions
+        -> file { "${splunk_home}/etc/auth/${privkeypath}":
+          owner => $splunk_os_user,
+          group => $splunk_os_group,
+          mode  => $splunk_file_mode,
+        }
+        -> file { "${splunk_home}/etc/auth/${servercert}":
+          owner => $splunk_os_user,
+          group => $splunk_os_group,
+          mode  => $splunk_file_mode,
+        }
+      }
+    }
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -46,14 +46,17 @@
   $pass4symmkey               = $splunk::params::pass4symmkey,
   $phonehomeintervalinsec     = $splunk::params::phonehomeintervalinsec,
   $pool_suggestion            = $splunk::params::pool_suggestion,
+  $privkeypath                = $splunk::params::privkeypath,
   $replication_port           = $splunk::params::replication_port,
   $repositorylocation         = $splunk::params::repositorylocation,
   $requireclientcert          = $splunk::params::requireclientcert,
   $reuse_puppet_certs         = $splunk::params::reuse_puppet_certs,
+  $reuse_puppet_certs_for_web = $splunk::params::reuse_puppet_certs_for_web,
   $rolemap                    = $splunk::params::rolemap,
   $searchpeers                = $splunk::params::searchpeers,
   $secret                     = $splunk::params::secret,
   $service                    = $splunk::params::service,
+  $servercert                 = $splunk::params::servercert,
   $shclustering               = $splunk::params::shclustering,
   $sslcompatibility           = $splunk::params::sslcompatibility,
   $sslversions_modern         = $splunk::params::sslversions_modern,
@@ -142,6 +145,7 @@
   include splunk::inputs
   include splunk::outputs
   include splunk::certs::s2s
+  include splunk::certs::web
   include splunk::web
   include splunk::server::general
   include splunk::server::ssl
@@ -168,6 +172,7 @@
   -> Class['splunk::inputs']
   -> Class['splunk::outputs']
   -> Class['splunk::certs::s2s']
+  -> Class['splunk::certs::web']
   -> Class['splunk::web']
   -> Class['splunk::server::general']
   -> Class['splunk::server::ssl']

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -53,20 +53,23 @@
   $pass4symmkey = 'changeme'
   $phonehomeintervalinsec = 60
   $pool_suggestion = undef
+  $privkeypath                  = 'certs/webprivkey.pem'
   $outputs                      = undef
-  $replication_port = 9887
-  $repositorylocation = undef
+  $replication_port             = 9887
+  $repositorylocation           = undef
   $requireclientcert            = undef
   $reuse_puppet_certs           = true
+  $reuse_puppet_certs_for_web   = undef
   $rolemap = {
     'admin'     => 'Domain Admins',
     'power'     => 'Power Users',
     'user'      => 'Domain Users',
   }
   # set to some string instead of undef to prevent 'Missing title' errors in Puppet 4.x
-  $searchpeers  = 'empty'
-  $secret       = undef
-  $service      = {
+  $searchpeers                  = 'empty'
+  $secret                       = undef
+  $servercert                   = 'certs/webcert.pem'
+  $service                      = {
     enable => true,
     ensure => undef,
   }
@@ -84,8 +87,8 @@
   $sslverifyservercert          = undef
   $tcpout                       = undef
   $type                         = undef
-  $use_ack      = false
-  $version      = undef
+  $use_ack                      = false
+  $version                      = undef
   $webssl                       = true
 }
 
diff --git a/manifests/web.pp b/manifests/web.pp
@@ -8,6 +8,9 @@
   $sslversions = $splunk::sslversions,
   $httpport = $splunk::httpport,
   $ecdhcurvename = $splunk::ecdhcurvename,
+  $privkeypath = $splunk::privkeypath,
+  $servercert = $splunk::servercert,
+  $reuse_puppet_certs_for_web = $splunk::reuse_puppet_certs_for_web,
   $splunk_os_user = $splunk::real_splunk_os_user,
   $splunk_os_group = $splunk::real_splunk_os_group,
   $splunk_dir_mode = $splunk::real_splunk_dir_mode,

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "jorritfolmer-splunk",
-  "version": "3.11.0",
+  "version": "3.12.0",
   "author": "Jorrit Folmer",
   "summary": "Deploy Splunk indexers, search heads and universal forwarders into any imaginable topology, distributed or (multisite) clustered.",
   "license": "MIT",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -124,6 +124,23 @@
     it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_outputs/local/outputs.conf').with_content(/sslCertPath = \/opt\/splunk\/etc\/auth\/server.pem/) }
   end
 
+
+  context 'with reuse_puppet_certs_for_web' do
+    let(:params) { 
+      {
+        :httpport => 8000,
+        :admin => { 'hash' => 'zzzz', 'fn' => 'yyyy', 'email' => 'wwww', },
+        :reuse_puppet_certs_for_web => true,
+      }
+    }
+    it { should contain_class('splunk::installed') }
+    it { should contain_package('splunk') }
+    it { should contain_file('/opt/splunk/etc/auth/certs/webprivkey.pem') }
+    it { should contain_file('/opt/splunk/etc/auth/certs/webcert.pem') }
+    it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_web_base/local/web.conf').with_content(/privKeyPath = \/opt\/splunk\/etc\/auth\/certs\/webprivkey.pem/) }
+    it { should contain_file('/opt/splunk/etc/apps/puppet_common_ssl_web_base/local/web.conf').with_content(/serverCert = \/opt\/splunk\/etc\/auth\/certs\/webcert.pem/) }
+  end
+
   context 'with tcpout as array' do
     let(:params) { 
       {

diff --git a/templates/puppet_common_ssl_web_base/local/web.conf b/templates/puppet_common_ssl_web_base/local/web.conf
@@ -12,4 +12,8 @@ ecdhCurveName = <%= @ecdhcurvename %>
 <%- end -%>
 <%- else -%>
 startwebserver = 0
+<%- end -%>
+<%- if @reuse_puppet_certs_for_web != nil -%>
+privKeyPath = <%= @splunk_home %>/etc/auth/<%= @privkeypath %>
+serverCert = <%= @splunk_home %>/etc/auth/<%= @servercert %>
 <%- end  %>