From dfd15ce6637e8ad3b3519f2b68fb95a1320ac099 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Str=C3=B6mb=C3=A4ck?= <filip.stromback@liu.se>
Date: Mon, 7 Dec 2020 10:58:10 +0100
Subject: [PATCH] Added AD keys. Experiment to see if Hiera storage works.

---
 data/common.yaml  | 27 +++++++++++++++++++++++++++
 manifests/auth.pp | 28 +++++++++++++++++++++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 data/common.yaml

diff --git a/data/common.yaml b/data/common.yaml
new file mode 100644
index 0000000..469ccaf
--- /dev/null
+++ b/data/common.yaml
@@ -0,0 +1,27 @@
+version: 5
+aes::auth::keytab_production: >
+  ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAfFSsoD6ALGcGIKtmxr/5DxCxmDUSAf2M/7dg
+  krxqYfSLDUZ2z4hWCqWotA2urirssyEuf2kKnX2DpVxPN/N8Nzzt6IKwgk2Y
+  EL4EbjOGdbUtH6vQmq4gcbQEs5WRiVDWYeFBvq4+OlLqbnOuaQu4opLzz6R3
+  Syqx7+y3f8E+CaBHHB+6FN+P2LMPlqQQo7eiUSWFFuarJIDm1058yf/qAuhL
+  wlIZW8e5u72g6UDd8pzZzsLp050HJL6D5RJGln3/D41Ovg2UaUYSqcJw+AFA
+  5U9cmHj+7aaRHaEVqaxbcHCWulD1ayN5T42EhEx3j5BJC7xeI+dWaqfLBTgm
+  dHm8cDCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ6Gqc0YRrzi6w4+sw
+  QGUDM4BgTxHOYZpR3/stp6XdF5dt+LH+MVKobcQqw8f7d9t6ErChN/x2hRav
+  KnKyBQOSoeXYCwc8Mx0OWxI0yFu4uvFYDAT1KqWFYbuF39/xwcAtdd7brWyR
+  SQj5KZjJjZ6I7hGq]
+
+aes::auth::keytab_devel: >
+  ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAV6TzhtqZfmrgF+c/ExBVJIuKQqgGGoaA1gRL
+  q4JFbg9iDV1PsocvOWk7SCfPL7HnnEwnqSNPHSGXpW6n8x+3jevGeutnCnxY
+  FPSt6icAVfoF0m6ih7ls+NPKab8iAXbucWG2zhOq2IgYquKE2E7HZU87gIM0
+  w0h2aWgWw6Dnn90MhgwHl3p8RmielDu3XByM8NQ8Mvym7oNZTrcIFne1qoay
+  2t6aSyXDMRAx+3EtpbNLwkPk5I395Rt1YlsZWXjT+2s0sr1+1S1ECGOJZNWq
+  s2CEd3JoYD6mQn3ng7I2Rzzvrfl/tKYm1SJY7MDsKHZLKNcxSLdjPJQeUx3i
+  R+qfRjCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQlXwrYkHkhsX0d7VY
+  GOSYr4Bg3/0GZbAt5i4epB6AfnweBJcwPrdVyo91tY/cOyTlqJwZnFhuY281
+  3Dvy4xliNgqm8nzsX2fG5kMHnB74Y2JQPsGb0ZnZfCwak9JfPqQzZmuvWMhA
+  Fgsv+Aw8HmVNvJC4]
+  
\ No newline at end of file
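Review bot: This data file alone does not make the two keys reachable: a `version: 5` file under `data/` is only consulted when the module also ships a `hiera.yaml` that declares the eyaml `lookup_key` backend and its key paths, and the diffstat shows this patch adds nothing but `data/common.yaml`. If the module has no `hiera.yaml` yet, both class parameters stay `undef` on every node; if it already has one, a leading comment such as `# Decrypted by the eyaml backend configured in this module's hiera.yaml; private key lives on the Puppet server only.` makes that dependency visible to the next reader. Because the decrypted values are Kerberos keytabs, a `lookup_options:` entry for `aes::auth::keytab_production` and `aes::auth::keytab_devel` with `convert_to: Sensitive` (if the installed Puppet/Hiera supports it) keeps the plaintext out of catalogs and reports rather than relying on every consumer to wrap it. The last data line carries trailing whitespace and the file has no final newline, which some YAML linters and eyaml tooling complain about.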
diff --git a/manifests/auth.pp b/manifests/auth.pp
index 1eebfba..d4eb56a 100644
--- a/manifests/auth.pp
+++ b/manifests/auth.pp
@@ -1,10 +1,22 @@
-class aes::auth {
+class aes::auth(
+  Optional[String] $keytab_production = undef,
+  Optional[String] $keytab_devel = undef,
+){
 
   $auth_user = auth
   $auth_group = "${auth_user}"
   $auth_home = "/srv/${auth_user}"
   $auth_service = "aes_auth"
 
+  # Pick the right keytab for the current environment. We use the fqdn rather than 
+  # $environment since the keys are tied to the domain name rather than what 
+  # environment the machine is configured in.
+  if $facts[fqdn] == 'aes.edu.liu.se' {
+    $keytab = $keytab_production
+  } elsif $facts[fqdn] == 'aes-devel.edu.liu.se' {
+    $keytab = $keytab_devel
+  }
+
   # Note: We rely on Boost being installed by the broker. It seems Puppet does not like
   # that we specify "boost" multiple times, even though it would look nice, modularity-wise
   # since both the auth server and the broker requires boost.
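Review bot: `$keytab` is assigned only in the two matching branches of the new `if`/`elsif`, so on any host whose fqdn fact is neither name the variable is never set and later references warn, or fail under `strict_variables`, with an error that does not point back here; add a fallback, `} else {` / `  $keytab = undef` / `}`, or `fail()` with a message naming `$facts['fqdn']` if only these two hosts are legitimate. The new signature types both parameters as `Optional[String]`, which means the decrypted keytab bytes travel through the compiled catalog, agent reports and any diff or `notice` output in the clear; `Optional[Sensitive[String]]` (with the Hiera value converted to `Sensitive` via `lookup_options`) keeps them redacted end to end. Bareword hash keys work, but `$facts['fqdn']` reads as intended and matches the quoted host names on the same lines. The class body continues past this hunk.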
@@ -73,6 +85,20 @@ class aes::auth {
     source => "puppet:///modules/${module_name}/auth/start.sh",
   }
 
+  file { "${auth_home}/keys" :
+    ensure => directory,
+    owner  => "${auth_user}",
+    group  => "${auth_group}",
+    mode   => "0700"
+  }
+
+  file { "${auth_home}/keys/kerberos.keytab" :
+    ensure => file,
+    owner  => root,
+    group  => "${auth_group}",
+    mode   => "0640"
+  }
+
   exec { 'update-auth-repo' :
     command => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git production",
     environment => [ "REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh" ],
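Review bot: The `kerberos.keytab` resource has `ensure => file` but neither `content` nor `source`, so the keytab selected at the top of the class is never written: Puppet creates an empty root-owned file and the service cannot authenticate; add `content => $keytab,` and, since the value is a secret, `show_diff => false,` so the agent never prints the bytes when the file changes. Keytabs are binary, so it is worth a comment on the resource stating whether the eyaml value is the raw keytab or a base64 form that must be decoded first; from this hunk alone that cannot be told. When `$keytab` is `undef` (a host matching neither fqdn) the `content` attribute is simply unmanaged, which may be intended but deserves a line saying so. Visible in the context line just below, the `update-auth-repo` command still embeds an OAuth token in the manifest; now that eyaml is in place for the keytabs, that credential belongs in the same encrypted data. The `exec` resource continues past the hunk.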
-- 
GitLab