Switch from pure binary pkcs7 to base64+pkcs7 for keytabs to avoid puppet 8 serialize issues

fedad439 · Thomas Johansson · 1217d3d0 · fedad439 · fedad439
Commit fedad439 authored 1 year ago by Thomas Johansson
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -26,6 +26,32 @@ aes::auth::keytab_devel: >
  IcAIbgvoQbriFHLJiL9HIWl6GSe6I/jp9n5veEkhHdT3M0nEEc0hbKWBaELj
  gTDWfQoET9V1Lrtv]

+aes::auth::keytab_production_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAWDNqT2ab63HdYWzW2/9TZrsxEcdDvJBKl87f
+  vNVOQveZOoK2vBSaGb0Mzs5AQrY02ib2mBEZKsIgyI5JIPJRc+KAPVsjOOa1
+  vYx8N/VazTPWEIEtCMXG5wwR2P+ws/mzU9ztcDd4E1Hh5k8bRsu/krTGn783
+  QF1I+FEod9tYd1vMMpRkd1nkGq0GJtRHv9Xteb3DN6XJkdrdMaNpKw8Cemj/
+  N96wTtcL72LvogBpgzueQJ8+XdyFJCmWqk1lQV7pyllOIcnXrIcAz9E7TRXz
+  kCjq3Lr2MPnpptV8CDhoIUuEiNfGAQIWa3DQJIPzuz5gtug9Am1XDvbg9Bxx
+  VQ2FmjCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQAjUES6mKmlxRmzIZ
+  wu7L04CBgACGs/1vQi4G6v4Lz99FyonAjwsGU/texX/8Xgchp7emzkgLgqqz
+  BnDIXQukEIHBA5sBiBSYbvztTj99QQ2+hjS0fIyclQHa1xACtzeWJeGuf7Wh
+  /SVEJY3QpTspf98UwahjqrDLrGNK/my8Wc0U4ji4dozFhDl1WGcTyYUp5Zgn]
+
+aes::auth::keytab_devel_base64: >
+  ENC[PKCS7,MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggEhMIIBHQIBADAFMAACAQEw
+  DQYJKoZIhvcNAQEBBQAEggEAIlqY2OywFv+nNU225WBoKCqDOoPLak73Di0u
+  Qm+zyFOroYQMYfzvCQ38U41wQanG3TdRaK9G9EoG3uX9qR/9AEYi9YWCq/YN
+  uhR7baNq4TEGsIkf/DoeMPh/LJGgQm8UGgRFj2cxTVERe/g1PC54LzuvmuHj
+  lk2KS1MYltGhnZoumczTFlk+1qGwzTzyGglSxt8EFbDJgLr5YEwWbgyhHQVg
+  C1HK53N5UeCUdJrRePDOoSfhXTq2TkzcmeuO6DMV+3pnb6IXdweBQTDikGnM
+  Bd5GSOx0U0njCVOeXqSmWAhDu2hCtryshbhhhiv+qL7cQ5yDulZIj6YaRb0X
+  CNCuXDCBrQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQ1yi1qYaUepK4KbkL
+  YTGfO4CBgKPQ++rfV6Nw1M5qPgLS6gsvkOEAe+9FFiFWH1uTNqoZX9jSO4tZ
+  F0y5pwJ4OpjQS0oiInF+rxET2PTnND6yNtxeSkBncAWnNHA80Z2U7BOZG6Lw
+  BbBuhpmotOaWx2thqdb2sCNlj3yZMT1k62VXU8rBqzRA3Vj7jiRiXXxcSnnQ]
+
 aes::tal_cli::credentials: >
  ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBAD
  AFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAii6nHpFM6+6aPuw1Qnawf77K7f

--- a/manifests/auth.pp
+++ b/manifests/auth.pp
+#  # New keytab base64+pkcs7 encoded
+#  Optional[String] $keytab_base64      = undef, # Kerberos keytab file for HTTP/fqdn (ida-web)
+#  Optional[String] $keytab2_base64     = undef, # Kerberos keytab file for HTTP/fqdn (ida-web2)
+#) {
 class aes::auth (
-  Optional[String] $keytab_production = undef,
-  Optional[String] $keytab_devel = undef
+  # Comment out old keytab params but
+  # keep temporay for comparison
+  #
+  # # Existing keytabs
+  # Optional[String] $keytab_production = undef,
+  # Optional[String] $keytab_devel = undef
+  #
+  # new base64+pkcs7 keytabs
+  Optional[String] $keytab_production_base64 = undef,
+  Optional[String] $keytab_devel_base64 = undef
 ) {
  $auth_user = auth
  $auth_group = $auth_user
  $auth_home = "/srv/${auth_user}"
  $auth_service = 'aes_auth'

+  # Decode base64 encoded keytabs
+  $keytab_production  = Binary.new($keytab_production_base64, '%b')
+  $keytab_devel = Binary.new($keytab_devel_base64, '%b')
+
  # Pick the right keytab for the current environment. We use the fqdn rather than 
  # $environment since the keys are tied to the domain name rather than what 
  # environment the machine is configured in.