Added cert reuse for both commercial and open source Puppet

jorritfolmer · Mar 23, 2016 · fbe8325 · fbe8325
1 parent 37c0838
commit fbe8325
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -370,9 +370,9 @@ Splunk search head clustering (SHC) not only requires  configuration
 management, but also some orchestration to get it up and running.
 Since Puppet mainly does configuration management, you can use the exampe below
 to configure a staging server as search head cluster node. The resulting
-configuration directories in `/opt/splunk/etc/puppet_*/` can then be copied to
-a search head deployer who will further take care of managing the SHC node
-configuration.
+configuration directories in `/opt/splunk/etc/apps/puppet_*/` can then be copied to
+a search head deployer in `/opt/splunk/etc/shcluster/apps` who will further
+take care of managing the SHC node configuration.
 
 ```
 node 'splunk-staging.internal.corp.tld' {
@@ -402,7 +402,7 @@ node 'splunk-shd.internal.corp.tld' {
 }
 ```
 
-The search head cluster will still need an `splunk init shcluster-config` and `splunk bootstrap shcluster-captain` before it is up and running.
+The search head cluster will still need a `splunk init shcluster-config` and `splunk bootstrap shcluster-captain` before it is up and running.
 
 ## Parameters
 
@@ -571,6 +571,11 @@ If you have version >= 6.2.0 servers but with stock settings from a previous Spl
 
 ## Changelog
 
+### 2.1.0
+
+- Added search head clustering (SHC) support, although only useful for staging purposes due to the overruling nature of the search head deployer (SHD)
+- Added support to reuse Puppet certs from /etc/puppetlabs/puppet/ssl whenever commercial Puppet is used.
+
 ### 2.0.0
 
 - Moved Splunk configuration out of etc/system/local to individual Splunk config apps
@@ -637,9 +642,6 @@ Initial release:
 
 ## Roadmap
 
-- Migrate config files into an app instead of using the `system` folder
-- Search head clustering: search head
-- Search head clustering: deployer
 - Distributed Management Console
 - Data Collection Node
 - Add defined type so multiple splunk instances can be deployed on a single system

diff --git a/manifests/certs/s2s.pp b/manifests/certs/s2s.pp
@@ -22,26 +22,33 @@
     logoutput => true,
     timeout   => 900,
   }
-  exec { 'openssl s2s ca':
+
+  # reuse certs from open source Puppet
+  exec { 'openssl s2s ca opensource puppet':
     command => "cat /etc/puppet/ssl/certs/ca.pem > ${splunk_home}/etc/auth/certs/ca.crt",
     path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
-    require => [
-      File["${splunk_home}/etc/auth/certs"],
-    ],
-    creates => [
-      "${splunk_home}/etc/auth/certs/ca.crt",
-    ],
-    # this may take some time
-    timeout => 900,
+    creates => [ "${splunk_home}/etc/auth/certs/ca.crt", ],
+    require => File["${splunk_home}/etc/auth/certs"],
+    onlyif  => '/usr/bin/test -e /etc/puppet/ssl'
   } ->
-  exec { 'openssl s2s 1':
+  exec { 'openssl s2s 1 opensource puppet':
     command => "cat /etc/puppet/ssl/private_keys/${::fqdn}.pem /etc/puppet/ssl/certs/${::fqdn}.pem > ${splunk_home}/etc/auth/certs/s2s.pem",
     path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
-    creates => [
-      "${splunk_home}/etc/auth/certs/s2s.pem",
-    ],
-    # this may take some time
-    timeout => 900,
+    creates => [ "${splunk_home}/etc/auth/certs/s2s.pem", ],
+  }
+
+  # reuse certs from commercial Puppet
+  exec { 'openssl s2s ca commercial puppet':
+    command => "cat /etc/puppetlabs/puppet/ssl/certs/ca.pem > ${splunk_home}/etc/auth/certs/ca.crt",
+    path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+    creates => [ "${splunk_home}/etc/auth/certs/ca.crt", ],
+    require => File["${splunk_home}/etc/auth/certs"],
+    onlyif  => '/usr/bin/test -e /etc/puppetlabs/puppet/ssl'
+  } ->
+  exec { 'openssl s2s 1 commercial puppet':
+    command => "cat /etc/puppetlabs/puppet/ssl/private_keys/${::fqdn}.pem /etc/puppetlabs/puppet/ssl/certs/${::fqdn}.pem > ${splunk_home}/etc/auth/certs/s2s.pem",
+    path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+    creates => [ "${splunk_home}/etc/auth/certs/s2s.pem", ],
   }
 
 }

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "jorritfolmer-splunk",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "author": "Jorrit Folmer",
   "summary": "Deploy Splunk instances into any imaginable topology, distributed or clustered.",
   "license": "MIT",