-
-
Notifications
You must be signed in to change notification settings - Fork 128
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add code for secrets management in keystorage
- Loading branch information
Joris VAN ACOLEYEN
committed
Jul 25, 2024
1 parent
036c7ae
commit 9c1a339
Showing
1 changed file
with
74 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| # @summary This define will manage secrets in key storage. | ||
| # | ||
| # @example Basic usage. | ||
| # rundeck::config::project { 'MyProject': | ||
| # config => { | ||
| # 'project.description' => 'My test project', | ||
| # 'project.disable.schedule' => 'false', | ||
| # }, | ||
| # } | ||
| # | ||
| # @param content | ||
| # The secret content. | ||
| # @param ensure | ||
| # Whether or not the secret should be present. | ||
| # @param type | ||
| # The type of the secret. | ||
| # @param keystorage_path | ||
| # The path in rundeck key storage. | ||
| # @param owner | ||
| # The user that rundeck is installed as. | ||
| # @param group | ||
| # The group permission that rundeck is installed as. | ||
| # @param keystorage_dir | ||
| # The directory on filesystem where the secret files are stored. | ||
| # | ||
| define rundeck::config::secret ( | ||
| Variant[String, Sensitive[String]] $content, | ||
| Enum['absent', 'present'] $ensure = 'present', | ||
| Enum['password', 'privateKey', 'publicKey'] $type = 'password', | ||
| String[1] $keystorage_path = $name, | ||
| String[1] $owner = 'rundeck', | ||
| String[1] $group = 'rundeck', | ||
| Stdlib::Absolutepath $keystorage_dir = '/var/lib/rundeck/keystorage', | ||
| ) { | ||
| include rundeck::cli | ||
|
|
||
| ensure_resource('file', $keystorage_dir, { 'ensure' => 'directory', 'owner' => $owner, 'group' => $group, 'mode' => '0755' }) | ||
|
|
||
| $_filename = join([basename($keystorage_path), $type], '.') | ||
|
|
||
| file { "${keystorage_dir}/${_filename}": | ||
| ensure => $ensure, | ||
| owner => $owner, | ||
| group => $group, | ||
| mode => '0400', | ||
| content => $content, | ||
| notify => Exec["Update rundeck ${type}: ${keystorage_path}"], | ||
| } | ||
|
|
||
| if $ensure == 'absent' { | ||
| exec { "Remove rundeck ${type}: ${keystorage_path}": | ||
| command => "rd keys delete -p '${keystorage_path}'", | ||
| path => ['/bin', '/usr/bin', '/usr/local/bin'], | ||
| environment => $rundeck::cli::environment, | ||
| onlyif => "rd keys info -p '${keystorage_path}'", | ||
| } | ||
| } else { | ||
| exec { | ||
| default: | ||
| path => ['/bin', '/usr/bin', '/usr/local/bin'], | ||
| environment => $rundeck::cli::environment, | ||
| ; | ||
| "Update rundeck ${type}: ${keystorage_path}": | ||
| command => "rd keys update -t ${type} -p '${keystorage_path}' -f '${keystorage_dir}/${_filename}'", | ||
| onlyif => "rd keys info -p '${keystorage_path}'", | ||
| refreshonly => true, | ||
| ; | ||
| "Create rundeck ${type}: ${keystorage_path}": | ||
| command => "rd keys create -t ${type} -p '${keystorage_path}' -f '${keystorage_dir}/${_filename}'", | ||
| unless => "rd keys info -p '${keystorage_path}'", | ||
| ; | ||
| } | ||
| } | ||
| } |