Add puppet package zitrlp-strongswan

This change adds the package zitrlp-strongswan. This module allows
management of strongswan on Debian via swanctl / VICI.

Test Plan:
PASS: downloader
PASS: build-pkgs --clean --all
PASS: build-image
PASS: Run full build, system install, bootstrap and unlock SX system
PASS: Run command "puppet module list | grep strongswan"
PASS: Create a puppet manifest file responsible for creating and
      configuring each one of the strongswan and swanctl config files.
      Copy the manifest to /usr/share/puppet/modules/platform/manifest
      directory.
      Run "sudo puppet apply -e "include ::platform::strongswan""
      command. Observe that the files /etc/swanctl/swanctl.conf,
      /etc/strongswan.conf, /etc/strongswan.d/charon.conf and
      /etc/strongswan.d/charon-loggings.conf were updated according
      to the specifications of the implemented manifest.

Story: 2010940
Task: 48987

Change-Id: I3fac6d5ec514a9a7ab237b0c83dda61d042d4fcf
Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
Leonardo Mendes 2023-10-14 21:12:50 -03:00
parent 2b1651f1d5
commit f56d5f6a73
13 changed files with 259 additions and 0 deletions


@ -0,0 +1,5 @@
puppet-zitrlp-strongswan (0.1.0) UNRELEASED; urgency=medium
* Initial release.
-- Leonardo Mendes <leonardo.mendessantana@windriver.com> Sun, 15 Oct 2023 12:33:51 -0300


@ -0,0 +1,15 @@
Source: puppet-zitrlp-strongswan
Section: admin
Priority: optional
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13)
Standards-Version: 4.4.1
Homepage: https://www.starlingx.io
Package: puppet-zitrlp-strongswan
Architecture: any
Depends: puppet (>= 5.2.22),
puppet-module-puppetlabs-stdlib,
${misc:depends}
Description: Puppet module named puppet-zitrlp-strongswan
This module allows management of strongswan on Debian via swanctl / VICI, route-based or otherwise.
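Review bot: `${misc:depends}` in the Depends field is not the `${misc:Depends}` substvar that debhelper populates; substvar names are case-sensitive, so this expands to nothing and any dependencies debhelper would have added are dropped (dpkg-gencontrol warns about an unknown substitution variable rather than failing). Change the line to `${misc:Depends}`. The long Description line must also start with a single space in the real file; indentation is not visible on this rendered page, so that is only a point to confirm.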


@ -0,0 +1,29 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: puppet-zitrlp-strongswan
Upstream-Contact: Jan-Martin Rämer (https://software.service.zit-rlp.de/jra)
Source: https://software.service.zit-rlp.de/puppet/strongswan
Files: *
Copyright: (C) 2023 Jan-Martin Rämer (https://software.service.zit-rlp.de/jra)
License: GPL-3.0
Upstream-Name: puppet-zitrlp-strongswan
Upstream-Contact: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Source: https://opendev.org/starlingx/integ/src/branch/master/config/puppet-modules/puppet-zitrlp-strongswan
Files: debian/*
Copyright: (c) 2023 Wind River Systems, Inc.
License: GPL-3.0
License: GPL-3.0
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.


@ -0,0 +1,146 @@
From c02bf3a61dafb0dee6362c0bb63e782abe3090f2 Mon Sep 17 00:00:00 2001
From: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
Date: Tue, 17 Oct 2023 14:18:54 -0300
Subject: [PATCH] Add classes to update config files
---
manifests/charon.pp | 12 ++++++++++++
manifests/charon_logging.pp | 12 ++++++++++++
manifests/init.pp | 37 ++-----------------------------------
manifests/swanctl.pp | 22 ++++++++++++++++++++++
4 files changed, 48 insertions(+), 35 deletions(-)
create mode 100644 manifests/charon.pp
create mode 100644 manifests/charon_logging.pp
create mode 100644 manifests/swanctl.pp
diff --git a/manifests/charon.pp b/manifests/charon.pp
new file mode 100644
index 0000000..d1f6dcc
--- /dev/null
+++ b/manifests/charon.pp
@@ -0,0 +1,12 @@
+# @param charon_options configure other attributes in charon.conf.
+class strongswan::charon (
+ Hash $charon_options = {},
+) {
+ file { '/etc/strongswan.d/charon.conf':
+ owner => 'root',
+ mode => '0600',
+ content => strongswan::hash_to_strongswan_config({
+ charon => $charon_options,
+ }),
+ }
+}
diff --git a/manifests/charon_logging.pp b/manifests/charon_logging.pp
new file mode 100644
index 0000000..b454f2b
--- /dev/null
+++ b/manifests/charon_logging.pp
@@ -0,0 +1,12 @@
+# @param charon_logging configure file charon-logging.conf.
+class strongswan::charon_logging (
+ Hash $charon_logging = {},
+) {
+ file { '/etc/strongswan.d/charon-logging.conf':
+ owner => 'root',
+ mode => '0600',
+ content => strongswan::hash_to_strongswan_config({
+ charon => $charon_logging,
+ }),
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 08002a3..27904e4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -23,12 +23,6 @@
# @param sw_collector sw-collector block in strongswan.conf.
# @param starter starter block in strongswan.conf.
# @param swanctl swanctl block in strongswan.conf.
-# @param authorities authorities block in swanctl.conf.
-# @param connections connections block in swanctl.conf. Besides keys allowed in swanctl, these ones are added:
-# * base_interface: base interface for xfrm device.
-# * if_id: interface ID for xfrm device used for in and out. In swanctl.conf, this value is used for id_id_in and if_id_out.
-# @param secrets secrets block in swanctl.conf.
-# @param pools pools block in swanctl.conf.
# @param route_based Whether route based VPN is configured.
# @param xfrm_default_base_interface XRFM base interface used if none is specified in connection.
#
@@ -58,25 +52,9 @@ class strongswan (
Hash $connections = {},
Hash $secrets = {},
Hash $pools = {},
- Boolean $route_based = false,
String $xfrm_default_base_interface = 'lo',
+ String $strongswan_include = 'strongswan.d/*.conf',
) {
- ensure_packages(['strongswan-swanctl', 'charon-systemd'])
- service { ['ipsec,', 'strongswan-starter']:
- ensure => stopped,
- enable => false,
- }
- service { 'strongswan':
- ensure => running,
- enable => true,
- }
- if ($route_based) {
- $d = strongswan::extract_xfrm_devices_from_connections($connections, $xfrm_default_base_interface)
- $_connections = $d['connections']
- ensure_resources('strongswan::xfrm', $d['xfrm'])
- } else {
- $_connections = $connections
- }
file { '/etc/strongswan.conf':
owner => 'root',
mode => '0600',
@@ -100,18 +78,7 @@ class strongswan (
sw-collector => $sw_collector,
starter => $starter,
swanctl => $swanctl,
+ strongswan_include => $strongswan_include,
}),
- notify => Service['strongswan'],
- }
- file { '/etc/swanctl/swanctl.conf':
- owner => 'root',
- mode => '0600',
- content => strongswan::hash_to_strongswan_config({
- authorities => $authorities,
- connections => $_connections,
- secrets => $secrets,
- pools => $pools,
- }),
- notify => Service['strongswan'],
}
}
diff --git a/manifests/swanctl.pp b/manifests/swanctl.pp
new file mode 100644
index 0000000..f85e7e3
--- /dev/null
+++ b/manifests/swanctl.pp
@@ -0,0 +1,22 @@
+# @param authorities authorities block in swanctl.conf.
+# @param connections connections block in swanctl.conf.
+# @param secrets secrets block in swanctl.conf.
+# @param pools pools block in swanctl.conf.
+
+class strongswan::swanctl (
+ Hash $authorities = {},
+ Hash $connections = {},
+ Hash $secrets = {},
+ Hash $pools = {},
+) {
+ file { '/etc/swanctl/swanctl.conf':
+ owner => 'root',
+ mode => '0600',
+ content => strongswan::hash_to_strongswan_config({
+ authorities => $authorities,
+ connections => $connections,
+ secrets => $secrets,
+ pools => $pools,
+ }),
+ }
+}
--
2.25.1
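Review bot: The init.pp hunk `@@ -58,25 +52,9 @@` leaves `$connections`, `$secrets`, `$pools` and `$xfrm_default_base_interface` as parameters of class `strongswan` while every use of them is removed, keeps the `# @param route_based` line although `Boolean $route_based` is deleted, and adds `$strongswan_include` with no `@param` entry. Either drop the four now-unused parameters (their `@param` lines are already gone) or keep parameters and documentation in step, and add `# @param strongswan_include include directive written to strongswan.conf.` to the header comment. Separately, `strongswan_include => $strongswan_include` is passed as an ordinary key to `strongswan::hash_to_strongswan_config`; unless that function special-cases the key, it would be rendered as `strongswan_include = strongswan.d/*.conf` instead of an `include strongswan.d/*.conf` directive, in which case charon would never read the new charon.conf and charon-logging.conf files, so the generated strongswan.conf is worth inspecting in the test plan. The new `strongswan::charon`, `strongswan::charon_logging` and `strongswan::swanctl` classes write their files without a `notify`, so a configuration change no longer reloads the daemon; if that is intentional because service handling moved to the platform manifest, a one-line comment in each class saying so would save the next reader the same question.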


@ -0,0 +1 @@
0001-Add-classes-to-update-config-files.patch


@ -0,0 +1,3 @@
metadata.json usr/share/puppet/modules.available/puppet-zitrlp-strongswan
lib usr/share/puppet/modules.available/puppet-zitrlp-strongswan
manifests usr/share/puppet/modules.available/puppet-zitrlp-strongswan


@ -0,0 +1,13 @@
#!/bin/sh
# see: dh_installdeb(1)
set -e
if [ "${1}" = "configure" ] ; then
update-alternatives --install /usr/share/puppet/modules/strongswan puppet-module-zitrlp-strongswan \
/usr/share/puppet/modules.available/puppet-zitrlp-strongswan 500
fi
#DEBHELPER#
exit 0


@ -0,0 +1,13 @@
#!/bin/sh
# see: dh_installdeb(1)
set -e
if [ "${1}" = "remove" ] || [ "${1}" = "disappear" ]; then
update-alternatives --remove puppet-module-zitrlp-strongswan \
/usr/share/puppet/modules.available/puppet-zitrlp-strongswan
fi
#DEBHELPER#
exit 0


@ -0,0 +1,13 @@
#!/bin/sh
# see: dh_installdeb(1)
set -e
if [ "${1}" = "remove" ] || [ "${1}" = "upgrade" || [ "${1}" = "deconfigure" ]; then
update-alternatives --remove puppet-module-zitrlp-strongswan \
/usr/share/puppet/modules.available/puppet-zitrlp-strongswan
fi
#DEBHELPER#
exit 0
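Review bot: The `if` condition is missing the closing `]` after `"upgrade"`, so the shell parses `[ "${1}" = "upgrade" || [ "${1}" = "deconfigure" ]` as a `[` command without its terminating bracket followed by `|| [ "${1}" = "deconfigure" ]`; on `upgrade` the first test prints `[: missing ]` and fails, and the alternative is never removed, while `remove` and `deconfigure` still work. Change the line to `if [ "${1}" = "remove" ] || [ "${1}" = "upgrade" ] || [ "${1}" = "deconfigure" ]; then`. `set -e` does not abort on a failing command inside an `if` condition, which is why this does not surface as a package-script failure during a test install.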


@ -0,0 +1,7 @@
#!/usr/bin/make -f
# See debhelper(7) (uncomment to enable)
# output every command that modifies files on the build system.
#export DH_VERBOSE = 1
%:
dh $@


@ -0,0 +1,10 @@
---
debname: puppet-zitrlp-strongswan
debver: 0.1.0
dl_path:
name: zitrlp-strongswan-0.1.0.tar.gz
url: https://forge.puppet.com/v3/files/zitrlp-strongswan-0.1.0.tar.gz
sha256sum: bf145ac0f974cd2f0fa3a1f8da2d5cb86fcd2d9c116d737839c3ea5decd298d5
revision:
dist: $STX_DIST
BASE_SRCREV: 9ddd3705b5dcb2b13741fb5698809c101267ef26


@ -350,6 +350,9 @@ puppet-module-puppetlabs-postgresql
#puppetlabs-stdlib-5.0.0 #puppetlabs-stdlib-5.0.0
puppet-module-puppetlabs-stdlib puppet-module-puppetlabs-stdlib
#puppet-zitrlp-strongswan
puppet-zitrlp-strongswan
#python-docker #python-docker
python3-docker python3-docker


@ -38,6 +38,7 @@ config/puppet-modules/puppet-network
config/puppet-modules/puppet-puppi config/puppet-modules/puppet-puppi
config/puppet-modules/puppet-rabbitmq-8.5.0 config/puppet-modules/puppet-rabbitmq-8.5.0
config/puppet-modules/puppet-staging config/puppet-modules/puppet-staging
config/puppet-modules/puppet-zitrlp-strongswan
docker/python-docker docker/python-docker
filesystem/drbd/drbd-tools filesystem/drbd/drbd-tools
filesystem/luks filesystem/luks