From 7f400af5da8edfe82cb055d68af0fee6246c7a8f Mon Sep 17 00:00:00 2001 From: Sally Young Date: Wed, 9 Oct 2024 12:26:12 +0100 Subject: [PATCH 1/6] Add support for certbot-dns-linode --- REFERENCE.md | 67 ++++++++++++++++++- data/Debian-family.yaml | 1 + data/FreeBSD-family.yaml | 1 + data/RedHat-family.yaml | 1 + data/os/Fedora.yaml | 1 + manifests/certonly.pp | 11 +++ manifests/plugin/dns_linode.pp | 60 +++++++++++++++++ .../letsencrypt_plugin_dns_linode_spec.rb | 23 +++++++ spec/classes/plugin/dns_linode_spec.rb | 55 +++++++++++++++ spec/defines/letsencrypt_certonly_spec.rb | 21 ++++++ spec/type_aliases/plugin_spec.rb | 2 +- types/plugin.pp | 1 + 12 files changed, 242 insertions(+), 2 deletions(-) create mode 100644 manifests/plugin/dns_linode.pp create mode 100644 spec/acceptance/letsencrypt_plugin_dns_linode_spec.rb create mode 100644 spec/classes/plugin/dns_linode_spec.rb diff --git a/REFERENCE.md b/REFERENCE.md index 3936bc75..3fd03945 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -10,6 +10,7 @@ * [`letsencrypt`](#letsencrypt): Install and configure Certbot, the LetsEncrypt client * [`letsencrypt::plugin::dns_cloudflare`](#letsencrypt--plugin--dns_cloudflare): Installs and configures the dns-cloudflare plugin +* [`letsencrypt::plugin::dns_linode`](#letsencrypt--plugin--dns_linode): Installs and configures the dns-linode plugin * [`letsencrypt::plugin::dns_rfc2136`](#letsencrypt--plugin--dns_rfc2136): Installs and configures the dns-rfc2136 plugin * [`letsencrypt::plugin::dns_route53`](#letsencrypt--plugin--dns_route53): Installs and configures the dns-route53 plugin * [`letsencrypt::plugin::nginx`](#letsencrypt--plugin--nginx): install and configure the Let's Encrypt nginx plugin @@ -411,6 +412,70 @@ Number of seconds to wait for the DNS server to propagate the DNS-01 challenge. Default value: `10` +### `letsencrypt::plugin::dns_linode` + +This class installs and configures the Let's Encrypt dns-linode plugin. +https://certbot-dns-linode.readthedocs.io + +#### Parameters + +The following parameters are available in the `letsencrypt::plugin::dns_linode` class: + +* [`package_name`](#-letsencrypt--plugin--dns_linode--package_name) +* [`api_key`](#-letsencrypt--plugin--dns_linode--api_key) +* [`version`](#-letsencrypt--plugin--dns_linode--version) +* [`config_path`](#-letsencrypt--plugin--dns_linode--config_path) +* [`manage_package`](#-letsencrypt--plugin--dns_linode--manage_package) +* [`propagation_seconds`](#-letsencrypt--plugin--dns_linode--propagation_seconds) + +##### `package_name` + +Data type: `Optional[String[1]]` + +The name of the package to install when $manage_package is true. + +Default value: `undef` + +##### `api_key` + +Data type: `Optional[String[1]]` + +Optional string, linode api key value for authentication. + +Default value: `undef` + +##### `version` + +Data type: `String[1]` + +string, linode api version. + +Default value: `'4'` + +##### `config_path` + +Data type: `Stdlib::Absolutepath` + +The path to the configuration directory. + +Default value: `"${letsencrypt::config_dir}/dns-linode.ini"` + +##### `manage_package` + +Data type: `Boolean` + +Manage the plugin package. + +Default value: `true` + +##### `propagation_seconds` + +Data type: `Integer` + +Number of seconds to wait for the DNS server to propagate the DNS-01 challenge. + +Default value: `10` + ### `letsencrypt::plugin::dns_rfc2136` This class installs and configures the Let's Encrypt dns-rfc2136 plugin. @@ -1072,5 +1137,5 @@ Variant[Integer[0,31], String[1], Array[ List of accepted plugins -Alias of `Enum['apache', 'standalone', 'webroot', 'nginx', 'dns-azure', 'dns-route53', 'dns-google', 'dns-cloudflare', 'dns-rfc2136', 'manual']` +Alias of `Enum['apache', 'standalone', 'webroot', 'nginx', 'dns-azure', 'dns-route53', 'dns-google', 'dns-cloudflare', 'dns-linode', 'dns-rfc2136', 'manual']` diff --git a/data/Debian-family.yaml b/data/Debian-family.yaml index c52a03b6..a4242b73 100644 --- a/data/Debian-family.yaml +++ b/data/Debian-family.yaml @@ -2,3 +2,4 @@ letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136' letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53' letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare' +letsencrypt::plugin::dns_linode::package_name: 'python3-certbot-dns-linode' diff --git a/data/FreeBSD-family.yaml b/data/FreeBSD-family.yaml index 46a0d2e7..42bc65c1 100644 --- a/data/FreeBSD-family.yaml +++ b/data/FreeBSD-family.yaml @@ -5,3 +5,4 @@ letsencrypt::cron_owner_group: 'wheel' letsencrypt::plugin::dns_rfc2136::package_name: 'py311-certbot-dns-rfc2136' letsencrypt::plugin::dns_route53::package_name: 'py311-certbot-dns-route53' letsencrypt::plugin::dns_cloudflare::package_name: 'py311-certbot-dns-cloudflare' +letsencrypt::plugin::dns_linode::package_name: 'py311-certbot-dns-linode' diff --git a/data/RedHat-family.yaml b/data/RedHat-family.yaml index 35f52041..c8a02590 100644 --- a/data/RedHat-family.yaml +++ b/data/RedHat-family.yaml @@ -3,3 +3,4 @@ letsencrypt::configure_epel: true letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136' letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53' letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare' +letsencrypt::plugin::dns_linode::package_name: 'python3-certbot-dns-linode' diff --git a/data/os/Fedora.yaml b/data/os/Fedora.yaml index 56c3cd56..6541eac1 100644 --- a/data/os/Fedora.yaml +++ b/data/os/Fedora.yaml @@ -2,3 +2,4 @@ letsencrypt::configure_epel: false letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136' letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53' +letsencrypt::plugin::dns_linode::package_name: 'python3-certbot-dns-linode' diff --git a/manifests/certonly.pp b/manifests/certonly.pp index b04f94b5..c9106a1c 100644 --- a/manifests/certonly.pp +++ b/manifests/certonly.pp @@ -205,6 +205,17 @@ ] } + 'dns-linode': { + require letsencrypt::plugin::dns_linode + $_domains = join($domains, '\' -d \'') + $plugin_args = [ + "--cert-name '${cert_name}' -d '${_domains}'", + '--dns-linode', + "--dns-linode-credentials ${letsencrypt::plugin::dns_linode::config_path}", + "--dns-linode-propagation-seconds ${letsencrypt::plugin::dns_linode::propagation_seconds}", + ] + } + 'nginx': { require letsencrypt::plugin::nginx diff --git a/manifests/plugin/dns_linode.pp b/manifests/plugin/dns_linode.pp new file mode 100644 index 00000000..f29ac304 --- /dev/null +++ b/manifests/plugin/dns_linode.pp @@ -0,0 +1,60 @@ +# @summary Installs and configures the dns-linode plugin +# +# This class installs and configures the Let's Encrypt dns-linode plugin. +# https://certbot-dns-linode.readthedocs.io +# +# @param package_name The name of the package to install when $manage_package is true. +# @param api_key +# Optional string, linode api key value for authentication. +# @param version +# string, linode api version. +# @param config_path The path to the configuration directory. +# @param manage_package Manage the plugin package. +# @param propagation_seconds Number of seconds to wait for the DNS server to propagate the DNS-01 challenge. +# +class letsencrypt::plugin::dns_linode ( + Optional[String[1]] $package_name = undef, + Optional[String[1]] $api_key = undef, + String[1] $version = '4', + Stdlib::Absolutepath $config_path = "${letsencrypt::config_dir}/dns-linode.ini", + Boolean $manage_package = true, + Integer $propagation_seconds = 10, +) { + include letsencrypt + + if ! $api_key { + fail('No authentication method provided, please specify api_key and version.') + } + + if $manage_package { + if ! $package_name { + fail('No package name provided for certbot dns linode plugin.') + } + + $requirement = if $letsencrypt::configure_epel { + Class['epel'] + } else { + undef + } + + package { $package_name: + ensure => $letsencrypt::package_ensure, + require => $requirement, + } + } + + $ini_vars = { + dns_linode_key => $api_key, + dns_linode_version => $version, + } + + file { $config_path: + ensure => file, + owner => 'root', + group => 0, + mode => '0400', + content => epp('letsencrypt/ini.epp', { + vars => { '' => $ini_vars }, + }), + } +} diff --git a/spec/acceptance/letsencrypt_plugin_dns_linode_spec.rb b/spec/acceptance/letsencrypt_plugin_dns_linode_spec.rb new file mode 100644 index 00000000..79909831 --- /dev/null +++ b/spec/acceptance/letsencrypt_plugin_dns_linode_spec.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'letsencrypt::plugin::dns_linode' do + it_behaves_like 'an idempotent resource' do + let(:manifest) do + <<-PUPPET + include letsencrypt + class { 'letsencrypt::plugin::dns_linode': + api_key => 'dummy-linode-api-key', + } + PUPPET + end + end + + describe file('/etc/letsencrypt/dns-linode.ini') do + it { is_expected.to be_file } + it { is_expected.to be_owned_by 'root' } + it { is_expected.to be_grouped_into 'root' } + it { is_expected.to be_mode 400 } + end +end diff --git a/spec/classes/plugin/dns_linode_spec.rb b/spec/classes/plugin/dns_linode_spec.rb new file mode 100644 index 00000000..8f297d36 --- /dev/null +++ b/spec/classes/plugin/dns_linode_spec.rb @@ -0,0 +1,55 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'letsencrypt::plugin::dns_linode' do + on_supported_os.each do |os, os_facts| + context "on #{os} based operating systems" do + let(:facts) { os_facts } + let(:params) { { 'api_key' => 'dummy-linode-api-token' } } + let(:pre_condition) do + <<-PUPPET + class { 'letsencrypt': + email => 'foo@example.com', + } + PUPPET + end + let(:package_name) do + if %w[Debian RedHat].include?(facts['os']['family']) + 'python3-certbot-dns-linode' + elsif %w[FreeBSD].include?(facts['os']['family']) + 'py311-certbot-dns-linode' + end + end + + context 'with required parameters' do + it do + if package_name.nil? + is_expected.not_to compile + else + is_expected.to compile.with_all_deps + end + end + + describe 'with manage_package => true' do + let(:params) { super().merge(manage_package: true) } + + it do + if package_name.nil? + is_expected.not_to compile + else + is_expected.to contain_class('letsencrypt::plugin::dns_linode').with_package_name(package_name) + is_expected.to contain_package(package_name).with_ensure('installed') + end + end + end + + describe 'with manage_package => false' do + let(:params) { super().merge(manage_package: false, package_name: 'dns-linode-package') } + + it { is_expected.not_to contain_package('dns-linode-package') } + end + end + end + end +end diff --git a/spec/defines/letsencrypt_certonly_spec.rb b/spec/defines/letsencrypt_certonly_spec.rb index 6ded37de..8f348dd4 100644 --- a/spec/defines/letsencrypt_certonly_spec.rb +++ b/spec/defines/letsencrypt_certonly_spec.rb @@ -206,6 +206,27 @@ class { 'letsencrypt::plugin::dns_cloudflare': it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_command "letsencrypt --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a dns-cloudflare --cert-name 'foo.example.com' -d 'foo.example.com' --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dns-cloudflare.ini --dns-cloudflare-propagation-seconds 10" } end + context 'with dns-linode plugin' do + let(:title) { 'foo.example.com' } + let(:params) { { plugin: 'dns-linode', letsencrypt_command: 'letsencrypt' } } + let(:pre_condition) do + <<-PUPPET + class { 'letsencrypt': + email => 'foo@example.com', + config_dir => '/etc/letsencrypt', + } + class { 'letsencrypt::plugin::dns_linode': + package_name => 'irrelevant', + api_key => 'dummy-linode-api-key', + } + PUPPET + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('letsencrypt::plugin::dns_linode') } + it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_command "letsencrypt --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a dns-linode --cert-name 'foo.example.com' -d 'foo.example.com' --dns-linode --dns-linode-credentials /etc/letsencrypt/dns-linode.ini --dns-linode-propagation-seconds 10" } + end + context 'with custom plugin' do let(:title) { 'foo.example.com' } let(:params) { { plugin: 'apache' } } diff --git a/spec/type_aliases/plugin_spec.rb b/spec/type_aliases/plugin_spec.rb index 0891edfe..f5df70b5 100644 --- a/spec/type_aliases/plugin_spec.rb +++ b/spec/type_aliases/plugin_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' describe 'Letsencrypt::Plugin' do - it { is_expected.to allow_values('apache', 'standalone', 'webroot', 'nginx', 'dns-azure', 'dns-route53', 'dns-google', 'dns-cloudflare', 'dns-rfc2136') } + it { is_expected.to allow_values('apache', 'standalone', 'webroot', 'nginx', 'dns-azure', 'dns-route53', 'dns-google', 'dns-cloudflare', 'dns-rfc2136', 'dns-linode') } it { is_expected.not_to allow_value(nil) } it { is_expected.not_to allow_value('foo') } it { is_expected.not_to allow_value('custom') } diff --git a/types/plugin.pp b/types/plugin.pp index 56dffb61..6083293a 100644 --- a/types/plugin.pp +++ b/types/plugin.pp @@ -8,6 +8,7 @@ 'dns-route53', 'dns-google', 'dns-cloudflare', + 'dns-linode', 'dns-rfc2136', 'manual', ] From a85456114e43d87cf51ddebd0d08076e28e303e6 Mon Sep 17 00:00:00 2001 From: Sally Young Date: Fri, 18 Oct 2024 16:38:19 +0100 Subject: [PATCH 2/6] Update manifests/plugin/dns_linode.pp Co-authored-by: Kenyon Ralph --- manifests/plugin/dns_linode.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/plugin/dns_linode.pp b/manifests/plugin/dns_linode.pp index f29ac304..51a6eaa4 100644 --- a/manifests/plugin/dns_linode.pp +++ b/manifests/plugin/dns_linode.pp @@ -55,6 +55,7 @@ mode => '0400', content => epp('letsencrypt/ini.epp', { vars => { '' => $ini_vars }, - }), + }, + ), } } From d49be6c4f044ebc3637fed6759e490a18231be2e Mon Sep 17 00:00:00 2001 From: Sally Young Date: Fri, 18 Oct 2024 16:47:04 +0100 Subject: [PATCH 3/6] Make api_key required and increase propogation seconds to recommended amount --- manifests/plugin/dns_linode.pp | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/manifests/plugin/dns_linode.pp b/manifests/plugin/dns_linode.pp index 51a6eaa4..0f998efb 100644 --- a/manifests/plugin/dns_linode.pp +++ b/manifests/plugin/dns_linode.pp @@ -14,18 +14,14 @@ # class letsencrypt::plugin::dns_linode ( Optional[String[1]] $package_name = undef, - Optional[String[1]] $api_key = undef, - String[1] $version = '4', + String[1] $api_key, + String[1] $version = '4', Stdlib::Absolutepath $config_path = "${letsencrypt::config_dir}/dns-linode.ini", Boolean $manage_package = true, - Integer $propagation_seconds = 10, + Integer $propagation_seconds = 120, ) { include letsencrypt - if ! $api_key { - fail('No authentication method provided, please specify api_key and version.') - } - if $manage_package { if ! $package_name { fail('No package name provided for certbot dns linode plugin.') From 34a7611648580197873574b3cfa295693ac6684b Mon Sep 17 00:00:00 2001 From: Sally Young Date: Fri, 18 Oct 2024 16:48:43 +0100 Subject: [PATCH 4/6] Regenerate docs --- REFERENCE.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 3fd03945..5c3db159 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -438,12 +438,10 @@ Default value: `undef` ##### `api_key` -Data type: `Optional[String[1]]` +Data type: `String[1]` Optional string, linode api key value for authentication. -Default value: `undef` - ##### `version` Data type: `String[1]` @@ -474,7 +472,7 @@ Data type: `Integer` Number of seconds to wait for the DNS server to propagate the DNS-01 challenge. -Default value: `10` +Default value: `120` ### `letsencrypt::plugin::dns_rfc2136` From 2f9b09b738f7fc30a4b740f2b6d4187523373a66 Mon Sep 17 00:00:00 2001 From: Sally Young Date: Fri, 18 Oct 2024 17:00:20 +0100 Subject: [PATCH 5/6] parameter ordering --- manifests/plugin/dns_linode.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/plugin/dns_linode.pp b/manifests/plugin/dns_linode.pp index 0f998efb..250406bd 100644 --- a/manifests/plugin/dns_linode.pp +++ b/manifests/plugin/dns_linode.pp @@ -13,8 +13,8 @@ # @param propagation_seconds Number of seconds to wait for the DNS server to propagate the DNS-01 challenge. # class letsencrypt::plugin::dns_linode ( - Optional[String[1]] $package_name = undef, String[1] $api_key, + Optional[String[1]] $package_name = undef, String[1] $version = '4', Stdlib::Absolutepath $config_path = "${letsencrypt::config_dir}/dns-linode.ini", Boolean $manage_package = true, From 972d01beb4e835818659f9fa45de826a853e4506 Mon Sep 17 00:00:00 2001 From: Sally Young Date: Fri, 18 Oct 2024 17:19:01 +0100 Subject: [PATCH 6/6] propogation seconds --- spec/defines/letsencrypt_certonly_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/defines/letsencrypt_certonly_spec.rb b/spec/defines/letsencrypt_certonly_spec.rb index 8f348dd4..3456b017 100644 --- a/spec/defines/letsencrypt_certonly_spec.rb +++ b/spec/defines/letsencrypt_certonly_spec.rb @@ -224,7 +224,7 @@ class { 'letsencrypt::plugin::dns_linode': it { is_expected.to compile.with_all_deps } it { is_expected.to contain_class('letsencrypt::plugin::dns_linode') } - it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_command "letsencrypt --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a dns-linode --cert-name 'foo.example.com' -d 'foo.example.com' --dns-linode --dns-linode-credentials /etc/letsencrypt/dns-linode.ini --dns-linode-propagation-seconds 10" } + it { is_expected.to contain_exec('letsencrypt certonly foo.example.com').with_command "letsencrypt --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a dns-linode --cert-name 'foo.example.com' -d 'foo.example.com' --dns-linode --dns-linode-credentials /etc/letsencrypt/dns-linode.ini --dns-linode-propagation-seconds 120" } end context 'with custom plugin' do