feat: ensure vaultca certificate is trusted

- install the vault rootca on all nodes
- update the CA trust store whenever the deployed root CA certificate changes
2024-03-03 14:07:23 +11:00
parent 8009b59514
commit 05d2599bc5
3 changed files with 80 additions and 0 deletions
+1
@@ -34,6 +34,7 @@ class profiles::base (
include profiles::ntp::client
include profiles::dns::base
include profiles::pki::vault
include profiles::pki::vaultca
include profiles::cloudinit::init
include profiles::metrics::default
include profiles::helpers::node_lookup
+37
@@ -0,0 +1,37 @@
# ensure the ca certificate for vault is installed everywhere
class profiles::pki::vaultca {
$root_cacert = 'vaultcaroot.pem'
# Define the target path based on the operating system
case $facts['os']['family'] {
'RedHat': {
$ca_cert_target_path = "/etc/pki/ca-trust/source/anchors/${root_cacert}"
$update_ca_cert_command = 'update-ca-trust extract'
}
'Debian': {
$ca_cert_target_path = "/usr/local/share/ca-certificates/${root_cacert}"
$update_ca_cert_command = 'update-ca-certificates'
}
default: {
fail("Unsupported operating system: ${facts['os']['family']}")
}
}
# Ensure the CA certificate is present and contains the content from the template
file { $ca_cert_target_path:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template('profiles/pki/vaultcaroot.pem.erb'),
notify => Exec['update_ca_trust_store'],
}
# Execute the system command to update the CA trust store
exec { 'update_ca_trust_store':
command => $update_ca_cert_command,
path => ['/bin', '/usr/bin'],
refreshonly => true,
require => File[$ca_cert_target_path],
}
}
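Review bot: The Debian branch does not work as written: `update-ca-certificates` only picks up files under /usr/local/share/ca-certificates whose name ends in `.crt`, so the `vaultcaroot.pem` written by the `file` resource is silently ignored, and the binary itself lives in /usr/sbin, which the exec's `path` (`/bin`, `/usr/bin`) does not include, so the refresh fails with a command-not-found. Change the Debian target to `$ca_cert_target_path = '/usr/local/share/ca-certificates/vaultcaroot.crt'` and widen the exec to `path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],`; the RedHat anchors directory appears to accept any file name, so that branch can keep `${root_cacert}`. Because the rendered template becomes a system-wide trust anchor on every node, a comment above the `file` resource such as `# Whatever this template renders is trusted system-wide; review changes to it as carefully as a key rotation` would make the blast radius explicit to the next editor.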