feat: ensure vaultca certificate is trusted
- install the Vault root CA on all nodes - update the CA trust store whenever the deployed root CA certificate changes
@@ -34,6 +34,7 @@ class profiles::base (
|
||||
include profiles::ntp::client
|
||||
include profiles::dns::base
|
||||
include profiles::pki::vault
|
||||
include profiles::pki::vaultca
|
||||
include profiles::cloudinit::init
|
||||
include profiles::metrics::default
|
||||
include profiles::helpers::node_lookup
|
||||
|
||||
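Review bot: The new include (presumably `include profiles::pki::vaultca`, the single line this hunk adds) establishes no ordering against `profiles::pki::vault`, and under Puppet's default manifest ordering the vault profile is evaluated first; if anything in that profile contacts Vault over TLS during the same run, the root CA may not yet be in the trust store on a freshly provisioned node. If that dependency exists, declare it explicitly, e.g. `Class['profiles::pki::vaultca'] -> Class['profiles::pki::vault']`, rather than relying on include order. The enclosing class `profiles::base` begins before this hunk and its parameter list is not visible here.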
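--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,37 @@
+# ensure the ca certificate for vault is installed everywhere
+class profiles::pki::vaultca {
+$root_cacert = 'vaultcaroot.pem'
+
+# Define the target path based on the operating system
+case $facts['os']['family'] {
+'RedHat': {
+$ca_cert_target_path = "/etc/pki/ca-trust/source/anchors/${root_cacert}"
+$update_ca_cert_command = 'update-ca-trust extract'
+}
+'Debian': {
+$ca_cert_target_path = "/usr/local/share/ca-certificates/${root_cacert}"
+$update_ca_cert_command = 'update-ca-certificates'
+}
+default: {
+fail("Unsupported operating system: ${facts['os']['family']}")
+}
+}
+
+# Ensure the CA certificate is present and contains the content from the template
+file { $ca_cert_target_path:
+ensure => file,
+owner => 'root',
+group => 'root',
+mode => '0644',
+content => template('profiles/pki/vaultcaroot.pem.erb'),
+notify => Exec['update_ca_trust_store'],
+}
+
+# Execute the system command to update the CA trust store
+exec { 'update_ca_trust_store':
+command => $update_ca_cert_command,
+path => ['/bin', '/usr/bin'],
+refreshonly => true,
+require => File[$ca_cert_target_path],
+}
+}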
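Review bot: On the Debian branch the certificate is written as `vaultcaroot.pem`, but `update-ca-certificates` only picks up files under `/usr/local/share/ca-certificates` whose name ends in `.crt`, so on Debian-family hosts the root CA is written to disk but never enters the trust store and the commit's stated goal is silently missed. The exec's `path => ['/bin', '/usr/bin']` also omits `/usr/sbin`, where Debian installs `update-ca-certificates`, so the refresh would fail as "command not found" even once the file name is fixed. Change the Debian target to `$ca_cert_target_path = "/usr/local/share/ca-certificates/vaultcaroot.crt"` (or derive it from `$root_cacert` with the extension swapped) and widen the search path to `path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],`. Because this certificate becomes trusted system-wide, it is also worth confirming that `profiles/pki/vaultcaroot.pem.erb` carries only the intended root certificate, though that template is outside this hunk.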