feat: ensure vaultca certificate is trusted
- install the Vault root CA on all nodes - update the CA trust store when the deployed root CA certificate changes
This commit is contained in:
parent
8009b59514
commit
05d2599bc5
@ -34,6 +34,7 @@ class profiles::base (
|
|||||||
include profiles::ntp::client
|
include profiles::ntp::client
|
||||||
include profiles::dns::base
|
include profiles::dns::base
|
||||||
include profiles::pki::vault
|
include profiles::pki::vault
|
||||||
|
include profiles::pki::vaultca
|
||||||
include profiles::cloudinit::init
|
include profiles::cloudinit::init
|
||||||
include profiles::metrics::default
|
include profiles::metrics::default
|
||||||
include profiles::helpers::node_lookup
|
include profiles::helpers::node_lookup
|
||||||
|
|||||||
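--- /dev/null
+++ b/site/profiles/manifests/pki/vaultca.pp
@@ -0,0 +1,37 @@
+# ensure the ca certificate for vault is installed everywhere
+class profiles::pki::vaultca {
+$root_cacert = 'vaultcaroot.pem'
+
+# Define the target path based on the operating system
+case $facts['os']['family'] {
+'RedHat': {
+$ca_cert_target_path = "/etc/pki/ca-trust/source/anchors/${root_cacert}"
+$update_ca_cert_command = 'update-ca-trust extract'
+}
+'Debian': {
+$ca_cert_target_path = "/usr/local/share/ca-certificates/${root_cacert}"
+$update_ca_cert_command = 'update-ca-certificates'
+}
+default: {
+fail("Unsupported operating system: ${facts['os']['family']}")
+}
+}
+
+# Ensure the CA certificate is present and contains the content from the template
+file { $ca_cert_target_path:
+ensure => file,
+owner => 'root',
+group => 'root',
+mode => '0644',
+content => template('profiles/pki/vaultcaroot.pem.erb'),
+notify => Exec['update_ca_trust_store'],
+}
+
+# Execute the system command to update the CA trust store
+exec { 'update_ca_trust_store':
+command => $update_ca_cert_command,
+path => ['/bin', '/usr/bin'],
+refreshonly => true,
+require => File[$ca_cert_target_path],
+}
+}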
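Review bot: On the Debian branch the certificate is written to `/usr/local/share/ca-certificates/vaultcaroot.pem`, but update-ca-certificates only imports files carrying a `.crt` extension, so the file converges yet the CA is never added to the trust store; the exec that follows cannot run it either, because Debian installs update-ca-certificates under `/usr/sbin`, which is not in `path => ['/bin', '/usr/bin']`, so the refresh fails at run time rather than at catalog compile. The RedHat branch is unaffected (update-ca-trust lives in /usr/bin and anchors/ accepts any PEM filename). Change the Debian branch to `$ca_cert_target_path = "/usr/local/share/ca-certificates/vaultcaroot.crt"` (or select the filename per OS family alongside the command) and widen the exec to `path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],`. Minor: `require => File[$ca_cert_target_path]` on the exec is redundant, since the file resource's `notify` already orders the exec after it.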
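--- /dev/null
+++ b/site/profiles/templates/pki/vaultcaroot.pem.erb
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUAyjDayxDtmvXzttcT1jUg9KU08swDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDI0NloXDTI5MDIy
+MzExMDMxNlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo
+b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCft5vNuV0S+WPN
+qIm8N09yQcWUjK7S5LeWqFi2sYvxB3PZIsbGF4oB5QQKbHOvwSp+/70gQ0HeyBpq
+yS3bVJK/OYMQXbYj+wpS8FXd1WeD5XphAEPV/vfWixQWOHLm4A+yjVbyFiaD4Z8e
+0/cvi48WPp3uzyVFW12U/XRZ/eHF4psJ1tsNt8e1JcAsAmRXUr1R0JgKNDBJsu2Q
+2EPa6MqRpJVKfI4cvOYM3XyXN5pCogAJaleg+TMdZ3wCQljTBpojzX947Ky1Yosa
+GtZ2tNes8cpq3mzHqH8fms89H1JBPttOCVJXwK1sEdwkXYh6aktUDGkjppvaG013
+eSx/LDFvAgMBAAGjgd4wgdswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFEMfNj+VqQQF2XHJm1qK0RhCZxnRMB8GA1UdIwQYMBaAFCqI
+QnrNBzDWmM1YryAlmIbAnwLPMEAGCCsGAQUFBwEBBDQwMjAwBggrBgEFBQcwAoYk
+aHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraV9yb290L2NhMDYGA1UdHwQvMC0w
+K6ApoCeGJWh0dHA6Ly8xMjcuMC4wLjE6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJ
+KoZIhvcNAQELBQADggEBALMGlMJ7twlrBkBJLBgDmF7+Q5rpiHz9zBhLU8fh0HiR
+dhqe3yJcO87o3CrCiQXqtWHGy4Ogl2QvastKKhFBIcwp8BBXxzp68HG+SIJAzWau
+val0pncs/2V3TIk1iOXLY7YXDm6x4ND+iUz5rmILs/0q82S3iAbro4IckinfmGjI
+7En8eg7VRv8z2FL51+giov5zqH7NT3TjvYZzf20EKHmOlyZhAboktNxVpoj4cAGl
+iUW3GFSva8F6VS49I9pejBFJUQeIILz5jeTEdzG643DnujjjNqw8ad3ivakBYD1G
+YxGhYmLfh5RmESCeAgBbLQgRa1vNz1YYWhjn4OP0KKs=
+-----END CERTIFICATE-----
+,-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUeXJ+O/IJWu4Fl4+KdZl5r166SokwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDEwNVoXDTM0MDIy
+MjExMDEzNFowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAzKFwXIKAkavv5RgGUEzGQIgys1Uw97RBp4aE7glT++hs
+60WSwKBRr+sk7zdL3LGMK/xClTIBt3eFJ2RMxEf/N/qLPoA1JqOzsHua1nXCR1sA
+puP5HVfrS6YvfsXGpqJywX7tfaqk+7+Mq4Bbp22+JXmgBpfcQhCy9CNRd8gaLM67
+LaznQEcmeurdqvqeUxSMUsymeLLSi2+Fx+M9bPiYYXvK3Hu7k7VVsDPamglBsZaG
+QC7Up7ZD1h+UaweK/lC5v8HkW6xZ8OWZBEm0F6XFRIRRbroFTZXniAUu60FpoCCD
+Ga9AfUrAAIWFQjd0iJ2fgzbX1qeLozKn1T/oMAiKhQIDAQABo3kwdzAOBgNVHQ8B
+Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUKohCes0HMNaYzViv
+ICWYhsCfAs8wHwYDVR0jBBgwFoAUKohCes0HMNaYzVivICWYhsCfAs8wFAYDVR0R
+BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQCBVjvJIAp3AtEhRO/V
+wYtF/t6ntSKs8limCGnHHvJDvUJGkIP5ihCDQYviNyYIf7CrtRUmYzzOmwA4OEjq
+cwxrdRynqkUz8jeRL2Ljc1kEs5A4rY2X8EtoUaCu4p55wm7Bh/m2lYASHHMpuza8
+CR2DtlSQR8/x9gFKzAZO6rOw89qqU34p/cf7DlymDACjJr0QmhLa5IQMSj8ObsbT
+c9sb9NXMFTsFkuCrkF5iLmeDZgmgyJNXkzFEh3TPeL15jKBXSJOHsBe8j3E3VMWS
+YOL0pDU1XzfJedKGzX3LxvK6aUuBbtgaf/PW3IYX3KToolqfB30H2AO6Q/3LBl8M
+aN8H
+-----END CERTIFICATE-----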
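Review bot: The second block starts with `,-----BEGIN CERTIFICATE-----`; unless the comma is a rendering artifact, that is not a valid PEM boundary, and PEM readers will either stop after the first block or reject the file, so the second certificate is never installed. Drop the comma so the line reads `-----BEGIN CERTIFICATE-----`. Decoding the subject strings in the base64 suggests the first block is an `unkin.net Intermediate Authority` certificate and the second the self-signed `unkin.net` root (its authority and subject key identifiers appear to match); if the file is meant to carry only the root, as the name vaultcaroot implies, the intermediate should be left out rather than installed as a trust anchor, and its AIA/CRL URLs appear to point at 127.0.0.1:8200, which is unreachable from other nodes. The file contains no ERB tags, so a static `.pem` served via `content => file('profiles/pki/vaultcaroot.pem')` would avoid needless template evaluation.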