feat: enable terraform access to puppetca (#267)

- enable terraform to clean certificates

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
Ben Vincent 2025-04-28 18:46:58 +10:00
parent 9359b8902e
commit 07b89ab737
2 changed files with 275 additions and 0 deletions


@ -65,6 +65,15 @@ class profiles::puppet::server (
notify => Service['puppetserver'],
}
file { '/etc/puppetlabs/puppetserver/conf.d/auth.conf':
ensure => 'file',
content => template('profiles/puppet/server/auth.conf.erb'),
group => 'root',
owner => 'root',
mode => '0644',
notify => Service['puppetserver'],
}
service { 'puppetserver':
ensure => running,
enable => true,


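--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/auth.conf.erb
@@ -0,0 +1,266 @@
+authorization: {
+version: 1
+rules: [
+{
+# Allow nodes to retrieve their own catalog
+match-request: {
+path: "^/puppet/v3/catalog/([^/]+)$"
+type: regex
+method: [get, post]
+}
+allow: "$1"
+sort-order: 500
+name: "puppetlabs v3 catalog from agents"
+},
+{
+# Allow services to retrieve catalogs on behalf of others
+match-request: {
+path: "^/puppet/v4/catalog/?$"
+type: regex
+method: post
+}
+deny: "*"
+sort-order: 500
+name: "puppetlabs v4 catalog for services"
+},
+{
+# Allow nodes to retrieve the certificate they requested earlier
+match-request: {
+path: "/puppet-ca/v1/certificate/"
+type: path
+method: get
+}
+allow-unauthenticated: true
+sort-order: 500
+name: "puppetlabs certificate"
+},
+{
+# Allow all nodes to access the certificate revocation list
+match-request: {
+path: "/puppet-ca/v1/certificate_revocation_list/ca"
+type: path
+method: get
+}
+allow-unauthenticated: true
+sort-order: 500
+name: "puppetlabs crl"
+},
+{
+# Allow nodes to request a new certificate
+match-request: {
+path: "/puppet-ca/v1/certificate_request"
+type: path
+method: [get, put]
+}
+allow-unauthenticated: true
+sort-order: 500
+name: "puppetlabs csr"
+},
+{
+# Allow the CA CLI to access the certificate_status endpoint
+match-request: {
+path: "/puppet-ca/v1/certificate_status"
+type: path
+method: [get, put, delete]
+}
+allow: [
+{
+extensions: {
+pp_cli_auth: "true"
+}
+},
+terraform
+]
+sort-order: 500
+name: "puppetlabs cert status"
+},
+{
+match-request: {
+path: "^/puppet-ca/v1/certificate_revocation_list$"
+type: regex
+method: put
+}
+allow: {
+extensions: {
+pp_cli_auth: "true"
+}
+}
+sort-order: 500
+name: "puppetlabs CRL update"
+},
+{
+# Allow the CA CLI to access the certificate_statuses endpoint
+match-request: {
+path: "/puppet-ca/v1/certificate_statuses"
+type: path
+method: get
+}
+allow: {
+extensions: {
+pp_cli_auth: "true"
+}
+}
+sort-order: 500
+name: "puppetlabs cert statuses"
+},
+{
+# Allow authenticated access to the CA expirations endpoint
+match-request: {
+path: "/puppet-ca/v1/expirations"
+type: path
+method: get
+}
+allow: "*"
+sort-order: 500
+name: "puppetlabs CA cert and CRL expirations"
+},
+{
+# Allow the CA CLI to access the certificate clean endpoint
+match-request: {
+path: "/puppet-ca/v1/clean"
+type: path
+method: put
+}
+allow: {
+extensions: {
+pp_cli_auth: "true"
+}
+}
+sort-order: 500
+name: "puppetlabs cert clean"
+},
+{
+# Allow unauthenticated access to the status service endpoint
+match-request: {
+path: "/status/v1/services"
+type: path
+method: get
+}
+allow-unauthenticated: true
+sort-order: 500
+name: "puppetlabs status service - full"
+},
+{
+match-request: {
+path: "/status/v1/simple"
+type: path
+method: get
+}
+allow-unauthenticated: true
+sort-order: 500
+name: "puppetlabs status service - simple"
+},
+{
+match-request: {
+path: "/puppet/v3/environments"
+type: path
+method: get
+}
+allow: "*"
+sort-order: 500
+name: "puppetlabs environments"
+},
+{
+# Allow nodes to access all file_bucket_files. Note that access for
+# the 'delete' method is forbidden by Puppet regardless of the
+# configuration of this rule.
+match-request: {
+path: "/puppet/v3/file_bucket_file"
+type: path
+method: [get, head, post, put]
+}
+allow: "*"
+sort-order: 500
+name: "puppetlabs file bucket file"
+},
+{
+# Allow nodes to access all file_content. Note that access for the
+# 'delete' method is forbidden by Puppet regardless of the
+# configuration of this rule.
+match-request: {
+path: "/puppet/v3/file_content"
+type: path
+method: [get, post]
+}
+allow: "*"
+sort-order: 500
+name: "puppetlabs file content"
+},
+{
+# Allow nodes to access all file_metadata. Note that access for the
+# 'delete' method is forbidden by Puppet regardless of the
+# configuration of this rule.
+match-request: {
+path: "/puppet/v3/file_metadata"
+type: path
+method: [get, post]
+}
+allow: "*"
+sort-order: 500
+name: "puppetlabs file metadata"
+},
+{
+# Allow nodes to retrieve only their own node definition
+match-request: {
+path: "^/puppet/v3/node/([^/]+)$"
+type: regex
+method: get
+}
+allow: "$1"
+sort-order: 500
+name: "puppetlabs node"
+},
+{
+# Allow nodes to store only their own reports
+match-request: {
+path: "^/puppet/v3/report/([^/]+)$"
+type: regex
+method: put
+}
+allow: "$1"
+sort-order: 500
+name: "puppetlabs report"
+},
+{
+# Allow nodes to update their own facts
+match-request: {
+path: "^/puppet/v3/facts/([^/]+)$"
+type: regex
+method: put
+}
+allow: "$1"
+sort-order: 500
+name: "puppetlabs facts"
+},
+{
+match-request: {
+path: "/puppet/v3/static_file_content"
+type: path
+method: get
+}
+allow: "*"
+sort-order: 500
+name: "puppetlabs static file content"
+},
+{
+match-request: {
+path: "/puppet/v3/tasks"
+type: path
+}
+allow: "*"
+sort-order: 500
+name: "puppet tasks information"
+},
+{
+# Deny everything else. This ACL is not strictly
+# necessary, but illustrates the default policy
+match-request: {
+path: "/"
+type: path
+}
+deny: "*"
+sort-order: 999
+name: "puppetlabs deny all"
+}
+]
+}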
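Review bot: Adding the bare certname `terraform` to the `allow` list of the "puppetlabs cert status" rule grants that client every method the rule matches, including `put`, which on the certificate_status endpoint changes a certificate's desired state (signing or revoking); the commit says terraform only needs to clean certificates, so `get` and `delete` are all that principal requires. Sharing one rule between the CLI (`pp_cli_auth`) and the terraform client also means any method later added for the CLI flows to terraform without review. A separate rule for the terraform certname scoped to `[get, delete]` keeps the least-privilege boundary explicit, and quoting the certname (`"terraform"`) matches how every other scalar in this file is written. The `/puppet-ca/v1/clean` rule further down still allows only `pp_cli_auth`, so if the tooling calls that endpoint rather than `DELETE certificate_status`, terraform would still be denied there — worth confirming which call it makes.
```hocon
    {
      # Allow the CA CLI to access the certificate_status endpoint
      match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, put, delete]
      }
      allow: {
        extensions: {
          pp_cli_auth: "true"
        }
      }
      sort-order: 500
      name: "puppetlabs cert status"
    },
    {
      # Allow the terraform client to inspect and clean certificates only
      match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, delete]
      }
      allow: "terraform"
      sort-order: 500
      name: "terraform cert status"
    },
    # … unchanged: remaining rules …
```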