From 0901595de97b4409f2a83ca4bdda77fe225632ba Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Wed, 22 May 2024 23:05:34 +1000
Subject: [PATCH] feat: puppet::client multiple altnames

- puppet clients can not request multiple dns alt_names
- set puppetdbapi hosts to request multiple certificates
---
 hieradata/common.yaml | 5 +++++
 hieradata/roles/infra/puppetdb/api.yaml | 5 +++++
 site/profiles/manifests/puppet/client.pp | 5 ++++-
 site/profiles/templates/puppet/client/puppet.conf.erb | 2 +-
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 89259fc..66fddb6 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -93,6 +93,9 @@ lookup_options:
 profiles::puppet::server::dns_alt_names:
 merge:
 strategy: deep
+ profiles::puppet::client::dns_alt_names:
+ merge:
+ strategy: deep
 profiles::base::hosts::additional_hosts:
 merge:
 strategy: deep
@@ -199,6 +202,8 @@ profiles::puppet::client::runinterval: 1800
 profiles::puppet::client::runtimeout: 3600
 profiles::puppet::client::show_diff: true
 profiles::puppet::client::usecacheonfailure: false
+profiles::puppet::client::dns_alt_names:
+ - "%{trusted.certname}"
 # puppetdb
 puppetdbapi: prodinf01n04.main.unkin.net
diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml
index ae31065..784200a 100644
--- a/hieradata/roles/infra/puppetdb/api.yaml
+++ b/hieradata/roles/infra/puppetdb/api.yaml
@@ -4,6 +4,11 @@ profiles::puppet::puppetdb_api::java_args:
 '-Xmx': '2048m'
 '-Xms': '256m'
+profiles::puppet::client::dns_alt_names:
+ - puppetdbapi.main.unkin.net
+ - puppetdbapi.service.consul
+ - puppetdbapi.query.consul
+
 # additional altnames
 profiles::pki::vault::alt_names:
 - puppetdbapi.main.unkin.net
diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp
index e0f1dd2..aa3444c 100644
--- a/site/profiles/manifests/puppet/client.pp
+++ b/site/profiles/manifests/puppet/client.pp
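Review bot: The three names added under `profiles::puppet::client::dns_alt_names` in api.yaml make every node in this role request a certificate that is also valid for the shared `puppetdbapi.*` service names, and nothing in the patch records that the CA side has to agree to that. Puppet's CA refuses CSRs carrying subject alternative names unless it is explicitly configured to accept them (Puppet Server's `allow-subject-alt-names` setting, or `--allow-dns-alt-names` on the older signing CLI), so a comment on the key such as `# SANs must be approved on the CA at sign time; keep this role out of autosign` would save the next operator a confused agent run. Note also that `dns_alt_names` only shapes the CSR: a host that already holds a signed certificate keeps it until that cert is revoked and re-requested, so existing puppetdbapi nodes need a reissue for this to take effect. The `lookup_options` deep merge added in common.yaml should union this list with the common-level `%{trusted.certname}` entry, though I have not confirmed whether a deep merge of arrays drops duplicates.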
@@ -4,7 +4,7 @@
 #
 # site/profile/manifests/puppet/client.pp
 class profiles::puppet::client (
- String $dns_alt_names = $trusted['certname'],
+ Array $dns_alt_names = [$trusted['certname']],
 String $server = 'puppetmaster',
 String $ca_server = 'puppetca',
 String $environment = 'develop',
@@ -17,6 +17,9 @@ class profiles::puppet::client (
 # dont manage puppet.conf if this is a puppetmaster
 if $facts['enc_role'] != 'roles::infra::puppet::master' {
+
+ $dns_alt_names_string = join(sort($dns_alt_names), ',')
+
 # Assuming you want to manage puppet.conf with this profile
 file { '/etc/puppetlabs/puppet/puppet.conf':
 ensure => 'present',
diff --git a/site/profiles/templates/puppet/client/puppet.conf.erb b/site/profiles/templates/puppet/client/puppet.conf.erb
index e7a86c6..40874c6 100644
--- a/site/profiles/templates/puppet/client/puppet.conf.erb
+++ b/site/profiles/templates/puppet/client/puppet.conf.erb
@@ -1,5 +1,5 @@
 [main]
-dns_alt_names = <%= @dns_alt_names %>
+dns_alt_names = <%= @dns_alt_names_string %>
 [agent]
 server = <%= @server %>
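Review bot: `join(sort($dns_alt_names), ',')` writes whatever Hiera supplies straight into the `dns_alt_names` line of puppet.conf, and the loosened parameter type `Array` in the first hunk no longer constrains the elements, so a non-string entry fails only at join time and an entry containing a comma or whitespace silently yields extra or malformed names in the CSR. Tightening the parameter to `Array[String[1]] $dns_alt_names = [$trusted['certname']],` catches the first case at catalog compile; a `Pattern[...]` element type restricted to hostname characters would catch the second. If the Hiera deep merge concatenates rather than unions the role and common lists, the same name can appear twice, so `$dns_alt_names_string = join(unique(sort($dns_alt_names)), ',')` is cheaper than relying on the merge semantics. The enclosing `if` block and the template call that consumes `$dns_alt_names_string` continue past the end of the hunk, so I have not verified the variable is in scope where the erb is rendered.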