Merge pull request 'neoloc/pki_generate' (#127) from neoloc/pki_generate into develop

Reviewed-on: unkinben/puppet-prod#127
2024-03-03 13:33:33 +09:30 · 2024-03-03 13:33:33 +09:30 · 5afa9e8960
commit 5afa9e8960
parent 9ea49bc48d 88ba8406b8
7 changed files with 229 additions and 0 deletions
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -12,6 +12,12 @@ lookup_options:
  profiles::packages::remove_exclude:
    merge:
      strategy: deep
+  profiles::pki::vault::alt_names:
+    merge:
+      strategy: deep
+  profiles::pki::vault::ip_sans:
+    merge:
+      strategy: deep

 facts_path: '/opt/puppetlabs/facter/facts.d'

--- a/modules/libs/lib/facter/vault_cert_altnames.rb
+++ b/modules/libs/lib/facter/vault_cert_altnames.rb
@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# lib/facter/vault_cert_altnames.rb
+require 'puppet'
+
+Facter.add('vault_cert_altnames') do
+  setcode do
+    alt_names_file = '/etc/pki/tls/vault/alt_names'
+    if File.exist?(alt_names_file)
+      File.read(alt_names_file).split("\n")
+    else
+      []
+    end
+  end
+end
--- a/modules/libs/lib/facter/vault_cert_expiring.rb
+++ b/modules/libs/lib/facter/vault_cert_expiring.rb
@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# lib/facter/vault_cert_expiring.rb
+require 'puppet'
+
+Facter.add(:vault_cert_expiring) do
+  setcode do
+    require 'openssl'
+    cert_path = '/etc/pki/tls/vault/certificate.crt'
+    if File.exist?(cert_path)
+      # If the certificate file exists, check its expiration
+      cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
+      cert_expiry = cert.not_after
+      days_remaining = (cert_expiry - Time.now).to_i / (24 * 60 * 60)
+      days_remaining < 30
+    else
+      # Report true if the certificate file does not exist
+      true
+    end
+  end
+end
--- a/site/profiles/manifests/base.pp
+++ b/site/profiles/manifests/base.pp
@ -33,6 +33,8 @@ class profiles::base (
  include profiles::accounts::sysadmin
  include profiles::ntp::client
  include profiles::dns::base
+  include profiles::pki::vault
+  include profiles::pki::vaultca
  include profiles::cloudinit::init
  include profiles::metrics::default
  include profiles::helpers::node_lookup
--- a/site/profiles/manifests/pki/vault.pp
+++ b/site/profiles/manifests/pki/vault.pp
@ -0,0 +1,106 @@
+# profiles::pki::vault
+class profiles::pki::vault (
+  Optional[Array[Stdlib::Host]] $alt_names = [],
+  Optional[Array[Stdlib::IP::Address]] $ip_sans = [],
+){
+
+  # validate and prepare additional alt_names, if any
+  $default_alt_names = [$::facts['networking']['hostname'], $::facts['networking']['fqdn']]
+  $effective_alt_names = $alt_names ? {
+    []      => $default_alt_names,
+    default => concat($default_alt_names, $alt_names),
+  }
+
+  # validate and prepare additional ip_sans, if any
+  $default_ip_sans = ['127.0.0.1', $::facts['networking']['ip']]
+  $effective_ip_sans = $ip_sans ? {
+    []      => $default_ip_sans,
+    default => concat($default_ip_sans, $ip_sans),
+  }
+
+  # path for the alt names file
+  $base_path = '/etc/pki/tls/vault'
+  $alt_names_file = "${base_path}/alt_names"
+
+  # ensure the base directory exists
+  file { $base_path:
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  # alt_names_file contents
+  $alt_names_content = concat($effective_alt_names, $effective_ip_sans)
+
+  # manage the alt names file
+  file { $alt_names_file:
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => join($alt_names_content, "\n"),
+  }
+
+  # compare the sorted arrays of altnames from disk (fact) vs what is intended (this run)
+  $alt_names_match = sort($::facts['vault_cert_altnames']) == sort($alt_names_content)
+
+  # only renew certificate if its expiring or the alt names have changed
+  if $::facts['vault_cert_expiring'] or ! $alt_names_match {
+
+    # certificate variables
+    $common_name = $::facts['networking']['fqdn']
+    $valid_days  = 90
+
+    # prepare alt_names and ip_sans arguments conditionally
+    $alt_names_string = $effective_alt_names.empty() ? {
+      true    => '',
+      default => join($effective_alt_names, ','),
+    }
+    $ip_sans_string = $effective_ip_sans.empty() ? {
+      true    => '',
+      default => join($effective_ip_sans, ','),
+    }
+
+    # certmanager arguments
+    $cmd = '/usr/local/bin/certmanager'
+    $alt_names_arg = '--alt-names'
+    $ip_sans_arg = '--ip-sans'
+    $expiry_days_arg = '--expiry-days'
+
+    # call the script with generate(), capturing json output
+    $json_output = generate(
+      $cmd,
+      $common_name,
+      $alt_names_arg,
+      $alt_names_string,
+      $ip_sans_arg,
+      $ip_sans_string,
+      $expiry_days_arg,
+      $valid_days,
+      '--json'
+    )
+    $cert_data = parsejson($json_output)
+
+    # manage certificate file resources based on script output
+    $certificate_files = {
+      "${base_path}/certificate.crt"    => $cert_data['certificate'],
+      "${base_path}/private.key"        => $cert_data['private_key'],
+      "${base_path}/full_chain.crt"     => $cert_data['full_chain'],
+      "${base_path}/ca_certificate.crt" => $cert_data['ca_certificate'],
+      "${base_path}/certificate.pem"    => "${cert_data['certificate']}\n${cert_data['private_key']}",
+    }
+
+    # manage each file resources
+    $certificate_files.each |$file_path, $content| {
+      file { $file_path:
+        ensure  => file,
+        content => $content,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0644',
+        require => File[$base_path],
+      }
+    }
+  }
+}
--- a/site/profiles/manifests/pki/vaultca.pp
+++ b/site/profiles/manifests/pki/vaultca.pp
@ -0,0 +1,37 @@
+# ensure the ca certificate for vault is installed everywhere
+class profiles::pki::vaultca {
+  $root_cacert = 'vaultcaroot.pem'
+
+  # Define the target path based on the operating system
+  case $facts['os']['family'] {
+    'RedHat': {
+      $ca_cert_target_path = "/etc/pki/ca-trust/source/anchors/${root_cacert}"
+      $update_ca_cert_command = 'update-ca-trust extract'
+    }
+    'Debian': {
+      $ca_cert_target_path = "/usr/local/share/ca-certificates/${root_cacert}"
+      $update_ca_cert_command = 'update-ca-certificates'
+    }
+    default: {
+      fail("Unsupported operating system: ${facts['os']['family']}")
+    }
+  }
+
+  # Ensure the CA certificate is present and contains the content from the template
+  file { $ca_cert_target_path:
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('profiles/pki/vaultcaroot.pem.erb'),
+    notify  => Exec['update_ca_trust_store'],
+  }
+
+  # Execute the system command to update the CA trust store
+  exec { 'update_ca_trust_store':
+    command     => $update_ca_cert_command,
+    path        => ['/bin', '/usr/bin'],
+    refreshonly => true,
+    require     => File[$ca_cert_target_path],
+  }
+}
--- a/site/profiles/templates/pki/vaultcaroot.pem.erb
+++ b/site/profiles/templates/pki/vaultcaroot.pem.erb
@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUAyjDayxDtmvXzttcT1jUg9KU08swDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDI0NloXDTI5MDIy
+MzExMDMxNlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo
+b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCft5vNuV0S+WPN
+qIm8N09yQcWUjK7S5LeWqFi2sYvxB3PZIsbGF4oB5QQKbHOvwSp+/70gQ0HeyBpq
+yS3bVJK/OYMQXbYj+wpS8FXd1WeD5XphAEPV/vfWixQWOHLm4A+yjVbyFiaD4Z8e
+0/cvi48WPp3uzyVFW12U/XRZ/eHF4psJ1tsNt8e1JcAsAmRXUr1R0JgKNDBJsu2Q
+2EPa6MqRpJVKfI4cvOYM3XyXN5pCogAJaleg+TMdZ3wCQljTBpojzX947Ky1Yosa
+GtZ2tNes8cpq3mzHqH8fms89H1JBPttOCVJXwK1sEdwkXYh6aktUDGkjppvaG013
+eSx/LDFvAgMBAAGjgd4wgdswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFEMfNj+VqQQF2XHJm1qK0RhCZxnRMB8GA1UdIwQYMBaAFCqI
+QnrNBzDWmM1YryAlmIbAnwLPMEAGCCsGAQUFBwEBBDQwMjAwBggrBgEFBQcwAoYk
+aHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraV9yb290L2NhMDYGA1UdHwQvMC0w
+K6ApoCeGJWh0dHA6Ly8xMjcuMC4wLjE6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJ
+KoZIhvcNAQELBQADggEBALMGlMJ7twlrBkBJLBgDmF7+Q5rpiHz9zBhLU8fh0HiR
+dhqe3yJcO87o3CrCiQXqtWHGy4Ogl2QvastKKhFBIcwp8BBXxzp68HG+SIJAzWau
+val0pncs/2V3TIk1iOXLY7YXDm6x4ND+iUz5rmILs/0q82S3iAbro4IckinfmGjI
+7En8eg7VRv8z2FL51+giov5zqH7NT3TjvYZzf20EKHmOlyZhAboktNxVpoj4cAGl
+iUW3GFSva8F6VS49I9pejBFJUQeIILz5jeTEdzG643DnujjjNqw8ad3ivakBYD1G
+YxGhYmLfh5RmESCeAgBbLQgRa1vNz1YYWhjn4OP0KKs=
+-----END CERTIFICATE-----
+,-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUeXJ+O/IJWu4Fl4+KdZl5r166SokwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDIyNTExMDEwNVoXDTM0MDIy
+MjExMDEzNFowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAzKFwXIKAkavv5RgGUEzGQIgys1Uw97RBp4aE7glT++hs
+60WSwKBRr+sk7zdL3LGMK/xClTIBt3eFJ2RMxEf/N/qLPoA1JqOzsHua1nXCR1sA
+puP5HVfrS6YvfsXGpqJywX7tfaqk+7+Mq4Bbp22+JXmgBpfcQhCy9CNRd8gaLM67
+LaznQEcmeurdqvqeUxSMUsymeLLSi2+Fx+M9bPiYYXvK3Hu7k7VVsDPamglBsZaG
+QC7Up7ZD1h+UaweK/lC5v8HkW6xZ8OWZBEm0F6XFRIRRbroFTZXniAUu60FpoCCD
+Ga9AfUrAAIWFQjd0iJ2fgzbX1qeLozKn1T/oMAiKhQIDAQABo3kwdzAOBgNVHQ8B
+Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUKohCes0HMNaYzViv
+ICWYhsCfAs8wHwYDVR0jBBgwFoAUKohCes0HMNaYzVivICWYhsCfAs8wFAYDVR0R
+BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQCBVjvJIAp3AtEhRO/V
+wYtF/t6ntSKs8limCGnHHvJDvUJGkIP5ihCDQYviNyYIf7CrtRUmYzzOmwA4OEjq
+cwxrdRynqkUz8jeRL2Ljc1kEs5A4rY2X8EtoUaCu4p55wm7Bh/m2lYASHHMpuza8
+CR2DtlSQR8/x9gFKzAZO6rOw89qqU34p/cf7DlymDACjJr0QmhLa5IQMSj8ObsbT
+c9sb9NXMFTsFkuCrkF5iLmeDZgmgyJNXkzFEh3TPeL15jKBXSJOHsBe8j3E3VMWS
+YOL0pDU1XzfJedKGzX3LxvK6aUuBbtgaf/PW3IYX3KToolqfB30H2AO6Q/3LBl8M
+aN8H
+-----END CERTIFICATE-----