feat: automatically generate vault certs
- certificate will be generated for: - fqdn - hostname - primary ip address - localhost - 127.0.0.1 - update base profile to generate vault certificate for all - create facts for use with vault_certs
This commit is contained in:
@@ -33,6 +33,7 @@ class profiles::base (
|
||||
include profiles::accounts::sysadmin
|
||||
include profiles::ntp::client
|
||||
include profiles::dns::base
|
||||
include profiles::pki::vault
|
||||
include profiles::cloudinit::init
|
||||
include profiles::metrics::default
|
||||
include profiles::helpers::node_lookup
|
||||
|
||||
@@ -0,0 +1,106 @@
|
||||
# profiles::pki::vault
|
||||
class profiles::pki::vault (
|
||||
Optional[Array[Stdlib::Host]] $alt_names = [],
|
||||
Optional[Array[Stdlib::IP::Address]] $ip_sans = [],
|
||||
){
|
||||
|
||||
# validate and prepare additional alt_names, if any
|
||||
$default_alt_names = [$::facts['networking']['hostname'], $::facts['networking']['fqdn']]
|
||||
$effective_alt_names = $alt_names ? {
|
||||
[] => $default_alt_names,
|
||||
default => concat($default_alt_names, $alt_names),
|
||||
}
|
||||
|
||||
# validate and prepare additional ip_sans, if any
|
||||
$default_ip_sans = ['127.0.0.1', $::facts['networking']['ip']]
|
||||
$effective_ip_sans = $ip_sans ? {
|
||||
[] => $default_ip_sans,
|
||||
default => concat($default_ip_sans, $ip_sans),
|
||||
}
|
||||
|
||||
# path for the alt names file
|
||||
$base_path = '/etc/pki/tls/vault'
|
||||
$alt_names_file = "${base_path}/alt_names"
|
||||
|
||||
# ensure the base directory exists
|
||||
file { $base_path:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
# alt_names_file contents
|
||||
$alt_names_content = concat($effective_alt_names, $effective_ip_sans)
|
||||
|
||||
# manage the alt names file
|
||||
file { $alt_names_file:
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => join($alt_names_content, "\n"),
|
||||
}
|
||||
|
||||
# compare the sorted arrays of altnames from disk (fact) vs what is intended (this run)
|
||||
$alt_names_match = sort($::facts['vault_cert_altnames']) == sort($alt_names_content)
|
||||
|
||||
# only renew certificate if its expiring or the alt names have changed
|
||||
if $::facts['vault_cert_expiring'] or ! $alt_names_match {
|
||||
|
||||
# certificate variables
|
||||
$common_name = $::facts['networking']['fqdn']
|
||||
$valid_days = 90
|
||||
|
||||
# prepare alt_names and ip_sans arguments conditionally
|
||||
$alt_names_string = $effective_alt_names.empty() ? {
|
||||
true => '',
|
||||
default => join($effective_alt_names, ','),
|
||||
}
|
||||
$ip_sans_string = $effective_ip_sans.empty() ? {
|
||||
true => '',
|
||||
default => join($effective_ip_sans, ','),
|
||||
}
|
||||
|
||||
# certmanager arguments
|
||||
$cmd = '/usr/local/bin/certmanager'
|
||||
$alt_names_arg = '--alt-names'
|
||||
$ip_sans_arg = '--ip-sans'
|
||||
$expiry_days_arg = '--expiry-days'
|
||||
|
||||
# call the script with generate(), capturing json output
|
||||
$json_output = generate(
|
||||
$cmd,
|
||||
$common_name,
|
||||
$alt_names_arg,
|
||||
$alt_names_string,
|
||||
$ip_sans_arg,
|
||||
$ip_sans_string,
|
||||
$expiry_days_arg,
|
||||
$valid_days,
|
||||
'--json'
|
||||
)
|
||||
$cert_data = parsejson($json_output)
|
||||
|
||||
# manage certificate file resources based on script output
|
||||
$certificate_files = {
|
||||
"${base_path}/certificate.crt" => $cert_data['certificate'],
|
||||
"${base_path}/private.key" => $cert_data['private_key'],
|
||||
"${base_path}/full_chain.crt" => $cert_data['full_chain'],
|
||||
"${base_path}/ca_certificate.crt" => $cert_data['ca_certificate'],
|
||||
"${base_path}/certificate.pem" => "${cert_data['certificate']}\n${cert_data['private_key']}",
|
||||
}
|
||||
|
||||
# manage each file resources
|
||||
$certificate_files.each |$file_path, $content| {
|
||||
file { $file_path:
|
||||
ensure => file,
|
||||
content => $content,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
require => File[$base_path],
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user