From 5b4a17b77afa202c6d58c0ccf40a995d76c83c85 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 26 Aug 2023 00:48:22 +1000
Subject: [PATCH] Changed to a simple autosign method

---
 hieradata/common.yaml | 3 +
 site/profiles/manifests/puppet/autosign.pp | 71 ++++++++-----------
 .../profiles/manifests/puppet/puppetmaster.pp | 2 +-
 .../puppet/autosign/autosign.conf.erb | 6 ++
 4 files changed, 40 insertions(+), 42 deletions(-)
 create mode 100644 site/profiles/templates/puppet/autosign/autosign.conf.erb

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 67fb423..fbdb03a 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -24,5 +24,8 @@ profiles::base::packages::common:
 profiles::puppet::autosign::subnet_ranges:
 - '198.18.17.0/24'
+profiles::puppet::autosign::domains:
+ - '*.main.unkin.net'
+
 profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git
diff --git a/site/profiles/manifests/puppet/autosign.pp b/site/profiles/manifests/puppet/autosign.pp
index dd722b8..4a84d70 100644
--- a/site/profiles/manifests/puppet/autosign.pp
+++ b/site/profiles/manifests/puppet/autosign.pp
@@ -1,54 +1,43 @@
-# Class: profiles::puppet::autosign
+# profiles::puppet::autosign
 #
-# This class manages an autosign script for the Puppet master.
-# It sets up a Ruby script that automatically signs Puppet node requests
-# originating from certain IP subnet ranges.
+# This Puppet class provides automation for autosigning node certificates
+# based on specified subnet ranges and domain patterns.
+# It is useful in environments where nodes are dynamically provisioned and
+# require automatic certificate signing without manual intervention.
 #
 # Parameters:
-# - `subnet_ranges`: An array of IP subnet ranges for which to automatically
-# sign certificate requests.
+# - `subnet_ranges`: An array of IP subnet ranges in CIDR notation.
+# Nodes with IP addresses within these ranges will have their
+# certificates autosigned.
+# Example: ['198.18.17.0/24']
 #
-# Actions:
-# - Ensures the autosign script file is present and has the correct content and permissions.
+# - `domains`: An array of domain patterns.
+# Nodes with hostnames matching these patterns will have their
+# certificates autosigned.
+# Default: ['*.main.unkin.net']
+# Example: ['*.main.unkin.net', '*.secondary.unkin.net']
 #
 # Usage:
-# The class can be declared in a node definition or classified using an ENC or Hiera.
-# Example:
-# node 'puppet.example.com' {
-# class { 'profiles::puppet::autosign':
-# subnet_ranges => ['198.18.17.0/24', '10.0.0.0/8'],
-# }
-# }
+#
+# To include this class with custom parameters:
+# class { 'profiles::puppet::autosign':
+# subnet_ranges => ['198.18.17.0/24', '198.18.18.0/24'],
+# domains => ['*.main.unkin.net', '*.dev.unkin.net'],
+# }
 #
-# Requirements:
-# - Puppet master must have access to the /opt/puppetlabs/bin directory.
-# - The gem 'ipaddr' module must be installed on the Puppet master.
-# - The puppet 'puppetlabs/stdlib' module must be installed on the Puppet master.
-#
-# Limitations:
-# This is designed to work on Unix-like systems.
+# Alternatively, configure subnet ranges and domains through Hiera.
 class profiles::puppet::autosign (
 Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges,
+ Array[String[1]] $domains,
 ) {
- $script_content = @(END)
- #!/usr/bin/env ruby
-
- require 'yaml'
- require 'ipaddr'
-
- csr = YAML.load(STDIN.read)
- networks = #{subnet_ranges}
-
- ip = IPAddr.new(csr['facts']['networking']['ip'])
-
- exit 1 unless networks.any? { |network| IPAddr.new(network).include?(ip) }
- exit 0
- END
-
- file { '/opt/puppetlabs/bin/autosign.rb':
- ensure => file,
- content => $script_content,
- mode => '0755',
+ # Manage the autosign.conf file using the template
+ file { '/etc/puppetlabs/puppet/autosign.conf':
+ ensure => 'file',
+ content => template('profiles/puppet/autosign/autosign.conf.erb'),
+ owner => 'puppet',
+ group => 'puppet',
+ mode => '0644',
 }
+
 }
diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp
index eaeaeba..d50ed16 100644
--- a/site/profiles/manifests/puppet/puppetmaster.pp
+++ b/site/profiles/manifests/puppet/puppetmaster.pp
@@ -38,6 +38,6 @@ class profiles::puppet::puppetmaster {
 server => 'prodinf01n01.main.unkin.net',
 node_terminus => 'exec',
 external_nodes => '/opt/puppetlabs/bin/enc',
- autosign => '/etc/puppetlabs/puppet/autosign.rb',
+ autosign => '/etc/puppetlabs/puppet/autosign.conf',
 }
 }
diff --git a/site/profiles/templates/puppet/autosign/autosign.conf.erb b/site/profiles/templates/puppet/autosign/autosign.conf.erb
new file mode 100644
index 0000000..c533d8a
--- /dev/null
+++ b/site/profiles/templates/puppet/autosign/autosign.conf.erb
@@ -0,0 +1,6 @@
+<% @subnet_ranges.each do |subnet| -%>
+<%= subnet %>
+<% end -%>
+<% @domains.each do |domain| -%>
+<%= domain %>
+<% end -%>
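Review bot: The `subnet_ranges` values that the new `file` resource renders into `/etc/puppetlabs/puppet/autosign.conf` never match anything: Puppet's autosign.conf is a certname whitelist (exact certnames or `*.`-prefixed domain globs) and does not match requester IP addresses or CIDR ranges, so the IP-based autosigning the rewritten header promises is not implemented — the same applies to the first loop in the autosign.conf.erb hunk. That leaves `*.main.unkin.net` as the only effective rule, and since a certname is supplied by the requesting agent itself, any host that can reach the CA and presents a CSR under that domain is signed with no further check; the header should state this instead of describing IP filtering, e.g. `# NOTE: autosign.conf matches certnames only; subnet_ranges is not enforced by this file`. The parameter docs also claim `Default: ['*.main.unkin.net']`, but `$domains` has no default in the class — the value comes from Hiera (hieradata/common.yaml), so that line should read `# Hiera key: profiles::puppet::autosign::domains`. If filtering by source network is the intended control, the `autosign` setting has to point at an executable policy script rather than this whitelist.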
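Review bot: Whether `/etc/puppetlabs/puppet/autosign.conf` is read as a certname whitelist or run as a policy executable is decided by the file's execute bit, so the `mode => '0644'` set in profiles::puppet::autosign is what makes this setting behave as a whitelist, and nothing on this line records that coupling. A comment would make the dependency visible to whoever next changes either class, e.g. `# non-executable file => certname whitelist; file is managed by profiles::puppet::autosign`. The enclosing resource and `class profiles::puppet::puppetmaster` begin outside the hunk.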