Merge pull request 'feat: certmanager output as json' (#119) from neoloc/certmanager_json into develop

Reviewed-on: unkinben/puppet-prod#119
2024-02-25 18:03:56 +09:30 · 2024-02-25 18:03:56 +09:30 · bc3084a1e7
commit bc3084a1e7
parent 4cdba982fe f6110f534c
2 changed files with 18 additions and 4 deletions
--- a/site/profiles/manifests/helpers/certmanager.pp
+++ b/site/profiles/manifests/helpers/certmanager.pp
@ -60,7 +60,9 @@ class profiles::helpers::certmanager (
    # create the config from a template
    file { $config_path:
      ensure  => file,
-      mode    => '0600',
+      mode    => '0660',
+      owner   => 'puppet',
+      group   => 'root',
      content => Sensitive(template("profiles/helpers/${script_name}_config.yaml.erb")),
      require => Python::Pyvenv[$venv_path],
    }
--- a/site/profiles/templates/helpers/certmanager.erb
+++ b/site/profiles/templates/helpers/certmanager.erb
@ -28,10 +28,18 @@ def request_certificate(common_name, alt_names, ip_sans, expiry_days, vault_conf
        print(f"Error requesting certificate: {response.text}")
        return None

-def save_cert_files(certificate_response, common_name, compress, config):
+def save_cert_files(certificate_response, common_name, compress, config, json_output):
    base_path = config.get('output_path', '.')
    cert_dir = os.path.join(base_path, common_name)
-    if not compress:
+    if json_output:
+        import json
+        output = {
+            'certificate': certificate_response['data']['certificate'],
+            'private_key': certificate_response['data']['private_key'],
+            'full_chain': certificate_response['data']['issuing_ca'] + "\n" + certificate_response['data']['certificate'],
+        }
+        print(json.dumps(output))
+    elif not compress:
        os.makedirs(cert_dir, exist_ok=True)
        with open(os.path.join(cert_dir, "certificate.crt"), "w") as cert_file:
            cert_file.write(certificate_response['data']['certificate'])
@ -54,12 +62,16 @@ def main(config_file):
    parser.add_argument('-i', '--ip-sans', type=str, default='', help='Comma-separated IP Subject Alternative Names for the certificate')
    parser.add_argument('-e', '--expiry-days', type=int, default=365, help='Validity of the certificate in days (default: 365)')
    parser.add_argument('-c', '--compress', action='store_true', help='Compress the certificate, key, and full chain into a zip file')
+    parser.add_argument('--json', action='store_true', help='Output results in JSON format')
    args = parser.parse_args()
    alt_names = [name.strip() for name in args.alt_names.split(',') if name]
    ip_sans = [ip.strip() for ip in args.ip_sans.split(',') if ip]
    certificate_response = request_certificate(args.common_name, alt_names, ip_sans, args.expiry_days, config)
    if certificate_response:
-        save_cert_files(certificate_response, args.common_name, args.compress, config)
+        if args.json:
+            save_cert_files(certificate_response, args.common_name, args.compress, config, True)
+        else:
+            save_cert_files(certificate_response, args.common_name, args.compress, config, False)
    else:
        print("Failed to obtain certificate.")