From df8a55c3ddb1228ba5d8d98b6c9dda656ac88595 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 3 May 2024 21:29:25 +1000
Subject: [PATCH] feat: manage puppetca

- manage the puppet ca.cfg
- distribute the crl.pem from the puppetca to masters
---
 .../nodes/prodinf01n01.main.unkin.net.yaml | 3 ++
 site/profiles/manifests/puppet/puppetca.pp | 35 +++++++++++++++++++
 .../profiles/manifests/puppet/puppetmaster.pp | 1 +
 .../templates/puppet/puppet_ca.cfg.erb | 10 ++++++
 4 files changed, 49 insertions(+)
 create mode 100644 site/profiles/manifests/puppet/puppetca.pp
 create mode 100644 site/profiles/templates/puppet/puppet_ca.cfg.erb
diff --git a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml
index 1b3d42c..d998612 100644
--- a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml
+++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml
@@ -2,3 +2,6 @@
 profiles::puppet::server::dns_alt_names:
 - puppetca.main.unkin.net
 - puppetca
+
+profiles::puppet::puppetca::is_puppetca: true
+profiles::puppet::puppetca::allow_subject_alt_names: true
diff --git a/site/profiles/manifests/puppet/puppetca.pp b/site/profiles/manifests/puppet/puppetca.pp
new file mode 100644
index 0000000..1e75240
--- /dev/null
+++ b/site/profiles/manifests/puppet/puppetca.pp
@@ -0,0 +1,35 @@
+# Class: profiles::puppet::puppetca
+#
+# This class manages Puppet CA
+class profiles::puppet::puppetca (
+ Boolean $allow_subject_alt_names = false,
+ Boolean $allow_authorization_extensions = false,
+ Boolean $enable_infra_crl = false,
+ Boolean $is_puppetca = false,
+) {
+
+ # manage the ca.cfg file
+ file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('profiles/puppet/puppet_ca.cfg.erb'),
+ notify => Service['puppetserver'],
+ }
+
+ # manage the crl file
+ if $is_puppetca {
+ # export the puppet crl.pem
+ @@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
+ ensure => file,
+ content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
+ tag => 'crl_pem_export',
+ }
+ }else{
+ # import the puppet crl.pem
+ File <<| tag == 'crl_pem_export' |>> {
+ require => Service['puppetserver'],
+ }
+ }
+}
diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp
index 7229d64..73f46c0 100644
--- a/site/profiles/manifests/puppet/puppetmaster.pp
+++ b/site/profiles/manifests/puppet/puppetmaster.pp
@@ -16,6 +16,7 @@ class profiles::puppet::puppetmaster (
 include profiles::puppet::gems
 include profiles::helpers::certmanager
 include profiles::puppet::server
+ include profiles::puppet::puppetca
 class { 'puppetdb::master::config':
 puppetdb_server => $puppetdb_host,
diff --git a/site/profiles/templates/puppet/puppet_ca.cfg.erb b/site/profiles/templates/puppet/puppet_ca.cfg.erb
new file mode 100644
index 0000000..a119784
--- /dev/null
+++ b/site/profiles/templates/puppet/puppet_ca.cfg.erb
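Review bot: `content => file('/etc/puppetlabs/puppet/ssl/crl.pem')` in the exported `@@file` is evaluated while the CA node's catalog is compiled, so it reads that path on the compiling Puppet Server (and aborts the whole compile if the file is absent) rather than on the CA host at apply time; that only yields the CA's own CRL when the CA compiles its own catalog, which the `puppetmaster.pp` include suggests is the case here but deserves a sentence in the `# export the puppet crl.pem` comment. The exported resource also carries no `owner`/`group`/`mode`, so the collected copy on each master gets whatever the agent's defaults are; pinning them the way the `ca.conf` resource does (for example `mode => '0644'`) keeps the imported CRL readable by puppetserver without being writable by others — confirm the ownership puppetserver expects on that path. A revocation propagates only after the CA's next agent run refreshes PuppetDB and each master's following run collects the resource, which is worth stating in the `# manage the crl file` comment, and if puppetserver loads the CRL only at startup the collector should `notify => Service['puppetserver']` in addition to the `require`. Style: `ensure => file` should match the quoted `ensure => 'file'` used above, and `}else{` should be written `} else {`.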
@@ -0,0 +1,10 @@
+certificate-authority: {
+ # allow CA to sign certificate requests that have subject alternative names.
+ allow-subject-alt-names: <%= @allow_subject_alt_names %>
+
+ # allow CA to sign certificate requests that have authorization extensions.
+ allow-authorization-extensions: <%= @allow_authorization_extensions %>
+
+ # enable the separate CRL for Puppet infrastructure nodes
+ enable-infra-crl: <%= @enable_infra_crl %>
+}
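Review bot: `allow-subject-alt-names` is rendered straight from `@allow_subject_alt_names`, and the hieradata hunk in this patch sets it to `true` for the CA node, so CSRs carrying subject alternative names are no longer rejected by this CA; that widens what a requester can claim and should be paired with a signing policy that reviews SANs rather than unconditional autosign, which the patch does not show — a comment such as `# NOTE: with this enabled, inspect the SANs on pending CSRs before signing` next to the setting would make the operational expectation explicit. The managed resource writes this content to `conf.d/ca.conf`, while the template is named `puppet_ca.cfg.erb` and the class comment says `ca.cfg`; renaming the template to `ca.conf.erb` (or correcting the comment) removes the mismatch. A header comment stating that the file is HOCON and that the interpolated values must render as bare `true`/`false` would also help, since the `Boolean` parameter types in the class are what guarantee that here.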