feat: manage puppetca
- manage the puppet ca.cfg
- distribute the crl.pem from the puppetca to the masters
parent
052b07be83
commit
df8a55c3dd
@ -2,3 +2,6 @@
|
|||||||
profiles::puppet::server::dns_alt_names:
|
profiles::puppet::server::dns_alt_names:
|
||||||
- puppetca.main.unkin.net
|
- puppetca.main.unkin.net
|
||||||
- puppetca
|
- puppetca
|
||||||
|
|
||||||
|
profiles::puppet::puppetca::is_puppetca: true
|
||||||
|
profiles::puppet::puppetca::allow_subject_alt_names: true
|
||||||
|
|||||||
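--- a/site/profiles/manifests/puppet/puppetca.pp
+++ b/site/profiles/manifests/puppet/puppetca.pp
@@ -0,0 +1,35 @@
+# Class: profiles::puppet::puppetca
+#
+# This class manages Puppet CA
+class profiles::puppet::puppetca (
+Boolean $allow_subject_alt_names = false,
+Boolean $allow_authorization_extensions = false,
+Boolean $enable_infra_crl = false,
+Boolean $is_puppetca = false,
+) {
+
+# manage the ca.cfg file
+file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf':
+ensure => 'file',
+owner => 'root',
+group => 'root',
+mode => '0644',
+content => template('profiles/puppet/puppet_ca.cfg.erb'),
+notify => Service['puppetserver'],
+}
+
+# manage the crl file
+if $is_puppetca {
+# export the puppet crl.pem
+@@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
+ensure => file,
+content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
+tag => 'crl_pem_export',
+}
+}else{
+# import the puppet crl.pem
+File <<| tag == 'crl_pem_export' |>> {
+require => Service['puppetserver'],
+}
+}
+}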
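Review bot: The exported resource's `content => file('/etc/puppetlabs/puppet/ssl/crl.pem')` is evaluated at catalog compile time on whichever server compiles the CA node's catalog, not on the CA agent, so it only distributes the CA's own CRL when the CA node compiles its own catalog (and compilation fails if that path is missing there); worth stating above it, e.g. `# file() is read at compile time: the CA node must compile its own catalog for this to be its CRL`. On the collecting side, `require => Service['puppetserver']` only orders the write after the service is up; if puppetserver reads crl.pem once at startup (not verified here), the replaced CRL takes effect only at the next restart, and `notify => Service['puppetserver']`, matching what the ca.conf resource already does, would make that refresh explicit. The exported file also sets no owner/group/mode while the ca.conf resource pins all three, so the collector's crl.pem permissions depend on whatever is already on disk. Minor style: the comment says `ca.cfg` but the path is `ca.conf`, `ensure => file` is unquoted while the first resource quotes it, and `}else{` should read `} else {`.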
@ -16,6 +16,7 @@ class profiles::puppet::puppetmaster (
|
|||||||
include profiles::puppet::gems
|
include profiles::puppet::gems
|
||||||
include profiles::helpers::certmanager
|
include profiles::helpers::certmanager
|
||||||
include profiles::puppet::server
|
include profiles::puppet::server
|
||||||
|
include profiles::puppet::puppetca
|
||||||
|
|
||||||
class { 'puppetdb::master::config':
|
class { 'puppetdb::master::config':
|
||||||
puppetdb_server => $puppetdb_host,
|
puppetdb_server => $puppetdb_host,
|
||||||
|
|||||||
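--- a/site/profiles/templates/puppet/puppet_ca.cfg.erb
+++ b/site/profiles/templates/puppet/puppet_ca.cfg.erb
@@ -0,0 +1,10 @@
+certificate-authority: {
+# allow CA to sign certificate requests that have subject alternative names.
+allow-subject-alt-names: <%= @allow_subject_alt_names %>
+
+# allow CA to sign certificate requests that have authorization extensions.
+allow-authorization-extensions: <%= @allow_authorization_extensions %>
+
+# enable the separate CRL for Puppet infrastructure nodes
+enable-infra-crl: <%= @enable_infra_crl %>
+}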
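Review bot: The template carries no header marking the rendered file as Puppet-managed, so a hand edit to `/etc/puppetlabs/puppetserver/conf.d/ca.conf` is silently reverted on the next agent run; a first line such as `# This file is managed by Puppet (profiles/puppet/puppet_ca.cfg.erb); local edits are overwritten.` makes that visible in the generated file. The three comments describe only what `true` does; since the class in this commit defaults all three parameters to `false`, a short note of the default next to each key would help someone reading ca.conf on the box rather than the manifest.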