- add fact to export vault public cert from agents - add fact to export list of trusted incus client certs - add method for incus clients to export their client cert to be trusted
This commit is contained in:
@@ -0,0 +1,16 @@
|
||||
# incus::client
|
||||
#
|
||||
# This class configures a host as an incus client and exports its certificate
|
||||
# for automatic trust management on incus servers.
|
||||
#
|
||||
class incus::client {
|
||||
|
||||
# Export this client's certificate for collection by incus servers
|
||||
@@incus::client_cert { $facts['networking']['fqdn']:
|
||||
hostname => $facts['networking']['fqdn'],
|
||||
certificate => $facts['vault_cert_content'],
|
||||
fingerprint => $facts['vault_cert_fingerprint'],
|
||||
tag => 'incus_client',
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,41 @@
|
||||
# Define the exported resource type for incus client certificates
|
||||
define incus::client_cert (
|
||||
String $hostname,
|
||||
Optional[String] $certificate = undef,
|
||||
Optional[String] $fingerprint = undef,
|
||||
) {
|
||||
|
||||
# Only proceed if we have both certificate and fingerprint
|
||||
if $certificate and $fingerprint {
|
||||
|
||||
$trust_list = $facts['incus_trust_list']
|
||||
$existing_client = $trust_list.filter |$client| { $client['name'] == $hostname }
|
||||
|
||||
if $existing_client.empty {
|
||||
# Add new certificate
|
||||
exec { "incus_trust_add_${hostname}":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "echo '${certificate}' > /tmp/${hostname}.crt && \
|
||||
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
|
||||
rm -f /tmp/${hostname}.crt",
|
||||
unless => "incus config trust list --format=json | grep '\"name\":\"${hostname}\"'",
|
||||
}
|
||||
} else {
|
||||
# Check if fingerprints are different
|
||||
$existing_fingerprint = $existing_client[0]['fingerprint']
|
||||
|
||||
if $existing_fingerprint != $fingerprint {
|
||||
# Remove existing and add new certificate only if fingerprints differ
|
||||
exec { "incus_trust_update_${hostname}":
|
||||
path => ['/bin', '/usr/bin'],
|
||||
command => "incus config trust remove ${existing_fingerprint} && \
|
||||
echo '${certificate}' > /tmp/${hostname}.crt && \
|
||||
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
|
||||
rm -f /tmp/${hostname}.crt",
|
||||
onlyif => "incus config trust list --format=json | grep '${existing_fingerprint}'",
|
||||
}
|
||||
}
|
||||
# If fingerprints match, do nothing (certificate is already correct)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -92,5 +92,10 @@ class incus (
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Collect exported client certificates and manage trust
|
||||
Incus::Client_cert <<| tag == 'incus_client' |>> {
|
||||
require => Service['incus'],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user