hieradata/common.yaml

@@ -24,5 +24,8 @@ profiles::base::packages::common:
 profiles::puppet::autosign::subnet_ranges:
   - '198.18.17.0/24'
 
+profiles::puppet::autosign::domains:
+  - '*.main.unkin.net'
+
 profiles::puppet::enc::enc_repo: https://git.unkin.net/unkinben/puppet-enc.git
 profiles::puppet::r10k::r10k_repo: https://git.unkin.net/unkinben/puppet-r10k.git

site/profiles/manifests/puppet/autosign.pp

@@ -1,54 +1,43 @@
-# Class: profiles::puppet::autosign
+# profiles::puppet::autosign
 #
-# This class manages an autosign script for the Puppet master.
+# This Puppet class provides automation for autosigning node certificates 
-# It sets up a Ruby script that automatically signs Puppet node requests
+# based on specified subnet ranges and domain patterns. 
-# originating from certain IP subnet ranges.
+# It is useful in environments where nodes are dynamically provisioned and 
+# require automatic certificate signing without manual intervention.
 #
 # Parameters:
-#  - `subnet_ranges`: An array of IP subnet ranges for which to automatically
+#   - `subnet_ranges`: An array of IP subnet ranges in CIDR notation.
-#     sign certificate requests.
+#       Nodes with IP addresses within these ranges will have their 
+#       certificates autosigned. 
+#       Example: ['198.18.17.0/24']
 #
-# Actions:
+#   - `domains`: An array of domain patterns.
-# - Ensures the autosign script file is present and has the correct content and permissions.
+#       Nodes with hostnames matching these patterns will have their
+#       certificates autosigned.
+#       Default: ['*.main.unkin.net']
+#       Example: ['*.main.unkin.net', '*.secondary.unkin.net']
 #
 # Usage:
-#   The class can be declared in a node definition or classified using an ENC or Hiera.
+# 
-#   Example:
+# To include this class with custom parameters:
-#     node 'puppet.example.com' {
+#   class { 'profiles::puppet::autosign':
-#       class { 'profiles::puppet::autosign':
+#     subnet_ranges => ['198.18.17.0/24', '198.18.18.0/24'],
-#         subnet_ranges => ['198.18.17.0/24', '10.0.0.0/8'],
+#     domains       => ['*.main.unkin.net', '*.dev.unkin.net'],
-#       }
+#   }
-#     }
 #
-# Requirements:
+# Alternatively, configure subnet ranges and domains through Hiera.
-# - Puppet master must have access to the /opt/puppetlabs/bin directory.
-# - The gem 'ipaddr' module must be installed on the Puppet master.
-# - The puppet 'puppetlabs/stdlib' module must be installed on the Puppet master.
-#
-# Limitations:
-# This is designed to work on Unix-like systems.
 class profiles::puppet::autosign (
   Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges,
+  Array[String[1]] $domains,
 ) {
 
-  $script_content = @(END)
+  # Manage the autosign.conf file using the template
-    #!/usr/bin/env ruby
+  file { '/etc/puppetlabs/puppet/autosign.conf':
-
+    ensure  => 'file',
-    require 'yaml'
+    content => template('profiles/puppet/autosign/autosign.conf.erb'),
-    require 'ipaddr'
+    owner   => 'puppet',
-
+    group   => 'puppet',
-    csr = YAML.load(STDIN.read)
+    mode    => '0644',
-    networks = #{subnet_ranges}
-
-    ip = IPAddr.new(csr['facts']['networking']['ip'])
-
-    exit 1 unless networks.any? { |network| IPAddr.new(network).include?(ip) }
-    exit 0
-  END
-
-  file { '/opt/puppetlabs/bin/autosign.rb':
-    ensure  => file,
-    content => $script_content,
-    mode    => '0755',
   }
+
 }

site/profiles/manifests/puppet/puppetmaster.pp

@@ -38,6 +38,6 @@ class profiles::puppet::puppetmaster {
     server         => 'prodinf01n01.main.unkin.net',
     node_terminus  => 'exec',
     external_nodes => '/opt/puppetlabs/bin/enc',
-    autosign       => '/etc/puppetlabs/puppet/autosign.rb',
+    autosign       => '/etc/puppetlabs/puppet/autosign.conf',
   }
 }

site/profiles/templates/puppet/autosign/autosign.conf.erb

@@ -0,0 +1,6 @@
+<% @subnet_ranges.each do |subnet| -%>
+<%= subnet %>
+<% end -%>
+<% @domains.each do |domain| -%>
+<%= domain %>
+<% end -%>