# Class: profiles::puppet::puppetca
#
# This class manages Puppet CA
#
# Concretely it does three things:
#   1. writes /etc/puppetlabs/puppetserver/conf.d/ca.conf from a template;
#   2. on the CA node, exports the CA's crl.pem as an exported file resource;
#      on every other puppetserver, collects that export and copies it into
#      the active crl.pem location (also on every service (re)start);
#   3. on the CA node, registers a 'puppetca' service with consul.
#
# Parameters
#   The first three are only consumed by the puppet_ca.cfg.erb template,
#   which is not part of this file — confirm the exact ca.conf keys there.
#   allow_subject_alt_names        - presumably whether the CA will sign CSRs
#                                    carrying subjectAltName extensions. Left
#                                    false by default: a SAN lets a host obtain
#                                    a certificate for names other than its
#                                    own certname, so enable deliberately.
#   allow_authorization_extensions - presumably whether the CA will sign CSRs
#                                    carrying Puppet authorization extensions.
#                                    Left false by default, since auth rules
#                                    may grant access based on them.
#   enable_infra_crl               - presumably toggles the infrastructure CRL
#                                    feature of Puppet Server. False by default.
#   is_puppetca                    - true on the node running the CA; false on
#                                    compile servers that only consume the CRL.
#                                    Selects which branch of the CRL handling
#                                    below applies and whether to register
#                                    with consul.
class profiles::puppet::puppetca (
  Boolean $allow_subject_alt_names = false,
  Boolean $allow_authorization_extensions = false,
  Boolean $enable_infra_crl = false,
  Boolean $is_puppetca = false,
) {
  # manage the ca.cfg file
  # Root-owned, world-readable: the puppetserver process (not root) only has to
  # read it. Any change restarts puppetserver so the new CA settings apply.
  file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('profiles/puppet/puppet_ca.cfg.erb'),
    notify  => Service['puppetserver'],
  }

  # manage the crl file
  if $is_puppetca {
    # export the puppet crl.pem
    # NOTE(review): file() is evaluated on the server compiling this catalog,
    # not by the agent on the CA node. This only exports the CA's own CRL if
    # the CA node compiles its own catalog — confirm for this deployment.
    # No owner/group/mode are given, so the collecting agent's defaults apply
    # (typically root-owned, non-world-writable); consumers only need to read it.
    @@file { '/etc/puppetlabs/puppet/ssl/crl.pem.latest':
      ensure  => file,
      content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
      tag     => 'crl_pem_export',
    }

    # The CA is the source of truth for crl.pem, so it must never run the
    # copy-on-start drop-in used by the consumers below.
    systemd::manage_dropin { 'copy_crl.conf':
      ensure => absent,
      unit   => 'puppetserver.service',
    }
  }else{
    # import the puppet crl.pem
    # Collects every file exported with the crl_pem_export tag (i.e. the CA's
    # CRL) and orders it after the puppetserver service.
    File <<| tag == 'crl_pem_export' |>> {
      require => Service['puppetserver'],
    }

    # copy latest to active location
    # NOTE(review): this resource does not notify Service['puppetserver'], so a
    # CRL update delivered here (e.g. a newly revoked certificate) presumably
    # only takes effect once puppetserver restarts — TODO confirm whether
    # puppetserver re-reads crl.pem without a restart.
    file { '/etc/puppetlabs/puppet/ssl/crl.pem':
      ensure  => file,
      owner   => 'puppet',
      group   => 'puppet',
      source  => '/etc/puppetlabs/puppet/ssl/crl.pem.latest',
      require => File['/etc/puppetlabs/puppet/ssl/crl.pem.latest'],
    }

    # copy the latest crl when restarting
    # NOTE(review): the fixed 2s sleep is a timing assumption, not a
    # synchronisation point — whether the copy lands before puppetserver reads
    # crl.pem depends on JVM start-up time; verify on the target hosts.
    systemd::manage_dropin { 'copy_crl.conf':
      ensure        => present,
      unit          => 'puppetserver.service',
      service_entry => {
        'ExecStartPost' => [
          '/usr/bin/sleep 2',
          '/bin/cp /etc/puppetlabs/puppet/ssl/crl.pem.latest /etc/puppetlabs/puppet/ssl/crl.pem',
        ],
      },
      require       => File['/etc/puppetlabs/puppet/ssl/crl.pem'],
    }
  }

  # register the PuppetCA service with consul
  if $is_puppetca {
    # Advertises the CA on the node's primary IP, port 8140.
    # SECURITY NOTE: tls_skip_verify => true means this probe does not validate
    # the CA's server certificate, so it is a liveness check only — it would
    # also pass against a mis-issued or swapped listener. Keep it that way only
    # if the consul agent cannot be given the Puppet CA bundle to verify against.
    # The 1s timeout covers a full TLS handshake to a JVM; if the check flaps
    # under load, that is the first value to look at.
    consul::service { 'puppetca':
      service_name => 'puppetca',
      tags         => ['ca', 'puppet', 'ssl'],
      address      => $facts['networking']['ip'],
      port         => 8140,
      checks       => [
        {
          id              => 'puppetca_https_check',
          name            => 'PuppetCA HTTPS Check',
          http            => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
          method          => 'GET',
          tls_skip_verify => true,
          interval        => '10s',
          timeout         => '1s',
        }
      ],
    }
  }
}