puppet-prod/site/profiles/manifests/puppet/puppetca.pp

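# Class: profiles::puppet::puppetca
#
# Manages the Puppet CA side of a puppetserver: the ca.conf settings and
# distribution of the CA's certificate revocation list (CRL) to every
# puppetserver that is not the CA.
#
# Parameters
#   allow_subject_alt_names        - rendered into ca.conf by the template
#   allow_authorization_extensions - rendered into ca.conf by the template
#   enable_infra_crl               - rendered into ca.conf by the template
#   is_puppetca                    - true on the node that runs the CA. That
#                                    node exports its CRL and registers the
#                                    'puppetca' service with consul; every
#                                    other node collects the CRL instead.
#
# CRL flow: the CA exports its crl.pem as an exported File resource
# (crl.pem.latest). Non-CA servers collect it, copy it over their own
# crl.pem, and re-copy it on every puppetserver start via a systemd drop-in.
class profiles::puppet::puppetca (
  Boolean $allow_subject_alt_names        = false,
  Boolean $allow_authorization_extensions = false,
  Boolean $enable_infra_crl               = false,
  Boolean $is_puppetca                    = false,
) {
  # The exported resource title must be identical on the exporting and the
  # collecting node, so both sides derive it from the same path variables.
  $ssl_dir    = '/etc/puppetlabs/puppet/ssl'
  $crl_active = "${ssl_dir}/crl.pem"
  $crl_latest = "${ssl_dir}/crl.pem.latest"

  # CA configuration; any change restarts puppetserver so it is picked up.
  file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('profiles/puppet/puppet_ca.cfg.erb'),
    notify  => Service['puppetserver'],
  }

  if $is_puppetca {
    # Export the CA's current CRL so non-CA puppetservers can collect it.
    # NOTE: file() is evaluated at catalog-compile time on the server that
    # compiles this node's catalog, so the exported content is only the real
    # CA CRL when the CA node's catalog is compiled on the CA itself.
    # Ownership/mode are set explicitly so the file is readable by the
    # 'puppet' user that puppetserver (and the ExecStartPost copy) run as.
    @@file { $crl_latest:
      ensure  => file,
      owner   => 'puppet',
      group   => 'puppet',
      mode    => '0644',
      content => file($crl_active),
      tag     => 'crl_pem_export',
    }

    # The CA authors its own CRL; make sure no stale copy drop-in survives a
    # node being promoted to CA.
    systemd::manage_dropin { 'copy_crl.conf':
      ensure => absent,
      unit   => 'puppetserver.service',
    }
  } else {
    # Collect the CRL exported by the CA (every exporter carrying the tag).
    File <<| tag == 'crl_pem_export' |>> {
      require => Service['puppetserver'],
    }

    # Promote the collected copy to the CRL puppetserver actually loads.
    file { $crl_active:
      ensure  => file,
      owner   => 'puppet',
      group   => 'puppet',
      mode    => '0644',
      source  => $crl_latest,
      require => File[$crl_latest],
    }

    # Re-copy the latest CRL after every puppetserver start.
    # systemd only treats ';' as a command separator when it is a word of its
    # own: 'sleep 2;' would pass the literal argument "2;" to sleep, which
    # fails and marks the unit as failed. Hence the spaces around ';'.
    # NOTE(review): ExecStartPost runs after the service has started, so the
    # copy lands after puppetserver has presumably already read crl.pem —
    # confirm this achieves "latest CRL used after start" (the sleep suggests
    # puppetserver rewrites crl.pem on startup); otherwise ExecStartPre is
    # the right hook.
    systemd::manage_dropin { 'copy_crl.conf':
      ensure        => present,
      unit          => 'puppetserver.service',
      service_entry => {
        'ExecStartPost' => "/usr/bin/sleep 2 ; /bin/cp ${crl_latest} ${crl_active}",
      },
      require       => File[$crl_active],
    }
  }

  # Advertise the CA over consul so clients can discover it as 'puppetca'.
  if $is_puppetca {
    consul::service { 'puppetca':
      service_name => 'puppetca',
      tags         => ['ca', 'puppet', 'ssl'],
      address      => $facts['networking']['ip'],
      port         => 8140,
      checks       => [
        {
          id              => 'puppetca_https_check',
          name            => 'PuppetCA HTTPS Check',
          http            => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
          method          => 'GET',
          # Verification is skipped, presumably because the consul agent does
          # not trust the Puppet CA that signed puppetserver's certificate.
          # This check therefore proves liveness only, not server identity;
          # do not rely on it as an authenticity signal.
          tls_skip_verify => true,
          interval        => '10s',
          timeout         => '1s',
        }
      ],
    }
  }
}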