- install the Vault root CA on all nodes
- update the CA trust store whenever the deployed root CA certificate changes
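# ensure the ca certificate for vault is installed everywhere
#
# Installs the Vault root CA (rendered from the
# profiles/pki/vaultcaroot.pem.erb template) into the OS family's trust
# anchor directory and regenerates the system trust store whenever the
# certificate content changes. Unsupported OS families fail catalog
# compilation instead of silently leaving the CA untrusted.
class profiles::pki::vaultca {
  # Base name of the deployed anchor; the extension is chosen per OS family
  # below. $root_cacert keeps its original value for anyone referencing it.
  $root_cacert_basename = 'vaultcaroot'
  $root_cacert          = "${root_cacert_basename}.pem"

  # Define the target path and trust-store refresh command per OS family.
  case $facts['os']['family'] {
    'RedHat': {
      $ca_cert_target_path    = "/etc/pki/ca-trust/source/anchors/${root_cacert}"
      $update_ca_cert_command = 'update-ca-trust extract'
    }
    'Debian': {
      # update-ca-certificates only considers files under
      # /usr/local/share/ca-certificates that end in .crt; a .pem file is
      # ignored and the CA would never enter the trust store.
      $ca_cert_target_path    = "/usr/local/share/ca-certificates/${root_cacert_basename}.crt"
      $update_ca_cert_command = 'update-ca-certificates'
    }
    default: {
      fail("Unsupported operating system: ${facts['os']['family']}")
    }
  }

  # Ensure the CA certificate is present and contains the content from the
  # template. 0644 is appropriate for a public CA certificate; the template is
  # expected to hold only the certificate, never a private key.
  file { $ca_cert_target_path:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('profiles/pki/vaultcaroot.pem.erb'),
    notify  => Exec['update_ca_trust_store'],
  }

  # Execute the system command to update the CA trust store.
  # refreshonly: runs only when the certificate file above changes.
  # update-ca-certificates is installed in /usr/sbin on Debian-family
  # systems, so the sbin directories must be on the search path.
  exec { 'update_ca_trust_store':
    command     => $update_ca_cert_command,
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
    require     => File[$ca_cert_target_path],
  }
}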