Ben Vincent
d0d67e316a
- set yum::versionlock to be only for redhat family - set puppet-agent require statement to use apt or yum - remove requirement of downloading puppet7-release-$dist.deb - create all paths in $base_path for vault certificate - set correct $PATH for update-ca-certificates - dynamically set debian release name - split packages to install from common.yaml to os-specific - create groups profile to manage local groups - change sysadmin to be a member of admins group - setup admins sudo rules
38 lines
1.2 KiB
Puppet
38 lines
1.2 KiB
Puppet
# ensure the ca certificate for vault is installed everywhere
|
|
class profiles::pki::vaultca {
|
|
$root_cacert = 'vaultcaroot.pem'
|
|
|
|
# Define the target path based on the operating system
|
|
case $facts['os']['family'] {
|
|
'RedHat': {
|
|
$ca_cert_target_path = "/etc/pki/ca-trust/source/anchors/${root_cacert}"
|
|
$update_ca_cert_command = 'update-ca-trust extract'
|
|
}
|
|
'Debian': {
|
|
$ca_cert_target_path = "/usr/local/share/ca-certificates/${root_cacert}"
|
|
$update_ca_cert_command = 'update-ca-certificates'
|
|
}
|
|
default: {
|
|
fail("Unsupported operating system: ${facts['os']['family']}")
|
|
}
|
|
}
|
|
|
|
# Ensure the CA certificate is present and contains the content from the template
|
|
file { $ca_cert_target_path:
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => template('profiles/pki/vaultcaroot.pem.erb'),
|
|
notify => Exec['update_ca_trust_store'],
|
|
}
|
|
|
|
# Execute the system command to update the CA trust store
|
|
exec { 'update_ca_trust_store':
|
|
command => $update_ca_cert_command,
|
|
path => ['/bin', '/usr/bin', 'sbin', '/usr/sbin'],
|
|
refreshonly => true,
|
|
require => File[$ca_cert_target_path],
|
|
}
|
|
}
|