Ben Vincent
90a9195cb0
- add fact to export vault public cert from agents - add fact to export list of trusted incus client certs - add method for incus clients to export their client cert to be trusted
35 lines
1.3 KiB
Puppet
35 lines
1.3 KiB
Puppet
# Define the exported resource type for incus client certificates
|
|
define incus::client_cert (
|
|
String $hostname,
|
|
Optional[String] $certificate = undef,
|
|
) {
|
|
|
|
if $certificate {
|
|
# Check if this hostname is already in the trust list
|
|
$trust_list = $facts['incus_trust_list']
|
|
$existing_client = $trust_list.filter |$client| { $client['name'] == $hostname }
|
|
|
|
if $existing_client.empty {
|
|
# Add new certificate using exec with heredoc
|
|
exec { "incus_trust_add_${hostname}":
|
|
path => ['/bin', '/usr/bin'],
|
|
command => "echo '${certificate}' > /tmp/${hostname}.crt && \
|
|
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
|
|
rm -f /tmp/${hostname}.crt",
|
|
unless => "incus config trust list --format=json | grep '\"name\":\"${hostname}\"'",
|
|
}
|
|
} else {
|
|
# Remove existing and add new certificate
|
|
$fingerprint = $existing_client[0]['fingerprint']
|
|
|
|
exec { "incus_trust_update_${hostname}":
|
|
path => ['/bin', '/usr/bin'],
|
|
command => "incus config trust remove ${fingerprint} && \
|
|
echo '${certificate}' > /tmp/${hostname}.crt && \
|
|
incus config trust add-certificate /tmp/${hostname}.crt --name ${hostname} && \
|
|
rm -f /tmp/${hostname}.crt",
|
|
onlyif => "incus config trust list --format=json | grep '${fingerprint}'",
|
|
}
|
|
}
|
|
}
|
|
} |