Ben Vincent
9536be5864
* profile::pupper::server * profile::puppet::puppetmaster * profile::puppet::g10k * profile::puppet::autosign * updated Puppetfile * updated role::puppet::puppetmaster * added profile::puppet::puppetmaster to puppetmaster role * added profile::puppet::server templates
55 lines
1.5 KiB
Puppet
55 lines
1.5 KiB
Puppet
# Class: profile::puppet::autosign
|
|
#
|
|
# This class manages an autosign script for the Puppet master.
|
|
# It sets up a Ruby script that automatically signs Puppet node requests
|
|
# originating from certain IP subnet ranges.
|
|
#
|
|
# Parameters:
|
|
# - `subnet_ranges`: An array of IP subnet ranges for which to automatically
|
|
# sign certificate requests.
|
|
#
|
|
# Actions:
|
|
# - Ensures the autosign script file is present and has the correct content and permissions.
|
|
#
|
|
# Usage:
|
|
# The class can be declared in a node definition or classified using an ENC or Hiera.
|
|
# Example:
|
|
# node 'puppet.example.com' {
|
|
# class { 'profile::puppet::autosign':
|
|
# subnet_ranges => ['198.18.17.0/24', '10.0.0.0/8'],
|
|
# }
|
|
# }
|
|
#
|
|
# Requirements:
|
|
# - Puppet master must have access to the /opt/puppetlabs/bin directory.
|
|
# - The gem 'ipaddr' module must be installed on the Puppet master.
|
|
# - The puppet 'puppetlabs/stdlib' module must be installed on the Puppet master.
|
|
#
|
|
# Limitations:
|
|
# This is designed to work on Unix-like systems.
|
|
class profile::puppet::autosign (
|
|
Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges,
|
|
) {
|
|
|
|
$script_content = @(END)
|
|
#!/usr/bin/env ruby
|
|
|
|
require 'yaml'
|
|
require 'ipaddr'
|
|
|
|
csr = YAML.load(STDIN.read)
|
|
networks = #{subnet_ranges}
|
|
|
|
ip = IPAddr.new(csr['facts']['networking']['ip'])
|
|
|
|
exit 1 unless networks.any? { |network| IPAddr.new(network).include?(ip) }
|
|
exit 0
|
|
END
|
|
|
|
file { '/opt/puppetlabs/bin/autosign.rb':
|
|
ensure => file,
|
|
content => $script_content,
|
|
mode => '0755',
|
|
}
|
|
}
|