Ben Vincent
b468f67103
- manage python script/venv to sign ssh host certificates - add approle_id to puppetmaster eyaml files - add class to sign ssh-rsa host keys - add facts to check if the current principals match the desired principals
78 lines
2.2 KiB
Puppet
78 lines
2.2 KiB
Puppet
# profiles::helpers::sshsignhost
|
|
#
|
|
# wrapper class for python, pip and venv
|
|
class profiles::helpers::sshsignhost (
|
|
String $script_name = 'sshsignhost',
|
|
Stdlib::AbsolutePath $base_path = "/opt/${script_name}",
|
|
Stdlib::AbsolutePath $venv_path = "${base_path}/venv",
|
|
Stdlib::AbsolutePath $config_path = "${base_path}/config.yaml",
|
|
Hash $vault_config = {},
|
|
String $owner = 'root',
|
|
String $group = 'root',
|
|
Boolean $systempkgs = false,
|
|
String $version = 'system',
|
|
Array[String[1]] $packages = ['requests', 'pyyaml'],
|
|
){
|
|
|
|
if $::facts['python3_version'] {
|
|
|
|
$python_version = $version ? {
|
|
'system' => $::facts['python3_version'],
|
|
default => $version,
|
|
}
|
|
|
|
# ensure the base_path exists
|
|
file { $base_path:
|
|
ensure => directory,
|
|
mode => '0755',
|
|
owner => $owner,
|
|
group => $group,
|
|
}
|
|
|
|
# create a venv
|
|
python::pyvenv { $venv_path :
|
|
ensure => present,
|
|
version => $python_version,
|
|
systempkgs => $systempkgs,
|
|
venv_dir => $venv_path,
|
|
owner => $owner,
|
|
group => $group,
|
|
require => File[$base_path],
|
|
}
|
|
|
|
# install the required pip packages
|
|
$packages.each |String $package| {
|
|
python::pip { "${venv_path}_${package}":
|
|
ensure => present,
|
|
pkgname => $package,
|
|
virtualenv => $venv_path,
|
|
}
|
|
}
|
|
|
|
# create the script from a template
|
|
file { "${base_path}/${script_name}":
|
|
ensure => file,
|
|
mode => '0755',
|
|
content => template("profiles/helpers/${script_name}.erb"),
|
|
require => Python::Pyvenv[$venv_path],
|
|
}
|
|
|
|
# create the config from a template
|
|
file { $config_path:
|
|
ensure => file,
|
|
mode => '0660',
|
|
owner => 'puppet',
|
|
group => 'root',
|
|
content => Sensitive(template("profiles/helpers/${script_name}_config.yaml.erb")),
|
|
require => Python::Pyvenv[$venv_path],
|
|
}
|
|
|
|
# create symbolic link in $PATH
|
|
file { "/usr/local/bin/${script_name}":
|
|
ensure => 'link',
|
|
target => "${base_path}/${script_name}",
|
|
require => File["${base_path}/${script_name}"],
|
|
}
|
|
}
|
|
}
|