unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
d8b354558d
puppet-prod/modules/incus/manifests/init.pp
Ben Vincent d8b354558d feat: add incus auto-client certificate trust (#406) 
- add fact to export vault public cert from agents
- add fact to export list of trusted incus client certs
- add method for incus clients to export their client cert to be trusted

Reviewed-on: #406
2025-10-17 22:46:26 +11:00

102 lines
2.7 KiB
Puppet
Raw Blame History

class incus (
Array[String] $packages = [
'incus',
'incus-tools',
'incus-client'
],
Boolean $cluster = false,
Boolean $init = true,
String $bridge = 'incusbr0',
Stdlib::Port $server_port = 8443,
Stdlib::IP::Address $server_addr = $facts['networking']['ip'],
Optional[String] $storage_images_volume = undef,
) {
package { $packages:
ensure => installed,
}
service { 'incus':
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
subscribe => [
File['/var/lib/incus/server.crt'],
File['/var/lib/incus/server.key'],
],
}
file_line { 'subuid_root':
ensure => present,
path => '/etc/subuid',
line => 'root:1000000:1000000000',
match => '^root:',
notify => Service['incus'],
}
file_line { 'subgid_root':
ensure => present,
path => '/etc/subgid',
line => 'root:1000000:1000000000',
match => '^root:',
notify => Service['incus'],
}
if $init {
file {'/root/incus.preseed.yaml':
ensure => file,
owner => root,
group => root,
content => template('incus/join_preseed.yaml.erb')
}
exec { 'initiate_incus':
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
creates => '/root/.incus_initialized',
require => File['/root/incus.preseed.yaml'],
}
}
file { '/var/lib/incus/server.crt':
ensure => file,
source => '/etc/pki/tls/vault/certificate.crt',
owner => 'root',
group => 'root',
mode => '0644',
}
file { '/var/lib/incus/server.key':
ensure => file,
source => '/etc/pki/tls/vault/private.key',
owner => 'root',
group => 'root',
mode => '0600',
}
if $facts['incus'] and $facts['incus']['config'] {
# set core.https_address
if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
exec { 'incus_config_set_core_https_address':
path => ['/bin', '/usr/bin'],
command => "incus config set core.https_address ${server_addr}:${server_port}",
}
}
# set storage.images_volume # path to store images
if $storage_images_volume {
if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume {
exec { 'incus_config_set_storage_images_volume':
path => ['/bin', '/usr/bin'],
command => "incus config set storage.images_volume ${storage_images_volume}",
}
}
}
# Collect exported client certificates and manage trust
Incus::Client_cert <<| tag == 'incus_client' |>> {
require => Service['incus'],
}
}
}
Reference in New Issue View Git Blame Copy Permalink