Puppet Class: puppet::server::ca::generate

Defined in:
manifests/server/ca/generate.pp

Summary

A short summary of the purpose of this class

Overview

A description of what this class does

Examples:

include puppet::server::ca::generate

Parameters:

  • dns_alt_names (Array[Stdlib::Fqdn]) (defaults to: ['puppet', $facts['networking']['fqdn']])

    Subject alternative names for the generated cert

  • certname (Variant[Boolean, Stdlib::Fqdn]) (defaults to: true)

    Whether to pass the --certname parameter to the generate command. If set to true, then $::fqdn will be used as the certname.

  • ttl (Variant[Pattern[/^[0-9]+[smhdy]?/], Integer]) (defaults to: '10y')


# File 'manifests/server/ca/generate.pp', line 14

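class puppet::server::ca::generate (
  Array[Stdlib::Fqdn] $dns_alt_names = ['puppet', $facts['networking']['fqdn']],
  Variant[Boolean, Stdlib::Fqdn] $certname = true,
  # Anchored with \A and \z so the whole value must match: $ttl is interpolated
  # verbatim into a shell command below, and the previous start-only anchor
  # accepted arbitrary trailing characters after the digits/unit.
  Variant[Pattern[/\A[0-9]+[smhdy]?\z/], Integer] $ttl = '10y',
) {
  include puppet::globals

  # Only emit --subject-alt-names when at least one name was supplied; an empty
  # array gives undef at index 0, which falls through to the default branch.
  $subject_alt_names_param = $dns_alt_names[0] ? {
    Stdlib::Fqdn => join(['--subject-alt-names', join($dns_alt_names, ',')], ' '),
    default      => '',
  }

  # An explicit FQDN is passed through; true means "this node's own FQDN";
  # false omits the flag entirely.
  $certname_param = $certname ? {
    Stdlib::Fqdn => "--certname ${certname}",
    true         => "--certname ${facts['networking']['fqdn']}",
    default      => '',
  }

  $cert_generate_files = $puppet::globals::cert_generate_files
  $hostcert = $puppet::globals::hostcert

  # Single guard shared by every exec below: exits 0 while the current host
  # certificate has not yet expired, in which case nothing here should run.
  # NOTE(review): a missing ${hostcert} is presumably a non-zero exit from
  # openssl and therefore also triggers regeneration — confirm on the target.
  $hostcert_valid = "openssl x509 -in ${hostcert} -checkend 0"

  # These certificate assets should be moved aside before generate runs;
  # `mv -n` never overwrites an existing backup with the same timestamp.
  $timestamp = Timestamp.new().strftime('%Y%m%dT%H%M%S')
  $cert_generate_files.each |Stdlib::Unixpath $path| {
    exec { "backup ${path}":
      path    => '/bin:/usr/bin',
      command => "mv -n ${path} ${path}.${timestamp}",
      onlyif  => "test -f ${path}",
      unless  => $hostcert_valid,
      before  => Exec['puppetserver ca generate'],
    }
  }

  # The server must be down while its CA/host certificate is replaced.
  exec { 'stop puppetserver':
    command => 'systemctl stop puppetserver',
    path    => '/bin:/usr/bin',
    onlyif  => 'systemctl status puppetserver',
    unless  => $hostcert_valid,
  }

  # Resulting command, for example (placeholders, not real hosts):
  #   puppetserver ca generate --force --ca-client \
  #     --certname <fqdn> --subject-alt-names <fqdn>,puppet --ttl 10y
  exec { 'puppetserver ca generate':
    path    => '/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin:/bin:/usr/bin',
    command => "puppetserver ca generate --force --ca-client ${certname_param} ${subject_alt_names_param} --ttl ${ttl}", # lint:ignore:140chars
    unless  => $hostcert_valid,
    require => Exec['stop puppetserver'],
  }
}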