# File 'plans/configure_pe_certs.pp', line 9
# Configure the mutual TLS (mTLS) material the Puppet Enterprise host uses to talk
# to Security Compliance Management.
#
# Two modes:
#   * non-interactive — $pe_target_name is set: generate the certificates via
#     complyadm::create_pe_certs and store them, no prompts;
#   * interactive     — $pe_target_name is '': walk the operator through either
#     auto-generation (PE host picked from the Bolt inventory) or manual entry of
#     up to three files (TLS cert, TLS key, CA cert).
#
# $pe_target_name        - Bolt inventory name of the PE host; '' selects interactive mode.
# $hiera_data_file_path  - Hiera data file the certificate values are written to.
# $pkcs7_public_key_path - PKCS7 public key handed to complyadm::save_pe_certs.
#                          Presumably used to eyaml-encrypt what is stored — confirm,
#                          since the TLS *private key* goes through this path and must
#                          never land in the data file in clear text.
#
# Returns: in non-interactive mode, whatever complyadm::save_pe_certs reports; after an
# interactive auto-generate, true; after manual entry, true when at least one of the
# three files was stored; false when the operator declines at either yes/no gate.
plan complyadm::configure_pe_certs(
  String $pe_target_name = '',
  String $hiera_data_file_path = 'data/common.yaml',
  String $pkcs7_public_key_path = 'keys/public_key.pkcs7.pem',
) {
  # ---- Non-interactive mode ------------------------------------------------
  unless $pe_target_name == '' {
    $resolvable_host_name = complyadm::get_yaml_key_value('resolvable_hostname', $hiera_data_file_path)
    # NOTE(review): the target name is passed straight through with no inventory
    # membership check; an unknown name is expected to fail inside run_plan.
    $generated = run_plan('complyadm::create_pe_certs', pe_target_name => $pe_target_name, resolvable_host_name => $resolvable_host_name)
    # Positional unpacking assumes create_pe_certs returns [tls_crt, tls_key, ca_crt]
    # in exactly the order save_pe_certs takes them — confirm against that plan.
    return complyadm::save_pe_certs($generated[0], $generated[1], $generated[2], $hiera_data_file_path, $pkcs7_public_key_path)
  }

  # ---- Interactive mode ----------------------------------------------------
  complyadm::display("
A mutual TLS (mTLS) certificate is required for your Puppet Enterprise host to interact with
Security Compliance Management. A mTLS certificate can be automatically generated (provided
the Puppet Enterprise host exists as a target in your Bolt inventory) or provided manually.
mTLS can be configured post-install."
  )
  complyadm::display()

  # Every yes/no gate defaults to 'n' (mTLS is opt-in). Boolean() only converts
  # yes/no-style answers; anything else should raise and abort the plan rather
  # than being silently read as "no".
  unless Boolean(prompt('Would you like to configure mTLS?', 'default' => 'n')) {
    return false
  }
  complyadm::display()

  $targets = complyadm::bolt_project_inventory_targets()
  # NOTE(review): auto-generation is only offered when the inventory holds MORE THAN
  # ONE target. A single-target inventory therefore falls straight through to manual
  # entry with no message — confirm `> 0` was not the intent.
  if $targets.size > 1 and Boolean(prompt('Automatically generate mTLS certificate?', 'default' => 'n')) {
    complyadm::display()
    $chosen = prompt::menu('Select Puppet Enterprise target:', $targets)
    $resolvable_host_name = complyadm::get_yaml_key_value('resolvable_hostname', $hiera_data_file_path)
    $generated = run_plan('complyadm::create_pe_certs', pe_target_name => $chosen.name, resolvable_host_name => $resolvable_host_name)
    # Same [tls_crt, tls_key, ca_crt] ordering assumption as the non-interactive branch.
    complyadm::save_pe_certs($generated[0], $generated[1], $generated[2], $hiera_data_file_path, $pkcs7_public_key_path)
    return true
  }

  complyadm::display()
  unless Boolean(prompt('Would you like to provide mTLS certificate files?', 'default' => 'n')) {
    return false
  }

  # Manual entry. Each file is optional and handled the same way: ask, resolve the
  # operator-supplied path (absolute or module-relative "Puppet file path"), read it,
  # and store it via save_pe_certs with '' in the other two positions (presumably
  # "leave that value untouched" — confirm with save_pe_certs). A path that does not
  # resolve is reported and skipped; the plan does NOT abort, so an operator typo
  # yields a partially updated configuration.
  complyadm::display()
  $tls_crt_updated = if Boolean(prompt('Update TLS Cert?', 'default' => 'n')) {
    $tls_crt = prompt('TLS Cert (Absolute path or Puppet file path)', 'default' => 'complyadm/pe_certs/tls.crt')
    if file::exists($tls_crt) {
      complyadm::save_pe_certs(file::read($tls_crt), '', '', $hiera_data_file_path, $pkcs7_public_key_path)
    } else {
      out::message("Path ${tls_crt} does not exist, TLS Certificate not updated")
      false
    }
  } else {
    false
  }

  complyadm::display()
  # Private key material: file::read pulls the whole key into plan memory and it is
  # passed as the second positional argument. Only the path is prompted for, so the
  # key is never echoed on the terminal, but the source file should be mode 0600 and
  # the stored form must be the encrypted one (see $pkcs7_public_key_path above).
  $tls_key_updated = if Boolean(prompt('Update TLS Key?', 'default' => 'n')) {
    $tls_key = prompt('TLS Key (Absolute path or Puppet file path)', 'default' => 'complyadm/pe_certs/tls.key')
    if file::exists($tls_key) {
      complyadm::save_pe_certs('', file::read($tls_key), '', $hiera_data_file_path, $pkcs7_public_key_path)
    } else {
      out::message("Path ${tls_key} does not exist, TLS Key not updated")
      false
    }
  } else {
    false
  }

  complyadm::display()
  $ca_crt_updated = if Boolean(prompt('Update CA Cert?', 'default' => 'n')) {
    $ca_crt = prompt('CA Cert (Absolute path or Puppet file path)', 'default' => 'complyadm/pe_certs/ca.crt')
    if file::exists($ca_crt) {
      complyadm::save_pe_certs('', '', file::read($ca_crt), $hiera_data_file_path, $pkcs7_public_key_path)
    } else {
      out::message("Path ${ca_crt} does not exist, CA Certificate not updated")
      false
    }
  } else {
    false
  }

  # true when at least one of the three files was stored; each slot holds either
  # false or the value save_pe_certs returned for that file.
  $results = [$tls_crt_updated, $tls_key_updated, $ca_crt_updated]
  return true in $results
}