Puppet Class: profile::openstack::base::puppetserver::cert_cleaning

Defined in:
modules/profile/manifests/openstack/base/puppetserver/cert_cleaning.pp

Summary

allows the cloudcontrol hosts to SSH in to clean Puppet certificates for deleted instances

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • openstack_control_nodes (Array[OpenStack::ControlNode]) (defaults to: lookup('profile::openstack::base::openstack_control_nodes'))


# File 'modules/profile/manifests/openstack/base/puppetserver/cert_cleaning.pp', line 4

class profile::openstack::base::puppetserver::cert_cleaning (
  Array[OpenStack::ControlNode] $openstack_control_nodes = lookup('profile::openstack::base::openstack_control_nodes'),
) {
  # Private FQDN of every control node, read from each node's 'cloud_private_fqdn' entry.
  $openstack_control_node_hostnames = $openstack_control_nodes.map |$node| { $node['cloud_private_fqdn'] }
  # Resolve each FQDN to its address(es) and flatten into a single list. The lookup runs
  # at catalog compile time, so the addresses are fixed in the catalog until the next agent run.
  $remote_cert_cleaners = $openstack_control_node_hostnames.map |Stdlib::Fqdn $node| { dnsquery::lookup($node) }.flatten

  # Dedicated system account the control nodes log in as; it has no usable home directory.
  user { 'certmanager':
    home   => '/nonexistent',
    system => true,
  }

  # Allow remote execution for cert cleanup: the authorized key for 'certmanager'
  # comes from the puppetmaster module's template.
  ssh::userkey { 'certmanager.pub':
    content => template('puppetmaster/puppet_cert_manager.pub.erb'),
    user    => 'certmanager',
  }

  # Passwordless sudo limited to the two puppetserver CA commands the cleaner needs.
  # NOTE(review): in sudoers a '*' matches any string, whitespace included, so the first
  # rule pins the command but not what follows '--certname'; if tighter scoping is wanted,
  # a wrapper that validates the certname before calling 'puppetserver ca clean' is the
  # usual mitigation.
  sudo::user { 'certmanager':
    privileges => [
      'ALL = (root) NOPASSWD: /usr/bin/puppetserver ca clean --certname *',
      'ALL = (root) NOPASSWD: /usr/bin/puppetserver ca list --all --format json',
    ],
  }

  # pam_access rule ('+' = permit) allowing 'certmanager' logins only from the resolved
  # control-node addresses, so the key above is only usable from those hosts.
  # NOTE(review): if none of the DNS lookups return an address the origin field is empty —
  # confirm how pam_access treats that line rather than assuming it denies.
  security::access::config { 'certmanager':
    content  => "+ : certmanager : ${remote_cert_cleaners.join(' ')}\n",
    priority => 60,
  }
}