Puppet Class: puppetserver::ca

Defined in:
modules/puppetserver/manifests/ca.pp

Summary

configure the puppetserver CA

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • enable (Boolean) (defaults to: true)

    indicate whether the CA service is enabled on this puppetserver; when false the certificate-authority-disabled-service is configured in ca.cfg instead

  • intermediate_ca (Boolean) (defaults to: false)

    configure the Puppet CA with an externally issued intermediate CA; when true, ca_public_key, ca_crl and ca_private_key must all be set

  • ca_public_key (Optional[Stdlib::Filesource]) (defaults to: undef)

    location (file source) of the intermediate CA certificate bundle; it is copied to custom_ca/ca.pem and passed to `puppetserver ca import --cert-bundle`

  • ca_crl (Optional[Stdlib::Filesource]) (defaults to: undef)

    location (file source) of the intermediate CRL chain; it is copied to custom_ca/crl.pem and passed to `puppetserver ca import --crl-chain`

  • ca_private_key (Optional[Sensitive]) (defaults to: undef)

    the content of the intermediate CA private key. It must be wrapped in Sensitive so it is redacted from logs and reports; it is written to custom_ca/ca.key with mode 0400 and passed to `puppetserver ca import --private-key`



# File 'modules/puppetserver/manifests/ca.pp', line 8

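# Configures the puppetserver certificate authority.
#
# Always writes the trapperkeeper bootstrap entry (ca.cfg) that selects either
# the real CA service or the "disabled" CA service. When $intermediate_ca is
# set, it additionally stages an externally issued CA bundle, private key and
# CRL chain under custom_ca/ and imports them with `puppetserver ca import`
# before the puppetserver service is unmasked/started.
class puppetserver::ca (
    Boolean                      $enable          = true,
    Boolean                      $intermediate_ca = false,
    Optional[Stdlib::Filesource] $ca_public_key   = undef,
    Optional[Stdlib::Filesource] $ca_crl          = undef,
    Optional[Sensitive]          $ca_private_key  = undef,
) {
    # An intermediate CA needs all three artefacts. Abort catalog compilation
    # instead of merely logging: with alert() the catalog would still be applied,
    # creating empty ca.pem/ca.key/crl.pem and then running the import against
    # them.
    if $intermediate_ca and [$ca_public_key, $ca_crl, $ca_private_key].any |$item| { $item =~ Undef } {
        fail("you must set all \$ca_public_key, \$ca_crl, \$ca_private_key when using \$intermediate_ca")
    }

    # Trapperkeeper services listed in ca.cfg: the filesystem watcher is always
    # present; the CA entry switches between the enabled and disabled variants.
    $base_content = 'puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service'
    if $enable {
        $ca_content = 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service'
    } else {
        $ca_content = 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service'
    }
    # NOTE(review): "bootstap" is kept as-is to match the variable name in the
    # parent puppetserver class — confirm against that class before renaming.
    file { "${puppetserver::bootstap_config_dir}/ca.cfg":
        ensure  => file,
        content => "${[$base_content, $ca_content].join("\n")}\n",
        before  => Service['puppetserver'],
    }

    # Staging area for the externally issued CA material.
    $custom_ca_dir = "${puppetserver::config_dir}/puppetserver/custom_ca"
    $ca_file = "${custom_ca_dir}/ca.pem"
    $key_file = "${custom_ca_dir}/ca.key"
    $crl_file = "${custom_ca_dir}/crl.pem"

    if $intermediate_ca {
        # All staged files are owner-read-only (0400) and owned by the
        # puppetserver user. The private key is passed as Sensitive content so
        # Puppet redacts it from reports and logs. Puppet adds the execute bit
        # to the directory automatically for the read-permission categories.
        file {
            default:
                ensure => file,
                owner  => $puppetserver::owner,
                mode   => '0400',
                before => Exec['import intermediate CA file'];
            $custom_ca_dir:
                ensure => directory;
            $ca_file:
                source => $ca_public_key;
            $key_file:
                content => $ca_private_key;
            $crl_file:
                source => $ca_crl;
        }
        # The key never appears on the command line; only file paths do.
        $command = @("COMMAND"/L)
        /usr/bin/puppetserver ca import \
         --cert-bundle ${ca_file} \
         --private-key ${key_file} \
         --crl-chain ${crl_file}
        |- COMMAND
        # Runs once: `puppetserver ca import` creates the ca directory, which is
        # used as the idempotency guard. It must run after the package is
        # installed and before the service is unmasked/started, because the
        # import refuses to overwrite an existing CA.
        exec{'import intermediate CA file':
            command => $command,
            creates => "${puppetserver::config_dir}/puppetserver/ca",
        }
        Package['puppetserver'] ~> Exec['import intermediate CA file'] ~> Systemd::Unmask['puppetserver.service']
    }
}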