6 changes: 5 additions & 1 deletion manifests/init.pp
Expand Up @@ -462,7 +462,7 @@
#
# $server_puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true
#
# $server_puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf
# $server_puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf
#
# $server_puppetserver_trusted_agents:: Certificate names of puppet agents that are allowed to fetch *all* catalogs
# Defaults to [] and all agents are only allowed to fetch their own catalogs.
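Review bot: the removed and added `$server_puppetserver_auth_template` lines read identically here, so this looks like a whitespace-only edit unrelated to `generate_ca_cert`. Consider dropping it from this change, or mentioning the cleanup in the commit message, so the diff stays limited to the new parameter.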
Expand Down Expand Up @@ -536,6 +536,8 @@
# invokes when on static_file_content requests.
# Defaults to undef
#
# $generate_ca_cert:: Defaults to true. When true, the a ca cert is generated.
Member
Suggested change
# $generate_ca_cert:: Defaults to true. When true, the a ca cert is generated.
# $generate_ca_cert:: Whether or not a CA certificate is generated.

Author
Will do.

#
# === Usage:
#
# * Simple usage:
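Review bot: the `$generate_ca_cert` description does not cover the false case, which is the reason anyone would set the parameter. In addition to the wording fix already suggested, state that when false the module skips the `puppet_server_config-generate_ca_cert` exec and the certificate has to be provisioned by other means.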
Expand Down Expand Up @@ -734,6 +736,8 @@
Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files,
Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef,
Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef,
Boolean $generate_ca_cert = $puppet::params::generate_ca_cert,

Member
Suggested change

) inherits puppet::params {
contain puppet::config
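Review bot: `$generate_ca_cert` is declared directly after the `$server_*` parameters, and in the changes shown it is consumed in manifests/server/config.pp, but its name lacks the `server_` prefix its neighbours use. A prefixed name (for example `$server_generate_ca_cert`, as a suggestion) would make clear that it has no effect on agent-only nodes.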

1 change: 1 addition & 0 deletions manifests/params.pp
Expand Up @@ -34,6 +34,7 @@
$server_compile_mode = undef
$dns_alt_names = []
$use_srv_records = false
$generate_ca_cert = true

if defined('$::domain') {
$srv_domain = $facts['networking']['domain']
19 changes: 10 additions & 9 deletions manifests/server/config.pp
Expand Up @@ -164,15 +164,16 @@
$creates = $puppet::server::ssl_cert
$command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names"
}

exec {'puppet_server_config-generate_ca_cert':
creates => $creates,
command => $command,
umask => '0022',
require => [
Concat["${puppet::server::dir}/puppet.conf"],
Exec['puppet_server_config-create_ssl_dir'],
],
if $puppet::generate_ca_cert {
Member
I think you can move this up a bit so it also captures the if/else block to determine $creates and $command. They're only used in this exec.

Author
ok, will do.

exec {'puppet_server_config-generate_ca_cert':
creates => $creates,
command => $command,
umask => '0022',
require => [
Concat["${puppet::server::dir}/puppet.conf"],
Exec['puppet_server_config-create_ssl_dir'],
],
}
}
} elsif $puppet::server::ca_crl_sync {
# If not a ca AND sync the crl from the ca master
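Review bot: when `$puppet::generate_ca_cert` is false, this branch declares nothing for the file named by `$creates` and nothing checks that it exists, so the precondition that the certificate is already in place is silent. Consider documenting it or failing early when the file is absent, and check that no other resource has a `require` or `subscribe` on `Exec['puppet_server_config-generate_ca_cert']`, since that reference would not resolve once the exec is conditional. The visible `$command` runs `cert --generate ${puppet::server::certname}`, so the flag also skips the server certificate, which the name `generate_ca_cert` does not convey.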