Puppet Class: puppet::server::ca::import

Defined in:
manifests/server/ca/import.pp

Summary

Import existing CA into current server

Overview

Import existing CA into current server

Examples:

include puppet::server::ca::import

Parameters:

  • certname (Variant[ Boolean, Stdlib::Fqdn ]) (defaults to: true)

    Whether to pass the `--certname` parameter to the import command. If set to true, `$::fqdn` will be used as the certname. If set to false, no certname parameter is passed (the import command will generate a random string). If set to a string, the provided string will be used as the certname.

  • import_path (Stdlib::Unixpath)
  • dns_alt_names (Array[Stdlib::Fqdn]) (defaults to: ['puppet', $::fqdn])


# File 'manifests/server/ca/import.pp', line 13

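class puppet::server::ca::import (
  Stdlib::Unixpath
          $import_path,
  Array[Stdlib::Fqdn]
          $dns_alt_names = ['puppet', $::fqdn],
  Variant[
    Boolean,
    Stdlib::Fqdn
  ]       $certname      = true,
)
{
  include puppet::server::install
  include puppet::globals
  include puppet::params

  # Agent-side PKI assets already present on this host; they are moved aside
  # (never deleted) before the CA is imported so they do not conflict with the
  # imported CA.
  $localcacert = $puppet::params::localcacert
  $hostcrl     = $puppet::params::hostcrl
  $hostcert    = $puppet::params::hostcert

  # Server-side CA certificate. Its existence marks the import as already done:
  # every exec below uses it as `creates`, which keeps the class idempotent.
  $cacert      = $puppet::globals::cacert

  # File names expected inside $import_path are fixed by this class.
  $import_cakey  = "${import_path}/ca_key.pem"
  $import_cacert = "${import_path}/ca_crt.pem"
  $import_cacrl  = "${import_path}/ca_crl.pem"

  # Not referenced below, but kept: class-scope variables are reachable from
  # other manifests as $puppet::server::ca::import::<name>.
  $import_serial = "${import_path}/serial"
  $import_cert_inventory = "${import_path}/inventory.txt"

  # --subject-alt-names is only emitted when the list is non-empty:
  # $dns_alt_names[0] is undef for an empty array and falls through to default.
  $subject_alt_names_param = $dns_alt_names[0] ? {
    Stdlib::Fqdn => join(['--subject-alt-names', join($dns_alt_names, ',')], ' '),
    default      => '',
  }

  # true -> this host's FQDN; a string -> that name; false -> no --certname,
  # leaving the choice to the import command.
  $certname_param = $certname ? {
    Stdlib::Fqdn => "--certname ${certname}",
    true         => "--certname ${::fqdn}",
    default      => '',
  }

  # All three source files must exist. Shared by the backup execs and the import
  # exec so the two guards cannot drift apart.
  $import_condition = [
    "test -f ${import_cakey}",
    "test -f ${import_cacert}",
    "test -f ${import_cacrl}",
  ]

  # These PKI assets should be moved aside before the CA import. The suffix is
  # computed at catalog compilation, so all backups of one run share a single
  # timestamp, and `mv -n` never overwrites an existing backup.
  $timestamp = Timestamp.new().strftime('%Y%m%dT%H%M%S')
  exec {
    default:
      path    => '/bin:/usr/bin',
      creates => $cacert,
      before  => Exec['puppetserver ca import'],
    ;
    "backup ${hostcrl}":
      command => "mv -n ${hostcrl} ${hostcrl}.${timestamp}",
      onlyif  => [ "test -f ${hostcrl}" ] + $import_condition,
    ;
    "backup ${hostcert}":
      command => "mv -n ${hostcert} ${hostcert}.${timestamp}",
      onlyif  => [ "test -f ${hostcert}" ] + $import_condition,
    ;
    "backup ${localcacert}":
      command => "mv -n ${localcacert} ${localcacert}.${timestamp}",
      onlyif  => [ "test -f ${localcacert}" ] + $import_condition,
    ;
  }

  # NOTE(review): $import_path, $certname and $dns_alt_names are interpolated
  # into the command line without quoting. The Stdlib types bound their content,
  # but Stdlib::Unixpath does not exclude whitespace or shell metacharacters, so
  # $import_path should only come from trusted configuration.
  exec { 'puppetserver ca import':
    path    => '/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin:/bin:/usr/bin',
    command => "puppetserver ca import ${subject_alt_names_param} ${certname_param} --private-key ${import_cakey} --cert-bundle ${import_cacert} --crl-chain ${import_cacrl}", # lint:ignore:140chars
    onlyif  => $import_condition,
    creates => $cacert,
  }

  Class['puppet::server::install'] -> Exec['puppetserver ca import']
}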