From 7c892c5ea2f1a82c1254737082e360708f40b79c Mon Sep 17 00:00:00 2001 From: Peter Ong Date: Fri, 2 Apr 2021 10:53:23 -0700 Subject: [PATCH 1/5] Conditionally generate the CA cert. --- manifests/init.pp | 2 ++ manifests/params.pp | 1 + manifests/server/config.pp | 19 ++++++++++--------- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 1890e4b50..788c15f1a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -734,6 +734,8 @@ Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files, Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef, Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef, + Boolean $generate_ca_cert = $puppet::params::generate_ca_cert, + ) inherits puppet::params { contain puppet::config diff --git a/manifests/params.pp b/manifests/params.pp index e45e2367f..0d77efcc6 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -34,6 +34,7 @@ $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false + $generate_ca_cert = true if defined('$::domain') { $srv_domain = $facts['networking']['domain'] diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 1cfa8bc03..a3b1ef938 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
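Review bot: The new parameter `$generate_ca_cert` in the init.pp hunk breaks the naming convention of its neighbours, which carry a `server_` prefix (`$server_max_open_files`, `$server_versioned_code_id`, `$server_versioned_code_content`) for values consumed on the puppetserver side of the module; the config.pp hunk reads it as `$puppet::generate_ca_cert` and only inside `if $puppet::server::ca`, so a `server_`-prefixed name would make that scope visible at the declaration. If the name is kept as is, a short comment next to the declaration stating that it only has an effect on CA servers would help readers of the parameter list. The parameter list this line sits in starts outside the hunk.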
@@ -164,15 +164,16 @@ $creates = $puppet::server::ssl_cert $command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names" } - - exec {'puppet_server_config-generate_ca_cert': - creates => $creates, - command => $command, - umask => '0022', - require => [ - Concat["${puppet::server::dir}/puppet.conf"], - Exec['puppet_server_config-create_ssl_dir'], - ], + if $puppet::generate_ca_cert { + exec {'puppet_server_config-generate_ca_cert': + creates => $creates, + command => $command, + umask => '0022', + require => [ + Concat["${puppet::server::dir}/puppet.conf"], + Exec['puppet_server_config-create_ssl_dir'], + ], + } } } elsif $puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca master From a86918f7fd176c994d3a0d77ab6ee01d1d533142 Mon Sep 17 00:00:00 2001 From: Peter Ong Date: Fri, 2 Apr 2021 11:43:19 -0700 Subject: [PATCH 2/5] Added documentation. --- manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 788c15f1a..4eaa8a81f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -462,7 +462,7 @@ # # $server_puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # -# $server_puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf +# $server_puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf # # $server_puppetserver_trusted_agents:: Certificate names of puppet agents that are allowed to fetch *all* catalogs # Defaults to [] and all agents are only allowed to fetch their own catalogs. @@ -536,6 +536,8 @@ # invokes when on static_file_content requests. # Defaults to undef # +# $generate_ca_cert:: Defaults to true. When true, the a ca cert is generated. +# # === Usage: # # * Simple usage: From 4fc67adba2e0f70af0ab82470f9a07ff640d7ecf Mon Sep 17 00:00:00 2001 
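Review bot: With `$puppet::generate_ca_cert` false and `$puppet::server::ca` true, the config.pp hunk no longer declares the exec that creates the file named by `$creates`, but nothing else in the hunk ensures that the CA certificate and key exist, so the server is still configured as a CA while its key material has to come from somewhere else; the reworked version of this block in patch 4 has the same property. A comment on the new `if` should record that contract, e.g. `# Skipped when the CA certificate and key are provisioned outside this module; the file named by $creates must exist before puppetserver starts.`. The surrounding `if $puppet::server::ca` block begins before the hunk.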
From: Peter Ong Date: Sun, 11 Apr 2021 20:56:49 -0700 Subject: [PATCH 3/5] Addressed @ekohl suggestion. --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 4eaa8a81f..80c2e5805 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -536,7 +536,7 @@ # invokes when on static_file_content requests. # Defaults to undef # -# $generate_ca_cert:: Defaults to true. When true, the a ca cert is generated. +# $generate_ca_cert:: Whether to generate CA certificate. Defaults to true. When true, the a ca cert is generated. # # === Usage: # From bdbc335e67b61f8f7561bd54024072e2a0a8a2db Mon Sep 17 00:00:00 2001 From: Peter Ong Date: Sun, 11 Apr 2021 20:59:31 -0700 Subject: [PATCH 4/5] Change to address @ekohl's suggestion. --- manifests/server/config.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/manifests/server/config.pp b/manifests/server/config.pp index a3b1ef938..493c0a1f9 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -157,14 +157,15 @@ # Generate a new CA and host cert if our host cert doesn't exist if $puppet::server::ca { - if versioncmp($::puppetversion, '6.0') > 0 { - $creates = $puppet::server::ssl_ca_cert - $command = "${puppet::puppetserver_cmd} ca setup" - } else { - $creates = $puppet::server::ssl_cert - $command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names" - } if $puppet::generate_ca_cert { + if versioncmp($::puppetversion, '6.0') > 0 { + $creates = $puppet::server::ssl_ca_cert + $command = "${puppet::puppetserver_cmd} ca setup" + } else { + $creates = $puppet::server::ssl_cert + $command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names" + } + exec {'puppet_server_config-generate_ca_cert': creates => $creates, command => $command, From 0683084f6740af06bcbe26b13cd444052f4a0ae0 Mon Sep 17 00:00:00 2001 
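Review bot: The rewritten documentation line for `$generate_ca_cert` still carries the "the a ca cert" typo from the previous wording and does not tell an operator what a false value implies. Suggested line: `# $generate_ca_cert:: Whether to generate the CA certificate. Defaults to true. Set to false when the CA certificate is provided by other means.`. The parameter documentation block continues outside the hunk.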
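Review bot: Moving the `$creates` and `$command` assignments inside `if $puppet::generate_ca_cert` leaves both unassigned when generation is disabled; if anything later in `puppet::server::config` (outside this hunk) still references either variable it will now see undef, which is worth confirming before merging. While these lines are being moved, `$::puppetversion` could become `$facts['puppetversion']`, matching the `$facts['networking']['domain']` form already used in the params.pp hunk of the first patch in this series. The enclosing `if $puppet::server::ca` block and the class continue outside the hunk.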
From: Peter Ong Date: Tue, 20 Apr 2021 09:52:44 -0700 Subject: [PATCH 5/5] Removed empty line as suggested by @ekohl. --- manifests/init.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 4eaa8a81f..7d7910579 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -737,7 +737,6 @@ Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef, Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef, Boolean $generate_ca_cert = $puppet::params::generate_ca_cert, - ) inherits puppet::params { contain puppet::config