diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index fd07a297..648241a1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -4,7 +4,7 @@ name: CI🚦
on:
pull_request:
branches:
- - main
+ - 'main'
workflow_dispatch:
jobs:
diff --git a/README.md b/README.md
index 6c451b49..ef199598 100644
--- a/README.md
+++ b/README.md
@@ -99,6 +99,10 @@ The following environment variables are supported:
| **CA_HOSTNAME** | The DNS hostname for the puppetserver running the CA. Does nothing unless `CA_ENABLED=false`
`puppet` |
| **CA_PORT** | The listening port of the CA. Does nothing unless `CA_ENABLED=false`
`8140` |
| **CA_ALLOW_SUBJECT_ALT_NAMES** | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.
`false` |
+| **INTERMEDIATE_CA** | Allows to import an existing intermediate CA. Needs `INTERMEDIATE_CA_BUNDLE`, `INTERMEDIATE_CA_CHAIN` and `INTERMEDIATE_CA_KEY`. See [Puppet Intermediat CA](https://www.puppet.com/docs/puppet/latest/server/intermediate_ca.html) |
+| **INTERMEDIATE_CA_BUNDLE** | File path and name to the complete CA bundle (signing CA + Intermediate CA) |
+| **INTERMEDIATE_CRL_CHAIN** | File path and name to the complete CA CRL chain |
+| **INTERMEDIATE_CA_KEY** | File path and name to the private CA key |
| **PUPPET_REPORTS** | Sets `reports` in puppet.conf
`puppetdb` |
| **PUPPET_STORECONFIGS** | Sets `storeconfigs` in puppet.conf
`true` |
| **PUPPET_STORECONFIGS_BACKEND** | Sets `storeconfigs_backend` in puppet.conf
`puppetdb` |
diff --git a/puppetserver/Dockerfile b/puppetserver/Dockerfile
index d8cd733f..eb9cca63 100644
--- a/puppetserver/Dockerfile
+++ b/puppetserver/Dockerfile
@@ -35,6 +35,10 @@ ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
CA_HOSTNAME=puppet \
CA_PORT=8140 \
CA_ALLOW_SUBJECT_ALT_NAMES=false \
+ INTERMEDIATE_CA=false \
+ INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediat/ca.pem \
+ INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \
+ INTERMEDIATE_CA_KEY=/etc/puppetlabs/intermediate/key.pem \
USE_PUPPETDB=true \
PUPPETDB_SERVER_URLS=https://puppetdb:8081 \
PUPPET_STORECONFIGS_BACKEND="puppetdb" \
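Review bot: The default on the `INTERMEDIATE_CA_BUNDLE` line points at `/etc/puppetlabs/intermediat/ca.pem`, while the CRL and key defaults on the next two lines use `/etc/puppetlabs/intermediate/`; anyone who mounts all three files into the `intermediate/` directory will have the import fail on the bundle, so the line should read `INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \`. Because these three defaults are non-empty, the `-z` sanity checks in `90-ca.sh` in this same change can never trigger; the guard there has to test that the files exist and are readable rather than that the variables are set. The README row in this change also documents the CRL variable as `INTERMEDIATE_CA_CHAIN`, but the name read everywhere else is `INTERMEDIATE_CRL_CHAIN`.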
diff --git a/puppetserver/docker-entrypoint.d/90-ca.sh b/puppetserver/docker-entrypoint.d/90-ca.sh
index 50075dcd..e95b015d 100755
--- a/puppetserver/docker-entrypoint.d/90-ca.sh
+++ b/puppetserver/docker-entrypoint.d/90-ca.sh
@@ -45,31 +45,52 @@ else
hocon -f /etc/puppetlabs/puppetserver/conf.d/ca.conf \
set certificate-authority.allow-subject-alt-names "${CA_ALLOW_SUBJECT_ALT_NAMES}"
- new_cadir=/etc/puppetlabs/puppetserver/ca
-
- if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
- # There is no existing CA
-
- # Append user-supplied DNS Alt Names
- if [ -n "$DNS_ALT_NAMES" ]; then
- current="$(puppet config print --section main dns_alt_names)"
- # shell parameter expansion to remove trailing comma if there is one
- updated="${DNS_ALT_NAMES%,}"
- if [ -n "$current" ]; then updated="$current","$updated"; fi
- puppet config set --section main dns_alt_names "$updated"
- fi
-
- timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
- ca_name="Puppet CA generated on ${HOSTNAME} at $timestamp"
-
- # See puppet.conf file for relevant settings
- puppetserver ca setup \
- --ca-name "$ca_name" \
- --config /etc/puppetlabs/puppet/puppet.conf
-
- elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
- # Legacy CA upgrade
- puppetserver ca migrate \
- --config /etc/puppetlabs/puppet/puppet.conf
+ if [[ "$INTERMEDIATE_CA" != "true" ]]; then
+ # sanity check
+ if [[ -z $INTERMEDIATE_CA_BUNDLE ]]; then
+ echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CA_BUNDLE'
+ exit 99
+ fi
+ if [[ -z $INTERMEDIATE_CRL_CHAIN ]]; then
+ echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CRL_CHAIN'
+ exit 99
+ fi
+ if [[ -z $INTERMEDIATE_CA_KEY ]]; then
+ echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CA_KEY'
+ exit 99
+ fi
+
+ puppetserver ca import \
+ --cert-bundle $INTERMEDIATE_CA_BUNDLE \
+ --crl-chain $INTERMEDIATE_CRL_CHAIN \
+ --private-key $INTERMEDIATE_CA_KEY
+ else
+ new_cadir=/etc/puppetlabs/puppetserver/ca
+
+ if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
+ # There is no existing CA
+
+ # Append user-supplied DNS Alt Names
+ if [ -n "$DNS_ALT_NAMES" ]; then
+ current="$(puppet config print --section main dns_alt_names)"
+ # shell parameter expansion to remove trailing comma if there is one
+ updated="${DNS_ALT_NAMES%,}"
+ if [ -n "$current" ]; then updated="$current","$updated"; fi
+ puppet config set --section main dns_alt_names "$updated"
+ fi
+
+ timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
+ ca_name="Puppet CA generated on ${HOSTNAME} at $timestamp"
+
+ # See puppet.conf file for relevant settings
+ puppetserver ca setup \
+ --ca-name "$ca_name" \
+ --config /etc/puppetlabs/puppet/puppet.conf
+
+ elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
+ # Legacy CA upgrade
+ puppetserver ca migrate \
+ --config /etc/puppetlabs/puppet/puppet.conf
+ fi
fi
fi
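Review bot: The guard on the new branch is inverted: `if [[ "$INTERMEDIATE_CA" != "true" ]]` runs `puppetserver ca import` precisely when the feature is off (the Dockerfile default is `false`) and pushes the normal `ca setup`/`ca migrate` path into the `else`, so a stock container tries to import a non-existent intermediate CA and never generates its own; the error text on that branch ("When enabling intermediate ca") shows the intent was `if [[ "$INTERMEDIATE_CA" == "true" ]]; then`. The sanity checks only test `-z`, so a mistyped or unmounted path passes straight through to `ca import`, and since the Dockerfile sets non-empty defaults the `-z` tests alone never fire; checking readability (`-r`) is what actually catches a missing file. The `--cert-bundle`/`--crl-chain`/`--private-key` arguments are unquoted (SC2086), and unlike the `setup`/`migrate` calls this import runs on every container start even when `$new_cadir/ca_crt.pem` already exists, so it should probably be guarded the same way and, for consistency with its siblings, likely passed `--config` as well. The `if … else` this branch lives in begins before the hunk.
```shell
  new_cadir=/etc/puppetlabs/puppetserver/ca

  if [[ "$INTERMEDIATE_CA" == "true" ]]; then
    # Every input must be a readable file; -z alone cannot catch a wrong
    # path, and the Dockerfile defaults are never empty anyway.
    for f in "$INTERMEDIATE_CA_BUNDLE" "$INTERMEDIATE_CRL_CHAIN" "$INTERMEDIATE_CA_KEY"; do
      if [[ -z "$f" || ! -r "$f" ]]; then
        echo "Error: When enabling intermediate ca, INTERMEDIATE_CA_BUNDLE, INTERMEDIATE_CRL_CHAIN and INTERMEDIATE_CA_KEY must all point to readable files (got '$f')" >&2
        exit 99
      fi
    done

    # Import only on first start; do not run `ca import` against a CA
    # that is already present in the new cadir.
    if [ ! -f "$new_cadir/ca_crt.pem" ]; then
      puppetserver ca import \
        --cert-bundle "$INTERMEDIATE_CA_BUNDLE" \
        --crl-chain "$INTERMEDIATE_CRL_CHAIN" \
        --private-key "$INTERMEDIATE_CA_KEY" \
        --config /etc/puppetlabs/puppet/puppet.conf
    fi
  else
    # … unchanged: self-signed CA setup / legacy CA migrate …
  fi
```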