From 84f7d5c6a8fbe66254c17f2a05661d60f776fa16 Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Tue, 27 Aug 2024 15:30:35 +0200
Subject: [PATCH 1/4] feat: Allow usage of intermediate CA fixes #94

Signed-off-by: Martin Alfke
---
 README.md | 4 ++
 puppetserver/Dockerfile | 4 ++
 puppetserver/docker-entrypoint.d/90-ca.sh | 73 +++++++++++++++--------
 3 files changed, 55 insertions(+), 26 deletions(-)

diff --git a/README.md b/README.md
index 6c451b49..ef199598 100644
--- a/README.md
+++ b/README.md
@@ -99,6 +99,10 @@ The following environment variables are supported:
 | **CA_HOSTNAME** | The DNS hostname for the puppetserver running the CA. Does nothing unless `CA_ENABLED=false`

`puppet` | | **CA_PORT** | The listening port of the CA. Does nothing unless `CA_ENABLED=false`

`8140` | | **CA_ALLOW_SUBJECT_ALT_NAMES** | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.

`false` |
+| **INTERMEDIATE_CA** | Allows to import an existing intermediate CA. Needs `INTERMEDIATE_CA_BUNDLE`, `INTERMEDIATE_CA_CHAIN` and `INTERMEDIATE_CA_KEY`. See [Puppet Intermediat CA](https://www.puppet.com/docs/puppet/latest/server/intermediate_ca.html) |
+| **INTERMEDIATE_CA_BUNDLE** | File path and name to the complete CA bundle (signing CA + Intermediate CA) |
+| **INTERMEDIATE_CRL_CHAIN** | File path and name to the complete CA CRL chain |
+| **INTERMEDIATE_CA_KEY** | File path and name to the private CA key |
 | **PUPPET_REPORTS** | Sets `reports` in puppet.conf

`puppetdb` | | **PUPPET_STORECONFIGS** | Sets `storeconfigs` in puppet.conf

`true` | | **PUPPET_STORECONFIGS_BACKEND** | Sets `storeconfigs_backend` in puppet.conf

`puppetdb` |
diff --git a/puppetserver/Dockerfile b/puppetserver/Dockerfile
index d8cd733f..eb9cca63 100644
--- a/puppetserver/Dockerfile
+++ b/puppetserver/Dockerfile
@@ -35,6 +35,10 @@ ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
 CA_HOSTNAME=puppet \
 CA_PORT=8140 \
 CA_ALLOW_SUBJECT_ALT_NAMES=false \
+ INTERMEDIATE_CA=false \
+ INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediat/ca.pem \
+ INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \
+ INTERMEDIATE_CA_KEY=/etc/puppetlabs/intermediate/key.pem \
 USE_PUPPETDB=true \
 PUPPETDB_SERVER_URLS=https://puppetdb:8081 \
 PUPPET_STORECONFIGS_BACKEND="puppetdb" \
diff --git a/puppetserver/docker-entrypoint.d/90-ca.sh b/puppetserver/docker-entrypoint.d/90-ca.sh
index 50075dcd..e95b015d 100755
--- a/puppetserver/docker-entrypoint.d/90-ca.sh
+++ b/puppetserver/docker-entrypoint.d/90-ca.sh
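Review bot: The default `INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediat/ca.pem` is missing the `e` in `intermediate`, unlike the `INTERMEDIATE_CRL_CHAIN` and `INTERMEDIATE_CA_KEY` defaults on the next two lines, so a user who mounts the three files into one directory gets the bundle looked up in a different path than the CRL and key. Change it to `INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \`. Shipping non-empty defaults also means the `-z` sanity checks in 90-ca.sh can never trip; a file-readability check there would be the useful guard. The README row in this commit names the CRL variable `INTERMEDIATE_CA_CHAIN`, while the Dockerfile and the script use `INTERMEDIATE_CRL_CHAIN`.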
@@ -45,31 +45,52 @@ else
 hocon -f /etc/puppetlabs/puppetserver/conf.d/ca.conf \
 set certificate-authority.allow-subject-alt-names "${CA_ALLOW_SUBJECT_ALT_NAMES}"
- new_cadir=/etc/puppetlabs/puppetserver/ca
-
- if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
- # There is no existing CA
-
- # Append user-supplied DNS Alt Names
- if [ -n "$DNS_ALT_NAMES" ]; then
- current="$(puppet config print --section main dns_alt_names)"
- # shell parameter expansion to remove trailing comma if there is one
- updated="${DNS_ALT_NAMES%,}"
- if [ -n "$current" ]; then updated="$current","$updated"; fi
- puppet config set --section main dns_alt_names "$updated"
- fi
-
- timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
- ca_name="Puppet CA generated on ${HOSTNAME} at $timestamp"
-
- # See puppet.conf file for relevant settings
- puppetserver ca setup \
- --ca-name "$ca_name" \
- --config /etc/puppetlabs/puppet/puppet.conf
-
- elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
- # Legacy CA upgrade
- puppetserver ca migrate \
- --config /etc/puppetlabs/puppet/puppet.conf
+ if [[ "$INTERMEDIATE_CA" != "true" ]]; then
+ # sanity check
+ if [[ -z $INTERMEDIATE_CA_BUNDLE ]]; then
+ echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CA_BUNDLE'
+ exit 99
+ fi
+ if [[ -z $INTERMEDIATE_CRL_CHAIN ]]; then
+ echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CRL_CHAIN'
+ exit 99
+ fi
+ if [[ -z $INTERMEDIATE_CA_KEY ]]; then
+ echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CA_KEY'
+ exit 99
+ fi
+
+ puppetserver ca import \
+ --cert-bundle $INTERMEDIATE_CA_BUNDLE \
+ --crl-chain $INTERMEDIATE_CRL_CHAIN \
+ --private-key $INTERMEDIATE_CA_KEY
+ else
+ new_cadir=/etc/puppetlabs/puppetserver/ca
+
+ if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
+ # There is no existing CA
+
+ # Append user-supplied DNS Alt Names
+ if [ -n "$DNS_ALT_NAMES" ]; then
+ current="$(puppet config print --section main dns_alt_names)"
+ # shell parameter expansion to remove trailing comma if there is one
+ updated="${DNS_ALT_NAMES%,}"
+ if [ -n "$current" ]; then updated="$current","$updated"; fi
+ puppet config set --section main dns_alt_names "$updated"
+ fi
+
+ timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
+ ca_name="Puppet CA generated on ${HOSTNAME} at $timestamp"
+
+ # See puppet.conf file for relevant settings
+ puppetserver ca setup \
+ --ca-name "$ca_name" \
+ --config /etc/puppetlabs/puppet/puppet.conf
+
+ elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
+ # Legacy CA upgrade
+ puppetserver ca migrate \
+ --config /etc/puppetlabs/puppet/puppet.conf
+ fi
 fi
 fi

From 1b86734c1524477be177248a21e70ba21a0e1676 Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Tue, 27 Aug 2024 16:06:48 +0200
Subject: [PATCH 2/4] fix: switch to ro token to use pull_request_target somewhat more safely

Signed-off-by: Robert Waffen
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index fd07a297..9a6a252f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,7 +2,7 @@ name: CI🚦
 on:
- pull_request:
+ pull_request_target:
 branches:
 - main
 workflow_dispatch:

From 86db8dc2daab6dc358f40dc483bdccb9d941b622 Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Tue, 27 Aug 2024 16:10:18 +0200
Subject: [PATCH 3/4] fix: switch run options

Signed-off-by: Robert Waffen
---
 .github/workflows/ci.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9a6a252f..4e28771f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
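Review bot: The new branch condition `if [[ "$INTERMEDIATE_CA" != "true" ]]; then` is inverted: with the Dockerfile default `INTERMEDIATE_CA=false` every container takes the import path, runs `puppetserver ca import` against the default file paths, and never reaches the `setup`/`migrate` logic that was moved into the `else` arm; it should read `if [[ "$INTERMEDIATE_CA" == "true" ]]; then`. The three `-z` checks below it cannot fire because the Dockerfile gives all three variables non-empty defaults, so they should test that each path names a readable file, the arguments to `puppetserver ca import` should be quoted, and the error messages should go to stderr. The import also runs on every start without the `ca_crt.pem` existence test the other arm uses; if `puppetserver ca import` refuses an already-populated CA directory (it appears to, but confirm against the installed version), a restart of a configured server would fail here, so the same `$new_cadir/ca_crt.pem` guard is worth adding. The enclosing `if … else` that contains this hunk starts above line 45, outside the hunk.
```bash
  if [[ "$INTERMEDIATE_CA" == "true" ]]; then
    # sanity check: the Dockerfile ships non-empty defaults, so -z would never fire;
    # require each variable to point at a readable file instead
    for var in INTERMEDIATE_CA_BUNDLE INTERMEDIATE_CRL_CHAIN INTERMEDIATE_CA_KEY; do
      if [[ ! -r "${!var}" ]]; then
        echo "Error: When enabling intermediate ca, $var must point to a readable file (got '${!var}')" >&2
        exit 99
      fi
    done

    puppetserver ca import \
      --cert-bundle "$INTERMEDIATE_CA_BUNDLE" \
      --crl-chain "$INTERMEDIATE_CRL_CHAIN" \
      --private-key "$INTERMEDIATE_CA_KEY"
  else
    # … unchanged: setup / migrate branch …
```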
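Review bot: Changing the trigger to `pull_request_target:` does not by itself make fork PRs safer: that event runs the workflow definition from the base branch but with the repository's secrets and a write-capable `GITHUB_TOKEN`, so if any job checks out and executes the PR head, untrusted changes would now run with those credentials. The subject mentions a read-only token, but this hunk contains no `permissions:` block and no change to the checkout ref, so the claimed restriction is not visible here; if it is meant to hold, a top-level `permissions:` with `contents: read` next to `on:` would make it explicit and reviewable. PATCH 4/4 below moves the trigger back to `pull_request:`, which removes the concern for the final state of the series.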
@@ -3,8 +3,6 @@ name: CI🚦
 on:
 pull_request_target:
- branches:
- - main
 workflow_dispatch:
 jobs:

From 928a530717b98d7a40b175ebe79cb89e18c10af2 Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Tue, 27 Aug 2024 16:11:45 +0200
Subject: [PATCH 4/4] fix: run on both

Signed-off-by: Robert Waffen
---
 .github/workflows/ci.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4e28771f..648241a1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,7 +2,9 @@ name: CI🚦
 on:
- pull_request_target:
+ pull_request:
+ branches:
+ - 'main'
 workflow_dispatch:
 jobs: