feat: Allow usage of intermediate CA
fixes #94

Signed-off-by: Martin Alfke <ma@betadots.de>
tuxmea committed Aug 27, 2024
1 parent 1080242 commit 4f09add
Showing 3 changed files with 55 additions and 26 deletions.
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -99,6 +99,10 @@ The following environment variables are supported:
| **CA_HOSTNAME** | The DNS hostname for the puppetserver running the CA. Does nothing unless `CA_ENABLED=false`<br><br>`puppet` |
| **CA_PORT** | The listening port of the CA. Does nothing unless `CA_ENABLED=false`<br><br>`8140` |
| **CA_ALLOW_SUBJECT_ALT_NAMES** | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.<br><br>`false` |
| **INTERMEDIATE_CA** | Allows to import an existing intermediate CA. Needs `INTERMEDIATE_CA_BUNDLE`, `INTERMEDIATE_CA_CHAIN` and `INTERMEDIATE_CA_KEY`. See [Puppet Intermediat CA](https://www.puppet.com/docs/puppet/latest/server/intermediate_ca.html) |
| **INTERMEDIATE_CA_BUNDLE** | File path and name to the complete CA bundle (signing CA + Intermediate CA) |
| **INTERMEDIATE_CRL_CHAIN** | File path and name to the complete CA CRL chain |
| **INTERMEDIATE_CA_KEY** | File path and name to the private CA key |
| **PUPPET_REPORTS** | Sets `reports` in puppet.conf<br><br>`puppetdb` |
| **PUPPET_STORECONFIGS** | Sets `storeconfigs` in puppet.conf<br><br>`true` |
| **PUPPET_STORECONFIGS_BACKEND** | Sets `storeconfigs_backend` in puppet.conf<br><br>`puppetdb` |
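Review bot: the INTERMEDIATE_CA row lists `INTERMEDIATE_CA_CHAIN` as a required variable, but the variable actually documented two rows below and read by the entrypoint is `INTERMEDIATE_CRL_CHAIN`; align the name so users do not set a variable nothing consumes. The same row should state that the flag must be set to `true` to trigger the import (it currently reads as if the variable itself performs the import), and the link text has a typo (`Intermediat CA`). The three new rows also drop the default-value cell (`<br><br>` followed by the default) that every other row in this table carries, even though the Dockerfile hunk assigns defaults to all four variables.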
4 changes: 4 additions & 0 deletions puppetserver/Dockerfile
Expand Up @@ -35,6 +35,10 @@ ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
CA_HOSTNAME=puppet \
CA_PORT=8140 \
CA_ALLOW_SUBJECT_ALT_NAMES=false \
INTERMEDIATE_CA=false \
INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediat/ca.pem \
INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \
INTERMEDIATE_CA_KEY=/etc/puppetlabs/intermediate/key.pem \
USE_PUPPETDB=true \
PUPPETDB_SERVER_URLS=https://puppetdb:8081 \
PUPPET_STORECONFIGS_BACKEND="puppetdb" \
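Review bot: the default for `INTERMEDIATE_CA_BUNDLE` is `/etc/puppetlabs/intermediat/ca.pem` (missing the trailing `e`), while `INTERMEDIATE_CRL_CHAIN` and `INTERMEDIATE_CA_KEY` default to `/etc/puppetlabs/intermediate/`; a user who mounts all three files into the one directory named in the README will have the bundle path resolve to nothing. Suggest `INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \`.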
73 changes: 47 additions & 26 deletions puppetserver/docker-entrypoint.d/90-ca.sh
Expand Up @@ -45,31 +45,52 @@ else
hocon -f /etc/puppetlabs/puppetserver/conf.d/ca.conf \
set certificate-authority.allow-subject-alt-names "${CA_ALLOW_SUBJECT_ALT_NAMES}"

new_cadir=/etc/puppetlabs/puppetserver/ca

if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
# There is no existing CA

# Append user-supplied DNS Alt Names
if [ -n "$DNS_ALT_NAMES" ]; then
current="$(puppet config print --section main dns_alt_names)"
# shell parameter expansion to remove trailing comma if there is one
updated="${DNS_ALT_NAMES%,}"
if [ -n "$current" ]; then updated="$current","$updated"; fi
puppet config set --section main dns_alt_names "$updated"
fi

timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
ca_name="Puppet CA generated on ${HOSTNAME} at $timestamp"

# See puppet.conf file for relevant settings
puppetserver ca setup \
--ca-name "$ca_name" \
--config /etc/puppetlabs/puppet/puppet.conf

elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
# Legacy CA upgrade
puppetserver ca migrate \
--config /etc/puppetlabs/puppet/puppet.conf
if [[ "$INTERMEDIATE_CA" != "true" ]]; then
# sanity check
if [[ -z $INTERMEDIATE_CA_BUNDLE ]]; then
echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CA_BUNDLE'
exit 99
fi
if [[ -z $INTERMEDIATE_CRL_CHAIN ]]; then
echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CRL_CHAIN'
exit 99
fi
if [[ -z $INTERMEDIATE_CA_KEY ]]; then
echo 'Error: When enabling intermediate ca, one MUST specify INTERMEDIATE_CA_KEY'
exit 99
fi

puppetserver ca import \
--cert-bundle $INTERMEDIATE_CA_BUNDLE \
--crl-chain $INTERMEDIATE_CRL_CHAIN \
--private-key $INTERMEDIATE_CA_KEY
else
new_cadir=/etc/puppetlabs/puppetserver/ca

if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
# There is no existing CA

# Append user-supplied DNS Alt Names
if [ -n "$DNS_ALT_NAMES" ]; then
current="$(puppet config print --section main dns_alt_names)"
# shell parameter expansion to remove trailing comma if there is one
updated="${DNS_ALT_NAMES%,}"
if [ -n "$current" ]; then updated="$current","$updated"; fi
puppet config set --section main dns_alt_names "$updated"
fi

timestamp="$(date '+%Y-%m-%d %H:%M:%S %z')"
ca_name="Puppet CA generated on ${HOSTNAME} at $timestamp"

# See puppet.conf file for relevant settings
puppetserver ca setup \
--ca-name "$ca_name" \
--config /etc/puppetlabs/puppet/puppet.conf

elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
# Legacy CA upgrade
puppetserver ca migrate \
--config /etc/puppetlabs/puppet/puppet.conf
fi
fi
fi
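Review bot: the branch condition `if [[ "$INTERMEDIATE_CA" != "true" ]]; then` is inverted. With the Dockerfile default `INTERMEDIATE_CA=false` every container start now takes the import path, and the pre-existing `puppetserver ca setup` / `puppetserver ca migrate` logic in the `else` branch only runs when the user explicitly sets `INTERMEDIATE_CA=true`. It should read `if [[ "$INTERMEDIATE_CA" == "true" ]]; then`. Three further points on the import branch: the `-z` sanity checks cannot fire because the Dockerfile hunk gives all three variables non-empty defaults, so test that the files actually exist and are readable (`[ -r "$INTERMEDIATE_CA_BUNDLE" ]` and likewise for the CRL chain and key) before calling `puppetserver ca import`; the import is not guarded by the `! -f "$new_cadir/ca_crt.pem"` check that the other branch uses, so a restart re-attempts the import against an already populated CA directory; and the three arguments to `puppetserver ca import` are unquoted (`--cert-bundle "$INTERMEDIATE_CA_BUNDLE"`), which breaks on paths containing spaces. Since `INTERMEDIATE_CA_KEY` is the signing key for the whole Puppet PKI, the README row for it should also say that the mounted file must be readable only by the user the puppetserver runs as.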
