From 8dca39b3f9b33780d856d54cf6fac683b0e3afbe Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Thu, 9 Jan 2025 13:58:51 +0100
Subject: [PATCH] Manage ca_ttl setting
---
 README.md | 1 +
 puppetserver/Dockerfile | 1 +
 puppetserver/docker-entrypoint.d/90-ca.sh | 3 +++
 3 files changed, 5 insertions(+)
diff --git a/README.md b/README.md
index 16aee59b..c406b903 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,7 @@ The following environment variables are supported:
 | __PUPPETSERVER_PORT__ | The port of the puppetserver

`8140` | | __AUTOSIGN__ | Whether or not to enable autosigning on the puppetserver instance. Valid values are `true`, `false`, and `/path/to/autosign.conf`.

Defaults to `true`. | | __CA_ENABLED__ | Whether or not this puppetserver instance has a running CA (Certificate Authority)

`true` | +| __CA_TTL__ | CA expire date (in seconds)

`157680000` | | __CA_HOSTNAME__ | The DNS hostname for the puppetserver running the CA. Does nothing unless `CA_ENABLED=false`

`puppet` | | __CA_PORT__ | The listening port of the CA. Does nothing unless `CA_ENABLED=false`

`8140` | | __CA_ALLOW_SUBJECT_ALT_NAMES__ | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.

`false` |
diff --git a/puppetserver/Dockerfile b/puppetserver/Dockerfile
index e7e724e2..7ea78654 100644
--- a/puppetserver/Dockerfile
+++ b/puppetserver/Dockerfile
@@ -49,6 +49,7 @@ ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
 CA_HOSTNAME=puppet \
 CA_PORT=8140 \
 CA_ALLOW_SUBJECT_ALT_NAMES=false \
+ CA_TTL=157680000 \
 INTERMEDIATE_CA=false \
 INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \
 INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \
diff --git a/puppetserver/docker-entrypoint.d/90-ca.sh b/puppetserver/docker-entrypoint.d/90-ca.sh
index 90acf8dc..338d2eb9 100755
--- a/puppetserver/docker-entrypoint.d/90-ca.sh
+++ b/puppetserver/docker-entrypoint.d/90-ca.sh
@@ -32,6 +32,9 @@ EOF
 hocon -f webserver.conf set webserver.ssl-crl-path $ssl_crl_path
 cd /
+ if [[ -z $CA_TTL ]]; then
+ puppet config set --section server ca_ttl "${CA_TTL}"
+
 # bootstrap certs for the puppetserver
 if [[ ! -f "$ssl_cert" ]]; then
 while ! ca_running; do
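Review bot: The new `if [[ -z $CA_TTL ]]; then` block in 90-ca.sh is never closed — the hunk adds three lines (the test, the `puppet config set`, and what appears to be an empty line) and no `fi`, so bash should reject the entrypoint script with a syntax error before the CA bootstrap below it ever runs. The test is also inverted: `-z` is true only when CA_TTL is empty, so with the Dockerfile default of 157680000 the setting is never applied, and in the empty case the script would write an empty ca_ttl into puppet.conf; the intended shape is `if [[ -n "${CA_TTL}" ]]; then` / `  puppet config set --section server ca_ttl "${CA_TTL}"` / `fi`. Since this value is the CA certificate lifetime, a numeric guard such as `[[ "${CA_TTL}" =~ ^[0-9]+$ ]]` before the call would keep a malformed environment value out of the server configuration. The enclosing script begins before this hunk (the `EOF` in the hunk header closes an earlier here-doc).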