Last active
November 22, 2017 14:22
-
-
Save raphink/c6ba7c33707024179b4fa92e460092cc to your computer and use it in GitHub Desktop.
C2C blog post: Automatically renewing Puppet Certificates
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| name: "Allow nodes to delete their own certificates", | |
| match-request: { | |
| path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$", | |
| type: regex, | |
| method: [delete] | |
| }, | |
| allow: "$2", | |
| sort-order: 500 | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class profile::puppet::certificate ( | |
| String $psk, | |
| ) { | |
| file { '/etc/puppetlabs/puppet/csr_attributes.yaml': | |
| ensure => file, | |
| owner => 'root', | |
| group => 'root', | |
| mode => '0440', | |
| content => "---\ncustom_attributes:\n 1.2.840.113549.1.9.7: '${psk}'\n", | |
| } | |
| ~> puppet_certificate { $::trusted['certname']: | |
| ensure => valid, | |
| onrefresh => 'regenerate', | |
| waitforcert => 60, | |
| renewal_grace_period => 20, | |
| clean => true, | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment