Forge Home

ca_expiry_check

Tools for monitoring and notifying of impending Puppet CA expiry

2,579 downloads

167 latest version

4.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.0.0 (latest)
  • 1.1.0
  • 1.0.0
  • 0.1.1
  • 0.1.0
released Jun 23rd 2023
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'martyewings-ca_expiry_check', '2.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add martyewings-ca_expiry_check
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install martyewings-ca_expiry_check --version 2.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

martyewings/ca_expiry_check — version 2.0.0 Jun 23rd 2023

ca_expiry_check

Table of Contents

  1. Description
  2. Usage - Configuration options and additional functionality
  3. Reference - An under-the-hood peek at what the module is doing and how

Description

This Module Provides facts and a class that are designed to inform and notify in the instance the Puppet CA is due to expire

Usage

The Facts contained in this module can be used for direct consumption by monitoring tools such as Splunk.

Alternativly assigning the class ca_expiry_check to nodes running a Puppet CA, Will "Notify" on Each Puppet run as soon as the certificate expiry is within a designated window. This window by default is 90 days, but is configurable through the use of the "alertwindow" parameter which takes an integer representing the desired alert window in seconds

Class Delcaration Optional.

To activate the notification functions of this module, classify your Primary Master (or which ever server hosts your main Puppet CA) with the ca_expiry_check class using your preferred classification method. Below is an example using site.pp.

node 'master.example.com' {
  include ca_expiry_check
}

To optionally configure the length of the window in which you are notified of impending expiry away from the default of 90 days, add the alertwindow parameter with a value in seconds to your classification.

class { 'ca_expiry_check':
  alertwindow              => 15552000,
}

Outputs

When the class is included once within the alert window period, there will be a corrective change, in the form of a notify, with the following messaging":

Puppet CA expiring on ${facts['ca_exp_date']} You should renew

Reference

Facts:

ca_exp_date

Prints the expiry date of the CA, confined to run only on Puppet Servers hosting the CA

ca_exp_seconds

Prints the number of seconds between now() and $ca_exp_date, confined to run only on Puppet Servers hosting the CA

Parameters:

alertwindow

Optional. Provides a method to alter the notification window value in seconds. Valid options: integer . Default value: 7776000 (90 days).