
ca_extend

A set of Bolt Plans and Tasks to extend the CA cert in Puppet Enterprise

17,652 downloads

761 latest version

4.9 quality score


Version information

  • 3.5.0 (latest)
  • 3.4.0
  • 3.3.1
  • 3.3.0
  • 3.2.0
  • 3.1.0
  • 3.0.0
  • 2.1.0
  • 2.0.0
  • 1.2.1
  • 1.2.0
  • 1.1.1
  • 1.1.0
  • 1.0.1
released Oct 10th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0
Tasks:
  • check_agent_expiry
  • check_ca_expiry
  • configure_master
  • extend_ca_cert
Plans:
  • extend_ca_cert
  • get_agent_facts
  • upload_ca_cert

Start using this module


Add this module to your Puppetfile:

mod 'puppetlabs-ca_extend', '1.0.1'

Add this module to your Bolt project:

bolt module add puppetlabs-ca_extend

Manually install this module globally with the Puppet module tool:

puppet module install puppetlabs-ca_extend --version 1.0.1


Documentation

puppetlabs/ca_extend — version 1.0.1 Oct 10th 2019

ca_extend

Table of Contents

  1. Description
  2. Setup - The basics of getting started with ca_extend
  3. Usage - Configuration options and additional functionality

Description

A set of Plans and Tasks to extend the expiration date of the certificate for the certificate authority in Puppet Enterprise and distribute the certificate to agent nodes.

The functionality of this module is divided into two main plans:

  • ca_extend::extend_ca_cert
    • Extends the CA certificate and configures the master and any compile masters to use the new certificate
  • ca_extend::upload_ca_cert
    • Distributes the certificate to any number of agents. Any protocol supported by Bolt can be used, such as ssh, winrm, or PCP.

The extend_ca_cert plan can be used whether or not the CA cert has already expired: it extends the expiration date in place and configures the master and compilers to use the extended certificate.

After the CA is functional again (or if it had yet to expire), there are two options for distributing the new cert to agents.

  • Using the ca_extend::upload_ca_cert plan or another method to copy the new ca.pem into place on agents.
  • Deleting ca.pem from agents and letting them download the file as part of the next Puppet agent run. The agent will re-download this file only if it is absent, so it must be deleted to get a new copy using this method.
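Whichever distribution method is used, the step a practitioner wants afterwards is a check that every agent now holds the same ca.pem as the master. The following is an added example and not code from the module: it fingerprints the DER of each certificate in a PEM file and reports agents whose ca.pem differs from the master's. Comparing decoded DER rather than raw file bytes matters because Windows agents (reached over winrm) may store the file with CRLF line endings or different base64 wrapping. The PEM contents here are constructed stand-ins, not real certificates; in practice the strings would be the contents of /etc/puppetlabs/puppet/ssl/certs/ca.pem (the standard agent path, assumed here) collected from each agent.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 fingerprints of every certificate in a PEM file, computed over the
    decoded DER. Comparing DER instead of raw file bytes makes CRLF line endings
    (Windows agents), different base64 wrapping and trailing whitespace irrelevant."""
    fingerprints = []
    for match in PEM_CERT.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))
        der = base64.b64decode(body, validate=True)
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def agents_with_stale_ca(master_ca_pem: str, agent_ca_pems: dict[str, str]) -> list[str]:
    """Names of agents whose ca.pem does not contain exactly the master's certificates."""
    expected = cert_fingerprints(master_ca_pem)
    if not expected:
        raise ValueError("master ca.pem contains no certificate")
    return sorted(
        name for name, pem in agent_ca_pems.items() if cert_fingerprints(pem) != expected
    )


def _constructed_pem(payload: bytes, width: int = 64, newline: str = "\n") -> str:
    """Wrap arbitrary bytes in PEM armour. Constructed for this example only:
    the payload is NOT a real DER certificate."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])


# Constructed sample data: stand-ins for the extended and the old CA certificate.
NEW_CA = b"constructed stand-in for the extended CA certificate DER " * 3
OLD_CA = b"constructed stand-in for the expired CA certificate DER " * 3

MASTER_CA_PEM = _constructed_pem(NEW_CA)
AGENT_CA_PEMS = {
    "agent01.example.com": _constructed_pem(NEW_CA),                           # already updated
    "win01.example.com": _constructed_pem(NEW_CA, width=48, newline="\r\n"),   # same cert, CRLF and rewrapped
    "agent02.example.com": _constructed_pem(OLD_CA),                           # still has the old ca.pem
}

if __name__ == "__main__":
    print("agents needing the new ca.pem:", agents_with_stale_ca(MASTER_CA_PEM, AGENT_CA_PEMS))
```

Only agent02.example.com is reported; win01.example.com holds the same certificate despite the different file layout, which a byte-for-byte comparison would have flagged as stale.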

There are also two complementary tasks to check the expiry of the CA cert and any agent certificates.

  • ca_extend::check_agent_expiry
    • Checks if any agent certificates expire by a certain date. Defaults to 3 months from today.
  • ca_extend::check_ca_expiry
    • Checks if the CA certificate expires by a certain date. Defaults to 3 months from today.
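To show what "expires by a certain date, defaulting to 3 months from today" amounts to, here is an added example (not the module's task code) that parses the output of openssl x509 -noout -subject -enddate run over the CA cert and the signed agent certs, and lists the certificates that are expired or expire on or before the cutoff. The sample listing is constructed; the subjects and dates are made up. The cutoff is computed as a calendar-month offset with the day clamped to the target month, which is one choice for "3 months" and an assumption of this example rather than the module's exact rule.

```python
import re
from calendar import monthrange
from datetime import date, datetime, timezone

# Constructed sample input: the kind of text produced by running
#   openssl x509 -noout -subject -enddate -in <cert>
# over the CA cert and each signed agent cert. Made-up values, not output
# captured from the module or a real Puppet Enterprise install.
SAMPLE_CERT_LISTING = """\
subject=CN = Puppet Enterprise CA generated on master.example.com
notAfter=Oct 10 12:00:00 2024 GMT
subject=CN = agent01.example.com
notAfter=Jan 15 08:30:00 2030 GMT
subject=CN = agent02.example.com
notAfter=Dec  1 00:00:00 2024 GMT
"""

# openssl prints notAfter as e.g. "Oct 10 12:00:00 2024 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def add_months(day: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (so 30 Nov + 3 months is 28 Feb in a non-leap year)."""
    years, month_index = divmod(day.month - 1 + months, 12)
    year, month = day.year + years, month_index + 1
    return date(year, month, min(day.day, monthrange(year, month)[1]))


def parse_cert_listing(text: str) -> list[tuple[str, datetime]]:
    """Pair each subject= line with the notAfter= line that follows it."""
    certs = []
    subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("notAfter="):
            # collapse openssl's space-padded day ("Dec  1") before parsing
            stamp = re.sub(r"\s+", " ", line[len("notAfter="):]).strip()
            not_after = datetime.strptime(stamp, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
            certs.append((subject or "<unknown subject>", not_after))
            subject = None
    return certs


def find_expiring(certs, today: date, months: int = 3) -> list[dict]:
    """Return certs that are already expired or expire on or before today + months."""
    cutoff = add_months(today, months)
    findings = []
    for subject, not_after in certs:
        expires_on = not_after.date()
        if expires_on < today:
            status = "expired"
        elif expires_on <= cutoff:
            status = "expiring"
        else:
            continue
        findings.append({"subject": subject, "not_after": not_after.isoformat(), "status": status})
    return findings


def check_listing(text: str, today: date, months: int = 3) -> list[dict]:
    """Parse an openssl listing and report expired/expiring certificates."""
    return find_expiring(parse_cert_listing(text), today, months)


if __name__ == "__main__":
    for finding in check_listing(SAMPLE_CERT_LISTING, date.today()):
        print(f"{finding['status']:8} {finding['not_after']}  {finding['subject']}")
```

Run against the sample with a reference date of 15 Aug 2024 the CA cert (expiring 10 Oct 2024) is reported and the agent certs are not; with a reference date of 1 Nov 2024 the CA cert is reported as expired and agent02 (1 Dec 2024) as expiring. An expired CA is exactly the case the extend_ca_cert plan exists for, so the "expired" status is worth surfacing separately from "expiring".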

Setup

This module requires a Bolt installation >= 1.8.0 on either a client machine or the Puppet master.

The recommended installation procedure for this module is to use a Bolt Puppetfile. From within a Boltdir, specify this module and puppetlabs-stdlib as dependencies in the Puppetfile and run bolt puppetfile install. For example, to install Bolt and the required modules on an EL 7 master:

# Install Bolt from the Puppet tools repository (EL 7)
sudo rpm -Uvh https://yum.puppet.com/puppet-tools-release-el-7.noarch.rpm
sudo yum install puppet-bolt

# Create a Boltdir and declare the module and its stdlib dependency in a Puppetfile
mkdir -p ~/Boltdir
cd ~/Boltdir

cat >>Puppetfile <<EOF
mod 'puppetlabs-stdlib'
mod 'puppetlabs-ca_extend'
EOF

# Fetch the modules listed in the Puppetfile into the Boltdir
bolt puppetfile install

Dependencies

Configuration

Inventory

This module works best with a Bolt inventory file, which supports simultaneous uploads to *nix and Windows agents. See the Bolt documentation for how to configure the inventory, and REFERENCE.md for a sample inventory file.

Alternatively, if ssh is the only protocol used to connect to agents, an ssh config file is sufficient. Bolt defaults to ssh, which in turn reads ~/.ssh/config for options such as the username and identity file.

Connecting to PuppetDB

Another convenient way to specify targets for the ca_extend::upload_ca_cert plan is to connect Bolt to PuppetDB, after which the --query option can be used to select a node list. See REFERENCE.md for an example.

Examples

bolt plan run ca_extend::extend_ca_cert master=<master_fqdn> compile_masters=<comma_separated_compile_master_fqdns>
bolt plan run ca_extend::upload_ca_cert cert=<path_to_cert> --nodes <TargetSpec>
bolt task run ca_extend::check_ca_expiry --nodes <TargetSpec>
bolt task run ca_extend::check_agent_expiry --nodes <TargetSpec>

See REFERENCE.md for more detailed example commands.