Add puppet8 certificate renewal endpoint.

From https://www.puppet.com/docs/puppet/8/server/http_certificate_renew Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
theforeman · Jan 3, 2024 · 52d57e5 · 52d57e5
1 parent b234dda
commit 52d57e5
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 0 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -539,6 +539,12 @@
 # $server_ca_enable_infra_crl::             Enable the separate CRL for Puppet infrastructure nodes
 #                                           Defaults to false
 #
+# $server_ca_allow_auto_renewal::           Enable the auto renewal for client certificates
+#                                           Defaults to false
+#
+# $server_ca_allow_auto_renewal_cert_ttl::  Set the auto renewal interval for client certificates
+#                                           Defaults to 60d
+#
 # $server_max_open_files::                  Increase the max open files limit for Puppetserver.
 #                                           Defaults to undef
 #
@@ -748,6 +754,8 @@
   Boolean $server_ca_allow_sans = $puppet::params::server_ca_allow_sans,
   Boolean $server_ca_allow_auth_extensions = $puppet::params::server_ca_allow_auth_extensions,
   Boolean $server_ca_enable_infra_crl = $puppet::params::server_ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::params::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::params::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files,
   Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef,
   Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -406,6 +406,8 @@
   $server_ca_allow_sans                   = false
   $server_ca_allow_auth_extensions        = false
   $server_ca_enable_infra_crl             = false
+  $server_ca_allow_auto_renewal           = false
+  $server_ca_allow_auto_renewal_cert_ttl  = '60d'
   $server_max_open_files                  = undef
   $server_environment_vars                = {}
 

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -302,6 +302,11 @@
 #
 # $ca_enable_infra_crl::               Enable the separate CRL for Puppet infrastructure nodes
 #                                      Defaults to false
+# $server_ca_allow_auto_renewal::           Enable the auto renewal for client certificates
+#                                           Defaults to false
+#
+# $server_ca_allow_auto_renewal_cert_ttl::  Set the auto renewal interval for client certificates
+#                                           Defaults to 60d
 #
 # $acceptor_threads::                  This sets the number of threads that the webserver will dedicate to accepting
 #                                      socket connections for unencrypted HTTP traffic. If not provided, the webserver
@@ -454,6 +459,8 @@
   Boolean $ca_allow_sans = $puppet::server_ca_allow_sans,
   Boolean $ca_allow_auth_extensions = $puppet::server_ca_allow_auth_extensions,
   Boolean $ca_enable_infra_crl = $puppet::server_ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $max_open_files = $puppet::server_max_open_files,
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,

diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
@@ -73,6 +73,7 @@
 #   }
 #
 class puppet::server::puppetserver (
+  Optional[Pattern[/^[\d]\.[\d]+\.[\d]+$/]] $puppetserver_version = $puppet::server::puppetserver_version,
   String $config = $puppet::server::jvm_config,
   String $java_bin = $puppet::server::jvm_java_bin,
   Variant[String, Array[String]] $jvm_extra_args = $puppet::server::real_jvm_extra_args,
@@ -139,6 +140,8 @@
   Boolean $ca_allow_sans = $puppet::server::ca_allow_sans,
   Boolean $ca_allow_auth_extensions = $puppet::server::ca_allow_auth_extensions,
   Boolean $ca_enable_infra_crl = $puppet::server::ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::server::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::server::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $max_open_files = $puppet::server::max_open_files,
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server::versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server::versioned_code_content,
@@ -147,6 +150,17 @@
 ) {
   include puppet::server
 
+  # For Puppetserver, certain configuration parameters are version specific.
+  # We need a method to determine what version is installed.
+  if $puppetserver_version {
+    $real_puppetserver_version = $puppetserver_version
+  } elsif versioncmp($facts['puppetversion'], '7.0.0') >= 0 {
+    $real_puppetserver_version = $facts['puppetversion']
+  } else {
+    # our minimum supported version of puppet server
+    $real_puppetserver_version = '7.0.0'
+  }
+
   $puppetserver_package = pick($puppet::server::package, 'puppetserver')
 
   $jvm_heap_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}"]

diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -77,6 +77,20 @@ authorization: {
             name: "puppetlabs csr"
         },
 <%- if @server_ca -%>
+<%- if versioncmp(@real_puppetserver_version, '8.0.0') >= 0 -%>
+        {
+            # Allow nodes to renew their certificate
+            match-request: {
+                path: "/puppet-ca/v1/certificate_renewal"
+                type: path
+                method: post
+            }
+            # this endpoint should never be unauthenticated, as it requires the cert to be provided.
+            allow: "*"
+            sort-order: 500
+            name: "puppetlabs certificate renewal"
+        },
+<%- end -%>
         {
             # Allow the CA CLI to access the certificate_status endpoint
             match-request: {

diff --git a/templates/server/puppetserver/conf.d/ca.conf.erb b/templates/server/puppetserver/conf.d/ca.conf.erb
@@ -7,4 +7,11 @@ certificate-authority: {
 
     # enable the separate CRL for Puppet infrastructure nodes
     enable-infra-crl: <%= @ca_enable_infra_crl %>
+
+    # Setup auto renewal of certs
+    allow-auto-renewal: <%= @server_ca_allow_auto_renewal %>
+    # This value determines the lifetime of the cert if auto-renewal is enabled
+    auto-renewal-cert-ttl: <%= @server_ca_allow_auto_renewal_cert_ttl %>
+    # Default cert expiration time. If the value is set here, it will take precedence over ca-ttl setting in puppet.conf
+    #ca-ttl: "60d"
 }