Add puppet8 certificate renewal endpoint.

From https://www.puppet.com/docs/puppet/8/server/http_certificate_renew Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
theforeman · Jan 3, 2024 · ac3c426 · ac3c426
1 parent b234dda
commit ac3c426
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 0 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -539,6 +539,12 @@
 # $server_ca_enable_infra_crl::             Enable the separate CRL for Puppet infrastructure nodes
 #                                           Defaults to false
 #
+# $server_ca_allow_auto_renewal::           Enable the auto renewal for client certificates
+#                                           Defaults to false
+#
+# $server_ca_allow_auto_renewal_cert_ttl::  Set the auto renewal interval for client certificates
+#                                           Defaults to 60d
+#
 # $server_max_open_files::                  Increase the max open files limit for Puppetserver.
 #                                           Defaults to undef
 #
@@ -748,6 +754,8 @@
   Boolean $server_ca_allow_sans = $puppet::params::server_ca_allow_sans,
   Boolean $server_ca_allow_auth_extensions = $puppet::params::server_ca_allow_auth_extensions,
   Boolean $server_ca_enable_infra_crl = $puppet::params::server_ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::params::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::params::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files,
   Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef,
   Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -406,6 +406,8 @@
   $server_ca_allow_sans                   = false
   $server_ca_allow_auth_extensions        = false
   $server_ca_enable_infra_crl             = false
+  $server_ca_allow_auto_renewal           = false
+  $server_ca_allow_auto_renewal_cert_ttl  = '60d'
   $server_max_open_files                  = undef
   $server_environment_vars                = {}
 

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -302,6 +302,11 @@
 #
 # $ca_enable_infra_crl::               Enable the separate CRL for Puppet infrastructure nodes
 #                                      Defaults to false
+# $server_ca_allow_auto_renewal::           Enable the auto renewal for client certificates
+#                                           Defaults to false
+#
+# $server_ca_allow_auto_renewal_cert_ttl::  Set the auto renewal interval for client certificates
+#                                           Defaults to 60d
 #
 # $acceptor_threads::                  This sets the number of threads that the webserver will dedicate to accepting
 #                                      socket connections for unencrypted HTTP traffic. If not provided, the webserver
@@ -454,6 +459,8 @@
   Boolean $ca_allow_sans = $puppet::server_ca_allow_sans,
   Boolean $ca_allow_auth_extensions = $puppet::server_ca_allow_auth_extensions,
   Boolean $ca_enable_infra_crl = $puppet::server_ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $max_open_files = $puppet::server_max_open_files,
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,

diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
@@ -139,6 +139,8 @@
   Boolean $ca_allow_sans = $puppet::server::ca_allow_sans,
   Boolean $ca_allow_auth_extensions = $puppet::server::ca_allow_auth_extensions,
   Boolean $ca_enable_infra_crl = $puppet::server::ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::server::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::server::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $max_open_files = $puppet::server::max_open_files,
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server::versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server::versioned_code_content,

diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -77,6 +77,18 @@ authorization: {
             name: "puppetlabs csr"
         },
 <%- if @server_ca -%>
+        {
+            # Allow nodes to renew their certificate
+            match-request: {
+                path: "/puppet-ca/v1/certificate_renewal"
+                type: path
+                method: post
+            }
+            # this endpoint should never be unauthenticated, as it requires the cert to be provided.
+            allow: "*"
+            sort-order: 500
+            name: "puppetlabs certificate renewal"
+        },
         {
             # Allow the CA CLI to access the certificate_status endpoint
             match-request: {

diff --git a/templates/server/puppetserver/conf.d/ca.conf.erb b/templates/server/puppetserver/conf.d/ca.conf.erb
@@ -7,4 +7,11 @@ certificate-authority: {
 
     # enable the separate CRL for Puppet infrastructure nodes
     enable-infra-crl: <%= @ca_enable_infra_crl %>
+
+    # Setup auto renewal of certs
+    allow-auto-renewal: <%= @server_ca_allow_auto_renewal %>
+    # This value determines the lifetime of the cert if auto-renewal is enabled
+    auto-renewal-cert-ttl: <%= @server_ca_allow_auto_renewal_cert_ttl %>
+    # Default cert expiration time. If the value is set here, it will take precedence over ca-ttl setting in puppet.conf
+    #ca-ttl: "60d"
 }