Revision 11e65ebd
Added by Ewoud Kohl van Wijngaarden about 10 years ago
| manifests/config.pp | ||
|---|---|---|
|
# Set up the puppet config
|
||
|
class puppet::config(
|
||
|
$auth_template = $::puppet::auth_template,
|
||
|
$ca_server = $::puppet::ca_server,
|
||
|
$main_template = $::puppet::main_template,
|
||
|
$nsauth_template = $::puppet::nsauth_template,
|
||
|
$puppet_dir = $::puppet::dir,
|
||
|
$allow_any_crl_auth = $::puppet::allow_any_crl_auth,
|
||
|
$auth_template = $::puppet::auth_template,
|
||
|
$ca_server = $::puppet::ca_server,
|
||
|
$main_template = $::puppet::main_template,
|
||
|
$nsauth_template = $::puppet::nsauth_template,
|
||
|
$puppet_dir = $::puppet::dir,
|
||
|
) {
|
||
|
concat_build { 'puppet.conf': }
|
||
|
concat_fragment { 'puppet.conf+10-main':
|
||
| manifests/init.pp | ||
|---|---|---|
|
# the apache vhost to set up a proxy for all
|
||
|
# certificates pointing to the value.
|
||
|
#
|
||
|
# $allow_any_crl_auth:: Allow any authentication for the CRL. This
|
||
|
# is needed on the puppet CA to accept clients
|
||
|
# from a the puppet CA proxy.
|
||
|
# type:boolean
|
||
|
#
|
||
|
# === Usage:
|
||
|
#
|
||
|
# * Simple usage:
|
||
| ... | ... | |
|
$agent_template = $puppet::params::agent_template,
|
||
|
$auth_template = $puppet::params::auth_template,
|
||
|
$nsauth_template = $puppet::params::nsauth_template,
|
||
|
$allow_any_crl_auth = $puppet::params::allow_any_crl_auth,
|
||
|
$client_package = $puppet::params::client_package,
|
||
|
$agent = $puppet::params::agent,
|
||
|
$server = $puppet::params::server,
|
||
| ... | ... | |
|
validate_bool($agent_noop)
|
||
|
validate_bool($agent)
|
||
|
validate_bool($server)
|
||
|
validate_bool($allow_any_crl_auth)
|
||
|
validate_bool($server_ca)
|
||
|
validate_bool($server_passenger)
|
||
|
validate_bool($server_git_repo)
|
||
| manifests/params.pp | ||
|---|---|---|
|
$auth_template = 'puppet/auth.conf.erb'
|
||
|
$nsauth_template = 'puppet/namespaceauth.conf.erb'
|
||
|
|
||
|
# Allow any to the CRL. Needed in case of puppet CA proxy
|
||
|
$allow_any_crl_auth = false
|
||
|
|
||
|
# Will this host be a puppet agent ?
|
||
|
$agent = true
|
||
|
|
||
| spec/classes/puppet_config_spec.rb | ||
|---|---|---|
|
should contain_file('/etc/puppet/auth.conf').with_content(%r{^path /certificate_revocation_list/ca\nmethod find$})
|
||
|
end
|
||
|
end
|
||
|
|
||
|
describe 'with allow_any_crl_auth' do
|
||
|
let :pre_condition do
|
||
|
'class {"::puppet": allow_any_crl_auth => true}'
|
||
|
end
|
||
|
|
||
|
it 'should contain auth.conf with auth any' do
|
||
|
should contain_file('/etc/puppet/auth.conf').with_content(%r{^path /certificate_revocation_list/ca\nauth any$})
|
||
|
end
|
||
|
end
|
||
|
end
|
||
| templates/auth.conf.erb | ||
|---|---|---|
|
|
||
|
# allow all nodes to access the certificates services
|
||
|
path /certificate_revocation_list/ca
|
||
|
<% if @allow_any_crl_auth -%>
|
||
|
auth any
|
||
|
<% end -%>
|
||
|
method find
|
||
|
allow *
|
||
|
|
||
Also available in: Unified diff
Issue #4345: Add an allow_any_crl parameter
http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic
states the following should be present in auth.conf if using a puppet ca
proxy:
path /certificate_revocation_list
auth any
method find
allow *
In my testing /certificate_revocation_list/ca was sufficient.