
Commit 8b5826c

authored
Merge pull request #488 from cultuurnet/feature/trusted_puppet_ca
Add Puppet CA certificate to system truststore
2 parents f3656f8 + e33d952 commit 8b5826c


2 files changed

+46
-2
lines changed


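--- a/manifests/ca_certificates.pp
+++ b/manifests/ca_certificates.pp
@@ -1,5 +1,6 @@
 class profiles::ca_certificates (
 Variant[String, Array[String]] $disabled_ca_certificates = [],
+Boolean $puppet_ca = true,
 Boolean $publiq_development_ca = false
 ) inherits ::profiles {
 
@@ -21,6 +22,22 @@
 }
 }
 
+file { 'Puppet CA certificate directory':
+ensure => 'directory',
+path => '/usr/local/share/ca-certificates/puppet'
+}
+
+file { 'Puppet CA certificate':
+ensure => $puppet_ca ? {
+true => 'file',
+false => 'absent'
+},
+path => '/usr/local/share/ca-certificates/puppet/puppet-ca.crt',
+source => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
+require => File['Puppet CA certificate directory'],
+notify => Exec['Update CA certificates']
+}
+
 exec { 'Update CA certificates':
 command => 'update-ca-certificates',
 path => [ '/usr/local/bin', '/usr/bin', '/usr/sbin', '/bin'],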
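Review bot: The new `file { 'Puppet CA certificate' }` and its directory resource set no `owner`, `group` or `mode`, so a file that becomes a system-wide trust anchor is left at whatever Puppet's defaults produce; pin both explicitly, `owner => 'root', group => 'root', mode => '0644',` on the certificate (and `'0755'` on the directory), so that only root can replace the anchor and a later change cannot loosen it unnoticed. The `$puppet_ca` parameter also deserves a doc comment stating what is being trusted, e.g. `# @param puppet_ca Install the Puppet CA (ca.pem) into the system trust store; every certificate issued by that CA, including agent certificates, then validates against it for any TLS client using the system store.` When `$puppet_ca` is false the `absent` file still notifies the exec, which is the right ordering, but whether a plain `update-ca-certificates` run (no `--fresh`) removes the stale link for the deleted file may depend on the ca-certificates version, so that path is worth confirming on a host before relying on it for revocation.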

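--- a/spec/classes/ca_certificates_spec.rb
+++ b/spec/classes/ca_certificates_spec.rb
@@ -12,6 +12,7 @@
 
 it { is_expected.to contain_class('profiles::ca_certificates').with(
 'disabled_ca_certificates' => [],
+'puppet_ca' => true,
 'publiq_development_ca' => false
 ) }
 
@@ -20,16 +21,31 @@
 
 it { is_expected.to have_augeas_resource_count(0) }
 
+it { is_expected.to contain_file('Puppet CA certificate directory').with(
+'ensure' => 'directory',
+'path' => '/usr/local/share/ca-certificates/puppet'
+) }
+
+it { is_expected.to contain_file('Puppet CA certificate').with(
+'ensure' => 'file',
+'path' => '/usr/local/share/ca-certificates/puppet/puppet-ca.crt',
+'source' => '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
+) }
+
 it { is_expected.to contain_exec('Update CA certificates').with(
 'command' => 'update-ca-certificates',
 'path' => [ '/usr/local/bin', '/usr/bin', '/usr/sbin', '/bin'],
 'refreshonly' => true
 ) }
+
+it { is_expected.to contain_file('Puppet CA certificate').that_requires('File[Puppet CA certificate directory]') }
+it { is_expected.to contain_file('Puppet CA certificate').that_notifies('Exec[Update CA certificates]') }
 end
 
-context "with disabled_ca_certificates => 'foobar'" do
+context "with disabled_ca_certificates => 'foobar' and puppet_ca => false" do
 let(:params) { {
-'disabled_ca_certificates' => 'foobar'
+'disabled_ca_certificates' => 'foobar',
+'puppet_ca' => false
 } }
 
 it { is_expected.not_to contain_apt__source('publiq-tools') }
@@ -43,13 +59,24 @@
 'changes' => 'set *[.= \'foobar\'] \'!foobar\'',
 ) }
 
+it { is_expected.to contain_file('Puppet CA certificate directory').with(
+'ensure' => 'directory',
+'path' => '/usr/local/share/ca-certificates/puppet'
+) }
+
+it { is_expected.to contain_file('Puppet CA certificate').with(
+'ensure' => 'absent',
+'path' => '/usr/local/share/ca-certificates/puppet/puppet-ca.crt'
+) }
+
 it { is_expected.to contain_exec('Update CA certificates').with(
 'command' => 'update-ca-certificates',
 'path' => [ '/usr/local/bin', '/usr/bin', '/usr/sbin', '/bin'],
 'refreshonly' => true
 ) }
 
 it { is_expected.to contain_augeas('Disable CA certificate foobar').that_notifies('Exec[Update CA certificates]') }
+it { is_expected.to contain_file('Puppet CA certificate').that_notifies('Exec[Update CA certificates]') }
 end
 
 context "with disabled_ca_certificates => ['badcert', 'expiredcert'] and publiq_development_root_ca => true" do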
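Review bot: The `puppet_ca => false` context asserts `that_notifies` on the absent certificate but, unlike the default context, not its `that_requires` on the directory, so the ordering on the removal path goes unchecked; add `it { is_expected.to contain_file('Puppet CA certificate').that_requires('File[Puppet CA certificate directory]') }` there as well. Neither context asserts ownership or permissions of the trust-store file; if the manifest pins `owner`, `group` and `mode` on that resource, the `.with(...)` hashes in both contexts should include them so a later change that loosens them fails the spec. The directory expectations are now repeated verbatim in both contexts, and a `shared_examples` block would keep them in one place.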
