Affected Puppet, Ruby, OS and module versions/distributions
I'm running Puppet Enterprise 2021.7.1 on CentOS. I'm trying to implement this module to handle certificate renewal. I've set it up in our code repo with this on the agents:
```puppet
puppet_certificate { $trusted['certname']:
  ensure               => 'valid',
  clean                => true,
  onrefresh            => 'regenerate',
  renewal_grace_period => 30,
  waitforcert          => 60,
}
```
And this Puppet code to apply to the Puppet master servers, based on the example in the README:
```puppet
pe_puppet_authorization::rule { 'delete-self-certificate':
  match_request_path         => '^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$',
  match_request_type         => 'regex',
  match_request_method       => 'delete',
  match_request_query_params => {'environment' => [ 'master', 'cert_renewal_test' ]},
  allow                      => '$2',
  sort_order                 => 500,
  path                       => '/etc/puppetlabs/puppetserver/conf.d/auth.conf',
  notify                     => Service['pe-puppetserver'],
}
```
I've played around with the sort_order, but there's an existing authorization rule in Puppet Enterprise ('puppetlabs certificate status') which is on the same match_request_path, and, depending on whether I supply a sort_order value that's lower or higher than the existing rule, the client either gets an HTTP/403 "denied by rule" message, or the server appears to break itself because it's not permitted to access the certificate_status URL.
Is there a code recipe example which can be supplied which should make this module work on Puppet Enterprise? (Or is there a problem with applying these authorization rules on PE?)
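
Added example (not part of the original post and not code from the module or from PE): Puppet Server evaluates auth.conf rules in ascending sort order and lets the first matching rule decide, so this small Python model shows how moving `delete-self-certificate` across an overlapping rule can produce both kinds of denial described above. The built-in rule's sort order, path form and allow list, and the hostnames, are assumed values.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    sort_order: int
    path: str                                   # regex (match_request_type => 'regex')
    allow: list                                 # certnames; "$N" = capture group N of path
    method: str = ""                            # empty = any HTTP method
    query: dict = field(default_factory=dict)   # match_request_query_params

    def match(self, method, path, params):
        m = re.search(self.path, path)
        if not m or (self.method and self.method != method.lower()):
            return None
        if any(params.get(k) not in vals for k, vals in self.query.items()):
            return None
        return m

def authorize(rules, certname, method, path, params):
    """Return (allowed, deciding_rule). Only the first matching rule is consulted."""
    for rule in sorted(rules, key=lambda r: (r.sort_order, r.name)):
        m = rule.match(method, path, params)
        if m:
            allowed = [re.sub(r"\$(\d)", lambda b: m.group(int(b.group(1))), a)
                       for a in rule.allow]
            return certname in allowed, rule.name
    return False, None

def build_rules(custom_sort_order):
    custom = Rule("delete-self-certificate", custom_sort_order,
                  r"^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$", ["$2"],
                  method="delete",
                  query={"environment": ["master", "cert_renewal_test"]})
    # Stand-in for PE's 'puppetlabs certificate status' rule: the sort order, path
    # form and allow list are assumed values, not read from a PE install.
    builtin = Rule("puppetlabs certificate status", 500,
                   r"^/puppet-ca/v1/certificate_status/", ["pe-server.example.com"])
    return [custom, builtin]

if __name__ == "__main__":
    # Constructed request: an agent (or the server) deleting agent01's certificate.
    req = ("DELETE", "/puppet-ca/v1/certificate_status/agent01.example.com",
           {"environment": "master"})
    for order in (400, 600):
        for who in ("agent01.example.com", "pe-server.example.com"):
            print(order, who, authorize(build_rules(order), who, *req))
```

In this model the rule that decides each request is returned alongside the verdict, which is the same information the "denied by rule" message in the server log carries.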