diff options
| author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2023-09-27 22:07:48 +0200 |
|---|---|---|
| committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2023-09-27 22:07:48 +0200 |
| commit | e348016211fe4004b4baab0a340a9edb8bddfe4c (patch) | |
| tree | 25eef74d95c4449822bf4cca0bfc5802266e5cae | |
| parent | 0dfc9cef12c5aaac7da817d871317d645f45f34e (diff) | |
| download | itzks-systems-e348016211fe4004b4baab0a340a9edb8bddfe4c.tar.gz itzks-systems-e348016211fe4004b4baab0a340a9edb8bddfe4c.tar.bz2 itzks-systems-e348016211fe4004b4baab0a340a9edb8bddfe4c.zip | |
sbin/itzks-puppet-autosign-new-host-certificates: Support newer puppetserver ca API for handling certificate signing requests.
| -rwxr-xr-x | sbin/itzks-puppet-autosign-new-host-certificates | 78 |
1 files changed, 64 insertions, 14 deletions
diff --git a/sbin/itzks-puppet-autosign-new-host-certificates b/sbin/itzks-puppet-autosign-new-host-certificates index b65c903..4fbf678 100755 --- a/sbin/itzks-puppet-autosign-new-host-certificates +++ b/sbin/itzks-puppet-autosign-new-host-certificates @@ -16,27 +16,77 @@ # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# obtain list of puppet host certificate signing requests -NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" +unset http_proxy +unset https_proxy -# if any, iterate over them individually -if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then +HOSTNAME="$(hostname -f)" +PUPPET_SERVER="$(dig puppet.intern +short | head -n1)" - echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do +if [ "${HOSTNAME}." != "${PUPPET_SERVER}" ]; then + exit 0 +fi + +source /etc/os-release + +if [ "${ID}" = "debian" ] && \ + ([ "${VERSION_CODENAME}" == "stretch" ] || \ + [ "${VERSION_CODENAME}" == "buster" ] || \ + [ "${VERSION_CODENAME}" == "bullseye" ]); then + + ### Puppet 5.x et al. (until Debian 11) + + # obtain list of puppet host certificate signing requests + NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" + + # if any, iterate over them individually + if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then + + echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do + + # strip domain name + hostname_short="$(echo $host_csr | cut -d '.' -f1)" + + ## lookup host and see if it exists in LDAP: + ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + + if [ -n "${ldapsystem}" ]; then + + # yes, we should sign this host CSR + puppet cert sign "${host_csr}" + + fi + + done + + fi + +else + + # Puppet 7.x and newer... (Debian 12 and beyond) + + # obtain list of puppet host certificate signing requests + NEW_PUPPET_SIGNING_REQUESTS="$(puppetserver ca list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" + + # if any, iterate over them individually + if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then + + echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do + + # strip domain name + hostname_short="$(echo $host_csr | cut -d '.' -f1)" - # strip domain name - hostname_short="$(echo $host_csr | cut -d '.' -f1)" + ## lookup host and see if it exists in LDAP: + ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` - ## lookup host and see if it exists in LDAP: - ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + if [ -n "${ldapsystem}" ]; then - if [ -n "${ldapsystem}" ]; then + # yes, we should sign this host CSR + puppetserver ca sign --certname "${host_csr}" - # yes, we should sign this host CSR - puppet cert sign "${host_csr}" + fi - fi + done - done + fi fi |