itzks-puppet-autosign-new-host-certificates: Add script. Auto-sign puppet host CSRs if host is in LDAP.

1 files changed, 42 insertions, 0 deletions

diff --git a/sbin/itzks-puppet-autosign-new-host-certificates b/sbin/itzks-puppet-autosign-new-host-certificates
new file mode 100755
index 0000000..b65c903
--- /dev/null
+++ b/sbin/itzks-puppet-autosign-new-host-certificates
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+# obtain list of puppet host certificate signing requests
+NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')"
+
+# if any, iterate over them individually
+if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then
+
+	echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do
+
+		# strip domain name
+		hostname_short="$(echo $host_csr | cut -d '.' -f1)"
+
+		## lookup host and see if it exists in LDAP:
+		ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'`
+
+		if [ -n "${ldapsystem}" ]; then
+
+			# yes, we should sign this host CSR
+			puppet cert sign "${host_csr}"
+
+		fi
+
+	done
+
+fi