author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2023-09-27 22:07:48 +0200 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2023-09-27 22:07:48 +0200 |
commit | e348016211fe4004b4baab0a340a9edb8bddfe4c (patch) | |
tree | 25eef74d95c4449822bf4cca0bfc5802266e5cae /sbin/itzks-puppet-autosign-new-host-certificates | |
parent | 0dfc9cef12c5aaac7da817d871317d645f45f34e (diff) | |
download | itzks-systems-e348016211fe4004b4baab0a340a9edb8bddfe4c.tar.gz itzks-systems-e348016211fe4004b4baab0a340a9edb8bddfe4c.tar.bz2 itzks-systems-e348016211fe4004b4baab0a340a9edb8bddfe4c.zip |
sbin/itzks-puppet-autosign-new-host-certificates: Support newer puppetserver ca API for handling certificate signing requests.
Diffstat (limited to 'sbin/itzks-puppet-autosign-new-host-certificates')
-rwxr-xr-x | sbin/itzks-puppet-autosign-new-host-certificates | 78 |
1 files changed, 64 insertions, 14 deletions
diff --git a/sbin/itzks-puppet-autosign-new-host-certificates b/sbin/itzks-puppet-autosign-new-host-certificates
index b65c903..4fbf678 100755
--- a/sbin/itzks-puppet-autosign-new-host-certificates
+++ b/sbin/itzks-puppet-autosign-new-host-certificates
@@ -16,27 +16,77 @@ # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# obtain list of puppet host certificate signing requests -NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" +unset http_proxy +unset https_proxy -# if any, iterate over them individually -if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then +HOSTNAME="$(hostname -f)" +PUPPET_SERVER="$(dig puppet.intern +short | head -n1)" - echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do +if [ "${HOSTNAME}." != "${PUPPET_SERVER}" ]; then + exit 0 +fi + +source /etc/os-release + +if [ "${ID}" = "debian" ] && \ + ([ "${VERSION_CODENAME}" == "stretch" ] || \ + [ "${VERSION_CODENAME}" == "buster" ] || \ + [ "${VERSION_CODENAME}" == "bullseye" ]); then + + ### Puppet 5.x et al. (until Debian 11) + + # obtain list of puppet host certificate signing requests + NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" + + # if any, iterate over them individually + if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then + + echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do + + # strip domain name + hostname_short="$(echo $host_csr | cut -d '.' -f1)" + + ## lookup host and see if it exists in LDAP: + ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + + if [ -n "${ldapsystem}" ]; then + + # yes, we should sign this host CSR + puppet cert sign "${host_csr}" + + fi + + done + + fi + +else + + # Puppet 7.x and newer... 
(Debian 12 and beyond) + + # obtain list of puppet host certificate signing requests + NEW_PUPPET_SIGNING_REQUESTS="$(puppetserver ca list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" + + # if any, iterate over them individually + if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then + + echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do + + # strip domain name + hostname_short="$(echo $host_csr | cut -d '.' -f1)" - # strip domain name - hostname_short="$(echo $host_csr | cut -d '.' -f1)" + ## lookup host and see if it exists in LDAP: + ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` - ## lookup host and see if it exists in LDAP: - ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + if [ -n "${ldapsystem}" ]; then - if [ -n "${ldapsystem}" ]; then + # yes, we should sign this host CSR + puppetserver ca sign --certname "${host_csr}" - # yes, we should sign this host CSR - puppet cert sign "${host_csr}" + fi - fi + done - done + fi fi |
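Review bot: In both new branches of the hunk, `hostname_short` is taken verbatim from the client-chosen certname and interpolated unescaped into the `ldapsearch` filter `(&(cn=${hostname_short})...)`, yet a non-empty lookup result is the only thing gating `puppet cert sign` / `puppetserver ca sign`, so LDAP filter metacharacters in a certname can widen the match and get a CSR signed that no LDAP host entry actually names. Rejecting anything that is not a plain DNS label before the lookup closes this, e.g. `case "${hostname_short}" in ''|*[!A-Za-z0-9-]*) continue ;; esac` placed right after the `cut` line in both branches (using `read -r` and quoting `"$host_csr"` on the same lines). Separately, the new gate `PUPPET_SERVER="$(dig puppet.intern +short | head -n1)"` only equals `"${HOSTNAME}."` when `puppet.intern` resolves through a CNAME whose first `+short` line is this host's FQDN; with a plain A record or a DNS failure the script silently exits 0 and autosigning stops with no diagnostic, so at least a `printf '%s\n' "not the puppet server, skipping" >&2` before the `exit 0` would make that visible in logs. The `puppetserver ca list` output also appears to start with a `Requested Certificates:` heading that `awk '{ print $1 }'` does not filter out, so the new loop likely processes a bogus `Requested` entry on every run; confirm the output format and skip lines that are not certname rows.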