From 1852b6cf92e0b08db26d3398faf41b2c8a20b400 Mon Sep 17 00:00:00 2001
From: Mike Gabriel
Date: Fri, 24 Jan 2025 16:29:30 +0100
Subject: sbin/*puppet*: Rework puppet client/ca maintenance scripts.

---
 sbin/itzks-puppet-autosign-new-host-certificates | 92 ------------------------
 1 file changed, 92 deletions(-)
 delete mode 100755 sbin/itzks-puppet-autosign-new-host-certificates

(limited to 'sbin/itzks-puppet-autosign-new-host-certificates')

diff --git a/sbin/itzks-puppet-autosign-new-host-certificates b/sbin/itzks-puppet-autosign-new-host-certificates
deleted file mode 100755
index 4fbf678..0000000
--- a/sbin/itzks-puppet-autosign-new-host-certificates
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/bin/bash
-
-# Copyright (C) 2022 Mike Gabriel
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-unset http_proxy
-unset https_proxy
-
-HOSTNAME="$(hostname -f)"
-PUPPET_SERVER="$(dig puppet.intern +short | head -n1)"
-
-if [ "${HOSTNAME}." != "${PUPPET_SERVER}" ]; then
- exit 0
-fi
-
-source /etc/os-release
-
-if [ "${ID}" = "debian" ] && \
-([ "${VERSION_CODENAME}" == "stretch" ] || \
-[ "${VERSION_CODENAME}" == "buster" ] || \
-[ "${VERSION_CODENAME}" == "bullseye" ]); then
-
- ### Puppet 5.x et al. (until Debian 11)
-
- # obtain list of puppet host certificate signing requests
- NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')"
-
- # if any, iterate over them individually
- if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then
-
- echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do
-
- # strip domain name
- hostname_short="$(echo $host_csr | cut -d '.' -f1)"
-
- ## lookup host and see if it exists in LDAP:
- ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'`
-
- if [ -n "${ldapsystem}" ]; then
-
- # yes, we should sign this host CSR
- puppet cert sign "${host_csr}"
-
- fi
-
- done
-
- fi
-
-else
-
- # Puppet 7.x and newer... (Debian 12 and beyond)
-
- # obtain list of puppet host certificate signing requests
- NEW_PUPPET_SIGNING_REQUESTS="$(puppetserver ca list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')"
-
- # if any, iterate over them individually
- if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then
-
- echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do
-
- # strip domain name
- hostname_short="$(echo $host_csr | cut -d '.' -f1)"
-
- ## lookup host and see if it exists in LDAP:
- ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'`
-
- if [ -n "${ldapsystem}" ]; then
-
- # yes, we should sign this host CSR
- puppetserver ca sign --certname "${host_csr}"
-
- fi
-
- done
-
- fi
-
-fi
-- cgit v1.2.3