author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2022-02-15 21:52:01 +0100 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2022-02-15 21:52:01 +0100 |
commit | 77301e8a2accf45c1e9cd55b60e9caf720a20155 (patch) | |
tree | a63b8bd07590b0f0b3655f851ed3b1f65c5d2241 /code/environments/production/modules/certregen/manifests/client.pp | |
parent | 40236de30e742094fa7e8fbaaac34995121f6466 (diff) | |
Diffstat (limited to 'code/environments/production/modules/certregen/manifests/client.pp')
-rw-r--r-- | code/environments/production/modules/certregen/manifests/client.pp | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/code/environments/production/modules/certregen/manifests/client.pp b/code/environments/production/modules/certregen/manifests/client.pp
new file mode 100644
index 0000000..54eb153
--- /dev/null
+++ b/code/environments/production/modules/certregen/manifests/client.pp
@@ -0,0 +1,28 @@
+# Distribute the current Puppet CA certificate to client systems.
+#
+# To ensure the portability of this code and minimize dependencies, this class uses the `file`
+# function to distribute the CA certificate instead of having end nodes directly fetch the
+# certificate themselves. This means that Puppet installations using a master of master/CA server
+# and compile nodes will need to run Puppet on the compile masters before the CA cert can be
+# distributed to the agents.
+class certregen::client(
+ $manage_crl = true
+) {
+ file { $::localcacert:
+ ensure => present,
+ content => file($settings::cacert, $settings::localcacert, '/dev/null'),
+ mode => '0644',
+ }
+
+ $pe_build = getvar('::pe_build')
+ $crl_managed_by_pe = ($pe_build and versioncmp($pe_build, '3.7.0') >= 0) and is_classified_with('puppet_enterprise::profile::master')
+ $needs_crl = $manage_crl and !defined(File[$::hostcrl]) and !$crl_managed_by_pe
+
+ if $needs_crl {
+ file { $::hostcrl:
+ ensure => present,
+ content => file($settings::cacrl, $settings::hostcrl, '/dev/null'),
+ mode => '0644',
+ }
+ }
+} |
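Review bot: Both `file()` calls end with a `'/dev/null'` fallback, so when neither settings path is readable on the compiling server the catalog carries empty content and `ensure => present` overwrites the agent's CA certificate (or CRL) with a zero-byte file. An empty trust anchor would presumably stop the agent from verifying the server on later runs, and an empty CRL drops the revocation data, in both cases without any compile-time error. Prefer failing compilation by dropping the fallback, e.g. `content => file($settings::cacert, $settings::localcacert),` and likewise for the CRL, or assign the result to a variable and declare each resource only when it is non-empty. A short comment above each resource stating that the content is read on the compiling server rather than on the agent would make the ordering caveat in the header easier to follow.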