author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 2022-02-08 11:51:45 +0100
committer: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 2022-02-08 11:51:49 +0100
commit: eff99e3e61f4e216b055a805002f5ece8567a915
tree: 69771d87bfc3302980625e5524d02d2b455baadb /code/environments/production/modules/ca_extend/REFERENCE.md
parent: 74e2687fa98ea5ba25fbe07c038253d1fc14584e
code/environments/production/modules: Add ca_extend module instead.
Diffstat (limited to 'code/environments/production/modules/ca_extend/REFERENCE.md')
-rw-r--r-- code/environments/production/modules/ca_extend/REFERENCE.md 188
1 files changed, 188 insertions, 0 deletions
diff --git a/code/environments/production/modules/ca_extend/REFERENCE.md b/code/environments/production/modules/ca_extend/REFERENCE.md
new file mode 100644
index 0000000..2657a3d
--- /dev/null
+++ b/code/environments/production/modules/ca_extend/REFERENCE.md
@@ -0,0 +1,188 @@
+# Reference
+
+<!-- DO NOT EDIT: This document was generated by Puppet Strings -->
+
+## Table of Contents
+
+### Tasks
+
+* [`check_agent_expiry`](#check_agent_expiry): Check the expiration date of all agent certificates
+* [`check_ca_expiry`](#check_ca_expiry): Check the expiration date of a CA certificate
+* [`check_primary_cert`](#check_primary_cert): Check the expiration date of the primary server cert
+* [`configure_primary`](#configure_primary): Backup ssldir and copy newly generated CA certificate
+* [`extend_ca_cert`](#extend_ca_cert): Extend CA certificate expiry date
+
+### Plans
+
+* [`ca_extend::extend_ca_cert`](#ca_extendextend_ca_cert): Plan that extends the Puppet CA certificate and configures the primary Puppet server
+and Compilers to use the extended certificate.
+* [`ca_extend::get_agent_facts`](#ca_extendget_agent_facts): A plan to work around BOLT-1168 so that one agent failing in apply_prep won't cause the whole plan to fail.
+* [`ca_extend::upload_ca_cert`](#ca_extendupload_ca_cert): A plan to upload a given CA certificate to a number of Puppet agent nodes
+
+## Tasks
+
+### <a name="check_agent_expiry"></a>`check_agent_expiry`
+
+Check the expiration date of all agent certificates
+
+**Supports noop?** false
+
+#### Parameters
+
+##### `date`
+
+Data type: `Optional[String[1]]`
+
+YYYY-MM-DD date to test whether the certificates will expire by. Defaults to three months from today
+
+### <a name="check_ca_expiry"></a>`check_ca_expiry`
+
+Check the expiration date of a CA certificate
+
+**Supports noop?** false
+
+#### Parameters
+
+##### `cert`
+
+Data type: `Optional[String[1]]`
+
+Location of the CA certificate to check. Defaults to Puppet's default location
+
+##### `date`
+
+Data type: `Optional[String[1]]`
+
+YYYY-MM-DD date to test whether the certificate will expire by. Defaults to three months from today
+
+### <a name="check_primary_cert"></a>`check_primary_cert`
+
+Check the expiration date of the primary server cert
+
+**Supports noop?** false
+
+### <a name="configure_primary"></a>`configure_primary`
+
+Backup ssldir and copy newly generated CA certificate
+
+**Supports noop?** false
+
+#### Parameters
+
+##### `new_cert`
+
+Data type: `String`
+
+Location of the newly generated CA certificate
+
+##### `regen_primary_cert`
+
+Data type: `Boolean`
+
+Flag to regerate the primary server's certificate. Set to true to perform the regeneration
+
+### <a name="extend_ca_cert"></a>`extend_ca_cert`
+
+Extend CA certificate expiry date
+
+**Supports noop?** false
+
+## Plans
+
+### <a name="ca_extendextend_ca_cert"></a>`ca_extend::extend_ca_cert`
+
+Plan that extends the Puppet CA certificate and configures the primary Puppet server
+and Compilers to use the extended certificate.
+
+#### Examples
+
+##### Extend the CA cert and regenerate the primary agent cert locally on the primary Puppet server
+
+```puppet
+bolt plan run ca_extend::extend_ca_cert regen_primary_cert=true --targets local://$(hostname -f) --run-as root
+```
+
+##### Extend the CA cert by running the plan remotely
+
+```puppet
+bolt plan run ca_extend::extend_ca_cert --targets <primary_fqdn> --run-as root
+```
+
+#### Parameters
+
+The following parameters are available in the `ca_extend::extend_ca_cert` plan:
+
+* [`targets`](#targets)
+* [`compilers`](#compilers)
+* [`ssldir`](#ssldir)
+* [`regen_primary_cert`](#regen_primary_cert)
+
+##### <a name="targets"></a>`targets`
+
+Data type: `TargetSpec`
+
+The target node on which to run the plan. Should be the primary Puppet server
+
+##### <a name="compilers"></a>`compilers`
+
+Data type: `Optional[TargetSpec]`
+
+Optional comma separated list of compilers to upload the certificate to
+
+Default value: ``undef``
+
+##### <a name="ssldir"></a>`ssldir`
+
+Data type: `Any`
+
+Location of the ssldir on disk
+
+Default value: `'/etc/puppetlabs/puppet/ssl'`
+
+##### <a name="regen_primary_cert"></a>`regen_primary_cert`
+
+Data type: `Any`
+
+Whether to also regenerate the agent certificate of the primary Puppet server
+
+Default value: ``false``
+
+### <a name="ca_extendget_agent_facts"></a>`ca_extend::get_agent_facts`
+
+A plan to work around BOLT-1168 so that one agent failing in apply_prep won't cause the whole plan to fail.
+
+#### Parameters
+
+The following parameters are available in the `ca_extend::get_agent_facts` plan:
+
+* [`nodes`](#nodes)
+
+##### <a name="nodes"></a>`nodes`
+
+Data type: `TargetSpec`
+
+The targets to run apply_prep on
+
+### <a name="ca_extendupload_ca_cert"></a>`ca_extend::upload_ca_cert`
+
+A plan to upload a given CA certificate to a number of Puppet agent nodes
+
+#### Parameters
+
+The following parameters are available in the `ca_extend::upload_ca_cert` plan:
+
+* [`nodes`](#nodes)
+* [`cert`](#cert)
+
+##### <a name="nodes"></a>`nodes`
+
+Data type: `TargetSpec`
+
+The targets to upload the certificate to
+
+##### <a name="cert"></a>`cert`
+
+Data type: `String`
+
+The location of the CA certificate on disk of the local machine
+
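Review bot: In the `ca_extend::extend_ca_cert` plan parameters, `ssldir` and `regen_primary_cert` are documented with data type `Any`, although the `configure_primary` task declares `regen_primary_cert` as `Boolean` and both usage examples run the plan with `--run-as root`. Suggest tightening these in the plan source (`Boolean` for the flag, a string or absolute-path type for `ssldir`) so a mistyped value fails type checking instead of reaching the steps that back up the ssldir and copy the CA certificate, and then regenerating this file, since its header marks it as generated by Puppet Strings and not to be edited by hand. Smaller points for the same regeneration: "regerate" in the `configure_primary` description of `regen_primary_cert` should read "regenerate"; `<a name="nodes">` is emitted for both `ca_extend::get_agent_facts` and `ca_extend::upload_ca_cert`, so `#nodes` links are ambiguous; and the two `bolt plan run` examples are fenced as `puppet` although they are shell commands.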