From c311dea6eb48e9764a787eda315e4d9109e6c255 Mon Sep 17 00:00:00 2001
From: Mike Gabriel
Date: Tue, 15 Feb 2022 21:47:33 +0100
Subject: modules/: Add module certregen.
---
.../modules/certregen/manifests/client.pp | 28 ++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 code/environments/production/modules/certregen/manifests/client.pp
(limited to 'code/environments/production/modules/certregen/manifests/client.pp')
diff --git a/code/environments/production/modules/certregen/manifests/client.pp b/code/environments/production/modules/certregen/manifests/client.pp
new file mode 100644
index 0000000..54eb153
--- /dev/null
+++ b/code/environments/production/modules/certregen/manifests/client.pp
@@ -0,0 +1,28 @@
+# Distribute the current Puppet CA certificate to client systems.
+#
+# To ensure the portability of this code and minimize dependencies, this class uses the `file`
+# function to distribute the CA certificate instead of having end nodes directly fetch the
+# certificate themselves. This means that Puppet installations using a master of master/CA server
+# and compile nodes will need to run Puppet on the compile masters before the CA cert can be
+# distributed to the agents.
+class certregen::client(
+ $manage_crl = true
+) {
+ file { $::localcacert:
+ ensure => present,
+ content => file($settings::cacert, $settings::localcacert, '/dev/null'),
+ mode => '0644',
+ }
+
+ $pe_build = getvar('::pe_build')
+ $crl_managed_by_pe = ($pe_build and versioncmp($pe_build, '3.7.0') >= 0) and is_classified_with('puppet_enterprise::profile::master')
+ $needs_crl = $manage_crl and !defined(File[$::hostcrl]) and !$crl_managed_by_pe
+
+ if $needs_crl {
+ file { $::hostcrl:
+ ensure => present,
+ content => file($settings::cacrl, $settings::hostcrl, '/dev/null'),
+ mode => '0644',
+ }
+ }
+}
--
cgit v1.2.3
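Review bot: The `'/dev/null'` fallback in both `file()` calls lets the catalog compile with empty content when neither settings path is readable on the compiling server, so the agent's `$::localcacert` (and `$::hostcrl`) would be overwritten with an empty file. For the CA certificate that removes the agent's trust anchor for the server, and for the CRL it presumably leaves the agent with no revocation data, with nothing in the run to flag either. Consider dropping the fallback on the CA resource, `content => file($settings::cacert, $settings::localcacert),`, so that compilation fails loudly, and skipping the CRL resource when the looked-up content is empty. If the fallback is deliberate for compile masters that have not yet received the files, a comment on the `content` lines saying so would help, since the header comment only describes the ordering requirement.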