Reference

Table of Contents

Tasks

Plans

  • ca_extend::extend_ca_cert: Plan that extends the Puppet CA certificate and configures the primary Puppet server and Compilers to use the extended certificate.
  • ca_extend::get_agent_facts: A plan to work around BOLT-1168 so that one agent failing in apply_prep won't cause the whole plan to fail.
  • ca_extend::upload_ca_cert: A plan to upload a given CA certificate to a number of Puppet agent nodes

Tasks

check_agent_expiry

Check the expiration date of all agent certificates

Supports noop? false

Parameters

date

Data type: Optional[String[1]]

YYYY-MM-DD date to test whether the certificates will expire by. Defaults to three months from today

check_ca_expiry

Check the expiration date of a CA certificate

Supports noop? false

Parameters

cert

Data type: Optional[String[1]]

Location of the CA certificate to check. Defaults to Puppet's default location

date

Data type: Optional[String[1]]

YYYY-MM-DD date to test whether the certificate will expire by. Defaults to three months from today

check_crl_cert

Check the expiration date of the primary server CRL

Supports noop? false

check_primary_cert

Check the expiration date of the primary server cert

Supports noop? false

configure_primary

Back up ssldir and copy newly generated CA certificate

Supports noop? false

Parameters

new_cert

Data type: String

Location of the newly generated CA certificate

regen_primary_cert

Data type: Boolean

Flag to regenerate the primary server's certificate. Set to true to perform the regeneration

crl_truncate

Truncate the CRL issued by the Puppet CA

Supports noop? false

Parameters

ssldir

Data type: Optional[String[1]]

The location of the Puppet ssl dir

crl_expiration_days

Data type: Integer[1]

The number of days until the new CRL expires. Defaults to 15 years (5475 days)

run_puppet_agent

Data type: Boolean

Whether to run the Puppet agent after creating the CRL. Defaults to true

extend_ca_cert

Extend CA certificate expiry date

Supports noop? false

Plans

ca_extend::extend_ca_cert

Plan that extends the Puppet CA certificate and configures the primary Puppet server and Compilers to use the extended certificate.

Examples

Extend the CA cert and regenerate the primary agent cert locally on the primary Puppet server

    bolt plan run ca_extend::extend_ca_cert regen_primary_cert=true --targets local://$(hostname -f) --run-as root

Extend the CA cert by running the plan remotely

    bolt plan run ca_extend::extend_ca_cert --targets <primary_fqdn> --run-as root

Parameters

The following parameters are available in the ca_extend::extend_ca_cert plan:

targets

Data type: TargetSpec

The target node on which to run the plan. Should be the primary Puppet server

compilers

Data type: Optional[TargetSpec]

Optional comma-separated list of compilers to upload the certificate to

Default value: undef

ssldir

Data type: Any

Location of the ssldir on disk

Default value: '/etc/puppetlabs/puppet/ssl'

regen_primary_cert

Data type: Any

Whether to also regenerate the agent certificate of the primary Puppet server

Default value: false

ca_extend::get_agent_facts

A plan to work around BOLT-1168 so that one agent failing in apply_prep won't cause the whole plan to fail.

Parameters

The following parameters are available in the ca_extend::get_agent_facts plan:

nodes

Data type: TargetSpec

The targets to run apply_prep on

ca_extend::upload_ca_cert

A plan to upload a given CA certificate to a number of Puppet agent nodes

Parameters

The following parameters are available in the ca_extend::upload_ca_cert plan:

nodes

Data type: TargetSpec

The targets to upload the certificate to

cert

Data type: String

The location of the CA certificate on disk of the local machine