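---
# Puppet SSL certificate rotation. The plays in this file stop the master,
# puppetdb and the agents, move the existing /var/lib/puppet/ssl trees aside,
# regenerate certificates and restart everything; the last plays restore the
# saved trees. `backup_suffix` (default 'backup') names the ssl-<suffix>
# backup directory and is used by every play below.
- hosts: puppetmaster
  tasks:
    - name: stop master puppet
      service:
        name: httpd
        state: stopped
      tags:
        - master
        - service
        - stop

    # pkill exits 1 when no process matched, which is the normal case after a
    # clean service stop, so only rc > 1 (usage/internal error) fails the task
    # and "changed" is reported only when something was actually killed.
    - name: kill remaining httpd process
      command: pkill httpd
      register: httpd_kill
      failed_when: httpd_kill.rc > 1
      changed_when: httpd_kill.rc == 0
      tags:
        - master
        - service
        - stop

    - name: remove old backup
      file:
        path: "/var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}"
        state: absent
      tags:
        - master
        - cleanup

    # The tree (CA and private keys) is moved, not deleted, so the restore
    # plays at the end of the file can put it back. `creates` makes a re-run
    # skip the move once the backup directory exists.
    - name: "backup & remove ssl master certs"
      command: mv /var/lib/puppet/ssl /var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}
      args:
        creates: "/var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}"
      tags:
        - master
        - remove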
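# Stop the services on the puppetdb host. Both tasks carry the same tags so a
# `--tags stop` / `--tags service` run handles them together (an untagged task
# is skipped whenever a --tags filter is given).
# NOTE(review): unlike the client play, this play does not move the agent's
# /var/lib/puppet/ssl tree aside on the puppetdb host — confirm it is handled
# elsewhere (e.g. the host is also in the puppetmaster group).
- hosts: puppetdb
  tasks:
    - name: stop puppet agent
      service:
        name: puppet
        state: stopped
      tags:
        - master
        - service
        - stop

    - name: stop puppetdb
      service:
        name: puppetdb
        state: stopped
      tags:
        - master
        - service
        - stop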
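# Agent hosts: stop the agent and move its SSL tree aside. Every task here is
# tagged `client` so `--tags client` runs the whole play.
- hosts: all,!puppetmaster,!puppetdb
  tasks:
    - name: "stop puppet"
      service:
        name: puppet
        state: stopped
      tags:
        - client
        - service
        - stop

    # pkill exits 1 when nothing matched, which is the normal case after a
    # clean stop, so only rc > 1 fails the task; "changed" only when a
    # process was actually killed.
    - name: kill remaining puppet process
      command: pkill puppet
      register: puppet_kill
      failed_when: puppet_kill.rc > 1
      changed_when: puppet_kill.rc == 0
      tags:
        - client
        - service
        - stop

    - name: remove old backup
      file:
        path: "/var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}"
        state: absent
      tags:
        - client
        - cleanup

    # Moved, not deleted, so the restore play at the end can put it back;
    # `creates` makes a re-run skip the move once the backup exists.
    - name: "backup & remove ssl stuff"
      command: mv /var/lib/puppet/ssl /var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}
      args:
        creates: "/var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}"
      tags:
        - client
        - remove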
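# Regenerate the master's certificates and bring httpd back.
- hosts: puppetmaster
  gather_facts: false
  tasks:
    # `puppet cert list -a` only prints the certificate inventory; it changes
    # nothing, so it is reported as unchanged instead of always "changed".
    - name: re-generate certs
      command: puppet cert list -a
      changed_when: false
      tags:
        - master
        - generate

    # Runs the master in the foreground until it logs that it has started,
    # then grep exits on the first match and the pipeline ends. The intent
    # appears to be that the master creates its new certificates on the way to
    # that message. ignore_errors keeps the play going when the pipeline
    # returns non-zero — TODO confirm which exit status is expected here.
    - name: "generate puppet master's new cert"
      shell: "puppet master --no-daemonize --verbose 2>&1 | grep -m 1 -F 'Notice: Starting Puppet master'"
      ignore_errors: true
      tags:
        - master
        - generate

    - name: start master puppet
      service:
        name: httpd
        state: started
      tags:
        - master
        - service
        - start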
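# Re-create puppetdb's own SSL material against the regenerated master.
- hosts: puppetdb
  gather_facts: false
  tasks:
    # `creates` makes the move idempotent: without it a second run would fail
    # once /etc/puppetdb/ssl is gone, or — if the backup dir already exists —
    # mv would put the fresh ssl dir *inside* it. If a stale backup from an
    # earlier rotation is present it has to be removed first (the master play
    # does that for /var/lib/puppet; this play does not) — TODO confirm.
    - name: move old SSL out of the way
      command: mv /etc/puppetdb/ssl /etc/puppetdb/ssl-{{ backup_suffix | default('backup') }}
      args:
        creates: "/etc/puppetdb/ssl-{{ backup_suffix | default('backup') }}"

    - name: create SSL dir
      file:
        path: /etc/puppetdb/ssl
        state: directory
        owner: puppetdb
        group: puppetdb

    # One foreground agent run, presumably so this host obtains a certificate
    # from the regenerated master before puppetdb-ssl-setup is run — verify.
    - name: run puppet once
      puppet:

    - name: stop puppet agent
      service:
        name: puppet
        state: stopped

    - name: run puppetdb-ssl-setup
      command: /usr/libexec/puppetdb/puppetdb-ssl-setup
      tags:
        - master
        - generate

    - name: start puppetdb
      service:
        name: puppetdb
        state: started
      tags:
        - master
        - service
        - start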
# Agent hosts: upgrade the puppet package, then start the agent so it requests
# a certificate from the regenerated master.
- hosts: all,!puppetmaster,!puppetdb
  gather_facts: false
  tasks:
    # Single quotes keep the backslash literal, so the remote shell (not YAML)
    # sees `irt-puppet\*` and turns it into the repo glob.
    - name: update puppet
      shell: 'yum -y --enablerepo=irt-puppet\* --disableplugin=priorities update puppet'
      tags:
        - client
        - upgrade

    - name: "start puppet"
      service:
        name: puppet
        state: started
      tags:
        - client
        - service
        - start
# https://docs.puppet.com/puppet/3.7/ssl_regenerate_certificates.html
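# Restore the master's saved SSL tree. The current tree is only discarded
# once the backup is confirmed to exist, so a run without a backup cannot
# leave the master with no certificates at all.
- hosts: puppetmaster
  tasks:
    - name: stop master puppet
      service:
        name: httpd
        state: stopped

    - name: check that the ssl backup exists
      stat:
        path: "/var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}"
      register: ssl_backup

    - name: "remove ssl master certs"
      file:
        path: /var/lib/puppet/ssl
        state: absent
      when: ssl_backup.stat.exists

    # The backup directory is moved back into place (mv, not copy).
    - name: "restore ssl master certs"
      command: mv /var/lib/puppet/ssl-{{ backup_suffix | default('backup') }} /var/lib/puppet/ssl
      args:
        removes: "/var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}"
      when: ssl_backup.stat.exists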
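# Restore the agents' saved SSL trees. The current tree is only discarded
# once the backup is confirmed to exist.
# NOTE(review): this host pattern also matches the puppetdb group, which the
# backup plays earlier in the file exclude — confirm that is intended.
- hosts: all,!puppetmaster
  tasks:
    - name: "stop puppet"
      service:
        name: puppet
        state: stopped
        pattern: "puppet agent"

    - name: check that the ssl backup exists
      stat:
        path: "/var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}"
      register: ssl_backup

    - name: "remove ssl certs"
      file:
        path: /var/lib/puppet/ssl
        state: absent
      when: ssl_backup.stat.exists

    - name: "restore ssl stuff"
      command: mv /var/lib/puppet/ssl-{{ backup_suffix | default('backup') }} /var/lib/puppet/ssl
      args:
        removes: "/var/lib/puppet/ssl-{{ backup_suffix | default('backup') }}"
      when: ssl_backup.stat.exists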
# Bring the master's httpd back after the restore.
- hosts: puppetmaster
  gather_facts: false
  tasks:
    - name: start master puppet
      service:
        name: httpd
        state: started
# Restart the agents after the restore.
- hosts: all,!puppetmaster,!puppetdb
  gather_facts: false
  tasks:
    - name: "start puppet"
      service:
        name: puppet
        state: started
# puppet:
@droopy4096

The restore part was never tested.

@droopy4096

The re-signing part was never run in a single pass — it was always split by tags/limits — so there are no guarantees for a whole-playbook run, but it does reflect the steps I had to go through.
