From 1ab7967f4b0327998c9eed65fbd1063037b1f1b9 Mon Sep 17 00:00:00 2001 From: dotconfig404 Date: Fri, 31 Oct 2025 07:40:08 +0100 Subject: [PATCH 1/7] refactor: change some hardcoded puppet paths to dynamic --- .../20-use-templates-initially.sh | 2 +- .../40-update-puppetdb-conf.sh | 2 +- .../70-set-dns-alt-names.sh | 3 ++- .../89-csr_attributes.rb | 3 ++- .../89-csr_attributes.sh | 3 ++- openvoxserver/container-entrypoint.d/90-ca.sh | 22 ++++++++++--------- .../container-entrypoint.d/99-log-config.sh | 22 ++++++++++--------- 7 files changed, 32 insertions(+), 25 deletions(-) diff --git a/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh b/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh index 390c2f3..b88fd85 100755 --- a/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh +++ b/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh @@ -7,7 +7,7 @@ set -e # default TEMPLATES=/var/tmp/puppet -cd /etc/puppetlabs/puppet +cd "$(puppet config print confdir)" for f in auth.conf hiera.yaml puppet.conf puppetdb.conf; do [ -f "$TEMPLATES/$f" ] && [ ! -f "$f" ] && { echo "Copying template $f from $TEMPLATES" diff --git a/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh b/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh index 072ce6f..f460b5c 100755 --- a/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh +++ b/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh @@ -3,5 +3,5 @@ set -e if test -n "${OPENVOXDB_SERVER_URLS}" ; then - sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" /etc/puppetlabs/puppet/puppetdb.conf + sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(puppet config print confdir)/puppetdb.conf fi diff --git a/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh b/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh index 37b14e3..7dc709f 100755 
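Review bot: In `cd "$(puppet config print confdir)"` a failure of `puppet config print` is not caught by `set -e`, because the status of that command is the status of `cd`, not of the substitution; with an empty result `cd ""` is shell-dependent (a no-op in bash, as far as I recall), so the loop would copy the templates into the current directory rather than into confdir. Capturing the value first, `confdir=$(puppet config print confdir)` and then `cd "$confdir"`, makes the lookup's status the command's status so `set -e` aborts the script. The same applies to `$(puppet config print confdir)/puppetdb.conf` in 40-update-puppetdb-conf.sh, which additionally is unquoted, and to the `$(puppet config print ssldir)` substitution inside `test` in 70-set-dns-alt-names.sh. 99-log-config.sh assigns `ssl_dir=$(puppet config print ssldir)` on its own line but no `set -e` is visible in that hunk, so a guard such as `: "${ssl_dir:?puppet config print ssldir failed}"` may be needed there.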
--- a/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh +++ b/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh @@ -7,9 +7,10 @@ config_section=main # Allow setting dns_alt_names for the compilers certificate. This # setting will only have an effect when the container is started without # an existing certificate on the /etc/puppetlabs/puppet volume + if [ -n "${DNS_ALT_NAMES}" ]; then certname=$(puppet config print certname) - if test ! -f "${SSLDIR}/certs/$certname.pem" ; then + if test ! -f "$(puppet config print ssldir)/certs/$certname.pem" ; then puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section "${config_section}" else actual=$(puppet config print dns_alt_names --section "${config_section}") diff --git a/openvoxserver/container-entrypoint.d/89-csr_attributes.rb b/openvoxserver/container-entrypoint.d/89-csr_attributes.rb index 3109f31..2a3e5d5 100755 --- a/openvoxserver/container-entrypoint.d/89-csr_attributes.rb +++ b/openvoxserver/container-entrypoint.d/89-csr_attributes.rb @@ -3,9 +3,10 @@ require 'json' require 'yaml' +target_path = ARGV[0] || '/etc/puppetlabs/puppet/csr_attributes.yaml' begin csr_yaml = YAML.dump(JSON.load(ENV['CSR_ATTRIBUTES'])) - File.write('/etc/puppetlabs/puppet/csr_attributes.yaml', csr_yaml) + File.write(target_path, csr_yaml) rescue => error puts "Error on reading JSON env. Terminating" puts "Malformed JSON: #{ENV['CSR_ATTRIBUTES']}" diff --git a/openvoxserver/container-entrypoint.d/89-csr_attributes.sh b/openvoxserver/container-entrypoint.d/89-csr_attributes.sh index 08cab7a..0873783 100755 --- a/openvoxserver/container-entrypoint.d/89-csr_attributes.sh +++ b/openvoxserver/container-entrypoint.d/89-csr_attributes.sh 
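Review bot: The comment kept above the new check still says the certificate is looked for `on the /etc/puppetlabs/puppet volume`, while the condition now resolves `$(puppet config print ssldir)`, which for a non-root user (the case PATCH 5/7 introduces) points under that user's home rather than the volume. Keeping the comment in step with the code, e.g. `# an existing certificate in the ssldir reported by "puppet config print ssldir"`, avoids sending an operator to the wrong path when a certificate is unexpectedly regenerated. The `if` block continues past the end of the hunk.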
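Review bot: `target_path = ARGV[0] || '/etc/puppetlabs/puppet/csr_attributes.yaml'` only falls back when no argument is given, but the wrapper added in 89-csr_attributes.sh always passes `"$CSR_PATH"`, and if `puppet config print csr_attributes` produced nothing that argument is `""`, which is truthy in Ruby, so `File.write("", csr_yaml)` raises `Errno::ENOENT` inside the `begin` and the rescue reports it as `Malformed JSON`. The same misreport happens for any write failure — for instance a permission error once the entrypoint runs as the `puppet` user — because `File.write` sits inside the block meant to catch JSON errors. Suggest `target_path = ARGV[0].to_s.empty? ? '/etc/puppetlabs/puppet/csr_attributes.yaml' : ARGV[0]` and moving `File.write(target_path, csr_yaml)` below the `rescue` (or rescuing `JSON::ParserError` only), so a write failure surfaces with its own message and path. The rescue body continues outside the hunk.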
@@ -5,8 +5,9 @@ set -e # determine script location readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}") readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME") +readonly CSR_PATH=$(puppet config print csr_attributes) if [ -n "${CSR_ATTRIBUTES}" ]; then echo "CSR Attributes: ${CSR_ATTRIBUTES}" - /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" + /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH" fi diff --git a/openvoxserver/container-entrypoint.d/90-ca.sh b/openvoxserver/container-entrypoint.d/90-ca.sh index 23e79ef..fb711cc 100755 --- a/openvoxserver/container-entrypoint.d/90-ca.sh +++ b/openvoxserver/container-entrypoint.d/90-ca.sh @@ -15,11 +15,16 @@ puppetlabs.services.ca.certificate-authority-disabled-service/certificate-author puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service EOF + ssl_dir=$(puppet config print ssldir) ssl_cert=$(puppet config print hostcert) ssl_key=$(puppet config print hostprivkey) ssl_ca_cert=$(puppet config print localcacert) ssl_crl_path=$(puppet config print hostcrl) - + cadir=$(puppet config print cadir) + # `puppet config` cadir resolves to the system cadir, but `puppetserver ca` + # resolves it to ~/.puppetlabs/etc/puppetserver/ca as non-root + # explicitly setting it works around the issue... + puppet config set cadir $cadir cd /etc/puppetlabs/puppetserver/conf.d/ hocon -f webserver.conf set webserver.ssl-cert $ssl_cert @@ -59,7 +64,7 @@ else exit 99 fi - if [[ -f /etc/puppetlabs/puppetserver/ca/ca_crt.pem ]]; then + if [[ -f $cadir/ca_crt.pem ]]; then echo "CA already imported." else puppetserver ca import \ @@ -68,9 +73,8 @@ else --private-key $INTERMEDIATE_CA_KEY fi else - new_cadir=/etc/puppetlabs/puppetserver/ca - - if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then + + if [ ! -f "$cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then # There is no existing CA # Append user-supplied DNS Alt Names 
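Review bot: `readonly CSR_PATH=$(puppet config print csr_attributes)` masks the exit status of the command substitution (ShellCheck SC2155): `readonly` returns 0 whatever `puppet` returned, so under `set -e` a failing lookup leaves `CSR_PATH` empty and the Ruby script is then invoked with an empty path argument. Splitting declaration from assignment, `CSR_PATH=$(puppet config print csr_attributes)` followed by `readonly CSR_PATH`, lets `set -e` stop the script instead. The existing `SCRIPT_FILENAME` and `SCRIPT_PATH` lines have the same shape but are not changed here. The interpreter path `/opt/puppetlabs/puppet/bin/ruby` stays hardcoded although the commit's aim is replacing hardcoded paths; presumably intended, since `puppet config print` does not report it.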
@@ -87,13 +91,11 @@ else # See puppet.conf file for relevant settings puppetserver ca setup \ - --ca-name "$ca_name" \ - --config /etc/puppetlabs/puppet/puppet.conf + --ca-name "$ca_name" - elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then + elif [ ! -f "$cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then # Legacy CA upgrade - puppetserver ca migrate \ - --config /etc/puppetlabs/puppet/puppet.conf + puppetserver ca migrate fi fi fi diff --git a/openvoxserver/container-entrypoint.d/99-log-config.sh b/openvoxserver/container-entrypoint.d/99-log-config.sh index 0b60df8..8c58677 100755 --- a/openvoxserver/container-entrypoint.d/99-log-config.sh +++ b/openvoxserver/container-entrypoint.d/99-log-config.sh @@ -8,18 +8,20 @@ echo "System configuration values:" echo "* HOSTNAME: '${HOSTNAME}'" echo "* hostname -f: '$(hostname -f)'" +ssl_dir=$(puppet config print ssldir) + if [ -n "${CERTNAME}" ]; then echo "* CERTNAME: '${CERTNAME}'" certname=${CERTNAME}.pem else echo "* CERTNAME: unset, try to use the oldest certificate in the certs directory, because this might be the one that was used initially." - if [ ! -d "${SSLDIR}/certs" ]; then + if [ ! -d "${ssl_dir}/certs" ]; then certname="Not-Found" - echo "WARNING: No certificates directory found in ${SSLDIR}!" + echo "WARNING: No certificates directory found in ${ssl_dir}!" else - certname=$(cd "${SSLDIR}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1) + certname=$(cd "${ssl_dir}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1) if [ -z "${certname}" ]; then - echo "WARNING: No certificates found in ${SSLDIR}/certs! Please set CERTNAME!" + echo "WARNING: No certificates found in ${ssl_dir}/certs! Please set CERTNAME!" fi fi fi 
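Review bot: In the rewritten `certname=$(cd "${ssl_dir}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)` the `! -name ca.pem` exclusion does not hold when no other `.pem` file exists: `find` then prints nothing and `xargs` (GNU, and busybox as far as I recall) still runs `ls -1tr` with no arguments, which lists the whole certs directory, so the oldest entry — possibly `ca.pem` or a subdirectory — ends up in `certname` and the `-z` warning below never fires. Passing `-r` so the command is skipped on empty input, `xargs -0 -r ls -1tr`, restores the intended empty result. The line was only touched for the variable rename, so this is pre-existing behaviour surfaced by the change rather than something the rename introduced.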
@@ -27,22 +29,22 @@ fi echo "* OPENVOXSERVER_PORT: '${OPENVOXSERVER_PORT:-8140}'" echo "* Certname: '${certname}'" echo "* DNS_ALT_NAMES: '${DNS_ALT_NAMES}'" -echo "* SSLDIR: '${SSLDIR}'" +echo "* SSLDIR: '${ssl_dir}'" altnames="-certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux" -if [ -f "${SSLDIR}/certs/ca.pem" ]; then +if [ -f "${ssl_dir}/certs/ca.pem" ]; then echo "CA Certificate:" # shellcheck disable=SC2086 # $altnames shouldn't be quoted - openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/ca.pem" $altnames + openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/ca.pem" $altnames fi if [ -n "${certname}" ]; then - if [ -f "${SSLDIR}/certs/${certname}" ]; then + if [ -f "${ssl_dir}/certs/${certname}" ]; then echo "Certificate ${certname}:" # shellcheck disable=SC2086 # $altnames shouldn't be quoted - openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/${certname}" $altnames + openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/${certname}" $altnames else - echo "WARNING: Certificate ${certname} not found in ${SSLDIR}/certs!" + echo "WARNING: Certificate ${certname} not found in ${ssl_dir}/certs!" fi fi From 23c76368360b95b3677c145e2eaf770bfcfa6700 Mon Sep 17 00:00:00 2001 From: dotconfig404 Date: Fri, 31 Oct 2025 07:55:11 +0100 Subject: [PATCH 2/7] refactor: remove unused environment variables --- openvoxserver/Containerfile.alpine | 2 -- 1 file changed, 2 deletions(-) diff --git a/openvoxserver/Containerfile.alpine b/openvoxserver/Containerfile.alpine index 8250f07..1420401 100644 --- a/openvoxserver/Containerfile.alpine +++ b/openvoxserver/Containerfile.alpine @@ -105,7 +105,6 @@ ENV AUTOSIGN=true \ CA_PORT=8140 \ CERTNAME="" \ CSR_ATTRIBUTES='{}' \ - DEBIAN_FRONTEND=noninteractive \ DNS_ALT_NAMES="" \ ENVIRONMENTPATH=/etc/puppetlabs/code/environments \ HIERACONFIG='$confdir/hiera.yaml' \ 
@@ -129,7 +128,6 @@ ENV AUTOSIGN=true \ OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \ OPENVOXSERVER_PORT=8140 \ PATH=$PATH:/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin \ - SSLDIR=/etc/puppetlabs/puppet/ssl \ USE_OPENVOXDB=true \ ### build variables apps_dir=/opt/puppetlabs/server/apps \ From 62a1cddec969af77935dad493829f9d3d2dddb5f Mon Sep 17 00:00:00 2001 From: dotconfig404 Date: Fri, 31 Oct 2025 07:59:40 +0100 Subject: [PATCH 3/7] fix: missing version in LABEL: move version vars to global scope --- openvoxserver/Containerfile.alpine | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/openvoxserver/Containerfile.alpine b/openvoxserver/Containerfile.alpine index 1420401..b28ce69 100644 --- a/openvoxserver/Containerfile.alpine +++ b/openvoxserver/Containerfile.alpine @@ -1,3 +1,7 @@ +ARG OPENVOXSERVER_VERSION=8.10.0 +ARG OPENVOXDB_VERSION=8.10.0 +ARG R10K_VERSION=5.0.0 + FROM alpine:3.22 AS base # Install JDK @@ -9,8 +13,8 @@ RUN apk update && apk upgrade \ FROM base AS build -ARG OPENVOXSERVER_VERSION=8.10.0 -ARG OPENVOXDB_VERSION=8.10.0 +ARG OPENVOXSERVER_VERSION +ARG OPENVOXDB_VERSION ADD https://artifacts.voxpupuli.org/openvox-server/${OPENVOXSERVER_VERSION}/openvox-server-${OPENVOXSERVER_VERSION}.tar.gz / ADD https://artifacts.voxpupuli.org/openvoxdb/${OPENVOXDB_VERSION}/openvoxdb-${OPENVOXDB_VERSION}.tar.gz / @@ -84,7 +88,8 @@ FROM base AS final ARG vcs_ref ARG build_date -ARG R10K_VERSION=5.0.0 +ARG R10K_VERSION +ARG OPENVOXSERVER_VERSION LABEL org.label-schema.maintainer="Voxpupuli Team " \ org.label-schema.vendor="OpenVoxProject" \ From 8520da774e40e3a5de5eb2d8a941656b8281742c Mon Sep 17 00:00:00 2001 From: dotconfig404 Date: Fri, 31 Oct 2025 08:00:36 +0100 Subject: [PATCH 4/7] fix: build_type undefined --- openvoxserver/Containerfile.alpine | 1 + 1 file changed, 1 insertion(+) diff --git a/openvoxserver/Containerfile.alpine b/openvoxserver/Containerfile.alpine index b28ce69..dbc3820 100644 
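Review bot: With the versions now supplied by global `ARG`s and re-declared without defaults in the build stage, the two `ADD https://artifacts.voxpupuli.org/...` lines that follow them fetch release tarballs selected by a build-time variable with no integrity check, so an overridden or mistyped `OPENVOXSERVER_VERSION`/`OPENVOXDB_VERSION` silently builds from whatever the server returns. Since the expected version is now pinned once at the top, pinning the expected digest next to it and using `ADD --checksum=sha256:<expected-digest-placeholder> <url> /` would tie the image to a known artifact. The `ADD` lines are context in this hunk, so this is a follow-up to the refactor rather than a defect it introduces.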
--- a/openvoxserver/Containerfile.alpine +++ b/openvoxserver/Containerfile.alpine @@ -88,6 +88,7 @@ FROM base AS final ARG vcs_ref ARG build_date +ARG build_type ARG R10K_VERSION ARG OPENVOXSERVER_VERSION From 13c499c50d2f801fa6aad828841f96c590c50740 Mon Sep 17 00:00:00 2001 From: dotconfig404 Date: Fri, 31 Oct 2025 08:22:24 +0100 Subject: [PATCH 5/7] feat: non-root support --- openvoxserver/Containerfile.alpine | 7 +++++++ .../container-entrypoint.d/10-init-nonroot-puppet.sh | 9 +++++++++ .../container-entrypoint.d/30-set-permissions.sh | 8 -------- 3 files changed, 16 insertions(+), 8 deletions(-) create mode 100644 openvoxserver/container-entrypoint.d/10-init-nonroot-puppet.sh delete mode 100755 openvoxserver/container-entrypoint.d/30-set-permissions.sh diff --git a/openvoxserver/Containerfile.alpine b/openvoxserver/Containerfile.alpine index dbc3820..6745dc2 100644 --- a/openvoxserver/Containerfile.alpine +++ b/openvoxserver/Containerfile.alpine @@ -196,6 +196,13 @@ RUN apk update \ # install puppet gem as library into jruby loadpath && puppetserver gem install --no-document openvox +RUN chown -R puppet:puppet /var/log/puppetlabs/puppetserver/ \ +&& chown -R puppet:puppet /etc/puppetlabs/puppet/ \ +&& chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/ \ +&& chown -R puppet:puppet /etc/puppetlabs/puppetserver/ + +USER puppet + # k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"] diff --git a/openvoxserver/container-entrypoint.d/10-init-nonroot-puppet.sh b/openvoxserver/container-entrypoint.d/10-init-nonroot-puppet.sh new file mode 100644 index 0000000..9103791 --- /dev/null +++ b/openvoxserver/container-entrypoint.d/10-init-nonroot-puppet.sh 
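Review bot: The build-time `chown -R puppet:puppet` only fixes ownership inside the image layer; the start-up `chown` that `30-set-permissions.sh` performed as root is deleted in this same commit, and once `USER puppet` is in effect the entrypoint can no longer correct ownership of anything mounted over `/etc/puppetlabs/puppet/`, `/etc/puppetlabs/puppetserver/` or the data and log directories, so a volume whose files were created by root makes the later scripts fail with permission errors. That new runtime requirement belongs next to `USER puppet`, e.g. `# Runs unprivileged: anything mounted over /etc/puppetlabs/{puppet,puppetserver}, /opt/puppetlabs/server/data/puppetserver and /var/log/puppetlabs/puppetserver must be writable by the puppet uid/gid (fsGroup / --user)`. A `chown -R` in its own `RUN` also copies every file it touches into a new layer; `COPY --chown` at the point the files are added, or folding the chown into the preceding `RUN`, avoids the duplication. Making the service account the owner of `/etc/puppetlabs/puppet/` (auth.conf, puppet.conf) means a compromised server process could rewrite its own policy, so if only specific files must be writable by the entrypoint, narrowing the chown to those would be stronger, though which files the entrypoint writes is only partly visible here. Where the `puppet` user and group are created is outside this hunk.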
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# init confdir for non-root user
+[ ! -d ~/.puppetlabs/etc/puppet ] && mkdir -p ~/.puppetlabs/etc/puppet
+# to make CLI tools work properly confdir and codedir need the same as the user dirs (defaults to root user dirs)
+hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-conf-dir $(puppet config print confdir)
+hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-code-dir $(puppet config print codedir)
diff --git a/openvoxserver/container-entrypoint.d/30-set-permissions.sh b/openvoxserver/container-entrypoint.d/30-set-permissions.sh
deleted file mode 100755
index 9fcf936..0000000
--- a/openvoxserver/container-entrypoint.d/30-set-permissions.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-set -e
-
-chown -R puppet:puppet /etc/puppetlabs/puppet/
-chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/
-chown -R puppet:puppet /etc/puppetlabs/puppetserver/
-chown -R puppet:puppet /var/log/puppetlabs/puppetserver/
From 7dd30a00be615f29a9da0ee3239b446723bdb7cf Mon Sep 17 00:00:00 2001
From: dotconfig404
Date: Tue, 4 Nov 2025 09:59:52 +0100
Subject: [PATCH 6/7] fix: proper init dir and config sync when nonroot
---
 openvoxserver/Containerfile.alpine | 2 ++
 .../10-sync-nonroot-config.sh | 25 +++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 openvoxserver/container-entrypoint.d/10-sync-nonroot-config.sh
diff --git a/openvoxserver/Containerfile.alpine b/openvoxserver/Containerfile.alpine
index 6745dc2..abd5c4c 100644
--- a/openvoxserver/Containerfile.alpine
+++ b/openvoxserver/Containerfile.alpine
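Review bot: The script is added with `new file mode 100644` while the sibling entrypoint scripts, including the `30-set-permissions.sh` removed in this same commit, are `100755`; if the entrypoint executes `container-entrypoint.d/*` rather than sourcing the files, a non-executable script is skipped or fails, so the mode should be `100755` (`chmod +x`). `10-sync-nonroot-config.sh` in PATCH 6/7 is added with the same mode. The `[ ! -d ... ] && mkdir -p ...` guard is redundant since `mkdir -p` already tolerates an existing directory, and the two `hocon` calls pass `$(puppet config print ...)` unquoted. How the entrypoint dispatches these scripts is not visible in this series.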
@@ -202,6 +202,8 @@ RUN chown -R puppet:puppet /var/log/puppetlabs/puppetserver/ \
 && chown -R puppet:puppet /etc/puppetlabs/puppetserver/
 
 USER puppet
+RUN install -d -m 0755 ~/.puppetlabs/etc/puppet \
+&& install -d -m 0755 ~/.puppetlabs/etc/puppetserver/ca
 
 # k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
 HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
diff --git a/openvoxserver/container-entrypoint.d/10-sync-nonroot-config.sh b/openvoxserver/container-entrypoint.d/10-sync-nonroot-config.sh
new file mode 100644
index 0000000..02c273a
--- /dev/null
+++ b/openvoxserver/container-entrypoint.d/10-sync-nonroot-config.sh
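Review bot: `install -d -m 0755 ~/.puppetlabs/etc/puppetserver/ca` creates the directory that, after this commit's `puppet config set cadir`, will hold the CA private key and the signed-certificate inventory, with world-readable and listable permissions. Whatever modes `puppetserver ca setup` applies to the files themselves (not visible here), the directory can be `0700` without affecting the `puppet` user, i.e. `&& install -d -m 0700 ~/.puppetlabs/etc/puppetserver/ca`. `~` in this `RUN` depends on `HOME` being set for the `puppet` user in the image; that user definition is outside the hunk.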
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+ # jruby-puppet's master-conf-dir/server-conf-dir and master-code-dir/server-code-dir
+ # need to be the same as confdir and codedir from puppet.conf in order to sync `puppetserver`
+ # and `puppet` defaults.
+ # See "Overriding Puppet settings in Puppet Server" in:
+ # https://help.puppet.com/core//8/Content/PuppetCore/server/puppet_conf_setting_diffs.htm
+ #
+ # "Any changes made to the master-conf-dir and master-code-dir settings absolutely MUST be made
+ # to the corresponding Puppet settings (confdir and codedir) as well to ensure that Puppet Server
+ # and the Puppet CLI tools (such as `puppetserver ca` and `puppet module`) use the same directories."
+ hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-conf-dir $(puppet config print confdir)
+ hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-code-dir $(puppet config print codedir)
+
+
+ # Despite setting the above, `puppet` and `puppetserver ca` still resolve to different CA directories when run as nonroot:
+ # - `puppetserver ca`: defaults to ~/.puppetlabs/etc/puppetserver/ca if run as nonroot and cadir is not set in puppet.conf
+ # - `puppet`: defaults to /etc/puppetlabs/puppetserver/ca by default
+ #
+ # To unify this, explicitly set cadir for nonroot users:
+ puppet config set cadir ~/.puppetlabs/etc/puppetserver/ca
+fi
\ No newline at end of file
From 901c2fdf7460ffeff5cbeec778b10b3137ec5627 Mon Sep 17 00:00:00 2001
From: dotconfig404
Date: Tue, 4 Nov 2025 10:00:38 +0100
Subject: [PATCH 7/7] fix: fixed CA path when importing CA files
---
 .../10-init-nonroot-puppet.sh | 9 --------
 openvoxserver/container-entrypoint.d/90-ca.sh | 23 ++++++++-----------
 2 files changed, 10 insertions(+), 22 deletions(-)
 delete mode 100644 openvoxserver/container-entrypoint.d/10-init-nonroot-puppet.sh
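Review bot: `puppet config set cadir ~/.puppetlabs/etc/puppetserver/ca` moves the CA, including its private key, into the `puppet` user's home on the container filesystem, whereas the paths this series chowns and presumably treats as persistent are `/etc/puppetlabs/puppetserver/` and `/opt/puppetlabs/server/data/puppetserver/`; unless the home directory is mounted as a volume, a recreated container gets a fresh CA and every previously issued agent certificate becomes invalid. Which paths are volumes is not visible in this series, so at minimum the comment above the line should state the consequence, e.g. `# NOTE: cadir now lives in the puppet user's home; persist ~/.puppetlabs (or point cadir at a mounted path) or the CA key is lost on container recreation`. The two `hocon` calls pass `$(puppet config print confdir)` and `$(puppet config print codedir)` unquoted, and under `set -e` a failed lookup there is not fatal because the substitution is an argument rather than an assignment. The file also lacks a trailing newline (`\ No newline at end of file`).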
diff --git a/openvoxserver/container-entrypoint.d/10-init-nonroot-puppet.sh b/openvoxserver/container-entrypoint.d/10-init-nonroot-puppet.sh deleted file mode 100644 index 9103791..0000000 --- a/openvoxserver/container-entrypoint.d/10-init-nonroot-puppet.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -set -e - -# init confdir for non-root user -[ ! -d ~/.puppetlabs/etc/puppet ] && mkdir -p ~/.puppetlabs/etc/puppet -# to make CLI tools work properly confdir and codedir need the same as the user dirs (defaults to root user dirs) -hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-conf-dir $(puppet config print confdir) -hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-code-dir $(puppet config print codedir) diff --git a/openvoxserver/container-entrypoint.d/90-ca.sh b/openvoxserver/container-entrypoint.d/90-ca.sh index fb711cc..939bb34 100755 --- a/openvoxserver/container-entrypoint.d/90-ca.sh +++ b/openvoxserver/container-entrypoint.d/90-ca.sh @@ -15,16 +15,10 @@ puppetlabs.services.ca.certificate-authority-disabled-service/certificate-author puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service EOF - ssl_dir=$(puppet config print ssldir) ssl_cert=$(puppet config print hostcert) ssl_key=$(puppet config print hostprivkey) ssl_ca_cert=$(puppet config print localcacert) ssl_crl_path=$(puppet config print hostcrl) - cadir=$(puppet config print cadir) - # `puppet config` cadir resolves to the system cadir, but `puppetserver ca` - # resolves it to ~/.puppetlabs/etc/puppetserver/ca as non-root - # explicitly setting it works around the issue... - puppet config set cadir $cadir cd /etc/puppetlabs/puppetserver/conf.d/ hocon -f webserver.conf set webserver.ssl-cert $ssl_cert 
@@ -64,7 +58,8 @@ else exit 99 fi - if [[ -f $cadir/ca_crt.pem ]]; then + ca_cert=$(puppet config print cacert) + if [[ -f "$ca_cert" ]]; then echo "CA already imported." else puppetserver ca import \ @@ -73,8 +68,10 @@ else --private-key $INTERMEDIATE_CA_KEY fi else - - if [ ! -f "$cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then + new_cadir=$(puppet config print cadir) + ssl_dir=$(puppet config print ssldir) + + if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then # There is no existing CA # Append user-supplied DNS Alt Names @@ -93,9 +90,9 @@ else puppetserver ca setup \ --ca-name "$ca_name" - elif [ ! -f "$cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then + elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then # Legacy CA upgrade - puppetserver ca migrate - fi + puppetserver ca migrate + fi fi -fi +fi \ No newline at end of file
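Review bot: The import branch now decides `CA already imported.` from `$(puppet config print cacert)` while the setup/migrate branch in the next hunk decides from `$(puppet config print cadir)/ca_crt.pem`; both default to the same file, but `cacert` is an independently configurable setting, so the two checks can disagree after a `puppet config set cacert`. Using `cadir` plus `ca_crt.pem` in both places, or `cacert` in both, keeps a single notion of "CA present". Both checks also test only the certificate, so a directory left with `ca_crt.pem` but no `ca_key.pem` (an interrupted import) is reported as already imported; `if [[ -f "$ca_cert" && -f "$(puppet config print cakey)" ]]; then` would close that gap. The surrounding `if`/`else` starts before this hunk.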
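Review bot: The re-indentation of `puppetserver ca migrate` and the closing `fi` leaves 90-ca.sh without a trailing newline (`\ No newline at end of file`), as `10-sync-nonroot-config.sh` from PATCH 6/7 already is; adding the newline keeps the final `fi` from showing up as a spurious change in the next diff of either file. The rest of this hunk is whitespace only.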