Merge pull request #78 from nwops/cert_check

reidmv · web-flow · commit ebcec2dbc1f3 · 2020-03-30T11:43:07.000-10:00
Make cert tasks more idempotent
diff --git a/tasks/sign_csr.rb b/tasks/sign_csr.rb
@@ -2,12 +2,20 @@
 #
 require 'json'
 require 'open3'
+require 'puppet'
+
+def csr_signed?(certname)
+  !File.exist?(File.join(Puppet.settings[:csrdir], "#{certname}.pem")) &&
+    File.exist?(File.join(Puppet.settings[:cadir], 'signed', "#{certname}.pem"))
+end
 
 def main
+  Puppet.initialize_settings
   params = JSON.parse(STDIN.read)
+  unsigned = params['certnames'].reject { |name| csr_signed?(name) }
 
   cmd = ['/opt/puppetlabs/bin/puppetserver', 'ca', 'sign',
-         '--certname', params['certnames'].join(',')]
+         '--certname', unsigned.join(',')]
 
   stdout, status = Open3.capture2(*cmd)
   puts stdout
diff --git a/tasks/submit_csr.rb b/tasks/submit_csr.rb
@@ -3,6 +3,12 @@
 require 'json'
 require 'open3'
 
+def already_signed?
+  cmd = ['/opt/puppetlabs/bin/puppet', 'ssl', 'verify']
+  _, status = Open3.capture2(*cmd)
+  status.success?
+end
+
 def main
   majver = `/opt/puppetlabs/bin/puppet --version`
            .chomp
@@ -22,6 +28,7 @@ def main
            '--dns-alt-names', conf['dns_alt_names'],
            conf['certname']]
   else
+    exit 0 if already_signed?
     cmd = ['/opt/puppetlabs/bin/puppet', 'ssl', 'submit_request']
   end
 
