Merge pull request #145 from voxpupuli/allow_setting_ca_ttl

Manage ca_ttl setting
voxpupuli · Jan 9, 2025 · b342caf · b342caf
2 parents b1ccaea + f8c698e
commit b342caf
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -97,6 +97,7 @@ The following environment variables are supported:
 | __PUPPETSERVER_PORT__                      | The port of the puppetserver<br><br>`8140`                                                                                                                    |
 | __AUTOSIGN__                               | Whether or not to enable autosigning on the puppetserver instance. Valid values are `true`, `false`, and `/path/to/autosign.conf`.<br><br>Defaults to `true`. |
 | __CA_ENABLED__                             | Whether or not this puppetserver instance has a running CA (Certificate Authority)<br><br>`true`                                                              |
+| __CA_TTL__                                 | CA expire date (in seconds or with suffix `s`, `m`, `h`, `d`, `y`)<br><br>`157680000`                                                                         |
 | __CA_HOSTNAME__                            | The DNS hostname for the puppetserver running the CA. Does nothing unless `CA_ENABLED=false`<br><br>`puppet`                                                  |
 | __CA_PORT__                                | The listening port of the CA. Does nothing unless `CA_ENABLED=false`<br><br>`8140`                                                                            |
 | __CA_ALLOW_SUBJECT_ALT_NAMES__             | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.<br><br>`false`        |

diff --git a/puppetserver/Dockerfile b/puppetserver/Dockerfile
@@ -49,6 +49,7 @@ ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
     CA_HOSTNAME=puppet \
     CA_PORT=8140 \
     CA_ALLOW_SUBJECT_ALT_NAMES=false \
+    CA_TTL=157680000 \
     INTERMEDIATE_CA=false \
     INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \
     INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \

diff --git a/puppetserver/docker-entrypoint.d/90-ca.sh b/puppetserver/docker-entrypoint.d/90-ca.sh
@@ -32,6 +32,8 @@ EOF
   hocon -f webserver.conf set webserver.ssl-crl-path $ssl_crl_path
   cd /
 
+  puppet config set --section server ca_ttl "${CA_TTL}"
+
   # bootstrap certs for the puppetserver
   if [[ ! -f "$ssl_cert" ]]; then
     while ! ca_running; do