diff --git a/README.md b/README.md
index 5aa434e..0446b79 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,21 @@ openssl::export::pem_key { 'foo':
}
```
+### Dynamic refresh of exported files
+
+If you want Puppet to refresh the PKCS#12, PEM/x509 or PEM key file in case the input files changed, set the dynamic mode on and list desired resources for subscription:
+
+```puppet
+openssl::export::pkcs12 { 'bar':
+ ensure => 'present',
+ basedir => '/path/to/dir',
+ pkey => '/here/is/my/private.key',
+ cert => '/there/is/the/cert.crt',
+ dynamic => true,
+ resources => File['/here/is/my/private.key','/there/is/the/cert.crt'],
+}
+```
+
### Create Diffie-Hellman parameters
The [openssl::dhparam](REFERENCE.md#openssldhparam) defined type and its back-end resource type [dhparam](REFERENCE.md#dhparam) allow to generate Diffie-Hellman parameters.
diff --git a/REFERENCE.md b/REFERENCE.md
index 15bcf45..0632859 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -913,12 +913,22 @@ Export certificate(s) to PEM/x509 format
The following parameters are available in the `openssl::export::pem_cert` defined type:
+* [`dynamic`](#-openssl--export--pem_cert--dynamic)
* [`ensure`](#-openssl--export--pem_cert--ensure)
+* [`resources`](#-openssl--export--pem_cert--resources)
* [`pfx_cert`](#-openssl--export--pem_cert--pfx_cert)
* [`der_cert`](#-openssl--export--pem_cert--der_cert)
* [`pem_cert`](#-openssl--export--pem_cert--pem_cert)
* [`in_pass`](#-openssl--export--pem_cert--in_pass)
+##### `dynamic`
+
+Data type: `Boolean`
+
+dynamically renew certificate file
+
+Default value: `false`
+
##### `ensure`
Data type: `Enum['present', 'absent']`
@@ -927,6 +937,14 @@ Whether the certificate file should exist
Default value: `present`
+##### `resources`
+
+Data type: `Variant[Type, Array[Type]]`
+
+List of resources to subscribe to for certificate file renewal
+
+Default value: `[]`
+
##### `pfx_cert`
Data type: `Optional[Stdlib::Absolutepath]`
@@ -969,7 +987,9 @@ The following parameters are available in the `openssl::export::pem_key` defined
* [`pfx_cert`](#-openssl--export--pem_key--pfx_cert)
* [`pem_key`](#-openssl--export--pem_key--pem_key)
+* [`dynamic`](#-openssl--export--pem_key--dynamic)
* [`ensure`](#-openssl--export--pem_key--ensure)
+* [`resources`](#-openssl--export--pem_key--resources)
* [`in_pass`](#-openssl--export--pem_key--in_pass)
* [`out_pass`](#-openssl--export--pem_key--out_pass)
@@ -987,14 +1007,30 @@ PEM certificate
Default value: `$title`
+##### `dynamic`
+
+Data type: `Boolean`
+
+dynamically renew key file
+
+Default value: `false`
+
##### `ensure`
Data type: `Enum['present', 'absent']`
-Whether the key file should exist
+Whether the keyfile should exist
Default value: `present`
+##### `resources`
+
+Data type: `Variant[Type, Array[Type]]`
+
+List of resources to subscribe to for key renewal
+
+Default value: `[]`
+
##### `in_pass`
Data type: `Optional[String]`
@@ -1022,7 +1058,9 @@ The following parameters are available in the `openssl::export::pkcs12` defined
* [`basedir`](#-openssl--export--pkcs12--basedir)
* [`pkey`](#-openssl--export--pkcs12--pkey)
* [`cert`](#-openssl--export--pkcs12--cert)
+* [`dynamic`](#-openssl--export--pkcs12--dynamic)
* [`ensure`](#-openssl--export--pkcs12--ensure)
+* [`resources`](#-openssl--export--pkcs12--resources)
* [`in_pass`](#-openssl--export--pkcs12--in_pass)
* [`out_pass`](#-openssl--export--pkcs12--out_pass)
* [`chaincert`](#-openssl--export--pkcs12--chaincert)
@@ -1045,6 +1083,14 @@ Data type: `Stdlib::Absolutepath`
Certificate
+##### `dynamic`
+
+Data type: `Boolean`
+
+dynamically renew PKCS12 file
+
+Default value: `false`
+
##### `ensure`
Data type: `Enum['present', 'absent']`
@@ -1053,6 +1099,14 @@ Whether the PKCS12 file should exist
Default value: `present`
+##### `resources`
+
+Data type: `Variant[Type, Array[Type]]`
+
+List of resources to subscribe to for PKCS12 renewal
+
+Default value: `[]`
+
##### `in_pass`
Data type: `Optional[String]`
diff --git a/manifests/export/pem_cert.pp b/manifests/export/pem_cert.pp
index 2bcd79f..8b41011 100644
--- a/manifests/export/pem_cert.pp
+++ b/manifests/export/pem_cert.pp
@@ -1,7 +1,11 @@
# @summary Export certificate(s) to PEM/x509 format
#
+# @param dynamic
+# dynamically renew certificate file
# @param ensure
# Whether the certificate file should exist
+# @param resources
+# List of resources to subscribe to for certificate file renewal
# @param pfx_cert
# PFX certificate/key container
# @param der_cert
@@ -12,11 +16,13 @@
# PFX password
#
define openssl::export::pem_cert (
- Enum['present', 'absent'] $ensure = present,
- Stdlib::Absolutepath $pem_cert = $title,
- Optional[Stdlib::Absolutepath] $pfx_cert = undef,
- Optional[Stdlib::Absolutepath] $der_cert = undef,
- Optional[String] $in_pass = undef,
+ Boolean $dynamic = false,
+ Enum['present', 'absent'] $ensure = present,
+ Variant[Type, Array[Type]] $resources = [],
+ Stdlib::Absolutepath $pem_cert = $title,
+ Optional[Stdlib::Absolutepath] $pfx_cert = undef,
+ Optional[Stdlib::Absolutepath] $der_cert = undef,
+ Optional[String] $in_pass = undef,
) {
#local variables
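Review bot: `Variant[Type, Array[Type]]` on the new `$resources` parameter accepts any Puppet type, including data types such as `String` or `Integer`, which only fails later and less clearly when `subscribe` rejects the value; constraining it to resource references reports the misuse at the call site: `Variant[Type[Resource], Array[Type[Resource]]] $resources = [],`. The same signature is added to `pem_key` and `pkcs12` in this commit, so all three should be tightened together. The defined type's body continues past the end of this hunk.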
@@ -54,10 +60,19 @@
$passin_opt,
]
+ if $dynamic {
+ $exec_params = {
+ refreshonly => true,
+ subscribe => $resources,
+ }
+ } else {
+ $exec_params = { creates => $pem_cert, }
+ }
+
exec { "Export ${in_cert} to ${pem_cert}":
command => inline_template('<%= @cmd.join(" ") %>'),
path => $facts['path'],
- creates => $pem_cert,
+ * => $exec_params,
}
} else {
file { $pem_cert:
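Review bot: With `dynamic => true` the exec becomes `refreshonly => true` and drops `creates`, so on a node where `$pem_cert` does not exist yet (first run, or after an out-of-band deletion) nothing is exported until one of the subscribed resources happens to change, and Puppet reports no change while the consumer of the certificate has no file. Keeping the `creates`-guarded exec in both modes and adding a second, refresh-only exec in dynamic mode covers both bootstrap and renewal; note that putting `creates` on the refresh-only exec does not achieve this, since `creates` also suppresses the refresh. The `if $ensure == 'present'` branch this sits in opens before the hunk.

```puppet
    # … unchanged: $cmd assembly …

    # Always export when the target is missing (bootstrap / out-of-band deletion).
    exec { "Export ${in_cert} to ${pem_cert}":
      command => inline_template('<%= @cmd.join(" ") %>'),
      path    => $facts['path'],
      creates => $pem_cert,
    }

    # Dynamic mode: additionally re-export whenever a subscribed input changes.
    if $dynamic {
      exec { "Refresh ${in_cert} to ${pem_cert}":
        command     => inline_template('<%= @cmd.join(" ") %>'),
        path        => $facts['path'],
        refreshonly => true,
        subscribe   => $resources,
      }
    }
```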
diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
index 8820042..eddc0fd 100644
--- a/manifests/export/pem_key.pp
+++ b/manifests/export/pem_key.pp
@@ -4,19 +4,25 @@
# PFX certificate/key container
# @param pem_key
# PEM certificate
+# @param dynamic
+# dynamically renew key file
# @param ensure
-# Whether the key file should exist
+# Whether the keyfile should exist
+# @param resources
+# List of resources to subscribe to for key renewal
# @param in_pass
# PFX container password
# @param out_pass
# PEM key password
#
define openssl::export::pem_key (
- Stdlib::Absolutepath $pfx_cert,
- Stdlib::Absolutepath $pem_key = $title,
- Enum['present', 'absent'] $ensure = present,
- Optional[String] $in_pass = undef,
- Optional[String] $out_pass = undef,
+ Stdlib::Absolutepath $pfx_cert,
+ Stdlib::Absolutepath $pem_key = $title,
+ Boolean $dynamic = false,
+ Enum['present', 'absent'] $ensure = present,
+ Variant[Type, Array[Type]] $resources = [],
+ Optional[String] $in_pass = undef,
+ Optional[String] $out_pass = undef,
) {
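Review bot: The `ensure` description is changed from "Whether the key file should exist" to "Whether the keyfile should exist", which introduces a wording inconsistency with `pem_cert` ("certificate file") and `pkcs12` ("PKCS12 file") for no visible reason; keep `#   Whether the key file should exist`. The new `@param dynamic` text "dynamically renew key file" does not say what triggers the renewal or that the export command is re-run over the existing file; suggest `#   When true, re-run the export whenever a resource listed in resources changes (the key file is only written on such a change, not on every run)` and for `resources`: `#   Resource references to subscribe to; only used when dynamic is true`. The defined type's body continues past this hunk.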
if $ensure == 'present' {
$passin_opt = $in_pass ? {
@@ -38,10 +44,19 @@
$passout_opt,
]
+ if $dynamic {
+ $exec_params = {
+ refreshonly => true,
+ subscribe => $resources,
+ }
+ } else {
+ $exec_params = { creates => $pem_key, }
+ }
+
exec { "Export ${pfx_cert} to ${pem_key}":
command => inline_template('<%= @cmd.join(" ") %>'),
path => $facts['path'],
- creates => $pem_key,
+ * => $exec_params,
}
} else {
file { $pem_key:
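Review bot: When `$dynamic` is true but `$resources` is left at its default `[]`, the exec is `refreshonly` with nothing able to refresh it, so the key is never exported and no error is raised; a guard at the top of the `if $ensure == 'present'` branch (which opens before this hunk) makes the misconfiguration loud: `if $dynamic and empty($resources) { fail("openssl::export::pem_key[${title}]: dynamic => true requires resources to subscribe to") }`. The same check belongs in `pem_cert` and `pkcs12`. Separately, because the exec now re-runs on every refresh, whatever `$passin_opt`/`$passout_opt` place into `$cmd` is passed on the command line on each renewal rather than once; if those options carry the password inline this is visible in the process list, which is pre-existing but worth a sentence in the `dynamic` documentation.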
diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
index 01a6279..e79bf14 100644
--- a/manifests/export/pkcs12.pp
+++ b/manifests/export/pkcs12.pp
@@ -6,8 +6,12 @@
# Private key
# @param cert
# Certificate
+# @param dynamic
+# dynamically renew PKCS12 file
# @param ensure
# Whether the PKCS12 file should exist
+# @param resources
+# List of resources to subscribe to for PKCS12 renewal
# @param in_pass
# Private key password
# @param out_pass
@@ -16,13 +20,15 @@
# Chain certificate to include in pkcs12
#
define openssl::export::pkcs12 (
- Stdlib::Absolutepath $basedir,
- Stdlib::Absolutepath $pkey,
- Stdlib::Absolutepath $cert,
- Enum['present', 'absent'] $ensure = present,
- Optional[String] $chaincert = undef,
- Optional[String] $in_pass = undef,
- Optional[String] $out_pass = undef,
+ Stdlib::Absolutepath $basedir,
+ Stdlib::Absolutepath $pkey,
+ Stdlib::Absolutepath $cert,
+ Boolean $dynamic = false,
+ Enum['present', 'absent'] $ensure = present,
+ Variant[Type, Array[Type]] $resources = [],
+ Optional[String] $chaincert = undef,
+ Optional[String] $in_pass = undef,
+ Optional[String] $out_pass = undef,
) {
if $ensure == 'present' {
$pass_opt = $in_pass ? {
@@ -52,10 +58,21 @@
$passout_opt,
]
- exec { "Export ${name} to ${basedir}/${name}.p12":
+ $full_path = "${basedir}/${name}.p12"
+
+ if $dynamic {
+ $exec_params = {
+ refreshonly => true,
+ subscribe => $resources,
+ }
+ } else {
+ $exec_params = { creates => $full_path, }
+ }
+
+ exec { "Export ${name} to ${full_path}":
command => inline_template('<%= @cmd.join(" ") %>'),
path => $facts['path'],
- creates => "${basedir}/${name}.p12",
+ * => $exec_params,
}
} else {
file { "${basedir}/${name}.p12":
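Review bot: `$full_path` is introduced inside the `if $ensure == 'present'` branch (which opens before this hunk) while the `else` branch on the last line of the hunk still spells out `"${basedir}/${name}.p12"`; hoisting `$full_path = "${basedir}/${name}.p12"` above the `if $ensure == 'present'` test lets the exec title, the `creates` guard and the `file` resource share one definition so they cannot drift. Also, in dynamic mode the `refreshonly` exec only fires on a subscribed change, so a missing `.p12` is not (re)created by a plain Puppet run — the same caveat as for the other export types; a `creates`-guarded exec alongside the refresh-only one, or at least a README sentence stating it, would address that.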
diff --git a/spec/defines/openssl_export_pem_cert_spec.rb b/spec/defines/openssl_export_pem_cert_spec.rb
index ef1e8d2..a478741 100644
--- a/spec/defines/openssl_export_pem_cert_spec.rb
+++ b/spec/defines/openssl_export_pem_cert_spec.rb
@@ -49,6 +49,24 @@
}
end
+ context 'when using defaults pkcs12 to PEM with dynamic refresh' do
+ let(:params) do
+ {
+ ensure: :present,
+ pfx_cert: '/etc/ssl/certs/foo.pfx',
+ dynamic: true,
+ }
+ end
+
+ it {
+ is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
+ command: 'openssl pkcs12 -in /etc/ssl/certs/foo.pfx -out /etc/ssl/certs/foo.pem ',
+ path: '/usr/bin:/bin:/usr/sbin:/sbin',
+ refreshonly: true
+ )
+ }
+ end
+
context 'when converting pkcs12 to PEM with password for just the certificate' do
let(:params) do
{
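Review bot: The new dynamic-refresh example asserts `refreshonly: true` but neither that `creates` was dropped nor what `subscribe` received, so a regression that kept `creates => $pem_cert` in dynamic mode (which would silently block every refresh) would still pass; chain `.without_creates` after the `with(...)` call and add a case that passes `resources: 'File[/etc/ssl/certs/foo.pfx]'` and expects `subscribe: 'File[/etc/ssl/certs/foo.pfx]'`. Whether `pem_key` and `pkcs12` get equivalent dynamic-mode examples is not visible from this diff.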