On 16/10/2015 11:11, Jonathan Gazeley wrote:
Here's a problem that might have an interesting solution.
I use Puppet to deploy (amongst other things) SSL certs for web
servers. One of my certs is expiring in January 2016 and I have
already been sent the replacement. They overlap by 7 days. I might
forget to make the change in January so I was wondering if there is a
way of configuring Puppet today to magically switch over the certs in
January. (i.e. continue to deploy the current cert until a specific date
and then deploy the new one instead)
I see the generate function can be used to execute system calls to
fetch the date but I'm not sure about date comparisons in Puppet. I
guess I would need to use epoch time to compare as integers.
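    # Seconds since the epoch; generate() takes the command and its
    # arguments as separate parameters.
    $date = generate("/bin/date", "+%s")
    if $date > 1451606400 {
      $cert = "newcert.crt"
    } else {
      $cert = "oldcert.crt"
    }
    file { 'cert.crt':
      source => $cert,
    }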
I also saw that Felix commented on a similar question on ServerFault:
"As an aside, I would personally refrain from implementing this kind
of thing. It comes with a high risk of falling onto your foot pretty
heavily. Don't build your friendly surprises into Puppet."
You can use the time() function from stdlib, to make this a little less
resource intensive:
https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/lib/puppet/parser/functions/time.rb
A different approach would be to use strftime (also from stdlib) to
interpolate the current year into the source URL of your cert and have
them called 'cert-2015.pem' and 'cert-2016.pem'
Felix' comment should be heeded, though. Especially the latter version
will "cause" an outage at the most inconvenient time of the year:
2016-01-01T00:10.
Cheers, David
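
The concern raised in this thread, that a date-based switch can land at a bad moment, can be checked ahead of time. The following is an added example, not code from either poster or from Puppet: it tests whether a cutover epoch sits safely inside the overlap of the two certificates, allowing for the agent run interval. The validity dates, the one-hour margin and the function names are constructed for illustration; 1451606400 is the epoch from the quoted manifest and 30 minutes is Puppet's default runinterval.

```python
import ssl

RUN_INTERVAL = 30 * 60   # Puppet agent default runinterval, in seconds
MARGIN = 60 * 60         # assumed allowance for clock skew and slow runs


def safe_window(old_not_after, new_not_before,
                run_interval=RUN_INTERVAL, margin=MARGIN):
    """Return (earliest, latest) safe cutover epochs, or None if there is none.

    Dates use the openssl text form, e.g. "Jan 05 00:00:00 2016 GMT".
    """
    old_end = ssl.cert_time_to_seconds(old_not_after)
    new_start = ssl.cert_time_to_seconds(new_not_before)
    # The new cert must already be valid when the first node receives it.
    earliest = new_start + margin
    # time()/generate() run on the master at compile time, so a node only
    # switches at its first agent run after the cutover, up to one run
    # interval later. The old cert must still be valid until then.
    latest = old_end - run_interval - margin
    return (earliest, latest) if earliest <= latest else None


def check_cutover(cutover, old_not_after, new_not_before, **kw):
    """Return a list of problems with the chosen cutover epoch (empty = OK)."""
    window = safe_window(old_not_after, new_not_before, **kw)
    if window is None:
        return ["certificates do not overlap long enough for any cutover"]
    earliest, latest = window
    problems = []
    if cutover < earliest:
        problems.append("new certificate may not be valid yet at cutover")
    if cutover > latest:
        problems.append("old certificate may expire before all nodes switch")
    return problems


# Constructed validity dates giving the 7-day overlap described in the thread.
OLD_NOT_AFTER = "Jan 05 00:00:00 2016 GMT"
NEW_NOT_BEFORE = "Dec 29 00:00:00 2015 GMT"

if __name__ == "__main__":
    print(safe_window(OLD_NOT_AFTER, NEW_NOT_BEFORE))
    print(check_cutover(1451606400, OLD_NOT_AFTER, NEW_NOT_BEFORE) or "OK")
```

Feed it the real notBefore/notAfter strings as printed by `openssl x509 -noout -dates` for each certificate.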