add option for removing cron provided by distro pkgs
gmenuel committed Nov 23, 2022
1 parent c999430 commit 1afbd1d
Showing 7 changed files with 112 additions and 8 deletions.
38 changes: 38 additions & 0 deletions REFERENCE.md
@@ -81,6 +81,7 @@ The following parameters are available in the `letsencrypt` class:
* [`renew_post_hook_commands`](#renew_post_hook_commands)
* [`renew_deploy_hook_commands`](#renew_deploy_hook_commands)
* [`renew_additional_args`](#renew_additional_args)
* [`renew_disable_distro_cron`](#renew_disable_distro_cron)
* [`renew_cron_ensure`](#renew_cron_ensure)
* [`renew_cron_hour`](#renew_cron_hour)
* [`renew_cron_minute`](#renew_cron_minute)
@@ -258,6 +259,14 @@ Array of additional command line arguments to pass to 'certbot renew'.

Default value: `[]`

##### <a name="renew_disable_distro_cron"></a>`renew_disable_distro_cron`

Data type: `Any`

Boolean, set to true to disable the cron created by the distro package

Default value: ``true``

##### <a name="renew_cron_ensure"></a>`renew_cron_ensure`

Data type: `Any`
@@ -561,6 +570,8 @@ Note: Hooks set here will run before/after/for ALL certificates, including
any not managed by Puppet. If you want to create hooks for specific
certificates only, create them using letsencrypt::certonly.

will be deleted (unless systemd is used)

#### Parameters

The following parameters are available in the `letsencrypt::renew` class:
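Review bot: the line `will be deleted (unless systemd is used)` that now sits at the end of the class description is the second line of the `distro_renew_cron_file` `@param` docstring that puppet-strings did not attach to the parameter. REFERENCE.md is generated, so the fix belongs in manifests/renew.pp: indent the continuation line so it is parsed as part of the `@param` text (as the `cron_hour` description does), then regenerate this file.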
@@ -569,6 +580,9 @@ The following parameters are available in the `letsencrypt::renew` class:
* [`post_hook_commands`](#post_hook_commands)
* [`deploy_hook_commands`](#deploy_hook_commands)
* [`additional_args`](#additional_args)
* [`disable_distro_cron`](#disable_distro_cron)
* [`distro_renew_cron_file`](#distro_renew_cron_file)
* [`distro_renew_timer`](#distro_renew_timer)
* [`cron_ensure`](#cron_ensure)
* [`cron_hour`](#cron_hour)
* [`cron_minute`](#cron_minute)
@@ -611,6 +625,30 @@ Array of additional command line arguments to pass to 'certbot renew'.

Default value: `$letsencrypt::renew_additional_args`

##### <a name="disable_distro_cron"></a>`disable_distro_cron`

Data type: `Boolean`

Boolean, set to true to disable the cron created by the distro package

Default value: `$letsencrypt::renew_disable_distro_cron`

##### <a name="distro_renew_cron_file"></a>`distro_renew_cron_file`

Data type: `Optional[Stdlib::Unixpath]`

Optional Unixpath, if set and if disable_distro_cron is true this file

Default value: ``undef``

##### <a name="distro_renew_timer"></a>`distro_renew_timer`

Data type: `Optional[String]`

Optional String, name of the systemd timer to disable if disable_distro_cron is true

Default value: ``undef``

##### <a name="cron_ensure"></a>`cron_ensure`

Data type: `Enum['present', 'absent']`
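Review bot: the description of `distro_renew_cron_file` ends mid-sentence (`... if disable_distro_cron is true this file`), the same generated-doc symptom as the stray line in the class description above. Once the docstring in renew.pp is fixed and the reference regenerated, also check the wording against the implementation, which overwrites the file with a placeholder comment (`ensure => file`) rather than deleting it.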
2 changes: 2 additions & 0 deletions data/Debian-family.yaml
@@ -2,3 +2,5 @@
letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136'
letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53'
letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare'
letsencrypt::renew::distro_renew_cron_file: /etc/cron.d/certbot
letsencrypt::renew::distro_renew_timer: certbot.timer
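Review bot: the two new values are unquoted while every other value in this file is single-quoted; writing `'/etc/cron.d/certbot'` and `'certbot.timer'` keeps the file consistent. Debian is also the only family that sets both keys, so it is the one where the `service_provider` branching in renew.pp decides which of the two is acted on; a one-line comment here saying the cron file is only handled on non-systemd hosts would save the reader a trip to the manifest.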
1 change: 1 addition & 0 deletions data/FreeBSD-family.yaml
@@ -5,3 +5,4 @@ letsencrypt::cron_owner_group: 'wheel'
letsencrypt::plugin::dns_rfc2136::package_name: 'py39-certbot-dns-rfc2136'
letsencrypt::plugin::dns_route53::package_name: 'py39-certbot-dns-route53'
letsencrypt::plugin::dns_cloudflare::package_name: 'py39-certbot-dns-cloudflare'
letsencrypt::renew::distro_renew_cron_file: /etc/periodic/weekly/500.certbot-3.9
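Review bot: `/etc/periodic/weekly/500.certbot-3.9` hard-codes the Python version that also appears in the `py39-` package names above, so a future bump of the FreeBSD certbot packages has to be made in two places; a comment pointing this out, or deriving the path from a shared version value, would make that less error-prone. FreeBSD gets no `distro_renew_timer`, so only the non-systemd branch of renew.pp applies, which is the right branch for this family.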
1 change: 1 addition & 0 deletions data/RedHat-family.yaml
@@ -3,3 +3,4 @@ letsencrypt::configure_epel: true
letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136'
letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53'
letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare'
letsencrypt::renew::distro_renew_timer: certbot-renew.timer
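Review bot: only the timer is set for RedHat, so on a RedHat host whose `service_provider` fact is not `systemd` the `elsif` branch in renew.pp has no `distro_renew_cron_file` to act on and the distro-provided renewal is left in place. If the package ships no cron file on this family that is fine, but a comment in the data file saying so would save the next reader a check.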
2 changes: 2 additions & 0 deletions manifests/init.pp
@@ -39,6 +39,7 @@
# - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains.
# Example: "example.com www.example.com"
# @param renew_additional_args Array of additional command line arguments to pass to 'certbot renew'.
# @param renew_disable_distro_cron Boolean, set to true to disable the cron created by the distro package
# @param renew_cron_ensure Intended state of the cron resource running certbot renew.
# @param renew_cron_hour
# Optional string, integer or array of hour(s) the renewal command should run.
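Review bot: the `@param renew_disable_distro_cron` text only mentions the cron entry, but the implementation in renew.pp also stops and disables a systemd timer on systemd hosts; saying "cron job or systemd timer" here (and in the matching renew.pp docstring) would describe what the option actually does.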
@@ -74,6 +75,7 @@
$renew_post_hook_commands = [],
$renew_deploy_hook_commands = [],
$renew_additional_args = [],
$renew_disable_distro_cron = true,
$renew_cron_ensure = 'absent',
$renew_cron_hour = fqdn_rand(24),
$renew_cron_minute = fqdn_rand(60),
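Review bot: defaulting `$renew_disable_distro_cron` to `true` while `$renew_cron_ensure` stays `'absent'` (next line) means an existing user who upgrades the module without setting either parameter ends up with the distro renewal job disabled and no Puppet-managed one, so certificates silently stop renewing until they expire; either default this to `false`, or make the default depend on `renew_cron_ensure == 'present'`, and call the behaviour change out in the changelog. Separately, the parameter is untyped (consistent with its neighbours) but its value becomes the default of `Boolean $disable_distro_cron` in `letsencrypt::renew`, so a bad value such as the string `'false'` from Hiera only fails when that class is evaluated and the error points at the wrong parameter; `Boolean $renew_disable_distro_cron = true` reports it at the source.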
36 changes: 28 additions & 8 deletions manifests/renew.pp
@@ -16,6 +16,10 @@
# - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains.
# Example: "example.com www.example.com"
# @param additional_args Array of additional command line arguments to pass to 'certbot renew'.
# @param disable_distro_cron Boolean, set to true to disable the cron created by the distro package
# @param distro_renew_cron_file Optional Unixpath, if set and if disable_distro_cron is true this file
# will be deleted (unless systemd is used)
# @param distro_renew_timer Optional String, name of the systemd timer to disable if disable_distro_cron is true
# @param cron_ensure Intended state of the cron resource running certbot renew
# @param cron_hour
# Optional string, integer or array of hour(s) the renewal command should run.
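Review bot: the continuation line of `@param distro_renew_cron_file` (`# will be deleted (unless systemd is used)`) is not indented, so puppet-strings treats it as free text and it lands in the class description in REFERENCE.md instead of under the parameter; compare `@param cron_hour` just below, whose multi-line description is indented. Indent it and regenerate REFERENCE.md. "deleted" also does not match the implementation further down, which overwrites the file with a comment; either say "replaced with a placeholder comment" or change the resource to `ensure => absent`.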
@@ -28,14 +32,17 @@
# run. E.g. '2-30/2' to run on even days. Default: Every day.
#
class letsencrypt::renew (
Variant[String[1], Array[String[1]]] $pre_hook_commands = $letsencrypt::renew_pre_hook_commands,
Variant[String[1], Array[String[1]]] $post_hook_commands = $letsencrypt::renew_post_hook_commands,
Variant[String[1], Array[String[1]]] $deploy_hook_commands = $letsencrypt::renew_deploy_hook_commands,
Array[String[1]] $additional_args = $letsencrypt::renew_additional_args,
Enum['present', 'absent'] $cron_ensure = $letsencrypt::renew_cron_ensure,
Letsencrypt::Cron::Hour $cron_hour = $letsencrypt::renew_cron_hour,
Letsencrypt::Cron::Minute $cron_minute = $letsencrypt::renew_cron_minute,
Letsencrypt::Cron::Monthday $cron_monthday = $letsencrypt::renew_cron_monthday,
Variant[String[1], Array[String[1]]] $pre_hook_commands = $letsencrypt::renew_pre_hook_commands,
Variant[String[1], Array[String[1]]] $post_hook_commands = $letsencrypt::renew_post_hook_commands,
Variant[String[1], Array[String[1]]] $deploy_hook_commands = $letsencrypt::renew_deploy_hook_commands,
Array[String[1]] $additional_args = $letsencrypt::renew_additional_args,
Boolean $disable_distro_cron = $letsencrypt::renew_disable_distro_cron,
Optional[Stdlib::Unixpath] $distro_renew_cron_file = undef,
Optional[String] $distro_renew_timer = undef,
Enum['present', 'absent'] $cron_ensure = $letsencrypt::renew_cron_ensure,
Letsencrypt::Cron::Hour $cron_hour = $letsencrypt::renew_cron_hour,
Letsencrypt::Cron::Minute $cron_minute = $letsencrypt::renew_cron_minute,
Letsencrypt::Cron::Monthday $cron_monthday = $letsencrypt::renew_cron_monthday,
) {
# Directory used for Puppet-managed renewal hooks. Make sure old unmanaged
# hooks in this directory are purged. Leave custom hooks in the default
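Review bot: `Optional[String] $distro_renew_timer` admits the empty string, which is truthy in Puppet, so `distro_renew_timer: ''` in Hiera would pass the `if ... and $distro_renew_timer` guard below and declare `service { '': }`; `Optional[String[1]]` rejects that, and `Optional[Stdlib::Unixpath]` already gives the cron file parameter the equivalent protection. Unlike the other parameters, the two `distro_*` ones have no `letsencrypt::renew_*` counterpart in init.pp and are expected to come from the OS-family Hiera data; a sentence in the docstring saying so would make that clear. The reindentation of the eight existing parameters is alignment only and could be a separate commit to keep this one reviewable.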
@@ -84,4 +91,17 @@
minute => $cron_minute,
monthday => $cron_monthday,
}

if $disable_distro_cron and $distro_renew_timer and $facts['service_provider'] == 'systemd' {
service { $distro_renew_timer:
ensure => stopped,
enable => false,
}
}
elsif $disable_distro_cron and $distro_renew_cron_file and $facts['service_provider'] != 'systemd' {
file { $distro_renew_cron_file:
ensure => file,
content => '# certbot renew managed by puppet',
}
}
}
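Review bot: `file { $distro_renew_cron_file: ensure => file, content => '# certbot renew managed by puppet' }` does not delete the file as the docstring says; it replaces the package's cron file with a one-line comment (and the content has no trailing newline). If overwriting is intended, so that the package manager still sees a file it owns, update the docs; otherwise use `ensure => absent`. The two branches are also mutually exclusive on `service_provider`, so a Debian host running systemd keeps its unmodified `/etc/cron.d/certbot`; that is only safe if that cron file is a no-op under systemd, which nothing here checks. Finally, the `false` case manages nothing, so flipping `disable_distro_cron` back to `false` does not re-enable the timer or restore the cron file; either manage `ensure => running, enable => true` in that case or document the option as one-way.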
40 changes: 40 additions & 0 deletions spec/classes/letsencrypt_spec.rb
@@ -211,6 +211,46 @@
end
end

describe 'renew_cron_ensure and disable_distro_cron (with systemd)' do
let(:additional_params) do
{ renew_cron_ensure: 'present' }
end
let(:facts) do
facts.merge({
service_provider: 'systemd',
})
end

it do
case facts[:os]['family']
when 'RedHat'
is_expected.to contain_service('certbot-renew.timer').with(ensure: 'stopped', enable: false)
when 'Debian'
is_expected.to contain_service('certbot.timer').with(ensure: 'stopped', enable: false)
end
end
end

describe 'renew_cron_ensure and disable_distro_cron (without systemd)' do
let(:additional_params) do
{ renew_cron_ensure: 'present' }
end
let(:facts) do
facts.merge({
service_provider: 'init',
})
end

it do
case facts[:os]['family']
when 'Debian'
is_expected.to contain_file('/etc/cron.d/certbot')
when 'FreeBSD'
is_expected.to contain_file('/etc/periodic/weekly/500.certbot-3.9')
end
end
end

describe 'renew_cron_ensure and additional args' do
let(:additional_params) do
{ renew_cron_ensure: 'present',
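Review bot: both new examples leave `renew_disable_distro_cron` at its default, so only the default-true behaviour is exercised; a third example with `renew_disable_distro_cron: false` asserting `not_to contain_service(...)` and `not_to contain_file(...)` would pin down the opt-out. The non-systemd example only checks `contain_file(path)`; adding `.with(ensure: 'file', content: ...)` would catch a regression between overwrite and `absent`, and the systemd example could assert that the cron file is not managed on Debian (`is_expected.not_to contain_file('/etc/cron.d/certbot')`). Both `case` blocks have no `else`, so OS families not listed pass vacuously rather than documenting that nothing is expected there.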