On 16/10/2015 11:11, Jonathan Gazeley wrote:
Here's a problem that might have an interesting solution.

I use Puppet to deploy (amongst other things) SSL certs for web servers. One of my certs is expiring in January 2016 and I have already been sent the replacement. They overlap by 7 days. I might forget to make the change in January so I was wondering if there is a way of configuring Puppet today to magically switch over the certs in January. (i.e. continue to deploy the current cert until a specific date and then deploy the new one instead)

I see the generate function can be used to execute system calls to fetch the date but I'm not sure about date comparisons in Puppet. I guess I would need to use epoch time to compare as integers.

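# generate() takes the command path and each argument as separate strings
$date = generate('/bin/date', '+%s')

# 1451606400 is 2016-01-01 00:00:00 UTC
if $date > 1451606400 {
  $cert = "newcert.crt"
} else {
  $cert = "oldcert.crt"
}

# the resource title must be followed by a colon
file { 'cert.crt':
  source => $cert,
}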

I also saw that Felix commented on a similar question on ServerFault: "As an aside, I would personally refrain from implementing this kind of thing. It comes with a high risk of falling onto your foot pretty heavily. Don't build your friendly surprises into Puppet."

You can use the time() function from stdlib, to make this a little less resource intensive:

https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/lib/puppet/parser/functions/time.rb

A different approach would be to use strftime (also from stdlib) to interpolate the current year into the source URL of your cert and have them called 'cert-2015.pem' and 'cert-2016.pem'

Felix' comment should be heeded, though. Especially the latter version will "cause" an outage at the most inconvenient time of the year: 2016-01-01T00:10.

Cheers, David
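
An added example, not code from this thread: instead of hard-coding a switch-over epoch or year, the choice can be driven by each certificate's own notBefore/notAfter fields. The Ruby below uses a hypothetical pick_cert helper and constructed self-signed certificates whose dates only mimic the seven-day overlap described above; the one-hour margin is an assumed allowance for clock skew.

```ruby
require 'openssl'

# Hypothetical helper: given { name => PEM }, return the name of the
# certificate to deploy at `now`. Only certs whose validity window covers
# `now` qualify; among those, the one that expires last wins.
# `margin` (seconds) delays use of a cert right after its notBefore.
def pick_cert(certs, now: Time.now, margin: 3600)
  parsed = certs.map { |name, pem| [name, OpenSSL::X509::Certificate.new(pem)] }
  usable = parsed.select { |_n, c| c.not_before + margin <= now && now < c.not_after }
  # Fail loudly instead of silently deploying an expired or not-yet-valid cert.
  raise ArgumentError, "no certificate valid at #{now.utc}" if usable.empty?
  usable.max_by { |_n, c| c.not_after }.first
end

# --- Constructed sample data (self-signed, for demonstration only) ---
KEY = OpenSSL::PKey::RSA.new(2048)

def sample_cert(not_before, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=www.example.test')
  cert.public_key = KEY.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(KEY, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Constructed dates: the old cert expires 7 days after the new one starts.
CERTS = {
  'oldcert.crt' => sample_cert(Time.utc(2015, 1, 8), Time.utc(2016, 1, 8)),
  'newcert.crt' => sample_cert(Time.utc(2016, 1, 1), Time.utc(2017, 1, 1))
}.freeze

if __FILE__ == $PROGRAM_NAME
  [Time.utc(2015, 10, 16), Time.utc(2016, 1, 1, 0, 10), Time.utc(2016, 1, 2)].each do |t|
    puts "#{t} -> #{pick_cert(CERTS, now: t)}"
  end
end
```

Because the decision comes from the certificate itself, a replacement with different dates needs no change to the selection logic, and a gap between certificates fails the run rather than deploying an invalid file.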
