From 846846a444c966e1497f8bd3c99982baa4f9bee2 Mon Sep 17 00:00:00 2001 From: Gregoire Menuel Date: Wed, 11 May 2022 13:00:04 +0200 Subject: [PATCH] add option for removing cron provided by distro pkgs --- REFERENCE.md | 38 ++++++++++++++++++++++++++++++++ data/Debian-family.yaml | 2 ++ data/FreeBSD-family.yaml | 1 + data/RedHat-family.yaml | 1 + manifests/init.pp | 2 ++ manifests/renew.pp | 36 +++++++++++++++++++++++------- spec/classes/letsencrypt_spec.rb | 35 +++++++++++++++++++++++++++++ 7 files changed, 107 insertions(+), 8 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 55fa4328..a490ac91 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -81,6 +81,7 @@ The following parameters are available in the `letsencrypt` class: * [`renew_post_hook_commands`](#renew_post_hook_commands) * [`renew_deploy_hook_commands`](#renew_deploy_hook_commands) * [`renew_additional_args`](#renew_additional_args) +* [`renew_disable_distro_cron`](#renew_disable_distro_cron) * [`renew_cron_ensure`](#renew_cron_ensure) * [`renew_cron_hour`](#renew_cron_hour) * [`renew_cron_minute`](#renew_cron_minute) @@ -258,6 +259,14 @@ Array of additional command line arguments to pass to 'certbot renew'. Default value: `[]` +##### `renew_disable_distro_cron` + +Data type: `Any` + +Boolean, set to true to disable the cron created by the distro package + +Default value: ``true`` + ##### `renew_cron_ensure` Data type: `Any` @@ -561,6 +570,8 @@ Note: Hooks set here will run before/after/for ALL certificates, including any not managed by Puppet. If you want to create hooks for specific certificates only, create them using letsencrypt::certonly. +will be deleted (unless systemd is used) + #### Parameters The following parameters are available in the `letsencrypt::renew` class: 
@@ -569,6 +580,9 @@ The following parameters are available in the `letsencrypt::renew` class: * [`post_hook_commands`](#post_hook_commands) * [`deploy_hook_commands`](#deploy_hook_commands) * [`additional_args`](#additional_args) +* [`disable_distro_cron`](#disable_distro_cron) +* [`distro_renew_cron_file`](#distro_renew_cron_file) +* [`distro_renew_timer`](#distro_renew_timer) * [`cron_ensure`](#cron_ensure) * [`cron_hour`](#cron_hour) * [`cron_minute`](#cron_minute) @@ -611,6 +625,30 @@ Array of additional command line arguments to pass to 'certbot renew'. Default value: `$letsencrypt::renew_additional_args` +##### `disable_distro_cron` + +Data type: `Boolean` + +Boolean, set to true to disable the cron created by the distro package + +Default value: `$letsencrypt::renew_disable_distro_cron` + +##### `distro_renew_cron_file` + +Data type: `Optional[Stdlib::Unixpath]` + +Optional Unixpath, if set and if disable_distro_cron is true this file + +Default value: ``undef`` + +##### `distro_renew_timer` + +Data type: `Optional[String]` + +Optional String, name of the systemd timer to disable if disable_distro_cron is true + +Default value: ``undef`` + ##### `cron_ensure` Data type: `Enum['present', 'absent']` diff --git a/data/Debian-family.yaml b/data/Debian-family.yaml index c52a03b6..4d41c8a3 100644 --- a/data/Debian-family.yaml +++ b/data/Debian-family.yaml @@ -2,3 +2,5 @@ letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136' letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53' letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare' +letsencrypt::renew::distro_renew_cron_file: /etc/cron.d/certbot +letsencrypt::renew::distro_renew_timer: certbot.timer diff --git a/data/FreeBSD-family.yaml b/data/FreeBSD-family.yaml index c1f6af2f..536a4253 100644 --- a/data/FreeBSD-family.yaml +++ b/data/FreeBSD-family.yaml 
@@ -5,3 +5,4 @@ letsencrypt::cron_owner_group: 'wheel' letsencrypt::plugin::dns_rfc2136::package_name: 'py38-certbot-dns-rfc2136' letsencrypt::plugin::dns_route53::package_name: 'py38-certbot-dns-route53' letsencrypt::plugin::dns_cloudflare::package_name: 'py38-certbot-dns-cloudflare' +letsencrypt::renew::distro_renew_cron_file: /etc/periodic/weekly/500.certbot-3.8 diff --git a/data/RedHat-family.yaml b/data/RedHat-family.yaml index 35f52041..d8c979be 100644 --- a/data/RedHat-family.yaml +++ b/data/RedHat-family.yaml @@ -3,3 +3,4 @@ letsencrypt::configure_epel: true letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136' letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53' letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare' +letsencrypt::renew::distro_renew_timer: certbot-renew.timer diff --git a/manifests/init.pp b/manifests/init.pp index 66954765..26eb2737 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -39,6 +39,7 @@ # - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains. # Example: "example.com www.example.com" # @param renew_additional_args Array of additional command line arguments to pass to 'certbot renew'. +# @param renew_disable_distro_cron Boolean, set to true to disable the cron created by the distro package # @param renew_cron_ensure Intended state of the cron resource running certbot renew. # @param renew_cron_hour # Optional string, integer or array of hour(s) the renewal command should run. @@ -74,6 +75,7 @@ $renew_post_hook_commands = [], $renew_deploy_hook_commands = [], $renew_additional_args = [], + $renew_disable_distro_cron = true, $renew_cron_ensure = 'absent', $renew_cron_hour = fqdn_rand(24), $renew_cron_minute = fqdn_rand(60, fqdn_rand_string(10)), diff --git a/manifests/renew.pp b/manifests/renew.pp index 350b9fff..19267f88 100644 --- a/manifests/renew.pp +++ b/manifests/renew.pp 
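Review bot: The new default `$renew_disable_distro_cron = true,` sits directly above `$renew_cron_ensure = 'absent'`, so a node that takes the module defaults has the distro's certbot timer stopped (or its cron file neutralised) by letsencrypt::renew while no Puppet-managed cron replaces it, and certificates quietly stop renewing until they expire — assuming letsencrypt::renew is included by the main class, which this diff does not show. Opting out of the packaged schedule should be an explicit choice, so the safer default is `$renew_disable_distro_cron = false,` with the `@param` text stating that it only makes sense together with `renew_cron_ensure => 'present'`; alternatively letsencrypt::renew could `fail()` on the combination of `$disable_distro_cron` true and `$cron_ensure` 'absent'. Like its siblings the parameter is untyped here, which is why REFERENCE.md reports `Any`; a `Boolean` on this line would surface a wrong Hiera value at the parameter the user actually set rather than at the typed `$disable_distro_cron` in letsencrypt::renew.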
@@ -16,6 +16,10 @@ # - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains. # Example: "example.com www.example.com" # @param additional_args Array of additional command line arguments to pass to 'certbot renew'. +# @param disable_distro_cron Boolean, set to true to disable the cron created by the distro package +# @param distro_renew_cron_file Optional Unixpath, if set and if disable_distro_cron is true this file +# will be deleted (unless systemd is used) +# @param distro_renew_timer Optional String, name of the systemd timer to disable if disable_distro_cron is true # @param cron_ensure Intended state of the cron resource running certbot renew # @param cron_hour # Optional string, integer or array of hour(s) the renewal command should run. 
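Review bot: The `@param distro_renew_cron_file` description is split over two comment lines, and the regenerated REFERENCE.md in this same commit shows puppet-strings did not join them: the parameter text stops at "this file" and the sentence `will be deleted (unless systemd is used)` lands in the class description instead. The collapsed diff hides the exact whitespace, but the existing multi-line tag just below (`@param cron_hour` followed by its `Optional string, integer or array ...` line) presumably indents the continuation under the tag, so `#   will be deleted (unless systemd is used)` with that same indent should make the tag parse as one description, after which REFERENCE.md needs regenerating. It would also help to say on the `distro_renew_timer` tag that on systemd hosts only the timer is handled and the cron file is left untouched, since the implementation treats the two as mutually exclusive.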
@@ -28,14 +32,17 @@
 # run. E.g. '2-30/2' to run on even days. Default: Every day.
 #
 class letsencrypt::renew (
- Variant[String[1], Array[String[1]]] $pre_hook_commands = $letsencrypt::renew_pre_hook_commands,
- Variant[String[1], Array[String[1]]] $post_hook_commands = $letsencrypt::renew_post_hook_commands,
- Variant[String[1], Array[String[1]]] $deploy_hook_commands = $letsencrypt::renew_deploy_hook_commands,
- Array[String[1]] $additional_args = $letsencrypt::renew_additional_args,
- Enum['present', 'absent'] $cron_ensure = $letsencrypt::renew_cron_ensure,
- Letsencrypt::Cron::Hour $cron_hour = $letsencrypt::renew_cron_hour,
- Letsencrypt::Cron::Minute $cron_minute = $letsencrypt::renew_cron_minute,
- Letsencrypt::Cron::Monthday $cron_monthday = $letsencrypt::renew_cron_monthday,
+ Variant[String[1], Array[String[1]]] $pre_hook_commands = $letsencrypt::renew_pre_hook_commands,
+ Variant[String[1], Array[String[1]]] $post_hook_commands = $letsencrypt::renew_post_hook_commands,
+ Variant[String[1], Array[String[1]]] $deploy_hook_commands = $letsencrypt::renew_deploy_hook_commands,
+ Array[String[1]] $additional_args = $letsencrypt::renew_additional_args,
+ Boolean $disable_distro_cron = $letsencrypt::renew_disable_distro_cron,
+ Optional[Stdlib::Unixpath] $distro_renew_cron_file = undef,
+ Optional[String] $distro_renew_timer = undef,
+ Enum['present', 'absent'] $cron_ensure = $letsencrypt::renew_cron_ensure,
+ Letsencrypt::Cron::Hour $cron_hour = $letsencrypt::renew_cron_hour,
+ Letsencrypt::Cron::Minute $cron_minute = $letsencrypt::renew_cron_minute,
+ Letsencrypt::Cron::Monthday $cron_monthday = $letsencrypt::renew_cron_monthday,
 ) {
 # Directory used for Puppet-managed renewal hooks. Make sure old unmanaged
 # hooks in this directory are purged. Leave custom hooks in the default
@@ -84,4 +91,17 @@ minute => $cron_minute, monthday => $cron_monthday, } + + if $disable_distro_cron and $distro_renew_timer and $facts['service_provider'] == 'systemd' { + service { $distro_renew_timer: + ensure => stopped, + enable => false, + } + } + elsif $disable_distro_cron and $distro_renew_cron_file and $facts['service_provider'] != 'systemd' { + file { $distro_renew_cron_file: + ensure => file, + content => '# certbot renew managed by puppet', + } + } } diff --git a/spec/classes/letsencrypt_spec.rb b/spec/classes/letsencrypt_spec.rb index c69e530a..83c3e7cc 100644 --- a/spec/classes/letsencrypt_spec.rb +++ b/spec/classes/letsencrypt_spec.rb @@ -211,6 +211,41 @@ end end + describe 'renew_cron_ensure and disable_distro_cron (with systemd)' do + let(:additional_params) do + { renew_cron_ensure: 'present' } + end + let(:facts) do + facts.merge({ + service_provider: 'systemd', + }) + end + + it do + case facts[:osfamily] + when 'RedHat' + is_expected.to contain_service('certbot-renew.timer').with(ensure: 'stopped', enable: false) + when 'Debian' + is_expected.to contain_service('certbot.timer').with(ensure: 'stopped', enable: false) + end + end + end + + describe 'renew_cron_ensure and disable_distro_cron (without systemd)' do + let(:additional_params) do + { renew_cron_ensure: 'present' } + end + + it do + case facts[:osfamily] + when 'Debian' + is_expected.to contain_file('/etc/cron.d/certbot') + when 'FreeBSD' + is_expected.to contain_file('/etc/periodic/weekly/500.certbot-3.8') + end + end + end + describe 'renew_cron_ensure and additional args' do let(:additional_params) do { renew_cron_ensure: 'present',
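Review bot: The `elsif` branch does not do what the new documentation promises: the `@param distro_renew_cron_file` text says the file "will be deleted", but `file { $distro_renew_cron_file: ensure => file, content => '# certbot renew managed by puppet' }` overwrites it with a comment-only file, so `/etc/cron.d/certbot` on Debian and the FreeBSD periodic script keep existing with Puppet-owned content; either switch to `ensure => absent` if deletion is intended or reword the doc to say the file is replaced by an inert placeholder. The `service { $distro_renew_timer: ... }` resource carries no relationship to the certbot package, and ordering between this class and the package install is outside this hunk; if the class can be evaluated first on a fresh node, `systemctl` is asked to stop and disable a unit that does not exist yet and the run fails, which a `require` on the certbot package resource (placeholder: `Package[<certbot package>]`) would close. Neither branch acts on a systemd host whose data defines only `distro_renew_cron_file`, nor on a non-systemd host that defines only `distro_renew_timer`; that matches the shipped Hiera data but deserves a comment above the `if`, e.g. `# systemd hosts: stop the packaged timer only; other hosts: neutralise the packaged cron file only.`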
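Review bot: Neither new example covers the opt-out path, so a regression that ignores `renew_disable_distro_cron` would pass: there is no example with `renew_disable_distro_cron: false` asserting `is_expected.not_to contain_service('certbot.timer')` or `is_expected.not_to contain_file('/etc/cron.d/certbot')`, and the `case facts[:osfamily]` blocks have no `else`, so on an OS family without a matching `when` the example passes without asserting anything. The "without systemd" group also relies on the base facts simply lacking `service_provider`; setting it explicitly to a non-systemd value through a `let(:facts)` like the first group does keeps the test meaningful if the fact fixtures ever gain that key. Inside `let(:facts) do facts.merge(...)`, `facts` is presumably the block-local hash from the surrounding `on_supported_os` loop (that context starts outside this hunk); should it ever become a `let`, the call turns self-referential and `super().merge(...)` is the form to use.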