-rw-r--r--Makefile1
-rw-r--r--certmaster.spec4
-rw-r--r--docs/certmaster-sync.pod44
-rw-r--r--etc/certmaster.conf2
-rw-r--r--setup.py2
5 files changed, 52 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index 01b915d..91456f2 100644
--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,7 @@ manpage:
pod2man --center="certmaster-request" --release="" ./docs/certmaster-request.pod | gzip -c > ./docs/certmaster-request.1.gz
pod2man --center="certmaster" --release="" ./docs/certmaster.pod | gzip -c > ./docs/certmaster.1.gz
pod2man --center="certmaster-ca" --release="" ./docs/certmaster-ca.pod | gzip -c > ./docs/certmaster-ca.1.gz
+ pod2man --center="certmaster-sync" --release="" ./docs/certmaster-sync.pod | gzip -c > ./docs/certmaster-sync.1.gz
messages: certmaster/*.py
touch $(MESSAGESPOT)
diff --git a/certmaster.spec b/certmaster.spec
index f7fa30c..e50be18 100644
--- a/certmaster.spec
+++ b/certmaster.spec
@@ -62,6 +62,8 @@ certmaster is a easy mechanism for distributing SSL certificates
%install
test "x$RPM_BUILD_ROOT" != "x" && rm -rf $RPM_BUILD_ROOT
%{__python} setup.py install --prefix=/usr --root=$RPM_BUILD_ROOT
+ln -s %{_bindir}/certmaster-sync $RPM_BUILD_ROOT/var/lib/certmaster/triggers/sign/post/certmaster-sync
+ln -s %{_bindir}/certmaster-sync $RPM_BUILD_ROOT/var/lib/certmaster/triggers/remove/post/certmaster-sync
%clean
rm -fr $RPM_BUILD_ROOT
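Review bot: The two `ln -s` lines point at `%{_bindir}/certmaster-sync`, but nothing in this commit installs that script — the diffstat touches only Makefile, the spec, the new pod, the conf and setup.py, and the setup.py hunk adds only the manpage and the peers directory — so unless certmaster-sync is already in setup.py's scripts list and therefore in %files, both links dangle and the trigger runner presumably invokes a missing target on every sign and remove. A cheap build-time guard would be `test -x $RPM_BUILD_ROOT%{_bindir}/certmaster-sync` before the links. Note also that these links put certmaster-sync into the signing path for every certificate; it no-ops until sync_certs is enabled, but it runs with whatever privileges the trigger runner has, which this diff does not show.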
@@ -96,6 +98,8 @@ rm -fr $RPM_BUILD_ROOT
%dir /var/lib/certmaster/triggers/remove/
%dir /var/lib/certmaster/triggers/remove/pre
%dir /var/lib/certmaster/triggers/remove/post
+/var/lib/certmaster/triggers/sign/post/certmaster-sync
+/var/lib/certmaster/triggers/remove/post/certmaster-sync
%doc AUTHORS README LICENSE
%{_mandir}/man1/*.1.gz
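Review bot: This %files hunk packages the two trigger symlinks but adds no `%dir` for the new peers directory that setup.py now creates via `("%s/peers" % certdir, [])` (certdir is presumably /var/lib/certmaster/certmaster/certs, matching certroot in certmaster.conf). Unless it is listed elsewhere in %files, rpmbuild's unpackaged-files check will reject the build, or the directory ends up unowned by the package. Add `%dir /var/lib/certmaster/certmaster/certs/peers` beside the other %dir entries, with an explicit `%attr` if certmaster-sync is expected to write there as anything other than root.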
diff --git a/docs/certmaster-sync.pod b/docs/certmaster-sync.pod
new file mode 100644
index 0000000..1519387
--- /dev/null
+++ b/docs/certmaster-sync.pod
@@ -0,0 +1,44 @@
+=head1 NAME
+
+certmaster-sync -- syncronize client certificates with Func.
+
+=head1 SYNOPSIS
+
+certmaster-sync [-f|--force]
+
+=head1 DESCRIPTION
+
+certmaster-sync syncronizes client certificates amongst certmaster clients via Func. It is assumed that the hosts who have requested certificates are reachable via Func for syncronization operations.
+
+certmaster-sync by default is called as a post-sign and post-clean trigger. In order to enable syncronization you must set B<sync_certs> to B<True>, see B<CONFIGURATION VALUES> below.
+
+The syncronization occurs by querying remote Func methods in B<certmastermod> on the minion hosts. This will gather information, copy any new certificates, and remove any certificates that have been cleaned.
+
+=head1 OPTIONS
+
+=over
+
+=item -f, --force
+
+Override the configuration value for B<sync_certs> in F</etc/certmaster/certmaster.conf>
+
+=back
+
+=head1 CONFIGURATION VALUES
+
+=over
+
+=item sync_certs
+
+B<sync_certs> determines whether or not the script will actually syncronize or if it will exit with no operation. You can use -f|--force to override this configuration value. (Default: False)
+
+=back
+
+=head1 ADDITONAL RESOURCES
+
+See https://fedorahosted.org/certmaster. It's a Wiki.
+See also https://fedorahosted.org/func
+
+=head1 AUTHOR
+
+John Eckersberg <jeckersb@redhat.com>
diff --git a/etc/certmaster.conf b/etc/certmaster.conf
index 7664376..cfdca9d 100644
--- a/etc/certmaster.conf
+++ b/etc/certmaster.conf
@@ -9,4 +9,4 @@ cert_dir = /etc/pki/certmaster
certroot = /var/lib/certmaster/certmaster/certs
csrroot = /var/lib/certmaster/certmaster/csrs
cert_extension = cert
-
+sync_certs = False
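Review bot: `sync_certs = False` is added with no comment, yet this single key decides whether a post-sign/post-remove trigger reaches out to every minion over Func, which a reader of the conf file cannot tell from the name. Shipping it off by default is the right, fail-safe choice; document it in place with something like `# sync_certs: push signed/removed client certs to all minions via Func (needs func); see certmaster-sync(1)` above the key.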
diff --git a/setup.py b/setup.py
index 8cf70eb..2a1fcdf 100644
--- a/setup.py
+++ b/setup.py
@@ -44,12 +44,14 @@ if __name__ == "__main__":
(manpath, ["docs/certmaster.1.gz"]),
(manpath, ["docs/certmaster-request.1.gz"]),
(manpath, ["docs/certmaster-ca.1.gz"]),
+ (manpath, ["docs/certmaster-sync.1.gz"]),
(rotpath, ['etc/certmaster_rotate']),
(logpath, []),
(certdir, []),
(etcpath, []),
(pkipath, []),
(aclpath, []),
+ ("%s/peers" % certdir, []),
("%s/sign/pre/" % trigpath, []),
("%s/sign/post/" % trigpath, []),
("%s/remove/pre/" % trigpath, []),
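Review bot: The new `("%s/peers" % certdir, [])` entry has no comment and nothing in the hunk says who populates it; the accompanying certmaster-sync.pod describes copying certificates between clients, so this is presumably where synced peer certificates land. A one-line comment such as `# peer certs copied in by certmaster-sync (see docs/certmaster-sync.pod)` would make the data_files layout self-explaining. distutils creates this directory with the build user's umask, so its runtime ownership and mode must come from the packaging rather than from here.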