workaround for theforeman#969

jcpunk · jcpunk · commit 27826c34925c · 2025-11-25T19:49:53.000-06:00
diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb
@@ -524,6 +524,11 @@
           it 'should not sync the crl' do
             should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
           end
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_renewal"}) }
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_status"}) }
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/certificate_statuses"}) }
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/sign"}) }
+          it { should contain_file("#{conf_d_dir}/auth.conf").with_content(%r{path":\s*"/puppet-ca/v1/sign/all"}) }
         end
       end
 
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -202,6 +202,46 @@ authorization: {
             sort-order: 500
             name: "puppetlabs cert clean"
         },
+        {
+            # Allow the CA CLI to access the certificate sign endpoint
+            match-request: {
+                path: "/puppet-ca/v1/sign"
+                type: path
+                method: post
+            }
+            allow: [
+<%- @server_ca_client_allowlist.each do |client| -%>
+                "<%= client %>",
+<%- end -%>
+                {
+                    extensions: {
+                        pp_cli_auth: "true"
+                    }
+                }
+            ]
+            sort-order: 500
+            name: "puppetlabs cert sign"
+        },
+        {
+            # Allow the CA CLI to access the certificate sign all endpoint
+            match-request: {
+                path: "/puppet-ca/v1/sign/all"
+                type: path
+                method: post
+            }
+            allow: [
+<%- @server_ca_client_allowlist.each do |client| -%>
+                "<%= client %>",
+<%- end -%>
+                {
+                    extensions: {
+                        pp_cli_auth: "true"
+                    }
+                }
+            ]
+            sort-order: 500
+            name: "puppetlabs cert sign all"
+        },
         {
             # Allow unauthenticated access to the status service endpoint
             match-request: {
