From 8dca39b3f9b33780d856d54cf6fac683b0e3afbe Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Thu, 9 Jan 2025 13:58:51 +0100
Subject: [PATCH 1/3] Manage ca_ttl setting

---
 README.md | 1 +
 puppetserver/Dockerfile | 1 +
 puppetserver/docker-entrypoint.d/90-ca.sh | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/README.md b/README.md
index 16aee59b..c406b903 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,7 @@ The following environment variables are supported:
 | __PUPPETSERVER_PORT__ | The port of the puppetserver

`8140` |
 | __AUTOSIGN__ | Whether or not to enable autosigning on the puppetserver instance. Valid values are `true`, `false`, and `/path/to/autosign.conf`.

Defaults to `true`. |
 | __CA_ENABLED__ | Whether or not this puppetserver instance has a running CA (Certificate Authority)

`true` |
+| __CA_TTL__ | CA expire date (in seconds)

`157680000` |
 | __CA_HOSTNAME__ | The DNS hostname for the puppetserver running the CA. Does nothing unless `CA_ENABLED=false`

`puppet` |
 | __CA_PORT__ | The listening port of the CA. Does nothing unless `CA_ENABLED=false`

`8140` |
 | __CA_ALLOW_SUBJECT_ALT_NAMES__ | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.

`false` |
diff --git a/puppetserver/Dockerfile b/puppetserver/Dockerfile
index e7e724e2..7ea78654 100644
--- a/puppetserver/Dockerfile
+++ b/puppetserver/Dockerfile
@@ -49,6 +49,7 @@ ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
 CA_HOSTNAME=puppet \
 CA_PORT=8140 \
 CA_ALLOW_SUBJECT_ALT_NAMES=false \
+ CA_TTL=157680000 \
 INTERMEDIATE_CA=false \
 INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \
 INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \
diff --git a/puppetserver/docker-entrypoint.d/90-ca.sh b/puppetserver/docker-entrypoint.d/90-ca.sh
index 90acf8dc..338d2eb9 100755
--- a/puppetserver/docker-entrypoint.d/90-ca.sh
+++ b/puppetserver/docker-entrypoint.d/90-ca.sh
@@ -32,6 +32,9 @@ EOF
 hocon -f webserver.conf set webserver.ssl-crl-path $ssl_crl_path
 cd /
+ if [[ -z $CA_TTL ]]; then
+ puppet config set --section server ca_ttl "${CA_TTL}"
+
 # bootstrap certs for the puppetserver
 if [[ ! -f "$ssl_cert" ]]; then
 while ! ca_running; do

From 5ca2a7272dcaa293a13d17e0c6ab299af9b0d5ad Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Thu, 9 Jan 2025 14:04:25 +0100
Subject: [PATCH 2/3] add value type to readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c406b903..66385d3a 100644
--- a/README.md
+++ b/README.md
@@ -97,7 +97,7 @@ The following environment variables are supported:
 | __PUPPETSERVER_PORT__ | The port of the puppetserver
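Review bot: The added `if [[ -z $CA_TTL ]]; then` in 90-ca.sh is never closed with `fi`, so after this commit the entrypoint script does not parse, and the condition is also inverted — `puppet config set` runs only when `CA_TTL` is empty and would persist an empty value. The third patch of this series drops the `if` again, so rather than fixing it here, squash that change into this commit so no revision of the series ships a broken entrypoint. The enclosing block of the hunk starts and ends outside it.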

`8140` |
 | __AUTOSIGN__ | Whether or not to enable autosigning on the puppetserver instance. Valid values are `true`, `false`, and `/path/to/autosign.conf`.

Defaults to `true`. |
 | __CA_ENABLED__ | Whether or not this puppetserver instance has a running CA (Certificate Authority)

`true` |
-| __CA_TTL__ | CA expire date (in seconds)

`157680000` |
+| __CA_TTL__ | CA expire date (in seconds or with suffix `s`, `m`, `h`, `d`, `y`)

`157680000` |
 | __CA_HOSTNAME__ | The DNS hostname for the puppetserver running the CA. Does nothing unless `CA_ENABLED=false`

`puppet` |
 | __CA_PORT__ | The listening port of the CA. Does nothing unless `CA_ENABLED=false`

`8140` |
 | __CA_ALLOW_SUBJECT_ALT_NAMES__ | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.

`false` |

From f8c698ef53399026681392a88b8e3f1b372be7d0 Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Thu, 9 Jan 2025 14:05:28 +0100
Subject: [PATCH 3/3] CA_TTL is always set, removing if clouse

---
 puppetserver/docker-entrypoint.d/90-ca.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/puppetserver/docker-entrypoint.d/90-ca.sh b/puppetserver/docker-entrypoint.d/90-ca.sh
index 338d2eb9..cd9283ea 100755
--- a/puppetserver/docker-entrypoint.d/90-ca.sh
+++ b/puppetserver/docker-entrypoint.d/90-ca.sh
@@ -32,8 +32,7 @@ EOF
 hocon -f webserver.conf set webserver.ssl-crl-path $ssl_crl_path
 cd /
- if [[ -z $CA_TTL ]]; then
- puppet config set --section server ca_ttl "${CA_TTL}"
+ puppet config set --section server ca_ttl "${CA_TTL}"
 # bootstrap certs for the puppetserver
 if [[ ! -f "$ssl_cert" ]]; then
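Review bot: `puppet config set --section server ca_ttl "${CA_TTL}"` persists whatever the container environment carries; "always set" holds only for the Dockerfile default, and a run with `-e CA_TTL=` or a malformed value writes a bad setting into puppet.conf that surfaces later as a confusing server or CA failure rather than at startup. Validate against the format the README documents before writing it: `[[ "$CA_TTL" =~ ^[0-9]+[smhdy]?$ ]] || { echo "invalid CA_TTL: ${CA_TTL}" >&2; exit 1; }`. Separately, `ca_ttl` is honoured by the signing CA when it issues certificates; the `ssl-crl-path` and certificate-bootstrap context around the hunk suggests this block may run on a server that is not itself the CA, and if so the setting has no effect where it matters and belongs in the CA-enabled path as well. The enclosing block of the hunk starts and ends outside it, so I cannot confirm which branch this is.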