From 5640b9438ab0ecccac109ff4f0f2805dec9f2bf8 Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Thu, 2 Apr 2026 22:33:33 +0200
Subject: [PATCH] diff to 881
---
 .../20-use-templates-initially.sh | 2 +-
 .../30-ensure-config.sh | 10 ---------
 .../30-set-permissions.sh | 8 +++++++
 .../40-update-puppetdb-conf.sh | 2 +-
 .../70-set-dns-alt-names.sh | 2 +-
 .../84-enable_graphite.sh | 12 +---------
 .../89-csr_attributes.rb | 3 +--
 .../89-csr_attributes.sh | 3 +--
 openvoxserver/container-entrypoint.d/90-ca.sh | 18 +++++++--------
 .../container-entrypoint.d/99-log-config.sh | 22 +++++++++----------
 10 files changed, 33 insertions(+), 49 deletions(-)
 delete mode 100755 openvoxserver/container-entrypoint.d/30-ensure-config.sh
 create mode 100755 openvoxserver/container-entrypoint.d/30-set-permissions.sh
diff --git a/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh b/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh
index b88fd85..390c2f3 100755
--- a/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh
+++ b/openvoxserver/container-entrypoint.d/20-use-templates-initially.sh
@@ -7,7 +7,7 @@ set -e
 # default
 TEMPLATES=/var/tmp/puppet
-cd "$(puppet config print confdir)"
+cd /etc/puppetlabs/puppet
 for f in auth.conf hiera.yaml puppet.conf puppetdb.conf; do
 [ -f "$TEMPLATES/$f" ] && [ ! -f "$f" ] && {
 echo "Copying template $f from $TEMPLATES"
diff --git a/openvoxserver/container-entrypoint.d/30-ensure-config.sh b/openvoxserver/container-entrypoint.d/30-ensure-config.sh
deleted file mode 100755
index 9ac44c2..0000000
--- a/openvoxserver/container-entrypoint.d/30-ensure-config.sh
+++ /dev/null
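Review bot: `cd /etc/puppetlabs/puppet` hard-codes the confdir that the removed `puppet config print confdir` call used to resolve, and the same literal is repeated in 40-update-puppetdb-conf.sh, 89-csr_attributes.rb and 90-ca.sh, while the `puppet config set` lines that pinned these settings disappear with 30-ensure-config.sh; nothing in the scripts now checks that puppetserver resolves the same directories. If a puppet.conf on the mounted volume sets a different ssldir or cadir, the templates land where the server reads them but the later certificate and CA checks look in the wrong place, silently. Since `SSLDIR` is already consumed as an environment variable in the later hunks, consider taking the confdir from one variable as well, e.g. `cd "${CONFDIR:-/etc/puppetlabs/puppet}"`, so the path is defined in a single place. The `for` loop body continues past the end of the hunk.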
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-set -e
-
-puppet config set confdir /etc/puppetlabs/puppet
-puppet config set vardir /opt/puppetlabs/puppet/cache
-puppet config set logdir /var/log/puppetlabs/puppet
-puppet config set codedir /etc/puppetlabs/code
-puppet config set rundir /var/run/puppetlabs
-puppet config set manage_internal_file_permissions false
\ No newline at end of file
diff --git a/openvoxserver/container-entrypoint.d/30-set-permissions.sh b/openvoxserver/container-entrypoint.d/30-set-permissions.sh
new file mode 100755
index 0000000..9fcf936
--- /dev/null
+++ b/openvoxserver/container-entrypoint.d/30-set-permissions.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+chown -R puppet:puppet /etc/puppetlabs/puppet/
+chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/
+chown -R puppet:puppet /etc/puppetlabs/puppetserver/
+chown -R puppet:puppet /var/log/puppetlabs/puppetserver/
diff --git a/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh b/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh
index f460b5c..072ce6f 100755
--- a/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh
+++ b/openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh
@@ -3,5 +3,5 @@ set -e
 if test -n "${OPENVOXDB_SERVER_URLS}" ; then
- sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(puppet config print confdir)/puppetdb.conf
+ sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" /etc/puppetlabs/puppet/puppetdb.conf
 fi
diff --git a/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh b/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh
index 26df5fb..37b14e3 100755
--- a/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh
+++ b/openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh
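Review bot: Each `chown -R puppet:puppet` in the new 30-set-permissions.sh is unconditional, so under `set -e` a directory that does not exist yet (an empty log volume on first start, for instance) or a read-only bind mount aborts the whole entrypoint before the CA and certificate steps run; the script also presumes it runs as root, which nothing in the hunk checks. A guarded loop keeps the intent and only fails when ownership genuinely cannot be changed: `for d in /etc/puppetlabs/puppet /opt/puppetlabs/server/data/puppetserver /etc/puppetlabs/puppetserver /var/log/puppetlabs/puppetserver; do if [ -d "$d" ]; then chown -R puppet:puppet "$d"; fi; done`. Recursive chown over the mounted config volume also rewrites the ownership of operator-supplied files, including any CA or host keys kept under it, on every start; a one-line comment stating that this is intended would save the next reader from wondering.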
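Review bot: The rewritten `sed -i` line still splices `${OPENVOXDB_SERVER_URLS}` verbatim into the `s@...@...@` expression, so a value containing `@` (URL userinfo), `&` (a sed back-reference) or `\` changes the substitution or makes sed fail rather than being written literally; only the file path changed in this hunk. Escape those characters before substituting, e.g. `urls=$(printf '%s' "${OPENVOXDB_SERVER_URLS}" | sed 's/[@&\\]/\\&/g')` followed by `sed -i "s@^server_urls.*@server_urls = ${urls}@" /etc/puppetlabs/puppet/puppetdb.conf`. Note also that `sed -i` only rewrites an existing `server_urls` line, so if the copied template lacks one the value is silently dropped; that is worth a comment or a check.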
@@ -9,7 +9,7 @@ config_section=main
 # an existing certificate on the /etc/puppetlabs/puppet volume
 if [ -n "${DNS_ALT_NAMES}" ]; then
 certname=$(puppet config print certname)
- if test ! -f "$(puppet config print ssldir)/certs/$certname.pem" ; then
+ if test ! -f "${SSLDIR}/certs/$certname.pem" ; then
 puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section "${config_section}"
 else
 actual=$(puppet config print dns_alt_names --section "${config_section}")
diff --git a/openvoxserver/container-entrypoint.d/84-enable_graphite.sh b/openvoxserver/container-entrypoint.d/84-enable_graphite.sh
index 0a6f4fd..19c576b 100755
--- a/openvoxserver/container-entrypoint.d/84-enable_graphite.sh
+++ b/openvoxserver/container-entrypoint.d/84-enable_graphite.sh
@@ -7,19 +7,9 @@ readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}")
 readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME")
 if [[ "$OPENVOXSERVER_GRAPHITE_EXPORTER_ENABLED" == "true" ]]; then
- # Only check for CERTNAME if graphite exporter is enabled
- if [[ -z "$CERTNAME" ]]; then
- echo "ERROR: CERTNAME environment variable is not set, and is required for the graphite exporter configuration."
- exit 1
- fi
-
 if [[ -n "$OPENVOXSERVER_GRAPHITE_HOST" && -n "$OPENVOXSERVER_GRAPHITE_PORT" ]]; then
 echo "Enabling graphite exporter"
- # Use multiple -e flags to perform multiple substitutions in a single pass
- sed -e "s/GRAPHITE_HOST/$OPENVOXSERVER_GRAPHITE_HOST/" \ -e "s/GRAPHITE_PORT/$OPENVOXSERVER_GRAPHITE_PORT/" \ -e "s/server-id: localhost/server-id: $CERTNAME/" \ "$SCRIPT_PATH/84-metrics.conf.tmpl" > /etc/puppetlabs/puppetserver/conf.d/metrics.conf
+ sed -e "s/GRAPHITE_HOST/$OPENVOXSERVER_GRAPHITE_HOST/" -e "s/GRAPHITE_PORT/$OPENVOXSERVER_GRAPHITE_PORT/" "$SCRIPT_PATH/84-metrics.conf.tmpl" > /etc/puppetlabs/puppetserver/conf.d/metrics.conf
 else
 echo "ERROR: no OPENVOXSERVER_GRAPHITE_HOST or OPENVOXSERVER_GRAPHITE_PORT set."
 exit 99
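Review bot: `${SSLDIR}` replaces `puppet config print ssldir` but is neither defined nor validated in any of the touched scripts (presumably it comes from the image environment); if it is unset, the test reads `/certs/<certname>.pem`, is false, and `dns_alt_names` is rewritten although a certificate already exists under the real ssldir. The same variable is used the same way in 90-ca.sh and 99-log-config.sh, and in 90-ca.sh an unset value makes the legacy-CA check false, so when a CA exists only under the old ssldir the script runs `puppetserver ca setup` and mints a brand-new CA instead of migrating the existing one. Add a guard at the top of each script, e.g. `: "${SSLDIR:?SSLDIR must be set}"`, or put `set -u` next to `set -e`. The enclosing `if [ -n "${DNS_ALT_NAMES}" ]` block continues past the end of the hunk.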
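Review bot: The rewritten `sed` no longer substitutes `server-id: localhost`, so if 84-metrics.conf.tmpl still carries that placeholder (which the removed `-e` implies) every server now reports its metrics under the id `localhost` and the per-host series collapse in graphite. If the intent was only to drop the hard `CERTNAME` requirement, keep the substitution with a fallback: `-e "s/server-id: localhost/server-id: ${CERTNAME:-$(hostname -f)}/"`. Separately, `$OPENVOXSERVER_GRAPHITE_HOST` is spliced unescaped into a `/`-delimited expression, so a value containing `/` or `&` corrupts the substitution; a different delimiter only narrows that, escaping the value closes it.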
diff --git a/openvoxserver/container-entrypoint.d/89-csr_attributes.rb b/openvoxserver/container-entrypoint.d/89-csr_attributes.rb
index 2a3e5d5..3109f31 100755
--- a/openvoxserver/container-entrypoint.d/89-csr_attributes.rb
+++ b/openvoxserver/container-entrypoint.d/89-csr_attributes.rb
@@ -3,10 +3,9 @@
 require 'json'
 require 'yaml'
-target_path = ARGV[0] || '/etc/puppetlabs/puppet/csr_attributes.yaml'
 begin
 csr_yaml = YAML.dump(JSON.load(ENV['CSR_ATTRIBUTES']))
- File.write(target_path, csr_yaml)
+ File.write('/etc/puppetlabs/puppet/csr_attributes.yaml', csr_yaml)
 rescue => error
 puts "Error on reading JSON env. Terminating"
 puts "Malformed JSON: #{ENV['CSR_ATTRIBUTES']}"
diff --git a/openvoxserver/container-entrypoint.d/89-csr_attributes.sh b/openvoxserver/container-entrypoint.d/89-csr_attributes.sh
index 0873783..08cab7a 100755
--- a/openvoxserver/container-entrypoint.d/89-csr_attributes.sh
+++ b/openvoxserver/container-entrypoint.d/89-csr_attributes.sh
@@ -5,9 +5,8 @@ set -e
 # determine script location
 readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}")
 readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME")
-readonly CSR_PATH=$(puppet config print csr_attributes)
 if [ -n "${CSR_ATTRIBUTES}" ]; then
 echo "CSR Attributes: ${CSR_ATTRIBUTES}"
- /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH"
+ /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb"
 fi
diff --git a/openvoxserver/container-entrypoint.d/90-ca.sh b/openvoxserver/container-entrypoint.d/90-ca.sh
index 2a139b4..23e79ef 100755
--- a/openvoxserver/container-entrypoint.d/90-ca.sh
+++ b/openvoxserver/container-entrypoint.d/90-ca.sh
@@ -59,8 +59,7 @@ else
 exit 99
 fi
- ca_cert=$(puppet config print cacert)
- if [[ -f "$ca_cert" ]]; then
+ if [[ -f /etc/puppetlabs/puppetserver/ca/ca_crt.pem ]]; then
 echo "CA already imported."
 else
 puppetserver ca import \
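Review bot: `puts "Malformed JSON: #{ENV['CSR_ATTRIBUTES']}"` in the rescue branch, and `echo "CSR Attributes: ${CSR_ATTRIBUTES}"` in the 89-csr_attributes.sh hunk, write the raw attribute payload to the container log; csr_attributes is where an autosign pre-shared key is typically placed, so the log becomes a copy of the secret. Log the parser's message instead, `puts "Malformed JSON: #{error.message}"`, and have the shell wrapper echo only that attributes are present. `JSON.load` also applies the json gem's load defaults, which include `create_additions`, so a `json_class` key in the payload can instantiate arbitrary classes; `JSON.parse(ENV['CSR_ATTRIBUTES'])` is the appropriate call for an opaque value. Since the output path is now fixed, a short comment above `File.write` saying the location is no longer overridable by the wrapper would document the contract the removed `ARGV[0]` used to express.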
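Review bot: `/etc/puppetlabs/puppetserver/ca/ca_crt.pem` is spelled out in the new `[[ -f ... ]]` test while the following hunk assigns the same directory to `new_cadir`, so the CA location now lives in two places in one script, next to `$SSLDIR` for the legacy location. Define it once near the top of the script, outside this hunk, e.g. `readonly CADIR=/etc/puppetlabs/puppetserver/ca`, and use `"$CADIR/ca_crt.pem"` in both branches so a future relocation cannot update one check and miss the other. The `if`/`else` this hunk sits in starts before and ends after the hunk.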
@@ -69,10 +68,9 @@ else
 --private-key $INTERMEDIATE_CA_KEY
 fi
 else
- new_cadir=$(puppet config print cadir)
- ssl_dir=$(puppet config print ssldir)
+ new_cadir=/etc/puppetlabs/puppetserver/ca
- if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then
+ if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
 # There is no existing CA
 # Append user-supplied DNS Alt Names
@@ -89,11 +87,13 @@ else
 # See puppet.conf file for relevant settings
 puppetserver ca setup \
- --ca-name "$ca_name"
+ --ca-name "$ca_name" \
+ --config /etc/puppetlabs/puppet/puppet.conf
- elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then
+ elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
 # Legacy CA upgrade
- puppetserver ca migrate
- fi
+ puppetserver ca migrate \
+ --config /etc/puppetlabs/puppet/puppet.conf
+ fi
 fi
 fi
diff --git a/openvoxserver/container-entrypoint.d/99-log-config.sh b/openvoxserver/container-entrypoint.d/99-log-config.sh
index 8c58677..0b60df8 100755
--- a/openvoxserver/container-entrypoint.d/99-log-config.sh
+++ b/openvoxserver/container-entrypoint.d/99-log-config.sh
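Review bot: `puppetserver ca setup` and `puppetserver ca migrate` now receive `--config /etc/puppetlabs/puppet/puppet.conf`, but the `puppetserver ca import \` call in the preceding hunk of the same script does not; if the explicit config is what makes setup and migrate resolve the intended cadir, import presumably needs the same flag, and if it is not needed the two added lines are redundant. Whichever it is, a one-line comment above the setup call saying why the config path is passed explicitly would stop the next reader from guessing, and if it is required, add `--config /etc/puppetlabs/puppet/puppet.conf` to the import invocation as well. Both hunks sit inside `else` branches that begin before the first hunk.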
@@ -8,20 +8,18 @@ echo "System configuration values:"
 echo "* HOSTNAME: '${HOSTNAME}'"
 echo "* hostname -f: '$(hostname -f)'"
-ssl_dir=$(puppet config print ssldir)
-
 if [ -n "${CERTNAME}" ]; then
 echo "* CERTNAME: '${CERTNAME}'"
 certname=${CERTNAME}.pem
 else
 echo "* CERTNAME: unset, try to use the oldest certificate in the certs directory, because this might be the one that was used initially."
- if [ ! -d "${ssl_dir}/certs" ]; then
+ if [ ! -d "${SSLDIR}/certs" ]; then
 certname="Not-Found"
- echo "WARNING: No certificates directory found in ${ssl_dir}!"
+ echo "WARNING: No certificates directory found in ${SSLDIR}!"
 else
- certname=$(cd "${ssl_dir}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
+ certname=$(cd "${SSLDIR}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
 if [ -z "${certname}" ]; then
- echo "WARNING: No certificates found in ${ssl_dir}/certs! Please set CERTNAME!"
+ echo "WARNING: No certificates found in ${SSLDIR}/certs! Please set CERTNAME!"
 fi
 fi
 fi
@@ -29,22 +27,22 @@ fi
 echo "* OPENVOXSERVER_PORT: '${OPENVOXSERVER_PORT:-8140}'"
 echo "* Certname: '${certname}'"
 echo "* DNS_ALT_NAMES: '${DNS_ALT_NAMES}'"
-echo "* SSLDIR: '${ssl_dir}'"
+echo "* SSLDIR: '${SSLDIR}'"
 altnames="-certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux"
-if [ -f "${ssl_dir}/certs/ca.pem" ]; then
+if [ -f "${SSLDIR}/certs/ca.pem" ]; then
 echo "CA Certificate:"
 # shellcheck disable=SC2086 # $altnames shouldn't be quoted
- openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/ca.pem" $altnames
+ openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/ca.pem" $altnames
 fi
 if [ -n "${certname}" ]; then
- if [ -f "${ssl_dir}/certs/${certname}" ]; then
+ if [ -f "${SSLDIR}/certs/${certname}" ]; then
 echo "Certificate ${certname}:"
 # shellcheck disable=SC2086 # $altnames shouldn't be quoted
- openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/${certname}" $altnames
+ openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/${certname}" $altnames
 else
- echo "WARNING: Certificate ${certname} not found in ${ssl_dir}/certs!"
+ echo "WARNING: Certificate ${certname} not found in ${SSLDIR}/certs!"
 fi
 fi
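Review bot: `$altnames` is still an unquoted word-split string in both rewritten `openssl x509` lines, which is why each carries a `# shellcheck disable=SC2086`; since the lines are being touched for `${SSLDIR}` anyway, this is the moment to fix it. If the script is bash like its siblings, store the options in an array, `altnames=(-certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux)`, and expand with `"${altnames[@]}"`; that passes the same two arguments and removes both disable comments. Also, when `certname` came from the `Not-Found` fallback in the earlier hunk the `-n` test passes and the script prints the misleading `WARNING: Certificate Not-Found not found in .../certs!`; checking for that sentinel first keeps the output honest.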