RubyGems - puppetserver-ca - Versions diffs - 1.7.0 → 2.0.1 - Mend

puppetserver-ca 1.7.0 → 2.0.1

Files changed (19) hide show

checksums.yaml +4 -4
data/README.md +20 -2
data/lib/puppetserver/ca/action/clean.rb +1 -1
data/lib/puppetserver/ca/action/enable.rb +1 -1
data/lib/puppetserver/ca/action/generate.rb +2 -30
data/lib/puppetserver/ca/action/import.rb +4 -1
data/lib/puppetserver/ca/action/list.rb +1 -1
data/lib/puppetserver/ca/action/migrate.rb +96 -0
data/lib/puppetserver/ca/action/revoke.rb +1 -1
data/lib/puppetserver/ca/action/setup.rb +4 -1
data/lib/puppetserver/ca/action/sign.rb +1 -1
data/lib/puppetserver/ca/cli.rb +2 -0
data/lib/puppetserver/ca/config/puppet.rb +50 -18
data/lib/puppetserver/ca/utils/config.rb +36 -0
data/lib/puppetserver/ca/utils/file_system.rb +13 -0
data/lib/puppetserver/ca/utils/http_client.rb +30 -0
data/lib/puppetserver/ca/version.rb +1 -1
data/puppetserver-ca.gemspec +2 -2
metadata +10 -9

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c28c8d7be542d749738c32b848b4bb318498a949fb52e4bf6d44a5da878583a7
-  data.tar.gz: c6e09079aa3463da55cc0c185c7bddad22ff1967cd57c0d687dc000072748749
+  metadata.gz: 33d0c2bbf4e4efae9ed5ee88619f47bfbd850b24b0e7fff02bf7e6a106d40d18
+  data.tar.gz: 70542df4956703b70b73ab3aa8e5cb4ef8c007925fb47dc1e2197d762e1a3269
 SHA512:
-  metadata.gz: 46f81f6b946a37380c520c9611aaf4ba89155fcdaa6eefa1500cece3a57c946498ce959862e99645cc9dfcbedd8667157abf0b03fcfb37068ce27c9819b3088a
-  data.tar.gz: 1e37edeee98389efa59e82f2d041337ca4ba72e9a82b2fdf053e40d0f02139454d0e8d547f070dfcde9a639aba19181cbd464f61e29351a4bee30cf2aff4f37a
+  metadata.gz: 399ef8c2fecd89f42db48d848685f61ac9efaffa1039a8e726b4c1b60dda3d82c996c4fff2cec8d315a35bcf5643a46233ae0647a5f79e2f730055e41b404e6f
+  data.tar.gz: 342d56b051591b0fbf2211e3f75dd7249ff934f087f1ad2b0005cbdc4dbb0d5d6228e22b248ab22d9a4bb90dd21026daa0ac7fc363937652b5887fe971b29079

data/README.md CHANGED

@@ -73,8 +73,26 @@ interactive prompt that will allow you to experiment.
 To install this gem onto your local machine, run `bundle exec rake install`.
-To release a new version, update the version number in `version.rb`, and then
-speak with Release Engineering.
+### Testing
+To test your changes on a VM:
+1. Build the gem with your changes: `gem build puppetserver-ca.gemspec`
+1. Copy the gem to your VM: `scp puppetserver-ca-<version>.gem <your-vm>:.`
+1. Install puppetserver (FOSS) by installing the relevant release package and then installing the puppetserver package. For example:
+    ```
+    $ wget http://nightlies.puppet.com/yum/puppet-nightly-release-el-7.noarch.rpm
+    $ rpm -i puppet-nightly-release-el-7.noarch.rpm
+    $ yum update
+    $ yum install -y puppetserver
+    ```
+1. Restart your shell so that puppet's bin dir is on your $PATH: `exec bash`
+1. Install the gem into puppet's gem directory using puppet's gem command:
+    ```
+    $ /opt/puppetlabs/puppet/bin/gem install --install-dir "/opt/puppetlabs/puppet/lib/ruby/vendor_gems" puppetserver-ca-<version>.gem
+    ```
+1. To confirm that installation was successful, run `puppetserver ca --help`
+### Releasing
+To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
 ## Contributing & Support

data/lib/puppetserver/ca/action/clean.rb CHANGED

@@ -85,7 +85,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
           result = clean_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/enable.rb CHANGED

@@ -45,7 +45,7 @@ BANNER
           end
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load(logger: @logger)
           settings = puppet.settings
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)

data/lib/puppetserver/ca/action/generate.rb CHANGED

@@ -126,7 +126,7 @@ BANNER
           # Load, resolve, and validate puppet config settings
           settings_overrides = {}
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(cli_overrides: settings_overrides, logger: @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
           # We don't want generate to respect the alt names setting, since it is usually
@@ -140,7 +140,7 @@ BANNER
           # Generate and save certs and associated keys
           if input['ca-client']
             # Refused to generate certs offfline if the CA service is running
-            return 1 if check_server_online(puppet.settings)
+            return 1 if HttpClient.check_server_online(puppet.settings, @logger)
             all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
           else
             all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
@@ -148,34 +148,6 @@ BANNER
           return all_passed ? 0 : 1
         end
-        # Queries the simple status endpoint for the status of the CA service.
-        # Returns true if it receives back a response of "running", and false if
-        # no connection can be made, or a different response is received.
-        def check_server_online(settings)
-          status_url = HttpClient::URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
-          begin
-            # Generating certs offline is necessary if the master cert has been destroyed
-            # or compromised. Since querying the status endpoint does not require a client cert, and
-            # we commonly won't have one, don't require one for creating the connection.
-            HttpClient.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
-              result = conn.get
-              if result.body == "running"
-                @logger.err "CA service is running. Please stop it before attempting to generate certs offline."
-                true
-              else
-                false
-              end
-            end
-            true
-          rescue Puppetserver::Ca::ConnectionFailed => e
-            if e.wrapped.is_a? Errno::ECONNREFUSED
-              return false
-            else
-              raise e
-            end
-          end
-        end
         # Certs authorized to talk to the CA API need to be signed offline,
         # in order to securely add the special auth extension.
         def generate_authorized_certs(certnames, alt_names, settings, digest)

data/lib/puppetserver/ca/action/import.rb CHANGED

@@ -4,6 +4,7 @@ require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
 require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
 require 'puppetserver/ca/x509_loader'
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(cli_overrides: settings_overrides, logger: @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -130,6 +131,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
           return []
         end

data/lib/puppetserver/ca/action/list.rb CHANGED

@@ -68,7 +68,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
           filter_names = certnames.any? \

data/lib/puppetserver/ca/action/migrate.rb ADDED

@@ -0,0 +1,96 @@
+require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/utils/http_client'
+require 'puppetserver/ca/utils/config'
+module Puppetserver
+  module Ca
+    module Action
+      class Migrate
+        include Puppetserver::Ca::Utils
+        PUPPETSERVER_CA_DIR = Puppetserver::Ca::Utils::Config.new_default_cadir
+        SUMMARY = "Migrate the existing CA directory to #{PUPPETSERVER_CA_DIR}"
+        BANNER = <<-BANNER
+Usage:
+  puppetserver ca migrate [--help]
+  puppetserver ca migrate [--config PATH]
+Description:
+  Migrate an existing CA directory to #{PUPPETSERVER_CA_DIR}. This is for
+  upgrading from Puppet Platform 6.x to Puppet 7. Use the currently configured
+  puppet.conf file in your installation, or supply one using the `--config` flag.
+Options:
+BANNER
+        def initialize(logger)
+          @logger = logger
+        end
+        def run(input)
+          config_path = input['config']
+          puppet = Config::Puppet.new(config_path)
+          puppet.load(logger: @logger, ca_dir_warn: false)
+          return 1 if HttpClient.check_server_online(puppet.settings, @logger)
+          errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
+          if !errors.empty?
+            instructions = <<-ERR
+Migration will not overwrite the directory at #{PUPPETSERVER_CA_DIR}. Have you already
+run this migration tool? Is this a puppet 7 installation? It is likely that you have
+already successfully run the migration or do not need to run it.
+ERR
+            errors << instructions
+            Errors.handle_with_usage(@logger, errors)
+            return 1
+          end
+          current_cadir = puppet.settings[:cadir]
+          if FileSystem.check_for_existing_files(current_cadir).empty?
+            error_message = <<-ERR
+No CA dir found at #{current_cadir}. Please check the configured cadir setting in your
+puppet.conf file and verify its contents.
+ERR
+            Errors.handle_with_usage(@logger, [error_message])
+            return 1
+          end
+          migrate(current_cadir)
+          @logger.inform <<-SUCCESS_MESSAGE
+CA dir successfully migrated to #{PUPPETSERVER_CA_DIR}. Symlink placed at #{current_cadir}
+for backwards compatibility. The puppetserver can be safely restarted now.
+SUCCESS_MESSAGE
+          return 0
+        end
+        def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
+          FileUtils.mv(old_cadir, new_cadir)
+          FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
+        def parse(args)
+          results = {}
+          parser = self.class.parser(results)
+          errors = CliParsing.parse_with_errors(parser, args)
+          errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
+          exit_code = errors_were_handled ? 1 : nil
+          return results, exit_code
+        end
+        def self.parser(parsed = {})
+          OptionParser.new do |opts|
+            opts.banner = BANNER
+            opts.on('--help', 'Display this command-specific help output') do |help|
+              parsed['help'] = true
+            end
+            opts.on('--config CONF', 'Path to puppet.conf') do |conf|
+              parsed['config'] = conf
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/puppetserver/ca/action/revoke.rb CHANGED

@@ -83,7 +83,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
           result =  revoke_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/setup.rb CHANGED

@@ -3,6 +3,7 @@ require 'optparse'
 require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(cli_overrides: settings_overrides, logger: @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -135,6 +136,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
           return []
         end

data/lib/puppetserver/ca/action/sign.rb CHANGED

@@ -62,7 +62,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
           ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)

data/lib/puppetserver/ca/cli.rb CHANGED

@@ -8,6 +8,7 @@ require 'puppetserver/ca/action/list'
 require 'puppetserver/ca/action/revoke'
 require 'puppetserver/ca/action/setup'
 require 'puppetserver/ca/action/sign'
+require 'puppetserver/ca/action/migrate'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/logger'
 require 'puppetserver/ca/utils/cli_parsing'
@@ -28,6 +29,7 @@ BANNER
         'import'   => Action::Import,
         'setup'    => Action::Setup,
         'enable' => Action::Enable,
+        'migrate' => Action::Migrate,
       }
       MAINT_ACTIONS = {

data/lib/puppetserver/ca/config/puppet.rb CHANGED

@@ -23,9 +23,9 @@ module Puppetserver
         # A regex describing valid formats with groups for capturing the value and units
         TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
-        def self.parse(config_path)
+        def self.parse(config_path, logger)
           instance = new(config_path)
-          instance.load
+          instance.load(logger: logger)
           return instance
         end
@@ -34,7 +34,7 @@ module Puppetserver
         def initialize(supplied_config_path = nil)
           @using_default_location = !supplied_config_path
-          @config_path = supplied_config_path || user_specific_conf_file
+          @config_path = supplied_config_path || user_specific_puppet_config
           @settings = nil
           @errors = []
@@ -46,33 +46,31 @@ module Puppetserver
         # on Windows are unsupported.
         # Note that Puppet Server runs as the [pe-]puppet user but to
         # start/stop it you must be root.
-        def user_specific_conf_dir
-          @user_specific_conf_dir ||=
-            if Puppetserver::Ca::Utils::Config.running_as_root?
-              '/etc/puppetlabs/puppet'
-            else
-              "#{ENV['HOME']}/.puppetlabs/etc/puppet"
-            end
+        def user_specific_puppet_confdir
+          @user_specific_puppet_confdir ||= Puppetserver::Ca::Utils::Config.puppet_confdir
         end
-        def user_specific_conf_file
-          user_specific_conf_dir + '/puppet.conf'
+        def user_specific_puppet_config
+          user_specific_puppet_confdir + '/puppet.conf'
         end
-        def load(cli_overrides = {})
+        def load(cli_overrides: {}, logger:, ca_dir_warn: true)
           if explicitly_given_config_file_or_default_config_exists?
             results = parse_text(File.read(@config_path))
           end
           results ||= {}
           results[:main] ||= {}
+          # The [master] config section is deprecated
+          # We now favor [server], but support both for backwards compatibility
           results[:master] ||= {}
+          results[:server] ||= {}
           results[:agent] ||= {}
-          overrides = results[:agent].merge(results[:main]).merge(results[:master])
+          overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
           overrides.merge!(cli_overrides)
-          @settings = resolve_settings(overrides).freeze
+          @settings = resolve_settings(overrides, logger, ca_dir_warn: ca_dir_warn).freeze
         end
         def default_certname
@@ -89,7 +87,7 @@ module Puppetserver
         # Resolve settings from default values, with any overrides for the
         # specific settings or their dependent settings (ssldir, cadir) taken into account.
-        def resolve_settings(overrides = {})
+        def resolve_settings(overrides = {}, logger, ca_dir_warn: true)
           unresolved_setting = /\$[a-z_]+/
           # Returning the key for unknown keys (rather than nil) is required to
@@ -101,9 +99,8 @@ module Puppetserver
           # These need to be evaluated before we can construct their dependent
           # defaults below
           base_defaults = [
-            [:confdir, user_specific_conf_dir],
+            [:confdir, user_specific_puppet_confdir],
             [:ssldir,'$confdir/ssl'],
-            [:cadir, '$ssldir/ca'],
             [:certdir, '$ssldir/certs'],
             [:certname, default_certname],
             [:server, 'puppet'],
@@ -148,6 +145,14 @@ module Puppetserver
             settings[setting_name] = substitutions[substitution_name] = subbed_value
           end
+          cadir = find_cadir(overrides.fetch(:cadir, false),
+                             settings[:confdir],
+                             settings[:ssldir],
+                             logger,
+                             ca_dir_warn)
+          settings[:cadir] = substitutions['$cadir'] = cadir
           dependent_defaults.each do |setting_name, default_value|
             setting_value = overrides.fetch(setting_name, default_value)
             settings[setting_name] = setting_value
@@ -210,6 +215,33 @@ module Puppetserver
        private
+        def find_cadir(configured_cadir, confdir, ssldir, logger, ca_dir_warn)
+          warning = 'The cadir is currently configured to be inside the ' +
+            '%{ssldir} directory. This config setting and the directory ' +
+            'location will not be used in a future version of puppet. ' +
+            'Please run the puppetserver ca tool to migrate out from the ' +
+            'puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. ' +
+            'Use `puppetserver ca migrate --help` for more info.'
+          if configured_cadir
+            if ca_dir_warn && configured_cadir.start_with?(ssldir)
+              logger.warn(warning % {ssldir: ssldir})
+            end
+            configured_cadir
+          else
+            old_cadir = Puppetserver::Ca::Utils::Config.old_default_cadir(confdir)
+            new_cadir = Puppetserver::Ca::Utils::Config.new_default_cadir(confdir)
+            if File.exist?(old_cadir) && !File.symlink?(old_cadir)
+              logger.warn(warning % {ssldir: ssldir}) if ca_dir_warn
+              old_cadir
+            else
+              new_cadir
+            end
+          end
+        end
         def explicitly_given_config_file_or_default_config_exists?
           !@using_default_location || File.exist?(@config_path)
         end

data/lib/puppetserver/ca/utils/config.rb CHANGED

@@ -1,3 +1,5 @@
+require 'puppetserver/ca/utils/file_system'
 module Puppetserver
   module Ca
     module Utils
@@ -19,6 +21,40 @@ module Puppetserver
           end.sort.uniq.join(", ")
         end
+        def self.puppet_confdir
+          if running_as_root?
+            '/etc/puppetlabs/puppet'
+          else
+            "#{ENV['HOME']}/.puppetlabs/etc/puppet"
+          end
+        end
+        def self.puppetserver_confdir(puppet_confdir)
+          File.join(File.dirname(puppet_confdir), 'puppetserver')
+        end
+        def self.default_ssldir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl')
+        end
+        def self.old_default_cadir(confdir = puppet_confdir)
+          File.join(confdir, 'ssl', 'ca')
+        end
+        def self.new_default_cadir(confdir = puppet_confdir)
+          File.join(puppetserver_confdir(confdir), 'ca')
+        end
+        def self.symlink_to_old_cadir(current_cadir, puppet_confdir)
+          old_cadir = old_default_cadir(puppet_confdir)
+          new_cadir = new_default_cadir(puppet_confdir)
+          return if current_cadir != new_cadir
+          # This is only run on setup/import, so there should be no files in the
+          # old cadir, so it should be safe to forcibly remove it (which we need
+          # to do in order to create a symlink).
+          Puppetserver::Ca::Utils::FileSystem.forcibly_symlink(new_cadir, old_cadir)
+        end
       end
     end
   end

data/lib/puppetserver/ca/utils/file_system.rb CHANGED

@@ -50,6 +50,19 @@ module Puppetserver
           errors
         end
+        def self.forcibly_symlink(source, link_target)
+          FileUtils.remove_dir(link_target, true)
+          FileUtils.symlink(source, link_target)
+          # Ensure the symlink has the same ownership as the source.
+          # This requires using `FileUtils.chown` rather than `File.chown`, as
+          # the latter will update the ownership of the source rather than the
+          # link itself.
+          # Symlink permissions are ignored in favor of the source's permissions,
+          # so we don't have to change those.
+          source_info = File.stat(source)
+          FileUtils.chown(source_info.uid, source_info.gid, link_target)
+        end
         def initialize
           @user, @group = find_user_and_group
         end

data/lib/puppetserver/ca/utils/http_client.rb CHANGED

@@ -159,6 +159,36 @@ module Puppetserver
           store
         end
+        # Queries the simple status endpoint for the status of the CA service.
+        # Returns true if it receives back a response of "running", and false if
+        # no connection can be made, or a different response is received.
+        def self.check_server_online(settings, logger)
+          status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
+          begin
+            # Generating certs offline is necessary if the master cert has been destroyed
+            # or compromised. Since querying the status endpoint does not require a client cert, and
+            # we commonly won't have one, don't require one for creating the connection.
+            # Additionally, we want to ensure the server is stopped before migrating the CA dir to
+            # avoid issues with writing to the CA dir and moving it.
+            self.new(settings, with_client_cert: false).with_connection(status_url) do |conn|
+              result = conn.get
+              if result.body == "running"
+                logger.err "Puppetserver service is running. Please stop it before attempting to run this command."
+                true
+              else
+                false
+              end
+            end
+          rescue Puppetserver::Ca::ConnectionFailed => e
+            if e.wrapped.is_a? Errno::ECONNREFUSED
+              return false
+            else
+              raise e
+            end
+          end
+        end
       end
     end
   end

data/lib/puppetserver/ca/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.7.0"
+    VERSION = "2.0.1"
   end
 end

data/puppetserver-ca.gemspec CHANGED

@@ -20,9 +20,9 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]
+  spec.add_runtime_dependency "facter", [">= 2.0.1", "< 5"]
   spec.add_development_dependency "bundler", ">= 1.16"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", ">= 12.3.3"
   spec.add_development_dependency "rspec", "~> 3.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-04-08 00:00:00.000000000 Z
+date: 2020-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -19,7 +19,7 @@ dependencies:
         version: 2.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 2.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -48,16 +48,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -99,6 +99,7 @@ files:
 - lib/puppetserver/ca/action/generate.rb
 - lib/puppetserver/ca/action/import.rb
 - lib/puppetserver/ca/action/list.rb
+- lib/puppetserver/ca/action/migrate.rb
 - lib/puppetserver/ca/action/revoke.rb
 - lib/puppetserver/ca/action/setup.rb
 - lib/puppetserver/ca/action/sign.rb
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
 summary: A simple CLI tool for interacting with Puppet Server's Certificate Authority