diff --git a/manifests/server.pp b/manifests/server.pp
index e260ec9..d601114 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,475 +1,475 @@
# == Class: puppet::server
#
# Sets up a puppet master.
#
# == puppet::server parameters
#
# $autosign:: If set to a boolean, autosign is enabled or disabled
# for all incoming requests. Otherwise this has to be
# set to the full file path of an autosign.conf file or
# an autosign script. If this is set to a script, make
# sure that script considers the content of autosign.conf
# as otherwise Foreman functionality might be broken.
#
# $autosign_entries:: A list of certnames or domain name globs
# whose certificate requests will automatically be signed.
# Defaults to an empty Array.
#
# $autosign_mode:: mode of the autosign file/script
#
# $autosign_content:: If set, write the autosign file content
# using the value of this parameter.
# Cannot be used at the same time as autosign_entries
# For example, could be a string, or
# file('another_module/autosign.sh') or
# template('another_module/autosign.sh.erb')
#
# $autosign_source:: If set, use this as the source for the autosign file,
# instead of autosign_content.
#
# $hiera_config:: The hiera configuration file.
#
# $user:: Name of the puppetmaster user.
#
# $group:: Name of the puppetmaster group.
#
# $dir:: Puppet configuration directory
#
# $ip:: Bind ip address of the puppetmaster
#
# $port:: Puppet master port
#
# $ca:: Provide puppet CA
#
# $ca_crl_filepath:: Path to ca_crl file
#
# $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to
# be agents of the CA master (MOM) defaults to false
#
# $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults
# to false
#
# $http:: Should the puppet master listen on HTTP as well as HTTPS.
# Useful for load balancer or reverse proxy scenarios. Note that
# the HTTP puppet master denies access from all clients by default,
# allowed clients must be specified with $http_allow.
#
# $http_port:: Puppet master HTTP port; defaults to 8139.
#
# $http_allow:: Array of allowed clients for the HTTP puppet master. Passed
# to Apache's 'Allow' directive.
#
# $reports:: List of report types to include on the puppetmaster
#
# $implementation:: Puppet master implementation, either "master" (traditional
# Ruby) or "puppetserver" (JVM-based)
#
# $passenger:: If set to true, we will configure apache with
# passenger. If set to false, we will enable the
# default puppetmaster service unless
# service_fallback is set to false. See 'Advanced
# server parameters' for more information.
# Only applicable when server_implementation is "master".
#
# $external_nodes:: External nodes classifier executable
#
# $git_repo:: Use git repository as a source of modules
#
# $dynamic_environments:: Use $environment in the modulepath
# Deprecated when $directory_environments is true,
# set $environments to [] instead.
#
# $directory_environments:: Enable directory environments, defaulting to true
# with Puppet 3.6.0 or higher
#
# $environments:: Environments to setup (creates directories).
# Applies only when $dynamic_environments
# is false
#
# $environments_owner:: The owner of the environments directory
#
# $environments_group:: The group owning the environments directory
#
# $environments_mode:: Environments directory mode.
#
# $envs_dir:: Directory that holds puppet environments
#
# $envs_target:: Indicates that $envs_dir should be
# a symbolic link to this target
#
# $common_modules_path:: Common modules paths (only when
# $git_repo_path and $dynamic_environments
# are false)
#
# $git_repo_path:: Git repository path
#
# $git_repo_mode:: Git repository mode
#
# $git_repo_group:: Git repository group
#
# $git_repo_user:: Git repository user
#
# $git_branch_map:: Git branch to puppet env mapping for the
# default post receive hook
#
# $post_hook_content:: Which template to use for git post hook
#
# $post_hook_name:: Name of a git hook
#
# $storeconfigs_backend:: Do you use storeconfigs? (note: not required)
# false if you don't, "active_record" for 2.X
# style db, "puppetdb" for puppetdb
#
# $app_root:: Directory where the application lives
#
# $ssl_dir:: SSL directory
#
# $package:: Custom package name for puppet master
#
# $version:: Custom package version for puppet master
#
# $certname:: The name to use when handling certificates.
#
# $strict_variables:: if set to true, it will throw parse errors
# when accessing undeclared variables.
#
# $additional_settings:: A hash of additional settings.
# Example: {trusted_node_data => true, ordering => 'manifest'}
#
# $rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and
# --vardir. The default is an empty array.
#
# $puppetdb_host:: PuppetDB host
#
# $puppetdb_port:: PuppetDB port
#
# $puppetdb_swf:: PuppetDB soft_write_failure
#
# $parser:: Sets the parser to use. Valid options are 'current' or 'future'.
# Defaults to 'current'.
#
# === Advanced server parameters:
#
# $httpd_service:: Apache/httpd service name to notify
# on configuration changes. Defaults
# to 'httpd' based on the default
# apache module included with foreman-installer.
#
# $service_fallback:: If passenger is not used, do we want to fallback
# to using the puppetmaster service? Set to false
# if you disabled passenger and you do NOT want to
# use the puppetmaster service. Defaults to true.
#
# $passenger_min_instances:: The PassengerMinInstances parameter. Sets the
# minimum number of application processes to run.
# Defaults to the number of processors on your
# system.
#
# $passenger_pre_start:: Pre-start the first passenger worker instance
# process during httpd start.
#
# $passenger_ruby:: The PassengerRuby parameter. Sets the Ruby
# interpreter for serving the puppetmaster rack
# application.
#
# $config_version:: How to determine the configuration version. When
# using git_repo, by default a git describe
# approach will be installed.
#
# $server_foreman_facts:: Should foreman receive facts from puppet
#
# $foreman:: Should foreman integration be installed
#
# $foreman_url:: Foreman URL
#
# $foreman_ssl_ca:: SSL CA of the Foreman server
#
# $foreman_ssl_cert:: Client certificate for authenticating against Foreman server
#
# $foreman_ssl_key:: Key for authenticating against Foreman server
#
# $puppet_basedir:: Where is the puppet code base located
#
# $enc_api:: What version of enc script to deploy. Valid
# values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
#
# $report_api:: What version of report processor to deploy.
# Valid values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
#
# $request_timeout:: Timeout in node.rb script for fetching
# catalog from Foreman (in seconds).
#
# $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...)
#
# $ca_proxy:: The actual server that handles puppet CA.
# Setting this to anything non-empty causes
# the apache vhost to set up a proxy for all
# certificates pointing to the value.
#
# $jvm_java_bin:: Set the default java to use.
#
# $jvm_config:: Specify the puppetserver jvm configuration file.
#
# $jvm_min_heap_size:: Specify the minimum jvm heap space.
#
# $jvm_max_heap_size:: Specify the maximum jvm heap space.
#
# $jvm_extra_args:: Additional java options to pass through.
# This can be used for Java versions prior to
# Java 8 to specify the max perm space to use:
# For example: '-XX:MaxPermSize=128m'.
#
# $jvm_cli_args:: Java options to use when using puppetserver
# subcommands (eg puppetserver gem).
#
# $jruby_gem_home:: Where jruby gems are located for puppetserver
#
# $allow_any_crl_auth:: Allow any authentication for the CRL. This
# is needed on the puppet CA to accept clients
# from a the puppet CA proxy.
#
# $auth_allowed:: An array of authenticated nodes allowed to
# access all catalog and node endpoints.
# default to ['$1']
#
# $default_manifest:: Toggle if default_manifest setting should
# be added to the [main] section
#
# $default_manifest_path:: A string setting the path to the default_manifest
#
# $default_manifest_content:: A string to set the content of the default_manifest
# If set to '' it will not manage the file
#
# $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master]
# configuration section. This is necessary to
# disable in case CA is delegated to a separate instance
#
# $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem"
# should be created with default user and group. This is used in
# the default Forman setup to reuse the key for TLS communication.
#
# $puppetserver_vardir:: The path of the puppetserver var dir
#
# $puppetserver_dir:: The path of the puppetserver config dir
#
# $puppetserver_version:: The version of puppetserver 2 installed (or being installed)
# Unfortunately, different versions of puppetserver need configuring differently,
# and there's no easy way of determining which version is being installed.
# Defaults to '2.3.1' but can be overriden if you're installing an older version.
#
# $max_active_instances:: Max number of active jruby instances. Defaults to
# processor count
#
# $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled)
#
# $idle_timeout:: How long the server will wait for a response on an existing connection
#
# $connect_timeout:: How long the server will wait for a response to a connection attempt
#
# $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed.
# Defaults to the Jetty default of 30s
#
# $ssl_protocols:: Array of SSL protocols to use.
# Defaults to [ 'TLSv1.2' ]
#
# $ssl_chain_filepath:: Path to certificate chain for puppetserver
# Defaults to "${ssl_dir}/ca/ca_crt.pem"
#
# $cipher_suites:: List of SSL ciphers to use in negotiation
# Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA',
# 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
#
# $ruby_load_paths:: List of ruby paths
# Defaults based on $::puppetversion
#
# $ca_client_whitelist:: The whitelist of client certificates that
# can query the certificate-status endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
#
# $admin_api_whitelist:: The whitelist of clients that
# can query the puppet-admin-api endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
#
# $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api
# Defaults to true
#
# $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf?
# Defaults to false (the puppetserver will use its own conf.d/auth.conf)
#
# $allow_header_cert_info:: Allow client authentication over HTTP Headers
# Defaults to false, is also activated by the $http setting
#
# $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false
#
# $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling?
# Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x
#
# $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true
#
class puppet::server(
Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign,
Array[String] $autosign_entries = $::puppet::autosign_entries,
Pattern[/^[0-9]{3,4}$/] $autosign_mode = $::puppet::autosign_mode,
Optional[String] $autosign_content = $::puppet::autosign_content,
Optional[String] $autosign_source = $::puppet::autosign_source,
String $hiera_config = $::puppet::hiera_config,
Array[String] $admin_api_whitelist = $::puppet::server_admin_api_whitelist,
String $user = $::puppet::server_user,
String $group = $::puppet::server_group,
String $dir = $::puppet::server_dir,
Stdlib::Absolutepath $codedir = $::puppet::codedir,
Integer $port = $::puppet::server_port,
String $ip = $::puppet::server_ip,
Boolean $ca = $::puppet::server_ca,
Optional[String] $ca_crl_filepath = $::puppet::ca_crl_filepath,
Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync,
Optional[Boolean] $crl_enable = $::puppet::server_crl_enable,
Boolean $ca_auth_required = $::puppet::server_ca_auth_required,
Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist,
Boolean $http = $::puppet::server_http,
Integer $http_port = $::puppet::server_http_port,
Array[String] $http_allow = $::puppet::server_http_allow,
String $reports = $::puppet::server_reports,
Enum['master', 'puppetserver'] $implementation = $::puppet::server_implementation,
Boolean $passenger = $::puppet::server_passenger,
Stdlib::Absolutepath $puppetserver_vardir = $::puppet::server_puppetserver_vardir,
Optional[Stdlib::Absolutepath] $puppetserver_rundir = $::puppet::server_puppetserver_rundir,
Optional[Stdlib::Absolutepath] $puppetserver_logdir = $::puppet::server_puppetserver_logdir,
Stdlib::Absolutepath $puppetserver_dir = $::puppet::server_puppetserver_dir,
Pattern[/^[\d]\.[\d]+\.[\d]+$/] $puppetserver_version = $::puppet::server_puppetserver_version,
Boolean $service_fallback = $::puppet::server_service_fallback,
Integer[0] $passenger_min_instances = $::puppet::server_passenger_min_instances,
Boolean $passenger_pre_start = $::puppet::server_passenger_pre_start,
Optional[String] $passenger_ruby = $::puppet::server_passenger_ruby,
String $httpd_service = $::puppet::server_httpd_service,
Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $::puppet::server_external_nodes,
Array[String] $cipher_suites = $::puppet::server_cipher_suites,
Optional[String] $config_version = $::puppet::server_config_version,
Integer[0] $connect_timeout = $::puppet::server_connect_timeout,
Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout,
Boolean $git_repo = $::puppet::server_git_repo,
Boolean $dynamic_environments = $::puppet::server_dynamic_environments,
Boolean $directory_environments = $::puppet::server_directory_environments,
Boolean $default_manifest = $::puppet::server_default_manifest,
Stdlib::Absolutepath $default_manifest_path = $::puppet::server_default_manifest_path,
String $default_manifest_content = $::puppet::server_default_manifest_content,
Array[String] $environments = $::puppet::server_environments,
String $environments_owner = $::puppet::server_environments_owner,
Optional[String] $environments_group = $::puppet::server_environments_group,
Pattern[/^[0-9]{3,4}$/] $environments_mode = $::puppet::server_environments_mode,
Stdlib::Absolutepath $envs_dir = $::puppet::server_envs_dir,
Optional[Stdlib::Absolutepath] $envs_target = $::puppet::server_envs_target,
Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $::puppet::server_common_modules_path,
Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $::puppet::server_git_repo_mode,
Stdlib::Absolutepath $git_repo_path = $::puppet::server_git_repo_path,
String $git_repo_group = $::puppet::server_git_repo_group,
String $git_repo_user = $::puppet::server_git_repo_user,
Hash[String, String] $git_branch_map = $::puppet::server_git_branch_map,
Integer[0] $idle_timeout = $::puppet::server_idle_timeout,
String $post_hook_content = $::puppet::server_post_hook_content,
String $post_hook_name = $::puppet::server_post_hook_name,
Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $storeconfigs_backend = $::puppet::server_storeconfigs_backend,
Stdlib::Absolutepath $app_root = $::puppet::server_app_root,
Array[Stdlib::Absolutepath] $ruby_load_paths = $::puppet::server_ruby_load_paths,
Stdlib::Absolutepath $ssl_dir = $::puppet::server_ssl_dir,
Boolean $ssl_dir_manage = $::puppet::server_ssl_dir_manage,
Boolean $ssl_key_manage = $::puppet::server_ssl_key_manage,
Array[String] $ssl_protocols = $::puppet::server_ssl_protocols,
Optional[Stdlib::Absolutepath] $ssl_chain_filepath = $::puppet::server_ssl_chain_filepath,
Optional[Variant[String, Array[String]]] $package = $::puppet::server_package,
Optional[String] $version = $::puppet::server_version,
String $certname = $::puppet::server_certname,
Enum['v2', 'v1'] $enc_api = $::puppet::server_enc_api,
Enum['v2', 'v1'] $report_api = $::puppet::server_report_api,
Integer[0] $request_timeout = $::puppet::server_request_timeout,
Optional[String] $ca_proxy = $::puppet::server_ca_proxy,
Boolean $strict_variables = $::puppet::server_strict_variables,
Hash[String, Data] $additional_settings = $::puppet::server_additional_settings,
Array[String] $rack_arguments = $::puppet::server_rack_arguments,
Boolean $foreman = $::puppet::server_foreman,
Stdlib::HTTPUrl $foreman_url = $::puppet::server_foreman_url,
Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca,
Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $::puppet::server_foreman_ssl_cert,
Optional[Stdlib::Absolutepath] $foreman_ssl_key = $::puppet::server_foreman_ssl_key,
Boolean $server_foreman_facts = $::puppet::server_foreman_facts,
Optional[Stdlib::Absolutepath] $puppet_basedir = $::puppet::server_puppet_basedir,
Optional[String] $puppetdb_host = $::puppet::server_puppetdb_host,
Integer[0, 65535] $puppetdb_port = $::puppet::server_puppetdb_port,
Boolean $puppetdb_swf = $::puppet::server_puppetdb_swf,
Enum['current', 'future'] $parser = $::puppet::server_parser,
Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $::puppet::server_environment_timeout,
String $jvm_java_bin = $::puppet::server_jvm_java_bin,
String $jvm_config = $::puppet::server_jvm_config,
Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $::puppet::server_jvm_min_heap_size,
Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $::puppet::server_jvm_max_heap_size,
String $jvm_extra_args = $::puppet::server_jvm_extra_args,
Optional[String] $jvm_cli_args = $::puppet::server_jvm_cli_args,
Optional[Stdlib::Absolutepath] $jruby_gem_home = $::puppet::server_jruby_gem_home,
Integer[1] $max_active_instances = $::puppet::server_max_active_instances,
Integer[0] $max_requests_per_instance = $::puppet::server_max_requests_per_instance,
Boolean $use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf,
Boolean $check_for_updates = $::puppet::server_check_for_updates,
Boolean $environment_class_cache_enabled = $::puppet::server_environment_class_cache_enabled,
Boolean $allow_header_cert_info = $::puppet::server_allow_header_cert_info,
Boolean $puppetserver_jruby9k = $::puppet::server_puppetserver_jruby9k,
Boolean $puppetserver_metrics = $::puppet::server_puppetserver_metrics,
Boolean $puppetserver_experimental = $::puppet::server_puppetserver_experimental,
) {
if $implementation == 'master' and $ip != $puppet::params::ip {
notify {
'ip_not_supported':
message => "Bind IP address is unsupported for the ${implementation} implementation.",
loglevel => 'warning',
}
}
if $ca {
- $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem"
- $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem"
- $ssl_chain = $ssl_chain_filepath
- $_crl_enable = pick($crl_enable, true)
+ $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem"
+ $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem"
+ $ssl_chain = $ssl_chain_filepath
+ $crl_enable_real = pick($crl_enable, true)
} else {
- $ssl_ca_cert = "${ssl_dir}/certs/ca.pem"
- $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem")
- $ssl_chain = false
- $_crl_enable = pick($crl_enable, false)
+ $ssl_ca_cert = "${ssl_dir}/certs/ca.pem"
+ $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem")
+ $ssl_chain = false
+ $crl_enable_real = pick($crl_enable, false)
}
$ssl_cert = "${ssl_dir}/certs/${certname}.pem"
$ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem"
if $config_version == undef {
if $git_repo {
$config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long"
} else {
$config_version_cmd = undef
}
} else {
$config_version_cmd = $config_version
}
if $implementation == 'master' {
$pm_service = !$passenger and $service_fallback
$ps_service = undef
$rack_service = $passenger
} elsif $implementation == 'puppetserver' {
$pm_service = undef
$ps_service = true
$rack_service = false
}
class { '::puppet::server::install': }
~> class { '::puppet::server::config': }
~> class { '::puppet::server::service':
app_root => $app_root,
httpd_service => $httpd_service,
puppetmaster => $pm_service,
puppetserver => $ps_service,
rack => $rack_service,
}
-> Class['puppet::server']
Class['puppet::config'] ~> Class['puppet::server::service']
}
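Review bot: `$crl_enable_real`, set in the `if $ca` / `else` block, is undocumented, although it is now the resolved value that other classes read in place of `$crl_enable`. A short comment above the block would help, noting that it falls back to `true` on a CA and to `false` otherwise, so on a non-CA server CRL processing is enabled only when `$crl_enable` is set explicitly. Because the old name `$_crl_enable` no longer exists after this change, any template or manifest that still references it needs the same rename in this patch.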
diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
index d9a6f4d..3c6153a 100644
--- a/manifests/server/puppetserver.pp
+++ b/manifests/server/puppetserver.pp
@@ -1,275 +1,284 @@
# == Class: puppet::server::puppetserver
#
# Configures the puppetserver jvm configuration file using augeas.
#
# === Parameters:
#
# * `java_bin`
# Path to the java executable to use
#
# * `config`
# Path to the jvm configuration file.
# This file is usually either /etc/default/puppetserver or
# /etc/sysconfig/puppetserver depending on your *nix flavor.
#
# * `jvm_min_heap_size`
# Translates into the -Xms option and is added to the JAVA_ARGS
#
# * `jvm_max_heap_size`
# Translates into the -Xmx option and is added to the JAVA_ARGS
#
# * `jvm_extra_args`
# Custom options to pass through to the java binary. These get added to
# the end of the JAVA_ARGS variable
#
# * `jvm_cli_args`
# Custom options to pass through to the java binary when using a
# puppetserver subcommand, (eg puppetserver gem). These get used
# in the JAVA_ARGS_CLI variable.
#
# * `server_puppetserver_dir`
# Puppetserver config directory
#
# * `server_puppetserver_vardir`
# Puppetserver var directory
#
# * `server_jruby_gem_home`
# Puppetserver jruby gemhome
#
# * `server_cipher_suites`
# Puppetserver array of acceptable ciphers
#
# * `server_ssl_protocols`
# Puppetserver array of acceptable ssl protocols
#
# * `server_max_active_instances`
# Puppetserver number of max jruby instances
#
# * `server_max_requests_per_instance`
# Puppetserver number of max requests per jruby instance
#
# === Example
#
# @example
#
# # configure memory for java < 8
# class {'::puppet::server::puppetserver':
# jvm_min_heap_size => '1G',
# jvm_max_heap_size => '3G',
# jvm_extra_args => '-XX:MaxPermSize=256m',
# }
#
class puppet::server::puppetserver (
$config = $::puppet::server::jvm_config,
$java_bin = $::puppet::server::jvm_java_bin,
$jvm_extra_args = $::puppet::server::jvm_extra_args,
$jvm_cli_args = $::puppet::server::jvm_cli_args,
$jvm_min_heap_size = $::puppet::server::jvm_min_heap_size,
$jvm_max_heap_size = $::puppet::server::jvm_max_heap_size,
$server_puppetserver_dir = $::puppet::server::puppetserver_dir,
$server_puppetserver_vardir = $::puppet::server::puppetserver_vardir,
$server_puppetserver_rundir = $::puppet::server::puppetserver_rundir,
$server_puppetserver_logdir = $::puppet::server::puppetserver_logdir,
$server_jruby_gem_home = $::puppet::server::jruby_gem_home,
$server_ruby_load_paths = $::puppet::server::ruby_load_paths,
$server_cipher_suites = $::puppet::server::cipher_suites,
$server_max_active_instances = $::puppet::server::max_active_instances,
$server_max_requests_per_instance = $::puppet::server::max_requests_per_instance,
$server_ssl_protocols = $::puppet::server::ssl_protocols,
+ $server_ssl_ca_crl = $::puppet::server::ssl_ca_crl,
+ $server_ssl_ca_cert = $::puppet::server::ssl_ca_cert,
+ $server_ssl_cert = $::puppet::server::ssl_cert,
+ $server_ssl_cert_key = $::puppet::server::ssl_cert_key,
+ $server_ssl_chain = $::puppet::server::ssl_chain,
+ $server_crl_enable = $::puppet::server::crl_enable_real,
+ $server_ip = $::puppet::server::ip,
+ $server_port = $::puppet::server::port,
$server_http = $::puppet::server::http,
$server_http_allow = $::puppet::server::http_allow,
+ $server_http_port = $::puppet::server::http_port,
$server_ca = $::puppet::server::ca,
$server_dir = $::puppet::server::dir,
$codedir = $::puppet::server::codedir,
$server_idle_timeout = $::puppet::server::idle_timeout,
$server_web_idle_timeout = $::puppet::server::web_idle_timeout,
$server_connect_timeout = $::puppet::server::connect_timeout,
$server_ca_auth_required = $::puppet::server::ca_auth_required,
$server_ca_client_whitelist = $::puppet::server::ca_client_whitelist,
$server_admin_api_whitelist = $::puppet::server::admin_api_whitelist,
$server_puppetserver_version = $::puppet::server::puppetserver_version,
$server_use_legacy_auth_conf = $::puppet::server::use_legacy_auth_conf,
$server_check_for_updates = $::puppet::server::check_for_updates,
$server_environment_class_cache_enabled = $::puppet::server::environment_class_cache_enabled,
$server_jruby9k = $::puppet::server::puppetserver_jruby9k,
$server_metrics = $::puppet::server::puppetserver_metrics,
$server_experimental = $::puppet::server::puppetserver_experimental,
) {
include ::puppet::server
if !(empty($server_http_allow)) {
fail('setting $server_http_allow is not supported for puppetserver as it would have no effect')
}
$puppetserver_package = pick($::puppet::server::package, 'puppetserver')
$jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args]
$jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' '))
if $::osfamily == 'FreeBSD' {
augeas { 'puppet::server::puppetserver::jvm':
context => '/files/etc/rc.conf',
changes => [ "set puppetserver_java_opts '\"${jvm_cmd}\"'" ],
}
} else {
if $jvm_cli_args {
$changes = [
"set JAVA_ARGS '\"${jvm_cmd}\"'",
"set JAVA_BIN ${java_bin}",
"set JAVA_ARGS_CLI '\"${jvm_cli_args}\"'",
]
} else {
$changes = [
"set JAVA_ARGS '\"${jvm_cmd}\"'",
"set JAVA_BIN ${java_bin}",
]
}
augeas { 'puppet::server::puppetserver::jvm':
lens => 'Shellvars.lns',
incl => $config,
context => "/files${config}",
changes => $changes,
}
if versioncmp($server_puppetserver_version, '2.4.99') == 0 {
$bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg,${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"
} elsif versioncmp($server_puppetserver_version, '2.5') >= 0 {
$bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"
} else { # 2.4
$bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg"
}
augeas { 'puppet::server::puppetserver::bootstrap':
lens => 'Shellvars.lns',
incl => $config,
context => "/files${config}",
changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'",
}
if versioncmp($server_puppetserver_version, '5.0') >= 0 {
$jruby_jar_changes = $server_jruby9k ? {
true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'",
default => 'rm JRUBY_JAR'
}
augeas { 'puppet::server::puppetserver::jruby_jar':
lens => 'Shellvars.lns',
incl => $config,
context => "/files${config}",
changes => $jruby_jar_changes,
}
}
}
# 2.4.99 configures for both 2.4 and 2.5 making upgrades and new installations easier when the
# precise version available isn't known
if versioncmp($server_puppetserver_version, '2.4.99') >= 0 {
$servicesd = "${server_puppetserver_dir}/services.d"
file { $servicesd:
ensure => directory,
}
file { "${servicesd}/ca.cfg":
ensure => file,
content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'),
}
unless $::osfamily == 'FreeBSD' {
file { '/opt/puppetlabs/server/apps/puppetserver/config':
ensure => directory,
}
file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d':
ensure => directory,
}
}
}
if versioncmp($server_puppetserver_version, '2.5') < 0 {
$bootstrapcfg = "${server_puppetserver_dir}/bootstrap.cfg"
file { $bootstrapcfg:
ensure => file,
}
$ca_enabled_ensure = $server_ca ? {
true => present,
default => absent,
}
$ca_disabled_ensure = $server_ca ? {
false => present,
default => absent,
}
file_line { 'ca_enabled':
ensure => $ca_enabled_ensure,
path => $bootstrapcfg,
line => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service',
require => File[$bootstrapcfg],
}
file_line { 'ca_disabled':
ensure => $ca_disabled_ensure,
path => $bootstrapcfg,
line => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service',
require => File[$bootstrapcfg],
}
if versioncmp($server_puppetserver_version, '2.3') >= 0 {
$versioned_code_service_ensure = present
} else {
$versioned_code_service_ensure = absent
}
file_line { 'versioned_code_service':
ensure => $versioned_code_service_ensure,
path => $bootstrapcfg,
line => 'puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service',
require => File[$bootstrapcfg],
}
}
if versioncmp($server_puppetserver_version, '2.2') < 0 {
$ca_conf_ensure = file
} else {
$ca_conf_ensure = absent
}
file { "${server_puppetserver_dir}/conf.d/ca.conf":
ensure => $ca_conf_ensure,
content => template('puppet/server/puppetserver/conf.d/ca.conf.erb'),
}
file { "${server_puppetserver_dir}/conf.d/puppetserver.conf":
ensure => file,
content => template('puppet/server/puppetserver/conf.d/puppetserver.conf.erb'),
}
file { "${server_puppetserver_dir}/conf.d/webserver.conf":
ensure => file,
content => template('puppet/server/puppetserver/conf.d/webserver.conf.erb'),
}
file { "${server_puppetserver_dir}/conf.d/auth.conf":
ensure => file,
content => template('puppet/server/puppetserver/conf.d/auth.conf.erb'),
}
$product_conf = "${server_puppetserver_dir}/conf.d/product.conf"
if versioncmp($server_puppetserver_version, '2.7') >= 0 {
$product_conf_ensure = file
hocon_setting { 'server_check_for_updates':
ensure => present,
path => $product_conf,
setting => 'product.check-for-updates',
value => $server_check_for_updates,
require => File[$product_conf],
}
} else {
$product_conf_ensure = absent
}
file { $product_conf:
ensure => $product_conf_ensure,
}
}
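Review bot: The nine parameters added to the class signature (`$server_ssl_ca_crl` through `$server_port`, plus `$server_http_port`) have no entries in the `=== Parameters:` comment block at the top of this file, and they are untyped. Please document each one, and consider giving them data types in line with the typed signature in manifests/server.pp, for example `Stdlib::Absolutepath` for `$server_ssl_cert_key` and `Boolean` for `$server_crl_enable`, so a bad path or flag fails at compile time rather than being rendered into the server configuration.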
diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
index ee93887..9637181 100644
--- a/spec/classes/puppet_server_config_spec.rb
+++ b/spec/classes/puppet_server_config_spec.rb
@@ -1,830 +1,919 @@
require 'spec_helper'
describe 'puppet::server::config' do
before :each do
@cacrl = Tempfile.new('cacrl')
File.open(@cacrl, 'w') { |f| f.write "This is my CRL File" }
Puppet.settings[:cacrl] = @cacrl.path
end
on_os_under_test.each do |os, facts|
next if unsupported_puppetmaster_osfamily(facts[:osfamily])
context "on #{os}" do
if Puppet.version < '4.0'
codedir = '/etc/puppet'
confdir = '/etc/puppet'
conf_file = '/etc/puppet/puppet.conf'
environments_dir = '/etc/puppet/environments'
logdir = '/var/log/puppet'
rundir = '/var/run/puppet'
vardir = '/var/lib/puppet'
puppetserver_vardir = '/var/lib/puppet'
puppetserver_logdir = '/var/log/puppet'
puppetserver_rundir = '/var/run/puppet'
ssldir = '/var/lib/puppet/ssl'
sharedir = '/usr/share/puppet'
etcdir = '/etc/puppet'
puppetcacmd = '/usr/bin/puppet cert'
additional_facts = {}
else
codedir = '/etc/puppetlabs/code'
confdir = '/etc/puppetlabs/puppet'
conf_file = '/etc/puppetlabs/puppet/puppet.conf'
environments_dir = '/etc/puppetlabs/code/environments'
logdir = '/var/log/puppetlabs/puppet'
rundir = '/var/run/puppetlabs'
vardir = '/opt/puppetlabs/puppet/cache'
puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver'
puppetserver_logdir = '/var/log/puppetlabs/puppetserver'
puppetserver_rundir = '/var/run/puppetlabs/puppetserver'
ssldir = '/etc/puppetlabs/puppet/ssl'
sharedir = '/opt/puppetlabs/puppet'
etcdir = '/etc/puppetlabs/puppet'
puppetcacmd = '/opt/puppetlabs/bin/puppet cert'
additional_facts = {:rubysitedir => '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0'}
end
if facts[:osfamily] == 'FreeBSD'
codedir = '/usr/local/etc/puppet'
confdir = '/usr/local/etc/puppet'
conf_file = '/usr/local/etc/puppet/puppet.conf'
environments_dir = '/usr/local/etc/puppet/environments'
logdir = '/var/log/puppet'
rundir = '/var/run/puppet'
vardir = '/var/puppet'
puppetserver_vardir = '/var/puppet/server/data/puppetserver'
puppetserver_logdir = '/var/log/puppetserver'
puppetserver_rundir = '/var/run/puppetserver'
ssldir = '/var/puppet/ssl'
sharedir = '/usr/local/share/puppet'
etcdir = '/usr/local/etc/puppet'
puppetcacmd = '/usr/local/bin/puppet cert'
additional_facts = {}
end
let(:facts) do
facts.merge({:clientcert => 'puppetmaster.example.com'}).merge(additional_facts)
end
describe 'with no custom parameters' do
let :pre_condition do
"class {'puppet': server => true}"
end
it 'should set up SSL permissions' do
should contain_file("#{ssldir}/private_keys").with({
:group => 'puppet',
:mode => '0750',
})
should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem").with({
:group => 'puppet',
:mode => '0640',
})
should contain_exec('puppet_server_config-create_ssl_dir').with({
:creates => ssldir,
:command => "/bin/mkdir -p #{ssldir}",
:umask => '0022',
})
should contain_exec('puppet_server_config-generate_ca_cert').with({
:creates => "#{ssldir}/certs/puppetmaster.example.com.pem",
:command => "#{puppetcacmd} --generate puppetmaster.example.com --allow-dns-alt-names",
:umask => '0022',
:require => ["Concat[#{conf_file}]", "Exec[puppet_server_config-create_ssl_dir]"],
})
end
context 'with non-AIO packages', :if => (Puppet.version < '4.0' || facts[:osfamily] == 'FreeBSD') do
it 'CA cert generation should notify the Apache service' do
should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[httpd]')
end
end
context 'with AIO packages', :if => (Puppet.version > '4.0' && facts[:osfamily] != 'FreeBSD') do
it 'CA cert generation should notify the puppetserver service' do
should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]')
end
end
it 'should set up the ENC' do
should contain_class('foreman::puppetmaster').with({
:foreman_url => "https://foo.example.com",
:receive_facts => true,
:puppet_home => puppetserver_vardir,
:puppet_etcdir => etcdir,
# Since this is managed inside the foreman module it does not
# make sense to test it here
#:puppet_basedir => '/usr/lib/ruby/site_ruby/1.9/puppet',
:timeout => 60,
})
end
it 'should set up the environments' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_file(sharedir).with_ensure('directory')
should contain_file("#{codedir}/environments/common").with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_file("#{sharedir}/modules").with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_puppet__server__env('development')
should contain_puppet__server__env('production')
end
it 'should configure puppet' do
should contain_puppet__config__main("logdir").with({'value' => "#{logdir}"})
should contain_puppet__config__main("rundir").with({'value' => "#{rundir}"})
should contain_puppet__config__main("ssldir").with({'value' => "#{ssldir}"})
should contain_puppet__config__main("privatekeydir").with({'value' => '$ssldir/private_keys { group = service }'})
should contain_puppet__config__main("hostprivkey").with({'value' => '$privatekeydir/$certname.pem { mode = 640 }'})
should contain_puppet__config__main("reports").with({'value' => 'foreman'})
if Puppet.version >= '3.6'
should contain_puppet__config__main("environmentpath").with({'value' => "#{codedir}/environments"})
should contain_puppet__config__main("basemodulepath").with({
'value' => ["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules"],
'joiner' => ':'})
end
should contain_puppet__config__agent('classfile').with({'value' => '$statedir/classes.txt'})
should contain_puppet__config__master('external_nodes').with({'value' => "#{etcdir}\/node.rb"})
should contain_puppet__config__master('node_terminus').with({'value' => 'exec'})
should contain_puppet__config__master('ca').with({'value' => 'true'})
should contain_puppet__config__master('ssldir').with({'value' => "#{ssldir}"})
should contain_puppet__config__master('parser').with({'value' => 'current'})
should contain_puppet__config__master("autosign").with({'value' => "#{etcdir}\/autosign.conf \{ mode = 0664 \}"})
should contain_concat(conf_file)
should_not contain_puppet__config__master('storeconfigs')
should contain_file("#{etcdir}/autosign.conf")
end
context 'on Puppet < 4.0.0', :if => (Puppet.version < '4.0.0') do
it 'should set configtimeout' do
should contain_puppet__config__agent('configtimeout').with({'value' => '120'})
end
end
context 'on Puppet >= 4.0.0', :if => (Puppet.version >= '4.0.0') do
it 'should not set configtimeout' do
should_not contain_puppet__config__agent('configtimeout')
end
end
it 'should not configure PuppetDB' do
should_not contain_class('puppetdb')
should_not contain_class('puppetdb::master::config')
end
end
describe "when autosign => true" do
let :pre_condition do
"class {'puppet':
server => true,
autosign => true,
}"
end
it 'should contain puppet.conf [main] with autosign = true' do
should contain_puppet__config__master('autosign').with({'value' => true})
end
end
describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do
let :pre_condition do
"class {'puppet':
server => true,
autosign => '/somedir/custom_autosign',
autosign_mode => '664',
}"
end
it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 664 }' do
should contain_puppet__config__master('autosign').with({'value' => "/somedir/custom_autosign { mode = 664 }"})
end
end
describe "when autosign_entries is not set" do
let :pre_condition do
"class {'puppet':
server => true,
}"
end
it 'should contain autosign.conf with out content set' do
should contain_file("#{confdir}/autosign.conf")
should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/)
should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/)
end
end
describe "when autosign_entries set to ['foo.bar']" do
let :pre_condition do
"class {'puppet':
server => true,
autosign_entries => ['foo.bar'],
}"
end
it 'should contain autosign.conf with content set' do
should contain_file("#{confdir}/autosign.conf")
should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/)
should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/)
end
end
describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do
let :pre_condition do
"class {'puppet':
server => true,
autosign_content => 'foo.bar',
autosign_entries => ['foo.bar'],
}"
end
it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) }
end
describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do
let :pre_condition do
"class {'puppet':
server => true,
autosign_source => 'puppet:///foo/bar',
autosign_entries => ['foo.bar'],
}"
end
it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) }
end
describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_content set to 'foo.bar'" do
let :pre_condition do
"class {'puppet':
server => true,
autosign => '#{confdir}/custom_autosign.sh',
autosign_mode => '775',
autosign_content => 'foo.bar',
}"
end
it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do
should contain_puppet__config__master('autosign').with({'value' => "#{confdir}/custom_autosign.sh { mode = 775 }"})
end
it 'should contain custom_autosign.sh with content set' do
should contain_file("#{confdir}/custom_autosign.sh")
should contain_file("#{confdir}/custom_autosign.sh").with_content(/foo.bar/)
end
end
describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_source set to 'puppet:///foo/bar'" do
let :pre_condition do
"class {'puppet':
server => true,
autosign => '#{confdir}/custom_autosign.sh',
autosign_mode => '775',
autosign_source => 'puppet:///foo/bar',
}"
end
it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do
should contain_puppet__config__master('autosign').with({'value' => "#{confdir}/custom_autosign.sh { mode = 775 }"})
end
it 'should contain custom_autosign.sh with content set' do
should contain_file("#{confdir}/custom_autosign.sh")
should contain_file("#{confdir}/custom_autosign.sh").with_source('puppet:///foo/bar')
end
end
describe "when hiera_config => '$confdir/hiera.yaml'" do
let :pre_condition do
"class {'puppet':
server => true,
hiera_config => '/etc/puppet/hiera/production/hiera.yaml',
}"
end
it 'should contain puppet.conf [main] with non-default hiera_config' do
should contain_puppet__config__main("hiera_config").with({'value' => '/etc/puppet/hiera/production/hiera.yaml'})
end
end
describe 'without foreman' do
let :pre_condition do
"class {'puppet':
server => true,
server_reports => 'store',
server_external_nodes => '',
}"
end
it 'should contain an empty external_nodes' do
should_not contain_puppet__config__master('external_nodes')
end
end
describe 'without external_nodes' do
let :pre_condition do
"class {'puppet':
server => true,
server_external_nodes => '',
}"
end
it 'should not contain external_nodes' do
should_not contain_puppet__config__master('external_nodes')
should_not contain_puppet__config__master('node_terminus')
end
end
describe 'with server_default_manifest => true and undef content' do
let :pre_condition do
'class { "::puppet":
server_default_manifest => true,
server => true
}'
end
it 'should contain default_manifest setting in puppet.conf' do
should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'})
end
it 'should_not contain default manifest /etc/puppet/manifests/default_manifest.pp' do
should_not contain_file('/etc/puppet/manifests/default_manifest.pp')
end
end
describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do
let :pre_condition do
'class { "::puppet":
server_default_manifest => true,
server_default_manifest_content => "include foo",
server => true
}'
end
it 'should contain default_manifest setting in puppet.conf' do
should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'})
end
it 'should contain default manifest /etc/puppet/manifests/default_manifest.pp' do
should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content(/include foo/)
end
end
describe 'with git repo' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'puppet',
})
end
it 'should create the git repo' do
should contain_file(vardir).with({
:ensure => 'directory',
:owner => 'puppet',
})
should contain_git__repo('puppet_repo').with({
:bare => true,
:target => "#{vardir}/puppet.git",
:user => 'puppet',
:require => %r{File\[#{environments_dir}\]},
})
should contain_file("#{vardir}/puppet.git/hooks/post-receive").with({
:owner => 'puppet',
:mode => '0755',
:require => %r{Git::Repo\[puppet_repo\]},
:content => %r{BRANCH_MAP = \{[^a-zA-Z=>]\}},
})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
context 'with directory environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_directory_environments => true,
}"
end
it 'should configure puppet.conf' do
should_not contain_puppet__config__master('config_version')
should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"})
end
end
context 'with config environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_directory_environments => false,
}"
end
it 'should configure puppet.conf' do
should contain_puppet__config__master('manifest').with({'value' => "#{environments_dir}/\$environment/manifests/site.pp"})
should contain_puppet__config__master('modulepath').with({'value' => "#{environments_dir}/\$environment/modules"})
should contain_puppet__config__master('config_version').with({'value' => "git --git-dir #{environments_dir}/\$environment/.git describe --all --long"})
end
end
end
describe 'with dynamic environments' do
context 'with directory environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => true,
server_environments_owner => 'apache',
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'apache',
})
end
it 'should configure puppet.conf' do
should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"})
should contain_puppet__config__main('basemodulepath').with({'value' => ["#{environments_dir}/common","#{codedir}/modules","#{sharedir}/modules"]})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
end
context 'with no common modules directory' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => true,
server_environments_owner => 'apache',
server_common_modules_path => '',
}"
end
it 'should configure puppet.conf' do
should_not contain_puppet__config__main('basemodulepath')
end
end
context 'with config environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => false,
server_environments_owner => 'apache',
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'apache',
})
end
it 'should configure puppet.conf' do
should contain_puppet__config__master('manifest').with({'value' => "#{environments_dir}/\$environment/manifests/site.pp"})
should contain_puppet__config__master('modulepath').with({'value' => "#{environments_dir}/\$environment/modules"})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
end
end
describe 'with SSL path overrides' do
let :pre_condition do
"class {'puppet':
server => true,
server_foreman_ssl_ca => '/etc/example/ca.pem',
server_foreman_ssl_cert => '/etc/example/cert.pem',
server_foreman_ssl_key => '/etc/example/key.pem',
}"
end
it 'should pass SSL parameters to the ENC' do
should contain_class('foreman::puppetmaster').with({
:ssl_ca => '/etc/example/ca.pem',
:ssl_cert => '/etc/example/cert.pem',
:ssl_key => '/etc/example/key.pem',
})
end
end
describe 'with a PuppetDB host set' do
let :pre_condition do
"class {'puppet':
server => true,
server_puppetdb_host => 'mypuppetdb.example.com',
server_storeconfigs_backend => 'puppetdb',
}"
end
it 'should configure PuppetDB' do
should compile.with_all_deps
should contain_class('puppetdb::master::config').with({
:puppetdb_server => 'mypuppetdb.example.com',
:puppetdb_port => 8081,
:puppetdb_soft_write_failure => false,
:manage_storeconfigs => false,
:restart_puppet => false,
})
end
end
describe 'with a puppet git branch map' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_git_branch_map => { 'a' => 'b', 'c' => 'd' }
}"
end
it 'should add the branch map to the post receive hook' do
should contain_file("#{vardir}/puppet.git/hooks/post-receive").
with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/)
end
end
describe 'with additional settings' do
let :pre_condition do
"class {'puppet':
server => true,
server_additional_settings => {stringify_facts => true},
}"
end
it 'should configure puppet.conf' do
should contain_puppet__config__master('stringify_facts').with({'value' => true})
end
end
describe 'directory environments default' do
let :pre_condition do
"class {'puppet':
server => true,
}"
end
context 'on old Puppet', :if => (Puppet.version < '3.6.0') do
it 'should be disabled' do
should_not contain_puppet__config__main('environmentpath')
end
end
context 'on Puppet 3.6.0+', :if => (Puppet.version >= '3.6.0') do
it 'should be enabled' do
should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"})
end
end
end
describe 'with server_parser => future' do
let :pre_condition do
"class {'puppet':
server => true,
server_parser => 'future',
}"
end
it 'should configure future parser' do
should contain_puppet__config__master('parser').with({'value' => "future"})
end
end
describe 'with server_environment_timeout set' do
let :pre_condition do
"class {'puppet':
server => true,
server_environment_timeout => '10m',
}"
end
it 'should configure environment_timeout accordingly' do
should contain_puppet__config__master('environment_timeout').with({'value' => "10m"})
end
end
describe 'with no ssldir managed for master' do
let :pre_condition do
"class {'puppet': server => true, server_ssl_dir_manage => false}"
end
it 'should not contain ssl_dir configuration setting in the master section' do
should_not contain_puppet__config__master('ssl_dir')
end
end
describe 'with ssl key management disabled for server' do
let :pre_condition do
"class {'puppet':
server => true,
server_certname => 'servercert',
server_ssl_key_manage => false,
server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl'
}"
end
it 'should not contain a default ssl key definition' do
should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem')
end
end
describe 'with nondefault CA settings' do
context 'with server_ca => false' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca => false,
}"
end
it 'should create the ssl directory' do
should contain_exec('puppet_server_config-create_ssl_dir')
end
it 'should not generate CA certificates' do
should_not contain_exec('puppet_server_config-generate_ca_cert')
end
end
end
describe 'with server_implementation => "puppetserver"', :if => (Puppet.version >= '4.0.0') do
let :pre_condition do
"class {'puppet':
server => true,
server_implementation => 'puppetserver'
}"
end
it 'should configure puppet.conf' do
should contain_puppet__config__master("vardir").with_value(puppetserver_vardir)
should contain_puppet__config__master("logdir").with_value(puppetserver_logdir)
should contain_puppet__config__master("rundir").with_value(puppetserver_rundir)
end
end
describe 'with server_ca_crl_sync => true' do
context 'with server_ca => false and running "puppet apply"' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca_crl_sync => true,
server_ca => false,
server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl'
}"
end
it 'should not sync the crl' do
should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
end
end
context 'with server_ca => false: running "puppet agent -t"' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca_crl_sync => true,
server_ca => false,
server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl'
}"
end
let(:facts) do
facts.merge({:servername => 'myserver' })
end
it 'should sync the crl from the ca' do
should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem').
with_content("This is my CRL File")
end
end
context 'with server_ca => true: running "puppet agent -t"' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca_crl_sync => true,
server_ca => true,
server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl'
}"
end
let(:facts) do
facts.merge({:servername => 'myserver' })
end
it 'should not sync the crl' do
should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
end
end
end
describe 'allow crl checking' do
context 'as ca' do
let :pre_condition do
"class {'puppet':
server => true,
server_implementation => 'puppetserver',
server_ca => true,
server_puppetserver_dir => '/etc/custom/puppetserver',
server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
}"
end
it 'should use the ca_crl.pem file' do
should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
with_content(/ssl-crl-path: #{ssldir}\/ca\/ca_crl.pem/)
end
end
context 'as non-ca with default' do
let :pre_condition do
"class {'puppet':
server => true,
server_implementation => 'puppetserver',
server_ca => false,
server_puppetserver_dir => '/etc/custom/puppetserver',
server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
}"
end
it 'should use the ca_crl.pem file' do
should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
without_content(/ssl-crl-path: #{ssldir}\/crl.pem/)
end
end
context 'as non-ca with default' do
let :pre_condition do
"class {'puppet':
server => true,
server_implementation => 'puppetserver',
server_ca => false,
server_crl_enable => true,
server_puppetserver_dir => '/etc/custom/puppetserver',
server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
}"
end
it 'should use the ca_crl.pem file' do
should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
with_content(/ssl-crl-path: #{ssldir}\/crl.pem/)
end
end
end
describe 'with ssl_chain_filepath overwritten' do
- let :pre_condition do
+ let :pre_condition do
"class {'puppet':
- server => true,
- server_implementation => 'puppetserver',
- server_ca => true,
- server_puppetserver_dir => '/etc/custom/puppetserver',
- server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems',
- server_ssl_chain_filepath => '/etc/example/certchain.pem',
+ server => true,
+ server_implementation => 'puppetserver',
+ server_ca => true,
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems',
+ server_ssl_chain_filepath => '/etc/example/certchain.pem',
}"
end
it 'should use the server_ssl_chain_filepath file' do
should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
with_content(/ssl-cert-chain: \/etc\/example\/certchain.pem/)
end
end
+
+ describe 'with server_ip parameter given to the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_ip => '127.0.0.1',
+ }"
+ end
+
+ it 'should put the correct ip address in webserver.conf' do
+ should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').with_content(/ssl-host:\s127\.0\.0\.1/)
+ end
+ end
+
+ describe 'with server_certname parameter' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_certname => 'puppetserver43.example.com',
+ server_ssl_dir => '/etc/custom/puppet/ssl',
+ }"
+ end
+
+ it 'should put the correct ssl key path in webserver.conf' do
+ should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
+ with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem})
+ end
+
+ it 'should put the correct ssl cert path in webserver.conf' do
+ should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
+ with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem})
+ end
+ end
+
+ describe 'with server_http parameter set to true for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_http => true,
+ }"
+ end
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
+ with_content(/ host:\s0\.0\.0\.0/).
+ with_content(/ port:\s8139/).
+ with({})
+ }
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: true/).
+ with({})
+ }
+ end
+
+ describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_allow_header_cert_info => true,
+ }"
+ end
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: true/).
+ with({})
+ }
+ end
+
+ describe 'with server_http_allow parameter set for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_http => true,
+ server_http_allow => ['1.2.3.4'],
+ }"
+ end
+
+ it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) }
+ end
end
end
end
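Review bot: The new 'with server_http parameter set to true' case pins ` host:\s0\.0\.0\.0` and ` port:\s8139` together with `allow-header-cert-info: true`, but no case combines `server_http => true` with `server_ip`. The `server_ip => '127.0.0.1'` case only asserts on `ssl-host`, so nothing here shows whether the plaintext listener follows the bind address. The `server_http_allow` case confirms that an allow list is rejected for puppetserver, which leaves the bind address as the only control these specs exercise for limiting who can reach a listener that trusts certificate data from request headers. Please add a case with both `server_http => true` and `server_ip => '127.0.0.1'` that asserts on ` host:`. In the `server_http` case, also state explicitly whether `ssl-host` and `ssl-port` are expected to remain in webserver.conf. Style point: the trailing `.with({})` on the new `it` blocks asserts nothing and can be dropped.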
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index 23459ff..9054d3e 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -1,844 +1,761 @@
require 'spec_helper'
describe 'puppet::server::puppetserver' do
on_os_under_test.each do |os, facts|
next if facts[:osfamily] == 'windows'
next if facts[:osfamily] == 'Archlinux'
context "on #{os}" do
let :pre_condition do
"class {'puppet': server_implementation => 'puppetserver'}"
end
if Puppet.version < '4.0'
additional_facts = {}
else
additional_facts = {:rubysitedir => '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0'}
end
let(:facts) do
facts.merge(additional_facts)
end
let(:default_params) do {
:java_bin => '/usr/bin/java',
:config => '/etc/default/puppetserver',
:jvm_min_heap_size => '2G',
:jvm_max_heap_size => '2G',
:jvm_extra_args => '',
:jvm_cli_args => false, # In reality defaults to undef
:server_ca_auth_required => true,
:server_ca_client_whitelist => [ 'localhost', 'puppetserver123.example.com' ],
:server_admin_api_whitelist => [ 'localhost', 'puppetserver123.example.com' ],
:server_ruby_load_paths => [ '/some/path', ],
:server_ssl_protocols => [ 'TLSv1.2', ],
:server_cipher_suites => [ 'TLS_RSA_WITH_AES_256_CBC_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA', ],
:server_max_active_instances => 2,
:server_max_requests_per_instance => 0,
:server_http => false,
:server_http_allow => [],
:server_ca => true,
:server_puppetserver_version => '2.4.99',
:server_use_legacy_auth_conf => false,
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_puppetserver_vardir => '/opt/puppetlabs/server/data/puppetserver',
:server_puppetserver_rundir => '/var/run/puppetlabs/puppetserver',
:server_puppetserver_logdir => '/var/log/puppetlabs/puppetserver',
:server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems',
:server_dir => '/etc/puppetlabs/puppet',
:codedir => '/etc/puppetlabs/code',
:server_idle_timeout => 1200000,
:server_web_idle_timeout => 30000,
:server_connect_timeout => 120000,
:server_check_for_updates => true,
:server_environment_class_cache_enabled => false,
:server_jruby9k => false,
:server_metrics => true,
:server_experimental => true,
+ :server_ip => '0.0.0.0',
+ :server_port => '8140',
+ :server_http_port => '8139',
+ :server_ssl_ca_crl => '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem',
+ :server_ssl_ca_cert => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
+ :server_ssl_cert => '/etc/puppetlabs/puppet/ssl/certs/puppetserver123.example.com.pem',
+ :server_ssl_cert_key => '/etc/puppetlabs/puppet/ssl/private_keys/puppetserver123.example.com.pem',
+ :server_ssl_chain => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
+ :server_crl_enable => true,
} end
describe 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
it { should contain_file_line('ca_enabled').with_ensure('present') }
it { should contain_file_line('ca_disabled'). with_ensure('absent') }
it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') }
it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') }
if facts[:osfamily] == 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'',
]).
with_context('/files/etc/rc.conf').
with({})
}
else
it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') }
it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') }
it { should contain_augeas('puppet::server::puppetserver::bootstrap').
with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'')
}
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'',
'set JAVA_BIN /usr/bin/java',
]).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') }
it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf') }
it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
with_content(/ssl-host:\s0\.0\.0\.0/).
with_content(/ssl-port:\s8140/).
without_content(/ host:\s/).
without_content(/ port:\s8139/).
with({})
}
it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
with_content(/allow-header-cert-info: false/).
with({})
}
end
describe 'server_puppetserver_vardir' do
context 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ master-var-dir: /opt/puppetlabs/server/data/puppetserver\n])
end
end
context 'with custom server_puppetserver_vardir' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_puppetserver_vardir => '/opt/custom/puppetlabs/server/data/puppetserver',
})
end
it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ master-var-dir: /opt/custom/puppetlabs/server/data/puppetserver\n])
end
end
end
describe 'use-legacy-auth-conf' do
context 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have use-legacy-auth-conf: false in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ use-legacy-auth-conf: false\n])
end
end
context 'when use-legacy-auth-conf = true' do
let(:params) do
default_params.merge({
:server_use_legacy_auth_conf => true,
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have use-legacy-auth-conf: true in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ use-legacy-auth-conf: true\n])
end
end
context 'when server_puppetserver_version < 2.2' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.1.2',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should not have a use-legacy-auth-conf setting in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).not_to include('use-legacy-auth-conf')
end
end
end
describe 'environment-class-cache-enabled' do
context 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have environment-class-cache-enabled: false in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ environment-class-cache-enabled: false\n])
end
end
context 'when environment-class-cache-enabled = true' do
let(:params) do
default_params.merge({
:server_environment_class_cache_enabled => true,
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have environment-class-cache-enabled: true in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ environment-class-cache-enabled: true\n])
end
end
context 'when server_puppetserver_version < 2.4' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.2.2',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should not have a environment-class-cache-enabled setting in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).not_to include('environment-class-cache-enabled')
end
end
end
describe 'server_max_requests_per_instance' do
context 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ max-requests-per-instance: 0\n])
end
end
context 'custom server_max_requests_per_instance' do
let(:params) do
default_params.merge({
:server_max_requests_per_instance => 123456,
})
end
it 'should have custom max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ max-requests-per-instance: 123456\n])
end
end
end
describe 'versioned-code-service' do
context 'when server_puppetserver_version >= 2.5' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.5.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should_not contain_file_line('versioned_code_service') }
end
context 'when server_puppetserver_version >= 2.3 and < 2.5' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.3.1',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have versioned-code-service in bootstrap.cfg' do
should contain_file_line('versioned_code_service').
with_ensure('present').
with_path('/etc/custom/puppetserver/bootstrap.cfg').
with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service').
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
end
end
context 'when server_puppetserver_version < 2.3' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.2.2',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should not have versioned-code-service in bootstrap.cfg' do
should contain_file_line('versioned_code_service').
with_ensure('absent').
with_path('/etc/custom/puppetserver/bootstrap.cfg').
with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service').
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
end
end
end
describe 'bootstrap.cfg' do
context 'when server_puppetserver_version >= 2.5' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.5.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
it { should_not contain_file_line('ca_enabled') }
it { should_not contain_file_line('ca_disabled') }
end
context 'when server_puppetserver_version < 2.4.99' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.4.98',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
it {
should contain_file_line('ca_enabled').
with_ensure('present').
with_path('/etc/custom/puppetserver/bootstrap.cfg').
with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service').
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
}
it {
should contain_file_line('ca_disabled').
with_ensure('absent').
with_path('/etc/custom/puppetserver/bootstrap.cfg').
with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service').
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
}
unless facts[:osfamily] == 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::bootstrap').
with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\'').
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
end
describe 'ca.cfg' do
context 'when server_puppetserver_version >= 2.5' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.5.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') }
it {
should contain_file('/etc/custom/puppetserver/services.d/ca.cfg').
with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}).
with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service})
}
unless facts[:osfamily] == 'FreeBSD'
it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') }
it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') }
it { should contain_augeas('puppet::server::puppetserver::bootstrap').
with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'').
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
context 'when server_puppetserver_version >= 2.5 and server_ca => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.5.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_ca => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/services.d/ca.cfg').
with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}).
with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service})
}
end
context 'when server_puppetserver_version < 2.4.99' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.4.98',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should_not contain_file('/etc/custom/puppetserver/services.d') }
it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') }
it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') }
it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') }
end
end
describe 'server_ca related settings' do
context 'when server_puppetserver_version >= 2.2' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.2.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/).
with_content(/^\s+name: "certificate_status"/).
with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/).
with_content(/^\s+name: "certificate_statuses"/).
with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/).
with_content(/^\s+name: "environment-cache"/).
with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/).
with_content(/^\s+name: "jruby-pool"/).
with({}) # So we can use a trailing dot on each with_content line
}
it {
should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').
with_ensure('absent').
with({}) # So we can use a trailing dot on each with_content line
}
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
without_content(/^# Settings related to the puppet-admin HTTP API$/).
without_content(/^puppet-admin: \{$/).
without_content(/^\s+client-whitelist: \[$/).
without_content(/^\s+"localhost"\,$/).
without_content(/^\s+"puppetserver123.example.com"\,$/).
with({}) # So we can use a trailing dot on each with_content line
}
end
context 'when server_puppetserver_version < 2.2' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.1.1',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
without_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/).
without_content(/^\s+name: "certificate_status"/).
without_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/).
without_content(/^\s+name: "certificate_statuses"/).
without_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/).
without_content(/^\s+name: "environment-cache"/).
without_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/).
without_content(/^\s+name: "jruby-pool"/).
with({}) # So we can use a trailing dot on each with_content line
}
it {
should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').
with_content(/^\s+authorization-required: true$/).
with_content(/^\s+client-whitelist: \[$/).
with_content(/^\s+"localhost"\,$/).
with_content(/^\s+"puppetserver123.example.com"\,$/).
with({}) # So we can use a trailing dot on each with_content line
}
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
with_content(/^# Settings related to the puppet-admin HTTP API$/).
with_content(/^puppet-admin: \{$/).
with_content(/^\s+client-whitelist: \[$/).
with_content(/^\s+"localhost"\,$/).
with_content(/^\s+"puppetserver123.example.com"\,$/).
with({}) # So we can use a trailing dot on each with_content line
}
end
end
describe 'product.conf' do
context 'when server_puppetserver_version >= 2.7' do
let(:params) do
default_params.merge(
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_check_for_updates => false,
)
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/product.conf').
with_ensure('file')
}
it {
should contain_hocon_setting('server_check_for_updates').
with_path('/etc/custom/puppetserver/conf.d/product.conf').
with_setting('product.check-for-updates').
with_value(false)
}
end
context 'when server_puppetserver_version < 2.7' do
let(:params) do
default_params.merge(
:server_puppetserver_version => '2.6.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
)
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/product.conf').
with_ensure('absent')
}
it {
should_not contain_hocon_setting('server_check_for_updates')
}
end
end
describe 'server_metrics' do
context 'when server_puppetserver_version < 5.0 and server_metrics => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_metrics => true,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
without_content(%r{^ metrics-enabled: (.*)$}).
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true})
}
end
context 'when server_puppetserver_version < 5.0 and server_metrics => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_metrics => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
without_content(%r{^ metrics-enabled: (.*)$}).
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false})
}
end
context 'when server_puppetserver_version >= 5.0 and server_metrics => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_metrics => true,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)}).
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true})
}
end
context 'when server_puppetserver_version >= 5.0 and server_metrics => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_metrics => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$}).
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false})
}
end
end
describe 'server_experimental' do
context 'when server_puppetserver_version < 5.0 and server_experimental => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_experimental => true,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
without_content(%r{^(\ *)path: "/puppet/experimental"$})
}
end
context 'when server_puppetserver_version < 5.0 and server_experimental => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_experimental => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
without_content(%r{^(\ *)path: "/puppet/experimental"$})
}
end
context 'when server_puppetserver_version >= 5.0 and server_experimental => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_experimental => true,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
with_content(%r{^(\ *)path: "/puppet/experimental"$})
}
end
context 'when server_puppetserver_version >= 5.0 and server_experimental => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_experimental => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
without_content(%r{^(\ *)path: "/puppet/experimental"$})
}
end
end
unless facts[:osfamily] == 'FreeBSD'
describe 'server_jruby9k' do
context 'when server_puppetserver_version < 5.0 and server_jruby9k => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_jruby9k => true,
})
end
it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') }
end
context 'when server_puppetserver_version < 5.0 and server_jruby9k => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_jruby9k => false,
})
end
it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') }
end
context 'when server_puppetserver_version >= 5.0 and server_jruby9k => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_jruby9k => true,
})
end
it { should contain_augeas('puppet::server::puppetserver::jruby_jar').
with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
context 'when server_puppetserver_version >= 5.0 and server_jruby9k => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_jruby9k => false,
})
end
it { should contain_augeas('puppet::server::puppetserver::jruby_jar').
with_changes(['rm JRUBY_JAR']).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
end
describe 'with extra_args parameter' do
let :params do
default_params.merge({
:jvm_extra_args => ['-XX:foo=bar', '-XX:bar=foo'],
})
end
if facts[:osfamily] == 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'',
]).
with_context('/files/etc/rc.conf').
with({})
}
else
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'',
'set JAVA_BIN /usr/bin/java',
]).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
describe 'with cli_args parameter' do
let :params do
default_params.merge({
:jvm_cli_args => '-Djava.io.tmpdir=/var/puppettmp',
})
end
if facts[:osfamily] != 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'',
'set JAVA_BIN /usr/bin/java',
'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'',
]).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
describe 'with jvm_config file parameter' do
let :params do default_params.merge({
:config => '/etc/custom/puppetserver',
})
end
if facts[:osfamily] == 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_context('/files/etc/rc.conf').
with({})
}
else
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_context('/files/etc/custom/puppetserver').
with_incl('/etc/custom/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
-
- describe 'with server_ip parameter given to the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server_ip => '127.0.0.1', server_implementation => 'puppetserver'}"
- end
-
- it 'should put the correct ip address in webserver.conf' do
- should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').with_content(/ssl-host:\s127\.0\.0\.1/)
- end
- end
-
- describe 'with server_certname parameter given to the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server_certname => 'puppetserver43.example.com', server_implementation => 'puppetserver', server_ssl_dir => '/etc/custom/puppet/ssl'}"
- end
-
- it 'should put the correct ssl key path in webserver.conf' do
- should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
- with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem})
- end
-
- it 'should put the correct ssl cert path in webserver.conf' do
- should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
- with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem})
- end
- end
-
- describe 'with server_http parameter set to true for the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server_http => true, server_implementation => 'puppetserver'}"
- end
-
- it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
- with_content(/ host:\s0\.0\.0\.0/).
- with_content(/ port:\s8139/).
- with({})
- }
-
- it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
- with_content(/allow-header-cert-info: true/).
- with({})
- }
- end
-
- describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server_allow_header_cert_info => true, server_implementation => 'puppetserver'}"
- end
-
- it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
- with_content(/allow-header-cert-info: true/).
- with({})
- }
- end
-
- describe 'with server_http_allow parameter set for the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server => true, server_http => true, server_http_allow => ['1.2.3.4'], server_implementation => 'puppetserver'}"
- end
-
- it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) }
- end
end
end
end
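Review bot: The specs deleted at the end of this hunk (`server_ip`, `server_certname`, `server_http`, `server_allow_header_cert_info`, `server_http_allow`) have no replacement in the visible part of the hunk. They asserted the `ssl-host`, `ssl-key` and `ssl-cert` values in webserver.conf, `allow-header-cert-info: true` in auth.conf, and the `Puppet::Error` raised when `$server_http_allow` is set for puppetserver. These are the settings that decide where the server listens, which key material it presents and whether it trusts client identity from headers, so please confirm equivalent coverage exists elsewhere in the change, or re-add the cases against whatever interface now carries these values instead of the `pre_condition` on the `puppet` class. Separately, three example titles in the unchanged lines do not match what they assert: 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' checks the custom `/opt/custom/...` path, and both `max-requests-per-instance` titles name a directory while the assertions check `0` and `123456`.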
diff --git a/templates/server/puppetserver/conf.d/webserver.conf.erb b/templates/server/puppetserver/conf.d/webserver.conf.erb
index e8a8938..f8c20c6 100644
--- a/templates/server/puppetserver/conf.d/webserver.conf.erb
+++ b/templates/server/puppetserver/conf.d/webserver.conf.erb
@@ -1,20 +1,20 @@
webserver: {
- access-log-config: <%= scope.lookupvar('puppet::server::puppetserver_dir') %>/request-logging.xml
+ access-log-config: <%= @server_puppetserver_dir %>/request-logging.xml
client-auth: want
-<%- if scope.lookupvar('puppet::server::http') -%>
- host: <%= scope.lookupvar('puppet::server::ip') %>
- port: <%= scope.lookupvar('puppet::server::http_port') %>
+<%- if @server_http -%>
+ host: <%= @server_ip %>
+ port: <%= @server_http_port %>
<%- end -%>
- ssl-host: <%= scope.lookupvar('puppet::server::ip') %>
- ssl-port: <%= scope.lookupvar('puppet::server::port') %>
- ssl-cert: <%= scope.lookupvar('puppet::server::ssl_cert') %>
- ssl-key: <%= scope.lookupvar('puppet::server::ssl_cert_key') %>
- ssl-ca-cert: <%= scope.lookupvar('puppet::server::ssl_ca_cert') %>
-<%- if scope.lookupvar('puppet::server::_crl_enable') -%>
- ssl-crl-path: <%= scope.lookupvar('puppet::server::ssl_ca_crl') %>
+ ssl-host: <%= @server_ip %>
+ ssl-port: <%= @server_port %>
+ ssl-cert: <%= @server_ssl_cert %>
+ ssl-key: <%= @server_ssl_cert_key %>
+ ssl-ca-cert: <%= @server_ssl_ca_cert %>
+<%- if @server_crl_enable -%>
+ ssl-crl-path: <%= @server_ssl_ca_crl %>
<%- end -%>
-<%- if scope.lookupvar('puppet::server::ca') -%>
- ssl-cert-chain: <%= scope.lookupvar('puppet::server::ssl_chain') %>
+<%- if @server_ca -%>
+ ssl-cert-chain: <%= @server_ssl_chain %>
<%- end -%>
idle-timeout-milliseconds: <%= @server_web_idle_timeout %>
}
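Review bot: The CRL guard changes from `scope.lookupvar('puppet::server::_crl_enable')` to `@server_crl_enable`, which drops the underscore-prefixed name the old template read. Per the class documentation, `$crl_enable` defaults to true only when `$ca` is true, which suggests `_crl_enable` held the resolved value rather than the raw parameter. If `@server_crl_enable` is passed the raw parameter, `ssl-crl-path` will be omitted whenever the parameter is left unset, and the server would stop checking revocation without any error. Please make sure the caller passes the resolved value under this name, and add a spec that asserts `ssl-crl-path` is present with default parameters. The same applies more generally: an unset instance variable renders as an empty string in ERB, so a spec asserting non-empty `ssl-cert`, `ssl-key` and `ssl-ca-cert` lines would catch a missed rename.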
File Metadata
Mime Type: text/x-diff
Expires: Wed, Jun 4, 7:24 PM (5 d, 23 h ago)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 3326767
Attached To: rSPPUP puppet-theforeman-puppet