
diff --git a/manifests/server.pp b/manifests/server.pp
index e260ec9..d601114 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,475 +1,475 @@
# == Class: puppet::server
#
# Sets up a puppet master.
#
# == puppet::server parameters
#
# $autosign:: If set to a boolean, autosign is enabled or disabled
# for all incoming requests. Otherwise this has to be
# set to the full file path of an autosign.conf file or
# an autosign script. If this is set to a script, make
# sure that script considers the content of autosign.conf
# as otherwise Foreman functionality might be broken.
#
# $autosign_entries:: A list of certnames or domain name globs
# whose certificate requests will automatically be signed.
# Defaults to an empty Array.
#
# $autosign_mode:: mode of the autosign file/script
#
# $autosign_content:: If set, write the autosign file content
# using the value of this parameter.
# Cannot be used at the same time as autosign_entries
# For example, could be a string, or
# file('another_module/autosign.sh') or
# template('another_module/autosign.sh.erb')
#
# $autosign_source:: If set, use this as the source for the autosign file,
# instead of autosign_content.
#
# $hiera_config:: The hiera configuration file.
#
# $user:: Name of the puppetmaster user.
#
# $group:: Name of the puppetmaster group.
#
# $dir:: Puppet configuration directory
#
# $ip:: Bind ip address of the puppetmaster
#
# $port:: Puppet master port
#
# $ca:: Provide puppet CA
#
# $ca_crl_filepath:: Path to ca_crl file
#
# $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to
# be agents of the CA master (MOM) defaults to false
#
# $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults
# to false
#
# $http:: Should the puppet master listen on HTTP as well as HTTPS.
# Useful for load balancer or reverse proxy scenarios. Note that
# the HTTP puppet master denies access from all clients by default,
# allowed clients must be specified with $http_allow.
#
# $http_port:: Puppet master HTTP port; defaults to 8139.
#
# $http_allow:: Array of allowed clients for the HTTP puppet master. Passed
# to Apache's 'Allow' directive.
#
# $reports:: List of report types to include on the puppetmaster
#
# $implementation:: Puppet master implementation, either "master" (traditional
# Ruby) or "puppetserver" (JVM-based)
#
# $passenger:: If set to true, we will configure apache with
# passenger. If set to false, we will enable the
# default puppetmaster service unless
# service_fallback is set to false. See 'Advanced
# server parameters' for more information.
# Only applicable when server_implementation is "master".
#
# $external_nodes:: External nodes classifier executable
#
# $git_repo:: Use git repository as a source of modules
#
# $dynamic_environments:: Use $environment in the modulepath
# Deprecated when $directory_environments is true,
# set $environments to [] instead.
#
# $directory_environments:: Enable directory environments, defaulting to true
# with Puppet 3.6.0 or higher
#
# $environments:: Environments to setup (creates directories).
# Applies only when $dynamic_environments
# is false
#
# $environments_owner:: The owner of the environments directory
#
# $environments_group:: The group owning the environments directory
#
# $environments_mode:: Environments directory mode.
#
# $envs_dir:: Directory that holds puppet environments
#
# $envs_target:: Indicates that $envs_dir should be
# a symbolic link to this target
#
# $common_modules_path:: Common modules paths (only when
# $git_repo_path and $dynamic_environments
# are false)
#
# $git_repo_path:: Git repository path
#
# $git_repo_mode:: Git repository mode
#
# $git_repo_group:: Git repository group
#
# $git_repo_user:: Git repository user
#
# $git_branch_map:: Git branch to puppet env mapping for the
# default post receive hook
#
# $post_hook_content:: Which template to use for git post hook
#
# $post_hook_name:: Name of a git hook
#
# $storeconfigs_backend:: Do you use storeconfigs? (note: not required)
# false if you don't, "active_record" for 2.X
# style db, "puppetdb" for puppetdb
#
# $app_root:: Directory where the application lives
#
# $ssl_dir:: SSL directory
#
# $package:: Custom package name for puppet master
#
# $version:: Custom package version for puppet master
#
# $certname:: The name to use when handling certificates.
#
# $strict_variables:: if set to true, it will throw parse errors
# when accessing undeclared variables.
#
# $additional_settings:: A hash of additional settings.
# Example: {trusted_node_data => true, ordering => 'manifest'}
#
# $rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and
# --vardir. The default is an empty array.
#
# $puppetdb_host:: PuppetDB host
#
# $puppetdb_port:: PuppetDB port
#
# $puppetdb_swf:: PuppetDB soft_write_failure
#
# $parser:: Sets the parser to use. Valid options are 'current' or 'future'.
# Defaults to 'current'.
#
# === Advanced server parameters:
#
# $httpd_service:: Apache/httpd service name to notify
# on configuration changes. Defaults
# to 'httpd' based on the default
# apache module included with foreman-installer.
#
# $service_fallback:: If passenger is not used, do we want to fallback
# to using the puppetmaster service? Set to false
# if you disabled passenger and you do NOT want to
# use the puppetmaster service. Defaults to true.
#
# $passenger_min_instances:: The PassengerMinInstances parameter. Sets the
# minimum number of application processes to run.
# Defaults to the number of processors on your
# system.
#
# $passenger_pre_start:: Pre-start the first passenger worker instance
# process during httpd start.
#
# $passenger_ruby:: The PassengerRuby parameter. Sets the Ruby
# interpreter for serving the puppetmaster rack
# application.
#
# $config_version:: How to determine the configuration version. When
# using git_repo, by default a git describe
# approach will be installed.
#
# $server_foreman_facts:: Should foreman receive facts from puppet
#
# $foreman:: Should foreman integration be installed
#
# $foreman_url:: Foreman URL
#
# $foreman_ssl_ca:: SSL CA of the Foreman server
#
# $foreman_ssl_cert:: Client certificate for authenticating against Foreman server
#
# $foreman_ssl_key:: Key for authenticating against Foreman server
#
# $puppet_basedir:: Where is the puppet code base located
#
# $enc_api:: What version of enc script to deploy. Valid
# values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
#
# $report_api:: What version of report processor to deploy.
# Valid values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
#
# $request_timeout:: Timeout in node.rb script for fetching
# catalog from Foreman (in seconds).
#
# $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...)
#
# $ca_proxy:: The actual server that handles puppet CA.
# Setting this to anything non-empty causes
# the apache vhost to set up a proxy for all
# certificates pointing to the value.
#
# $jvm_java_bin:: Set the default java to use.
#
# $jvm_config:: Specify the puppetserver jvm configuration file.
#
# $jvm_min_heap_size:: Specify the minimum jvm heap space.
#
# $jvm_max_heap_size:: Specify the maximum jvm heap space.
#
# $jvm_extra_args:: Additional java options to pass through.
# This can be used for Java versions prior to
# Java 8 to specify the max perm space to use:
# For example: '-XX:MaxPermSize=128m'.
#
# $jvm_cli_args:: Java options to use when using puppetserver
# subcommands (eg puppetserver gem).
#
# $jruby_gem_home:: Where jruby gems are located for puppetserver
#
# $allow_any_crl_auth:: Allow any authentication for the CRL. This
# is needed on the puppet CA to accept clients
# from a the puppet CA proxy.
#
# $auth_allowed:: An array of authenticated nodes allowed to
# access all catalog and node endpoints.
# default to ['$1']
#
# $default_manifest:: Toggle if default_manifest setting should
# be added to the [main] section
#
# $default_manifest_path:: A string setting the path to the default_manifest
#
# $default_manifest_content:: A string to set the content of the default_manifest
# If set to '' it will not manage the file
#
# $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master]
# configuration section. This is necessary to
# disable in case CA is delegated to a separate instance
#
# $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem"
# should be created with default user and group. This is used in
# the default Forman setup to reuse the key for TLS communication.
#
# $puppetserver_vardir:: The path of the puppetserver var dir
#
# $puppetserver_dir:: The path of the puppetserver config dir
#
# $puppetserver_version:: The version of puppetserver 2 installed (or being installed)
# Unfortunately, different versions of puppetserver need configuring differently,
# and there's no easy way of determining which version is being installed.
# Defaults to '2.3.1' but can be overriden if you're installing an older version.
#
# $max_active_instances:: Max number of active jruby instances. Defaults to
# processor count
#
# $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled)
#
# $idle_timeout:: How long the server will wait for a response on an existing connection
#
# $connect_timeout:: How long the server will wait for a response to a connection attempt
#
# $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed.
# Defaults to the Jetty default of 30s
#
# $ssl_protocols:: Array of SSL protocols to use.
# Defaults to [ 'TLSv1.2' ]
#
# $ssl_chain_filepath:: Path to certificate chain for puppetserver
# Defaults to "${ssl_dir}/ca/ca_crt.pem"
#
# $cipher_suites:: List of SSL ciphers to use in negotiation
# Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA',
# 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
#
# $ruby_load_paths:: List of ruby paths
# Defaults based on $::puppetversion
#
# $ca_client_whitelist:: The whitelist of client certificates that
# can query the certificate-status endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
#
# $admin_api_whitelist:: The whitelist of clients that
# can query the puppet-admin-api endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
#
# $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api
# Defaults to true
#
# $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf?
# Defaults to false (the puppetserver will use its own conf.d/auth.conf)
#
# $allow_header_cert_info:: Allow client authentication over HTTP Headers
# Defaults to false, is also activated by the $http setting
#
# $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false
#
# $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling?
# Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x
#
# $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true
#
class puppet::server(
Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign,
Array[String] $autosign_entries = $::puppet::autosign_entries,
Pattern[/^[0-9]{3,4}$/] $autosign_mode = $::puppet::autosign_mode,
Optional[String] $autosign_content = $::puppet::autosign_content,
Optional[String] $autosign_source = $::puppet::autosign_source,
String $hiera_config = $::puppet::hiera_config,
Array[String] $admin_api_whitelist = $::puppet::server_admin_api_whitelist,
String $user = $::puppet::server_user,
String $group = $::puppet::server_group,
String $dir = $::puppet::server_dir,
Stdlib::Absolutepath $codedir = $::puppet::codedir,
Integer $port = $::puppet::server_port,
String $ip = $::puppet::server_ip,
Boolean $ca = $::puppet::server_ca,
Optional[String] $ca_crl_filepath = $::puppet::ca_crl_filepath,
Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync,
Optional[Boolean] $crl_enable = $::puppet::server_crl_enable,
Boolean $ca_auth_required = $::puppet::server_ca_auth_required,
Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist,
Boolean $http = $::puppet::server_http,
Integer $http_port = $::puppet::server_http_port,
Array[String] $http_allow = $::puppet::server_http_allow,
String $reports = $::puppet::server_reports,
Enum['master', 'puppetserver'] $implementation = $::puppet::server_implementation,
Boolean $passenger = $::puppet::server_passenger,
Stdlib::Absolutepath $puppetserver_vardir = $::puppet::server_puppetserver_vardir,
Optional[Stdlib::Absolutepath] $puppetserver_rundir = $::puppet::server_puppetserver_rundir,
Optional[Stdlib::Absolutepath] $puppetserver_logdir = $::puppet::server_puppetserver_logdir,
Stdlib::Absolutepath $puppetserver_dir = $::puppet::server_puppetserver_dir,
Pattern[/^[\d]\.[\d]+\.[\d]+$/] $puppetserver_version = $::puppet::server_puppetserver_version,
Boolean $service_fallback = $::puppet::server_service_fallback,
Integer[0] $passenger_min_instances = $::puppet::server_passenger_min_instances,
Boolean $passenger_pre_start = $::puppet::server_passenger_pre_start,
Optional[String] $passenger_ruby = $::puppet::server_passenger_ruby,
String $httpd_service = $::puppet::server_httpd_service,
Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $::puppet::server_external_nodes,
Array[String] $cipher_suites = $::puppet::server_cipher_suites,
Optional[String] $config_version = $::puppet::server_config_version,
Integer[0] $connect_timeout = $::puppet::server_connect_timeout,
Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout,
Boolean $git_repo = $::puppet::server_git_repo,
Boolean $dynamic_environments = $::puppet::server_dynamic_environments,
Boolean $directory_environments = $::puppet::server_directory_environments,
Boolean $default_manifest = $::puppet::server_default_manifest,
Stdlib::Absolutepath $default_manifest_path = $::puppet::server_default_manifest_path,
String $default_manifest_content = $::puppet::server_default_manifest_content,
Array[String] $environments = $::puppet::server_environments,
String $environments_owner = $::puppet::server_environments_owner,
Optional[String] $environments_group = $::puppet::server_environments_group,
Pattern[/^[0-9]{3,4}$/] $environments_mode = $::puppet::server_environments_mode,
Stdlib::Absolutepath $envs_dir = $::puppet::server_envs_dir,
Optional[Stdlib::Absolutepath] $envs_target = $::puppet::server_envs_target,
Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $::puppet::server_common_modules_path,
Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $::puppet::server_git_repo_mode,
Stdlib::Absolutepath $git_repo_path = $::puppet::server_git_repo_path,
String $git_repo_group = $::puppet::server_git_repo_group,
String $git_repo_user = $::puppet::server_git_repo_user,
Hash[String, String] $git_branch_map = $::puppet::server_git_branch_map,
Integer[0] $idle_timeout = $::puppet::server_idle_timeout,
String $post_hook_content = $::puppet::server_post_hook_content,
String $post_hook_name = $::puppet::server_post_hook_name,
Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $storeconfigs_backend = $::puppet::server_storeconfigs_backend,
Stdlib::Absolutepath $app_root = $::puppet::server_app_root,
Array[Stdlib::Absolutepath] $ruby_load_paths = $::puppet::server_ruby_load_paths,
Stdlib::Absolutepath $ssl_dir = $::puppet::server_ssl_dir,
Boolean $ssl_dir_manage = $::puppet::server_ssl_dir_manage,
Boolean $ssl_key_manage = $::puppet::server_ssl_key_manage,
Array[String] $ssl_protocols = $::puppet::server_ssl_protocols,
Optional[Stdlib::Absolutepath] $ssl_chain_filepath = $::puppet::server_ssl_chain_filepath,
Optional[Variant[String, Array[String]]] $package = $::puppet::server_package,
Optional[String] $version = $::puppet::server_version,
String $certname = $::puppet::server_certname,
Enum['v2', 'v1'] $enc_api = $::puppet::server_enc_api,
Enum['v2', 'v1'] $report_api = $::puppet::server_report_api,
Integer[0] $request_timeout = $::puppet::server_request_timeout,
Optional[String] $ca_proxy = $::puppet::server_ca_proxy,
Boolean $strict_variables = $::puppet::server_strict_variables,
Hash[String, Data] $additional_settings = $::puppet::server_additional_settings,
Array[String] $rack_arguments = $::puppet::server_rack_arguments,
Boolean $foreman = $::puppet::server_foreman,
Stdlib::HTTPUrl $foreman_url = $::puppet::server_foreman_url,
Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca,
Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $::puppet::server_foreman_ssl_cert,
Optional[Stdlib::Absolutepath] $foreman_ssl_key = $::puppet::server_foreman_ssl_key,
Boolean $server_foreman_facts = $::puppet::server_foreman_facts,
Optional[Stdlib::Absolutepath] $puppet_basedir = $::puppet::server_puppet_basedir,
Optional[String] $puppetdb_host = $::puppet::server_puppetdb_host,
Integer[0, 65535] $puppetdb_port = $::puppet::server_puppetdb_port,
Boolean $puppetdb_swf = $::puppet::server_puppetdb_swf,
Enum['current', 'future'] $parser = $::puppet::server_parser,
Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $::puppet::server_environment_timeout,
String $jvm_java_bin = $::puppet::server_jvm_java_bin,
String $jvm_config = $::puppet::server_jvm_config,
Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $::puppet::server_jvm_min_heap_size,
Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $::puppet::server_jvm_max_heap_size,
String $jvm_extra_args = $::puppet::server_jvm_extra_args,
Optional[String] $jvm_cli_args = $::puppet::server_jvm_cli_args,
Optional[Stdlib::Absolutepath] $jruby_gem_home = $::puppet::server_jruby_gem_home,
Integer[1] $max_active_instances = $::puppet::server_max_active_instances,
Integer[0] $max_requests_per_instance = $::puppet::server_max_requests_per_instance,
Boolean $use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf,
Boolean $check_for_updates = $::puppet::server_check_for_updates,
Boolean $environment_class_cache_enabled = $::puppet::server_environment_class_cache_enabled,
Boolean $allow_header_cert_info = $::puppet::server_allow_header_cert_info,
Boolean $puppetserver_jruby9k = $::puppet::server_puppetserver_jruby9k,
Boolean $puppetserver_metrics = $::puppet::server_puppetserver_metrics,
Boolean $puppetserver_experimental = $::puppet::server_puppetserver_experimental,
) {
if $implementation == 'master' and $ip != $puppet::params::ip {
notify {
'ip_not_supported':
message => "Bind IP address is unsupported for the ${implementation} implementation.",
loglevel => 'warning',
}
}
if $ca {
- $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem"
- $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem"
- $ssl_chain = $ssl_chain_filepath
- $_crl_enable = pick($crl_enable, true)
+ $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem"
+ $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem"
+ $ssl_chain = $ssl_chain_filepath
+ $crl_enable_real = pick($crl_enable, true)
} else {
- $ssl_ca_cert = "${ssl_dir}/certs/ca.pem"
- $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem")
- $ssl_chain = false
- $_crl_enable = pick($crl_enable, false)
+ $ssl_ca_cert = "${ssl_dir}/certs/ca.pem"
+ $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem")
+ $ssl_chain = false
+ $crl_enable_real = pick($crl_enable, false)
}
$ssl_cert = "${ssl_dir}/certs/${certname}.pem"
$ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem"
if $config_version == undef {
if $git_repo {
$config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long"
} else {
$config_version_cmd = undef
}
} else {
$config_version_cmd = $config_version
}
if $implementation == 'master' {
$pm_service = !$passenger and $service_fallback
$ps_service = undef
$rack_service = $passenger
} elsif $implementation == 'puppetserver' {
$pm_service = undef
$ps_service = true
$rack_service = false
}
class { '::puppet::server::install': }
~> class { '::puppet::server::config': }
~> class { '::puppet::server::service':
app_root => $app_root,
httpd_service => $httpd_service,
puppetmaster => $pm_service,
puppetserver => $ps_service,
rack => $rack_service,
}
-> Class['puppet::server']
Class['puppet::config'] ~> Class['puppet::server::service']
}
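Review bot: The renamed `$crl_enable_real` (set in both branches of `if $ca`) is now read from another class, as `$::puppet::server::crl_enable_real` in manifests/server/puppetserver.pp, but nothing at the assignment marks it as part of this class's cross-class interface. The old leading underscore presumably kept the variable local, so a later cleanup that restores that naming would break the lookup without any error in this file. I would add a comment above the `if $ca {` block such as `# $crl_enable_real, $ssl_ca_crl, $ssl_ca_cert and $ssl_chain are read by puppet::server::puppetserver; keep these names stable.` The same comment should state that without a local CA the value falls back to `false`, so CRL processing stays disabled on such a server unless `$crl_enable` is set explicitly.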
diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
index d9a6f4d..3c6153a 100644
--- a/manifests/server/puppetserver.pp
+++ b/manifests/server/puppetserver.pp
@@ -1,275 +1,284 @@
# == Class: puppet::server::puppetserver
#
# Configures the puppetserver jvm configuration file using augeas.
#
# === Parameters:
#
# * `java_bin`
# Path to the java executable to use
#
# * `config`
# Path to the jvm configuration file.
# This file is usually either /etc/default/puppetserver or
# /etc/sysconfig/puppetserver depending on your *nix flavor.
#
# * `jvm_min_heap_size`
# Translates into the -Xms option and is added to the JAVA_ARGS
#
# * `jvm_max_heap_size`
# Translates into the -Xmx option and is added to the JAVA_ARGS
#
# * `jvm_extra_args`
# Custom options to pass through to the java binary. These get added to
# the end of the JAVA_ARGS variable
#
# * `jvm_cli_args`
# Custom options to pass through to the java binary when using a
# puppetserver subcommand, (eg puppetserver gem). These get used
# in the JAVA_ARGS_CLI variable.
#
# * `server_puppetserver_dir`
# Puppetserver config directory
#
# * `server_puppetserver_vardir`
# Puppetserver var directory
#
# * `server_jruby_gem_home`
# Puppetserver jruby gemhome
#
# * `server_cipher_suites`
# Puppetserver array of acceptable ciphers
#
# * `server_ssl_protocols`
# Puppetserver array of acceptable ssl protocols
#
# * `server_max_active_instances`
# Puppetserver number of max jruby instances
#
# * `server_max_requests_per_instance`
# Puppetserver number of max requests per jruby instance
#
# === Example
#
# @example
#
# # configure memory for java < 8
# class {'::puppet::server::puppetserver':
# jvm_min_heap_size => '1G',
# jvm_max_heap_size => '3G',
# jvm_extra_args => '-XX:MaxPermSize=256m',
# }
#
class puppet::server::puppetserver (
$config = $::puppet::server::jvm_config,
$java_bin = $::puppet::server::jvm_java_bin,
$jvm_extra_args = $::puppet::server::jvm_extra_args,
$jvm_cli_args = $::puppet::server::jvm_cli_args,
$jvm_min_heap_size = $::puppet::server::jvm_min_heap_size,
$jvm_max_heap_size = $::puppet::server::jvm_max_heap_size,
$server_puppetserver_dir = $::puppet::server::puppetserver_dir,
$server_puppetserver_vardir = $::puppet::server::puppetserver_vardir,
$server_puppetserver_rundir = $::puppet::server::puppetserver_rundir,
$server_puppetserver_logdir = $::puppet::server::puppetserver_logdir,
$server_jruby_gem_home = $::puppet::server::jruby_gem_home,
$server_ruby_load_paths = $::puppet::server::ruby_load_paths,
$server_cipher_suites = $::puppet::server::cipher_suites,
$server_max_active_instances = $::puppet::server::max_active_instances,
$server_max_requests_per_instance = $::puppet::server::max_requests_per_instance,
$server_ssl_protocols = $::puppet::server::ssl_protocols,
+ $server_ssl_ca_crl = $::puppet::server::ssl_ca_crl,
+ $server_ssl_ca_cert = $::puppet::server::ssl_ca_cert,
+ $server_ssl_cert = $::puppet::server::ssl_cert,
+ $server_ssl_cert_key = $::puppet::server::ssl_cert_key,
+ $server_ssl_chain = $::puppet::server::ssl_chain,
+ $server_crl_enable = $::puppet::server::crl_enable_real,
+ $server_ip = $::puppet::server::ip,
+ $server_port = $::puppet::server::port,
$server_http = $::puppet::server::http,
$server_http_allow = $::puppet::server::http_allow,
+ $server_http_port = $::puppet::server::http_port,
$server_ca = $::puppet::server::ca,
$server_dir = $::puppet::server::dir,
$codedir = $::puppet::server::codedir,
$server_idle_timeout = $::puppet::server::idle_timeout,
$server_web_idle_timeout = $::puppet::server::web_idle_timeout,
$server_connect_timeout = $::puppet::server::connect_timeout,
$server_ca_auth_required = $::puppet::server::ca_auth_required,
$server_ca_client_whitelist = $::puppet::server::ca_client_whitelist,
$server_admin_api_whitelist = $::puppet::server::admin_api_whitelist,
$server_puppetserver_version = $::puppet::server::puppetserver_version,
$server_use_legacy_auth_conf = $::puppet::server::use_legacy_auth_conf,
$server_check_for_updates = $::puppet::server::check_for_updates,
$server_environment_class_cache_enabled = $::puppet::server::environment_class_cache_enabled,
$server_jruby9k = $::puppet::server::puppetserver_jruby9k,
$server_metrics = $::puppet::server::puppetserver_metrics,
$server_experimental = $::puppet::server::puppetserver_experimental,
) {
include ::puppet::server
if !(empty($server_http_allow)) {
fail('setting $server_http_allow is not supported for puppetserver as it would have no effect')
}
$puppetserver_package = pick($::puppet::server::package, 'puppetserver')
$jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args]
$jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' '))
if $::osfamily == 'FreeBSD' {
augeas { 'puppet::server::puppetserver::jvm':
context => '/files/etc/rc.conf',
changes => [ "set puppetserver_java_opts '\"${jvm_cmd}\"'" ],
}
} else {
if $jvm_cli_args {
$changes = [
"set JAVA_ARGS '\"${jvm_cmd}\"'",
"set JAVA_BIN ${java_bin}",
"set JAVA_ARGS_CLI '\"${jvm_cli_args}\"'",
]
} else {
$changes = [
"set JAVA_ARGS '\"${jvm_cmd}\"'",
"set JAVA_BIN ${java_bin}",
]
}
augeas { 'puppet::server::puppetserver::jvm':
lens => 'Shellvars.lns',
incl => $config,
context => "/files${config}",
changes => $changes,
}
if versioncmp($server_puppetserver_version, '2.4.99') == 0 {
$bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg,${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"
} elsif versioncmp($server_puppetserver_version, '2.5') >= 0 {
$bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"
} else { # 2.4
$bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg"
}
augeas { 'puppet::server::puppetserver::bootstrap':
lens => 'Shellvars.lns',
incl => $config,
context => "/files${config}",
changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'",
}
if versioncmp($server_puppetserver_version, '5.0') >= 0 {
$jruby_jar_changes = $server_jruby9k ? {
true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'",
default => 'rm JRUBY_JAR'
}
augeas { 'puppet::server::puppetserver::jruby_jar':
lens => 'Shellvars.lns',
incl => $config,
context => "/files${config}",
changes => $jruby_jar_changes,
}
}
}
# 2.4.99 configures for both 2.4 and 2.5 making upgrades and new installations easier when the
# precise version available isn't known
if versioncmp($server_puppetserver_version, '2.4.99') >= 0 {
$servicesd = "${server_puppetserver_dir}/services.d"
file { $servicesd:
ensure => directory,
}
file { "${servicesd}/ca.cfg":
ensure => file,
content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'),
}
unless $::osfamily == 'FreeBSD' {
file { '/opt/puppetlabs/server/apps/puppetserver/config':
ensure => directory,
}
file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d':
ensure => directory,
}
}
}
if versioncmp($server_puppetserver_version, '2.5') < 0 {
$bootstrapcfg = "${server_puppetserver_dir}/bootstrap.cfg"
file { $bootstrapcfg:
ensure => file,
}
$ca_enabled_ensure = $server_ca ? {
true => present,
default => absent,
}
$ca_disabled_ensure = $server_ca ? {
false => present,
default => absent,
}
file_line { 'ca_enabled':
ensure => $ca_enabled_ensure,
path => $bootstrapcfg,
line => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service',
require => File[$bootstrapcfg],
}
file_line { 'ca_disabled':
ensure => $ca_disabled_ensure,
path => $bootstrapcfg,
line => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service',
require => File[$bootstrapcfg],
}
if versioncmp($server_puppetserver_version, '2.3') >= 0 {
$versioned_code_service_ensure = present
} else {
$versioned_code_service_ensure = absent
}
file_line { 'versioned_code_service':
ensure => $versioned_code_service_ensure,
path => $bootstrapcfg,
line => 'puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service',
require => File[$bootstrapcfg],
}
}
if versioncmp($server_puppetserver_version, '2.2') < 0 {
$ca_conf_ensure = file
} else {
$ca_conf_ensure = absent
}
file { "${server_puppetserver_dir}/conf.d/ca.conf":
ensure => $ca_conf_ensure,
content => template('puppet/server/puppetserver/conf.d/ca.conf.erb'),
}
file { "${server_puppetserver_dir}/conf.d/puppetserver.conf":
ensure => file,
content => template('puppet/server/puppetserver/conf.d/puppetserver.conf.erb'),
}
file { "${server_puppetserver_dir}/conf.d/webserver.conf":
ensure => file,
content => template('puppet/server/puppetserver/conf.d/webserver.conf.erb'),
}
file { "${server_puppetserver_dir}/conf.d/auth.conf":
ensure => file,
content => template('puppet/server/puppetserver/conf.d/auth.conf.erb'),
}
$product_conf = "${server_puppetserver_dir}/conf.d/product.conf"
if versioncmp($server_puppetserver_version, '2.7') >= 0 {
$product_conf_ensure = file
hocon_setting { 'server_check_for_updates':
ensure => present,
path => $product_conf,
setting => 'product.check-for-updates',
value => $server_check_for_updates,
require => File[$product_conf],
}
} else {
$product_conf_ensure = absent
}
file { $product_conf:
ensure => $product_conf_ensure,
}
}
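Review bot: The nine parameters added to the signature (`server_ssl_ca_crl` through `server_port`, plus `server_http_port`) have no entry in the `=== Parameters:` header, which is the only place this class documents its inputs. Two of them inherit security-relevant defaults from manifests/server.pp: `server_crl_enable` and `server_ssl_chain` both resolve to `false` whenever `$ca` is false. Each should get a header entry in the existing style that says so, for example for `server_crl_enable`: `Whether CRL processing is enabled; false by default when the server is not a CA`. `server_ip` and `server_http_port` are presumably consumed by the webserver.conf.erb template, which is not visible in this hunk. Because the class body rejects `server_http_allow` for puppetserver, the entry for `server_http_port` should state that the plain-HTTP listener has no client allow-list here and must be restricted through the bind address or a fronting proxy.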
diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
index ee93887..9637181 100644
--- a/spec/classes/puppet_server_config_spec.rb
+++ b/spec/classes/puppet_server_config_spec.rb
@@ -1,830 +1,919 @@
require 'spec_helper'
describe 'puppet::server::config' do
before :each do
@cacrl = Tempfile.new('cacrl')
File.open(@cacrl, 'w') { |f| f.write "This is my CRL File" }
Puppet.settings[:cacrl] = @cacrl.path
end
on_os_under_test.each do |os, facts|
next if unsupported_puppetmaster_osfamily(facts[:osfamily])
context "on #{os}" do
if Puppet.version < '4.0'
codedir = '/etc/puppet'
confdir = '/etc/puppet'
conf_file = '/etc/puppet/puppet.conf'
environments_dir = '/etc/puppet/environments'
logdir = '/var/log/puppet'
rundir = '/var/run/puppet'
vardir = '/var/lib/puppet'
puppetserver_vardir = '/var/lib/puppet'
puppetserver_logdir = '/var/log/puppet'
puppetserver_rundir = '/var/run/puppet'
ssldir = '/var/lib/puppet/ssl'
sharedir = '/usr/share/puppet'
etcdir = '/etc/puppet'
puppetcacmd = '/usr/bin/puppet cert'
additional_facts = {}
else
codedir = '/etc/puppetlabs/code'
confdir = '/etc/puppetlabs/puppet'
conf_file = '/etc/puppetlabs/puppet/puppet.conf'
environments_dir = '/etc/puppetlabs/code/environments'
logdir = '/var/log/puppetlabs/puppet'
rundir = '/var/run/puppetlabs'
vardir = '/opt/puppetlabs/puppet/cache'
puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver'
puppetserver_logdir = '/var/log/puppetlabs/puppetserver'
puppetserver_rundir = '/var/run/puppetlabs/puppetserver'
ssldir = '/etc/puppetlabs/puppet/ssl'
sharedir = '/opt/puppetlabs/puppet'
etcdir = '/etc/puppetlabs/puppet'
puppetcacmd = '/opt/puppetlabs/bin/puppet cert'
additional_facts = {:rubysitedir => '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0'}
end
if facts[:osfamily] == 'FreeBSD'
codedir = '/usr/local/etc/puppet'
confdir = '/usr/local/etc/puppet'
conf_file = '/usr/local/etc/puppet/puppet.conf'
environments_dir = '/usr/local/etc/puppet/environments'
logdir = '/var/log/puppet'
rundir = '/var/run/puppet'
vardir = '/var/puppet'
puppetserver_vardir = '/var/puppet/server/data/puppetserver'
puppetserver_logdir = '/var/log/puppetserver'
puppetserver_rundir = '/var/run/puppetserver'
ssldir = '/var/puppet/ssl'
sharedir = '/usr/local/share/puppet'
etcdir = '/usr/local/etc/puppet'
puppetcacmd = '/usr/local/bin/puppet cert'
additional_facts = {}
end
let(:facts) do
facts.merge({:clientcert => 'puppetmaster.example.com'}).merge(additional_facts)
end
describe 'with no custom parameters' do
let :pre_condition do
"class {'puppet': server => true}"
end
it 'should set up SSL permissions' do
should contain_file("#{ssldir}/private_keys").with({
:group => 'puppet',
:mode => '0750',
})
should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem").with({
:group => 'puppet',
:mode => '0640',
})
should contain_exec('puppet_server_config-create_ssl_dir').with({
:creates => ssldir,
:command => "/bin/mkdir -p #{ssldir}",
:umask => '0022',
})
should contain_exec('puppet_server_config-generate_ca_cert').with({
:creates => "#{ssldir}/certs/puppetmaster.example.com.pem",
:command => "#{puppetcacmd} --generate puppetmaster.example.com --allow-dns-alt-names",
:umask => '0022',
:require => ["Concat[#{conf_file}]", "Exec[puppet_server_config-create_ssl_dir]"],
})
end
context 'with non-AIO packages', :if => (Puppet.version < '4.0' || facts[:osfamily] == 'FreeBSD') do
it 'CA cert generation should notify the Apache service' do
should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[httpd]')
end
end
context 'with AIO packages', :if => (Puppet.version > '4.0' && facts[:osfamily] != 'FreeBSD') do
it 'CA cert generation should notify the puppetserver service' do
should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]')
end
end
it 'should set up the ENC' do
should contain_class('foreman::puppetmaster').with({
:foreman_url => "https://foo.example.com",
:receive_facts => true,
:puppet_home => puppetserver_vardir,
:puppet_etcdir => etcdir,
# Since this is managed inside the foreman module it does not
# make sense to test it here
#:puppet_basedir => '/usr/lib/ruby/site_ruby/1.9/puppet',
:timeout => 60,
})
end
it 'should set up the environments' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_file(sharedir).with_ensure('directory')
should contain_file("#{codedir}/environments/common").with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_file("#{sharedir}/modules").with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_puppet__server__env('development')
should contain_puppet__server__env('production')
end
it 'should configure puppet' do
should contain_puppet__config__main("logdir").with({'value' => "#{logdir}"})
should contain_puppet__config__main("rundir").with({'value' => "#{rundir}"})
should contain_puppet__config__main("ssldir").with({'value' => "#{ssldir}"})
should contain_puppet__config__main("privatekeydir").with({'value' => '$ssldir/private_keys { group = service }'})
should contain_puppet__config__main("hostprivkey").with({'value' => '$privatekeydir/$certname.pem { mode = 640 }'})
should contain_puppet__config__main("reports").with({'value' => 'foreman'})
if Puppet.version >= '3.6'
should contain_puppet__config__main("environmentpath").with({'value' => "#{codedir}/environments"})
should contain_puppet__config__main("basemodulepath").with({
'value' => ["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules"],
'joiner' => ':'})
end
should contain_puppet__config__agent('classfile').with({'value' => '$statedir/classes.txt'})
should contain_puppet__config__master('external_nodes').with({'value' => "#{etcdir}\/node.rb"})
should contain_puppet__config__master('node_terminus').with({'value' => 'exec'})
should contain_puppet__config__master('ca').with({'value' => 'true'})
should contain_puppet__config__master('ssldir').with({'value' => "#{ssldir}"})
should contain_puppet__config__master('parser').with({'value' => 'current'})
should contain_puppet__config__master("autosign").with({'value' => "#{etcdir}\/autosign.conf \{ mode = 0664 \}"})
should contain_concat(conf_file)
should_not contain_puppet__config__master('storeconfigs')
should contain_file("#{etcdir}/autosign.conf")
end
context 'on Puppet < 4.0.0', :if => (Puppet.version < '4.0.0') do
it 'should set configtimeout' do
should contain_puppet__config__agent('configtimeout').with({'value' => '120'})
end
end
context 'on Puppet >= 4.0.0', :if => (Puppet.version >= '4.0.0') do
it 'should not set configtimeout' do
should_not contain_puppet__config__agent('configtimeout')
end
end
it 'should not configure PuppetDB' do
should_not contain_class('puppetdb')
should_not contain_class('puppetdb::master::config')
end
end
describe "when autosign => true" do
let :pre_condition do
"class {'puppet':
server => true,
autosign => true,
}"
end
it 'should contain puppet.conf [main] with autosign = true' do
should contain_puppet__config__master('autosign').with({'value' => true})
end
end
describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do
let :pre_condition do
"class {'puppet':
server => true,
autosign => '/somedir/custom_autosign',
autosign_mode => '664',
}"
end
it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 664 }' do
should contain_puppet__config__master('autosign').with({'value' => "/somedir/custom_autosign { mode = 664 }"})
end
end
describe "when autosign_entries is not set" do
let :pre_condition do
"class {'puppet':
server => true,
}"
end
it 'should contain autosign.conf with out content set' do
should contain_file("#{confdir}/autosign.conf")
should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/)
should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/)
end
end
describe "when autosign_entries set to ['foo.bar']" do
let :pre_condition do
"class {'puppet':
server => true,
autosign_entries => ['foo.bar'],
}"
end
it 'should contain autosign.conf with content set' do
should contain_file("#{confdir}/autosign.conf")
should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/)
should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/)
end
end
describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do
let :pre_condition do
"class {'puppet':
server => true,
autosign_content => 'foo.bar',
autosign_entries => ['foo.bar'],
}"
end
it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) }
end
describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do
let :pre_condition do
"class {'puppet':
server => true,
autosign_source => 'puppet:///foo/bar',
autosign_entries => ['foo.bar'],
}"
end
it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) }
end
describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_content set to 'foo.bar'" do
let :pre_condition do
"class {'puppet':
server => true,
autosign => '#{confdir}/custom_autosign.sh',
autosign_mode => '775',
autosign_content => 'foo.bar',
}"
end
it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do
should contain_puppet__config__master('autosign').with({'value' => "#{confdir}/custom_autosign.sh { mode = 775 }"})
end
it 'should contain custom_autosign.sh with content set' do
should contain_file("#{confdir}/custom_autosign.sh")
should contain_file("#{confdir}/custom_autosign.sh").with_content(/foo.bar/)
end
end
describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_source set to 'puppet:///foo/bar'" do
let :pre_condition do
"class {'puppet':
server => true,
autosign => '#{confdir}/custom_autosign.sh',
autosign_mode => '775',
autosign_source => 'puppet:///foo/bar',
}"
end
it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do
should contain_puppet__config__master('autosign').with({'value' => "#{confdir}/custom_autosign.sh { mode = 775 }"})
end
it 'should contain custom_autosign.sh with content set' do
should contain_file("#{confdir}/custom_autosign.sh")
should contain_file("#{confdir}/custom_autosign.sh").with_source('puppet:///foo/bar')
end
end
describe "when hiera_config => '$confdir/hiera.yaml'" do
let :pre_condition do
"class {'puppet':
server => true,
hiera_config => '/etc/puppet/hiera/production/hiera.yaml',
}"
end
it 'should contain puppet.conf [main] with non-default hiera_config' do
should contain_puppet__config__main("hiera_config").with({'value' => '/etc/puppet/hiera/production/hiera.yaml'})
end
end
describe 'without foreman' do
let :pre_condition do
"class {'puppet':
server => true,
server_reports => 'store',
server_external_nodes => '',
}"
end
it 'should contain an empty external_nodes' do
should_not contain_puppet__config__master('external_nodes')
end
end
describe 'without external_nodes' do
let :pre_condition do
"class {'puppet':
server => true,
server_external_nodes => '',
}"
end
it 'should not contain external_nodes' do
should_not contain_puppet__config__master('external_nodes')
should_not contain_puppet__config__master('node_terminus')
end
end
describe 'with server_default_manifest => true and undef content' do
let :pre_condition do
'class { "::puppet":
server_default_manifest => true,
server => true
}'
end
it 'should contain default_manifest setting in puppet.conf' do
should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'})
end
it 'should_not contain default manifest /etc/puppet/manifests/default_manifest.pp' do
should_not contain_file('/etc/puppet/manifests/default_manifest.pp')
end
end
describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do
let :pre_condition do
'class { "::puppet":
server_default_manifest => true,
server_default_manifest_content => "include foo",
server => true
}'
end
it 'should contain default_manifest setting in puppet.conf' do
should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'})
end
it 'should contain default manifest /etc/puppet/manifests/default_manifest.pp' do
should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content(/include foo/)
end
end
describe 'with git repo' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'puppet',
})
end
it 'should create the git repo' do
should contain_file(vardir).with({
:ensure => 'directory',
:owner => 'puppet',
})
should contain_git__repo('puppet_repo').with({
:bare => true,
:target => "#{vardir}/puppet.git",
:user => 'puppet',
:require => %r{File\[#{environments_dir}\]},
})
should contain_file("#{vardir}/puppet.git/hooks/post-receive").with({
:owner => 'puppet',
:mode => '0755',
:require => %r{Git::Repo\[puppet_repo\]},
:content => %r{BRANCH_MAP = \{[^a-zA-Z=>]\}},
})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
context 'with directory environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_directory_environments => true,
}"
end
it 'should configure puppet.conf' do
should_not contain_puppet__config__master('config_version')
should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"})
end
end
context 'with config environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_directory_environments => false,
}"
end
it 'should configure puppet.conf' do
should contain_puppet__config__master('manifest').with({'value' => "#{environments_dir}/\$environment/manifests/site.pp"})
should contain_puppet__config__master('modulepath').with({'value' => "#{environments_dir}/\$environment/modules"})
should contain_puppet__config__master('config_version').with({'value' => "git --git-dir #{environments_dir}/\$environment/.git describe --all --long"})
end
end
end
describe 'with dynamic environments' do
context 'with directory environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => true,
server_environments_owner => 'apache',
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'apache',
})
end
it 'should configure puppet.conf' do
should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"})
should contain_puppet__config__main('basemodulepath').with({'value' => ["#{environments_dir}/common","#{codedir}/modules","#{sharedir}/modules"]})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
end
context 'with no common modules directory' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => true,
server_environments_owner => 'apache',
server_common_modules_path => '',
}"
end
it 'should configure puppet.conf' do
should_not contain_puppet__config__main('basemodulepath')
end
end
context 'with config environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => false,
server_environments_owner => 'apache',
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'apache',
})
end
it 'should configure puppet.conf' do
should contain_puppet__config__master('manifest').with({'value' => "#{environments_dir}/\$environment/manifests/site.pp"})
should contain_puppet__config__master('modulepath').with({'value' => "#{environments_dir}/\$environment/modules"})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
end
end
describe 'with SSL path overrides' do
let :pre_condition do
"class {'puppet':
server => true,
server_foreman_ssl_ca => '/etc/example/ca.pem',
server_foreman_ssl_cert => '/etc/example/cert.pem',
server_foreman_ssl_key => '/etc/example/key.pem',
}"
end
it 'should pass SSL parameters to the ENC' do
should contain_class('foreman::puppetmaster').with({
:ssl_ca => '/etc/example/ca.pem',
:ssl_cert => '/etc/example/cert.pem',
:ssl_key => '/etc/example/key.pem',
})
end
end
describe 'with a PuppetDB host set' do
let :pre_condition do
"class {'puppet':
server => true,
server_puppetdb_host => 'mypuppetdb.example.com',
server_storeconfigs_backend => 'puppetdb',
}"
end
it 'should configure PuppetDB' do
should compile.with_all_deps
should contain_class('puppetdb::master::config').with({
:puppetdb_server => 'mypuppetdb.example.com',
:puppetdb_port => 8081,
:puppetdb_soft_write_failure => false,
:manage_storeconfigs => false,
:restart_puppet => false,
})
end
end
describe 'with a puppet git branch map' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_git_branch_map => { 'a' => 'b', 'c' => 'd' }
}"
end
it 'should add the branch map to the post receive hook' do
should contain_file("#{vardir}/puppet.git/hooks/post-receive").
with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/)
end
end
describe 'with additional settings' do
let :pre_condition do
"class {'puppet':
server => true,
server_additional_settings => {stringify_facts => true},
}"
end
it 'should configure puppet.conf' do
should contain_puppet__config__master('stringify_facts').with({'value' => true})
end
end
describe 'directory environments default' do
let :pre_condition do
"class {'puppet':
server => true,
}"
end
context 'on old Puppet', :if => (Puppet.version < '3.6.0') do
it 'should be disabled' do
should_not contain_puppet__config__main('environmentpath')
end
end
context 'on Puppet 3.6.0+', :if => (Puppet.version >= '3.6.0') do
it 'should be enabled' do
should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"})
end
end
end
describe 'with server_parser => future' do
let :pre_condition do
"class {'puppet':
server => true,
server_parser => 'future',
}"
end
it 'should configure future parser' do
should contain_puppet__config__master('parser').with({'value' => "future"})
end
end
describe 'with server_environment_timeout set' do
let :pre_condition do
"class {'puppet':
server => true,
server_environment_timeout => '10m',
}"
end
it 'should configure environment_timeout accordingly' do
should contain_puppet__config__master('environment_timeout').with({'value' => "10m"})
end
end
describe 'with no ssldir managed for master' do
let :pre_condition do
"class {'puppet': server => true, server_ssl_dir_manage => false}"
end
it 'should not contain ssl_dir configuration setting in the master section' do
should_not contain_puppet__config__master('ssl_dir')
end
end
describe 'with ssl key management disabled for server' do
let :pre_condition do
"class {'puppet':
server => true,
server_certname => 'servercert',
server_ssl_key_manage => false,
server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl'
}"
end
it 'should not contain a default ssl key definition' do
should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem')
end
end
describe 'with nondefault CA settings' do
context 'with server_ca => false' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca => false,
}"
end
it 'should create the ssl directory' do
should contain_exec('puppet_server_config-create_ssl_dir')
end
it 'should not generate CA certificates' do
should_not contain_exec('puppet_server_config-generate_ca_cert')
end
end
end
describe 'with server_implementation => "puppetserver"', :if => (Puppet.version >= '4.0.0') do
let :pre_condition do
"class {'puppet':
server => true,
server_implementation => 'puppetserver'
}"
end
it 'should configure puppet.conf' do
should contain_puppet__config__master("vardir").with_value(puppetserver_vardir)
should contain_puppet__config__master("logdir").with_value(puppetserver_logdir)
should contain_puppet__config__master("rundir").with_value(puppetserver_rundir)
end
end
describe 'with server_ca_crl_sync => true' do
context 'with server_ca => false and running "puppet apply"' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca_crl_sync => true,
server_ca => false,
server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl'
}"
end
it 'should not sync the crl' do
should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
end
end
context 'with server_ca => false: running "puppet agent -t"' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca_crl_sync => true,
server_ca => false,
server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl'
}"
end
let(:facts) do
facts.merge({:servername => 'myserver' })
end
it 'should sync the crl from the ca' do
should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem').
with_content("This is my CRL File")
end
end
context 'with server_ca => true: running "puppet agent -t"' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca_crl_sync => true,
server_ca => true,
server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl'
}"
end
let(:facts) do
facts.merge({:servername => 'myserver' })
end
it 'should not sync the crl' do
should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem')
end
end
end
describe 'allow crl checking' do
context 'as ca' do
let :pre_condition do
"class {'puppet':
server => true,
server_implementation => 'puppetserver',
server_ca => true,
server_puppetserver_dir => '/etc/custom/puppetserver',
server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
}"
end
it 'should use the ca_crl.pem file' do
should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
with_content(/ssl-crl-path: #{ssldir}\/ca\/ca_crl.pem/)
end
end
context 'as non-ca with default' do
let :pre_condition do
"class {'puppet':
server => true,
server_implementation => 'puppetserver',
server_ca => false,
server_puppetserver_dir => '/etc/custom/puppetserver',
server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
}"
end
it 'should use the ca_crl.pem file' do
should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
without_content(/ssl-crl-path: #{ssldir}\/crl.pem/)
end
end
context 'as non-ca with default' do
let :pre_condition do
"class {'puppet':
server => true,
server_implementation => 'puppetserver',
server_ca => false,
server_crl_enable => true,
server_puppetserver_dir => '/etc/custom/puppetserver',
server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
}"
end
it 'should use the ca_crl.pem file' do
should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
with_content(/ssl-crl-path: #{ssldir}\/crl.pem/)
end
end
end
describe 'with ssl_chain_filepath overwritten' do
- let :pre_condition do
+ let :pre_condition do
"class {'puppet':
- server => true,
- server_implementation => 'puppetserver',
- server_ca => true,
- server_puppetserver_dir => '/etc/custom/puppetserver',
- server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems',
- server_ssl_chain_filepath => '/etc/example/certchain.pem',
+ server => true,
+ server_implementation => 'puppetserver',
+ server_ca => true,
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems',
+ server_ssl_chain_filepath => '/etc/example/certchain.pem',
}"
end
it 'should use the server_ssl_chain_filepath file' do
should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
with_content(/ssl-cert-chain: \/etc\/example\/certchain.pem/)
end
end
+
+ describe 'with server_ip parameter given to the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_ip => '127.0.0.1',
+ }"
+ end
+
+ it 'should put the correct ip address in webserver.conf' do
+ should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').with_content(/ssl-host:\s127\.0\.0\.1/)
+ end
+ end
+
+ describe 'with server_certname parameter' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_certname => 'puppetserver43.example.com',
+ server_ssl_dir => '/etc/custom/puppet/ssl',
+ }"
+ end
+
+ it 'should put the correct ssl key path in webserver.conf' do
+ should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
+ with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem})
+ end
+
+ it 'should put the correct ssl cert path in webserver.conf' do
+ should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
+ with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem})
+ end
+ end
+
+ describe 'with server_http parameter set to true for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_http => true,
+ }"
+ end
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
+ with_content(/ host:\s0\.0\.0\.0/).
+ with_content(/ port:\s8139/).
+ with({})
+ }
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: true/).
+ with({})
+ }
+ end
+
+ describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_allow_header_cert_info => true,
+ }"
+ end
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: true/).
+ with({})
+ }
+ end
+
+ describe 'with server_http_allow parameter set for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_http => true,
+ server_http_allow => ['1.2.3.4'],
+ }"
+ end
+
+ it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) }
+ end
end
end
end
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index 23459ff..9054d3e 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -1,844 +1,761 @@
require 'spec_helper'
describe 'puppet::server::puppetserver' do
on_os_under_test.each do |os, facts|
next if facts[:osfamily] == 'windows'
next if facts[:osfamily] == 'Archlinux'
context "on #{os}" do
let :pre_condition do
"class {'puppet': server_implementation => 'puppetserver'}"
end
if Puppet.version < '4.0'
additional_facts = {}
else
additional_facts = {:rubysitedir => '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0'}
end
let(:facts) do
facts.merge(additional_facts)
end
let(:default_params) do {
:java_bin => '/usr/bin/java',
:config => '/etc/default/puppetserver',
:jvm_min_heap_size => '2G',
:jvm_max_heap_size => '2G',
:jvm_extra_args => '',
:jvm_cli_args => false, # In reality defaults to undef
:server_ca_auth_required => true,
:server_ca_client_whitelist => [ 'localhost', 'puppetserver123.example.com' ],
:server_admin_api_whitelist => [ 'localhost', 'puppetserver123.example.com' ],
:server_ruby_load_paths => [ '/some/path', ],
:server_ssl_protocols => [ 'TLSv1.2', ],
:server_cipher_suites => [ 'TLS_RSA_WITH_AES_256_CBC_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA', ],
:server_max_active_instances => 2,
:server_max_requests_per_instance => 0,
:server_http => false,
:server_http_allow => [],
:server_ca => true,
:server_puppetserver_version => '2.4.99',
:server_use_legacy_auth_conf => false,
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_puppetserver_vardir => '/opt/puppetlabs/server/data/puppetserver',
:server_puppetserver_rundir => '/var/run/puppetlabs/puppetserver',
:server_puppetserver_logdir => '/var/log/puppetlabs/puppetserver',
:server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems',
:server_dir => '/etc/puppetlabs/puppet',
:codedir => '/etc/puppetlabs/code',
:server_idle_timeout => 1200000,
:server_web_idle_timeout => 30000,
:server_connect_timeout => 120000,
:server_check_for_updates => true,
:server_environment_class_cache_enabled => false,
:server_jruby9k => false,
:server_metrics => true,
:server_experimental => true,
+ :server_ip => '0.0.0.0',
+ :server_port => '8140',
+ :server_http_port => '8139',
+ :server_ssl_ca_crl => '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem',
+ :server_ssl_ca_cert => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
+ :server_ssl_cert => '/etc/puppetlabs/puppet/ssl/certs/puppetserver123.example.com.pem',
+ :server_ssl_cert_key => '/etc/puppetlabs/puppet/ssl/private_keys/puppetserver123.example.com.pem',
+ :server_ssl_chain => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
+ :server_crl_enable => true,
} end
describe 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
it { should contain_file_line('ca_enabled').with_ensure('present') }
it { should contain_file_line('ca_disabled'). with_ensure('absent') }
it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') }
it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') }
if facts[:osfamily] == 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'',
]).
with_context('/files/etc/rc.conf').
with({})
}
else
it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') }
it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') }
it { should contain_augeas('puppet::server::puppetserver::bootstrap').
with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'')
}
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'',
'set JAVA_BIN /usr/bin/java',
]).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') }
it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf') }
it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
with_content(/ssl-host:\s0\.0\.0\.0/).
with_content(/ssl-port:\s8140/).
without_content(/ host:\s/).
without_content(/ port:\s8139/).
with({})
}
it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
with_content(/allow-header-cert-info: false/).
with({})
}
end
describe 'server_puppetserver_vardir' do
context 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ master-var-dir: /opt/puppetlabs/server/data/puppetserver\n])
end
end
context 'with custom server_puppetserver_vardir' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_puppetserver_vardir => '/opt/custom/puppetlabs/server/data/puppetserver',
})
end
it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ master-var-dir: /opt/custom/puppetlabs/server/data/puppetserver\n])
end
end
end
describe 'use-legacy-auth-conf' do
context 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have use-legacy-auth-conf: false in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ use-legacy-auth-conf: false\n])
end
end
context 'when use-legacy-auth-conf = true' do
let(:params) do
default_params.merge({
:server_use_legacy_auth_conf => true,
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have use-legacy-auth-conf: true in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ use-legacy-auth-conf: true\n])
end
end
context 'when server_puppetserver_version < 2.2' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.1.2',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should not have a use-legacy-auth-conf setting in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).not_to include('use-legacy-auth-conf')
end
end
end
describe 'environment-class-cache-enabled' do
context 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have environment-class-cache-enabled: false in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ environment-class-cache-enabled: false\n])
end
end
context 'when environment-class-cache-enabled = true' do
let(:params) do
default_params.merge({
:server_environment_class_cache_enabled => true,
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have environment-class-cache-enabled: true in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ environment-class-cache-enabled: true\n])
end
end
context 'when server_puppetserver_version < 2.4' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.2.2',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should not have a environment-class-cache-enabled setting in puppetserver.conf' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).not_to include('environment-class-cache-enabled')
end
end
end
describe 'server_max_requests_per_instance' do
context 'with default parameters' do
let(:params) do
default_params.merge({
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ max-requests-per-instance: 0\n])
end
end
context 'custom server_max_requests_per_instance' do
let(:params) do
default_params.merge({
:server_max_requests_per_instance => 123456,
})
end
it 'should have custom max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do
content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content]
expect(content).to include(%Q[ max-requests-per-instance: 123456\n])
end
end
end
describe 'versioned-code-service' do
context 'when server_puppetserver_version >= 2.5' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.5.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should_not contain_file_line('versioned_code_service') }
end
context 'when server_puppetserver_version >= 2.3 and < 2.5' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.3.1',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should have versioned-code-service in bootstrap.cfg' do
should contain_file_line('versioned_code_service').
with_ensure('present').
with_path('/etc/custom/puppetserver/bootstrap.cfg').
with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service').
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
end
end
context 'when server_puppetserver_version < 2.3' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.2.2',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it 'should not have versioned-code-service in bootstrap.cfg' do
should contain_file_line('versioned_code_service').
with_ensure('absent').
with_path('/etc/custom/puppetserver/bootstrap.cfg').
with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service').
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
end
end
end
describe 'bootstrap.cfg' do
context 'when server_puppetserver_version >= 2.5' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.5.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
it { should_not contain_file_line('ca_enabled') }
it { should_not contain_file_line('ca_disabled') }
end
context 'when server_puppetserver_version < 2.4.99' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.4.98',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
it {
should contain_file_line('ca_enabled').
with_ensure('present').
with_path('/etc/custom/puppetserver/bootstrap.cfg').
with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service').
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
}
it {
should contain_file_line('ca_disabled').
with_ensure('absent').
with_path('/etc/custom/puppetserver/bootstrap.cfg').
with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service').
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
}
unless facts[:osfamily] == 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::bootstrap').
with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\'').
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
end
describe 'ca.cfg' do
context 'when server_puppetserver_version >= 2.5' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.5.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') }
it {
should contain_file('/etc/custom/puppetserver/services.d/ca.cfg').
with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}).
with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service})
}
unless facts[:osfamily] == 'FreeBSD'
it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') }
it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') }
it { should contain_augeas('puppet::server::puppetserver::bootstrap').
with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'').
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
context 'when server_puppetserver_version >= 2.5 and server_ca => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.5.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_ca => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/services.d/ca.cfg').
with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}).
with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service})
}
end
context 'when server_puppetserver_version < 2.4.99' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.4.98',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it { should_not contain_file('/etc/custom/puppetserver/services.d') }
it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') }
it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') }
it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') }
end
end
describe 'server_ca related settings' do
context 'when server_puppetserver_version >= 2.2' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.2.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/).
with_content(/^\s+name: "certificate_status"/).
with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/).
with_content(/^\s+name: "certificate_statuses"/).
with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/).
with_content(/^\s+name: "environment-cache"/).
with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/).
with_content(/^\s+name: "jruby-pool"/).
with({}) # So we can use a trailing dot on each with_content line
}
it {
should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').
with_ensure('absent').
with({}) # So we can use a trailing dot on each with_content line
}
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
without_content(/^# Settings related to the puppet-admin HTTP API$/).
without_content(/^puppet-admin: \{$/).
without_content(/^\s+client-whitelist: \[$/).
without_content(/^\s+"localhost"\,$/).
without_content(/^\s+"puppetserver123.example.com"\,$/).
with({}) # So we can use a trailing dot on each with_content line
}
end
context 'when server_puppetserver_version < 2.2' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.1.1',
:server_puppetserver_dir => '/etc/custom/puppetserver',
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
without_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/).
without_content(/^\s+name: "certificate_status"/).
without_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/).
without_content(/^\s+name: "certificate_statuses"/).
without_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/).
without_content(/^\s+name: "environment-cache"/).
without_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/).
without_content(/^\s+name: "jruby-pool"/).
with({}) # So we can use a trailing dot on each with_content line
}
it {
should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').
with_content(/^\s+authorization-required: true$/).
with_content(/^\s+client-whitelist: \[$/).
with_content(/^\s+"localhost"\,$/).
with_content(/^\s+"puppetserver123.example.com"\,$/).
with({}) # So we can use a trailing dot on each with_content line
}
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
with_content(/^# Settings related to the puppet-admin HTTP API$/).
with_content(/^puppet-admin: \{$/).
with_content(/^\s+client-whitelist: \[$/).
with_content(/^\s+"localhost"\,$/).
with_content(/^\s+"puppetserver123.example.com"\,$/).
with({}) # So we can use a trailing dot on each with_content line
}
end
end
describe 'product.conf' do
context 'when server_puppetserver_version >= 2.7' do
let(:params) do
default_params.merge(
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_check_for_updates => false,
)
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/product.conf').
with_ensure('file')
}
it {
should contain_hocon_setting('server_check_for_updates').
with_path('/etc/custom/puppetserver/conf.d/product.conf').
with_setting('product.check-for-updates').
with_value(false)
}
end
context 'when server_puppetserver_version < 2.7' do
let(:params) do
default_params.merge(
:server_puppetserver_version => '2.6.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
)
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/product.conf').
with_ensure('absent')
}
it {
should_not contain_hocon_setting('server_check_for_updates')
}
end
end
describe 'server_metrics' do
context 'when server_puppetserver_version < 5.0 and server_metrics => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_metrics => true,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
without_content(%r{^ metrics-enabled: (.*)$}).
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true})
}
end
context 'when server_puppetserver_version < 5.0 and server_metrics => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_metrics => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
without_content(%r{^ metrics-enabled: (.*)$}).
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false})
}
end
context 'when server_puppetserver_version >= 5.0 and server_metrics => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_metrics => true,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)}).
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true})
}
end
context 'when server_puppetserver_version >= 5.0 and server_metrics => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_metrics => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf').
with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$}).
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false})
}
end
end
describe 'server_experimental' do
context 'when server_puppetserver_version < 5.0 and server_experimental => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_experimental => true,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
without_content(%r{^(\ *)path: "/puppet/experimental"$})
}
end
context 'when server_puppetserver_version < 5.0 and server_experimental => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_experimental => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
without_content(%r{^(\ *)path: "/puppet/experimental"$})
}
end
context 'when server_puppetserver_version >= 5.0 and server_experimental => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_experimental => true,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
with_content(%r{^(\ *)path: "/puppet/experimental"$})
}
end
context 'when server_puppetserver_version >= 5.0 and server_experimental => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_experimental => false,
})
end
it {
should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
without_content(%r{^(\ *)path: "/puppet/experimental"$})
}
end
end
unless facts[:osfamily] == 'FreeBSD'
describe 'server_jruby9k' do
context 'when server_puppetserver_version < 5.0 and server_jruby9k => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_jruby9k => true,
})
end
it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') }
end
context 'when server_puppetserver_version < 5.0 and server_jruby9k => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '2.7.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_jruby9k => false,
})
end
it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') }
end
context 'when server_puppetserver_version >= 5.0 and server_jruby9k => true' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_jruby9k => true,
})
end
it { should contain_augeas('puppet::server::puppetserver::jruby_jar').
with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
context 'when server_puppetserver_version >= 5.0 and server_jruby9k => false' do
let(:params) do
default_params.merge({
:server_puppetserver_version => '5.0.0',
:server_puppetserver_dir => '/etc/custom/puppetserver',
:server_jruby9k => false,
})
end
it { should contain_augeas('puppet::server::puppetserver::jruby_jar').
with_changes(['rm JRUBY_JAR']).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
end
describe 'with extra_args parameter' do
let :params do
default_params.merge({
:jvm_extra_args => ['-XX:foo=bar', '-XX:bar=foo'],
})
end
if facts[:osfamily] == 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'',
]).
with_context('/files/etc/rc.conf').
with({})
}
else
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'',
'set JAVA_BIN /usr/bin/java',
]).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
describe 'with cli_args parameter' do
let :params do
default_params.merge({
:jvm_cli_args => '-Djava.io.tmpdir=/var/puppettmp',
})
end
if facts[:osfamily] != 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_changes([
'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'',
'set JAVA_BIN /usr/bin/java',
'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'',
]).
with_context('/files/etc/default/puppetserver').
with_incl('/etc/default/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
describe 'with jvm_config file parameter' do
let :params do default_params.merge({
:config => '/etc/custom/puppetserver',
})
end
if facts[:osfamily] == 'FreeBSD'
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_context('/files/etc/rc.conf').
with({})
}
else
it { should contain_augeas('puppet::server::puppetserver::jvm').
with_context('/files/etc/custom/puppetserver').
with_incl('/etc/custom/puppetserver').
with_lens('Shellvars.lns').
with({})
}
end
end
-
- describe 'with server_ip parameter given to the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server_ip => '127.0.0.1', server_implementation => 'puppetserver'}"
- end
-
- it 'should put the correct ip address in webserver.conf' do
- should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').with_content(/ssl-host:\s127\.0\.0\.1/)
- end
- end
-
- describe 'with server_certname parameter given to the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server_certname => 'puppetserver43.example.com', server_implementation => 'puppetserver', server_ssl_dir => '/etc/custom/puppet/ssl'}"
- end
-
- it 'should put the correct ssl key path in webserver.conf' do
- should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
- with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem})
- end
-
- it 'should put the correct ssl cert path in webserver.conf' do
- should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
- with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem})
- end
- end
-
- describe 'with server_http parameter set to true for the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server_http => true, server_implementation => 'puppetserver'}"
- end
-
- it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
- with_content(/ host:\s0\.0\.0\.0/).
- with_content(/ port:\s8139/).
- with({})
- }
-
- it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
- with_content(/allow-header-cert-info: true/).
- with({})
- }
- end
-
- describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server_allow_header_cert_info => true, server_implementation => 'puppetserver'}"
- end
-
- it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
- with_content(/allow-header-cert-info: true/).
- with({})
- }
- end
-
- describe 'with server_http_allow parameter set for the puppet class' do
- let(:params) do
- default_params.merge({
- :server_puppetserver_dir => '/etc/custom/puppetserver',
- })
- end
-
- let :pre_condition do
- "class {'puppet': server => true, server_http => true, server_http_allow => ['1.2.3.4'], server_implementation => 'puppetserver'}"
- end
-
- it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) }
- end
end
end
end
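Review bot: The new defaults `:server_crl_enable => true` and `:server_ssl_ca_crl` are never asserted on in this spec; the 'with default parameters' expectation on webserver.conf only matches ssl-host, ssl-port and the absence of host/port. Because the template now gates `ssl-crl-path` on the class's own `server_crl_enable` parameter, a regression that silently drops revocation checking would pass here unless another spec outside this hunk covers it. I would add `with_content(%r{ssl-crl-path: /etc/puppetlabs/puppet/ssl/ca/ca_crl\.pem}).` to that expectation, plus a context with `:server_crl_enable => false` that asserts `without_content(/ssl-crl-path/)`.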
diff --git a/templates/server/puppetserver/conf.d/webserver.conf.erb b/templates/server/puppetserver/conf.d/webserver.conf.erb
index e8a8938..f8c20c6 100644
--- a/templates/server/puppetserver/conf.d/webserver.conf.erb
+++ b/templates/server/puppetserver/conf.d/webserver.conf.erb
@@ -1,20 +1,20 @@
webserver: {
- access-log-config: <%= scope.lookupvar('puppet::server::puppetserver_dir') %>/request-logging.xml
+ access-log-config: <%= @server_puppetserver_dir %>/request-logging.xml
client-auth: want
-<%- if scope.lookupvar('puppet::server::http') -%>
- host: <%= scope.lookupvar('puppet::server::ip') %>
- port: <%= scope.lookupvar('puppet::server::http_port') %>
+<%- if @server_http -%>
+ host: <%= @server_ip %>
+ port: <%= @server_http_port %>
<%- end -%>
- ssl-host: <%= scope.lookupvar('puppet::server::ip') %>
- ssl-port: <%= scope.lookupvar('puppet::server::port') %>
- ssl-cert: <%= scope.lookupvar('puppet::server::ssl_cert') %>
- ssl-key: <%= scope.lookupvar('puppet::server::ssl_cert_key') %>
- ssl-ca-cert: <%= scope.lookupvar('puppet::server::ssl_ca_cert') %>
-<%- if scope.lookupvar('puppet::server::_crl_enable') -%>
- ssl-crl-path: <%= scope.lookupvar('puppet::server::ssl_ca_crl') %>
+ ssl-host: <%= @server_ip %>
+ ssl-port: <%= @server_port %>
+ ssl-cert: <%= @server_ssl_cert %>
+ ssl-key: <%= @server_ssl_cert_key %>
+ ssl-ca-cert: <%= @server_ssl_ca_cert %>
+<%- if @server_crl_enable -%>
+ ssl-crl-path: <%= @server_ssl_ca_crl %>
<%- end -%>
-<%- if scope.lookupvar('puppet::server::ca') -%>
- ssl-cert-chain: <%= scope.lookupvar('puppet::server::ssl_chain') %>
+<%- if @server_ca -%>
+ ssl-cert-chain: <%= @server_ssl_chain %>
<%- end -%>
idle-timeout-milliseconds: <%= @server_web_idle_timeout %>
}
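Review bot: The `<%- if @server_http -%>` branch binds the plaintext listener to `@server_ip`, the same address as `ssl-host`, and nothing in the template says who is meant to reach it. The specs in this change show auth.conf rendering `allow-header-cert-info: true` whenever `server_http` is set, and `server_http_allow` being rejected for puppetserver, so any client that can reach the HTTP port is trusted to state its certificate identity in a header. A template comment above the branch would make that explicit, for example `<%# plaintext listener for a TLS-terminating proxy: shares the bind address with ssl-host, restrict access at the network layer -%>`. Whether the manifest offers a separate bind address for the HTTP listener is not visible from this hunk.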
