
diff --git a/manifests/init.pp b/manifests/init.pp
index bb66a6c..0b49b20 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,807 +1,813 @@
# == Class: puppet
#
# This class installs and configures the puppet agent.
#
# === Parameters:
#
# $version:: Specify a specific version of a package to
# install. The version should be the exact
# match for your distro.
# You can also use certain values like 'latest'.
# type:string
#
# $user:: Override the name of the puppet user.
# type:string
#
# $group:: Override the name of the puppet group.
# type:string
#
# $dir:: Override the puppet directory.
# type:string
#
# $codedir:: Override the puppet code directory.
# type:string
#
# $vardir:: Override the puppet var directory.
# type:string
#
# $logdir:: Override the log directory.
# type:string
#
# $rundir:: Override the PID directory.
# type:string
#
# $ssldir:: Override where SSL certificates are kept.
# type:string
#
# $sharedir:: Override the system data directory.
# type:string
#
# $manage_packages:: Should this module install packages or not.
# Can also install only server packages with value
# of 'server' or only agent packages with 'agent'.
# Defaults to true
#
# $package_provider:: The provider used to install the agent.
# Defaults to chocolatey on Windows
# Defaults to undef elsewhere
# type:string
#
# $package_source:: The location of the file to be used by the
# agent's package resource.
# Defaults to undef. If 'windows' or 'msi' are
# used as the provider then this setting is
# required.
# type:string
#
# $port:: Override the port of the master we connect to.
# type:integer
#
# $listen:: Should the puppet agent listen for connections.
# type:boolean
#
# $listen_to:: An array of servers allowed to initiate a puppet run.
# If $listen = true one of three things will happen:
# 1) if $listen_to is not empty then this array
# will be used.
# 2) if $listen_to is empty and $puppetmaster is
# defined then only $puppetmaster will be
# allowed.
# 3) if $puppetmaster is not defined or empty,
# $fqdn will be used.
# type:array
#
# $pluginsync:: Enable pluginsync.
# type:boolean
#
# $splay:: Switch to enable a random amount of time
# to sleep before each run.
# type:boolean
#
# $splaylimit:: The maximum time to delay before runs.
# Defaults to being the same as the run interval.
# This setting can be a time interval in seconds
# (30 or 30s), minutes (30m), hours (6h), days (2d),
# or years (5y).
# type:string
#
# $runinterval:: Set up the interval (in seconds) to run
# the puppet agent.
# type:integer
#
# $autosign:: If set to a boolean, autosign is enabled or disabled
# for all incoming requests. Otherwise this has to be
# set to the full file path of an autosign.conf file or
# an autosign script. If this is set to a script, make
# sure that script considers the content of autosign.conf
# as otherwise Foreman functionality might be broken.
#
+# $autosign_entries:: A list of certnames or domain name globs
+# whose certificate requests will automatically be signed.
+# Defaults to an empty Array.
+# type: array
+#
# $autosign_mode:: mode of the autosign file/script
#
# $usecacheonfailure:: Switch to enable use of cached catalog on
# failure of run.
# type: boolean
#
# $runmode:: Select the mode to setup the puppet agent.
# Can be either 'cron', 'service',
# 'systemd.timer', or 'none'.
# type:string
#
# $unavailable_runmodes:: Runmodes that are not available for the
# current system. This module will not try
# to disable these modes. Default is []
# on Linux, ['cron', 'systemd.timer'] on
# Windows and ['systemd.timer'] on other
# systems.
# type: array
#
# $cron_cmd:: Specify command to launch when runmode is
# set 'cron'.
# type:string
#
# $systemd_cmd:: Specify command to launch when runmode is
# set 'systemd.timer'.
# type:string
#
# $show_diff:: Show and report changed files with diff output
# type:boolean
#
# $module_repository:: Use a different puppet module repository
# type:string
#
# $configtimeout:: How long the client should wait for the
# configuration to be retrieved before
# considering it a failure.
# type:integer
#
# $ca_server:: Use a different ca server. Should be either
# a string with the location of the ca_server
# or 'false'.
# type:string
#
# $ca_port:: Puppet CA port
# type:integer
#
# $dns_alt_names:: Use additional DNS names when generating a
# certificate. Defaults to an empty Array.
# type:array
#
# $classfile:: The file in which puppet agent stores a list
# of the classes associated with the retrieved
# configuration.
# type:string
#
# $hiera_config:: The hiera configuration file.
# type:string
#
# $syslogfacility:: Facility name to use when logging to syslog
# type:string
#
# $auth_template:: Use a custom template for the auth
# configuration.
# type:string
#
# $main_template:: Use a custom template for the main puppet
# configuration.
# type:string
#
# $use_srv_records:: Whether DNS SRV records will be used to resolve
# the Puppet master
# type:boolean
#
# $srv_domain:: Search domain for SRV records
# type:string
#
# $pluginsource:: URL to retrieve Puppet plugins from during pluginsync
# type:string
#
# $pluginfactsource:: URL to retrieve Puppet facts from during pluginsync
# type:string
#
# $additional_settings:: A hash of additional main settings.
# type:hash
#
# == puppet::agent parameters
#
# $agent:: Should a puppet agent be installed
# type:boolean
#
# $agent_noop:: Run the agent in noop mode.
# type:boolean
#
# $agent_template:: Use a custom template for the agent puppet
# configuration.
# type:string
#
# $client_package:: Install a custom package to provide
# the puppet client
# type:array
#
# $puppetmaster:: Hostname of your puppetmaster (server
# directive in puppet.conf)
# type:string
#
# $prerun_command:: A command which gets excuted before each Puppet run
# type:string
#
# $postrun_command:: A command which gets excuted after each Puppet run
# type:string
#
# $systemd_unit_name:: The name of the puppet systemd units.
# type:string
#
# $service_name:: The name of the puppet agent service.
# type:string
#
# $agent_restart_command:: The command which gets excuted on puppet service restart
# type:string
#
# $environment:: Default environment of the Puppet agent
# type:string
#
# $agent_additional_settings:: A hash of additional agent settings.
# Example: {stringify_facts => true}
# type:hash
#
# $remove_lock:: Remove the agent lock when running.
# type:boolean
#
# $client_certname:: The node's certificate name, and the unique
# identifier it uses when requesting catalogs.
# type:string
#
# $dir_owner:: Owner of the base puppet directory, used when
# puppet::server is false.
# type:string
#
# $dir_group:: Group of the base puppet directory, used when
# puppet::server is false.
# type:string
#
# == puppet::server parameters
#
# $server:: Should a puppet master be installed as well as the client
# type:boolean
#
# $server_user:: Name of the puppetmaster user.
# type:string
#
# $server_group:: Name of the puppetmaster group.
# type:string
#
# $server_dir:: Puppet configuration directory
# type:string
#
# $server_ip:: Bind ip address of the puppetmaster
# type:string
#
# $server_port:: Puppet master port
# type:integer
#
# $server_ca:: Provide puppet CA
# type:boolean
#
# $server_http:: Should the puppet master listen on HTTP as well as HTTPS.
# Useful for load balancer or reverse proxy scenarios. Note that
# the HTTP puppet master denies access from all clients by default,
# allowed clients must be specified with $server_http_allow.
# type:boolean
#
# $server_http_port:: Puppet master HTTP port; defaults to 8139.
# type:integer
#
# $server_http_allow:: Array of allowed clients for the HTTP puppet master. Passed
# to Apache's 'Allow' directive.
# type:array
#
# $server_reports:: List of report types to include on the puppetmaster
# type:string
#
# $server_implementation:: Puppet master implementation, either "master" (traditional
# Ruby) or "puppetserver" (JVM-based)
# type:string
#
# $server_passenger:: If set to true, we will configure apache with
# passenger. If set to false, we will enable the
# default puppetmaster service unless
# service_fallback is set to false. See 'Advanced
# server parameters' for more information.
# Only applicable when server_implementation is "master".
# type:boolean
#
# $server_external_nodes:: External nodes classifier executable
# type:string
#
# $server_template:: Which template should be used for master
# configuration
# type:string
#
# $server_main_template:: Which template should be used for master
# related configuration in the [main] section
# type:string
#
# $server_git_repo:: Use git repository as a source of modules
# type:boolean
#
# $server_dynamic_environments:: Use $environment in the modulepath
# Deprecated when $server_directory_environments is true,
# set $server_environments to [] instead.
# type:boolean
#
# $server_directory_environments:: Enable directory environments, defaulting to true
# with Puppet 3.6.0 or higher
# type:boolean
#
# $server_environments:: Environments to setup (creates directories).
# Applies only when $server_dynamic_environments
# is false
# type:array
#
# $server_environments_owner:: The owner of the environments directory
# type:string
#
# $server_environments_group:: The group owning the environments directory
# type:string
#
# $server_environments_mode:: Environments directory mode.
# type:string
#
# $server_envs_dir:: Directory that holds puppet environments
# type:string
#
# $server_envs_target:: Indicates that $envs_dir should be
# a symbolic link to this target
# type:string
#
# $server_common_modules_path:: Common modules paths (only when
# $server_git_repo_path and $server_dynamic_environments
# are false)
# type:array
#
# $server_git_repo_path:: Git repository path
# type:string
#
# $server_git_repo_mode:: Git repository mode
# type:string
#
# $server_git_repo_group:: Git repository group
# type:string
#
# $server_git_repo_user:: Git repository user
# type:string
#
# $server_git_branch_map:: Git branch to puppet env mapping for the
# default post receive hook
# type:hash
#
# $server_post_hook_content:: Which template to use for git post hook
# type:string
#
# $server_post_hook_name:: Name of a git hook
# type:string
#
# $server_storeconfigs_backend:: Do you use storeconfigs? (note: not required)
# false if you don't, "active_record" for 2.X
# style db, "puppetdb" for puppetdb
# type:string
#
# $server_app_root:: Directory where the application lives
# type:string
#
# $server_ssl_dir:: SSL directory
# type:string
#
# $server_package:: Custom package name for puppet master
# type:string
#
# $server_version:: Custom package version for puppet master
# type:string
#
# $server_certname:: The name to use when handling certificates.
# type:string
#
# $server_strict_variables:: if set to true, it will throw parse errors
# when accessing undeclared variables.
# type:boolean
#
# $server_additional_settings:: A hash of additional settings.
# Example: {trusted_node_data => true, ordering => 'manifest'}
# type:hash
#
# $server_rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and
# --vardir. The default is an empty array.
# type:array
#
# $server_puppetdb_host:: PuppetDB host
# type:string
#
# $server_puppetdb_port:: PuppetDB port
# type:integer
#
# $server_puppetdb_swf:: PuppetDB soft_write_failure
# type:boolean
#
# $server_parser:: Sets the parser to use. Valid options are 'current' or 'future'.
# Defaults to 'current'.
# type:string
#
# === Advanced server parameters:
#
# $server_httpd_service:: Apache/httpd service name to notify
# on configuration changes. Defaults
# to 'httpd' based on the default
# apache module included with foreman-installer.
# type:string
#
# $server_service_fallback:: If passenger is not used, do we want to fallback
# to using the puppetmaster service? Set to false
# if you disabled passenger and you do NOT want to
# use the puppetmaster service. Defaults to true.
# type:boolean
#
# $server_passenger_min_instances:: The PassengerMinInstances parameter. Sets the
# minimum number of application processes to run.
# Defaults to the number of processors on your
# system.
# type:integer
#
# $server_passenger_pre_start:: Pre-start the first passenger worker instance
# process during httpd start.
# type:boolean
#
# $server_passenger_ruby:: The PassengerRuby parameter. Sets the Ruby
# interpreter for serving the puppetmaster
# rack application.
# type:string
#
# $server_config_version:: How to determine the configuration version. When
# using git_repo, by default a git describe
# approach will be installed.
# type:string
#
# $server_facts:: Should foreman receive facts from puppet
# type:boolean
#
# $server_foreman:: Should foreman integration be installed
# type:boolean
#
# $server_foreman_url:: Foreman URL
# type:string
#
# $server_foreman_ssl_ca:: SSL CA of the Foreman server
# type:string
#
# $server_foreman_ssl_cert:: Client certificate for authenticating against Foreman server
# type:string
#
# $server_foreman_ssl_key:: Key for authenticating against Foreman server
# type:string
#
# $server_puppet_basedir:: Where is the puppet code base located
# type:string
#
# $server_enc_api:: What version of enc script to deploy. Valid
# values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
# type:string
#
# $server_report_api:: What version of report processor to deploy.
# Valid values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
# type:string
#
# $server_request_timeout:: Timeout in node.rb script for fetching
# catalog from Foreman (in seconds).
# type:integer
#
# $server_environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...)
# type:string
#
# $server_ca_proxy:: The actual server that handles puppet CA.
# Setting this to anything non-empty causes
# the apache vhost to set up a proxy for all
# certificates pointing to the value.
# type:string
#
# $server_jvm_java_bin:: Set the default java to use.
# type:string
#
# $server_jvm_config:: Specify the puppetserver jvm configuration file.
# type:string
#
# $server_jvm_min_heap_size:: Specify the minimum jvm heap space.
# type:string
#
# $server_jvm_max_heap_size:: Specify the maximum jvm heap space.
# type:string
#
# $server_jvm_extra_args:: Additional java options to pass through.
# This can be used for Java versions prior to
# Java 8 to specify the max perm space to use:
# For example: '-XX:MaxPermSpace=128m'.
# type:string
#
# $server_jruby_gem_home:: Where jruby gems are located for puppetserver
# type:string
#
# $allow_any_crl_auth:: Allow any authentication for the CRL. This
# is needed on the puppet CA to accept clients
# from a the puppet CA proxy.
# type:boolean
#
# $auth_allowed:: An array of authenticated nodes allowed to
# access all catalog and node endpoints.
# default to ['$1']
# type:array
#
# $server_default_manifest:: Toggle if default_manifest setting should
# be added to the [main] section
# type:boolean
#
# $server_default_manifest_path:: A string setting the path to the default_manifest
# type:string
#
# $server_default_manifest_content:: A string to set the content of the default_manifest
# If set to '' it will not manage the file
# type:string
#
# $server_ssl_dir_manage:: Toggle if ssl_dir should be added to the [master]
# configuration section. This is necessary to
# disable in case CA is delegated to a separate instance
# type:boolean
#
# $server_puppetserver_vardir:: The path of the puppetserver var dir
# type:string
#
# $server_puppetserver_dir:: The path of the puppetserver config dir
# type:string
#
# $server_puppetserver_version:: The version of puppetserver 2 installed (or being installed)
# Unfortunately, different versions of puppetserver need configuring differently,
# and there's no easy way of determining which version is being installed.
# Defaults to '2.3.1' but can be overriden if you're installing an older version.
# type:string
#
# $server_max_active_instances:: Max number of active jruby instances. Defaults to
# processor count
# type:integer
#
# $server_idle_timeout:: How long the server will wait for a response on an existing connection
# type:integer
#
# $server_connect_timeout:: How long the server will wait for a response to a connection attempt
# type:integer
#
# $server_ssl_protocols:: Array of SSL protocols to use.
# Defaults to [ 'TLSv1.2' ]
# type:array
#
# $server_cipher_suites:: List of SSL ciphers to use in negotiation
# Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA',
# 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
# type:array
#
# $server_ruby_load_paths:: List of ruby paths
# Defaults based on $::puppetversion
# type:array
#
# $server_ca_client_whitelist:: The whitelist of client certificates that
# can query the certificate-status endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
# type:array
#
# $server_admin_api_whitelist:: The whitelist of clients that
# can query the puppet-admin-api endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
# type:array
#
# $server_enable_ruby_profiler:: Should the puppetserver ruby profiler be enabled?
# Defaults to false
# type:boolean
#
# $server_ca_auth_required:: Whether client certificates are needed to access the puppet-admin api
# Defaults to true
# type:boolean
#
# $server_use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf?
# Defaults to false (the puppetserver will use its own conf.d/auth.conf)
# type:boolean
#
# === Usage:
#
# * Simple usage:
#
# include puppet
#
# * Installing a puppetmaster
#
# class {'puppet':
# server => true,
# }
#
# * Advanced usage:
#
# class {'puppet':
# agent_noop => true,
# version => '2.7.20-1',
# }
#
class puppet (
$version = $puppet::params::version,
$user = $puppet::params::user,
$group = $puppet::params::group,
$dir = $puppet::params::dir,
$codedir = $puppet::params::codedir,
$vardir = $puppet::params::vardir,
$logdir = $puppet::params::logdir,
$rundir = $puppet::params::rundir,
$ssldir = $puppet::params::ssldir,
$sharedir = $puppet::params::sharedir,
$manage_packages = $puppet::params::manage_packages,
$dir_owner = $puppet::params::dir_owner,
$dir_group = $puppet::params::dir_group,
$package_provider = $puppet::params::package_provider,
$package_source = $puppet::params::package_source,
$port = $puppet::params::port,
$listen = $puppet::params::listen,
$listen_to = $puppet::params::listen_to,
$pluginsync = $puppet::params::pluginsync,
$splay = $puppet::params::splay,
$splaylimit = $puppet::params::splaylimit,
$autosign = $puppet::params::autosign,
+ $autosign_entries = $puppet::params::autosign_entries,
$autosign_mode = $puppet::params::autosign_mode,
$runinterval = $puppet::params::runinterval,
$usecacheonfailure = $puppet::params::usecacheonfailure,
$runmode = $puppet::params::runmode,
$unavailable_runmodes = $puppet::params::unavailable_runmodes,
$cron_cmd = $puppet::params::cron_cmd,
$systemd_cmd = $puppet::params::systemd_cmd,
$agent_noop = $puppet::params::agent_noop,
$show_diff = $puppet::params::show_diff,
$module_repository = $puppet::params::module_repository,
$configtimeout = $puppet::params::configtimeout,
$ca_server = $puppet::params::ca_server,
$ca_port = $puppet::params::ca_port,
$prerun_command = $puppet::params::prerun_command,
$postrun_command = $puppet::params::postrun_command,
$dns_alt_names = $puppet::params::dns_alt_names,
$use_srv_records = $puppet::params::use_srv_records,
$srv_domain = $puppet::params::srv_domain,
$pluginsource = $puppet::params::pluginsource,
$pluginfactsource = $puppet::params::pluginfactsource,
$additional_settings = $puppet::params::additional_settings,
$agent_additional_settings = $puppet::params::agent_additional_settings,
$agent_restart_command = $puppet::params::agent_restart_command,
$classfile = $puppet::params::classfile,
$hiera_config = $puppet::params::hiera_config,
$main_template = $puppet::params::main_template,
$agent_template = $puppet::params::agent_template,
$auth_template = $puppet::params::auth_template,
$allow_any_crl_auth = $puppet::params::allow_any_crl_auth,
$auth_allowed = $puppet::params::auth_allowed,
$client_package = $puppet::params::client_package,
$agent = $puppet::params::agent,
$remove_lock = $puppet::params::remove_lock,
$client_certname = $puppet::params::client_certname,
$puppetmaster = $puppet::params::puppetmaster,
$systemd_unit_name = $puppet::params::systemd_unit_name,
$service_name = $puppet::params::service_name,
$syslogfacility = $puppet::params::syslogfacility,
$environment = $puppet::params::environment,
$server = $puppet::params::server,
$server_admin_api_whitelist = $puppet::params::server_admin_api_whitelist,
$server_user = $puppet::params::user,
$server_group = $puppet::params::group,
$server_dir = $puppet::params::dir,
$server_ip = $puppet::params::ip,
$server_port = $puppet::params::port,
$server_ca = $puppet::params::server_ca,
$server_ca_auth_required = $puppet::params::server_ca_auth_required,
$server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist,
$server_http = $puppet::params::server_http,
$server_http_port = $puppet::params::server_http_port,
$server_http_allow = $puppet::params::server_http_allow,
$server_reports = $puppet::params::server_reports,
$server_implementation = $puppet::params::server_implementation,
$server_passenger = $puppet::params::server_passenger,
$server_puppetserver_dir = $puppet::params::server_puppetserver_dir,
$server_puppetserver_vardir = $puppet::params::server_puppetserver_vardir,
$server_puppetserver_version = $puppet::params::server_puppetserver_version,
$server_service_fallback = $puppet::params::server_service_fallback,
$server_passenger_min_instances = $puppet::params::server_passenger_min_instances,
$server_passenger_pre_start = $puppet::params::server_passenger_pre_start,
$server_passenger_ruby = $puppet::params::server_passenger_ruby,
$server_httpd_service = $puppet::params::server_httpd_service,
$server_external_nodes = $puppet::params::server_external_nodes,
$server_template = $puppet::params::server_template,
$server_main_template = $puppet::params::server_main_template,
$server_cipher_suites = $puppet::params::server_cipher_suites,
$server_config_version = $puppet::params::server_config_version,
$server_connect_timeout = $puppet::params::server_connect_timeout,
$server_git_repo = $puppet::params::server_git_repo,
$server_dynamic_environments = $puppet::params::server_dynamic_environments,
$server_directory_environments = $puppet::params::server_directory_environments,
$server_default_manifest = $puppet::params::server_default_manifest,
$server_default_manifest_path = $puppet::params::server_default_manifest_path,
$server_default_manifest_content = $puppet::params::server_default_manifest_content,
$server_enable_ruby_profiler = $puppet::params::server_enable_ruby_profiler,
$server_environments = $puppet::params::server_environments,
$server_environments_owner = $puppet::params::server_environments_owner,
$server_environments_group = $puppet::params::server_environments_group,
$server_environments_mode = $puppet::params::server_environments_mode,
$server_envs_dir = $puppet::params::server_envs_dir,
$server_envs_target = $puppet::params::server_envs_target,
$server_common_modules_path = $puppet::params::server_common_modules_path,
$server_git_repo_mode = $puppet::params::server_git_repo_mode,
$server_git_repo_path = $puppet::params::server_git_repo_path,
$server_git_repo_group = $puppet::params::server_git_repo_group,
$server_git_repo_user = $puppet::params::server_git_repo_user,
$server_git_branch_map = $puppet::params::server_git_branch_map,
$server_idle_timeout = $puppet::params::server_idle_timeout,
$server_post_hook_content = $puppet::params::server_post_hook_content,
$server_post_hook_name = $puppet::params::server_post_hook_name,
$server_storeconfigs_backend = $puppet::params::server_storeconfigs_backend,
$server_app_root = $puppet::params::server_app_root,
$server_ruby_load_paths = $puppet::params::server_ruby_load_paths,
$server_ssl_dir = $puppet::params::server_ssl_dir,
$server_ssl_dir_manage = $puppet::params::server_ssl_dir_manage,
$server_ssl_protocols = $puppet::params::server_ssl_protocols,
$server_package = $puppet::params::server_package,
$server_version = $puppet::params::server_version,
$server_certname = $puppet::params::server_certname,
$server_enc_api = $puppet::params::server_enc_api,
$server_report_api = $puppet::params::server_report_api,
$server_request_timeout = $puppet::params::server_request_timeout,
$server_ca_proxy = $puppet::params::server_ca_proxy,
$server_strict_variables = $puppet::params::server_strict_variables,
$server_additional_settings = $puppet::params::server_additional_settings,
$server_rack_arguments = $puppet::params::server_rack_arguments,
$server_foreman = $puppet::params::server_foreman,
$server_foreman_url = $puppet::params::server_foreman_url,
$server_foreman_ssl_ca = $puppet::params::server_foreman_ssl_ca,
$server_foreman_ssl_cert = $puppet::params::server_foreman_ssl_cert,
$server_foreman_ssl_key = $puppet::params::server_foreman_ssl_key,
$server_facts = $puppet::params::server_facts,
$server_puppet_basedir = $puppet::params::server_puppet_basedir,
$server_puppetdb_host = $puppet::params::server_puppetdb_host,
$server_puppetdb_port = $puppet::params::server_puppetdb_port,
$server_puppetdb_swf = $puppet::params::server_puppetdb_swf,
$server_parser = $puppet::params::server_parser,
$server_environment_timeout = $puppet::params::server_environment_timeout,
$server_jvm_java_bin = $puppet::params::server_jvm_java_bin,
$server_jvm_config = $puppet::params::server_jvm_config,
$server_jvm_min_heap_size = $puppet::params::server_jvm_min_heap_size,
$server_jvm_max_heap_size = $puppet::params::server_jvm_max_heap_size,
$server_jvm_extra_args = $puppet::params::server_jvm_extra_args,
$server_jruby_gem_home = $puppet::params::server_jruby_gem_home,
$server_max_active_instances = $puppet::params::server_max_active_instances,
$server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf,
) inherits puppet::params {
validate_bool($listen)
validate_bool($pluginsync)
validate_bool($splay)
validate_bool($usecacheonfailure)
validate_bool($agent_noop)
validate_bool($agent)
validate_bool($remove_lock)
validate_bool($server)
validate_bool($allow_any_crl_auth)
validate_hash($additional_settings)
validate_hash($agent_additional_settings)
if $ca_server {
validate_string($ca_server)
}
validate_string($systemd_unit_name)
validate_string($service_name)
validate_array($listen_to)
validate_array($dns_alt_names)
validate_array($auth_allowed)
validate_absolute_path($dir)
validate_absolute_path($vardir)
validate_absolute_path($logdir)
validate_absolute_path($rundir)
if $manage_packages != true and $manage_packages != false {
validate_re($manage_packages, '^(server|agent)$')
}
include ::puppet::config
Class['puppet::config'] -> Class['puppet']
if $agent == true {
include ::puppet::agent
Class['puppet::agent'] -> Class['puppet']
}
if $server == true {
include ::puppet::server
Class['puppet::server'] -> Class['puppet']
}
}
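Review bot: The new `$autosign_entries` parameter on `class puppet` is never validated, while its array-typed siblings `$listen_to`, `$dns_alt_names` and `$auth_allowed` each get a `validate_array` call in the class body, so a string or hash passed here would only fail later wherever the value is rendered; add `validate_array($autosign_entries)` next to `validate_array($dns_alt_names)`. Puppet's plain autosign.conf matches its entries only against the certname the requester itself supplies, so the new parameter doc should carry a caveat, something like `# WARNING: entries (especially globs such as *.example.com) let any host that can reach the CA obtain a signed cert for a matching name; prefer a policy-based autosign script on untrusted networks.` The doc block also does not say how the list interacts with `$autosign` when that is a boolean or a script path — presumably the entries are only written when `$autosign` names an autosign.conf file, which is worth stating explicitly. Minor: `type: array` differs from the `type:array` spelling used by every other entry in the header.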
diff --git a/manifests/params.pp b/manifests/params.pp
index c3fe289..b7b1299 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,389 +1,390 @@
# Default parameters
class puppet::params {
# Basic config
$version = 'present'
$user = 'puppet'
$group = 'puppet'
$ip = '0.0.0.0'
$port = 8140
$listen = false
$listen_to = []
$pluginsync = true
$splay = false
$splaylimit = '1800'
$runinterval = '1800'
$runmode = 'service'
# Not defined here as the commands depend on module parameter "dir"
$cron_cmd = undef
$systemd_cmd = undef
$agent_noop = false
$show_diff = false
$module_repository = undef
if versioncmp($::puppetversion, '4.0') < 0 or versioncmp($::puppetversion, '4.5') >= 0 {
$hiera_config = '$confdir/hiera.yaml'
} else {
$hiera_config = '$codedir/hiera.yaml'
}
$usecacheonfailure = true
$ca_server = undef
$ca_port = undef
$prerun_command = undef
$postrun_command = undef
$dns_alt_names = []
$use_srv_records = false
$srv_domain = $::domain
# lint:ignore:puppet_url_without_modules
$pluginsource = 'puppet:///plugins'
$pluginfactsource = 'puppet:///pluginfacts'
# lint:endignore
$classfile = '$statedir/classes.txt'
$syslogfacility = undef
$environment = $::environment
if versioncmp($::puppetversion, '4.0') < 0 {
$aio_package = false
$deb_naio_package = false
} elsif $::osfamily == 'Windows' or $::rubysitedir =~ /\/opt\/puppetlabs\/puppet/ {
$aio_package = true
$deb_naio_package = false
} else {
$aio_package = false
$deb_naio_package = ($::osfamily == 'Debian')
}
case $::osfamily {
'Windows' : {
# Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end
$dir_prefix = 'C:/ProgramData/PuppetLabs/puppet'
$dir = "${dir_prefix}/etc"
$codedir = "${dir_prefix}/etc"
$logdir = "${dir_prefix}/var/log"
$rundir = "${dir_prefix}/var/run"
$ssldir = "${dir_prefix}/etc/ssl"
$vardir = "${dir_prefix}/var"
$sharedir = "${dir_prefix}/share"
$bindir = "${dir_prefix}/bin"
$root_group = undef
$server_puppetserver_dir = undef
$server_puppetserver_vardir = undef
$server_ruby_load_paths = []
$server_jruby_gem_home = undef
}
/^(FreeBSD|DragonFly)$/ : {
$dir = '/usr/local/etc/puppet'
$codedir = '/usr/local/etc/puppet'
$logdir = '/var/log/puppet'
$rundir = '/var/run/puppet'
$ssldir = '/var/puppet/ssl'
$vardir = '/var/puppet'
$sharedir = '/usr/local/share/puppet'
$bindir = '/usr/local/bin'
$root_group = undef
$server_puppetserver_dir = undef
$server_puppetserver_vardir = '/var/puppet'
$server_ruby_load_paths = []
$server_jruby_gem_home = undef
}
default : {
if $aio_package {
$dir = '/etc/puppetlabs/puppet'
$codedir = '/etc/puppetlabs/code'
$logdir = '/var/log/puppetlabs/puppet'
$rundir = '/var/run/puppetlabs'
$ssldir = '/etc/puppetlabs/puppet/ssl'
$vardir = '/opt/puppetlabs/puppet/cache'
$sharedir = '/opt/puppetlabs/puppet'
$bindir = '/opt/puppetlabs/bin'
$server_puppetserver_dir = '/etc/puppetlabs/puppetserver'
$server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver'
$server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby']
$server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
} else {
$dir = '/etc/puppet'
$codedir = $deb_naio_package ? {
true => '/etc/puppet/code',
false => '/etc/puppet',
}
$logdir = '/var/log/puppet'
$rundir = '/var/run/puppet'
$ssldir = '/var/lib/puppet/ssl'
$vardir = '/var/lib/puppet'
$sharedir = '/usr/share/puppet'
$bindir = '/usr/bin'
$server_puppetserver_dir = '/etc/puppetserver'
$server_puppetserver_vardir = $vardir
$server_ruby_load_paths = []
$server_jruby_gem_home = '/var/lib/puppet/jruby-gems'
}
$root_group = undef
}
}
if versioncmp($::puppetversion, '4.0') < 0 {
$configtimeout = 120
} else {
$configtimeout = undef
}
- $autosign = "${dir}/autosign.conf"
- $autosign_mode = '0664'
+ $autosign = "${dir}/autosign.conf"
+ $autosign_entries = []
+ $autosign_mode = '0664'
$puppet_cmd = "${bindir}/puppet"
$manage_packages = true
if $aio_package and $::osfamily != 'Windows' {
$dir_owner = 'root'
$dir_group = $root_group
} elsif $::osfamily == 'Windows' {
$dir_owner = undef
$dir_group = undef
} else {
$dir_owner = $user
$dir_group = $group
}
$package_provider = $::osfamily ? {
'windows' => 'chocolatey',
default => undef,
}
$package_source = undef
# Need your own config templates? Specify here:
$main_template = 'puppet/puppet.conf.erb'
$agent_template = 'puppet/agent/puppet.conf.erb'
$auth_template = 'puppet/auth.conf.erb'
# Allow any to the CRL. Needed in case of puppet CA proxy
$allow_any_crl_auth = false
# Authenticated nodes to allow
$auth_allowed = ['$1']
# Will this host be a puppet agent ?
$agent = true
$remove_lock = true
$client_certname = $::clientcert
# Custom puppetmaster
if defined('$trusted') and $::trusted['authenticated'] == 'local' {
$puppetmaster = undef
} else {
$puppetmaster = $::puppetmaster
}
# Hashes containing additional settings
$additional_settings = {}
$agent_additional_settings = {}
$server_additional_settings = {}
# Will this host be a puppetmaster?
$server = false
$server_ca = true
$server_reports = 'foreman'
$server_passenger = true
$server_service_fallback = true
$server_passenger_min_instances = $::processorcount
$server_passenger_pre_start = true
$server_passenger_ruby = undef
$server_httpd_service = 'httpd'
$server_external_nodes = "${dir}/node.rb"
$server_enc_api = 'v2'
$server_report_api = 'v2'
$server_request_timeout = 60
$server_ca_proxy = undef
$server_certname = $::clientcert
$server_strict_variables = false
$server_rack_arguments = []
$server_http = false
$server_http_port = 8139
$server_http_allow = []
# use puppetserver (JVM) or puppet master (Ruby)?
$server_implementation = $aio_package ? {
true => 'puppetserver',
default => 'master',
}
# Need a new master template for the server?
$server_template = 'puppet/server/puppet.conf.erb'
# Template for server settings in [main]
$server_main_template = 'puppet/server/puppet.conf.main.erb'
# The script that is run to determine the reported manifest version. Undef
# means we determine it in server.pp
$server_config_version = undef
# Set 'false' for static environments, or 'true' for git-based workflow
$server_git_repo = false
# Git branch to puppet env mapping for the post receive hook
$server_git_branch_map = {}
# Static environments config, ignore if the git_repo or dynamic_environments is 'true'
# What environments do we have
$server_environments = ['development', 'production']
# Dynamic environments config (deprecated when directory_environments is true)
$server_dynamic_environments = false
# Directory environments config
$server_directory_environments = versioncmp($::puppetversion, '3.6.0') >= 0
# Owner of the environments dir: for cases external service needs write
# access to manage it.
$server_environments_owner = $user
$server_environments_group = $root_group
$server_environments_mode = '0755'
# Where we store our puppet environments
$server_envs_dir = "${codedir}/environments"
$server_envs_target = undef
# Modules in this directory would be shared across all environments
$server_common_modules_path = ["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules"]
# Dynamic environments config, ignore if the git_repo is 'false'
# Path to the repository
$server_git_repo_path = "${vardir}/puppet.git"
# mode of the repository
$server_git_repo_mode = '0755'
# user of the repository
$server_git_repo_user = $user
# group of the repository
$server_git_repo_group = $user
# Override these if you need your own hooks
$server_post_hook_content = 'puppet/server/post-receive.erb'
$server_post_hook_name = 'post-receive'
# PuppetDB config
$server_puppetdb_host = undef
$server_puppetdb_port = 8081
$server_puppetdb_swf = false
# Do you use storeconfigs? (note: not required)
# - undef if you don't
# - active_record for 2.X style db
# - puppetdb for puppetdb
$server_storeconfigs_backend = undef
# Passenger config
$server_app_root = "${dir}/rack"
$server_ssl_dir = $ssldir
$server_package = undef
$server_version = undef
if $aio_package {
$client_package = ['puppet-agent']
} elsif ($::osfamily == 'Debian') {
$client_package = $deb_naio_package ? {
true => ['puppet-agent', 'puppet'],
default => ['puppet-common', 'puppet']
}
} elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) {
if (versioncmp($::puppetversion, '4.0') > 0) {
$client_package = ['puppet4']
} else {
$client_package = ['puppet38']
}
} else {
$client_package = ['puppet']
}
$puppetrun_cmd = "${puppet_cmd} kick"
$puppetca_cmd = "${puppet_cmd} cert"
# Puppet service name
$service_name = $deb_naio_package ? {
true => 'puppet-agent',
default => 'puppet'
}
# Puppet onedshot systemd service and timer name
$systemd_unit_name = 'puppet-run'
# Mechanisms to manage and reload/restart the agent
# If supported on the OS, reloading is prefered since it does not kill a currently active puppet run
case $::osfamily {
'Debian' : {
$agent_restart_command = "/usr/sbin/service ${service_name} reload"
if ($::operatingsystem == 'Debian') and (versioncmp($::operatingsystemrelease, '8.0') >= 0) or
($::operatingsystem == 'Ubuntu') and (versioncmp($::operatingsystemrelease, '15.04') >= 0)
{
$unavailable_runmodes = []
} else {
$unavailable_runmodes = ['systemd.timer']
}
}
'Redhat' : {
$osreleasemajor = regsubst($::operatingsystemrelease, '^(\d+)\..*$', '\1') # workaround for the possibly missing operatingsystemmajrelease
$agent_restart_command = $osreleasemajor ? {
/^(5|6)$/ => "/sbin/service ${service_name} reload",
'7' => "/usr/bin/systemctl reload-or-restart ${service_name}",
default => undef,
}
$unavailable_runmodes = $osreleasemajor ? {
/^(5|6)$/ => ['systemd.timer'],
default => [],
}
}
'Windows': {
$agent_restart_command = undef
$unavailable_runmodes = ['cron', 'systemd.timer']
}
default : {
$agent_restart_command = undef
$unavailable_runmodes = ['systemd.timer']
}
}
# Foreman parameters
$lower_fqdn = downcase($::fqdn)
$server_foreman = true
$server_facts = true
$server_puppet_basedir = $aio_package ? {
true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet',
false => undef,
}
$server_foreman_url = "https://${lower_fqdn}"
$server_foreman_ssl_ca = undef
$server_foreman_ssl_cert = undef
$server_foreman_ssl_key = undef
# Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser
$server_parser = 'current'
# Timeout for cached environments, changed in puppet 3.7.x
$server_environment_timeout = undef
# puppet server configuration file
$server_jvm_config = $::osfamily ? {
'RedHat' => '/etc/sysconfig/puppetserver',
'Debian' => '/etc/default/puppetserver',
default => '/etc/default/puppetserver',
}
$server_jvm_java_bin = '/usr/bin/java'
$server_jvm_min_heap_size = '2G'
$server_jvm_max_heap_size = '2G'
$server_jvm_extra_args = '-XX:MaxPermSize=256m'
$server_ssl_dir_manage = true
$server_default_manifest = false
$server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp'
$server_default_manifest_content = '' # lint:ignore:empty_string_assignment
$server_max_active_instances = $::processorcount
$server_idle_timeout = 1200000
$server_connect_timeout = 120000
$server_enable_ruby_profiler = false
$server_ca_auth_required = true
$server_admin_api_whitelist = [ '127.0.0.1', '::1', $::ipaddress ]
$server_ca_client_whitelist = [ '127.0.0.1', '::1', $::ipaddress ]
$server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
$server_ssl_protocols = [ 'TLSv1.2', ]
# Puppetserver >= 2.2 Which auth.conf shall we use?
$server_use_legacy_auth_conf = false
# For puppetserver 2, certain configuration parameters are version specific. We assume a particular version here.
$server_puppetserver_version = '2.5.0'
}
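Review bot: The new `$autosign_entries = []` default makes autosign.conf a module-managed allowlist of identities that get certificates without review, yet the `$autosign_mode = '0664'` default kept two lines below leaves that file group-writable, and the same puppet group is the one the module opens private keys to "for foreman, proxy etc." in server/config.pp; if autosign.conf is group-owned like the rest of the server config, any member of that group could append a glob and have arbitrary CSRs signed. Consider a non-group-writable default such as `$autosign_mode = '0644'` (or `'0755'` where `$autosign` points at a script), or a comment stating why group write is required. The new line would also benefit from a comment, e.g. `# Certnames or domain globs written to autosign.conf (presumably only when $autosign is a file path, not a boolean)`.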
diff --git a/manifests/server.pp b/manifests/server.pp
index 06d99b3..072d957 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,574 +1,581 @@
# == Class: puppet::server
#
# Sets up a puppet master.
#
# == puppet::server parameters
#
# $autosign:: If set to a boolean, autosign is enabled or disabled
# for all incoming requests. Otherwise this has to be
# set to the full file path of an autosign.conf file or
# an autosign script. If this is set to a script, make
# sure that script considers the content of autosign.conf
# as otherwise Foreman functionality might be broken.
#
+# $autosign_entries:: A list of certnames or domain name globs
+# whose certificate requests will automatically be signed.
+# Defaults to an empty Array.
+# type: array
+#
# $autosign_mode:: mode of the autosign file/script
#
# $hiera_config:: The hiera configuration file.
# type:string
#
# $user:: Name of the puppetmaster user.
# type:string
#
# $group:: Name of the puppetmaster group.
# type:string
#
# $dir:: Puppet configuration directory
# type:string
#
# $ip:: Bind ip address of the puppetmaster
# type:string
#
# $port:: Puppet master port
# type:integer
#
# $ca:: Provide puppet CA
# type:boolean
#
# $http:: Should the puppet master listen on HTTP as well as HTTPS.
# Useful for load balancer or reverse proxy scenarios. Note that
# the HTTP puppet master denies access from all clients by default,
# allowed clients must be specified with $http_allow.
# type:boolean
#
# $http_port:: Puppet master HTTP port; defaults to 8139.
# type:integer
#
# $http_allow:: Array of allowed clients for the HTTP puppet master. Passed
# to Apache's 'Allow' directive.
# type:array
#
# $reports:: List of report types to include on the puppetmaster
# type:string
#
# $implementation:: Puppet master implementation, either "master" (traditional
# Ruby) or "puppetserver" (JVM-based)
# type:string
#
# $passenger:: If set to true, we will configure apache with
# passenger. If set to false, we will enable the
# default puppetmaster service unless
# service_fallback is set to false. See 'Advanced
# server parameters' for more information.
# Only applicable when server_implementation is "master".
# type:boolean
#
# $external_nodes:: External nodes classifier executable
# type:string
#
# $template:: Which template should be used for master
# configuration
# type:string
#
# $main_template:: Which template should be used for master
# related configuration in the [main] section
# type:string
#
# $git_repo:: Use git repository as a source of modules
# type:boolean
#
# $dynamic_environments:: Use $environment in the modulepath
# Deprecated when $directory_environments is true,
# set $environments to [] instead.
# type:boolean
#
# $directory_environments:: Enable directory environments, defaulting to true
# with Puppet 3.6.0 or higher
# type:boolean
#
# $environments:: Environments to setup (creates directories).
# Applies only when $dynamic_environments
# is false
# type:array
#
# $environments_owner:: The owner of the environments directory
# type:string
#
# $environments_group:: The group owning the environments directory
# type:string
#
# $environments_mode:: Environments directory mode.
# type:string
#
# $envs_dir:: Directory that holds puppet environments
# type:string
#
# $envs_target:: Indicates that $envs_dir should be
# a symbolic link to this target
# type:string
#
# $common_modules_path:: Common modules paths (only when
# $git_repo_path and $dynamic_environments
# are false)
# type:array
#
# $git_repo_path:: Git repository path
# type:string
#
# $git_repo_mode:: Git repository mode
# type:string
#
# $git_repo_group:: Git repository group
# type:string
#
# $git_repo_user:: Git repository user
# type:string
#
# $git_branch_map:: Git branch to puppet env mapping for the
# default post receive hook
# type:hash
#
# $post_hook_content:: Which template to use for git post hook
# type:string
#
# $post_hook_name:: Name of a git hook
# type:string
#
# $storeconfigs_backend:: Do you use storeconfigs? (note: not required)
# false if you don't, "active_record" for 2.X
# style db, "puppetdb" for puppetdb
# type:string
#
# $app_root:: Directory where the application lives
# type:string
#
# $ssl_dir:: SSL directory
# type:string
#
# $package:: Custom package name for puppet master
# type:string
#
# $version:: Custom package version for puppet master
# type:string
#
# $certname:: The name to use when handling certificates.
# type:string
#
# $strict_variables:: if set to true, it will throw parse errors
# when accessing undeclared variables.
# type:boolean
#
# $additional_settings:: A hash of additional settings.
# Example: {trusted_node_data => true, ordering => 'manifest'}
# type:hash
#
# $rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and
# --vardir. The default is an empty array.
# type:array
#
# $puppetdb_host:: PuppetDB host
# type:string
#
# $puppetdb_port:: PuppetDB port
# type:integer
#
# $puppetdb_swf:: PuppetDB soft_write_failure
# type:boolean
#
# $parser:: Sets the parser to use. Valid options are 'current' or 'future'.
# Defaults to 'current'.
# type:string
#
# === Advanced server parameters:
#
# $httpd_service:: Apache/httpd service name to notify
# on configuration changes. Defaults
# to 'httpd' based on the default
# apache module included with foreman-installer.
# type:string
#
# $service_fallback:: If passenger is not used, do we want to fallback
# to using the puppetmaster service? Set to false
# if you disabled passenger and you do NOT want to
# use the puppetmaster service. Defaults to true.
# type:boolean
#
# $passenger_min_instances:: The PassengerMinInstances parameter. Sets the
# minimum number of application processes to run.
# Defaults to the number of processors on your
# system.
# type:integer
#
# $passenger_pre_start:: Pre-start the first passenger worker instance
# process during httpd start.
# type:boolean
#
# $passenger_ruby:: The PassengerRuby parameter. Sets the Ruby
# interpreter for serving the puppetmaster rack
# application.
# type:string
#
# $config_version:: How to determine the configuration version. When
# using git_repo, by default a git describe
# approach will be installed.
# type:string
#
# $server_facts:: Should foreman receive facts from puppet
# type:boolean
#
# $foreman:: Should foreman integration be installed
# type:boolean
#
# $foreman_url:: Foreman URL
# type:string
#
# $foreman_ssl_ca:: SSL CA of the Foreman server
# type:string
#
# $foreman_ssl_cert:: Client certificate for authenticating against Foreman server
# type:string
#
# $foreman_ssl_key:: Key for authenticating against Foreman server
# type:string
#
# $puppet_basedir:: Where is the puppet code base located
# type:string
#
# $enc_api:: What version of enc script to deploy. Valid
# values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
# type:string
#
# $report_api:: What version of report processor to deploy.
# Valid values are 'v2' for latest, and 'v1'
# for Foreman =< 1.2
# type:string
#
# $request_timeout:: Timeout in node.rb script for fetching
# catalog from Foreman (in seconds).
# type:integer
#
# $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...)
# type:string
#
# $ca_proxy:: The actual server that handles puppet CA.
# Setting this to anything non-empty causes
# the apache vhost to set up a proxy for all
# certificates pointing to the value.
# type:string
#
# $jvm_java_bin:: Set the default java to use.
# type:string
#
# $jvm_config:: Specify the puppetserver jvm configuration file.
# type:string
#
# $jvm_min_heap_size:: Specify the minimum jvm heap space.
# type:string
#
# $jvm_max_heap_size:: Specify the maximum jvm heap space.
# type:string
#
# $jvm_extra_args:: Additional java options to pass through.
# This can be used for Java versions prior to
# Java 8 to specify the max perm space to use:
# For example: '-XX:MaxPermSpace=128m'.
# type:string
#
# $jruby_gem_home:: Where jruby gems are located for puppetserver
# type:string
#
# $allow_any_crl_auth:: Allow any authentication for the CRL. This
# is needed on the puppet CA to accept clients
# from a the puppet CA proxy.
# type:boolean
#
# $auth_allowed:: An array of authenticated nodes allowed to
# access all catalog and node endpoints.
# default to ['$1']
# type:array
#
# $default_manifest:: Toggle if default_manifest setting should
# be added to the [main] section
# type:boolean
#
# $default_manifest_path:: A string setting the path to the default_manifest
# type:string
#
# $default_manifest_content:: A string to set the content of the default_manifest
# If set to '' it will not manage the file
# type:string
#
# $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master]
# configuration section. This is necessary to
# disable in case CA is delegated to a separate instance
# type:boolean
#
# $puppetserver_vardir:: The path of the puppetserver var dir
# type:string
#
# $puppetserver_dir:: The path of the puppetserver config dir
# type:string
#
# $puppetserver_version:: The version of puppetserver 2 installed (or being installed)
# Unfortunately, different versions of puppetserver need configuring differently,
# and there's no easy way of determining which version is being installed.
# Defaults to '2.3.1' but can be overriden if you're installing an older version.
# type:string
#
# $max_active_instances:: Max number of active jruby instances. Defaults to
# processor count
# type:integer
#
# $idle_timeout:: How long the server will wait for a response on an existing connection
# type:integer
#
# $connect_timeout:: How long the server will wait for a response to a connection attempt
# type:integer
#
# $ssl_protocols:: Array of SSL protocols to use.
# Defaults to [ 'TLSv1.2' ]
# type:array
#
# $cipher_suites:: List of SSL ciphers to use in negotiation
# Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA',
# 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
# type:array
#
# $ruby_load_paths:: List of ruby paths
# Defaults based on $::puppetversion
# type:array
#
# $ca_client_whitelist:: The whitelist of client certificates that
# can query the certificate-status endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
# type:array
#
# $admin_api_whitelist:: The whitelist of clients that
# can query the puppet-admin-api endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
# type:array
#
# $enable_ruby_profiler:: Should the puppetserver ruby profiler be enabled?
# Defaults to false
# type:boolean
#
# $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api
# Defaults to true
# type:boolean
#
# $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf?
# Defaults to false (the puppetserver will use its own conf.d/auth.conf)
# type:boolean
#
class puppet::server(
$autosign = $::puppet::autosign,
+ $autosign_entries = $::puppet::autosign_entries,
$autosign_mode = $::puppet::autosign_mode,
$hiera_config = $::puppet::hiera_config,
$admin_api_whitelist = $::puppet::server_admin_api_whitelist,
$user = $::puppet::server_user,
$group = $::puppet::server_group,
$dir = $::puppet::server_dir,
$port = $::puppet::server_port,
$ip = $::puppet::server_ip,
$ca = $::puppet::server_ca,
$ca_auth_required = $::puppet::server_ca_auth_required,
$ca_client_whitelist = $::puppet::server_ca_client_whitelist,
$http = $::puppet::server_http,
$http_port = $::puppet::server_http_port,
$http_allow = $::puppet::server_http_allow,
$reports = $::puppet::server_reports,
$implementation = $::puppet::server_implementation,
$passenger = $::puppet::server_passenger,
$puppetserver_vardir = $::puppet::server_puppetserver_vardir,
$puppetserver_dir = $::puppet::server_puppetserver_dir,
$puppetserver_version = $::puppet::server_puppetserver_version,
$service_fallback = $::puppet::server_service_fallback,
$passenger_min_instances = $::puppet::server_passenger_min_instances,
$passenger_pre_start = $::puppet::server_passenger_pre_start,
$passenger_ruby = $::puppet::server_passenger_ruby,
$httpd_service = $::puppet::server_httpd_service,
$external_nodes = $::puppet::server_external_nodes,
$template = $::puppet::server_template,
$main_template = $::puppet::server_main_template,
$cipher_suites = $::puppet::server_cipher_suites,
$config_version = $::puppet::server_config_version,
$connect_timeout = $::puppet::server_connect_timeout,
$git_repo = $::puppet::server_git_repo,
$dynamic_environments = $::puppet::server_dynamic_environments,
$directory_environments = $::puppet::server_directory_environments,
$default_manifest = $::puppet::server_default_manifest,
$default_manifest_path = $::puppet::server_default_manifest_path,
$default_manifest_content = $::puppet::server_default_manifest_content,
$enable_ruby_profiler = $::puppet::server_enable_ruby_profiler,
$environments = $::puppet::server_environments,
$environments_owner = $::puppet::server_environments_owner,
$environments_group = $::puppet::server_environments_group,
$environments_mode = $::puppet::server_environments_mode,
$envs_dir = $::puppet::server_envs_dir,
$envs_target = $::puppet::server_envs_target,
$common_modules_path = $::puppet::server_common_modules_path,
$git_repo_mode = $::puppet::server_git_repo_mode,
$git_repo_path = $::puppet::server_git_repo_path,
$git_repo_group = $::puppet::server_git_repo_group,
$git_repo_user = $::puppet::server_git_repo_user,
$git_branch_map = $::puppet::server_git_branch_map,
$idle_timeout = $::puppet::server_idle_timeout,
$post_hook_content = $::puppet::server_post_hook_content,
$post_hook_name = $::puppet::server_post_hook_name,
$storeconfigs_backend = $::puppet::server_storeconfigs_backend,
$app_root = $::puppet::server_app_root,
$ruby_load_paths = $::puppet::server_ruby_load_paths,
$ssl_dir = $::puppet::server_ssl_dir,
$ssl_dir_manage = $::puppet::server_ssl_dir_manage,
$ssl_protocols = $::puppet::server_ssl_protocols,
$package = $::puppet::server_package,
$version = $::puppet::server_version,
$certname = $::puppet::server_certname,
$enc_api = $::puppet::server_enc_api,
$report_api = $::puppet::server_report_api,
$request_timeout = $::puppet::server_request_timeout,
$ca_proxy = $::puppet::server_ca_proxy,
$strict_variables = $::puppet::server_strict_variables,
$additional_settings = $::puppet::server_additional_settings,
$rack_arguments = $::puppet::server_rack_arguments,
$foreman = $::puppet::server_foreman,
$foreman_url = $::puppet::server_foreman_url,
$foreman_ssl_ca = $::puppet::server_foreman_ssl_ca,
$foreman_ssl_cert = $::puppet::server_foreman_ssl_cert,
$foreman_ssl_key = $::puppet::server_foreman_ssl_key,
$server_facts = $::puppet::server_facts,
$puppet_basedir = $::puppet::server_puppet_basedir,
$puppetdb_host = $::puppet::server_puppetdb_host,
$puppetdb_port = $::puppet::server_puppetdb_port,
$puppetdb_swf = $::puppet::server_puppetdb_swf,
$parser = $::puppet::server_parser,
$environment_timeout = $::puppet::server_environment_timeout,
$jvm_java_bin = $::puppet::server_jvm_java_bin,
$jvm_config = $::puppet::server_jvm_config,
$jvm_min_heap_size = $::puppet::server_jvm_min_heap_size,
$jvm_max_heap_size = $::puppet::server_jvm_max_heap_size,
$jvm_extra_args = $::puppet::server_jvm_extra_args,
$jruby_gem_home = $::puppet::server_jruby_gem_home,
$max_active_instances = $::puppet::server_max_active_instances,
$use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf,
) {
validate_bool($ca)
validate_bool($http)
validate_bool($passenger)
validate_bool($git_repo)
validate_bool($service_fallback)
validate_bool($server_facts)
validate_bool($strict_variables)
validate_bool($foreman)
validate_bool($puppetdb_swf)
validate_bool($default_manifest)
validate_bool($ssl_dir_manage)
validate_bool($passenger_pre_start)
validate_integer($passenger_min_instances)
validate_hash($additional_settings)
if $default_manifest {
validate_absolute_path($default_manifest_path)
validate_string($default_manifest_content)
}
validate_string($hiera_config)
validate_string($external_nodes)
if $ca_proxy {
validate_string($ca_proxy)
}
if $puppetdb_host {
validate_string($puppetdb_host)
}
if $http {
validate_array($http_allow)
}
if ! is_bool($autosign) {
validate_absolute_path($autosign)
validate_string($autosign_mode)
+ validate_array($autosign_entries)
}
validate_array($rack_arguments)
validate_re($implementation, '^(master|puppetserver)$')
validate_re($parser, '^(current|future)$')
if $environment_timeout {
validate_re($environment_timeout, '^(unlimited|0|[0-9]+[smh]{1})$')
}
if $implementation == 'puppetserver' {
validate_re($jvm_min_heap_size, '^[0-9]+[kKmMgG]$')
validate_re($jvm_max_heap_size, '^[0-9]+[kKmMgG]$')
validate_absolute_path($puppetserver_dir)
validate_absolute_path($puppetserver_vardir)
validate_absolute_path($jruby_gem_home)
validate_integer($max_active_instances)
validate_integer($idle_timeout)
validate_integer($connect_timeout)
validate_array($ssl_protocols)
validate_array($cipher_suites)
validate_array($ruby_load_paths)
validate_array($ca_client_whitelist)
validate_array($admin_api_whitelist)
validate_bool($enable_ruby_profiler)
validate_bool($ca_auth_required)
validate_bool($use_legacy_auth_conf)
validate_re($puppetserver_version, '^[\d]\.[\d]+\.[\d]+$')
} else {
if $ip != $puppet::params::ip {
notify {
'ip_not_supported':
message => "Bind IP address is unsupported for the ${implementation} implementation.",
loglevel => 'warning',
}
}
}
if $ca {
$ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem"
$ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem"
$ssl_chain = "${ssl_dir}/ca/ca_crt.pem"
} else {
$ssl_ca_cert = "${ssl_dir}/certs/ca.pem"
$ssl_ca_crl = false
$ssl_chain = false
}
$ssl_cert = "${ssl_dir}/certs/${certname}.pem"
$ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem"
if $config_version == undef {
if $git_repo {
$config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long"
} else {
$config_version_cmd = undef
}
} else {
$config_version_cmd = $config_version
}
if $implementation == 'master' {
$pm_service = !$passenger and $service_fallback
$ps_service = undef
} elsif $implementation == 'puppetserver' {
$pm_service = undef
$ps_service = true
}
class { '::puppet::server::install': }~>
class { '::puppet::server::config': }~>
class { '::puppet::server::service':
puppetmaster => $pm_service,
puppetserver => $ps_service,
}->
Class['puppet::server']
Class['puppet::config'] ~> Class['puppet::server::service']
}
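Review bot: `validate_array($autosign_entries)` is placed inside `if ! is_bool($autosign)`, so a malformed value passes unchecked whenever `$autosign` is a boolean, and entries supplied together with `$autosign = true` or `false` are dropped without notice; hoist the check above the conditional and reject the ambiguous combination, `validate_array($autosign_entries)` followed by `if is_bool($autosign) and !empty($autosign_entries) { fail('autosign_entries requires $autosign to be a file path') }`. The new parameter documentation should also carry the caveat that the certname in a CSR is chosen by the requester, so a domain glob such as `*.example.com` lets any host that can reach the master obtain a signed certificate for a matching name and, with it, that node's catalog; e.g. `# WARNING: globs match the requester-supplied certname, so prefer exact certnames or an autosign policy script.` Whether the entries are also written when `$autosign` names a script (which the `$autosign` doc allows) cannot be seen here, since the server/config.pp hunk is cut off.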
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index f176c17..552fbf2 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -1,226 +1,231 @@
# Set up the puppet server config
class puppet::server::config inherits puppet::config {
if $::puppet::server::passenger and $::puppet::server::implementation == 'master' {
# Anchor the passenger config inside this
class { '::puppet::server::passenger': } -> Class['puppet::server::config']
}
if $::puppet::server::implementation == 'puppetserver' {
include ::puppet::server::puppetserver
anchor {'::puppet::server::puppetserver_start': } ->
Class['::puppet::server::puppetserver'] ~>
anchor {'::puppet::server::puppetserver_end': }
}
# Mirror the relationship, as defined() is parse-order dependent
# Ensures puppetmasters certs are generated before the proxy is needed
if defined(Class['foreman_proxy::config']) and $foreman_proxy::ssl {
Class['puppet::server::config'] ~> Class['foreman_proxy::config']
Class['puppet::server::config'] ~> Class['foreman_proxy::service']
}
## General configuration
$ca_server = $::puppet::ca_server
$ca_port = $::puppet::ca_port
$server_storeconfigs_backend = $::puppet::server::storeconfigs_backend
$server_external_nodes = $::puppet::server::external_nodes
$server_environment_timeout = $::puppet::server::environment_timeout
if $server_external_nodes and $server_external_nodes != '' {
$server_node_terminus = 'exec'
} else {
$server_node_terminus = 'plain'
}
concat::fragment { 'puppet.conf+30-master':
target => "${::puppet::dir}/puppet.conf",
content => template($::puppet::server::template),
order => '30',
}
concat::fragment { 'puppet.conf+15-main-master':
target => "${::puppet::dir}/puppet.conf",
content => template($::puppet::server::main_template),
order => '15',
}
file { "${puppet::vardir}/reports":
ensure => directory,
owner => $::puppet::server::user,
group => $::puppet::server::group,
mode => '0750',
}
## SSL and CA configuration
# Open read permissions to private keys to puppet group for foreman, proxy etc.
file { "${::puppet::server::ssl_dir}/private_keys":
ensure => directory,
owner => $::puppet::server::user,
group => $::puppet::server::group,
mode => '0750',
require => Exec['puppet_server_config-create_ssl_dir'],
}
file { "${::puppet::server::ssl_dir}/private_keys/${::puppet::server::certname}.pem":
owner => $::puppet::server::user,
group => $::puppet::server::group,
mode => '0640',
}
# 3.4.0+ supports umask
if versioncmp($::puppetversion, '3.4.0') >= 0 {
# If the ssl dir is not the default dir, it needs to be created before running
# the generate ca cert or it will fail.
exec {'puppet_server_config-create_ssl_dir':
creates => $::puppet::server::ssl_dir,
command => "/bin/mkdir -p ${::puppet::server::ssl_dir}",
umask => '0022',
}
# Generate a new CA and host cert if our host cert doesn't exist
if $::puppet::server::ca {
exec {'puppet_server_config-generate_ca_cert':
creates => $::puppet::server::ssl_cert,
command => "${::puppet::puppetca_cmd} --generate ${::puppet::server::certname}",
umask => '0022',
require => [Concat["${::puppet::server::dir}/puppet.conf"],
Exec['puppet_server_config-create_ssl_dir'],
],
}
}
} else {
# Copy of above without umask for pre-3.4
exec {'puppet_server_config-create_ssl_dir':
creates => $::puppet::server::ssl_dir,
command => "/bin/mkdir -p ${::puppet::server::ssl_dir}",
}
if $::puppet::server::ca {
exec {'puppet_server_config-generate_ca_cert':
creates => $::puppet::server::ssl_cert,
command => "${::puppet::puppetca_cmd} --generate ${::puppet::server::certname}",
require => [Concat["${::puppet::server::dir}/puppet.conf"],
Exec['puppet_server_config-create_ssl_dir'],
],
}
}
}
if $::puppet::server::passenger and $::puppet::server::implementation == 'master' and $::puppet::server::ca {
Exec['puppet_server_config-generate_ca_cert'] ~> Service[$::puppet::server::httpd_service]
}
# autosign file
if $::puppet::server_ca and ! is_bool($puppet::autosign) {
file { $puppet::autosign:
ensure => file,
owner => $puppet::user,
group => $puppet::group,
mode => $puppet::autosign_mode,
}
+ if !empty($puppet::autosign_entries) {
+ File[$puppet::autosign] {
+ content => template('puppet/server/autosign.conf.erb'),
+ }
+ }
}
# only manage this file if we provide content
if $::puppet::server::default_manifest and $::puppet::server::default_manifest_content != '' {
file { $::puppet::server::default_manifest_path:
ensure => file,
owner => $puppet::user,
group => $puppet::group,
mode => '0644',
content => $::puppet::server::default_manifest_content,
}
}
## Environments
# location where our puppet environments are located
if $::puppet::server::envs_target and $::puppet::server::envs_target != '' {
$ensure = 'link'
} else {
$ensure = 'directory'
}
file { $::puppet::server::envs_dir:
ensure => $ensure,
owner => $::puppet::server::environments_owner,
group => $::puppet::server::environments_group,
mode => $::puppet::server::environments_mode,
target => $::puppet::server::envs_target,
force => true,
}
if $::puppet::server::git_repo {
# need to chown the $vardir before puppet does it, or else
# we can't write puppet.git/ on the first run
include ::git
git::repo { 'puppet_repo':
bare => true,
target => $::puppet::server::git_repo_path,
mode => $::puppet::server::git_repo_mode,
user => $::puppet::server::git_repo_user,
group => $::puppet::server::git_repo_group,
require => File[$::puppet::server::envs_dir],
}
$git_branch_map = $::puppet::server::git_branch_map
# git post hook to auto generate an environment per branch
file { "${::puppet::server::git_repo_path}/hooks/${::puppet::server::post_hook_name}":
content => template($::puppet::server::post_hook_content),
owner => $::puppet::server::git_repo_user,
group => $::puppet::server::git_repo_group,
mode => $::puppet::server::git_repo_mode,
require => Git::Repo['puppet_repo'],
}
}
elsif ! $::puppet::server::dynamic_environments {
file { $puppet::sharedir:
ensure => directory,
}
if $puppet::server_common_modules_path and $puppet::server_common_modules_path != '' {
file { $puppet::server_common_modules_path:
ensure => directory,
owner => $::puppet::server_environments_owner,
group => $::puppet::server_environments_group,
mode => $::puppet::server_environments_mode,
}
}
# setup empty directories for our environments
puppet::server::env {$::puppet::server::environments: }
}
## Foreman
if $::puppet::server::foreman {
# Include foreman components for the puppetmaster
# ENC script, reporting script etc.
anchor { 'puppet::server::config_start': } ->
class {'::foreman::puppetmaster':
foreman_url => $::puppet::server::foreman_url,
receive_facts => $::puppet::server::server_facts,
puppet_home => $::puppet::server::puppetserver_vardir,
puppet_basedir => $::puppet::server::puppet_basedir,
puppet_etcdir => $puppet::dir,
enc_api => $::puppet::server::enc_api,
report_api => $::puppet::server::report_api,
timeout => $::puppet::server::request_timeout,
ssl_ca => pick($::puppet::server::foreman_ssl_ca, $::puppet::server::ssl_ca_cert),
ssl_cert => pick($::puppet::server::foreman_ssl_cert, $::puppet::server::ssl_cert),
ssl_key => pick($::puppet::server::foreman_ssl_key, $::puppet::server::ssl_cert_key),
} ~> anchor { 'puppet::server::config_end': }
}
## PuppetDB
if $::puppet::server::puppetdb_host {
class { '::puppetdb::master::config':
puppetdb_server => $::puppet::server::puppetdb_host,
puppetdb_port => $::puppet::server::puppetdb_port,
puppetdb_soft_write_failure => $::puppet::server::puppetdb_swf,
manage_storeconfigs => false,
restart_puppet => false,
}
Class['puppetdb::master::puppetdb_conf'] ~> Class['puppet::server::service']
}
}
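Review bot: The `!empty($puppet::autosign_entries)` guard around the new `File[$puppet::autosign]` override means that once entries have been written and the parameter is later set back to `[]`, `content` is no longer managed and the previously deployed hostnames/globs stay in `autosign.conf`, still authorising automatic certificate signing. Since this file is effectively a CA trust policy, it is safer to manage `content` whenever the parameter is an array and let the template emit only the header when the list is empty, or to document in the parameter description that clearing the list does not remove existing entries. I cannot see where `autosign_entries` is validated (the `puppet` class parameter block is outside this hunk); a `validate_array` there, plus a comment next to the override such as `# entries are hostnames or globs; a wildcard grants any matching CSR a signed cert without review`, would make the risk visible to operators.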
diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
index e8405b0..da2572b 100644
--- a/spec/classes/puppet_server_config_spec.rb
+++ b/spec/classes/puppet_server_config_spec.rb
@@ -1,616 +1,648 @@
require 'spec_helper'
describe 'puppet::server::config' do
on_supported_os.each do |os, os_facts|
next if only_test_os() and not only_test_os.include?(os)
next if exclude_test_os() and exclude_test_os.include?(os)
next if os_facts[:osfamily] == 'windows'
context "on #{os}" do
let (:default_facts) do
os_facts.merge({
:clientcert => 'puppetmaster.example.com',
:concat_basedir => '/nonexistant',
:fqdn => 'puppetmaster.example.com',
:puppetversion => Puppet.version,
}) end
if Puppet.version < '4.0'
codedir = '/etc/puppet'
+ confdir = '/etc/puppet'
conf_file = '/etc/puppet/puppet.conf'
environments_dir = '/etc/puppet/environments'
logdir = '/var/log/puppet'
rundir = '/var/run/puppet'
vardir = '/var/lib/puppet'
puppetserver_vardir = '/var/lib/puppet'
ssldir = '/var/lib/puppet/ssl'
sharedir = '/usr/share/puppet'
etcdir = '/etc/puppet'
puppetcacmd = '/usr/bin/puppet cert'
additional_facts = {}
else
codedir = '/etc/puppetlabs/code'
+ confdir = '/etc/puppetlabs/puppet'
conf_file = '/etc/puppetlabs/puppet/puppet.conf'
environments_dir = '/etc/puppetlabs/code/environments'
logdir = '/var/log/puppetlabs/puppet'
rundir = '/var/run/puppetlabs'
vardir = '/opt/puppetlabs/puppet/cache'
puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver'
ssldir = '/etc/puppetlabs/puppet/ssl'
sharedir = '/opt/puppetlabs/puppet'
etcdir = '/etc/puppetlabs/puppet'
puppetcacmd = '/opt/puppetlabs/bin/puppet cert'
additional_facts = {:rubysitedir => '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0'}
end
if os_facts[:osfamily] == 'FreeBSD'
codedir = '/usr/local/etc/puppet'
+ confdir = '/usr/local/etc/puppet'
conf_file = '/usr/local/etc/puppet/puppet.conf'
environments_dir = '/usr/local/etc/puppet/environments'
logdir = '/var/log/puppet'
rundir = '/var/run/puppet'
vardir = '/var/puppet'
puppetserver_vardir = '/var/puppet'
ssldir = '/var/puppet/ssl'
sharedir = '/usr/local/share/puppet'
etcdir = '/usr/local/etc/puppet'
puppetcacmd = '/usr/local/bin/puppet cert'
additional_facts = {}
end
let(:facts) { default_facts.merge(additional_facts) }
describe 'with no custom parameters' do
let :pre_condition do
"class {'puppet': server => true}"
end
it 'should set up SSL permissions' do
should contain_file("#{ssldir}/private_keys").with({
:group => 'puppet',
:mode => '0750',
})
should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem").with({
:group => 'puppet',
:mode => '0640',
})
should contain_exec('puppet_server_config-create_ssl_dir').with({
:creates => ssldir,
:command => "/bin/mkdir -p #{ssldir}",
})
should contain_exec('puppet_server_config-generate_ca_cert').with({
:creates => "#{ssldir}/certs/puppetmaster.example.com.pem",
:command => "#{puppetcacmd} --generate puppetmaster.example.com",
:require => ["Concat[#{conf_file}]", "Exec[puppet_server_config-create_ssl_dir]"],
})
end
context 'with non-AIO packages', :if => (Puppet.version < '4.0' || os_facts[:osfamily] == 'FreeBSD') do
it 'CA cert generation should notify the Apache service' do
should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[httpd]')
end
end
context 'with AIO packages', :if => (Puppet.version > '4.0' && os_facts[:osfamily] != 'FreeBSD') do
it 'CA cert generation should notify the puppetserver service' do
should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]')
end
end
context 'on Puppet 3.4+', :if => (Puppet.version >= '3.4.0') do
it 'should set sane umask on execs' do
should contain_exec('puppet_server_config-create_ssl_dir').with_umask('0022')
should contain_exec('puppet_server_config-generate_ca_cert').with_umask('0022')
end
end
it 'should set up the ENC' do
should contain_class('foreman::puppetmaster').with({
:foreman_url => "https://puppetmaster.example.com",
:receive_facts => true,
:puppet_home => puppetserver_vardir,
:puppet_etcdir => etcdir,
# Since this is managed inside the foreman module it does not
# make sense to test it here
#:puppet_basedir => '/usr/lib/ruby/site_ruby/1.9/puppet',
:timeout => 60,
})
end
it 'should set up the environments' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_file(sharedir).with_ensure('directory')
should contain_file("#{codedir}/environments/common").with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_file("#{sharedir}/modules").with({
:ensure => 'directory',
:owner => 'puppet',
:group => nil,
:mode => '0755',
})
should contain_puppet__server__env('development')
should contain_puppet__server__env('production')
end
it 'should configure puppet' do
should contain_concat__fragment('puppet.conf+10-main').
with_content(/^\s+logdir\s+= #{logdir}$/).
with_content(/^\s+rundir\s+= #{rundir}$/).
with_content(/^\s+ssldir\s+= #{ssldir}$/).
with_content(/^\s+privatekeydir\s+= \$ssldir\/private_keys \{ group = service \}$/).
with_content(/^\s+hostprivkey\s+= \$privatekeydir\/\$certname.pem \{ mode = 640 \}$/).
with({}) # So we can use a trailing dot on each with_content line
should contain_concat__fragment('puppet.conf+15-main-master').
with_content(/^\s+reports\s+= foreman$/).
with({}) # So we can use a trailing dot on each with_content line
if Puppet.version >= '3.6'
should contain_concat__fragment('puppet.conf+15-main-master').
with_content(/^\s+environmentpath\s+= #{codedir}\/environments$/).
with_content(/^\s+basemodulepath\s+= #{codedir}\/environments\/common:#{codedir}\/modules:#{sharedir}\/modules$/).
with({}) # So we can use a trailing dot on each with_content line
end
should contain_concat__fragment('puppet.conf+20-agent').
with_content(/^\s+classfile\s+= \$statedir\/classes.txt/).
with({}) # So we can use a trailing dot on each with_content line
should contain_concat__fragment('puppet.conf+30-master').
with_content(/^\s+external_nodes\s+= #{etcdir}\/node.rb$/).
with_content(/^\s+node_terminus\s+= exec$/).
with_content(/^\s+ca\s+= true$/).
with_content(/^\s+ssldir\s+= #{ssldir}$/).
with_content(/^\s+parser\s+=\s+current$/).
with_content(/^\s+autosign\s+= #{etcdir}\/autosign.conf \{ mode = 0664 \}$/).
with({}) # So we can use a trailing dot on each with_content line
should contain_concat(conf_file)
should_not contain_file('/etc/puppet/puppet.conf').with_content(/storeconfigs/)
should contain_file("#{etcdir}/autosign.conf")
end
context 'on Puppet < 4.0.0', :if => (Puppet.version < '4.0.0') do
it 'should set configtimeout' do
should contain_concat__fragment('puppet.conf+20-agent').
with_content(/^\s+configtimeout\s+= 120$/)
end
end
context 'on Puppet >= 4.0.0', :if => (Puppet.version >= '4.0.0') do
it 'should not set configtimeout' do
should contain_concat__fragment('puppet.conf+20-agent').
without_content(/^\s+configtimeout\s+= 120$/)
end
end
it 'should not configure PuppetDB' do
should_not contain_class('puppetdb')
should_not contain_class('puppetdb::master::config')
end
end
describe "when autosign => true" do
let :pre_condition do
"class {'puppet':
server => true,
autosign => true,
}"
end
it 'should contain puppet.conf [main] with autosign = true' do
should contain_concat__fragment('puppet.conf+30-master').
with_content(/^\s+autosign\s+= true$/).
with({}) # So we can use a trailing dot on each with_content line
end
end
describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do
let :pre_condition do
"class {'puppet':
server => true,
autosign => '/somedir/custom_autosign',
autosign_mode => '664',
}"
end
it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 664 }' do
should contain_concat__fragment('puppet.conf+30-master').
with_content(/^\s+autosign\s+= \/somedir\/custom_autosign { mode = 664 }$/).
with({}) # So we can use a trailing dot on each with_content line
end
end
+ describe "when autosign_entries is not set" do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ }"
+ end
+
+ it 'should contain autosign.conf with out content set' do
+ should contain_file("#{confdir}/autosign.conf")
+ should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/)
+ should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/)
+ end
+ end
+
+ describe "when autosign_entries set to ['foo.bar']" do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ autosign_entries => ['foo.bar'],
+ }"
+ end
+
+ it 'should contain autosign.conf with content set' do
+ should contain_file("#{confdir}/autosign.conf")
+ should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/)
+ should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/)
+ end
+ end
+
describe "when hiera_config => '$confdir/hiera.yaml'" do
let :pre_condition do
"class {'puppet':
server => true,
hiera_config => '/etc/puppet/hiera/production/hiera.yaml',
}"
end
it 'should contain puppet.conf [main] with non-default hiera_config' do
should contain_concat__fragment('puppet.conf+15-main-master').
with_content(/^\s+hiera_config\s+= \/etc\/puppet\/hiera\/production\/hiera.yaml$/).
with({}) # So we can use a trailing dot on each with_content line
end
end
describe 'without foreman' do
let :pre_condition do
"class {'puppet':
server => true,
server_reports => 'store',
server_external_nodes => '',
}"
end
it 'should contain an empty external_nodes' do
should contain_concat__fragment('puppet.conf+30-master').with_content(/^\s+external_nodes\s+=\s+$/)
end
end
describe 'without external_nodes' do
let :pre_condition do
"class {'puppet':
server => true,
server_external_nodes => '',
}"
end
it 'should not contain external_nodes' do
should contain_concat__fragment('puppet.conf+30-master').
with_content(/^\s+external_nodes\s+= $/).
with_content(/^\s+node_terminus\s+= plain$/).
with({})
end
end
describe 'with server_default_manifest => true and undef content' do
let :pre_condition do
'class { "::puppet":
server_default_manifest => true,
server => true
}'
end
it 'should contain default_manifest setting in puppet.conf' do
should contain_concat__fragment('puppet.conf+15-main-master').with_content(/\s+default_manifest = \/etc\/puppet\/manifests\/default_manifest\.pp$/)
end
it 'should_not contain default manifest /etc/puppet/manifests/default_manifest.pp' do
should_not contain_file('/etc/puppet/manifests/default_manifest.pp')
end
end
describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do
let :pre_condition do
'class { "::puppet":
server_default_manifest => true,
server_default_manifest_content => "include foo",
server => true
}'
end
it 'should contain default_manifest setting in puppet.conf' do
should contain_concat__fragment('puppet.conf+15-main-master').with_content(/\s+default_manifest = \/etc\/puppet\/manifests\/default_manifest\.pp$/)
end
it 'should contain default manifest /etc/puppet/manifests/default_manifest.pp' do
should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content(/include foo/)
end
end
describe 'with git repo' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'puppet',
})
end
it 'should create the git repo' do
should contain_file(vardir).with({
:ensure => 'directory',
:owner => 'puppet',
})
should contain_git__repo('puppet_repo').with({
:bare => true,
:target => "#{vardir}/puppet.git",
:user => 'puppet',
:require => %r{File\[#{environments_dir}\]},
})
should contain_file("#{vardir}/puppet.git/hooks/post-receive").with({
:owner => 'puppet',
:mode => '0755',
:require => %r{Git::Repo\[puppet_repo\]},
:content => %r{BRANCH_MAP = \{[^a-zA-Z=>]\}},
})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
context 'with directory environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_directory_environments => true,
}"
end
it 'should configure puppet.conf' do
should_not contain_concat__fragment('puppet.conf+30-master').with_content(%r{^\s+config_version\s+=$})
should contain_concat__fragment('puppet.conf+15-main-master').
with_content(%r{^\s+environmentpath\s+= #{environments_dir}$})
end
end
context 'with config environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_directory_environments => false,
}"
end
it 'should configure puppet.conf' do
should contain_concat__fragment('puppet.conf+30-master').
with_content(%r{^\s+manifest\s+= #{environments_dir}/\$environment/manifests/site.pp\n\s+modulepath\s+= #{environments_dir}/\$environment/modules$}).
with_content(%r{^\s+config_version\s+= git --git-dir #{environments_dir}/\$environment/.git describe --all --long$})
end
end
end
describe 'with dynamic environments' do
context 'with directory environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => true,
server_environments_owner => 'apache',
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'apache',
})
end
it 'should configure puppet.conf' do
should contain_concat__fragment('puppet.conf+15-main-master').
with_content(%r{^\s+environmentpath\s+= #{environments_dir}\n\s+basemodulepath\s+= #{environments_dir}/common:#{codedir}/modules:#{sharedir}/modules$})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
end
context 'with no common modules directory' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => true,
server_environments_owner => 'apache',
server_common_modules_path => '',
}"
end
it 'should configure puppet.conf' do
should contain_concat__fragment('puppet.conf+15-main-master').
without_content(%r{^\s+basemodulepath})
end
end
context 'with config environments' do
let :pre_condition do
"class {'puppet':
server => true,
server_dynamic_environments => true,
server_directory_environments => false,
server_environments_owner => 'apache',
}"
end
it 'should set up the environments directory' do
should contain_file(environments_dir).with({
:ensure => 'directory',
:owner => 'apache',
})
end
it 'should configure puppet.conf' do
should contain_concat__fragment('puppet.conf+30-master').
with_content(%r{^\s+manifest\s+= #{environments_dir}/\$environment/manifests/site.pp\n\s+modulepath\s+= #{environments_dir}/\$environment/modules$})
end
it { should_not contain_puppet__server__env('development') }
it { should_not contain_puppet__server__env('production') }
end
end
describe 'with SSL path overrides' do
let :pre_condition do
"class {'puppet':
server => true,
server_foreman_ssl_ca => '/etc/example/ca.pem',
server_foreman_ssl_cert => '/etc/example/cert.pem',
server_foreman_ssl_key => '/etc/example/key.pem',
}"
end
it 'should pass SSL parameters to the ENC' do
should contain_class('foreman::puppetmaster').with({
:ssl_ca => '/etc/example/ca.pem',
:ssl_cert => '/etc/example/cert.pem',
:ssl_key => '/etc/example/key.pem',
})
end
end
describe 'with a PuppetDB host set' do
let :pre_condition do
"class {'puppet':
server => true,
server_puppetdb_host => 'mypuppetdb.example.com',
server_storeconfigs_backend => 'puppetdb',
}"
end
it 'should configure PuppetDB' do
should compile.with_all_deps
should contain_class('puppetdb::master::config').with({
:puppetdb_server => 'mypuppetdb.example.com',
:puppetdb_port => 8081,
:puppetdb_soft_write_failure => false,
:manage_storeconfigs => false,
:restart_puppet => false,
})
end
end
describe 'with a puppet git branch map' do
let :pre_condition do
"class {'puppet':
server => true,
server_git_repo => true,
server_git_branch_map => { 'a' => 'b', 'c' => 'd' }
}"
end
it 'should add the branch map to the post receive hook' do
should contain_file("#{vardir}/puppet.git/hooks/post-receive").
with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/)
end
end
describe 'with additional settings' do
let :pre_condition do
"class {'puppet':
server => true,
server_additional_settings => {stringify_facts => true},
}"
end
it 'should configure puppet.conf' do
should contain_concat__fragment('puppet.conf+30-master').
with_content(/^\s+stringify_facts\s+= true$/).
with({}) # So we can use a trailing dot on each with_content line
end
end
describe 'directory environments default' do
let :pre_condition do
"class {'puppet':
server => true,
}"
end
context 'on old Puppet', :if => (Puppet.version < '3.6.0') do
it 'should be disabled' do
should contain_concat__fragment('puppet.conf+30-master').
without_content(%r{^\s+environmentpath\s+=$})
end
end
context 'on Puppet 3.6.0+', :if => (Puppet.version >= '3.6.0') do
it 'should be enabled' do
should contain_concat__fragment('puppet.conf+15-main-master').
with_content(%r{^\s+environmentpath\s+= #{environments_dir}$})
end
end
end
describe 'with server_parser => future' do
let :pre_condition do
"class {'puppet':
server => true,
server_parser => 'future',
}"
end
it 'should configure future parser' do
should contain_concat__fragment('puppet.conf+30-master').
with_content(/^\s+parser\s+=\s+future$/)
end
end
describe 'with server_environment_timeout set' do
let :pre_condition do
"class {'puppet':
server => true,
server_environment_timeout => '10m',
}"
end
it 'should configure environment_timeout accordingly' do
should contain_concat__fragment('puppet.conf+30-master').
with_content(/^\s+environment_timeout\s+=\s+10m$/)
end
end
describe 'with no ssldir managed for master' do
let :pre_condition do
"class {'puppet': server => true, server_ssl_dir_manage => false}"
end
it 'should not contain ssl_dir configuration setting in the master section' do
should_not contain_concat__fragment('puppet.conf+30-master').
with_content(/^\s+ssl_dir\s+=\s+.*$/)
end
end
describe 'with nondefault CA settings' do
context 'with server_ca => false' do
let :pre_condition do
"class {'puppet':
server => true,
server_ca => false,
}"
end
it 'should create the ssl directory' do
should contain_exec('puppet_server_config-create_ssl_dir')
end
it 'should not generate CA certificates' do
should_not contain_exec('puppet_server_config-generate_ca_cert')
end
end
end
end
end
end
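Review bot: The regex `/foo.bar/` in the new `autosign_entries` examples has an unescaped dot and is unanchored, so it would also pass if the template mangled the entry or concatenated it with neighbouring text; `with_content(/^foo\.bar$/)` pins that the entry lands on its own line, which is what autosign.conf parsing requires. Likewise the negative example could assert `should contain_file("#{confdir}/autosign.conf").without_content(/./)` rather than two `should_not ... with_content` checks, so it fails if content is ever set unexpectedly. The description string `'with out content set'` reads as a typo for `'without content set'`.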
diff --git a/templates/server/autosign.conf.erb b/templates/server/autosign.conf.erb
new file mode 100644
index 0000000..b299689
--- /dev/null
+++ b/templates/server/autosign.conf.erb
@@ -0,0 +1,4 @@
+# Managed by Puppet
+<% scope.lookupvar("puppet::server::autosign_entries").each do |entry| -%>
+<%= entry %>
+<% end -%>
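Review bot: The template reads `puppet::server::autosign_entries` via `scope.lookupvar`, while the guard in `manifests/server/config.pp` that decides whether to render it tests `$puppet::autosign_entries`; unless `puppet::server` is guaranteed to receive the same value from `puppet`, the file can be rendered empty (or the lookup fail) even though the guard fired. Using the same variable in both places, e.g. `scope.lookupvar("puppet::autosign_entries")`, or adding a comment in the template stating which class parameter is authoritative, would remove that ambiguity. A header comment such as `# Each entry is a certname or glob accepted by the CA without review` would also help an operator reading the generated file understand its security effect.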
