diff --git a/.fixtures.yml b/.fixtures.yml
index 0082e02..1e3d6de 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,10 +1,19 @@
fixtures:
repositories:
apache: 'https://github.com/puppetlabs/puppetlabs-apache.git'
+ augeas_core:
+ repo: 'https://github.com/puppetlabs/puppetlabs-augeas_core'
+ puppet_version: '>= 6.0.0'
concat: 'https://github.com/puppetlabs/puppetlabs-concat.git'
+ cron_core:
+ repo: 'https://github.com/puppetlabs/puppetlabs-cron_core'
+ puppet_version: '>= 6.0.0'
extlib: 'https://github.com/voxpupuli/puppet-extlib.git'
foreman: 'https://github.com/theforeman/puppet-foreman.git'
git: 'https://github.com/theforeman/puppet-git.git'
inifile: 'https://github.com/puppetlabs/puppetlabs-inifile.git'
puppetdb: 'https://github.com/puppetlabs/puppetlabs-puppetdb.git'
stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
+ yumrepo_core:
+ repo: 'https://github.com/puppetlabs/puppetlabs-yumrepo_core'
+ puppet_version: '>= 6.0.0'
diff --git a/.sync.yml b/.sync.yml
index 14d582b..20efc90 100644
--- a/.sync.yml
+++ b/.sync.yml
@@ -1,25 +1,28 @@
---
.travis.yml:
beaker_sets:
- centos7-64
- centos6-64
- debian8-64
+ - debian9-64
env:
global:
- PARALLEL_TEST_PROCESSORS=8
- # Some upgrade tests rely on PC1 version numbers
- beaker_puppet_collection: pc1
+ beaker_puppet_collections:
+ - pc1
+ - puppet5
+ - puppet6
Rakefile:
param_docs_pattern:
- manifests/init.pp
spec/spec_helper.rb:
extra_code: |
aio = on_os_under_test.reject do |os, facts|
['FreeBSD', 'DragonFly', 'Windows'].include?(facts[:operatingsystem])
end.keys
add_custom_fact :rubysitedir, '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0', :confine => aio
def unsupported_puppetmaster_osfamily(osfamily)
['Archlinux', 'windows', 'Suse'].include?(osfamily)
end
diff --git a/.travis.yml b/.travis.yml
index 2fe7fb9..a8eb24e 100644
--- a/.travis.yml
+++ b/.travis.yml
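Review bot: The three new `repo:` entries (augeas_core, cron_core, yumrepo_core) carry no `ref:`, so each test run fetches whatever the upstream default branch holds at that moment; the existing one-line entries have the same property, but these are the first entries with a `puppet_version` condition and a natural place to start pinning. Pinning to a released tag, e.g. `ref: '<released-tag>'` (placeholder), keeps unit-test results reproducible and bounds what an upstream push can pull into CI. The new URLs also omit the `.git` suffix the other entries use — harmless for a clone, but worth aligning.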
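Review bot: The removed line `# Some upgrade tests rely on PC1 version numbers` was the only record of why pc1 stays in the collection list, and with three entries now the reason is less obvious. Suggest a comment above the new `beaker_puppet_collections:` key along the lines of `# pc1 is kept for the puppetserver 2.x upgrade scenarios, which only run with BEAKER_PUPPET_COLLECTION=pc1`. `beaker_sets` also keeps debian8-64 while debian9-64 is added; if debian8 is meant to stay pc1-only (as the generated .travis.yml in this diff suggests), a note here would save the next modulesync run a question.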
@@ -1,40 +1,78 @@
---
# This file is managed centrally by modulesync
# https://github.com/theforeman/foreman-installer-modulesync
rvm:
- 2.1.9
- 2.3.0
- 2.4.1
env:
matrix:
- PUPPET_VERSION=4.9
global:
- PARALLEL_TEST_PROCESSORS=8
matrix:
fast_finish: true
include:
- rvm: 2.4.1
env: PUPPET_VERSION=5.0
- rvm: 2.5.1
env: PUPPET_VERSION=5.0
+ - rvm: 2.5.1
+ env: PUPPET_VERSION=6.0
# Acceptance tests
- rvm: 2.5.1
dist: trusty
env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=pc1 BEAKER_debug=true BEAKER_setfile=centos7-64{hypervisor=docker\,hostname=centos7-64.example.com}
script: bundle exec rake beaker
services: docker
bundler_args: --without development
+ - rvm: 2.5.1
+ dist: trusty
+ env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=centos7-64{hypervisor=docker\,hostname=centos7-64.example.com}
+ script: bundle exec rake beaker
+ services: docker
+ bundler_args: --without development
+ - rvm: 2.5.1
+ dist: trusty
+ env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=centos7-64{hypervisor=docker\,hostname=centos7-64.example.com}
+ script: bundle exec rake beaker
+ services: docker
+ bundler_args: --without development
- rvm: 2.5.1
dist: trusty
env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=pc1 BEAKER_debug=true BEAKER_setfile=centos6-64{hypervisor=docker\,hostname=centos6-64.example.com}
script: bundle exec rake beaker
services: docker
bundler_args: --without development
+ - rvm: 2.5.1
+ dist: trusty
+ env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=centos6-64{hypervisor=docker\,hostname=centos6-64.example.com}
+ script: bundle exec rake beaker
+ services: docker
+ bundler_args: --without development
+ - rvm: 2.5.1
+ dist: trusty
+ env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=centos6-64{hypervisor=docker\,hostname=centos6-64.example.com}
+ script: bundle exec rake beaker
+ services: docker
+ bundler_args: --without development
- rvm: 2.5.1
dist: trusty
env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=pc1 BEAKER_debug=true BEAKER_setfile=debian8-64{hypervisor=docker\,hostname=debian8-64.example.com}
script: bundle exec rake beaker
services: docker
bundler_args: --without development
+ - rvm: 2.5.1
+ dist: trusty
+ env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_debug=true BEAKER_setfile=debian9-64{hypervisor=docker\,hostname=debian9-64.example.com}
+ script: bundle exec rake beaker
+ services: docker
+ bundler_args: --without development
+ - rvm: 2.5.1
+ dist: trusty
+ env: PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=debian9-64{hypervisor=docker\,hostname=debian9-64.example.com}
+ script: bundle exec rake beaker
+ services: docker
+ bundler_args: --without development
bundler_args: --without system_tests development
sudo: false
diff --git a/manifests/params.pp b/manifests/params.pp
index c5b4d2c..260d399 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
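Review bot: The added acceptance rows run puppet5 and puppet6 on both centos sets but on Debian only on debian9-64, leaving debian8-64 on pc1 alone; if that asymmetry is deliberate (newer collections not targeted at Debian 8 here), a comment under `# Acceptance tests` saying so would keep a later contributor from "completing" the matrix. Each new row repeats six lines that differ only in the collection and setfile; Travis does not expand `matrix.include` entries, so the duplication is acceptable, but the `env:` values are now well past any line-length limit and could be written as `>-` folded scalars that yield the same string. `BEAKER_debug=true` is copied into every new row as well; if it is only wanted for CI triage, say so in the same comment.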
@@ -1,485 +1,484 @@ # Default parameters class puppet::params { # Basic config $version = 'present' $manage_user = true $user = 'puppet' $group = 'puppet' $ip = '0.0.0.0' $port = 8140 $listen = false $listen_to = [] $pluginsync = true $splay = false $splaylimit = 1800 $runinterval = 1800 $runmode = 'service' $report = true # Not defined here as the commands depend on module parameter "dir" $cron_cmd = undef $systemd_cmd = undef $agent_noop = false $show_diff = false $module_repository = undef $hiera_config = '$confdir/hiera.yaml' $usecacheonfailure = true $ca_server = undef $ca_port = undef $ca_crl_filepath = undef $server_crl_enable = undef $prerun_command = undef $postrun_command = undef $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false if defined('$::domain') { $srv_domain = $::domain } else { $srv_domain = undef } # lint:ignore:puppet_url_without_modules $pluginsource = 'puppet:///plugins' $pluginfactsource = 'puppet:///pluginfacts' # lint:endignore $classfile = '$statedir/classes.txt' $syslogfacility = undef $environment = $::environment $aio_package = ($::osfamily == 'Windows' or $::rubysitedir =~ /\/opt\/puppetlabs\/puppet/) $deb_naio_package = ($::osfamily == 'Debian') $systemd_randomizeddelaysec = 0 case $::osfamily { 'Windows' : { # Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end $dir_prefix = 'C:/ProgramData/PuppetLabs/puppet' $dir = "${dir_prefix}/etc" $codedir = "${dir_prefix}/etc" $logdir = "${dir_prefix}/var/log" $rundir = "${dir_prefix}/var/run" $ssldir = "${dir_prefix}/etc/ssl" $vardir = "${dir_prefix}/var" $sharedir = "${dir_prefix}/share" $bindir = "${dir_prefix}/bin" $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } /^(FreeBSD|DragonFly)$/ : { $dir = '/usr/local/etc/puppet' $codedir = '/usr/local/etc/puppet' 
$logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/puppet/ssl' $vardir = '/var/puppet' $sharedir = '/usr/local/share/puppet' $bindir = '/usr/local/bin' $root_group = undef $server_puppetserver_dir = '/usr/local/etc/puppetserver' $server_puppetserver_vardir = '/var/puppet/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetserver' $server_puppetserver_logdir = '/var/log/puppetserver' $ruby_gem_dir = regsubst($::rubyversion, '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$::rubysitedir, "${ruby_gem_dir}/facter-${::facterversion}/lib"] $server_jruby_gem_home = '/var/puppet/server/data/puppetserver/jruby-gems' } 'Archlinux' : { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/usr/bin' $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } default : { if $aio_package { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/opt/puppetlabs/bin' $server_puppetserver_dir = '/etc/puppetlabs/puppetserver' $server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetlabs/puppetserver' $server_puppetserver_logdir = '/var/log/puppetlabs/puppetserver' $server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby'] $server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems' } else { $dir = '/etc/puppet' $codedir = $deb_naio_package ? 
{ true => '/etc/puppet/code', false => '/etc/puppet', } $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/lib/puppet/ssl' $vardir = '/var/lib/puppet' $sharedir = '/usr/share/puppet' $bindir = '/usr/bin' $server_puppetserver_dir = '/etc/puppetserver' $server_puppetserver_vardir = $vardir $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = '/var/lib/puppet/jruby-gems' } $root_group = undef } } $configtimeout = undef $autosign = "${dir}/autosign.conf" $autosign_entries = [] $autosign_mode = '0664' $autosign_content = undef $autosign_source = undef $puppet_cmd = "${bindir}/puppet" + $puppetserver_cmd = "${bindir}/puppetserver" $manage_packages = true if $::osfamily == 'Windows' { $dir_owner = undef $dir_group = undef } elsif $aio_package or $::osfamily == 'Suse' { $dir_owner = 'root' $dir_group = $root_group } else { $dir_owner = $user $dir_group = $group } $package_provider = $::osfamily ? { 'windows' => 'chocolatey', default => undef, } $package_source = undef # Need your own config templates? Specify here: $auth_template = 'puppet/auth.conf.erb' # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false # Authenticated nodes to allow $auth_allowed = ['$1'] # Will this host be a puppet agent ? $agent = true $remove_lock = true $client_certname = $::clientcert if defined('$::puppetmaster') { $puppetmaster = $::puppetmaster } else { $puppetmaster = undef } # Hashes containing additional settings $additional_settings = {} $agent_additional_settings = {} $server_additional_settings = {} # Will this host be a puppetmaster? 
$server = false $server_ca = true $server_ca_crl_sync = false $server_reports = 'foreman' $server_passenger = true $server_service_fallback = true $server_passenger_min_instances = abs($::processorcount) $server_passenger_pre_start = true $server_passenger_ruby = undef $server_httpd_service = 'httpd' $server_external_nodes = "${dir}/node.rb" $server_enc_api = 'v2' $server_report_api = 'v2' $server_request_timeout = 60 $server_ca_proxy = undef $server_certname = $::clientcert $server_strict_variables = false $server_rack_arguments = [] $server_http = false $server_http_port = 8139 $server_http_allow = [] # use puppetserver (JVM) or puppet master (Ruby)? $server_implementation = $aio_package ? { true => 'puppetserver', default => 'master', } # Need a new master template for the server? $server_template = 'puppet/server/puppet.conf.erb' # Template for server settings in [main] $server_main_template = 'puppet/server/puppet.conf.main.erb' # The script that is run to determine the reported manifest version. Undef # means we determine it in server.pp $server_config_version = undef # Set 'false' for static environments, or 'true' for git-based workflow $server_git_repo = false # Git branch to puppet env mapping for the post receive hook $server_git_branch_map = {} # Static environments config, ignore if the git_repo or dynamic_environments is 'true' # What environments do we have $server_environments = ['development', 'production'] # Dynamic environments config (deprecated when directory_environments is true) $server_dynamic_environments = false # Directory environments config $server_directory_environments = true # Owner of the environments dir: for cases external service needs write # access to manage it. 
$server_environments_owner = $user $server_environments_group = $root_group $server_environments_mode = '0755' # Where we store our puppet environments $server_envs_dir = "${codedir}/environments" $server_envs_target = undef # Modules in this directory would be shared across all environments $server_common_modules_path = unique(["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules']) # Dynamic environments config, ignore if the git_repo is 'false' # Path to the repository $server_git_repo_path = "${vardir}/puppet.git" # mode of the repository $server_git_repo_mode = '0755' # user of the repository $server_git_repo_user = $user # group of the repository $server_git_repo_group = $user # Override these if you need your own hooks $server_post_hook_content = 'puppet/server/post-receive.erb' $server_post_hook_name = 'post-receive' $server_custom_trusted_oid_mapping = undef # PuppetDB config $server_puppetdb_host = undef $server_puppetdb_port = 8081 $server_puppetdb_swf = false # Do you use storeconfigs? (note: not required) # - undef if you don't # - active_record for 2.X style db # - puppetdb for puppetdb $server_storeconfigs_backend = undef # Passenger config $server_app_root = "${dir}/rack" $server_ssl_dir = $ssldir $server_package = undef $server_version = undef if $aio_package { $client_package = ['puppet-agent'] } elsif $::osfamily == 'Debian' { $client_package = $deb_naio_package ? 
{ true => ['puppet'], default => ['puppet-common', 'puppet'] } } elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) { if (versioncmp($::puppetversion, '5.0') > 0) { $client_package = ['puppet5'] } else { $client_package = ['puppet4'] } } else { $client_package = ['puppet'] } - $puppetca_cmd = "${puppet_cmd} cert" - # Puppet service name $service_name = 'puppet' # Puppet onedshot systemd service and timer name $systemd_unit_name = 'puppet-run' # Mechanisms to manage and reload/restart the agent # If supported on the OS, reloading is prefered since it does not kill a currently active puppet run case $::osfamily { 'Debian' : { $agent_restart_command = "/usr/sbin/service ${service_name} reload" if ($::operatingsystem == 'Debian' or $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '15.04') >= 0) { $unavailable_runmodes = [] } else { $unavailable_runmodes = ['systemd.timer'] } } 'Redhat' : { # PSBM is a CentOS 6 based distribution # it reports its $osreleasemajor as 2, not 6. # thats why we're matching for '2' in both parts # Amazon Linux is like RHEL6 but reports its osreleasemajor as 2017. $osreleasemajor = regsubst($::operatingsystemrelease, '^(\d+)\..*$', '\1') # workaround for the possibly missing operatingsystemmajrelease $agent_restart_command = $osreleasemajor ? { /^(2|5|6|2017)$/ => "/sbin/service ${service_name} reload", '7' => "/usr/bin/systemctl reload-or-restart ${service_name}", default => undef, } $unavailable_runmodes = $osreleasemajor ? 
{ /^(2|5|6|2017)$/ => ['systemd.timer'], default => [], } } 'Windows': { $agent_restart_command = undef $unavailable_runmodes = ['cron', 'systemd.timer'] } 'Archlinux': { $agent_restart_command = "/usr/bin/systemctl reload-or-restart ${service_name}" $unavailable_runmodes = ['cron'] } default : { $agent_restart_command = undef $unavailable_runmodes = ['systemd.timer'] } } # Foreman parameters $lower_fqdn = downcase($::fqdn) $server_foreman = true $server_foreman_facts = true $server_puppet_basedir = $aio_package ? { true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet', false => undef, } $server_foreman_url = "https://${lower_fqdn}" $server_foreman_ssl_ca = undef $server_foreman_ssl_cert = undef $server_foreman_ssl_key = undef # Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser $server_parser = 'current' # Timeout for cached environments, changed in puppet 3.7.x $server_environment_timeout = undef # puppet server configuration file $server_jvm_config = $::osfamily ? { 'RedHat' => '/etc/sysconfig/puppetserver', 'Debian' => '/etc/default/puppetserver', default => '/etc/default/puppetserver', } $server_jvm_java_bin = '/usr/bin/java' if versioncmp($::puppetversion, '5.0.0') < 0 { $server_jvm_extra_args = '-XX:MaxPermSize=256m' } else { $server_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } $server_jvm_cli_args = undef # This is some very trivial "tuning". 
See the puppet reference: # https://docs.puppet.com/puppetserver/latest/tuning_guide.html if ($::memorysize_mb =~ String) { $mem_in_mb = scanf($::memorysize_mb, '%i')[0] } else { $mem_in_mb = 0 + $::memorysize_mb } if $mem_in_mb >= 3072 { $server_jvm_min_heap_size = '2G' $server_jvm_max_heap_size = '2G' $server_max_active_instances = min(abs($::processorcount), 4) } elsif $mem_in_mb >= 1024 { $server_max_active_instances = 1 $server_jvm_min_heap_size = '1G' $server_jvm_max_heap_size = '1G' } else { # VMs with 1GB RAM and a crash kernel enabled usually have an effective 992MB RAM $server_max_active_instances = 1 $server_jvm_min_heap_size = '768m' $server_jvm_max_heap_size = '768m' } $server_ssl_dir_manage = true $server_ssl_key_manage = true $server_default_manifest = false $server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp' $server_default_manifest_content = '' # lint:ignore:empty_string_assignment $server_max_requests_per_instance = 0 $server_max_queued_requests = 0 $server_max_retry_delay = 1800 $server_idle_timeout = 1200000 $server_web_idle_timeout = 30000 $server_connect_timeout = 120000 $server_ca_auth_required = true $server_admin_api_whitelist = [ 'localhost', $lower_fqdn ] $server_ca_client_whitelist = [ 'localhost', $lower_fqdn ] $server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA' ] $server_ssl_protocols = [ 'TLSv1.2' ] $server_ssl_chain_filepath = "${server_ssl_dir}/ca/ca_crt.pem" $server_check_for_updates = true $server_environment_class_cache_enabled = false $server_allow_header_cert_info = false $server_ca_allow_sans = false $server_ca_allow_auth_extensions = false # Puppetserver >= 2.2 Which auth.conf shall we use? $server_use_legacy_auth_conf = false # For Puppetserver, certain configuration parameters are version specific. We assume a particular version here. 
if versioncmp($::puppetversion, '5.5.7') >= 0 { $server_puppetserver_version = '5.3.6' } elsif versioncmp($::puppetversion, '5.5.0') >= 0 { $server_puppetserver_version = '5.3.0' } elsif versioncmp($::puppetversion, '5.1.0') >= 0 { $server_puppetserver_version = '5.1.0' } elsif versioncmp($::puppetversion, '5.0.0') >= 0 { $server_puppetserver_version = '5.0.0' } else { $server_puppetserver_version = '2.7.0' } # For Puppetserver 5, use JRuby 9k? $server_puppetserver_jruby9k = false # this switch also controls Ruby profiling, by default disabled for Puppetserver 2.x, enabled for 5.x $server_puppetserver_metrics = versioncmp($::puppetversion, '5.0.0') >= 0 # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false $server_metrics_graphite_host = '127.0.0.1' $server_metrics_graphite_port = 2003 $server_metrics_server_id = $lower_fqdn $server_metrics_graphite_interval = 5 $server_metrics_allowed = undef # For Puppetserver 5, should the /puppet/experimental route be enabled? $server_puppetserver_experimental = true # Normally agents can only fetch their own catalogs. If you want some nodes to be able to fetch *any* catalog, add them here. $server_puppetserver_trusted_agents = [] } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index bb62d29..fa17691 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
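Review bot: Removing `$puppetca_cmd` from puppet::params is an interface change for anything outside this diff that still reads `$::puppet::puppetca_cmd` or `$puppet::params::puppetca_cmd` — an init.pp parameter default, a template, or a downstream profile; only the server/config.pp use is replaced in this commit and init.pp is not shown, so please confirm no reference remains or keep the variable for one release with a deprecation comment. The added `$puppetserver_cmd = "${bindir}/puppetserver"` is right for the AIO layout (`$bindir = '/opt/puppetlabs/bin'`), but on the FreeBSD, Archlinux and non-AIO branches `$bindir` is `/usr/local/bin` or `/usr/bin`, where a puppetserver binary is not guaranteed; a short comment such as `# puppetserver lives in the AIO bindir; other layouts are untested` would make that assumption visible next to the value.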
@@ -1,327 +1,333 @@ # Set up the puppet server config class puppet::server::config inherits puppet::config { if $::puppet::server::passenger and $::puppet::server::implementation == 'master' { contain 'puppet::server::passenger' } if $::puppet::server::implementation == 'puppetserver' { contain 'puppet::server::puppetserver' unless empty($::puppet::server::puppetserver_vardir) { puppet::config::master { 'vardir': value => $::puppet::server::puppetserver_vardir; } } unless empty($::puppet::server::puppetserver_rundir) { puppet::config::master { 'rundir': value => $::puppet::server::puppetserver_rundir; } } unless empty($::puppet::server::puppetserver_logdir) { puppet::config::master { 'logdir': value => $::puppet::server::puppetserver_logdir; } } } # Mirror the relationship, as defined() is parse-order dependent # Ensures puppetmasters certs are generated before the proxy is needed if defined(Class['foreman_proxy::config']) and $foreman_proxy::ssl { Class['puppet::server::config'] ~> Class['foreman_proxy::config'] Class['puppet::server::config'] ~> Class['foreman_proxy::service'] } # And before Foreman's cert-using service needs it if defined(Class['foreman::service']) and $foreman::ssl { Class['puppet::server::config'] -> Class['foreman::service'] } ## General configuration $ca_server = $::puppet::ca_server $ca_port = $::puppet::ca_port $server_storeconfigs_backend = $::puppet::server::storeconfigs_backend $server_external_nodes = $::puppet::server::external_nodes $server_environment_timeout = $::puppet::server::environment_timeout if $server_external_nodes and $server_external_nodes != '' { class{ '::puppet::server::enc': enc_path => $server_external_nodes, } } $autosign = ($::puppet::server::autosign =~ Boolean)? 
{ true => $::puppet::server::autosign, false => "${::puppet::server::autosign} { mode = ${::puppet::server::autosign_mode} }" } puppet::config::main { 'reports': value => $::puppet::server::reports; } if $::puppet::server::hiera_config and !empty($::puppet::server::hiera_config){ puppet::config::main { 'hiera_config': value => $::puppet::server::hiera_config; } } if $puppet::server::directory_environments { puppet::config::main { 'environmentpath': value => $puppet::server::envs_dir; } } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { puppet::config::main { 'basemodulepath': value => $puppet::server::common_modules_path, joiner => ':'; } } if $puppet::server::default_manifest { puppet::config::main { 'default_manifest': value => $puppet::server::default_manifest_path; } } puppet::config::master { 'autosign': value => $autosign; 'ca': value => $::puppet::server::ca; 'certname': value => $::puppet::server::certname; 'parser': value => $::puppet::server::parser; 'strict_variables': value => $::puppet::server::strict_variables; } if $::puppet::server::ssl_dir_manage { puppet::config::master { 'ssldir': value => $::puppet::server::ssl_dir; } } if $server_environment_timeout { puppet::config::master { 'environment_timeout': value => $server_environment_timeout; } } if $server_storeconfigs_backend { puppet::config::master { 'storeconfigs': value => true; 'storeconfigs_backend': value => $server_storeconfigs_backend; } } if !$::puppet::server::directory_environments and ($::puppet::server::git_repo or $::puppet::server::dynamic_environments) { puppet::config::master { 'manifest': value => "${::puppet::server::envs_dir}/\$environment/manifests/site.pp"; 'modulepath': value => "${::puppet::server::envs_dir}/\$environment/modules"; } if $::puppet::server::config_version_cmd { puppet::config::master { 'config_version': value => $::puppet::server::config_version_cmd; } } } $::puppet::server_additional_settings.each |$key,$value| { 
puppet::config::master { $key: value => $value } } file { "${puppet::vardir}/reports": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', } if '/usr/share/puppet/modules' in $puppet::server::common_modules_path { # Create Foreman share dir which does not depend on Puppet version exec { 'mkdir -p /usr/share/puppet/modules': creates => '/usr/share/puppet/modules', path => ['/usr/bin', '/bin'], } } ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${::puppet::server::ssl_dir}/private_keys": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', require => Exec['puppet_server_config-create_ssl_dir'], } if $puppet::server::ssl_key_manage { file { "${::puppet::server::ssl_dir}/private_keys/${::puppet::server::certname}.pem": owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0640', } } if $puppet::server::custom_trusted_oid_mapping { $_custom_trusted_oid_mapping = { oid_mapping => $puppet::server::custom_trusted_oid_mapping, } file { "${::puppet::dir}/custom_trusted_oid_mapping.yaml": ensure => file, owner => 'root', group => $::puppet::params::root_group, mode => '0644', content => to_yaml($_custom_trusted_oid_mapping), } } # If the ssl dir is not the default dir, it needs to be created before running # the generate ca cert or it will fail. 
exec {'puppet_server_config-create_ssl_dir': creates => $::puppet::server::ssl_dir, command => "/bin/mkdir -p ${::puppet::server::ssl_dir}", umask => '0022', } # Generate a new CA and host cert if our host cert doesn't exist if $::puppet::server::ca { + if versioncmp($::puppetversion, '6.0') > 0 { + $command = "${::puppet::puppetserver_cmd} ca setup" + } else { + $command = "${::puppet::puppet_cmd} cert --generate ${::puppet::server::certname} --allow-dns-alt-names" + } + exec {'puppet_server_config-generate_ca_cert': creates => $::puppet::server::ssl_cert, - command => "${::puppet::puppetca_cmd} --generate ${::puppet::server::certname} --allow-dns-alt-names", + command => $command, umask => '0022', require => [ Concat["${::puppet::server::dir}/puppet.conf"], Exec['puppet_server_config-create_ssl_dir'], ], } } elsif $::puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca master if defined('$::servername') { file { $::puppet::server::ssl_ca_crl: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0644', content => file($::settings::cacrl, $::settings::hostcrl, '/dev/null'), } } } if $::puppet::server::passenger and $::puppet::server::implementation == 'master' and $::puppet::server::ca { Exec['puppet_server_config-generate_ca_cert'] ~> Service[$::puppet::server::httpd_service] } # autosign file if $::puppet::server_ca and !($puppet::server::autosign =~ Boolean) { if $::puppet::server::autosign_content or $::puppet::server::autosign_source { if !empty($::puppet::server::autosign_entries) { fail('Cannot set both autosign_content/autosign_source and autosign_entries') } $autosign_content = $::puppet::server::autosign_content } elsif !empty($::puppet::server::autosign_entries) { $autosign_content = template('puppet/server/autosign.conf.erb') } else { $autosign_content = undef } file { $::puppet::server::autosign: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => 
$::puppet::server::autosign_mode, content => $autosign_content, source => $::puppet::server::autosign_source, } } # only manage this file if we provide content if $::puppet::server::default_manifest and $::puppet::server::default_manifest_content != '' { file { $::puppet::server::default_manifest_path: ensure => file, owner => $puppet::user, group => $puppet::group, mode => '0644', content => $::puppet::server::default_manifest_content, } } ## Environments # location where our puppet environments are located if $::puppet::server::envs_target and $::puppet::server::envs_target != '' { $ensure = 'link' } else { $ensure = 'directory' } file { $::puppet::server::envs_dir: ensure => $ensure, owner => $::puppet::server::environments_owner, group => $::puppet::server::environments_group, mode => $::puppet::server::environments_mode, target => $::puppet::server::envs_target, force => true, } if $::puppet::server::git_repo { # need to chown the $vardir before puppet does it, or else # we can't write puppet.git/ on the first run include ::git git::repo { 'puppet_repo': bare => true, target => $::puppet::server::git_repo_path, mode => $::puppet::server::git_repo_mode, user => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, require => File[$::puppet::server::envs_dir], } $git_branch_map = $::puppet::server::git_branch_map # git post hook to auto generate an environment per branch file { "${::puppet::server::git_repo_path}/hooks/${::puppet::server::post_hook_name}": content => template($::puppet::server::post_hook_content), owner => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, mode => $::puppet::server::git_repo_mode, require => Git::Repo['puppet_repo'], } } elsif ! 
$::puppet::server::dynamic_environments { file { $puppet::sharedir: ensure => directory, } if $::puppet::server::common_modules_path and $::puppet::server::common_modules_path != '' { file { $::puppet::server::common_modules_path: ensure => directory, owner => $::puppet::server_environments_owner, group => $::puppet::server_environments_group, mode => $::puppet::server_environments_mode, } } # setup empty directories for our environments puppet::server::env {$::puppet::server::environments: } } ## Foreman if $::puppet::server::foreman { # Include foreman components for the puppetmaster # ENC script, reporting script etc. class { 'foreman::puppetmaster': foreman_url => $::puppet::server::foreman_url, receive_facts => $::puppet::server::server_foreman_facts, puppet_home => $::puppet::server::puppetserver_vardir, puppet_basedir => $::puppet::server::puppet_basedir, puppet_etcdir => $puppet::dir, enc_api => $::puppet::server::enc_api, report_api => $::puppet::server::report_api, timeout => $::puppet::server::request_timeout, ssl_ca => pick($::puppet::server::foreman_ssl_ca, $::puppet::server::ssl_ca_cert), ssl_cert => pick($::puppet::server::foreman_ssl_cert, $::puppet::server::ssl_cert), ssl_key => pick($::puppet::server::foreman_ssl_key, $::puppet::server::ssl_cert_key), } contain foreman::puppetmaster } ## PuppetDB if $::puppet::server::puppetdb_host { class { '::puppetdb::master::config': puppetdb_server => $::puppet::server::puppetdb_host, puppetdb_port => $::puppet::server::puppetdb_port, puppetdb_soft_write_failure => $::puppet::server::puppetdb_swf, manage_storeconfigs => false, restart_puppet => false, } Class['puppetdb::master::puppetdb_conf'] ~> Class['puppet::server::service'] } } diff --git a/spec/acceptance/puppetserver_upgrade_2_6_0_to_2_7_2_spec.rb b/spec/acceptance/puppetserver_upgrade_2_6_0_to_2_7_2_spec.rb index ca42b7b..632f191 100644 --- a/spec/acceptance/puppetserver_upgrade_2_6_0_to_2_7_2_spec.rb 
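Review bot: The new `puppetserver ca setup` branch adds no ordering against the puppetserver package or its configuration: `Exec['puppet_server_config-generate_ca_cert']` still requires only `Concat["${::puppet::server::dir}/puppet.conf"]` and the ssl-dir exec, while `ca setup` needs the puppetserver binary installed and reads the puppetserver settings that `puppet::server::puppetserver` (contained at the top of this class) manages, so unless an edge exists outside this diff the first run can reach the exec before those resources are applied. The gate `versioncmp($::puppetversion, '6.0') > 0` keys on the agent's version and reads as excluding a bare 6.0; `if versioncmp($::puppetversion, '6.0.0') >= 0 {` matches the other version checks in params.pp and says what is meant. The replaced command passed the server certname and `--allow-dns-alt-names` explicitly, whereas `ca setup` takes them from puppet.conf unless given `--certname` / `--subject-alt-names`; this class writes `certname` to the master section, but whether `dns_alt_names` reaches the file is not visible here, so a node with alt names is worth one acceptance run. A comment above the branch, e.g. `# 'puppet cert' was removed in Puppet 6; bootstrap the CA with puppetserver's own CLI`, would document why the two commands exist.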
+++ b/spec/acceptance/puppetserver_upgrade_2_6_0_to_2_7_2_spec.rb 
@@ -1,90 +1,90 @@ require 'spec_helper_acceptance' -describe 'Scenario: 2.6.0 to 2.7.2 upgrade:' do +describe 'Scenario: 2.6.0 to 2.7.2 upgrade:', if: ENV['BEAKER_PUPPET_COLLECTION'] == 'pc1' do before(:context) do if check_for_package(default, 'puppetserver') on default, puppet('resource package puppetserver ensure=purged') on default, 'rm -rf /etc/sysconfig/puppetserver /etc/puppetlabs/puppetserver' on default, 'find /etc/puppetlabs/puppet/ssl/ -type f -delete' end # puppetserver won't start with lower than 2GB memory memoryfree_mb = fact('memoryfree_mb').to_i raise 'At least 2048MB free memory required' if memoryfree_mb < 256 end case fact('osfamily') when 'Debian' from_version = '2.6.0-1puppetlabs1' to_version = '2.7.2-1puppetlabs1' else from_version = '2.6.0' to_version = '2.7.2' end context 'install 2.6.0' do let(:pp) do <<-EOS class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', server_version => '#{from_version}', # only for install test - don't think to use this in production! # https://docs.puppet.com/puppetserver/latest/tuning_guide.html server_jvm_max_heap_size => '256m', server_jvm_min_heap_size => '256m', } EOS end it_behaves_like 'a idempotent resource' describe command('puppetserver --version') do its(:stdout) { is_expected.to match("puppetserver version: 2.6.0\n") } end describe service('puppetserver') do it { is_expected.to be_enabled } it { is_expected.to be_running } end describe port('8140') do it { is_expected.to be_listening } end end context 'upgrade to 2.7.2' do let(:pp) do <<-EOS class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', server_version => '#{to_version}', # only for install test - don't think to use this in production! 
# https://docs.puppet.com/puppetserver/latest/tuning_guide.html server_jvm_max_heap_size => '256m', server_jvm_min_heap_size => '256m', } EOS end it_behaves_like 'a idempotent resource' describe command('puppetserver --version') do its(:stdout) { is_expected.to match("puppetserver version: 2.7.2\n") } end describe service('puppetserver') do it { is_expected.to be_enabled } it { is_expected.to be_running } end describe port('8140') do it { is_expected.to be_listening } end end end diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb index 75185c1..c38be05 100644 --- a/spec/classes/puppet_server_spec.rb +++ b/spec/classes/puppet_server_spec.rb 
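Review bot: The new `if: ENV['BEAKER_PUPPET_COLLECTION'] == 'pc1'` guard on the describe silently drops the whole upgrade scenario whenever BEAKER_PUPPET_COLLECTION is unset or is anything other than `pc1`, with no skip reason recorded, so a local run without that variable reports green and never exercises the 2.6.0 install or the upgrade at all; presumably the gate exists because puppetserver 2.x packages are only published in the PC1 collection, but nothing in the hunk says so. I would put a comment above the describe, `# puppetserver 2.6.0/2.7.2 packages only exist in the PC1 collection; skipped for the puppet5/puppet6 jobs (BEAKER_PUPPET_COLLECTION)`, so the next reader knows why this scenario disappears from those matrix entries. While here, the memory precondition in before(:context) disagrees with itself: the message says `At least 2048MB free memory required` but the check is `memoryfree_mb < 256`, so either the threshold or the message should change to reflect the real requirement.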
@@ -1,752 +1,760 @@ require 'spec_helper' describe 'puppet' do on_os_under_test.each do |os, facts| context "on #{os}", unless: unsupported_puppetmaster_osfamily(facts[:osfamily]) do if facts[:osfamily] == 'FreeBSD' codedir = '/usr/local/etc/puppet' conf_d_dir = '/usr/local/etc/puppetserver/conf.d' conf_file = '/usr/local/etc/puppet/puppet.conf' confdir = '/usr/local/etc/puppet' environments_dir = '/usr/local/etc/puppet/environments' etcdir = '/usr/local/etc/puppet' - puppetcacmd = '/usr/local/bin/puppet cert' + if facts[:puppetversion] >= '6.0' + puppetcacmd = '/usr/local/bin/puppetserver ca setup' + else + puppetcacmd = '/usr/local/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names' + end puppetserver_logdir = '/var/log/puppetserver' puppetserver_rundir = '/var/run/puppetserver' puppetserver_vardir = '/var/puppet/server/data/puppetserver' sharedir = '/usr/local/share/puppet' ssldir = '/var/puppet/ssl' vardir = '/var/puppet' else codedir = '/etc/puppetlabs/code' conf_d_dir = '/etc/puppetlabs/puppetserver/conf.d' conf_file = '/etc/puppetlabs/puppet/puppet.conf' confdir = '/etc/puppetlabs/puppet' environments_dir = '/etc/puppetlabs/code/environments' etcdir = '/etc/puppetlabs/puppet' - puppetcacmd = '/opt/puppetlabs/bin/puppet cert' + if facts[:puppetversion] >= '6.0' + puppetcacmd = '/opt/puppetlabs/bin/puppetserver ca setup' + else + puppetcacmd = '/opt/puppetlabs/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names' + end puppetserver_logdir = '/var/log/puppetlabs/puppetserver' puppetserver_rundir = '/var/run/puppetlabs/puppetserver' puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' sharedir = '/opt/puppetlabs/puppet' ssldir = '/etc/puppetlabs/puppet/ssl' vardir = '/opt/puppetlabs/puppet/cache' end let(:facts) { facts } let(:params) do { server: true, server_certname: 'puppetmaster.example.com' } end describe 'with no custom parameters' do it { should compile.with_all_deps } # install it { should 
contain_class('puppet::server::install') } it { should contain_user('puppet') } it { should contain_package('puppetserver') } # config it { should contain_class('puppet::server::config') } it { should contain_puppet__config__main('reports').with_value('foreman') } it { should contain_puppet__config__main('hiera_config').with_value('$confdir/hiera.yaml') } it { should contain_puppet__config__main('environmentpath').with_value("#{codedir}/environments") } it do should contain_puppet__config__main('basemodulepath') .with_value(["#{codedir}/environments/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) .with_joiner(':') end it { should_not contain_puppet__config__main('default_manifest') } it { should contain_puppet__config__master('autosign').with_value("#{etcdir}\/autosign.conf \{ mode = 0664 \}") } it { should contain_puppet__config__master('ca').with_value('true') } it { should contain_puppet__config__master('certname').with_value('puppetmaster.example.com') } it { should contain_puppet__config__master('parser').with_value('current') } it { should contain_puppet__config__master('strict_variables').with_value('false') } it { should contain_puppet__config__master('ssldir').with_value(ssldir) } it { should_not contain_puppet__config__master('environment_timeout') } it { should_not contain_puppet__config__master('storeconfigs') } it { should_not contain_puppet__config__master('storeconfigs_backend') } it { should_not contain_puppet__config__master('manifest') } it { should_not contain_puppet__config__master('modulepath') } it { should_not contain_puppet__config__master('config_version') } it { should contain_puppet__config__master('external_nodes').with_value("#{etcdir}\/node.rb") } it { should contain_puppet__config__master('node_terminus').with_value('exec') } it { should contain_puppet__config__master('logdir').with_value(puppetserver_logdir) } it { should contain_puppet__config__master('rundir').with_value(puppetserver_rundir) } it 
{ should contain_puppet__config__master('vardir').with_value(puppetserver_vardir) } it 'should set up SSL permissions' do should contain_file("#{ssldir}/private_keys") \ .with_group('puppet') \ .with_mode('0750') should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem") \ .with_group('puppet') \ .with_mode('0640') should contain_exec('puppet_server_config-create_ssl_dir') \ .with_creates(ssldir) \ .with_command("/bin/mkdir -p #{ssldir}") \ .with_umask('0022') should contain_exec('puppet_server_config-generate_ca_cert') \ .with_creates("#{ssldir}/certs/puppetmaster.example.com.pem") \ - .with_command("#{puppetcacmd} --generate puppetmaster.example.com --allow-dns-alt-names") \ + .with_command(puppetcacmd) \ .with_umask('0022') \ .that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) end it { should contain_puppet__config__main('environmentpath').with_value(environments_dir) } it { should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') } it 'should set up the environments' do should contain_file(environments_dir) .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_file(sharedir).with_ensure('directory') should contain_file("#{codedir}/environments/common") .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_file("#{sharedir}/modules") .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_puppet__server__env('development') should contain_puppet__server__env('production') end it { should contain_concat(conf_file) } it { should_not contain_puppet__config__agent('configtimeout') } it { should_not contain_class('puppetdb') } it { should_not contain_class('puppetdb::master::config') } it { should_not contain_file("#{confdir}/custom_trusted_oid_mapping.yaml") } it { should contain_file("#{confdir}/autosign.conf") } it { should_not 
contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) } it { should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) } it 'should set up the ENC' do should contain_class('foreman::puppetmaster') .with_foreman_url('https://foo.example.com') .with_receive_facts(true) .with_puppet_home(puppetserver_vardir) .with_puppet_etcdir(etcdir) .with_timeout(60) .with_puppet_basedir('/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet') end # service it { should contain_class('puppet::server::service') } it { should contain_class('puppet::server::puppetserver') } end describe 'with uppercase hostname' do let(:facts) do super().merge( fqdn: 'PUPPETMASTER.example.com', # clientcert is always lowercase by Puppet design clientcert: 'puppetmaster.example.com' ) end it { should compile.with_all_deps } it 'should use lowercase certificates' do should contain_class('puppet::server::puppetserver') .with_server_ssl_cert("#{ssldir}/certs/puppetmaster.example.com.pem") .with_server_ssl_cert_key("#{ssldir}/private_keys/puppetmaster.example.com.pem") end end describe 'with ip parameter' do let(:params) do super().merge(server_ip: '127.0.0.1') end it { should compile.with_all_deps } it { should contain_class('puppet::server').with_ip('127.0.0.1') } it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/host: 127.0.0.1/) } it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-host: 127.0.0.1/) } end context 'manage_packages' do tests = { false => false, 'agent' => false, 'server' => true } tests.each do |value, expected| describe "when manage_packages => #{value.inspect}" do let(:params) do super().merge(manage_packages: value) end it { should compile.with_all_deps } if expected it { should contain_package('puppetserver') } else it { should_not contain_package('puppetserver') } end end end end describe 'when autosign => true' do let(:params) do super().merge(autosign: true) end it { should 
contain_puppet__config__master('autosign').with_value(true) } end describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do let(:params) do super().merge( autosign: '/somedir/custom_autosign', autosign_mode: '664' ) end it { should contain_puppet__config__master('autosign').with_value('/somedir/custom_autosign { mode = 664 }') } end describe "when autosign_entries set to ['foo.bar']" do let(:params) do super().merge(autosign_entries: ['foo.bar']) end it 'should contain autosign.conf with content set' do should contain_file("#{confdir}/autosign.conf") should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do let(:params) do super().merge( autosign_content: 'foo.bar', autosign_entries: ['foo.bar'] ) end it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content/autosign_source and autosign_entries}) } end describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do let(:params) do super().merge( autosign_source: 'puppet:///foo/bar', autosign_entries: ['foo.bar'] ) end it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content\/autosign_source and autosign_entries}) } end context 'when autosign => /usr/local/bin/custom_autosign.sh, autosign_mode => 775' do let(:params) do super().merge( autosign: '/usr/local/bin/custom_autosign.sh', autosign_mode: '775' ) end describe "when autosign_content set to 'foo.bar'" do let(:params) do super().merge(autosign_content: 'foo.bar') end it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } it { should contain_file('/usr/local/bin/custom_autosign.sh').with_content('foo.bar') } end describe "autosign_source set to 'puppet:///foo/bar'" do let(:params) do 
super().merge(autosign_source: 'puppet:///foo/bar') end it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } it { should contain_file('/usr/local/bin/custom_autosign.sh').with_source('puppet:///foo/bar') } end end describe "when hiera_config => '/etc/puppet/hiera/production/hiera.yaml'" do let(:params) do super().merge(hiera_config: '/etc/puppet/hiera/production/hiera.yaml') end it { should contain_puppet__config__main('hiera_config').with_value('/etc/puppet/hiera/production/hiera.yaml') } end describe 'without foreman' do let(:params) do super().merge( server_foreman: false, server_reports: 'store', server_external_nodes: '' ) end it { should_not contain_class('foreman::puppetmaster') } it { should_not contain_puppet__config__master('node_terminus') } it { should_not contain_puppet__config__master('external_nodes') } end describe 'with server_default_manifest => true and undef content' do let(:params) do super().merge(server_default_manifest: true) end it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } it { should_not contain_file('/etc/puppet/manifests/default_manifest.pp') } end describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do let(:params) do super().merge( server_default_manifest: true, server_default_manifest_content: 'include foo' ) end it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } it { should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content('include foo') } end describe 'with git repo' do let(:params) do super().merge(server_git_repo: true) end it do should contain_class('puppet::server') .with_git_repo(true) .with_git_repo_path("#{vardir}/puppet.git") .with_post_hook_name('post-receive') end it 'should set up the environments directory' do should contain_file(environments_dir) 
\ .with_ensure('directory') \ .with_owner('puppet') end it 'should create the puppet user' do shell = case facts[:osfamily] when /^(FreeBSD|DragonFly)$/ '/usr/local/bin/git-shell' else '/usr/bin/git-shell' end should contain_user('puppet') .with_shell(shell) .that_requires('Class[git]') end it do should contain_file(vardir) .with_ensure('directory') .with_owner('puppet') end it do should contain_git__repo('puppet_repo') .with_bare(true) .with_target("#{vardir}/puppet.git") .with_user('puppet') .that_requires("File[#{environments_dir}]") end it do should contain_file("#{vardir}/puppet.git/hooks/post-receive") .with_owner('puppet') \ .with_mode('0755') \ .that_requires('Git::Repo[puppet_repo]') \ .with_content(/BRANCH_MAP = \{[^a-zA-Z=>]\}/) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } describe 'with a puppet git branch map' do let(:params) do super().merge(server_git_branch_map: { 'a' => 'b', 'c' => 'd' }) end it 'should add the branch map to the post receive hook' do should contain_file("#{vardir}/puppet.git/hooks/post-receive") .with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) end end context 'with directory environments' do let(:params) do super().merge(server_directory_environments: true) end it 'should configure puppet.conf' do should_not contain_puppet__config__master('config_version') should contain_puppet__config__main('environmentpath').with_value(environments_dir) end end context 'with config environments' do let(:params) do super().merge(server_directory_environments: false) end it 'should configure puppet.conf' do should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") should contain_puppet__config__master('config_version').with_value("git --git-dir #{environments_dir}/\$environment/.git describe 
--all --long") end end end describe 'with dynamic environments' do let(:params) do super().merge(server_dynamic_environments: true) end context 'with directory environments' do let(:params) do super().merge( server_directory_environments: true, server_environments_owner: 'apache' ) end it 'should set up the environments directory' do should contain_file(environments_dir) \ .with_ensure('directory') \ .with_owner('apache') end it 'should configure puppet.conf' do should contain_puppet__config__main('environmentpath').with_value(environments_dir) should contain_puppet__config__main('basemodulepath').with_value(["#{environments_dir}/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } end context 'with no common modules directory' do let(:params) do super().merge( server_directory_environments: true, server_environments_owner: 'apache', server_common_modules_path: '' ) end it { should_not contain_puppet__config__main('basemodulepath') } end context 'with config environments' do let(:params) do super().merge( server_directory_environments: false, server_environments_owner: 'apache' ) end it 'should set up the environments directory' do should contain_file(environments_dir) \ .with_ensure('directory') \ .with_owner('apache') end it 'should configure puppet.conf' do should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } end end describe 'with SSL path overrides' do let(:params) do super().merge( server_foreman_ssl_ca: '/etc/example/ca.pem', server_foreman_ssl_cert: '/etc/example/cert.pem', server_foreman_ssl_key: 
'/etc/example/key.pem' ) end it 'should pass SSL parameters to the ENC' do should contain_class('foreman::puppetmaster') .with_ssl_ca('/etc/example/ca.pem') .with_ssl_cert('/etc/example/cert.pem') .with_ssl_key('/etc/example/key.pem') end end describe 'with a PuppetDB host set' do let(:params) do super().merge( server_puppetdb_host: 'mypuppetdb.example.com', server_storeconfigs_backend: 'puppetdb' ) end it 'should configure PuppetDB' do should compile.with_all_deps should contain_class('puppetdb::master::config') .with_puppetdb_server('mypuppetdb.example.com') .with_puppetdb_port(8081) .with_puppetdb_soft_write_failure(false) .with_manage_storeconfigs(false) .with_restart_puppet(false) end end describe 'with additional settings' do let(:params) do super().merge(server_additional_settings: { 'stringify_facts' => true }) end it 'should configure puppet.conf' do should contain_puppet__config__master('stringify_facts').with_value(true) end end describe 'with server_parser => future' do let(:params) do super().merge(server_parser: 'future') end it { should contain_puppet__config__master('parser').with_value('future') } end describe 'with server_environment_timeout set' do let(:params) do super().merge(server_environment_timeout: '10m') end it { should contain_puppet__config__master('environment_timeout').with_value('10m') } end describe 'with no ssldir managed for master' do let(:params) do super().merge(server_ssl_dir_manage: false) end it { should_not contain_puppet__config__master('ssl_dir') } end describe 'with ssl key management disabled for server' do let(:params) do super().merge( server_certname: 'servercert', server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl', server_ssl_key_manage: false ) end it { should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') } end describe 'with nondefault CA settings' do let(:params) do super().merge(server_ca: false) end it { should contain_exec('puppet_server_config-create_ssl_dir') } it { 
should_not contain_exec('puppet_server_config-generate_ca_cert') } end describe 'with server_ca_crl_sync => true' do let(:params) do super().merge(server_ca_crl_sync: true) end context 'with server_ca => false and running "puppet apply"' do let(:params) do super().merge( server_ca: false, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end context 'with server_ca => false: running "puppet agent -t"' do let(:params) do super().merge( server_ca: false, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end let(:facts) do facts.merge(servername: 'myserver') end before :context do @cacrl = Tempfile.new('cacrl') File.open(@cacrl, 'w') { |f| f.write 'This is my CRL File' } Puppet.settings[:cacrl] = @cacrl.path end it 'should sync the crl from the ca' do should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') .with_content('This is my CRL File') end end context 'with server_ca => true: running "puppet agent -t"' do let(:params) do super().merge( server_ca: true, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end let(:facts) do facts.merge(servername: 'myserver') end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end end describe 'allow crl checking' do context 'as ca' do let(:params) do super().merge(server_ca: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/ca/ca_crl\.pem}) } end context 'as non-ca' do let(:params) do super().merge(server_ca: false) end it { should contain_file("#{conf_d_dir}/webserver.conf").without_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } context 'server_crl_enable' do let(:params) do super().merge(server_crl_enable: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } end end end describe 'with ssl_protocols overwritten' do 
let(:params) do super().merge(server_ssl_protocols: ['TLSv1.1', 'TLSv1.2']) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-protocols: \[\n( +)TLSv1.1,\n( +)TLSv1.2,\n( +)\]/) } end describe 'with ssl_protocols overwritten' do let(:params) do super().merge(server_cipher_suites: %w[TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA]) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/cipher-suites: \[\n( +)TLS_RSA_WITH_AES_256_CBC_SHA256,\n( +)TLS_RSA_WITH_AES_256_CBC_SHA,\n( +)\]/) } end describe 'with ssl_chain_filepath overwritten' do let(:params) do super().merge(server_ssl_chain_filepath: '/etc/example/certchain.pem') end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-cert-chain: /etc/example/certchain.pem}) } end describe 'with server_custom_trusted_oid_mapping overwritten' do let(:params) do super().merge(server_custom_trusted_oid_mapping: { '1.3.6.1.4.1.34380.1.2.1.1' => { shortname: 'myshortname', longname: 'My Long Name' }, '1.3.6.1.4.1.34380.1.2.1.2' => { shortname: 'myothershortname' } }) end it 'should have a configured custom_trusted_oid_mapping.yaml' do verify_exact_contents(catalogue, "#{confdir}/custom_trusted_oid_mapping.yaml", [ '---', 'oid_mapping:', ' 1.3.6.1.4.1.34380.1.2.1.1:', ' shortname: myshortname', ' longname: My Long Name', ' 1.3.6.1.4.1.34380.1.2.1.2:', ' shortname: myothershortname' ]) end end describe 'with server_certname parameter' do let(:params) do super().merge( server_certname: 'puppetserver43.example.com', server_ssl_dir: '/etc/custom/puppet/ssl' ) end it 'should put the correct ssl key path in webserver.conf' do should contain_file("#{conf_d_dir}/webserver.conf") .with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem}) end it 'should put the correct ssl cert path in webserver.conf' do should contain_file("#{conf_d_dir}/webserver.conf") .with_content(%r{ssl-cert: 
/etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem}) end end describe 'with server_http parameter set to true for the puppet class' do let(:params) do super().merge(server_http: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ host:\s0\.0\.0\.0/).with_content(/ port:\s8139/) } it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end describe 'with server_allow_header_cert_info => true' do let(:params) do super().merge(server_allow_header_cert_info: true) end it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end end end end
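Review bot: `facts[:puppetversion] >= '6.0'` is a plain Ruby string comparison, so it orders versions lexicographically rather than numerically: it happens to work for 4.x, 5.x and 6.x, but `'10.0.0' >= '6.0'` is false and would select the removed `puppet cert --generate` expectation on a two-digit major; use `Gem::Version.new(facts[:puppetversion]) >= Gem::Version.new('6.0')` (stdlib, no extra require) in both the FreeBSD and the default branch. The same four-line if/else is now duplicated in the two OS branches; computing the binary directory once (`bindir = facts[:osfamily] == 'FreeBSD' ? '/usr/local/bin' : '/opt/puppetlabs/bin'`) and building `puppetcacmd` from it after the OS `if` would leave a single version check to maintain. Note also that the Puppet 6 expectation `puppetserver ca setup` carries no `--allow-dns-alt-names` counterpart, so on Puppet 6 this spec no longer asserts anything about how subject alternative names on the server certificate are enabled; if the manifest relies on a `dns_alt_names` setting in puppet.conf for that (the manifest hunk is not visible here), a test pinning that setting would keep the SAN behaviour covered.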