diff --git a/.sync.yml b/.sync.yml index 89624cd..8dbe9a2 100644 --- a/.sync.yml +++ b/.sync.yml @@ -1,17 +1,16 @@ --- .travis.yml: beaker_sets: - centos7-64 - centos6-64 - debian8-64 - debian9-64 env: global: - PARALLEL_TEST_PROCESSORS=8 beaker_puppet_collections: - - pc1 - puppet5 - puppet6 Rakefile: param_docs_pattern: - manifests/init.pp diff --git a/.travis.yml b/.travis.yml index c4e7464..c64ddd1 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,127 +1,82 @@ --- # This file is managed centrally by modulesync # https://github.com/theforeman/foreman-installer-modulesync -rvm: - - 2.1.9 - - 2.3.0 - - 2.4.1 env: - matrix: - - PUPPET_VERSION=4.9 global: - PARALLEL_TEST_PROCESSORS=8 matrix: fast_finish: true include: - rvm: 2.4.1 env: PUPPET_VERSION=5.0 - - rvm: 2.5.1 - env: PUPPET_VERSION=5.0 - rvm: 2.5.1 env: PUPPET_VERSION=6.0 # Acceptance tests - - rvm: 2.5.1 - env: - - BEAKER_PUPPET_COLLECTION=pc1 - - BEAKER_setfile=centos7-64{hostname=centos7-64.example.com} - script: bundle exec rake beaker - services: docker - bundler_args: --without development - before_install: - - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - - sudo service docker restart - - rvm: 2.5.1 env: - BEAKER_PUPPET_COLLECTION=puppet5 - BEAKER_setfile=centos7-64{hostname=centos7-64.example.com} script: bundle exec rake beaker services: docker bundler_args: --without development before_install: - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - sudo service docker restart - rvm: 2.5.1 env: - BEAKER_PUPPET_COLLECTION=puppet6 - BEAKER_setfile=centos7-64{hostname=centos7-64.example.com} script: bundle exec rake beaker services: docker bundler_args: --without development before_install: - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - sudo service docker restart - - rvm: 2.5.1 - env: - - BEAKER_PUPPET_COLLECTION=pc1 - - BEAKER_setfile=centos6-64{hostname=centos6-64.example.com} - script: bundle exec rake beaker - services: docker - bundler_args: --without development - before_install: - - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - - sudo service docker restart - - rvm: 2.5.1 env: - BEAKER_PUPPET_COLLECTION=puppet5 - BEAKER_setfile=centos6-64{hostname=centos6-64.example.com} script: bundle exec rake beaker services: docker bundler_args: --without development 
before_install: - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - sudo service docker restart - rvm: 2.5.1 env: - BEAKER_PUPPET_COLLECTION=puppet6 - BEAKER_setfile=centos6-64{hostname=centos6-64.example.com} script: bundle exec rake beaker services: docker bundler_args: --without development before_install: - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - sudo service docker restart - - rvm: 2.5.1 - env: - - BEAKER_PUPPET_COLLECTION=pc1 - - BEAKER_setfile=debian9-64{hostname=debian9-64.example.com} - script: bundle exec rake beaker - services: docker - bundler_args: --without development - before_install: - - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - - sudo service docker restart - - rvm: 2.5.1 env: - BEAKER_PUPPET_COLLECTION=puppet5 - BEAKER_setfile=debian9-64{hostname=debian9-64.example.com} script: bundle exec rake beaker services: docker bundler_args: --without development before_install: - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - sudo service docker restart - rvm: 2.5.1 env: - BEAKER_PUPPET_COLLECTION=puppet6 - BEAKER_setfile=debian9-64{hostname=debian9-64.example.com} script: bundle exec rake beaker services: docker bundler_args: --without development before_install: - echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json - sudo service docker restart bundler_args: --without system_tests development -before_install: - - if [ $TRAVIS_RUBY_VERSION = 2.1.9 ] ; then - gem install -v 1.17.3 bundler --no-rdoc --no-ri; - fi -sudo: false +dist: xenial diff --git a/Gemfile b/Gemfile index 1018f50..8649454 100644 --- a/Gemfile +++ b/Gemfile 
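Review bot: With the pc1 jobs gone, the six remaining acceptance entries under `matrix.include` are still each a full copy of the same `script`, `services`, `bundler_args` and two-line `before_install` docker setup, differing only in `env`; one anchored entry (`- &acceptance` on the first job, then `- <<: *acceptance` plus its own `env` on the others) would make the matrix readable and keep future edits in one place, and Travis's YAML loader handles anchors and merge keys as far as I know. The file header says it is managed by modulesync, so the deduplication belongs in the upstream template rather than here.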
@@ -1,41 +1,41 @@ # This file is managed centrally by modulesync # https://github.com/theforeman/foreman-installer-modulesync source 'https://rubygems.org' -gem 'puppet', ENV.key?('PUPPET_VERSION') ? "~> #{ENV['PUPPET_VERSION']}" : '>= 4.6' +gem 'puppet', ENV.key?('PUPPET_VERSION') ? "~> #{ENV['PUPPET_VERSION']}" : '>= 5.5' gem 'rake' gem 'rspec', '~> 3.0' gem 'rdoc', '~> 5.1.0', {"platforms"=>["ruby_21"]} gem 'rspec-puppet', '~> 2.3' gem 'rspec-puppet-facts', '>= 1.7' gem 'puppetlabs_spec_helper', '>= 2.1.1' gem 'puppet-lint', '>= 2' gem 'puppet-lint-classes_and_types_beginning_with_digits-check' gem 'puppet-lint-empty_string-check' gem 'puppet-lint-file_ensure-check' gem 'puppet-lint-leading_zero-check' gem 'puppet-lint-param-docs', '>= 1.3.0' gem 'puppet-lint-spaceship_operator_without_tag-check' gem 'puppet-lint-strict_indent-check' gem 'puppet-lint-trailing_comma-check' gem 'puppet-lint-undef_in_function-check' gem 'puppet-lint-unquoted_string-check' gem 'puppet-lint-variable_contains_upcase' gem 'puppet-lint-version_comparison-check' gem 'simplecov' gem 'github_changelog_generator', {"git"=>"https://github.com/skywinder/github-changelog-generator", "ref"=>"20ee04ba1234e9e83eb2ffb5056e23d641c7a018", "groups"=>["development"]} if RUBY_VERSION >= '2.2.2' gem 'puppet-blacksmith', '>= 4.1.0', {"groups"=>["development"]} gem 'beaker', '>= 4.2.0', {"groups"=>["system_tests"]} gem 'beaker-docker', {"groups"=>["system_tests"]} gem 'beaker-hostgenerator', '>= 1.1.10', {"groups"=>["system_tests"]} gem 'beaker-puppet', {"groups"=>["system_tests"]} gem 'beaker-rspec', {"groups"=>["system_tests"]} gem 'beaker-module_install_helper', {"groups"=>["system_tests"]} gem 'beaker-puppet_install_helper', {"groups"=>["system_tests"]} gem 'metadata-json-lint' gem 'kafo_module_lint' gem 'parallel_tests' # vim:ft=ruby diff --git a/README.md b/README.md index 53946a8..52d018f 100644 --- a/README.md +++ b/README.md 
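Review bot: The new default constraint `'>= 5.5'` on the `gem 'puppet'` line is a floor that is explained nowhere in the file, and it does not match the 5.3.6 Puppet Server minimum the same commit writes into README.md; if the two floors are intentionally different (puppet gem versus puppetserver package), a comment above the line such as `# Lowest puppet gem version used when PUPPET_VERSION is unset; the Puppet Server floor is documented in README.md` would stop the next reader from "fixing" one to match the other. The constraint is also open-ended upward, so a future major release is pulled in automatically whenever PUPPET_VERSION is unset — presumably intended since the CI matrix sets the version explicitly, but worth stating in that comment. The header says the file is managed by modulesync, so the wording belongs in the upstream template.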
@@ -1,180 +1,168 @@ [![Puppet Forge](https://img.shields.io/puppetforge/v/theforeman/puppet.svg)](https://forge.puppetlabs.com/theforeman/puppet) [![Build Status](https://travis-ci.org/theforeman/puppet-puppet.svg?branch=master)](https://travis-ci.org/theforeman/puppet-puppet) # Puppet module for installing the Puppet agent and master Installs and configures the Puppet agent and optionally a Puppet master (when `server` is true). Part of the [Foreman installer](https://github.com/theforeman/foreman-installer) or to be used as a Puppet module. -When using Puppet Server (version 2.2.x is the lowest version, this module supports), +When using Puppet Server (version 5.3.6 is the lowest version, this module supports), the module supports and assumes you will be installing the latest version. If you know you'll be installing an earlier or specific version, you will need to override `server_puppetserver_version`. More information in the Puppet Server section below. Many puppet.conf options for agents, masters and other are parameterized, with class documentation provided at the top of the manifests. In addition, there are hash parameters for each configuration section that can be used to supply any options that are not explicitly supported. ## Environments support The module helps configure Puppet environments using directory environments. These are set up under /etc/puppetlabs/code/environments. ## Git repo support Environments can be backed by git by setting `server_git_repo` to true, which sets up `/var/lib/puppet/puppet.git` where each branch maps to one environment. Avoid using 'master' as this name isn't permitted. On each push to the repo, a hook updates `/etc/puppet/environments` with the contents of the branch. Requires [theforeman/git](https://forge.puppetlabs.com/theforeman/git). ## Foreman integration With the 3.0.0 release the Foreman integration became optional. 
It will still by default install the Foreman integration when `server` is true, so if you wish to run a Puppet master without Foreman, it can be disabled by setting `server_foreman` to false. Requires [theforeman/foreman](https://forge.puppetlabs.com/theforeman/foreman). ## PuppetDB integration The Puppet master can be configured to export catalogs and reports to a PuppetDB instance, using the puppetlabs/puppetdb module. Use its `puppetdb::server` class to install the PuppetDB server and this module to configure the Puppet master to connect to PuppetDB. Requires [puppetlabs/puppetdb](https://forge.puppetlabs.com/puppetlabs/puppetdb) Please see the notes about using puppetlabs/puppetdb 5.x with older versions of Puppet (< 4.x) and PuppetDB (< 3.x) with newer releases of the module and set the values via hiera or an extra include of `puppetdb::globals` with `puppetdb_version` defined. # Installation Available from GitHub (via cloning or tarball), [Puppet Forge](https://forge.puppetlabs.com/theforeman/puppet) or as part of the Foreman installer. # Usage As a parameterized class, all the configurable options can be overridden from your wrapper classes or even your ENC (if it supports param classes). For example: # Agent and cron (or daemon): class { '::puppet': runmode => 'cron' } # Agent and puppetmaster: class { '::puppet': server => true } # You want to use git? class { '::puppet': server => true server_git_repo => true } # Maybe you're using gitolite, new hooks, and a different port? class { '::puppet': server => true server_port => 8141, server_git_repo => true, server_git_repo_path => '/var/lib/gitolite/repositories/puppet.git', server_post_hook_name => 'post-receive.puppet', server_post_hook_content => 'puppetserver/post-hook.puppet', } # Configure master without Foreman integration class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', } # Want to integrate with an existing PuppetDB? 
class { '::puppet': server => true, server_puppetdb_host => 'mypuppetdb.example.com', server_reports => 'puppetdb,foreman', server_storeconfigs_backend => 'puppetdb', } Look in _init.pp_ for what can be configured this way, see Contributing if anything doesn't work. To use this in standalone mode, edit a file (e.g. install.pp), put in a class resource, as per the examples above, and the execute _puppet apply_ e.g: cat > install.pp < true } EOF puppet apply install.pp --modulepath /path_to/extracted_tarball # Advanced scenarios An HTTP (non-SSL) puppetmaster instance can be set up (standalone or in addition to the SSL instance) by setting the `server_http` parameter to `true`. This is useful for reverse proxy or load balancer scenarios where the proxy/load balancer takes care of SSL termination. The HTTP puppetmaster instance expects the `X-Client-Verify`, `X-SSL-Client-DN` and `X-SSL-Subject` HTTP headers to have been set on the front end server. The listening port can be configured by setting `server_http_port` (which defaults to 8139). For puppetserver, this HTTP instance accepts **ALL** connections and no further restrictions can be configured. **Note that running an HTTP puppetmaster is a huge security risk when improperly configured. Allowed hosts should be tightly controlled; anyone with access to an allowed host can access all client catalogues and client certificates.** # Configure an HTTP puppetmaster vhost in addition to the standard SSL vhost class { '::puppet': server => true, server_http => true, server_http_port => 8130, # default: 8139 } ## Puppet Server configuration Puppet Server requires slightly different configuration between different versions, which this module supports. It's recommended that you set the `server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version you have installed. By default the module will configure for the latest version available. 
-Currently supported values and configuration behaviours are: - -* `5.1.0` (default for Puppet >= 5.1) - configures CRL reload service and `/puppet/v3/tasks` route -* `5.0.0` (default for Puppet 5.0.x) - configures metrics service and `/puppet/experimental` route -* `2.7.x` (default for Puppet < 5) - creates `product.conf` -* `2.5.x`, `2.6.x` - configures the certificate authority in `ca.cfg` -* `2.4.99` - configures for both 2.4 and 2.5, with `bootstrap.cfg` - and `ca.cfg` -* `2.3.x`, `2.4.x` - configures the certificate authority and - versioned-code-service in `bootstrap.cfg` -* `2.2.x` - configures the certificate authority in `bootstrap.cfg` - # Contributing * Fork the project * Commit and push until you are happy with your contribution # More info See https://theforeman.org or at #theforeman irc channel on freenode Copyright (c) 2010-2012 Ohad Levy This program and entire repository is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . diff --git a/manifests/params.pp b/manifests/params.pp index 812af65..1ea2fc6 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -1,438 +1,438 @@ # Default parameters # @api private class puppet::params { # Basic config $version = 'present' $manage_user = true $user = 'puppet' $group = 'puppet' $ip = '0.0.0.0' $port = 8140 $listen = false $listen_to = [] $pluginsync = true $splay = false $splaylimit = 1800 $runinterval = 1800 $runmode = 'service' $report = true # Not defined here as the commands depend on module parameter "dir" $cron_cmd = undef $systemd_cmd = undef $agent_noop = false $show_diff = false $module_repository = undef $hiera_config = '$confdir/hiera.yaml' $usecacheonfailure = true $ca_server = undef $ca_port = undef $ca_crl_filepath = undef $server_crl_enable = undef $prerun_command = undef $postrun_command = undef $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false if defined('$::domain') { $srv_domain = $::domain } else { $srv_domain = undef } # lint:ignore:puppet_url_without_modules $pluginsource = 'puppet:///plugins' $pluginfactsource = 'puppet:///pluginfacts' # lint:endignore $classfile = '$statedir/classes.txt' $syslogfacility = undef $environment = $::environment $aio_package = ($::osfamily == 'Windows' or $::rubysitedir =~ /\/opt\/puppetlabs\/puppet/) $systemd_randomizeddelaysec = 0 case $::osfamily { 'Windows' : { # Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end $dir_prefix = 'C:/ProgramData/PuppetLabs/puppet' $dir = "${dir_prefix}/etc" $codedir = "${dir_prefix}/etc" $logdir = "${dir_prefix}/var/log" $rundir = "${dir_prefix}/var/run" $ssldir = "${dir_prefix}/etc/ssl" $vardir = "${dir_prefix}/var" $sharedir = "${dir_prefix}/share" $bindir = "${dir_prefix}/bin" $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } /^(FreeBSD|DragonFly)$/ : { $dir = '/usr/local/etc/puppet' $codedir = '/usr/local/etc/puppet' $logdir = '/var/log/puppet' 
$rundir = '/var/run/puppet' $ssldir = '/var/puppet/ssl' $vardir = '/var/puppet' $sharedir = '/usr/local/share/puppet' $bindir = '/usr/local/bin' $root_group = undef $server_puppetserver_dir = '/usr/local/etc/puppetserver' $server_puppetserver_vardir = '/var/puppet/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetserver' $server_puppetserver_logdir = '/var/log/puppetserver' $ruby_gem_dir = regsubst($::rubyversion, '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$::rubysitedir, "${ruby_gem_dir}/facter-${::facterversion}/lib"] $server_jruby_gem_home = '/var/puppet/server/data/puppetserver/jruby-gems' } 'Archlinux' : { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/usr/bin' $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } default : { if $aio_package { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/opt/puppetlabs/bin' $server_puppetserver_dir = '/etc/puppetlabs/puppetserver' $server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetlabs/puppetserver' $server_puppetserver_logdir = '/var/log/puppetlabs/puppetserver' $server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby'] $server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems' } else { $dir = '/etc/puppet' $codedir = $::osfamily ? 
{ 'Debian' => '/etc/puppet/code', default => '/etc/puppet', } $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/lib/puppet/ssl' $vardir = '/var/lib/puppet' $sharedir = '/usr/share/puppet' $bindir = '/usr/bin' $server_puppetserver_dir = '/etc/puppetserver' $server_puppetserver_vardir = $vardir $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = '/var/lib/puppet/jruby-gems' } $root_group = undef } } $configtimeout = undef $autosign = "${dir}/autosign.conf" $autosign_entries = [] $autosign_mode = '0664' $autosign_content = undef $autosign_source = undef $puppet_cmd = "${bindir}/puppet" $puppetserver_cmd = "${bindir}/puppetserver" $manage_packages = true if $::osfamily == 'Windows' { $dir_owner = undef $dir_group = undef } elsif $aio_package or $::osfamily == 'Suse' { $dir_owner = 'root' $dir_group = $root_group } else { $dir_owner = $user $dir_group = $group } $package_provider = $::osfamily ? { 'windows' => 'chocolatey', default => undef, } $package_source = undef # Need your own config templates? Specify here: $auth_template = 'puppet/auth.conf.erb' # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false # Authenticated nodes to allow $auth_allowed = ['$1'] # Will this host be a puppet agent ? $agent = true $remove_lock = true $client_certname = $::clientcert if defined('$::puppetmaster') { $puppetmaster = $::puppetmaster } else { $puppetmaster = undef } # Hashes containing additional settings $additional_settings = {} $agent_additional_settings = {} $server_additional_settings = {} # Will this host be a puppetmaster? 
$server = false $server_ca = true $server_ca_crl_sync = false $server_reports = 'foreman' $server_external_nodes = "${dir}/node.rb" $server_enc_api = 'v2' $server_report_api = 'v2' $server_request_timeout = 60 $server_certname = $::clientcert $server_strict_variables = false $server_http = false $server_http_port = 8139 # Need a new master template for the server? $server_template = 'puppet/server/puppet.conf.erb' # Template for server settings in [main] $server_main_template = 'puppet/server/puppet.conf.main.erb' # The script that is run to determine the reported manifest version. Undef # means we determine it in server.pp $server_config_version = undef # Set 'false' for static environments, or 'true' for git-based workflow $server_git_repo = false # Git branch to puppet env mapping for the post receive hook $server_git_branch_map = {} # Owner of the environments dir: for cases external service needs write # access to manage it. $server_environments_owner = $user $server_environments_group = $root_group $server_environments_mode = '0755' # Where we store our puppet environments $server_envs_dir = "${codedir}/environments" $server_envs_target = undef # Modules in this directory would be shared across all environments $server_common_modules_path = unique(["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules']) # Dynamic environments config, ignore if the git_repo is 'false' # Path to the repository $server_git_repo_path = "${vardir}/puppet.git" # mode of the repository $server_git_repo_mode = '0755' # user of the repository $server_git_repo_user = $user # group of the repository $server_git_repo_group = $user # Override these if you need your own hooks $server_post_hook_content = 'puppet/server/post-receive.erb' $server_post_hook_name = 'post-receive' $server_custom_trusted_oid_mapping = undef # PuppetDB config $server_puppetdb_host = undef $server_puppetdb_port = 8081 $server_puppetdb_swf = false # Do you use 
storeconfigs? (note: not required) # - undef if you don't # - active_record for 2.X style db # - puppetdb for puppetdb $server_storeconfigs_backend = undef $puppet_major = regsubst($::puppetversion, '^(\d+)\..*$', '\1') if ($::osfamily =~ /(FreeBSD|DragonFly)/ and versioncmp($puppet_major, '5') >= 0) { $server_package = "puppetserver${puppet_major}" } else { $server_package = undef } $server_ssl_dir = $ssldir $server_version = undef if $aio_package { $client_package = ['puppet-agent'] } elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) { $client_package = ["puppet${puppet_major}"] } else { $client_package = ['puppet'] } # Puppet service name $service_name = 'puppet' # Puppet onedshot systemd service and timer name $systemd_unit_name = 'puppet-run' # Mechanisms to manage and reload/restart the agent # If supported on the OS, reloading is prefered since it does not kill a currently active puppet run case $::osfamily { 'Debian' : { $agent_restart_command = "/usr/sbin/service ${service_name} reload" $unavailable_runmodes = [] } 'Redhat' : { # PSBM is a CentOS 6 based distribution # it reports its $osreleasemajor as 2, not 6. # thats why we're matching for '2' in both parts # Amazon Linux is like RHEL6 but reports its osreleasemajor as 2017 or 2018. $osreleasemajor = regsubst($::operatingsystemrelease, '^(\d+)\..*$', '\1') # workaround for the possibly missing operatingsystemmajrelease $agent_restart_command = $osreleasemajor ? { /^(2|5|6|2017|2018)$/ => "/sbin/service ${service_name} reload", '7' => "/usr/bin/systemctl reload-or-restart ${service_name}", default => undef, } $unavailable_runmodes = $osreleasemajor ? 
{ /^(2|5|6|2017|2018)$/ => ['systemd.timer'], default => [], } } 'Windows': { $agent_restart_command = undef $unavailable_runmodes = ['cron', 'systemd.timer'] } 'Archlinux': { $agent_restart_command = "/usr/bin/systemctl reload-or-restart ${service_name}" $unavailable_runmodes = ['cron'] } default : { $agent_restart_command = undef $unavailable_runmodes = ['systemd.timer'] } } # Foreman parameters $lower_fqdn = downcase($::fqdn) $server_foreman = true $server_foreman_facts = true $server_puppet_basedir = $aio_package ? { true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet', false => undef, } $server_foreman_url = "https://${lower_fqdn}" $server_foreman_ssl_ca = undef $server_foreman_ssl_cert = undef $server_foreman_ssl_key = undef # Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser $server_parser = 'current' # Timeout for cached environments, changed in puppet 3.7.x $server_environment_timeout = undef # puppet server configuration file $server_jvm_config = $::osfamily ? { 'RedHat' => '/etc/sysconfig/puppetserver', 'Debian' => '/etc/default/puppetserver', default => '/etc/default/puppetserver', } $server_jvm_java_bin = '/usr/bin/java' $server_jvm_extra_args = undef $server_jvm_cli_args = undef # This is some very trivial "tuning". 
See the puppet reference: # https://docs.puppet.com/puppetserver/latest/tuning_guide.html if ($::memorysize_mb =~ String) { $mem_in_mb = scanf($::memorysize_mb, '%i')[0] } else { $mem_in_mb = 0 + $::memorysize_mb } if $mem_in_mb >= 3072 { $server_jvm_min_heap_size = '2G' $server_jvm_max_heap_size = '2G' $server_max_active_instances = min(abs($::processorcount), 4) } elsif $mem_in_mb >= 1024 { $server_max_active_instances = 1 $server_jvm_min_heap_size = '1G' $server_jvm_max_heap_size = '1G' } else { # VMs with 1GB RAM and a crash kernel enabled usually have an effective 992MB RAM $server_max_active_instances = 1 $server_jvm_min_heap_size = '768m' $server_jvm_max_heap_size = '768m' } $server_ssl_dir_manage = true $server_ssl_key_manage = true $server_default_manifest = false $server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp' $server_default_manifest_content = '' # lint:ignore:empty_string_assignment $server_max_requests_per_instance = 0 $server_max_queued_requests = 0 $server_max_retry_delay = 1800 $server_idle_timeout = 1200000 $server_web_idle_timeout = 30000 $server_connect_timeout = 120000 $server_ca_auth_required = true $server_admin_api_whitelist = [ 'localhost', $lower_fqdn ] $server_ca_client_whitelist = [ 'localhost', $lower_fqdn ] $server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA' ] $server_ssl_protocols = [ 'TLSv1.2' ] $server_ssl_chain_filepath = "${server_ssl_dir}/ca/ca_crt.pem" $server_check_for_updates = true $server_environment_class_cache_enabled = false $server_allow_header_cert_info = false $server_ca_allow_sans = false $server_ca_allow_auth_extensions = false $server_ca_enable_infra_crl = false $server_max_open_files = undef $server_puppetserver_version = undef - # Puppetserver >= 2.2 Which auth.conf shall we use? + # Puppetserver 5.x Which auth.conf shall we use? 
$server_use_legacy_auth_conf = false # For Puppetserver 5, use JRuby 9k? $server_puppetserver_jruby9k = false # this switch also controls Ruby profiling, by default disabled for Puppetserver 2.x, enabled for 5.x $server_puppetserver_metrics = undef # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false $server_metrics_graphite_host = '127.0.0.1' $server_metrics_graphite_port = 2003 $server_metrics_server_id = $lower_fqdn $server_metrics_graphite_interval = 5 $server_metrics_allowed = undef # For Puppetserver 5, should the /puppet/experimental route be enabled? $server_puppetserver_experimental = true # Normally agents can only fetch their own catalogs. If you want some nodes to be able to fetch *any* catalog, add them here. $server_puppetserver_trusted_agents = [] } diff --git a/manifests/server.pp b/manifests/server.pp index d24922b..8a6f7cd 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
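Review bot: The reworded comment now reads `# Puppetserver 5.x Which auth.conf shall we use?`, but two lines below it the unchanged comment on `$server_puppetserver_metrics` still says `by default disabled for Puppetserver 2.x, enabled for 5.x`, so the hunk leaves a stale 2.x reference right next to the one it removes; it should be updated in the same pass, e.g. `# this switch also controls Ruby profiling; enabled by default on Puppetserver 5.x` (assuming that default still holds in server.pp, which is outside this hunk). The new wording itself would read better with punctuation, `# Puppetserver 5.x: which auth.conf shall we use?`. Other "Puppetserver 2.x" mentions may remain elsewhere in the module outside this diff and are worth a grep.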
@@ -1,507 +1,497 @@ # == Class: puppet::server # # Sets up a puppet master. # # == puppet::server parameters # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $hiera_config:: The hiera configuration file. # # $manage_user:: Whether to manage the puppet user resource # # $user:: Name of the puppetmaster user. # # $group:: Name of the puppetmaster group. # # $dir:: Puppet configuration directory # # $ip:: Bind ip address of the puppetmaster # # $port:: Puppet master port # # $ca:: Provide puppet CA # # $ca_crl_filepath:: Path to ca_crl file # # $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to # be agents of the CA master (MOM) defaults to false # # $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults # to false # # $http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. # # $http_port:: Puppet master HTTP port; defaults to 8139. 
# # $reports:: List of report types to include on the puppetmaster # # $external_nodes:: External nodes classifier executable # # $git_repo:: Use git repository as a source of modules # # $environments_owner:: The owner of the environments directory # # $environments_group:: The group owning the environments directory # # $environments_mode:: Environments directory mode. # # $envs_dir:: Directory that holds puppet environments # # $envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $common_modules_path:: Common modules paths # # $git_repo_path:: Git repository path # # $git_repo_mode:: Git repository mode # # $git_repo_group:: Git repository group # # $git_repo_user:: Git repository user # # $git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $post_hook_content:: Which template to use for git post hook # # $post_hook_name:: Name of a git hook # # $storeconfigs_backend:: Do you use storeconfigs? (note: not required) # false if you don't, "active_record" for 2.X # style db, "puppetdb" for puppetdb # # $ssl_dir:: SSL directory # # $package:: Custom package name for puppet master # # $version:: Custom package version for puppet master # # $certname:: The name to use when handling certificates. # # $strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $puppetdb_host:: PuppetDB host # # $puppetdb_port:: PuppetDB port # # $puppetdb_swf:: PuppetDB soft_write_failure # # $parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # === Advanced server parameters: # # $codedir:: Override the puppet code directory. # # $config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. 
# # $server_foreman_facts:: Should foreman receive facts from puppet # # $foreman:: Should foreman integration be installed # # $foreman_url:: Foreman URL # # $foreman_ssl_ca:: SSL CA of the Foreman server # # $foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $foreman_ssl_key:: Key for authenticating against Foreman server # # $puppet_basedir:: Where is the puppet code base located # # $enc_api:: What version of enc script to deploy. # # $report_api:: What version of report processor to deploy. # # $compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. # # # $request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $jvm_java_bin:: Set the default java to use. # # $jvm_config:: Specify the puppetserver jvm configuration file. # # $jvm_min_heap_size:: Specify the minimum jvm heap space. # # $jvm_max_heap_size:: Specify the maximum jvm heap space. # # $jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. 
# default to ['$1'] # # $default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $default_manifest_path:: A string setting the path to the default_manifest # # $default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $puppetserver_vardir:: The path of the puppetserver var dir # # $puppetserver_rundir:: The path of the puppetserver run dir # # $puppetserver_logdir:: The path of the puppetserver log dir # # $puppetserver_dir:: The path of the puppetserver config dir # # $puppetserver_version:: The version of puppetserver installed (or being installed) # Unfortunately, different versions of puppetserver need configuring differently. # By default we attempt to derive the version from the puppet version itself but # can be overriden if you're installing an older version. # # $max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled) # # $max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a # JRuby from the pool. (Puppetserver 5.x only) # Defaults to 0 (disabled) for Puppetserver >= 5.0 # # $max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on # 503 responses returned when max-queued-requests is enabled. 
(Puppetserver 5.x only) # Defaults to 1800 for Puppetserver >= 5.0 # # $idle_timeout:: How long the server will wait for a response on an existing connection # # $connect_timeout:: How long the server will wait for a response to a connection attempt # # $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed. # Defaults to the Jetty default of 30s # # $ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $ssl_chain_filepath:: Path to certificate chain for puppetserver # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # $custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) # # $check_for_updates:: Should the puppetserver phone home to check for available updates? # # $environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the # environment_classes API. 
# # # $allow_header_cert_info:: Allow client authentication over HTTP Headers # Defaults to false, is also activated by the $http setting # # $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? # Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # # $metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $puppetserver_trusted_agents:: Certificate names of agents that are allowed to fetch *all* catalogs. Defaults to empty array # # # $ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # Defaults to false # # $ca_enable_infra_crl:: Enable the separate CRL for Puppet infrastructure nodes # Defaults to false # # $acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for unencrypted HTTP traffic. If not provided, the webserver # defaults to the number of virtual cores on the host divided by 8, with a minimum # of 1 and maximum of 4. 
# # $selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for unencrypted HTTPS traffic. If not provided, # the webserver defaults to the minimum of: virtual cores on the host divided by 2 # or max-threads divided by 16, with a minimum of 1. # # $max_threads:: This sets the maximum number of threads assigned to responding to HTTP and/or # HTTPS requests for a single webserver, effectively changing how many # concurrent requests can be made at one time. If not provided, the # webserver defaults to 200. # # $ssl_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for encrypted HTTPS traffic. If not provided, defaults to # the number of virtual cores on the host divided by 8, with a minimum of 1 and maximum of 4. # # $ssl_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for encrypted HTTPS traffic. Defaults to the number of # virtual cores on the host divided by 2, with a minimum of 1 and maximum of 4. # The number of selector threads actually used by Jetty is twice the number of selectors # requested. For example, if a value of 3 is specified for the ssl-selector-threads setting, # Jetty will actually use 6 selector threads. 
class puppet::server( Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign, Array[String] $autosign_entries = $::puppet::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $::puppet::autosign_mode, Optional[String] $autosign_content = $::puppet::autosign_content, Optional[String] $autosign_source = $::puppet::autosign_source, String $hiera_config = $::puppet::hiera_config, Array[String] $admin_api_whitelist = $::puppet::server_admin_api_whitelist, Boolean $manage_user = $::puppet::server_manage_user, String $user = $::puppet::server_user, String $group = $::puppet::server_group, String $dir = $::puppet::server_dir, Stdlib::Absolutepath $codedir = $::puppet::codedir, Integer $port = $::puppet::server_port, String $ip = $::puppet::server_ip, Boolean $ca = $::puppet::server_ca, Optional[String] $ca_crl_filepath = $::puppet::ca_crl_filepath, Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync, Optional[Boolean] $crl_enable = $::puppet::server_crl_enable, Boolean $ca_auth_required = $::puppet::server_ca_auth_required, Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $::puppet::server_custom_trusted_oid_mapping, Boolean $http = $::puppet::server_http, Integer $http_port = $::puppet::server_http_port, String $reports = $::puppet::server_reports, Stdlib::Absolutepath $puppetserver_vardir = $::puppet::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $puppetserver_rundir = $::puppet::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $puppetserver_logdir = $::puppet::server_puppetserver_logdir, Stdlib::Absolutepath $puppetserver_dir = $::puppet::server_puppetserver_dir, Optional[Pattern[/^[\d]\.[\d]+\.[\d]+$/]] $puppetserver_version = $::puppet::server_puppetserver_version, Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $::puppet::server_external_nodes, Array[String] $cipher_suites = 
$::puppet::server_cipher_suites, Optional[String] $config_version = $::puppet::server_config_version, Integer[0] $connect_timeout = $::puppet::server_connect_timeout, Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout, Boolean $git_repo = $::puppet::server_git_repo, Boolean $default_manifest = $::puppet::server_default_manifest, Stdlib::Absolutepath $default_manifest_path = $::puppet::server_default_manifest_path, String $default_manifest_content = $::puppet::server_default_manifest_content, String $environments_owner = $::puppet::server_environments_owner, Optional[String] $environments_group = $::puppet::server_environments_group, Pattern[/^[0-9]{3,4}$/] $environments_mode = $::puppet::server_environments_mode, Stdlib::Absolutepath $envs_dir = $::puppet::server_envs_dir, Optional[Stdlib::Absolutepath] $envs_target = $::puppet::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $::puppet::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $::puppet::server_git_repo_mode, Stdlib::Absolutepath $git_repo_path = $::puppet::server_git_repo_path, String $git_repo_group = $::puppet::server_git_repo_group, String $git_repo_user = $::puppet::server_git_repo_user, Hash[String, String] $git_branch_map = $::puppet::server_git_branch_map, Integer[0] $idle_timeout = $::puppet::server_idle_timeout, String $post_hook_content = $::puppet::server_post_hook_content, String $post_hook_name = $::puppet::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $storeconfigs_backend = $::puppet::server_storeconfigs_backend, Array[Stdlib::Absolutepath] $ruby_load_paths = $::puppet::server_ruby_load_paths, Stdlib::Absolutepath $ssl_dir = $::puppet::server_ssl_dir, Boolean $ssl_dir_manage = $::puppet::server_ssl_dir_manage, Boolean $ssl_key_manage = $::puppet::server_ssl_key_manage, Array[String] $ssl_protocols = $::puppet::server_ssl_protocols, Optional[Stdlib::Absolutepath] 
$ssl_chain_filepath = $::puppet::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $package = $::puppet::server_package, Optional[String] $version = $::puppet::server_version, String $certname = $::puppet::server_certname, Enum['v2'] $enc_api = $::puppet::server_enc_api, Enum['v2'] $report_api = $::puppet::server_report_api, Integer[0] $request_timeout = $::puppet::server_request_timeout, Boolean $strict_variables = $::puppet::server_strict_variables, Hash[String, Data] $additional_settings = $::puppet::server_additional_settings, Boolean $foreman = $::puppet::server_foreman, Stdlib::HTTPUrl $foreman_url = $::puppet::server_foreman_url, Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $::puppet::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $foreman_ssl_key = $::puppet::server_foreman_ssl_key, Boolean $server_foreman_facts = $::puppet::server_foreman_facts, Optional[Stdlib::Absolutepath] $puppet_basedir = $::puppet::server_puppet_basedir, Optional[String] $puppetdb_host = $::puppet::server_puppetdb_host, Integer[0, 65535] $puppetdb_port = $::puppet::server_puppetdb_port, Boolean $puppetdb_swf = $::puppet::server_puppetdb_swf, Enum['current', 'future'] $parser = $::puppet::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $::puppet::server_environment_timeout, String $jvm_java_bin = $::puppet::server_jvm_java_bin, String $jvm_config = $::puppet::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $::puppet::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $::puppet::server_jvm_max_heap_size, Optional[Variant[String,Array[String]]] $jvm_extra_args = $::puppet::server_jvm_extra_args, Optional[String] $jvm_cli_args = $::puppet::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $jruby_gem_home = $::puppet::server_jruby_gem_home, Integer[1] $max_active_instances = 
$::puppet::server_max_active_instances, Integer[0] $max_requests_per_instance = $::puppet::server_max_requests_per_instance, Integer[0] $max_queued_requests = $puppet::server_max_queued_requests, Integer[0] $max_retry_delay = $puppet::server_max_retry_delay, Boolean $use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $::puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $::puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $::puppet::server_allow_header_cert_info, Boolean $puppetserver_jruby9k = $::puppet::server_puppetserver_jruby9k, Optional[Boolean] $puppetserver_metrics = $::puppet::server_puppetserver_metrics, Boolean $metrics_jmx_enable = $::puppet::server_metrics_jmx_enable, Boolean $metrics_graphite_enable = $::puppet::server_metrics_graphite_enable, String $metrics_graphite_host = $::puppet::server_metrics_graphite_host, Integer $metrics_graphite_port = $::puppet::server_metrics_graphite_port, String $metrics_server_id = $::puppet::server_metrics_server_id, Integer $metrics_graphite_interval = $::puppet::server_metrics_graphite_interval, Variant[Undef, Array] $metrics_allowed = $::puppet::server_metrics_allowed, Boolean $puppetserver_experimental = $::puppet::server_puppetserver_experimental, Array[String] $puppetserver_trusted_agents = $::puppet::server_puppetserver_trusted_agents, Optional[Enum['off', 'jit', 'force']] $compile_mode = $::puppet::server_compile_mode, Optional[Integer[1]] $selector_threads = $::puppet::server_selector_threads, Optional[Integer[1]] $acceptor_threads = $::puppet::server_acceptor_threads, Optional[Integer[1]] $ssl_selector_threads = $::puppet::server_ssl_selector_threads, Optional[Integer[1]] $ssl_acceptor_threads = $::puppet::server_ssl_acceptor_threads, Optional[Integer[1]] $max_threads = $::puppet::server_max_threads, Boolean $ca_allow_sans = $::puppet::server_ca_allow_sans, Boolean $ca_allow_auth_extensions = 
$::puppet::server_ca_allow_auth_extensions, Boolean $ca_enable_infra_crl = $::puppet::server_ca_enable_infra_crl, Optional[Integer[1]] $max_open_files = $::puppet::server_max_open_files, ) { if $ca { $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" $ssl_chain = $ssl_chain_filepath $crl_enable_real = pick($crl_enable, true) } else { $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") $ssl_chain = false $crl_enable_real = pick($crl_enable, false) } $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" if $config_version == undef { if $git_repo { $config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long" } else { $config_version_cmd = undef } } else { $config_version_cmd = $config_version } # For Puppetserver, certain configuration parameters are version specific. We # assume a particular version here. if $puppetserver_version { $real_puppetserver_version = $puppetserver_version } elsif versioncmp($::puppetversion, '6.0.0') >= 0 { $real_puppetserver_version = '6.0.0' - } elsif versioncmp($::puppetversion, '5.5.7') >= 0 { + } else { $real_puppetserver_version = '5.3.6' - } elsif versioncmp($::puppetversion, '5.5.0') >= 0 { - $real_puppetserver_version = '5.3.0' - } elsif versioncmp($::puppetversion, '5.1.0') >= 0 { - $real_puppetserver_version = '5.1.0' - } elsif versioncmp($::puppetversion, '5.0.0') >= 0 { - $real_puppetserver_version = '5.0.0' - } else { - $real_puppetserver_version = '2.7.0' } # Prefer the user setting,otherwise disable for Puppetserver 2.x, enabled for 5.x - $real_puppetserver_metrics = pick($puppetserver_metrics, versioncmp($real_puppetserver_version, '5.0.0') >= 0) + $real_puppetserver_metrics = pick($puppetserver_metrics, true) if $jvm_extra_args { $real_jvm_extra_args = $jvm_extra_args - } elsif versioncmp($real_puppetserver_version, '5.0.0') < 0 { - $real_jvm_extra_args = 
'-XX:MaxPermSize=256m' } else { $real_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } contain puppet::server::install contain puppet::server::config contain puppet::server::service Class['puppet::server::install'] ~> Class['puppet::server::config'] Class['puppet::config', 'puppet::server::config'] ~> Class['puppet::server::service'] } diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index a03c3a9..e61e09f 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp 
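Review bot: The new `else` branch maps every pre-6.0 `$::puppetversion` to puppetserver '5.3.6', so the derived value can never trip the `< 5.3.6` guard in puppet::server::puppetserver, and a host running an older 5.x agent (the metadata floor of 5.5.8 is, as far as I can tell, not enforced at catalog-compile time) silently gets 5.3.6-era configuration such as conf.d/ca.conf written for it. Making the floor explicit here keeps that failure loud: `} elsif versioncmp($::puppetversion, '5.5.8') >= 0 {` / `  $real_puppetserver_version = '5.3.6'` / `} else { fail("Puppet ${::puppetversion} is below the 5.5.8 minimum supported by this module") }`. The comment above the metrics default is also stale now that `pick($puppetserver_metrics, true)` no longer looks at the version; suggest `# Prefer the user setting, otherwise enable metrics (always available on Puppetserver >= 5)`. The `$puppetserver_metrics`, `$max_queued_requests` and `$max_retry_delay` parameter docs earlier in this hunk still carry "2.x"/"5.x only" qualifiers that no longer describe the code.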
@@ -1,280 +1,264 @@ # Configures the puppetserver jvm configuration file using augeas. # # @api private # # @param java_bin # Path to the java executable to use # # @param config # Path to the jvm configuration file. # This file is usually either /etc/default/puppetserver or # /etc/sysconfig/puppetserver depending on your *nix flavor. # # @param jvm_min_heap_size # Translates into the -Xms option and is added to the JAVA_ARGS # # @param jvm_max_heap_size # Translates into the -Xmx option and is added to the JAVA_ARGS # # @param jvm_extra_args # Custom options to pass through to the java binary. These get added to # the end of the JAVA_ARGS variable # # @param jvm_cli_args # Custom options to pass through to the java binary when using a # puppetserver subcommand, (eg puppetserver gem). These get used # in the JAVA_ARGS_CLI variable. # # @param server_puppetserver_dir # Puppetserver config directory # # @param server_puppetserver_vardir # Puppetserver var directory # # @param server_jruby_gem_home # Puppetserver jruby gemhome # # @param server_cipher_suites # Puppetserver array of acceptable ciphers # # @param server_ssl_protocols # Puppetserver array of acceptable ssl protocols # # @param server_max_active_instances # Puppetserver number of max jruby instances # # @param server_max_requests_per_instance # Puppetserver number of max requests per jruby instance # # @param server_max_queued_requests # The maximum number of requests that may be queued waiting # to borrow a JRuby from the pool. # # @param server_max_retry_delay # Sets the upper limit for the random sleep set as a Retry-After # header on 503 responses returned when max-queued-requests is enabled. 
# # @example # # # configure memory for java < 8 # class {'::puppet::server::puppetserver': # jvm_min_heap_size => '1G', # jvm_max_heap_size => '3G', # jvm_extra_args => '-XX:MaxPermSize=256m', # } # class puppet::server::puppetserver ( $config = $::puppet::server::jvm_config, $java_bin = $::puppet::server::jvm_java_bin, $jvm_extra_args = $::puppet::server::real_jvm_extra_args, $jvm_cli_args = $::puppet::server::jvm_cli_args, $jvm_min_heap_size = $::puppet::server::jvm_min_heap_size, $jvm_max_heap_size = $::puppet::server::jvm_max_heap_size, $server_puppetserver_dir = $::puppet::server::puppetserver_dir, $server_puppetserver_vardir = $::puppet::server::puppetserver_vardir, $server_puppetserver_rundir = $::puppet::server::puppetserver_rundir, $server_puppetserver_logdir = $::puppet::server::puppetserver_logdir, $server_jruby_gem_home = $::puppet::server::jruby_gem_home, $server_ruby_load_paths = $::puppet::server::ruby_load_paths, $server_cipher_suites = $::puppet::server::cipher_suites, $server_max_active_instances = $::puppet::server::max_active_instances, $server_max_requests_per_instance = $::puppet::server::max_requests_per_instance, $server_max_queued_requests = $::puppet::server::max_queued_requests, $server_max_retry_delay = $::puppet::server::max_retry_delay, $server_ssl_protocols = $::puppet::server::ssl_protocols, $server_ssl_ca_crl = $::puppet::server::ssl_ca_crl, $server_ssl_ca_cert = $::puppet::server::ssl_ca_cert, $server_ssl_cert = $::puppet::server::ssl_cert, $server_ssl_cert_key = $::puppet::server::ssl_cert_key, $server_ssl_chain = $::puppet::server::ssl_chain, $server_crl_enable = $::puppet::server::crl_enable_real, $server_ip = $::puppet::server::ip, $server_port = $::puppet::server::port, $server_http = $::puppet::server::http, $server_http_port = $::puppet::server::http_port, $server_ca = $::puppet::server::ca, $server_dir = $::puppet::server::dir, $codedir = $::puppet::server::codedir, $server_idle_timeout = $::puppet::server::idle_timeout, 
$server_web_idle_timeout = $::puppet::server::web_idle_timeout, $server_connect_timeout = $::puppet::server::connect_timeout, $server_ca_auth_required = $::puppet::server::ca_auth_required, $server_ca_client_whitelist = $::puppet::server::ca_client_whitelist, $server_admin_api_whitelist = $::puppet::server::admin_api_whitelist, $server_puppetserver_version = $::puppet::server::real_puppetserver_version, $server_use_legacy_auth_conf = $::puppet::server::use_legacy_auth_conf, $server_check_for_updates = $::puppet::server::check_for_updates, $server_environment_class_cache_enabled = $::puppet::server::environment_class_cache_enabled, $server_jruby9k = $::puppet::server::puppetserver_jruby9k, $server_metrics = $::puppet::server::real_puppetserver_metrics, $metrics_jmx_enable = $::puppet::server::metrics_jmx_enable, $metrics_graphite_enable = $::puppet::server::metrics_graphite_enable, $metrics_graphite_host = $::puppet::server::metrics_graphite_host, $metrics_graphite_port = $::puppet::server::metrics_graphite_port, $metrics_server_id = $::puppet::server::metrics_server_id, $metrics_graphite_interval = $::puppet::server::metrics_graphite_interval, $metrics_allowed = $::puppet::server::metrics_allowed, $server_experimental = $::puppet::server::puppetserver_experimental, $server_trusted_agents = $::puppet::server::puppetserver_trusted_agents, $allow_header_cert_info = $::puppet::server::allow_header_cert_info, $compile_mode = $::puppet::server::compile_mode, $acceptor_threads = $::puppet::server::acceptor_threads, $selector_threads = $::puppet::server::selector_threads, $ssl_acceptor_threads = $::puppet::server::ssl_acceptor_threads, $ssl_selector_threads = $::puppet::server::ssl_selector_threads, $max_threads = $::puppet::server::max_threads, $ca_allow_sans = $::puppet::server::ca_allow_sans, $ca_allow_auth_extensions = $::puppet::server::ca_allow_auth_extensions, $ca_enable_infra_crl = $::puppet::server::ca_enable_infra_crl, $max_open_files = 
$::puppet::server::max_open_files, ) { include ::puppet::server - if versioncmp($server_puppetserver_version, '2.7') < 0 { - fail('puppetserver <2.7 is not supported by this module version') + if versioncmp($server_puppetserver_version, '5.3.6') < 0 { + fail('puppetserver <5.3.6 is not supported by this module version') } $puppetserver_package = pick($::puppet::server::package, 'puppetserver') $jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args] $jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' ')) if $::osfamily == 'FreeBSD' { $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", ] # lint:ignore:single_quote_string_with_variables augeas { 'puppet::server::puppetserver::jvm': context => '/files/etc/rc.conf', changes => [ "set puppetserver_java_opts '\"${jvm_cmd}\"'" ], } } else { if $jvm_cli_args { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", "set JAVA_ARGS_CLI '\"${jvm_cli_args}\"'", ] } else { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", ] } augeas { 'puppet::server::puppetserver::jvm': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $changes, } $bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" - if versioncmp($server_puppetserver_version, '5.3') >= 0 { - $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", "\"/opt/puppetlabs/puppet/lib/ruby/vendor_gems\""] # lint:ignore:single_quote_string_with_variables - } else { - $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", ] # lint:ignore:single_quote_string_with_variables - } + $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", "\"/opt/puppetlabs/puppet/lib/ruby/vendor_gems\""] # 
lint:ignore:single_quote_string_with_variables augeas { 'puppet::server::puppetserver::bootstrap': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'", } - if versioncmp($server_puppetserver_version, '5.0') >= 0 { - $jruby_jar_changes = $server_jruby9k ? { - true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'", - default => 'rm JRUBY_JAR' - } + $jruby_jar_changes = $server_jruby9k ? { + true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'", + default => 'rm JRUBY_JAR' + } - augeas { 'puppet::server::puppetserver::jruby_jar': - lens => 'Shellvars.lns', - incl => $config, - context => "/files${config}", - changes => $jruby_jar_changes, - } + augeas { 'puppet::server::puppetserver::jruby_jar': + lens => 'Shellvars.lns', + incl => $config, + context => "/files${config}", + changes => $jruby_jar_changes, } $ensure_max_open_files = $max_open_files ? { undef => 'absent', default => 'present', } if $facts['service_provider'] == 'systemd' { systemd::dropin_file { 'puppetserver.service-limits.conf': ensure => $ensure_max_open_files, filename => 'limits.conf', unit => 'puppetserver.service', content => "[Service]\nLimitNOFILE=${max_open_files}\n", } } else { file_line { 'puppet::server::puppetserver::max_open_files': ensure => $ensure_max_open_files, path => $config, line => "ulimit -n ${max_open_files}", match => '^ulimit\ -n', } } } $servicesd = "${server_puppetserver_dir}/services.d" file { $servicesd: ensure => directory, } file { "${servicesd}/ca.cfg": ensure => file, content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'), } unless $::osfamily == 'FreeBSD' { file { '/opt/puppetlabs/server/apps/puppetserver/config': ensure => directory, } file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d': ensure => directory, } } - if versioncmp($server_puppetserver_version, '5.3.6') >= 0 { - $ca_conf_ensure = 
present - } else { - $ca_conf_ensure = absent - } - file { "${server_puppetserver_dir}/conf.d/ca.conf": - ensure => $ca_conf_ensure, + ensure => file, content => template('puppet/server/puppetserver/conf.d/ca.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/puppetserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/puppetserver.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/auth.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/auth.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/webserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/webserver.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/product.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/product.conf.erb'), } - if versioncmp($server_puppetserver_version, '5.0') >= 0 { - $metrics_conf = "${server_puppetserver_dir}/conf.d/metrics.conf" - - $metrics_conf_ensure = $server_metrics ? { - true => file, - default => absent - } + $metrics_conf_ensure = $server_metrics ? { + true => file, + default => absent + } - file { $metrics_conf: - ensure => $metrics_conf_ensure, - content => template('puppet/server/puppetserver/conf.d/metrics.conf.erb'), - } + file { "${server_puppetserver_dir}/conf.d/metrics.conf": + ensure => $metrics_conf_ensure, + content => template('puppet/server/puppetserver/conf.d/metrics.conf.erb'), } } diff --git a/metadata.json b/metadata.json index 7cd9433..ca26fb8 100644 --- a/metadata.json +++ b/metadata.json 
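Review bot: The new guard's message `puppetserver <5.3.6 is not supported by this module version` omits the version it actually rejected, which is the one fact an operator needs when `$puppetserver_version` was derived rather than set explicitly; `fail("puppetserver ${server_puppetserver_version} is not supported by this module version (>= 5.3.6 required)")` costs nothing. Note that the guard only bites for an explicitly passed version, since the value derived in puppet::server (outside this hunk) bottoms out at '5.3.6'. The `@example` in the class header still recommends `jvm_extra_args => '-XX:MaxPermSize=256m'` "for java < 8", a default this commit removes from puppet::server and which, as far as I recall, JDK 8+ only ignores with a warning; suggest dropping that line and keeping the example to `jvm_min_heap_size`/`jvm_max_heap_size`.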
@@ -1,112 +1,112 @@ { "name": "theforeman-puppet", "version": "11.0.0", "author": "theforeman", "summary": "Puppet agent and server configuration", "license": "GPL-3.0+", "source": "git://github.com/theforeman/puppet-puppet", "project_page": "https://github.com/theforeman/puppet-puppet", "issues_url": "https://github.com/theforeman/puppet-puppet/issues", "description": "Module for installing the Puppet agent and Puppet server", "tags": [ "foreman", "puppet", "puppetmaster", "puppet-server" ], "dependencies": [ { "name": "puppetlabs/concat", "version_requirement": ">= 1.0.0 < 6.0.0" }, { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.13.0 < 6.0.0" }, { "name": "puppet/extlib", "version_requirement": ">= 3.0.0 < 4.0.0" } ], "requirements": [ { "name": "puppet", - "version_requirement": ">= 4.6.1 < 7.0.0" + "version_requirement": ">= 5.5.8 < 7.0.0" } ], "operatingsystem_support": [ { "operatingsystem": "RedHat", "operatingsystemrelease": [ "6", "7" ] }, { "operatingsystem": "CentOS", "operatingsystemrelease": [ "6", "7" ] }, { "operatingsystem": "Scientific", "operatingsystemrelease": [ "6", "7" ] }, { "operatingsystem": "Fedora", "operatingsystemrelease": [ "26" ] }, { "operatingsystem": "Debian", "operatingsystemrelease": [ "9" ] }, { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ "16.04", "18.04" ] }, { "operatingsystem": "FreeBSD", "operatingsystemrelease": [ "11", "12" ] }, { "operatingsystem": "DragonFly", "operatingsystemrelease": [ "4" ] }, { "operatingsystem": "Archlinux" }, { "operatingsystem": "SLES", "operatingsystemrelease": [ "11", "12" ] }, { "operatingsystem": "windows", "operatingsystemrelease": [ "7", "8", "2008 R2", "2012", "2012 R2" ] } ] } diff --git a/spec/acceptance/puppetserver_config_spec.rb b/spec/acceptance/puppetserver_config_spec.rb index ec8dac4..8c85ecd 100644 --- a/spec/acceptance/puppetserver_config_spec.rb +++ b/spec/acceptance/puppetserver_config_spec.rb 
@@ -1,41 +1,41 @@ require 'spec_helper_acceptance' -describe 'Puppetserver config options', unless: ENV['BEAKER_PUPPET_COLLECTION'] == 'pc1' && fact('lsbdistcodename') == 'stretch' do +describe 'Puppetserver config options' do before(:context) do if check_for_package(default, 'puppetserver') on default, puppet('resource package puppetserver ensure=purged') on default, 'rm -rf /etc/sysconfig/puppetserver /etc/puppetlabs/puppetserver' on default, 'find /etc/puppetlabs/puppet/ssl/ -type f -delete' end # puppetserver won't start with lower than 2GB memory memoryfree_mb = fact('memoryfree_mb').to_i raise 'At least 2048MB free memory required' if memoryfree_mb < 256 end describe 'server_max_open_files' do let(:pp) do <<-MANIFEST class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', # only for install test - don't think to use this in production! # https://docs.puppet.com/puppetserver/latest/tuning_guide.html server_jvm_max_heap_size => '256m', server_jvm_min_heap_size => '256m', server_max_open_files => 32143, } MANIFEST end it_behaves_like 'a idempotent resource' # pgrep -f java.*puppetserver would be better. But i cannot get it to work. Shellwords.escape() seems to break something describe command("grep '^Max open files' /proc/`cat /var/run/puppetlabs/puppetserver/puppetserver.pid`/limits"), :sudo => true do its(:exit_status) { is_expected.to eq 0 } its(:stdout) { is_expected.to match %r{^Max open files\s+32143\s+32143\s+files\s*$} } end end end diff --git a/spec/acceptance/puppetserver_latest_spec.rb b/spec/acceptance/puppetserver_latest_spec.rb index 71dced5..0c56af0 100644 --- a/spec/acceptance/puppetserver_latest_spec.rb +++ b/spec/acceptance/puppetserver_latest_spec.rb 
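Review bot: The free-memory guard in `before(:context)` is internally inconsistent: the comment says puppetserver needs 2GB and the error reads `'At least 2048MB free memory required'`, but the condition is `memoryfree_mb < 256`, so the check almost never fires and the message is wrong when it does. With the `pc1`/`stretch` skip removed, this guard is now the only thing deciding whether the example runs on a low-memory host, so the mismatch matters more than before. Either raise the threshold to match the message, `raise 'At least 2048MB free memory required' if memoryfree_mb < 2048`, or, if 256 is deliberate because the manifest pins a 256m heap, reword the comment and message to say 256MB. The same block is repeated in puppetserver_latest_spec.rb and puppetserver_upgrade_5_3_6_to_5_3_7_spec.rb, so the fix applies there too.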
@@ -1,32 +1,32 @@ require 'spec_helper_acceptance' -describe 'Scenario: install puppetserver (latest):', unless: ENV['BEAKER_PUPPET_COLLECTION'] == 'pc1' && fact('lsbdistcodename') == 'stretch' do +describe 'Scenario: install puppetserver (latest):' do before(:context) do if check_for_package(default, 'puppetserver') on default, puppet('resource package puppetserver ensure=purged') on default, 'rm -rf /etc/sysconfig/puppetserver /etc/puppetlabs/puppetserver' on default, 'find /etc/puppetlabs/puppet/ssl/ -type f -delete' end # puppetserver won't start with lower than 2GB memory memoryfree_mb = fact('memoryfree_mb').to_i raise 'At least 2048MB free memory required' if memoryfree_mb < 256 end let(:pp) do <<-EOS class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', # only for install test - don't think to use this in production! # https://docs.puppet.com/puppetserver/latest/tuning_guide.html server_jvm_max_heap_size => '256m', server_jvm_min_heap_size => '256m', } EOS end it_behaves_like 'a idempotent resource' end diff --git a/spec/acceptance/puppetserver_upgrade_2_6_0_to_2_7_2_spec.rb b/spec/acceptance/puppetserver_upgrade_2_6_0_to_2_7_2_spec.rb deleted file mode 100644 index b7a40d4..0000000 --- a/spec/acceptance/puppetserver_upgrade_2_6_0_to_2_7_2_spec.rb +++ /dev/null 
@@ -1,90 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'Scenario: 2.6.0 to 2.7.2 upgrade:', if: ENV['BEAKER_PUPPET_COLLECTION'] == 'pc1' && fact('lsbdistcodename') != 'stretch' do - before(:context) do - if check_for_package(default, 'puppetserver') - on default, puppet('resource package puppetserver ensure=purged') - on default, 'rm -rf /etc/sysconfig/puppetserver /etc/puppetlabs/puppetserver' - on default, 'find /etc/puppetlabs/puppet/ssl/ -type f -delete' - end - - # puppetserver won't start with lower than 2GB memory - memoryfree_mb = fact('memoryfree_mb').to_i - raise 'At least 2048MB free memory required' if memoryfree_mb < 256 - end - - case fact('osfamily') - when 'Debian' - from_version = '2.7.0-1puppetlabs1' - to_version = '2.7.2-1puppetlabs1' - else - from_version = '2.7.0' - to_version = '2.7.2' - end - - context 'install 2.7.0' do - let(:pp) do - <<-EOS - class { '::puppet': - server => true, - server_foreman => false, - server_reports => 'store', - server_external_nodes => '', - server_version => '#{from_version}', - # only for install test - don't think to use this in production! - # https://docs.puppet.com/puppetserver/latest/tuning_guide.html - server_jvm_max_heap_size => '256m', - server_jvm_min_heap_size => '256m', - } - EOS - end - - it_behaves_like 'a idempotent resource' - - describe command('puppetserver --version') do - its(:stdout) { is_expected.to match("puppetserver version: 2.7.0\n") } - end - - describe service('puppetserver') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - describe port('8140') do - it { is_expected.to be_listening } - end - end - - context 'upgrade to 2.7.2' do - let(:pp) do - <<-EOS - class { '::puppet': - server => true, - server_foreman => false, - server_reports => 'store', - server_external_nodes => '', - server_version => '#{to_version}', - # only for install test - don't think to use this in production! 
- # https://docs.puppet.com/puppetserver/latest/tuning_guide.html - server_jvm_max_heap_size => '256m', - server_jvm_min_heap_size => '256m', - } - EOS - end - - it_behaves_like 'a idempotent resource' - - describe command('puppetserver --version') do - its(:stdout) { is_expected.to match("puppetserver version: 2.7.2\n") } - end - - describe service('puppetserver') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - describe port('8140') do - it { is_expected.to be_listening } - end - end -end diff --git a/spec/acceptance/puppetserver_upgrade_5_1_3_to_5_3_6_spec.rb b/spec/acceptance/puppetserver_upgrade_5_3_6_to_5_3_7_spec.rb similarity index 89% rename from spec/acceptance/puppetserver_upgrade_5_1_3_to_5_3_6_spec.rb rename to spec/acceptance/puppetserver_upgrade_5_3_6_to_5_3_7_spec.rb index 91f9423..c1f0256 100644 --- a/spec/acceptance/puppetserver_upgrade_5_1_3_to_5_3_6_spec.rb +++ b/spec/acceptance/puppetserver_upgrade_5_3_6_to_5_3_7_spec.rb 
@@ -1,90 +1,90 @@ require 'spec_helper_acceptance' -describe 'Scenario: 5.1.3 to 5.3.6 upgrade:', if: ENV['BEAKER_PUPPET_COLLECTION'] == 'puppet5' && fact('lsbdistcodename') != 'bionic' do +describe 'Scenario: 5.3.6 to 5.3.7 upgrade:', if: ENV['BEAKER_PUPPET_COLLECTION'] == 'puppet5' && fact('lsbdistcodename') != 'bionic' do before(:context) do if check_for_package(default, 'puppetserver') on default, puppet('resource package puppetserver ensure=purged') on default, 'rm -rf /etc/sysconfig/puppetserver /etc/puppetlabs/puppetserver' on default, 'rm -rf /etc/puppetlabs/puppet/ssl' end # puppetserver won't start with lower than 2GB memory memoryfree_mb = fact('memoryfree_mb').to_i raise 'At least 2048MB free memory required' if memoryfree_mb < 256 end case fact('osfamily') when 'Debian' - from_version = "5.1.3-1#{fact('lsbdistcodename')}" - to_version = "5.3.6-1#{fact('lsbdistcodename')}" + from_version = "5.3.6-1#{fact('lsbdistcodename')}" + to_version = "5.3.7-1#{fact('lsbdistcodename')}" else - from_version = '5.1.3' - to_version = '5.3.6' + from_version = '5.3.6' + to_version = '5.3.7' end - context 'install 5.1.3' do + context 'install 5.3.6' do let(:pp) do <<-EOS class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', server_version => '#{from_version}', # only for install test - don't think to use this in production! 
# https://docs.puppet.com/puppetserver/latest/tuning_guide.html server_jvm_max_heap_size => '256m', server_jvm_min_heap_size => '256m', } EOS end it_behaves_like 'a idempotent resource' describe command('puppetserver --version') do - its(:stdout) { is_expected.to match("puppetserver version: 5.1.3\n") } + its(:stdout) { is_expected.to match("puppetserver version: 5.3.6\n") } end describe service('puppetserver') do it { is_expected.to be_enabled } it { is_expected.to be_running } end describe port('8140') do it { is_expected.to be_listening } end end - context 'upgrade to 5.3.6' do + context 'upgrade to 5.3.7' do let(:pp) do <<-EOS class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', server_version => '#{to_version}', # only for install test - don't think to use this in production! # https://docs.puppet.com/puppetserver/latest/tuning_guide.html server_jvm_max_heap_size => '256m', server_jvm_min_heap_size => '256m', } EOS end it_behaves_like 'a idempotent resource' describe command('puppetserver --version') do - its(:stdout) { is_expected.to match("puppetserver version: 5.3.6\n") } + its(:stdout) { is_expected.to match("puppetserver version: 5.3.7\n") } end describe service('puppetserver') do it { is_expected.to be_enabled } it { is_expected.to be_running } end describe port('8140') do it { is_expected.to be_listening } end end end diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb index 416de7d..1d1134f 100644 --- a/spec/classes/puppet_server_puppetserver_spec.rb +++ b/spec/classes/puppet_server_puppetserver_spec.rb 
@@ -1,610 +1,458 @@ require 'spec_helper' describe 'puppet' do on_os_under_test.each do |os, facts| next if unsupported_puppetmaster_osfamily(facts[:osfamily]) context "on #{os}" do let(:facts) do facts end let(:auth_conf) { '/etc/custom/puppetserver/conf.d/auth.conf' } let(:puppetserver_conf) { '/etc/custom/puppetserver/conf.d/puppetserver.conf' } let(:params) do { server: true, # We set these values because they're calculated server_jvm_config: '/etc/default/puppetserver', server_jvm_min_heap_size: '2G', server_jvm_max_heap_size: '2G', server_jvm_extra_args: '', server_max_active_instances: 2, server_puppetserver_dir: '/etc/custom/puppetserver', - server_puppetserver_version: '2.7.0', + server_puppetserver_version: '5.3.6', } end let(:server_vardir) do if ['FreeBSD', 'DragonFly'].include?(facts[:operatingsystem]) '/var/puppet/server/data/puppetserver' else '/opt/puppetlabs/server/data/puppetserver' end end describe 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') .with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) .with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) - .without_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) + .with_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'']) .with_context('/files/etc/rc.conf') } else it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should 
contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap') .with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') - + .with_context('/files/etc/default/puppetserver') + .with_incl('/etc/default/puppetserver') + .with_lens('Shellvars.lns') } it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java']) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } end - - it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').with_ensure('absent') } + it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') + .with_ensure('file') + .with_content(/^( *)allow-subject-alt-names: false$/) + .with_content(/^( *)allow-authorization-extensions: false$/) + .without_content(/^( *)enable-infra-crl: false$/) + } it { should contain_file(puppetserver_conf) .without_content(/^# Settings related to the puppet-admin HTTP API$/) .without_content(/^puppet-admin: \{$/) .without_content(/^\s+client-whitelist: \[$/) .without_content(/^\s+"localhost"\,$/) .without_content(/^\s+"puppetserver123.example.com"\,$/) + .with_content(/^ max-queued-requests: 0\n/) + .with_content(/^ max-retry-delay: 1800\n/) } it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf') .with_content(/ssl-host:\s0\.0\.0\.0/) .with_content(/ssl-port:\s8140/) .without_content(/ host:\s/) .without_content(/ port:\s8139/) .without_content(/selector-threads:/) .without_content(/acceptor-threads:/) .without_content(/ssl-selector-threads:/) .without_content(/ssl-acceptor-threads:/) .without_content(/max-threads:/) } it { should contain_file(auth_conf) .with_content(/allow-header-cert-info: false/) .with_content(%r{^\s+path: 
"/puppet-ca/v1/certificate_status"}) .with_content(/^\s+name: "puppetlabs cert status"/) .with_content(%r{^\s+path: "/puppet-ca/v1/certificate_statuses"}) .with_content(/^\s+name: "puppetlabs cert statuses"/) .with_content(%r{^\s+path: "/puppet-admin-api/v1/environment-cache"}) .with_content(/^\s+name: "environment-cache"/) .with_content(%r{^\s+path: "/puppet-admin-api/v1/jruby-pool"}) .with_content(/^\s+name: "jruby-pool"/) + .with_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) + .with_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$}) + .with_content(/^( *)pp_cli_auth: "true"$/) } end describe 'server_puppetserver_vardir' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(%r{^ master-var-dir: #{server_vardir}$}) } end context 'with custom server_puppetserver_vardir' do let(:params) { super().merge(server_puppetserver_vardir: '/opt/custom/puppetserver') } it { should contain_file(puppetserver_conf).with_content(%r{^ master-var-dir: /opt/custom/puppetserver$}) } end end describe 'use-legacy-auth-conf' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: false$/) } end context 'when use-legacy-auth-conf = true' do let(:params) { super().merge(server_use_legacy_auth_conf: true) } it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: true$/) } end end describe 'environment-class-cache-enabled' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ environment-class-cache-enabled: false$/) } end context 'when environment-class-cache-enabled = true' do let(:params) { super().merge(server_environment_class_cache_enabled: true) } it { should contain_file(puppetserver_conf).with_content(/^ environment-class-cache-enabled: true$/) } end end describe 'server_max_requests_per_instance' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ 
max-requests-per-instance: 0$/) } end context 'custom server_max_requests_per_instance' do let(:params) { super().merge(server_max_requests_per_instance: 123_456) } it { should contain_file(puppetserver_conf).with_content(/^ max-requests-per-instance: 123456$/) } end end describe 'server_max_queued_requests' do - context 'when server_puppetserver_version >= 5.0' do - let(:params) { super().merge(server_puppetserver_version: '5.0.0') } - - context 'with default parameters' do - it { should contain_file(puppetserver_conf).with_content(/^ max-queued-requests: 0\n/) } - end - context 'with custom server_max_queued_requests' do let(:params) { super().merge(server_max_queued_requests: 100) } it { should contain_file(puppetserver_conf).with_content(/^ max-queued-requests: 100\n/) } end - end - - context 'when server_puppetserver_version < 5.0 with default parameters' do - it { should contain_file(puppetserver_conf).without_content('max-queued-requests') } - end end describe 'server_max_retry_delay' do - context 'when server_puppetserver_version >= 5.0' do - let(:params) { super().merge(server_puppetserver_version: '5.0.0') } - - context 'with default parameters' do - it { should contain_file(puppetserver_conf).with_content(/^ max-retry-delay: 1800\n/) } - end - context 'with custom server_max_retry_delay' do let(:params) { super().merge(server_max_retry_delay: 100) } it { should contain_file(puppetserver_conf).with_content(/^ max-retry-delay: 100\n/) } end - end - - context 'when server_puppetserver_version < 5.0 with default parameters' do - it { should contain_file(puppetserver_conf).without_content('max-retry-delay') } - end end describe 'ca.cfg' do - it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } - it { - should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') - .with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) - 
.with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) - } - unless facts[:osfamily] == 'FreeBSD' - it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } - it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } - it { - should contain_augeas('puppet::server::puppetserver::bootstrap') - .with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') - .with_context('/files/etc/default/puppetserver') - .with_incl('/etc/default/puppetserver') - .with_lens('Shellvars.lns') - } - end - context 'when server_ca => false' do let(:params) { super().merge(server_ca: false) } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') .with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) .with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) - } - end - - context 'when server_puppetserver_version >= 5.1' do - let(:params) { super().merge(server_puppetserver_version: '5.1.0') } - it { - should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') - .with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) - .with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) .with_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } end end describe 'product.conf' do context 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf') .with_content(/^\s+check-for-updates: true/) } end context 'with server_check_for_updates => false' do let(:params) { super().merge(server_check_for_updates: false) } it { should 
contain_file('/etc/custom/puppetserver/conf.d/product.conf') .with_content(/^\s+check-for-updates: false/) } end end describe 'server_metrics' do - context 'when server_puppetserver_version < 5.0' do - context 'when server_metrics => true' do - let(:params) { super().merge(server_puppetserver_metrics: true) } - it { - should contain_file(puppetserver_conf) - .without_content(/^ metrics-enabled: (.*)$/) - .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true/) - } - it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } + context 'when server_metrics => true' do + let(:params) do + super().merge( + server_puppetserver_metrics: true, + server_metrics_graphite_enable: true, + server_metrics_graphite_host: 'graphitehost.example.com', + server_metrics_graphite_port: 2003, + server_metrics_server_id: 'puppetserver.example.com', + server_metrics_graphite_interval: 5, + server_metrics_allowed: ['single.element.array'], + ) end - context 'when server_metrics => false' do - let(:params) { super().merge(server_puppetserver_metrics: false) } - it { - should contain_file(puppetserver_conf) - .without_content(/^ metrics-enabled: (.*)$/) - .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false/) - } - it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } - end + it { + should contain_file(puppetserver_conf) + .with_content(/^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)/) + .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true/) + } + it { + should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') + .with_content(/^( *)metrics-allowed: \[\n( *)"single.element.array",\n( *)\]/) + .with_content(/^( *)server-id: "puppetserver.example.com"/) + .with_content(/^( *)jmx: \{\n( *)enabled: true/) + .with_content(/^( *)graphite: \{\n( *)enabled: true/) + 
.with_content(/^( *)host: "graphitehost.example.com"/) + .with_content(/^( *)port: 2003/) + .with_content(/^( *)update-interval-seconds: 5/) + } end - context 'when server_puppetserver_version >= 5.0' do - let(:params) { super().merge(server_puppetserver_version: '5.0.0') } - - context 'when server_metrics => true' do - let(:params) do - super().merge( - server_puppetserver_metrics: true, - server_metrics_graphite_enable: true, - server_metrics_graphite_host: 'graphitehost.example.com', - server_metrics_graphite_port: 2003, - server_metrics_server_id: 'puppetserver.example.com', - server_metrics_graphite_interval: 5, - server_metrics_allowed: ['single.element.array'], - ) - end - - it { - should contain_file(puppetserver_conf) - .with_content(/^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)/) - .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true/) - } - it { - should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') - .with_content(/^( *)metrics-allowed: \[\n( *)"single.element.array",\n( *)\]/) - .with_content(/^( *)server-id: "puppetserver.example.com"/) - .with_content(/^( *)jmx: \{\n( *)enabled: true/) - .with_content(/^( *)graphite: \{\n( *)enabled: true/) - .with_content(/^( *)host: "graphitehost.example.com"/) - .with_content(/^( *)port: 2003/) - .with_content(/^( *)update-interval-seconds: 5/) - } - end - - context 'when server_metrics => false' do - let(:params) { super().merge(server_puppetserver_metrics: false) } - it { - should contain_file(puppetserver_conf) - .with_content(/^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$/) - .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false/) - } - it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf').with_ensure('absent') } - end + context 'when server_metrics => false' do + let(:params) { 
super().merge(server_puppetserver_metrics: false) } + it { + should contain_file(puppetserver_conf) + .with_content(/^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$/) + .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false/) + } + it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf').with_ensure('absent') } end end describe 'server_experimental' do - context 'when server_puppetserver_version < 5.0' do - context 'when server_experimental => true' do - let(:params) { super().merge(server_puppetserver_experimental: true) } - it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/experimental"$}) } - end - - context 'when server_experimental => false' do - let(:params) { super().merge(server_puppetserver_experimental: false) } - it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/experimental"$}) } - end + context 'when server_experimental => true' do + let(:params) { super().merge(server_puppetserver_experimental: true) } + it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "/puppet/experimental"$}) } end - context 'when server_puppetserver_version >= 5.0' do - let(:params) { super().merge(server_puppetserver_version: '5.0.0') } - - context 'when server_experimental => true' do - let(:params) { super().merge(server_puppetserver_experimental: true) } - it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "/puppet/experimental"$}) } - end - - context 'when server_experimental => false' do - let(:params) { super().merge(server_puppetserver_experimental: false) } - it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/experimental"$}) } - end - end - end - - describe 'puppet tasks information' do - context 'when server_puppetserver_version < 5.1' do - it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } - end - - context 'when 
server_puppetserver_version >= 5.1' do - let(:params) { super().merge(server_puppetserver_version: '5.1.0') } - it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } - end - end - - describe 'puppet facts upload' do - context 'when server_puppetserver_version >= 5.3' do - let(:params) { super().merge(server_puppetserver_version: '5.3.0') } - it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$}) } - end - - context 'when server_puppetserver_version < 5.3' do - let(:params) { super().merge(server_puppetserver_version: '5.2.0') } - it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$}) } + context 'when server_experimental => false' do + let(:params) { super().merge(server_puppetserver_experimental: false) } + it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end describe 'server_trusted_agents' do context 'when set' do let(:params) { super().merge(server_puppetserver_trusted_agents: ['jenkins', 'octocatalog-diff']) } it { should contain_file(auth_conf).with_content(/^ allow: \["jenkins", "octocatalog-diff", "\$1"\]$/) } end end describe 'server_jruby9k', unless: facts[:osfamily] == 'FreeBSD' do - context 'when server_puppetserver_version < 5.0' do - - context 'when server_jruby9k => true' do - let(:params) { super().merge(server_puppetserver_jruby9k: true) } - it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } - end - - context 'when server_jruby9k => false' do - let(:params) { super().merge(server_puppetserver_jruby9k: false) } - it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } + context 'when server_jruby9k => true' do + let(:params) { super().merge(server_puppetserver_jruby9k: true) } + it do + should contain_augeas('puppet::server::puppetserver::jruby_jar') + .with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']) + 
.with_context('/files/etc/default/puppetserver') + .with_incl('/etc/default/puppetserver') + .with_lens('Shellvars.lns') end end - context 'when server_puppetserver_version >= 5.0' do - let(:params) { super().merge(server_puppetserver_version: '5.0.0') } - - context 'when server_jruby9k => true' do - let(:params) { super().merge(server_puppetserver_jruby9k: true) } - it do - should contain_augeas('puppet::server::puppetserver::jruby_jar') - .with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']) - .with_context('/files/etc/default/puppetserver') - .with_incl('/etc/default/puppetserver') - .with_lens('Shellvars.lns') - end - end - - context 'when server_jruby9k => false' do - let(:params) { super().merge(server_puppetserver_jruby9k: false) } - it do - should contain_augeas('puppet::server::puppetserver::jruby_jar') - .with_changes(['rm JRUBY_JAR']) - .with_context('/files/etc/default/puppetserver') - .with_incl('/etc/default/puppetserver') - .with_lens('Shellvars.lns') - end + context 'when server_jruby9k => false' do + let(:params) { super().merge(server_puppetserver_jruby9k: false) } + it do + should contain_augeas('puppet::server::puppetserver::jruby_jar') + .with_changes(['rm JRUBY_JAR']) + .with_context('/files/etc/default/puppetserver') + .with_incl('/etc/default/puppetserver') + .with_lens('Shellvars.lns') end end end describe 'server_max_open_files', unless: facts[:osfamily] == 'FreeBSD' do context 'when server_max_open_files => undef' do it do if facts['service_provider'] == 'systemd' should contain_systemd__dropin_file('puppetserver.service-limits.conf') .with_ensure('absent') else should contain_file_line('puppet::server::puppetserver::max_open_files') .with_ensure('absent') end end end context 'when server_max_open_files => 32143' do let(:params) { super().merge(server_max_open_files: 32143) } it do if facts['service_provider'] == 'systemd' should contain_systemd__dropin_file('puppetserver.service-limits.conf') 
.with_ensure('present') .with_filename('limits.conf') .with_unit('puppetserver.service') .with_content("[Service]\nLimitNOFILE=32143\n") else should contain_file_line('puppet::server::puppetserver::max_open_files') .with_ensure('present') .with_path('/etc/default/puppetserver') .with_line('ulimit -n 32143') .with_match('^ulimit\ -n') end end end end describe 'with extra_args parameter' do let(:params) { super().merge(server_jvm_extra_args: ['-XX:foo=bar', '-XX:bar=foo']) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'']) .with_context('/files/etc/rc.conf') } else it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', 'set JAVA_BIN /usr/bin/java' ]) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } end end describe 'with cli_args parameter', unless: facts[:osfamily] == 'FreeBSD' do let(:params) { super().merge(server_jvm_cli_args: '-Djava.io.tmpdir=/var/puppettmp') } it do should contain_augeas('puppet::server::puppetserver::jvm') .with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java', 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'' ]) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') end end describe 'with jvm_config file parameter' do let(:params) { super().merge(server_jvm_config: '/etc/custom/puppetserver') } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm').with_context('/files/etc/rc.conf') } else it do should contain_augeas('puppet::server::puppetserver::jvm') .with_context('/files/etc/custom/puppetserver') .with_incl('/etc/custom/puppetserver') .with_lens('Shellvars.lns') end end end describe 'gem-path' do - context 'when 
server_puppetserver_version < 5.3' do + if ['FreeBSD', 'DragonFly'].include?(facts[:osfamily]) it do should contain_file(puppetserver_conf) .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, "#{server_vardir}/vendored-jruby-gems"\]$}) end - end - - context 'when server_puppetserver_version >= 5.3' do - let(:params) { super().merge(server_puppetserver_version: '5.3.0') } - - if ['FreeBSD', 'DragonFly'].include?(facts[:osfamily]) - it do - should contain_file(puppetserver_conf) - .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, "#{server_vardir}/vendored-jruby-gems"\]$}) - end - else - it do - should contain_file(puppetserver_conf) - .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, "#{server_vardir}/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"\]$}) - end + else + it do + should contain_file(puppetserver_conf) + .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, "#{server_vardir}/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"\]$}) end end end describe 'Puppet Server CA related settings' do - context 'when server_puppetserver_version < 5.3.6' do - let(:params) { super().merge(server_puppetserver_version: '5.3.5') } - context 'with default parameters' do - it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').with_ensure('absent') } - it { should contain_file(auth_conf).without_content(/^( *)pp_cli_auth: "true"$/) } - end - end - context 'when server_puppetserver_version >= 5.3.6 and < 6.0.0' do - let(:params) { super().merge(server_puppetserver_version: '5.3.6') } - context 'with default parameters' do - it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') - .with_ensure('present') - .with_content(/^( *)allow-subject-alt-names: false$/) - .with_content(/^( *)allow-authorization-extensions: false$/) - .without_content(/^( *)enable-infra-crl: false$/) - } - it { should contain_file(auth_conf).with_content(/^( *)pp_cli_auth: "true"$/) } - end - context 'with ca 
parameters set' do let(:params) { super().merge( server_ca_allow_sans: true, server_ca_allow_auth_extensions: true, ) } it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') - .with_ensure('present') + .with_ensure('file') .with_content(/^( *)allow-subject-alt-names: true$/) .with_content(/^( *)allow-authorization-extensions: true$/) } end end context 'when server_puppetserver_version >= 6.0.0' do let(:params) { super().merge(server_puppetserver_version: '6.0.0') } context 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') - .with_ensure('present') + .with_ensure('file') .with_content(/^( *)allow-subject-alt-names: false$/) .with_content(/^( *)allow-authorization-extensions: false$/) .with_content(/^( *)enable-infra-crl: false$/) } it { should contain_file(auth_conf).with_content(/^( *)pp_cli_auth: "true"$/) } end context 'with ca parameters set' do let(:params) { super().merge( server_ca_allow_sans: true, server_ca_allow_auth_extensions: true, server_ca_enable_infra_crl: true, ) } it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') - .with_ensure('present') + .with_ensure('file') .with_content(/^( *)allow-subject-alt-names: true$/) .with_content(/^( *)allow-authorization-extensions: true$/) .with_content(/^( *)enable-infra-crl: true$/) } end end end - describe 'when server_puppetserver_version < 2.7' do - let(:params) { super().merge(server_puppetserver_version: '2.6.0') } - it { should raise_error(Puppet::Error, /puppetserver <2.7 is not supported by this module version/) } + describe 'when server_puppetserver_version < 5.3.6' do + let(:params) { super().merge(server_puppetserver_version: '5.3.5') } + it { should raise_error(Puppet::Error, /puppetserver <5.3.6 is not supported by this module version/) } end describe 'allow jetty specific server threads' do context 'with thread config' do let(:params) do super().merge( server_selector_threads: 1, server_acceptor_threads: 2, 
server_ssl_selector_threads: 3, server_ssl_acceptor_threads: 4, server_max_threads: 5 ) end it { is_expected.to compile.with_all_deps } it { is_expected.to contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/selector-threads: 1/). with_content(/acceptor-threads: 2/). with_content(/ssl-selector-threads: 3/). with_content(/ssl-acceptor-threads: 4/). with_content(/max-threads: 5/) } end end end end end diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb index 9d2f70c..fb6dee7 100644 --- a/templates/auth.conf.erb +++ b/templates/auth.conf.erb 
@@ -1,171 +1,163 @@ # # Managed by Puppet # # This is the default auth.conf file, which implements the default rules # used by the puppet master. (That is, the rules below will still apply # even if this file is deleted.) # # The ACLs are evaluated in top-down order. More specific stanzas should # be towards the top of the file and more general ones at the bottom; # otherwise, the general rules may "steal" requests that should be # governed by the specific rules. # # See https://puppet.com/docs/puppet/latest/config_file_auth.html # for a more complete description of auth.conf's behavior. # # Supported syntax: # Each stanza in auth.conf starts with a path to match, followed # by optional modifiers, and finally, a series of allow or deny # directives. # # Example Stanza # --------------------------------- # path /path/to/resource # simple prefix match # # path ~ regex # alternately, regex match # [environment envlist] # [method methodlist] # [auth[enthicated] {yes|no|on|off|any}] # allow [host|backreference|*|regex] # deny [host|backreference|*|regex] # allow_ip [ip|cidr|ip_wildcard|*] # deny_ip [ip|cidr|ip_wildcard|*] # # The path match can either be a simple prefix match or a regular # expression. `path /file` would match both `/file_metadata` and # `/file_content`. Regex matches allow the use of backreferences # in the allow/deny directives. # # The regex syntax is the same as for Ruby regex, and captures backreferences # for use in the `allow` and `deny` lines of that stanza # # Examples: # # path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. # allow * # Allow all authenticated nodes (since auth # # defaults to `yes`). # # path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by # allow $1 # certname), but not any other node's catalog. 
# # path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to # auth yes # access the "extra_files" # allow /^(.+)\.example\.com$/ # mount point; note this must # allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, # # since it is more specific. # # environment:: restrict an ACL to a comma-separated list of environments # method:: restrict an ACL to a comma-separated list of HTTP methods # auth:: restrict an ACL to an authenticated or unauthenticated request # the default when unspecified is to restrict the ACL to authenticated requests # (ie exactly as if auth yes was present). # # CONTROLLING FILE ACCESS (previously in fileserver.conf) # In previous versions of Puppet, you controlled file access by adding # rules to fileserver.conf. In Puppet 5 with Puppet Server, you can control # file access in auth.conf by controlling the /file_metadata(s)/, # /file_content(s)/, and /static_file_content/ paths. See the # Puppet Server documentation at # https://puppet.com/docs/puppetserver/latest/config_file_auth.html. # # If you are not using Puppet Server, or are using Puppet Server but with the # "jruby-puppet.use-legacy-auth-conf" setting set to "true", you could set the # desired file access in a new rule in this file. For example: # # path ~ ^/file_(metadata|content)s?/extra_files/ # auth yes # allow /^(.+)\.example\.com$/ # allow_ip 192.168.100.0/24 # # If added to auth.conf BEFORE the default "path /file" rule, this rule # will add stricter restrictions to the extra_files mount point. 
### Authenticated ACLs - these rules apply only when the client ### has a valid certificate and is thus authenticated path /puppet/v3/environments method find allow * -<% if @puppetversion.to_f < 5.0 -%> - -path /puppet/v3/resource_type -method search -allow * -<% end -%> # allow nodes to retrieve their own catalog path ~ ^/puppet/v3/catalog/([^/]+)$ method find allow <%= @auth_allowed.join(', ') %> # allow nodes to retrieve their own node definition path ~ ^/puppet/v3/node/([^/]+)$ method find allow <%= @auth_allowed.join(', ') %> # allow all nodes to store their own reports path ~ ^/puppet/v3/report/([^/]+)$ method save allow <%= @auth_allowed.join(', ') %> -<% if @puppetversion.to_f >= 5.5 -%> # allow all nodes to update their own facts path ~ ^/puppet/v3/facts/([^/]+)$ method save allow <%= @auth_allowed.join(', ') %> -<% end -%> # Allow all nodes to access all file services; this is necessary for # pluginsync, file serving from modules, and file serving from custom # mount points (see fileserver.conf). Note that the `/file` prefix matches # requests to both the file_metadata and file_content paths. See "Examples" # above if you need more granular access control for custom mount points. path /puppet/v3/file allow * path /puppet/v3/status method find allow * # allow all nodes to access the certificates services path /puppet-ca/v1/certificate_revocation_list/ca <% if @allow_any_crl_auth -%> auth any <% end -%> method find allow * ### Unauthenticated ACLs, for clients without valid certificates; authenticated ### clients can also access these paths, though they rarely need to. 
# allow access to the CA certificate; unauthenticated nodes need this # in order to validate the puppet master's certificate path /puppet-ca/v1/certificate/ca auth any method find allow * # allow nodes to retrieve the certificate they requested earlier path /puppet-ca/v1/certificate/ auth any method find allow * # allow nodes to request a new certificate path /puppet-ca/v1/certificate_request auth any method find, save allow * <% if scope.lookupvar('::puppet::listen') -%> path /run auth any method save allow <%= if (!@listen_to.empty?) then @listen_to.join(",") elsif ( @puppetmaster and !@puppetmaster.empty? ) then @puppetmaster else @fqdn end %> <% end -%> # deny everything else; this ACL is not strictly necessary, but # illustrates the default policy. path / auth any diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb index 04bcc95..eeb3e71 100644 --- a/templates/server/puppetserver/conf.d/auth.conf.erb +++ b/templates/server/puppetserver/conf.d/auth.conf.erb 
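Review bot: The facts `save` rule that this hunk makes unconditional grants the whole `<%= @auth_allowed.join(', ') %>` list — the same allow list used for catalog, node and report — write access to `^/puppet/v3/facts/([^/]+)$`. If `@auth_allowed` contains anything beyond the `$1` backreference (for instance a trusted-agents list; its contents are not visible in this hunk), those principals can overwrite any node's facts and thereby steer fact-based classification, which is a stronger privilege than reading another node's catalog. I would state that next to the rule so operators populating the list know what they are granting: `# NOTE: any entry in @auth_allowed other than $1 may save facts for *every* node, not just its own`. The template also no longer references `@puppetversion` anywhere after this change; if the manifest still computes it solely for this template, it can presumably be dropped.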
@@ -1,334 +1,297 @@ # # Managed by Puppet # authorization: { version: 1 allow-header-cert-info: <%= @server_http || @allow_header_cert_info %> rules: [ { # Allow nodes to retrieve their own catalog match-request: { path: "^/puppet/v3/catalog/([^/]+)$" type: regex method: [get, post] } allow: <%= @server_trusted_agents << '$1' %> sort-order: 500 name: "puppetlabs catalog" }, { # Allow nodes to retrieve the certificate they requested earlier match-request: { path: "/puppet-ca/v1/certificate/" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs certificate" }, { # Allow all nodes to access the certificate revocation list match-request: { path: "/puppet-ca/v1/certificate_revocation_list/ca" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs crl" }, { # Allow nodes to request a new certificate match-request: { path: "/puppet-ca/v1/certificate_request" type: path method: [get, put] } allow-unauthenticated: true sort-order: 500 name: "puppetlabs csr" }, <%- if @server_ca -%> { # Allow the CA CLI to access the certificate_status endpoint match-request: { path: "/puppet-ca/v1/certificate_status" type: path method: [get, put, delete] } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.3.6']) >= 0 -%> { extensions: { pp_cli_auth: "true" } } -<%- end -%> ] <%- end -%> sort-order: 500 name: "puppetlabs cert status" }, { # Allow the CA CLI to access the certificate_statuses endpoint match-request: { path: "/puppet-ca/v1/certificate_statuses" type: path method: get } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.3.6']) >= 0 
-%> { extensions: { pp_cli_auth: "true" } } -<%- end -%> ] <%- end -%> sort-order: 500 name: "puppetlabs cert statuses" }, <%- end -%> { # Allow unauthenticated access to the status service endpoint match-request: { path: "/status/v1/services" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status service - full" }, -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.3.6']) >= 0 -%> { match-request: { path: "/status/v1/simple" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status service - simple" }, -<%- end -%> { match-request: { path: "/puppet-admin-api/v1/environment-cache" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "environment-cache" }, { match-request: { path: "/puppet-admin-api/v1/jruby-pool" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "jruby-pool" }, { match-request: { path: "/puppet/v3/environments" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environments" }, { match-request: { path: "/puppet/v3/environment_classes" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environment classes" }, -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) < 0 -%> - { - match-request: { - path: "/puppet/v3/resource_type" - type: path - method: [get, post] - } - allow: "*" - sort-order: 500 - name: "puppetlabs resource type" - }, - { - # Allow nodes to access all file services; this is necessary for - # pluginsync, file serving from modules, and file serving from - # custom mount points (see fileserver.conf). Note that the `/file` - # prefix matches requests to file_metadata, file_content, and - # file_bucket_file paths. 
- match-request: { - path: "/puppet/v3/file" - type: path - } - allow: "*" - sort-order: 500 - name: "puppetlabs file" - }, -<%- else -%> { # Allow nodes to access all file_bucket_files. Note that access for # the 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_bucket_file" type: path method: [get, head, post, put] } allow: "*" sort-order: 500 name: "puppetlabs file bucket file" }, { # Allow nodes to access all file_content. Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_content" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file content" }, { # Allow nodes to access all file_metadata. Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_metadata" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file metadata" }, -<%- end -%> { # Allow nodes to retrieve only their own node definition match-request: { path: "^/puppet/v3/node/([^/]+)$" type: regex method: get } allow: "$1" sort-order: 500 name: "puppetlabs node" }, { # Allow nodes to store only their own reports match-request: { path: "^/puppet/v3/report/([^/]+)$" type: regex method: put } allow: "$1" sort-order: 500 name: "puppetlabs report" }, -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.3']) >= 0 -%> { # Allow nodes to update their own facts match-request: { path: "^/puppet/v3/facts/([^/]+)$" type: regex method: put } allow: "$1" sort-order: 500 name: "puppetlabs facts" }, -<%- end -%> { match-request: { path: "/puppet/v3/status" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status" }, { match-request: { path: "/puppet/v3/static_file_content" type: path method: get } allow: "*" sort-order: 500 name: 
"puppetlabs static file content" }, -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.1']) >= 0 -%> { match-request: { path: "/puppet/v3/tasks" type: path } allow: "*" sort-order: 500 name: "puppet tasks information" }, -<%- end -%> -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 && @server_experimental -%> +<%- if @server_experimental -%> { # Allow all users access to the experimental endpoint # which currently only provides a dashboard web ui. match-request: { path: "/puppet/experimental" type: path } allow-unauthenticated: true sort-order: 500 name: "puppetlabs experimental" }, <%- end -%> { # Deny everything else. This ACL is not strictly # necessary, but illustrates the default policy match-request: { path: "/" type: path } deny: "*" sort-order: 999 name: "puppetlabs deny all" } ] } diff --git a/templates/server/puppetserver/conf.d/puppetserver.conf.erb b/templates/server/puppetserver/conf.d/puppetserver.conf.erb index 0f52a38..a8f0b07 100644 --- a/templates/server/puppetserver/conf.d/puppetserver.conf.erb +++ b/templates/server/puppetserver/conf.d/puppetserver.conf.erb 
@@ -1,121 +1,117 @@ # # Managed by Puppet # # configuration for the JRuby interpreters jruby-puppet: { # Where the puppet-agent dependency places puppet, facter, etc... # Puppet server expects to load Puppet from this location ruby-load-path: [ <%- @server_ruby_load_paths.each do |ruby_load_path| -%> <%= ruby_load_path %>, <%- end -%> ] # This setting determines where JRuby will install gems. It is used for loading gems, # and also by the `puppetserver gem` command line tool. gem-home: <%= @server_jruby_gem_home %> # This setting defines the complete "GEM_PATH" for jruby. If set, it should include # the gem-home directory as well as any other directories that gems can be loaded # from (including the vendored gems directory for gems that ship with puppetserver) gem-path: [<%= @server_gem_paths.join(', ') %>] # PLEASE NOTE: Use caution when modifying the below settings. Modifying # these settings will change the value of the corresponding Puppet settings # for Puppet Server, but not for the Puppet CLI tools. This likely will not # be a problem with master-var-dir, master-run-dir, or master-log-dir unless # some critical setting in puppet.conf is interpolating the value of one # of the corresponding settings, but it is important that any changes made to # master-conf-dir and master-code-dir are also made to the corresponding Puppet # settings when running the Puppet CLI tools. See # https://docs.puppetlabs.com/puppetserver/latest/puppet_conf_setting_diffs.html#overriding-puppet-settings-in-puppet-server # for more information. 
# (optional) path to puppet conf dir; if not specified, will use # the puppet default master-conf-dir: <%= @server_dir %> # (optional) path to puppet code dir; if not specified, will use # the puppet default master-code-dir: <%= @codedir %> # (optional) path to puppet var dir; if not specified, will use # the puppet default master-var-dir: <%= @server_puppetserver_vardir %> # (optional) path to puppet run dir; if not specified, will use # the puppet default master-run-dir: <%= @server_puppetserver_rundir %> # (optional) path to puppet log dir; if not specified, will use # the puppet default master-log-dir: <%= @server_puppetserver_logdir %> # (optional) maximum number of JRuby instances to allow max-active-instances: <%= @server_max_active_instances %> # (optional) the number of HTTP requests a given JRuby instance will handle in its lifetime. max-requests-per-instance: <%= @server_max_requests_per_instance %> -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 -%> # (optional) The maximum number of requests that may be queued waiting to borrow a JRuby from the pool. max-queued-requests: <%= @server_max_queued_requests %> # (optional) Sets the upper limit for the random sleep set as a Retry-After header on 503 responses returned when max-queued-requests is enabled. max-retry-delay: <%= @server_max_retry_delay %> -<%- end -%> # (optional) Authorize access to Puppet master endpoints via rules # specified in the legacy Puppet auth.conf file (if true) or via rules # specified in the Puppet Server HOCON-formatted auth.conf (if false or not # specified). 
use-legacy-auth-conf: <%= @server_use_legacy_auth_conf %> # (optional) enable or disable environment class cache environment-class-cache-enabled: <%= @server_environment_class_cache_enabled %> <%- if @compile_mode %> compile-mode: <%= @compile_mode %> <%- end -%> } # settings related to HTTPS client requests made by Puppet Server http-client: { # A list of acceptable protocols for making HTTPS requests ssl-protocols: [ <%- @server_ssl_protocols.each do |protocol| -%> <%= protocol %>, <%- end -%> ] # A list of acceptable cipher suites for making HTTPS requests cipher-suites: [ <%- @server_cipher_suites.each do |cipher| -%> <%= cipher %>, <%- end -%> ] -<%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 -%> # Whether to enable http-client metrics; defaults to 'true'. metrics-enabled: <%= @server_metrics %> -<%- end -%> # The amount of time, in milliseconds, that an outbound HTTP connection # will wait for data to be available before closing the socket. If not # defined, defaults to 20 minutes. If 0, the timeout is infinite and if # negative, the value is undefined by the application and governed by the # system default behavior. idle-timeout-milliseconds: <%= @server_idle_timeout %> # The amount of time, in milliseconds, that an outbound HTTP connection will # wait to connect before giving up. Defaults to 2 minutes if not set. If 0, # the timeout is infinite and if negative, the value is undefined in the # application and governed by the system default behavior. connect-timeout-milliseconds: <%= @server_connect_timeout %> } # settings related to profiling the puppet Ruby code profiler: { # enable or disable profiling for the Ruby code; enabled: <%= @server_metrics %> } diff --git a/templates/server/puppetserver/services.d/ca.cfg.erb b/templates/server/puppetserver/services.d/ca.cfg.erb index 71e93ba..562b422 100644 --- a/templates/server/puppetserver/services.d/ca.cfg.erb +++ b/templates/server/puppetserver/services.d/ca.cfg.erb 
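Review bot: With the version gates removed, `use-legacy-auth-conf: <%= @server_use_legacy_auth_conf %>` is now emitted for every supported Puppet Server version, including 6.x; as far as I recall, legacy auth.conf support was dropped in Puppet Server 6.0, so a `true` value there would at best be ignored and at worst prevent startup, and nothing in the template signals that. Since the commit raises the floor to 5.3.6 while still targeting 6.0, consider either gating this line with the same helper the other gates used, `<%- if scope.function_versioncmp([@server_puppetserver_version, '6.0']) < 0 -%>`, or at least adding `# legacy auth.conf is only honoured by Puppet Server 5.x; 6.x always uses the HOCON auth.conf` above it. Unconditionally emitting `max-queued-requests` / `max-retry-delay` for 5.3.6+ looks fine, as that back-pressure control predates the new minimum version.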
@@ -1,10 +1,8 @@
 #
 # Managed by Puppet
 #
 # To enable the CA service, leave the following line uncommented
 <%= '#' unless @server_ca -%>puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
 # To disable the CA service, comment out the above line and uncomment the line below
 <%= '#' if @server_ca -%>puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
-<%- if scope.function_versioncmp([@server_puppetserver_version, '5.1']) >= 0 -%>
 puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service
-<%- end -%>