diff --git a/manifests/params.pp b/manifests/params.pp
index 5c06a22..1a3e951 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp 
@@ -1,480 +1,482 @@
# Default parameters class puppet::params { # Basic config $version = 'present' $manage_user = true $user = 'puppet' $group = 'puppet' $ip = '0.0.0.0' $port = 8140 $listen = false $listen_to = [] $pluginsync = true $splay = false $splaylimit = 1800 $runinterval = 1800 $runmode = 'service' $report = true # Not defined here as the commands depend on module parameter "dir" $cron_cmd = undef $systemd_cmd = undef $agent_noop = false $show_diff = false $module_repository = undef $hiera_config = '$confdir/hiera.yaml' $usecacheonfailure = true $ca_server = undef $ca_port = undef $ca_crl_filepath = undef $server_crl_enable = undef $prerun_command = undef $postrun_command = undef $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false if defined('$::domain') { $srv_domain = $::domain } else { $srv_domain = undef } # lint:ignore:puppet_url_without_modules $pluginsource = 'puppet:///plugins' $pluginfactsource = 'puppet:///pluginfacts' # lint:endignore $classfile = '$statedir/classes.txt' $syslogfacility = undef $environment = $::environment $aio_package = ($::osfamily == 'Windows' or $::rubysitedir =~ /\/opt\/puppetlabs\/puppet/) $deb_naio_package = ($::osfamily == 'Debian') $systemd_randomizeddelaysec = 0 case $::osfamily { 'Windows' : { # Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end $dir_prefix = 'C:/ProgramData/PuppetLabs/puppet' $dir = "${dir_prefix}/etc" $codedir = "${dir_prefix}/etc" $logdir = "${dir_prefix}/var/log" $rundir = "${dir_prefix}/var/run" $ssldir = "${dir_prefix}/etc/ssl" $vardir = "${dir_prefix}/var" $sharedir = "${dir_prefix}/share" $bindir = "${dir_prefix}/bin" $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } /^(FreeBSD|DragonFly)$/ : { $dir = '/usr/local/etc/puppet' $codedir = '/usr/local/etc/puppet' 
$logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/puppet/ssl' $vardir = '/var/puppet' $sharedir = '/usr/local/share/puppet' $bindir = '/usr/local/bin' $root_group = undef $server_puppetserver_dir = '/usr/local/etc/puppetserver' $server_puppetserver_vardir = '/var/puppet/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetserver' $server_puppetserver_logdir = '/var/log/puppetserver' $ruby_gem_dir = regsubst($::rubyversion, '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$::rubysitedir, "${ruby_gem_dir}/facter-${::facterversion}/lib"] $server_jruby_gem_home = '/var/puppet/server/data/puppetserver/jruby-gems' } 'Archlinux' : { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/usr/bin' $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } default : { if $aio_package { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/opt/puppetlabs/bin' $server_puppetserver_dir = '/etc/puppetlabs/puppetserver' $server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetlabs/puppetserver' $server_puppetserver_logdir = '/var/log/puppetlabs/puppetserver' $server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby'] $server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems' } else { $dir = '/etc/puppet' $codedir = $deb_naio_package ? 
{ true => '/etc/puppet/code', false => '/etc/puppet', } $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/lib/puppet/ssl' $vardir = '/var/lib/puppet' $sharedir = '/usr/share/puppet' $bindir = '/usr/bin' $server_puppetserver_dir = '/etc/puppetserver' $server_puppetserver_vardir = $vardir $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = '/var/lib/puppet/jruby-gems' } $root_group = undef } } $configtimeout = undef $autosign = "${dir}/autosign.conf" $autosign_entries = [] $autosign_mode = '0664' $autosign_content = undef $autosign_source = undef $puppet_cmd = "${bindir}/puppet" $manage_packages = true if $::osfamily == 'Windows' { $dir_owner = undef $dir_group = undef } elsif $aio_package or $::osfamily == 'Suse' { $dir_owner = 'root' $dir_group = $root_group } else { $dir_owner = $user $dir_group = $group } $package_provider = $::osfamily ? { 'windows' => 'chocolatey', default => undef, } $package_source = undef # Need your own config templates? Specify here: $auth_template = 'puppet/auth.conf.erb' # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false # Authenticated nodes to allow $auth_allowed = ['$1'] # Will this host be a puppet agent ? $agent = true $remove_lock = true $client_certname = $::clientcert if defined('$::puppetmaster') { $puppetmaster = $::puppetmaster } else { $puppetmaster = undef } # Hashes containing additional settings $additional_settings = {} $agent_additional_settings = {} $server_additional_settings = {} # Will this host be a puppetmaster? 
$server = false $server_ca = true $server_ca_crl_sync = false $server_reports = 'foreman' $server_passenger = true $server_service_fallback = true $server_passenger_min_instances = abs($::processorcount) $server_passenger_pre_start = true $server_passenger_ruby = undef $server_httpd_service = 'httpd' $server_external_nodes = "${dir}/node.rb" $server_enc_api = 'v2' $server_report_api = 'v2' $server_request_timeout = 60 $server_ca_proxy = undef $server_certname = $::clientcert $server_strict_variables = false $server_rack_arguments = [] $server_http = false $server_http_port = 8139 $server_http_allow = [] # use puppetserver (JVM) or puppet master (Ruby)? $server_implementation = $aio_package ? { true => 'puppetserver', default => 'master', } # Need a new master template for the server? $server_template = 'puppet/server/puppet.conf.erb' # Template for server settings in [main] $server_main_template = 'puppet/server/puppet.conf.main.erb' # The script that is run to determine the reported manifest version. Undef # means we determine it in server.pp $server_config_version = undef # Set 'false' for static environments, or 'true' for git-based workflow $server_git_repo = false # Git branch to puppet env mapping for the post receive hook $server_git_branch_map = {} # Static environments config, ignore if the git_repo or dynamic_environments is 'true' # What environments do we have $server_environments = ['development', 'production'] # Dynamic environments config (deprecated when directory_environments is true) $server_dynamic_environments = false # Directory environments config $server_directory_environments = true # Owner of the environments dir: for cases external service needs write # access to manage it. 
$server_environments_owner = $user $server_environments_group = $root_group $server_environments_mode = '0755' # Where we store our puppet environments $server_envs_dir = "${codedir}/environments" $server_envs_target = undef # Modules in this directory would be shared across all environments $server_common_modules_path = unique(["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules']) # Dynamic environments config, ignore if the git_repo is 'false' # Path to the repository $server_git_repo_path = "${vardir}/puppet.git" # mode of the repository $server_git_repo_mode = '0755' # user of the repository $server_git_repo_user = $user # group of the repository $server_git_repo_group = $user # Override these if you need your own hooks $server_post_hook_content = 'puppet/server/post-receive.erb' $server_post_hook_name = 'post-receive' $server_custom_trusted_oid_mapping = undef # PuppetDB config $server_puppetdb_host = undef $server_puppetdb_port = 8081 $server_puppetdb_swf = false # Do you use storeconfigs? (note: not required) # - undef if you don't # - active_record for 2.X style db # - puppetdb for puppetdb $server_storeconfigs_backend = undef # Passenger config $server_app_root = "${dir}/rack" $server_ssl_dir = $ssldir $server_package = undef $server_version = undef if $aio_package { $client_package = ['puppet-agent'] } elsif $::osfamily == 'Debian' { $client_package = $deb_naio_package ? 
{ true => ['puppet'], default => ['puppet-common', 'puppet'] } } elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) { if (versioncmp($::puppetversion, '5.0') > 0) { $client_package = ['puppet5'] } else { $client_package = ['puppet4'] } } else { $client_package = ['puppet'] } $puppetrun_cmd = "${puppet_cmd} kick" $puppetca_cmd = "${puppet_cmd} cert" # Puppet service name $service_name = 'puppet' # Puppet onedshot systemd service and timer name $systemd_unit_name = 'puppet-run' # Mechanisms to manage and reload/restart the agent # If supported on the OS, reloading is prefered since it does not kill a currently active puppet run case $::osfamily { 'Debian' : { $agent_restart_command = "/usr/sbin/service ${service_name} reload" if ($::operatingsystem == 'Debian' or $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '15.04') >= 0) { $unavailable_runmodes = [] } else { $unavailable_runmodes = ['systemd.timer'] } } 'Redhat' : { # PSBM is a CentOS 6 based distribution # it reports its $osreleasemajor as 2, not 6. # thats why we're matching for '2' in both parts # Amazon Linux is like RHEL6 but reports its osreleasemajor as 2017. $osreleasemajor = regsubst($::operatingsystemrelease, '^(\d+)\..*$', '\1') # workaround for the possibly missing operatingsystemmajrelease $agent_restart_command = $osreleasemajor ? { /^(2|5|6|2017)$/ => "/sbin/service ${service_name} reload", '7' => "/usr/bin/systemctl reload-or-restart ${service_name}", default => undef, } $unavailable_runmodes = $osreleasemajor ? 
{ /^(2|5|6|2017)$/ => ['systemd.timer'], default => [], } } 'Windows': { $agent_restart_command = undef $unavailable_runmodes = ['cron', 'systemd.timer'] } 'Archlinux': { $agent_restart_command = "/usr/bin/systemctl reload-or-restart ${service_name}" $unavailable_runmodes = ['cron'] } default : { $agent_restart_command = undef $unavailable_runmodes = ['systemd.timer'] } } # Foreman parameters $lower_fqdn = downcase($::fqdn) $server_foreman = true $server_foreman_facts = true $server_puppet_basedir = $aio_package ? { true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet', false => undef, } $server_foreman_url = "https://${lower_fqdn}" $server_foreman_ssl_ca = undef $server_foreman_ssl_cert = undef $server_foreman_ssl_key = undef # Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser $server_parser = 'current' # Timeout for cached environments, changed in puppet 3.7.x $server_environment_timeout = undef # puppet server configuration file $server_jvm_config = $::osfamily ? { 'RedHat' => '/etc/sysconfig/puppetserver', 'Debian' => '/etc/default/puppetserver', default => '/etc/default/puppetserver', } $server_jvm_java_bin = '/usr/bin/java' if versioncmp($::puppetversion, '5.0.0') < 0 { $server_jvm_extra_args = '-XX:MaxPermSize=256m' } else { $server_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } $server_jvm_cli_args = undef # This is some very trivial "tuning". 
See the puppet reference: # https://docs.puppet.com/puppetserver/latest/tuning_guide.html if ($::memorysize_mb =~ String) { $mem_in_mb = scanf($::memorysize_mb, '%i')[0] } else { $mem_in_mb = 0 + $::memorysize_mb } if $mem_in_mb >= 3072 { $server_jvm_min_heap_size = '2G' $server_jvm_max_heap_size = '2G' $server_max_active_instances = min(abs($::processorcount), 4) } elsif $mem_in_mb >= 1024 { $server_max_active_instances = 1 $server_jvm_min_heap_size = '1G' $server_jvm_max_heap_size = '1G' } else { # VMs with 1GB RAM and a crash kernel enabled usually have an effective 992MB RAM $server_max_active_instances = 1 $server_jvm_min_heap_size = '768m' $server_jvm_max_heap_size = '768m' } $server_ssl_dir_manage = true $server_ssl_key_manage = true $server_default_manifest = false $server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp' $server_default_manifest_content = '' # lint:ignore:empty_string_assignment $server_max_requests_per_instance = 0 $server_max_queued_requests = 0 $server_max_retry_delay = 1800 $server_idle_timeout = 1200000 $server_web_idle_timeout = 30000 $server_connect_timeout = 120000 $server_ca_auth_required = true $server_admin_api_whitelist = [ 'localhost', $lower_fqdn ] $server_ca_client_whitelist = [ 'localhost', $lower_fqdn ] $server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA' ] $server_ssl_protocols = [ 'TLSv1.2' ] $server_ssl_chain_filepath = "${server_ssl_dir}/ca/ca_crt.pem" $server_check_for_updates = true $server_environment_class_cache_enabled = false $server_allow_header_cert_info = false # Puppetserver >= 2.2 Which auth.conf shall we use? $server_use_legacy_auth_conf = false # For Puppetserver, certain configuration parameters are version specific. We assume a particular version here. 
- if versioncmp($::puppetversion, '5.1.0') >= 0 {
+ if versioncmp($::puppetversion, '5.3.0') >= 0 {
+ $server_puppetserver_version = '5.3.0'
+ } elsif versioncmp($::puppetversion, '5.1.0') >= 0 { $server_puppetserver_version = '5.1.0' } elsif versioncmp($::puppetversion, '5.0.0') >= 0 { $server_puppetserver_version = '5.0.0' } else { $server_puppetserver_version = '2.7.0' } # For Puppetserver 5, use JRuby 9k? $server_puppetserver_jruby9k = false # this switch also controls Ruby profiling, by default disabled for Puppetserver 2.x, enabled for 5.x $server_puppetserver_metrics = versioncmp($::puppetversion, '5.0.0') >= 0 # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false $server_metrics_graphite_host = '127.0.0.1' $server_metrics_graphite_port = 2003 $server_metrics_server_id = $lower_fqdn $server_metrics_graphite_interval = 5 $server_metrics_allowed = undef # For Puppetserver 5, should the /puppet/experimental route be enabled? $server_puppetserver_experimental = true # Normally agents can only fetch their own catalogs. If you want some nodes to be able to fetch *any* catalog, add them here. $server_puppetserver_trusted_agents = [] }
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index 612d239..15bc548 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb 
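Review bot: The new `5.3.0` branch keys `$server_puppetserver_version` off `$::puppetversion`, which is the version of the puppet agent running on the host and not necessarily that of the installed puppetserver package, so a master whose puppet-agent has moved past 5.3 while puppetserver stays on 5.1 would presumably receive the 5.3-specific server configuration (the spec in this same diff switches bootstrap.cfg/services.d layout and several puppetserver.conf settings on this value); the existing "We assume a particular version here" comment does not say which fact drives the assumption. I would make that explicit next to the new branch: `# Derived from the agent's $::puppetversion fact, not the puppetserver package; set server_puppetserver_version explicitly when the two differ.` Separately, since this hunk carries the whole file, the default `$server_cipher_suites` list holds only static-RSA CBC suites (`TLS_RSA_WITH_AES_*_CBC_SHA*`), which provide no forward secrecy; a caveat such as `# Static-RSA CBC suites only (no forward secrecy); prefer ECDHE/GCM suites where the JVM supports them.` would warn operators who keep the default.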
@@ -1,876 +1,905 @@
require 'spec_helper' describe 'puppet::server::puppetserver' do on_os_under_test.each do |os, facts| next if facts[:osfamily] == 'windows' next if facts[:osfamily] == 'Archlinux' context "on #{os}" do let :pre_condition do "class {'puppet': server_implementation => 'puppetserver'}" end let(:facts) do facts end let(:default_params) do { :java_bin => '/usr/bin/java', :config => '/etc/default/puppetserver', :jvm_min_heap_size => '2G', :jvm_max_heap_size => '2G', :jvm_extra_args => '', :jvm_cli_args => false, # In reality defaults to undef :server_ca_auth_required => true, :server_ca_client_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_admin_api_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_ruby_load_paths => [ '/some/path', ], :server_ssl_protocols => [ 'TLSv1.2', ], :server_cipher_suites => [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ], :server_max_active_instances => 2, :server_max_requests_per_instance => 0, :server_max_queued_requests => 0, :server_max_retry_delay => 1800, :server_http => false, :server_http_allow => [], :server_ca => true, :server_puppetserver_version => '2.4.99', :server_use_legacy_auth_conf => false, :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/puppetlabs/server/data/puppetserver', :server_puppetserver_rundir => '/var/run/puppetlabs/puppetserver', :server_puppetserver_logdir => '/var/log/puppetlabs/puppetserver', :server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', :server_dir => '/etc/puppetlabs/puppet', :codedir => '/etc/puppetlabs/code', :server_idle_timeout => 1200000, :server_web_idle_timeout => 30000, :server_connect_timeout => 120000, :server_check_for_updates => true, :server_environment_class_cache_enabled => false, :server_jruby9k => false, :server_metrics => true, :metrics_jmx_enable => true, 
:metrics_graphite_enable => true, :metrics_graphite_host => 'graphitehost.example.com', :metrics_graphite_port => 2003, :metrics_server_id => 'puppetserver.example.com', :metrics_graphite_interval => 5, :metrics_allowed => ['single.element.array'], :server_experimental => true, :server_ip => '0.0.0.0', :server_port => '8140', :server_http_port => '8139', :server_ssl_ca_crl => '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem', :server_ssl_ca_cert => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', :server_ssl_cert => '/etc/puppetlabs/puppet/ssl/certs/puppetserver123.example.com.pem', :server_ssl_cert_key => '/etc/puppetlabs/puppet/ssl/private_keys/puppetserver123.example.com.pem', :server_ssl_chain => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', :server_crl_enable => true, :server_trusted_agents => [], :allow_header_cert_info => false, :compile_mode => 'off', # In reality defaults to undef } end describe 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled').with_ensure('present') } it { should contain_file_line('ca_disabled'). with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}). without_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'', ]). with_context('/files/etc/rc.conf'). 
with({}) } else it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') } it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java' ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(/^# Settings related to the puppet-admin HTTP API$/). without_content(/^puppet-admin: \{$/). without_content(/^\s+client-whitelist: \[$/). without_content(/^\s+"localhost"\,$/). without_content(/^\s+"puppetserver123.example.com"\,$/). with({}) # So we can use a trailing dot on each with_content line } it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/ssl-host:\s0\.0\.0\.0/). with_content(/ssl-port:\s8140/). without_content(/ host:\s/). without_content(/ port:\s8139/). with({}) } it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(/allow-header-cert-info: false/). with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/). with_content(/^\s+name: "certificate_status"/). with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/). with_content(/^\s+name: "certificate_statuses"/). with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/). with_content(/^\s+name: "environment-cache"/). 
with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/). with_content(/^\s+name: "jruby-pool"/). with({}) # So we can use a trailing dot on each with_content line } end describe 'server_puppetserver_vardir' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/puppetlabs/server/data/puppetserver\n]) end end context 'with custom server_puppetserver_vardir' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/custom/puppetlabs/server/data/puppetserver', ) end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/custom/puppetlabs/server/data/puppetserver\n]) end end end describe 'use-legacy-auth-conf' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have use-legacy-auth-conf: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ use-legacy-auth-conf: false\n]) end end context 'when use-legacy-auth-conf = true' do let(:params) do default_params.merge( :server_use_legacy_auth_conf => true, :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have use-legacy-auth-conf: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] 
expect(content).to include(%Q[ use-legacy-auth-conf: true\n]) end end end describe 'environment-class-cache-enabled' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have environment-class-cache-enabled: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: false\n]) end end context 'when environment-class-cache-enabled = true' do let(:params) do default_params.merge( :server_environment_class_cache_enabled => true, :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have environment-class-cache-enabled: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: true\n]) end end context 'when server_puppetserver_version < 2.4' do let(:params) do default_params.merge( :server_puppetserver_version => '2.2.2', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should not have a environment-class-cache-enabled setting in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).not_to include('environment-class-cache-enabled') end end end describe 'server_max_requests_per_instance' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 0\n]) end end context 'custom 
server_max_requests_per_instance' do let(:params) do default_params.merge(:server_max_requests_per_instance => 123456) end it 'should have custom max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 123456\n]) end end end describe 'server_max_queued_requests' do context 'when server_puppetserver_version >= 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', ) end it 'should have max-queued-requests: 0' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-queued-requests: 0\n}) end end context 'when server_puppetserver_version >= 5.0 with custom server_max_queued_requests' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', :server_max_queued_requests => 100, ) end it 'should have custom max-queued-requests: 100' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-queued-requests: 100\n}) end end context 'when server_puppetserver_version < 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '2.7.0', ) end it 'should not have max-queued-requests' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). 
without_content(%r{^ max-queued-requests: (.*)$}) end end end describe 'server_max_retry_delay' do context 'when server_puppetserver_version >= 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', ) end it 'should have max-retry-delay: 1800' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-retry-delay: 1800\n}) end end context 'when server_puppetserver_version >= 5.0 custom server_max_retry_delay' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', :server_max_retry_delay => 100 ) end it 'should have custom max-retry-delay: 100' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-retry-delay: 100\n}) end end context 'when server_puppetserver_version < 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '2.7.0', ) end it 'should not have max-retry-delay' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ max-retry-delay: (.*)$}) end end end describe 'versioned-code-service' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file_line('versioned_code_service') } end context 'when server_puppetserver_version >= 2.3 and < 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.3.1', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). 
with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end context 'when server_puppetserver_version < 2.3' do let(:params) do default_params.merge( :server_puppetserver_version => '2.2.2', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should not have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end end describe 'bootstrap.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should_not contain_file_line('ca_enabled') } it { should_not contain_file_line('ca_disabled') } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do default_params.merge( :server_puppetserver_version => '2.4.98', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } it { should contain_file_line('ca_disabled'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service'). 
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } unless facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\''). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end end describe 'ca.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } unless facts[:osfamily] == 'FreeBSD' it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\''). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end context 'when server_puppetserver_version >= 2.5 and server_ca => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_ca => false, ) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). 
with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do default_params.merge( :server_puppetserver_version => '2.4.98', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file('/etc/custom/puppetserver/services.d') } it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') } end context 'when server_puppetserver_version >= 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.1.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}). with_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } end end describe 'product.conf' do context 'when server_puppetserver_version >= 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_check_for_updates => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf'). 
with_content(/^\s+check-for-updates: false/) } end context 'when server_puppetserver_version < 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.6.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf').with_ensure('absent') } end end describe 'server_metrics' do context 'when server_puppetserver_version < 5.0 and server_metrics => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } end context 'when server_puppetserver_version < 5.0 and server_metrics => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } end context 'when server_puppetserver_version >= 5.0 and server_metrics => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)}). 
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf'). with_content(%r{^( *)metrics-allowed: \[\n( *)"single.element.array",\n( *)\]}). with_content(%r{^( *)server-id: "puppetserver.example.com"}). with_content(%r{^( *)jmx: \{\n( *)enabled: true}). with_content(%r{^( *)graphite: \{\n( *)enabled: true}). with_content(%r{^( *)host: "graphitehost.example.com"}). with_content(%r{^( *)port: 2003}). with_content(%r{^( *)update-interval-seconds: 5}) } end context 'when server_puppetserver_version >= 5.0 and server_metrics => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf').with_ensure('absent') } end end describe 'server_experimental' do context 'when server_puppetserver_version < 5.0 and server_experimental => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version < 5.0 and server_experimental => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). 
without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end describe 'puppet tasks information' do context 'when server_puppetserver_version < 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } end context 'when server_puppetserver_version >= 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.1.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } end end
+ describe 'puppet facts upload' do
+ context 'when server_puppetserver_version >= 5.3' do
+ let(:params) do
+ default_params.merge(
+ :server_puppetserver_version => '5.3.0',
+ :server_puppetserver_dir => '/etc/custom/puppetserver',
+ )
+ end
+
+ it {
+ should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$})
+ }
+ end
+
+ context 'when server_puppetserver_version < 5.3' do
+ let(:params) do
+ default_params.merge(
+ :server_puppetserver_version => '5.2.0',
+ :server_puppetserver_dir => '/etc/custom/puppetserver',
+ )
+ end
+
+ it {
+ should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ without_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$})
+ }
+ end
+ end
 describe 'server_trusted_agents' do context 'when set' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_trusted_agents => ['jenkins', 'octocatalog-diff'], ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(%r{^ allow: \["jenkins", "octocatalog-diff", "\$1"\]$}) } end end unless facts[:osfamily] == 'FreeBSD' describe 'server_jruby9k' do context 'when server_puppetserver_version < 5.0 and server_jruby9k => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => true, ) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version < 5.0 and server_jruby9k => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => false, ) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => true, ) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']). 
with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => false, ) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['rm JRUBY_JAR']). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end end describe 'with extra_args parameter' do let :params do default_params.merge( :jvm_extra_args => ['-XX:foo=bar', '-XX:bar=foo'], ) end if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', ]). with_context('/files/etc/rc.conf'). with({}) } else it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', 'set JAVA_BIN /usr/bin/java', ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end describe 'with cli_args parameter' do let :params do default_params.merge(:jvm_cli_args => '-Djava.io.tmpdir=/var/puppettmp') end if facts[:osfamily] != 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java', 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'', ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). 
with({}) } end end describe 'with jvm_config file parameter' do let :params do default_params.merge(:config => '/etc/custom/puppetserver') end if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm').with_context('/files/etc/rc.conf') } else it { should contain_augeas('puppet::server::puppetserver::jvm'). with_context('/files/etc/custom/puppetserver'). with_incl('/etc/custom/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end describe 'gem-path' do context 'when server_puppetserver_version > 2.7 but < 5.3' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', ) end it 'should have gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems"] in config' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems"]\n]) end end context 'when server_puppetserver_version >= 5.3' do let(:params) do default_params.merge( :server_puppetserver_version => '5.3.0', ) end if facts[:osfamily] == 'FreeBSD' it 'should have gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"] in config' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ gem-path: [${jruby-puppet.gem-home}, "/var/puppet/server/data/puppetserver/vendored-jruby-gems"]\n]) end else it 'should have gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"] in config' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ gem-path: 
[${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"]\n]) end end end end describe 'when server_puppetserver_version < 2.2' do let(:params) do default_params.merge(:server_puppetserver_version => '2.1.0') end it { should raise_error(Puppet::Error, /puppetserver <2.2 is not supported by this module version/) } end end end end
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
index 0d44e0c..d44e465 100644
--- a/templates/server/puppetserver/conf.d/auth.conf.erb
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -1,290 +1,303 @@ authorization: { version: 1 allow-header-cert-info: <%= @server_http || @allow_header_cert_info %> rules: [ { # Allow nodes to retrieve their own catalog match-request: { path: "^/puppet/v3/catalog/([^/]+)$" type: regex method: [get, post] } allow: <%= @server_trusted_agents << '$1' %> sort-order: 500 name: "puppetlabs catalog" }, { # Allow nodes to retrieve the certificate they requested earlier match-request: { path: "/puppet-ca/v1/certificate/" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs certificate" }, { # Allow all nodes to access the certificate revocation list match-request: { path: "/puppet-ca/v1/certificate_revocation_list/ca" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs crl" }, { # Allow nodes to request a new certificate match-request: { path: "/puppet-ca/v1/certificate_request" type: path method: [get, put] } allow-unauthenticated: true sort-order: 500 name: "puppetlabs csr" }, { # Allow unauthenticated access to the status service endpoint match-request: { path: "/status/v1/services" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status service" }, <%- if @server_ca -%> { match-request: { path: "/puppet-ca/v1/certificate_status/" type: path method: [ get, put, delete ] } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] <%- end -%> sort-order: 200 name: "certificate_status" }, { match-request: { path: "/puppet-ca/v1/certificate_statuses/" type: path method: get } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] <%- end -%> sort-order: 200 name: "certificate_statuses" }, <%- end -%> { match-request: { path: "/puppet-admin-api/v1/environment-cache" type: 
path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "environment-cache" }, { match-request: { path: "/puppet-admin-api/v1/jruby-pool" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "jruby-pool" }, { match-request: { path: "/puppet/v3/environments" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environments" }, { match-request: { path: "/puppet/v3/environment_classes" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environment classes" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) < 0 -%> { match-request: { path: "/puppet/v3/resource_type" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs resource type" }, { # Allow nodes to access all file services; this is necessary for # pluginsync, file serving from modules, and file serving from # custom mount points (see fileserver.conf). Note that the `/file` # prefix matches requests to file_metadata, file_content, and # file_bucket_file paths. match-request: { path: "/puppet/v3/file" type: path } allow: "*" sort-order: 500 name: "puppetlabs file" }, <%- else -%> { # Allow nodes to access all file_bucket_files. Note that access for # the 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_bucket_file" type: path method: [get, head, post, put] } allow: "*" sort-order: 500 name: "puppetlabs file bucket file" }, { # Allow nodes to access all file_content. Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_content" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file content" }, { # Allow nodes to access all file_metadata. 
Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_metadata" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file metadata" }, <%- end -%> { # Allow nodes to retrieve only their own node definition match-request: { path: "^/puppet/v3/node/([^/]+)$" type: regex method: get } allow: "$1" sort-order: 500 name: "puppetlabs node" }, { # Allow nodes to store only their own reports match-request: { path: "^/puppet/v3/report/([^/]+)$" type: regex method: put } allow: "$1" sort-order: 500 name: "puppetlabs report" },
+<%- if scope.function_versioncmp([@server_puppetserver_version, '5.3']) >= 0 -%>
+ {
+ # Allow nodes to update their own facts
+ match-request: {
+ path: "^/puppet/v3/facts/([^/]+)$"
+ type: regex
+ method: put
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs facts"
+ },
+<%- end -%>
 { match-request: { path: "/puppet/v3/status" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status" }, { match-request: { path: "/puppet/v3/static_file_content" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs static file content" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.1']) >= 0 -%> { match-request: { path: "/puppet/v3/tasks" type: path } allow: "*" sort-order: 500 name: "puppet tasks information" }, <%- end -%> <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 && @server_experimental -%> { # Allow all users access to the experimental endpoint # which currently only provides a dashboard web ui. match-request: { path: "/puppet/experimental" type: path } allow-unauthenticated: true sort-order: 500 name: "puppetlabs experimental" }, <%- end -%> { # Deny everything else. 
This ACL is not strictly # necessary, but illustrates the default policy match-request: { path: "/" type: path } deny: "*" sort-order: 999 name: "puppetlabs deny all" } ] }
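Review bot: The security-relevant half of the new `puppetlabs facts` rule — `method: put` together with `allow: "$1"`, which ties a fact upload to the certname captured from the path — is not pinned by the spec added in the same commit, which only asserts that a `path: "^/puppet/v3/facts/..."` line exists, so a regression to `allow: "*"` or an added `get` method would still pass. Extending the `>= 5.3` expectation to something like `with_content(%r{path: "\^/puppet/v3/facts/\(\[\^/\]\+\)\$"\n\s+type: regex\n\s+method: put\n\s+\}\n\s+allow: "\$1"$})` would cover both properties. Keeping the allow list to `$1` rather than appending `@server_trusted_agents` as the catalog rule does looks like the right least-privilege choice, since those agents would otherwise be able to overwrite another node's facts; the rule's comment could record that it is deliberate, e.g. `# Allow nodes to update their own facts (intentionally not extended to server_trusted_agents)`. Any other method on this path falls through to the sort-order 999 deny-all rule at the end of the file, which is the intended default.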