diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index 8f2bd9c..f99d1cb 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp @@ -1,71 +1,51 @@ # Puppet agent configuration # @api private class puppet::agent::config inherits puppet::config { puppet::config::agent{ 'classfile': value => $puppet::classfile; 'localconfig': value => '$vardir/localconfig'; 'default_schedules': value => false; 'report': value => $puppet::report; 'masterport': value => $puppet::port; 'environment': value => $puppet::environment; 'splay': value => $puppet::splay; 'splaylimit': value => $puppet::splaylimit; 'runinterval': value => $puppet::runinterval; 'noop': value => $puppet::agent_noop; 'usecacheonfailure': value => $puppet::usecacheonfailure; } if $puppet::http_connect_timeout != undef { puppet::config::agent { 'http_connect_timeout': value => $puppet::http_connect_timeout; } } if $puppet::http_read_timeout != undef { puppet::config::agent { 'http_read_timeout': value => $puppet::http_read_timeout; } } if $puppet::prerun_command { puppet::config::agent { 'prerun_command': value => $puppet::prerun_command; } } if $puppet::postrun_command { puppet::config::agent { 'postrun_command': value => $puppet::postrun_command; } } unless $puppet::pluginsync { if versioncmp($facts['puppetserver'], '6.0.0') >= 0 { fail('pluginsync is no longer a setting in Puppet 6') } else { puppet::config::agent { 'pluginsync': value => $puppet::pluginsync, } } } $puppet::agent_additional_settings.each |$key,$value| { puppet::config::agent { $key: value => $value } } - - if $puppet::runmode == 'service' { - $should_start = 'yes' - } else { - $should_start = 'no' - } - - if $facts['os']['family'] == 'Debian' { - augeas {'puppet::set_start': - context => '/files/etc/default/puppet', - changes => "set START ${should_start}", - incl => '/etc/default/puppet', - lens => 'Shellvars.lns', - } - if $puppet::remove_lock { - file {'/var/lib/puppet/state/agent_disabled.lock': - ensure => absent, - } - } - } } diff --git a/manifests/init.pp b/manifests/init.pp index ad9d59d..2dc0aab 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,754 +1,751 @@ # == Class: puppet # # This class installs and configures the puppet agent. # # === Parameters: # # $show_diff:: Show and report changed files with diff output # # $ca_server:: Use a different ca server. Should be either # a string with the location of the ca_server # or 'false'. # # == Advanced puppet parameters # # $version:: Specify a specific version of a package to # install. The version should be the exact # match for your distro. # You can also use certain values like 'latest'. # Note that when you specify exact versions you # should also override $server_version since # that defaults to $version. # # $manage_packages:: Should this module install packages or not. # Can also install only server packages with value # of 'server' or only agent packages with 'agent'. # # $port:: Override the port of the master we connect to. # # $pluginsync:: Enable pluginsync. # # $splay:: Switch to enable a random amount of time # to sleep before each run. # # $splaylimit:: The maximum time to delay before runs. # Defaults to being the same as the run interval. # This setting can be a time interval in seconds # (30 or 30s), minutes (30m), hours (6h), days (2d), # or years (5y). # # $runinterval:: Set up the interval (in seconds) to run # the puppet agent. # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $usecacheonfailure:: Switch to enable use of cached catalog on # failure of run. # # $runmode:: Select the mode to setup the puppet agent. # # $run_hour:: The hour at which to run the puppet agent # when runmode is cron or systemd.timer. # # $run_minute:: The minute at which to run the puppet agent # when runmode is cron or systemd.timer. # # $cron_cmd:: Specify command to launch when runmode is # set 'cron'. # # $systemd_cmd:: Specify command to launch when runmode is # set 'systemd.timer'. # # $systemd_randomizeddelaysec:: Adds a random delay between 0 and this value # (in seconds) to the timer. Only relevant when # runmode is 'systemd.timer'. # # $module_repository:: Use a different puppet module repository # # $ca_port:: Puppet CA port # # $ca_crl_filepath:: Path to CA CRL file, dynamically resolves based on # $::server_ca status. # # $dns_alt_names:: Use additional DNS names when generating a # certificate. Defaults to an empty Array. # # $hiera_config:: The hiera configuration file. # # $syslogfacility:: Facility name to use when logging to syslog # # $use_srv_records:: Whether DNS SRV records will be used to resolve # the Puppet master # # $srv_domain:: Search domain for SRV records # # $additional_settings:: A hash of additional main settings. # # $http_connect_timeout:: The maximum amount of time an agent waits # when establishing an HTTP connection. # # $http_read_timeout:: The time an agent waits for one block to be # read from an HTTP connection. If nothing is # read after the elapsed interval then the # connection will be closed. # # $user:: Override the name of the puppet user. # # $group:: Override the name of the puppet group. # # $dir:: Override the puppet directory. # # $codedir:: Override the puppet code directory. # # $vardir:: Override the puppet var directory. # # $logdir:: Override the log directory. # # $rundir:: Override the PID directory. # # $ssldir:: Override where SSL certificates are kept. # # $sharedir:: Override the system data directory. # # $package_provider:: The provider used to install the agent. # Defaults to chocolatey on Windows # Defaults to undef elsewhere # # $package_source:: The location of the file to be used by the # agent's package resource. # Defaults to undef. If 'windows' or 'msi' are # used as the provider then this setting is # required. # $package_install_options:: Flags that should be passed to the package manager # during installation. Defaults to undef. May be # a string or a hash, see Puppet Package resource # documentation for the provider matching your package manager # # $unavailable_runmodes:: Runmodes that are not available for the # current system. This module will not try # to disable these modes. Default is [] # on Linux, ['cron', 'systemd.timer'] on # Windows and ['systemd.timer'] on other # systems. # # $auth_template:: Use a custom template for /etc/puppetlabs/puppet/auth.conf # # $pluginsource:: URL to retrieve Puppet plugins from during pluginsync # # $pluginfactsource:: URL to retrieve Puppet facts from during pluginsync # # $classfile:: The file in which puppet agent stores a list # of the classes associated with the retrieved # configuration. # # == puppet::agent parameters # # $agent:: Should a puppet agent be installed # # $agent_noop:: Run the agent in noop mode. # # $puppetmaster:: Hostname of your puppetmaster (server # directive in puppet.conf) # # $prerun_command:: A command which gets excuted before each Puppet run # # $postrun_command:: A command which gets excuted after each Puppet run # # $environment:: Default environment of the Puppet agent # # $agent_additional_settings:: A hash of additional agent settings. # Example: {stringify_facts => true} # # $client_certname:: The node's certificate name, and the unique # identifier it uses when requesting catalogs. # # $report:: Send reports to the Puppet Master # # == advanced agent parameters # # $service_name:: The name of the puppet agent service. # # $agent_restart_command:: The command which gets excuted on puppet service restart # # $client_package:: Install a custom package to provide # the puppet client # # $systemd_unit_name:: The name of the puppet systemd units. # -# $remove_lock:: Remove the agent lock when running. -# # $dir_owner:: Owner of the base puppet directory, used when # puppet::server is false. # # $dir_group:: Group of the base puppet directory, used when # puppet::server is false. # # == puppet::server parameters # # $server:: Should a puppet master be installed as well as the client # # $server_ip:: Bind ip address of the puppetmaster # # $server_port:: Puppet master port # # $server_ca:: Provide puppet CA # # $server_ca_crl_sync:: Sync puppet CA crl file to compile masters, Puppet CA Must be the Puppetserver # for the compile masters. Defaults to false. # # $server_crl_enable:: Turn on crl checking. Defaults to true when server_ca is true. Otherwise # Defaults to false. Note unless you are using an external CA. It is recommended # to set this to true. See $server_ca_crl_sync to enable syncing from CA Puppet Master # # $server_reports:: List of report types to include on the puppetmaster # # $server_external_nodes:: External nodes classifier executable # # $server_trusted_external_command:: The external trusted facts script to use. # (Puppet >= 6.11 only). # # $server_git_repo:: Use git repository as a source of modules # # $server_environments_owner:: The owner of the environments directory # # $server_environments_group:: The group owning the environments directory # # $server_environments_mode:: Environments directory mode. # # $server_common_modules_path:: Common modules paths # # $server_git_repo_path:: Git repository path # # $server_git_repo_mode:: Git repository mode # # $server_git_repo_group:: Git repository group # # $server_git_repo_user:: Git repository user # # $server_git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $server_storeconfigs:: Whether to enable storeconfigs # # $server_certname:: The name to use when handling certificates. # # === Advanced server parameters: # # $server_strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $server_additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $server_manage_user:: Whether to manage the server user resource # # $server_user:: Name of the puppetmaster user. # # $server_group:: Name of the puppetmaster group. # # $server_dir:: Puppet configuration directory # # $server_http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. # # $server_http_port:: Puppet master HTTP port; defaults to 8139. # # $server_config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. # # $server_foreman_facts:: Should foreman receive facts from puppet # # $server_foreman:: Should foreman integration be installed # # $server_foreman_url:: Foreman URL # # $server_foreman_ssl_ca:: SSL CA of the Foreman server # # $server_foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $server_foreman_ssl_key:: Key for authenticating against Foreman server # # $server_puppet_basedir:: Where is the puppet code base located # # $server_request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $server_environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $server_envs_dir:: Directory that holds puppet environments # # $server_envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $server_jvm_java_bin:: Set the default java to use. # # $server_jvm_config:: Specify the puppetserver jvm configuration file. # # $server_jvm_min_heap_size:: Specify the minimum jvm heap space. # # $server_jvm_max_heap_size:: Specify the maximum jvm heap space. # # $server_jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $server_jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $server_jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. # default to ['$1'] # # $server_default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $server_default_manifest_path:: A string setting the path to the default_manifest # # $server_default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $server_package:: Custom package name for puppet master # # $server_version:: Custom package version for puppet master # # $server_ssl_dir:: SSL directory # # $server_ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $server_ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $server_puppetserver_vardir:: The path of the puppetserver var dir # # $server_puppetserver_rundir:: The path of the puppetserver run dir # # $server_puppetserver_logdir:: The path of the puppetserver log dir # # $server_puppetserver_dir:: The path of the puppetserver config dir # # $server_puppetserver_version:: The version of puppetserver installed (or being installed) # Unfortunately, different versions of puppetserver need # configuring differently. The default is derived from the # installed puppet version. Generally it's not needed to # override this but when upgrading it might be. # # $server_max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $server_max_requests_per_instance:: Max number of requests a jruby instances will handle. Defaults to 0 (disabled) # # $server_max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a # JRuby from the pool. (Puppetserver 5.x only) # Defaults to 0 (disabled) for Puppetserver >= 5.0 # # $server_max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on # 503 responses returned when max-queued-requests is enabled. (Puppetserver 5.x only) # Defaults to 1800 for Puppetserver >= 5.0 # # $server_multithreaded:: Use multithreaded jruby. (Puppetserver >= 6.8 only). Defaults to false. # # $server_idle_timeout:: How long the server will wait for a response on an existing connection # # $server_connect_timeout:: How long the server will wait for a response to a connection attempt # # $server_ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $server_ssl_chain_filepath:: Path to certificate chain for puppetserver # Only used when $ca is true # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $server_cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $server_ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $server_ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $server_admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $server_ca_client_self_delete:: Adds a rule to auth.conf, that allows a client to delete its own certificate # Defaults to false # # $server_use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) # Note that Puppetserver 7 has dropped this option. # # $server_check_for_updates:: Should the puppetserver phone home to check for available updates? # Defaults to true # # $server_post_hook_content:: Which template to use for git post hook # # $server_post_hook_name:: Name of a git hook # # $server_environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the # environment_classes API. # Defaults to false # # $server_allow_header_cert_info:: Enable client authentication over HTTP Headers # Defaults to false, is also activated by the $server_http setting # # $server_web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has # completed. # Defaults to 30000, using the Jetty default of 30s # # $server_puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $server_puppetserver_metrics:: Enable puppetserver http-client metrics # Defaults to false because that's the Puppet Inc. default behaviour. # # $server_puppetserver_profiler:: Enable JRuby profiling. # Defaults to false because that's the Puppet Inc. default behaviour. # # $server_metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $server_metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $server_metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $server_metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $server_metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $server_metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $server_metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $server_puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $server_puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf # # $server_puppetserver_trusted_agents:: Certificate names of puppet agents that are allowed to fetch *all* catalogs # Defaults to [] and all agents are only allowed to fetch their own catalogs. # # $server_puppetserver_trusted_certificate_extensions:: An array of hashes of certificate extensions and values to be used in auth.conf # A puppet client certificate containing valid extension(s) will be allowed to fetch # *any* catalog. # Defaults to [] and no certificate extensions are recognised as being allowed # to fetch *any* catalog. # Example: [{ 'pp_authorization' => 'catalog' }] # Any client certificate containing the `pp_authorization` extension with value `catalog` # will be permitted to fetch any catalog. # Complicated example: [ # { '1.3.6.1.4.1.34380.1.3.1' => 'catalog' }, # { '1.3.6.1.4.1.34380.1.1.13' => 'jenkins_server', '1.3.6.1.4.1.34380.1.1.24' => 'prod' } # ] # Clients presenting a certificate with `pp_authorization = catalog` *or* with `pp_role` # *and* `pp_apptier` extensions set # correctly will be authorized to fetch any catalog. # NB. If server_ca == false, use oids instead of extension shortnames. # See https://tickets.puppetlabs.com/browse/SERVER-1689 # # $server_compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. # Defaults to undef (off). # # $server_parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # $server_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for unencrypted HTTP traffic. If not provided, the webserver # defaults to the number of virtual cores on the host divided by 8, with a minimum # of 1 and maximum of 4. # # $server_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for unencrypted HTTPS traffic. If not provided, # the webserver defaults to the minimum of: virtual cores on the host divided by 2 # or max-threads divided by 16, with a minimum of 1. # # $server_max_threads:: This sets the maximum number of threads assigned to responding to HTTP and/or # HTTPS requests for a single webserver, effectively changing how many # concurrent requests can be made at one time. If not provided, the # webserver defaults to 200. # # $server_ssl_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for encrypted HTTPS traffic. If not provided, defaults to # the number of virtual cores on the host divided by 8, with a minimum of 1 and maximum of 4. # # $server_ssl_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for encrypted HTTPS traffic. Defaults to the number of # virtual cores on the host divided by 2, with a minimum of 1 and maximum of 4. # The number of selector threads actually used by Jetty is twice the number of selectors # requested. For example, if a value of 3 is specified for the ssl-selector-threads setting, # Jetty will actually use 6 selector threads. # # $server_ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $server_ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # Defaults to false # # $server_ca_enable_infra_crl:: Enable the separate CRL for Puppet infrastructure nodes # Defaults to false # # $server_max_open_files:: Increase the max open files limit for Puppetserver. # Defaults to undef # # $server_versioned_code_id:: The path to an executable script that Puppet Server invokes to generate a code_id # Defaults to undef # # $server_versioned_code_content:: Contains the path to an executable script that Puppet Server # invokes when on static_file_content requests. # Defaults to undef # # === Usage: # # * Simple usage: # # include puppet # # * Installing a puppetmaster # # class {'puppet': # server => true, # } # # * Advanced usage: # # class {'puppet': # agent_noop => true, # version => '6.11.0-1', # } # class puppet ( String $version = $puppet::params::version, String $user = $puppet::params::user, String $group = $puppet::params::group, Stdlib::Absolutepath $dir = $puppet::params::dir, Stdlib::Absolutepath $codedir = $puppet::params::codedir, Stdlib::Absolutepath $vardir = $puppet::params::vardir, Stdlib::Absolutepath $logdir = $puppet::params::logdir, Stdlib::Absolutepath $rundir = $puppet::params::rundir, Stdlib::Absolutepath $ssldir = $puppet::params::ssldir, Stdlib::Absolutepath $sharedir = $puppet::params::sharedir, Variant[Boolean, Enum['server', 'agent']] $manage_packages = $puppet::params::manage_packages, Optional[String] $dir_owner = $puppet::params::dir_owner, Optional[String] $dir_group = $puppet::params::dir_group, Optional[String] $package_provider = $puppet::params::package_provider, Optional[Variant[String,Hash]] $package_install_options = $puppet::params::package_install_options, Optional[Variant[Stdlib::Absolutepath, Stdlib::HTTPUrl]] $package_source = $puppet::params::package_source, Integer[0, 65535] $port = $puppet::params::port, Boolean $pluginsync = $puppet::params::pluginsync, Boolean $splay = $puppet::params::splay, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $splaylimit = $puppet::params::splaylimit, Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::params::autosign, Array[String] $autosign_entries = $puppet::params::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $puppet::params::autosign_mode, Optional[String] $autosign_content = $puppet::params::autosign_content, Optional[String] $autosign_source = $puppet::params::autosign_source, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $runinterval = $puppet::params::runinterval, Boolean $usecacheonfailure = $puppet::params::usecacheonfailure, Enum['cron', 'service', 'systemd.timer', 'none', 'unmanaged'] $runmode = $puppet::params::runmode, Optional[Integer[0,23]] $run_hour = undef, Optional[Integer[0,59]] $run_minute = undef, Array[Enum['cron', 'service', 'systemd.timer', 'none']] $unavailable_runmodes = $puppet::params::unavailable_runmodes, Optional[String] $cron_cmd = $puppet::params::cron_cmd, Optional[String] $systemd_cmd = $puppet::params::systemd_cmd, Integer[0] $systemd_randomizeddelaysec = $puppet::params::systemd_randomizeddelaysec, Boolean $agent_noop = $puppet::params::agent_noop, Boolean $show_diff = $puppet::params::show_diff, Optional[Stdlib::HTTPUrl] $module_repository = $puppet::params::module_repository, Optional[Integer[0]] $http_connect_timeout = $puppet::params::http_connect_timeout, Optional[Integer[0]] $http_read_timeout = $puppet::params::http_read_timeout, Optional[Variant[String, Boolean]] $ca_server = $puppet::params::ca_server, Optional[Integer[0, 65535]] $ca_port = $puppet::params::ca_port, Optional[String] $ca_crl_filepath = $puppet::params::ca_crl_filepath, Optional[String] $prerun_command = $puppet::params::prerun_command, Optional[String] $postrun_command = $puppet::params::postrun_command, Array[String] $dns_alt_names = $puppet::params::dns_alt_names, Boolean $use_srv_records = $puppet::params::use_srv_records, Optional[String] $srv_domain = $puppet::params::srv_domain, String $pluginsource = $puppet::params::pluginsource, String $pluginfactsource = $puppet::params::pluginfactsource, Hash[String, Data] $additional_settings = $puppet::params::additional_settings, Hash[String, Data] $agent_additional_settings = $puppet::params::agent_additional_settings, Optional[String] $agent_restart_command = $puppet::params::agent_restart_command, String $classfile = $puppet::params::classfile, String $hiera_config = $puppet::params::hiera_config, String $auth_template = $puppet::params::auth_template, Boolean $allow_any_crl_auth = $puppet::params::allow_any_crl_auth, Array[String] $auth_allowed = $puppet::params::auth_allowed, Variant[String, Array[String]] $client_package = $puppet::params::client_package, Boolean $agent = $puppet::params::agent, - Boolean $remove_lock = $puppet::params::remove_lock, Boolean $report = $puppet::params::report, Variant[String, Boolean] $client_certname = $puppet::params::client_certname, Optional[String] $puppetmaster = $puppet::params::puppetmaster, String $systemd_unit_name = $puppet::params::systemd_unit_name, String $service_name = $puppet::params::service_name, Optional[String] $syslogfacility = $puppet::params::syslogfacility, String $environment = $puppet::params::environment, Boolean $server = $puppet::params::server, Array[String] $server_admin_api_whitelist = $puppet::params::server_admin_api_whitelist, Boolean $server_manage_user = $puppet::params::manage_user, String $server_user = $puppet::params::user, String $server_group = $puppet::params::group, String $server_dir = $puppet::params::dir, String $server_ip = $puppet::params::ip, Integer $server_port = $puppet::params::port, Boolean $server_ca = $puppet::params::server_ca, Boolean $server_ca_crl_sync = $puppet::params::server_ca_crl_sync, Optional[Boolean] $server_crl_enable = $puppet::params::server_crl_enable, Boolean $server_ca_auth_required = $puppet::params::server_ca_auth_required, Boolean $server_ca_client_self_delete = $puppet::params::server_ca_client_self_delete, Array[String] $server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $server_custom_trusted_oid_mapping = $puppet::params::server_custom_trusted_oid_mapping, Boolean $server_http = $puppet::params::server_http, Integer $server_http_port = $puppet::params::server_http_port, String $server_reports = $puppet::params::server_reports, Optional[Stdlib::Absolutepath] $server_puppetserver_dir = $puppet::params::server_puppetserver_dir, Optional[Stdlib::Absolutepath] $server_puppetserver_vardir = $puppet::params::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $server_puppetserver_rundir = $puppet::params::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $server_puppetserver_logdir = $puppet::params::server_puppetserver_logdir, Optional[Pattern[/^[\d]\.[\d]+\.[\d]+$/]] $server_puppetserver_version = $puppet::params::server_puppetserver_version, Variant[Undef, String[0], Stdlib::Absolutepath] $server_external_nodes = $puppet::params::server_external_nodes, Optional[Stdlib::Absolutepath] $server_trusted_external_command = $puppet::params::server_trusted_external_command, Array[String] $server_cipher_suites = $puppet::params::server_cipher_suites, Optional[String] $server_config_version = $puppet::params::server_config_version, Integer[0] $server_connect_timeout = $puppet::params::server_connect_timeout, Boolean $server_git_repo = $puppet::params::server_git_repo, Boolean $server_default_manifest = $puppet::params::server_default_manifest, Stdlib::Absolutepath $server_default_manifest_path = $puppet::params::server_default_manifest_path, String $server_default_manifest_content = $puppet::params::server_default_manifest_content, String $server_environments_owner = $puppet::params::server_environments_owner, Optional[String] $server_environments_group = $puppet::params::server_environments_group, Pattern[/^[0-9]{3,4}$/] $server_environments_mode = $puppet::params::server_environments_mode, Stdlib::Absolutepath $server_envs_dir = $puppet::params::server_envs_dir, Optional[Stdlib::Absolutepath] $server_envs_target = $puppet::params::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $server_common_modules_path = $puppet::params::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $server_git_repo_mode = $puppet::params::server_git_repo_mode, Stdlib::Absolutepath $server_git_repo_path = $puppet::params::server_git_repo_path, String $server_git_repo_group = $puppet::params::server_git_repo_group, String $server_git_repo_user = $puppet::params::server_git_repo_user, Hash[String, String] $server_git_branch_map = $puppet::params::server_git_branch_map, Integer[0] $server_idle_timeout = $puppet::params::server_idle_timeout, String $server_post_hook_content = $puppet::params::server_post_hook_content, String $server_post_hook_name = $puppet::params::server_post_hook_name, Boolean $server_storeconfigs = $puppet::params::server_storeconfigs, Array[Stdlib::Absolutepath] $server_ruby_load_paths = $puppet::params::server_ruby_load_paths, Stdlib::Absolutepath $server_ssl_dir = $puppet::params::server_ssl_dir, Boolean $server_ssl_dir_manage = $puppet::params::server_ssl_dir_manage, Boolean $server_ssl_key_manage = $puppet::params::server_ssl_key_manage, Array[String] $server_ssl_protocols = $puppet::params::server_ssl_protocols, Optional[Stdlib::Absolutepath] $server_ssl_chain_filepath = $puppet::params::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $server_package = $puppet::params::server_package, Optional[String] $server_version = $puppet::params::server_version, String $server_certname = $puppet::params::server_certname, Integer[0] $server_request_timeout = $puppet::params::server_request_timeout, Boolean $server_strict_variables = $puppet::params::server_strict_variables, Hash[String, Data] $server_additional_settings = $puppet::params::server_additional_settings, Boolean $server_foreman = $puppet::params::server_foreman, Stdlib::HTTPUrl $server_foreman_url = $puppet::params::server_foreman_url, Optional[Stdlib::Absolutepath] $server_foreman_ssl_ca = $puppet::params::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $server_foreman_ssl_cert = $puppet::params::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $server_foreman_ssl_key = $puppet::params::server_foreman_ssl_key, Boolean $server_foreman_facts = $puppet::params::server_foreman_facts, Optional[Stdlib::Absolutepath] $server_puppet_basedir = $puppet::params::server_puppet_basedir, Enum['current', 'future'] $server_parser = $puppet::params::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $server_environment_timeout = $puppet::params::server_environment_timeout, String $server_jvm_java_bin = $puppet::params::server_jvm_java_bin, String $server_jvm_config = $puppet::params::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $server_jvm_min_heap_size = $puppet::params::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $server_jvm_max_heap_size = $puppet::params::server_jvm_max_heap_size, Optional[Variant[String,Array[String]]] $server_jvm_extra_args = $puppet::params::server_jvm_extra_args, Optional[String] $server_jvm_cli_args = $puppet::params::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $server_jruby_gem_home = $puppet::params::server_jruby_gem_home, Integer[1] $server_max_active_instances = $puppet::params::server_max_active_instances, Integer[0] $server_max_requests_per_instance = $puppet::params::server_max_requests_per_instance, Integer[0] $server_max_queued_requests = $puppet::params::server_max_queued_requests, Integer[0] $server_max_retry_delay = $puppet::params::server_max_retry_delay, Boolean $server_multithreaded = $puppet::params::server_multithreaded, Boolean $server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf, Boolean $server_check_for_updates = $puppet::params::server_check_for_updates, Boolean $server_environment_class_cache_enabled = $puppet::params::server_environment_class_cache_enabled, Boolean $server_allow_header_cert_info = $puppet::params::server_allow_header_cert_info, Integer[0] $server_web_idle_timeout = $puppet::params::server_web_idle_timeout, Boolean $server_puppetserver_jruby9k = $puppet::params::server_puppetserver_jruby9k, Boolean $server_puppetserver_metrics = false, Boolean $server_puppetserver_profiler = false, Boolean $server_metrics_jmx_enable = $puppet::params::server_metrics_jmx_enable, Boolean $server_metrics_graphite_enable = $puppet::params::server_metrics_graphite_enable, String $server_metrics_graphite_host = $puppet::params::server_metrics_graphite_host, Integer $server_metrics_graphite_port = $puppet::params::server_metrics_graphite_port, String $server_metrics_server_id = $puppet::params::server_metrics_server_id, Integer $server_metrics_graphite_interval = $puppet::params::server_metrics_graphite_interval, Optional[Array] $server_metrics_allowed = $puppet::params::server_metrics_allowed, Boolean $server_puppetserver_experimental = $puppet::params::server_puppetserver_experimental, Optional[String[1]] $server_puppetserver_auth_template = $puppet::params::server_puppetserver_auth_template, Array[String] $server_puppetserver_trusted_agents = $puppet::params::server_puppetserver_trusted_agents, Array[Hash] $server_puppetserver_trusted_certificate_extensions = $puppet::params::server_puppetserver_trusted_certificate_extensions, Optional[Enum['off', 'jit', 'force']] $server_compile_mode = $puppet::params::server_compile_mode, Optional[Integer[1]] $server_acceptor_threads = undef, Optional[Integer[1]] $server_selector_threads = undef, Optional[Integer[1]] $server_ssl_acceptor_threads = undef, Optional[Integer[1]] $server_ssl_selector_threads = undef, Optional[Integer[1]] $server_max_threads = undef, Boolean $server_ca_allow_sans = $puppet::params::server_ca_allow_sans, Boolean $server_ca_allow_auth_extensions = $puppet::params::server_ca_allow_auth_extensions, Boolean $server_ca_enable_infra_crl = $puppet::params::server_ca_enable_infra_crl, Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files, Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef, Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef, ) inherits puppet::params { contain puppet::config if $agent == true { contain puppet::agent } if $server == true { contain puppet::server } # Ensure the server is running before the agent needs it, and that # certificates are generated in the server config (if enabled) if $server == true and $agent == true { Class['puppet::server'] -> Class['puppet::agent::service'] } } diff --git a/manifests/params.pp b/manifests/params.pp index 2c81362..865f64a 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,442 +1,441 @@ # Default parameters # @api private class puppet::params { # Basic config $version = 'present' $manage_user = true $user = 'puppet' $group = 'puppet' $ip = '0.0.0.0' $port = 8140 $pluginsync = true $splay = false $splaylimit = 1800 $runinterval = 1800 $runmode = 'service' $report = true # Not defined here as the commands depend on module parameter "dir" $cron_cmd = undef $systemd_cmd = undef $agent_noop = false $show_diff = false $module_repository = undef $hiera_config = '$confdir/hiera.yaml' $usecacheonfailure = true $ca_server = undef $ca_port = undef $ca_crl_filepath = undef $server_crl_enable = undef $prerun_command = undef $postrun_command = undef $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false if defined('$::domain') { $srv_domain = $facts['networking']['domain'] } else { $srv_domain = undef } # lint:ignore:puppet_url_without_modules $pluginsource = 'puppet:///plugins' $pluginfactsource = 'puppet:///pluginfacts' # lint:endignore $classfile = '$statedir/classes.txt' $syslogfacility = undef $environment = $::environment # aio_agent_version is a core fact that's empty on non-AIO $aio_package = fact('aio_agent_version') =~ String[1] $systemd_randomizeddelaysec = 0 case $facts['os']['family'] { 'Windows' : { # Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end $dir_prefix = 'C:/ProgramData/PuppetLabs/puppet' $dir = "${dir_prefix}/etc" $codedir = "${dir_prefix}/etc" $logdir = "${dir_prefix}/var/log" $rundir = "${dir_prefix}/var/run" $ssldir = "${dir_prefix}/etc/ssl" $vardir = "${dir_prefix}/var" $sharedir = "${dir_prefix}/share" $bindir = "${dir_prefix}/bin" $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } /^(FreeBSD|DragonFly)$/ : { $dir = '/usr/local/etc/puppet' $codedir = '/usr/local/etc/puppet' $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/puppet/ssl' $vardir = '/var/puppet' $sharedir = '/usr/local/share/puppet' $bindir = '/usr/local/bin' $root_group = undef $server_puppetserver_dir = '/usr/local/etc/puppetserver' $server_puppetserver_vardir = '/var/puppet/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetserver' $server_puppetserver_logdir = '/var/log/puppetserver' if fact('ruby') { $ruby_gem_dir = regsubst($facts['ruby']['version'], '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$facts['ruby']['sitedir'], "${ruby_gem_dir}/facter-${facts['facterversion']}/lib"] } else { # On FreeBSD 11 the ruby fact doesn't resolve - at least in facterdb # lint:ignore:legacy_facts $ruby_gem_dir = regsubst($facts['rubyversion'], '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$facts['rubysitedir'], "${ruby_gem_dir}/facter-${facts['facterversion']}/lib"] # lint:endignore } $server_jruby_gem_home = '/var/puppet/server/data/puppetserver/jruby-gems' } 'Archlinux' : { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/usr/bin' $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } default : { if $aio_package { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/opt/puppetlabs/bin' $server_puppetserver_dir = '/etc/puppetlabs/puppetserver' $server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetlabs/puppetserver' $server_puppetserver_logdir = '/var/log/puppetlabs/puppetserver' $server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby'] $server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems' } else { $dir = '/etc/puppet' $codedir = $facts['os']['family'] ? { 'Debian' => '/etc/puppet/code', default => '/etc/puppet', } $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/lib/puppet/ssl' $vardir = '/var/lib/puppet' $sharedir = '/usr/share/puppet' $bindir = '/usr/bin' $server_puppetserver_dir = '/etc/puppetserver' $server_puppetserver_vardir = $vardir $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = '/var/lib/puppet/jruby-gems' } $root_group = undef } } $http_connect_timeout = undef $http_read_timeout = undef $autosign = "${dir}/autosign.conf" $autosign_entries = [] $autosign_mode = '0664' $autosign_content = undef $autosign_source = undef $puppet_cmd = "${bindir}/puppet" $puppetserver_cmd = "${bindir}/puppetserver" $manage_packages = true if $facts['os']['family'] == 'Windows' { $dir_owner = undef $dir_group = undef } else { $dir_owner = 'root' $dir_group = $root_group } $package_provider = $facts['os']['family'] ? { 'windows' => 'chocolatey', default => undef, } $package_source = undef $package_install_options = undef # Need your own config templates? Specify here: $auth_template = 'puppet/auth.conf.erb' # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false # Authenticated nodes to allow $auth_allowed = ['$1'] # Will this host be a puppet agent ? $agent = true - $remove_lock = true $client_certname = $::clientcert if defined('$::puppetmaster') { $puppetmaster = $::puppetmaster } else { $puppetmaster = undef } # Hashes containing additional settings $additional_settings = {} $agent_additional_settings = {} $server_additional_settings = {} # Will this host be a puppetmaster? $server = false $server_ca = true $server_ca_crl_sync = false $server_reports = 'foreman' $server_external_nodes = "${dir}/node.rb" $server_trusted_external_command = undef $server_request_timeout = 60 $server_certname = $::clientcert $server_strict_variables = false $server_http = false $server_http_port = 8139 # Need a new master template for the server? $server_template = 'puppet/server/puppet.conf.erb' # Template for server settings in [main] $server_main_template = 'puppet/server/puppet.conf.main.erb' # The script that is run to determine the reported manifest version. Undef # means we determine it in server.pp $server_config_version = undef # Set 'false' for static environments, or 'true' for git-based workflow $server_git_repo = false # Git branch to puppet env mapping for the post receive hook $server_git_branch_map = {} # Owner of the environments dir: for cases external service needs write # access to manage it. $server_environments_owner = $user $server_environments_group = $root_group $server_environments_mode = '0755' # Where we store our puppet environments $server_envs_dir = "${codedir}/environments" $server_envs_target = undef # Modules in this directory would be shared across all environments $server_common_modules_path = unique(["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules']) # Dynamic environments config, ignore if the git_repo is 'false' # Path to the repository $server_git_repo_path = "${vardir}/puppet.git" # mode of the repository $server_git_repo_mode = '0755' # user of the repository $server_git_repo_user = $user # group of the repository $server_git_repo_group = $user # Override these if you need your own hooks $server_post_hook_content = 'puppet/server/post-receive.erb' $server_post_hook_name = 'post-receive' $server_custom_trusted_oid_mapping = undef $server_storeconfigs = false $puppet_major = regsubst($::puppetversion, '^(\d+)\..*$', '\1') if ($facts['os']['family'] =~ /(FreeBSD|DragonFly)/ and versioncmp($puppet_major, '5') >= 0) { $server_package = "puppetserver${puppet_major}" } else { $server_package = undef } $server_ssl_dir = $ssldir $server_version = undef if $aio_package { $client_package = ['puppet-agent'] } elsif ($facts['os']['family'] =~ /(FreeBSD|DragonFly)/) { $client_package = ["puppet${puppet_major}"] } else { $client_package = ['puppet'] } # Puppet service name $service_name = 'puppet' # Puppet onedshot systemd service and timer name $systemd_unit_name = 'puppet-run' # Mechanisms to manage and reload/restart the agent # If supported on the OS, reloading is prefered since it does not kill a currently active puppet run case $facts['os']['family'] { 'Debian' : { $agent_restart_command = "/usr/sbin/service ${service_name} reload" $unavailable_runmodes = [] } 'Redhat' : { # PSBM is a CentOS 6 based distribution # it reports its $osreleasemajor as 2, not 6. # thats why we're matching for '2' in both parts # Amazon Linux is like RHEL6 but reports its osreleasemajor as 2017 or 2018. $agent_restart_command = $facts['os']['release']['major'] ? { /^(2|5|6|2017|2018)$/ => "/sbin/service ${service_name} reload", '7' => "/usr/bin/systemctl reload-or-restart ${service_name}", default => undef, } $unavailable_runmodes = $facts['os']['release']['major'] ? { /^(2|5|6|2017|2018)$/ => ['systemd.timer'], default => [], } } 'Windows': { $agent_restart_command = undef $unavailable_runmodes = ['cron', 'systemd.timer'] } 'Archlinux': { $agent_restart_command = "/usr/bin/systemctl reload-or-restart ${service_name}" $unavailable_runmodes = ['cron'] } default : { $agent_restart_command = undef $unavailable_runmodes = ['systemd.timer'] } } # Foreman parameters $lower_fqdn = downcase($facts['networking']['fqdn']) $server_foreman = true $server_foreman_facts = true $server_puppet_basedir = $aio_package ? { true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet', false => undef, } $server_foreman_url = "https://${lower_fqdn}" $server_foreman_ssl_ca = undef $server_foreman_ssl_cert = undef $server_foreman_ssl_key = undef # Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser $server_parser = 'current' # Timeout for cached environments, changed in puppet 3.7.x $server_environment_timeout = undef # puppet server configuration file $server_jvm_config = $facts['os']['family'] ? { 'RedHat' => '/etc/sysconfig/puppetserver', 'Debian' => '/etc/default/puppetserver', default => '/etc/default/puppetserver', } $server_jvm_java_bin = '/usr/bin/java' $server_jvm_extra_args = undef $server_jvm_cli_args = undef # This is some very trivial "tuning". See the puppet reference: # https://docs.puppet.com/puppetserver/latest/tuning_guide.html $mem_in_mb = $facts['memory']['system']['total_bytes'] / 1024 / 1024 if $mem_in_mb >= 3072 { $server_jvm_min_heap_size = '2G' $server_jvm_max_heap_size = '2G' $server_max_active_instances = min(abs($facts['processors']['count']), 4) } elsif $mem_in_mb >= 1024 { $server_max_active_instances = 1 $server_jvm_min_heap_size = '1G' $server_jvm_max_heap_size = '1G' } else { # VMs with 1GB RAM and a crash kernel enabled usually have an effective 992MB RAM $server_max_active_instances = 1 $server_jvm_min_heap_size = '768m' $server_jvm_max_heap_size = '768m' } $server_ssl_dir_manage = true $server_ssl_key_manage = true $server_default_manifest = false $server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp' $server_default_manifest_content = '' # lint:ignore:empty_string_assignment $server_max_requests_per_instance = 0 $server_max_queued_requests = 0 $server_max_retry_delay = 1800 $server_multithreaded = false $server_idle_timeout = 1200000 $server_web_idle_timeout = 30000 $server_connect_timeout = 120000 $server_ca_auth_required = true $server_ca_client_self_delete = false $server_admin_api_whitelist = [ 'localhost', $lower_fqdn ] $server_ca_client_whitelist = [ 'localhost', $lower_fqdn ] $server_cipher_suites = [ 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', ] $server_ssl_protocols = [ 'TLSv1.2' ] $server_ssl_chain_filepath = undef $server_check_for_updates = true $server_environment_class_cache_enabled = false $server_allow_header_cert_info = false $server_ca_allow_sans = false $server_ca_allow_auth_extensions = false $server_ca_enable_infra_crl = false $server_max_open_files = undef $server_puppetserver_version = undef # Puppetserver 5.x Which auth.conf shall we use? $server_use_legacy_auth_conf = false # For Puppetserver 5, use JRuby 9k? $server_puppetserver_jruby9k = false # this switch also controls Ruby profiling, by default disabled for Puppetserver 2.x, enabled for 5.x $server_puppetserver_metrics = undef # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false $server_metrics_graphite_host = '127.0.0.1' $server_metrics_graphite_port = 2003 $server_metrics_server_id = $lower_fqdn $server_metrics_graphite_interval = 5 $server_metrics_allowed = undef # For Puppetserver 5, should the /puppet/experimental route be enabled? $server_puppetserver_experimental = true # For custom auth.conf settings allow passing in a template $server_puppetserver_auth_template = undef # Normally agents can only fetch their own catalogs. If you want some nodes to be able to fetch *any* catalog, add them here. $server_puppetserver_trusted_agents = [] $server_puppetserver_trusted_certificate_extensions = [] } diff --git a/spec/classes/puppet_agent_spec.rb b/spec/classes/puppet_agent_spec.rb index c17967f..8ece8ef 100644 --- a/spec/classes/puppet_agent_spec.rb +++ b/spec/classes/puppet_agent_spec.rb @@ -1,434 +1,404 @@ require 'spec_helper' describe 'puppet' do on_supported_os.each do |os, facts| context "on #{os}" do case facts[:osfamily] when 'FreeBSD' puppet_major = facts[:puppetversion].to_i bindir = '/usr/local/bin' client_package = "puppet#{puppet_major}" confdir = '/usr/local/etc/puppet' package_provider = nil when 'windows' bindir = 'C:/ProgramData/PuppetLabs/puppet/bin' client_package = 'puppet-agent' confdir = 'C:/ProgramData/PuppetLabs/puppet/etc' package_provider = 'chocolatey' when 'Archlinux' bindir = '/usr/bin' client_package = 'puppet' confdir = '/etc/puppetlabs/puppet' package_provider = nil else bindir = '/opt/puppetlabs/bin' client_package = 'puppet-agent' confdir = '/etc/puppetlabs/puppet' package_provider = nil end let(:facts) do # Cron/systemd timers are based on the IP - make it consistent override_facts(facts, networking: {ip: '192.0.2.100'}) end let :params do { agent: true } end describe 'with no custom parameters' do # For windows we specify a package provider which doesn't compile if facts[:osfamily] != 'windows' it { is_expected.to compile.with_all_deps } end # install it do is_expected.to contain_class('puppet::agent::install') .with_manage_packages(true) .with_package_name([client_package]) .with_package_version('present') .with_package_provider(package_provider) .with_package_source(nil) .that_notifies(['Class[puppet::agent::config]', 'Class[puppet::agent::service]']) end it do is_expected.to contain_package(client_package) .with_ensure('present') .with_provider(package_provider) .with_source(nil) .with_install_options(nil) end # config it { is_expected.to contain_class('puppet::agent::config').that_notifies('Class[puppet::agent::service]') } it { is_expected.to contain_file(confdir).with_ensure('directory') } it { is_expected.to contain_concat("#{confdir}/puppet.conf") } it { is_expected.to contain_concat__fragment('puppet.conf_agent').with_content(/^\[agent\]/) } it { is_expected.to contain_puppet__config__agent('report').with_value('true') } it { is_expected.not_to contain_puppet__config__agent('prerun_command') } it { is_expected.not_to contain_puppet__config__agent('postrun_command') } - if facts[:osfamily] == 'Debian' - it do - is_expected.to contain_augeas('puppet::set_start') - .with_context('/files/etc/default/puppet') - .with_changes('set START yes') - .with_incl('/etc/default/puppet') - .with_lens('Shellvars.lns') - end - it { is_expected.to contain_file('/var/lib/puppet/state/agent_disabled.lock').with_ensure(:absent) } - end - # service it { is_expected.to contain_class('puppet::agent::service') } it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(true) } it do is_expected.to contain_service('puppet') .with_ensure('running') .with_name('puppet') .with_hasstatus('true') .with_enable('true') end it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(false) } if os =~ /\A(windows|archlinux)/ it { is_expected.not_to contain_cron('puppet') } else it { is_expected.to contain_cron('puppet').with_ensure('absent') } end it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) } case os when /\Adebian-/, /\A(redhat|centos|scientific)-(7|8)/, /\Afedora-/, /\Aubuntu-/, /\Aarchlinux-/ it do is_expected.to contain_service('puppet-run.timer') .with_ensure(false) .with_provider('systemd') .with_name('puppet-run.timer') .with_enable(false) end it { is_expected.to contain_file('/etc/systemd/system/puppet-run.timer').with_ensure(:absent) } it { is_expected.to contain_file('/etc/systemd/system/puppet-run.service').with_ensure(:absent) } else it { is_expected.not_to contain_service('puppet-run.timer') } it { is_expected.not_to contain_file('/etc/systemd/system/puppet-run.timer') } it { is_expected.not_to contain_file('/etc/systemd/system/puppet-run.service') } end end describe 'set prerun_command will be included in config' do let :params do super().merge(prerun_command: '/my/prerun') end it { is_expected.to contain_puppet__config__agent('prerun_command').with_value('/my/prerun') } end describe 'set postrun_command will be included in config' do let :params do super().merge(postrun_command: '/my/postrun') end it { is_expected.to contain_puppet__config__agent('postrun_command').with_value('/my/postrun') } end describe 'with additional settings' do let :params do super().merge(agent_additional_settings: { 'ignoreschedules' => true }) end it { is_expected.to contain_puppet__config__agent('ignoreschedules').with_value('true') } end context 'manage_packages' do describe 'when manage_packages => false' do let :params do super().merge(manage_packages: false) end it { is_expected.not_to contain_package(client_package) } end describe "when manage_packages => 'agent'" do let :params do super().merge(manage_packages: 'agent') end it { is_expected.to contain_package(client_package) } end describe "when manage_packages => 'server'" do let :params do super().merge(manage_packages: 'server') end it { is_expected.not_to contain_package(client_package) } end end context 'runmode' do describe 'when runmode => cron' do let :params do super().merge(runmode: 'cron') end case os when /\A(windows|archlinux)/ it { is_expected.to raise_error(Puppet::Error, /Runmode of cron not supported on #{facts[:kernel]} operating systems!/) } when /\Adebian-/, /\A(redhat|centos|scientific)-(7|8)/, /\Afedora-/, /\Aubuntu-/ it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat__fragment('puppet.conf_agent') } - if facts[:osfamily] == 'Debian' - it do - is_expected.to contain_augeas('puppet::set_start') - .with_context('/files/etc/default/puppet') - .with_changes('set START no') - .with_incl('/etc/default/puppet') - .with_lens('Shellvars.lns') - end - it { is_expected.to contain_file('/var/lib/puppet/state/agent_disabled.lock').with_ensure(:absent) } - end - it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(true) } it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) } it do is_expected.to contain_service('puppet') .with_ensure('stopped') .with_name('puppet') .with_hasstatus('true') .with_enable('false') end it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) } it { is_expected.to contain_service('puppet-run.timer').with_ensure(false) } it do is_expected.to contain_cron('puppet') .with_command("#{bindir}/puppet agent --config #{confdir}/puppet.conf --onetime --no-daemonize") .with_user('root') .with_minute(%w[10 40]) .with_hour('*') end else it { is_expected.to compile.with_all_deps } it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(true) } it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) } it { is_expected.not_to contain_service('puppet-run.timer') } it do is_expected.to contain_cron('puppet') .with_command("#{bindir}/puppet agent --config #{confdir}/puppet.conf --onetime --no-daemonize") .with_user('root') .with_minute(%w[10 40]) .with_hour('*') end end end describe 'when runmode => cron with specified time' do let :params do super().merge(runmode: 'cron', run_hour: 22, run_minute: 01 ) end case os when /\A(windows|archlinux)/ it { is_expected.to raise_error(Puppet::Error, /Runmode of cron not supported on #{facts[:kernel]} operating systems!/) } when /\Adebian-/, /\A(redhat|centos|scientific)-(7|8)/, /\Afedora-/, /\Aubuntu-/ it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(true) } it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) } it do is_expected.to contain_service('puppet') .with_ensure('stopped') .with_name('puppet') .with_hasstatus('true') .with_enable('false') end it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) } it { is_expected.to contain_service('puppet-run.timer').with_ensure(false) } it do is_expected.to contain_cron('puppet') .with_command("#{bindir}/puppet agent --config #{confdir}/puppet.conf --onetime --no-daemonize") .with_user('root') .with_minute('1') .with_hour('22') end else it { is_expected.to compile.with_all_deps } it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(true) } it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) } it { is_expected.not_to contain_service('puppet-run.timer') } it do is_expected.to contain_cron('puppet') .with_command("#{bindir}/puppet agent --config #{confdir}/puppet.conf --onetime --no-daemonize") .with_user('root') .with_minute('1') .with_hour('22') end end end describe 'when runmode => systemd.timer' do let :params do super().merge(runmode: 'systemd.timer') end case os when /\Adebian-/, /\A(redhat|centos|scientific)-(7|8)/, /\Afedora-/, /\Aubuntu-/, /\Aarchlinux-/ it { is_expected.to compile.with_all_deps } it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(true) } it { is_expected.to contain_service('puppet-run.timer').with_ensure(true) } it do is_expected.to contain_file('/etc/systemd/system/puppet-run.timer') .with_content(/.*OnCalendar\=\*-\*-\* \*\:10,40:00.*/) end it do is_expected.to contain_file('/etc/systemd/system/puppet-run.timer') .with_content(/^RandomizedDelaySec\=0$/) end it do is_expected.to contain_file('/etc/systemd/system/puppet-run.service') .with_content(%r{^ExecStart=#{bindir}/puppet agent --config #{confdir}/puppet.conf --onetime --no-daemonize --detailed-exitcode --no-usecacheonfailure$}) end it do is_expected.to contain_service('puppet-run.timer') .with_provider('systemd') .with_ensure(true) .with_name('puppet-run.timer') .with_enable(true) end else it { is_expected.to raise_error(Puppet::Error, /Runmode of systemd.timer not supported on #{facts[:kernel]} operating systems!/) } end end describe 'when runmode => systemd.timer with configured time' do let :params do super().merge(runmode: 'systemd.timer', run_hour: 22, run_minute: 01 ) end case os when /\Adebian-/, /\A(redhat|centos|scientific)-(7|8)/, /\Afedora-/, /\Aubuntu-/, /\Aarchlinux-/ it { is_expected.to compile.with_all_deps } it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(true) } it { is_expected.to contain_service('puppet-run.timer').with_ensure(true) } it do is_expected.to contain_file('/etc/systemd/system/puppet-run.timer') .with_content(/.*OnCalendar\=\*-\*-\* 22:1:00.*/) end it do is_expected.to contain_file('/etc/systemd/system/puppet-run.timer') .with_content(/^RandomizedDelaySec\=0$/) end it do is_expected.to contain_file('/etc/systemd/system/puppet-run.service') .with_content(%r{^ExecStart=#{bindir}/puppet agent --config #{confdir}/puppet.conf --onetime --no-daemonize --detailed-exitcode --no-usecacheonfailure$}) end it do is_expected.to contain_service('puppet-run.timer') .with_provider('systemd') .with_ensure(true) .with_name('puppet-run.timer') .with_enable(true) end else it { is_expected.to raise_error(Puppet::Error, /Runmode of systemd.timer not supported on #{facts[:kernel]} operating systems!/) } end end describe 'when runmode => none' do let :params do super().merge(runmode: 'none') end # For windows we specify a package provider which doesn't compile if facts[:osfamily] != 'windows' it { is_expected.to compile.with_all_deps } end it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) } case os when /\Adebian-/, /\A(redhat|centos|scientific)-(7|8)/, /\Afedora-/, /\Aubuntu-/, /\Aarchlinux-/ it { is_expected.to contain_service('puppet-run.timer').with_ensure(false) } else it { is_expected.not_to contain_service('puppet-run.timer') } end end describe 'when runmode => unmanaged' do let :params do super().merge(runmode: 'unmanaged') end # For windows we specify a package provider which doesn't compile if facts[:osfamily] != 'windows' it { is_expected.to compile.with_all_deps } end it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(false) } it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) } it { is_expected.not_to contain_cron('puppet') } it { is_expected.not_to contain_service('puppet') } it { is_expected.not_to contain_service('puppet-run.timer') } end end describe 'when unavailable_runmodes => ["cron"]' do let :params do super().merge(unavailable_runmodes: ['cron']) end it { is_expected.not_to contain_cron('puppet') } end describe 'with custom service_name' do let :params do super().merge(service_name: 'pe-puppet') end it { is_expected.to contain_service('puppet').with_name('pe-puppet') } end - context 'with remove_lock => false' do - let :params do - super().merge(remove_lock: false) - end - - it { should_not contain_file('/var/lib/puppet/state/agent_disabled.lock') } - end - context 'with report => false' do let :params do super().merge(report: false) end it { is_expected.to contain_puppet__config__agent('report').with_value('false') } end end end end