diff --git a/manifests/server.pp b/manifests/server.pp
index e260ec9..d601114 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,475 +1,475 @@ # == Class: puppet::server # # Sets up a puppet master. # # == puppet::server parameters # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $hiera_config:: The hiera configuration file. # # $user:: Name of the puppetmaster user. # # $group:: Name of the puppetmaster group. # # $dir:: Puppet configuration directory # # $ip:: Bind ip address of the puppetmaster # # $port:: Puppet master port # # $ca:: Provide puppet CA # # $ca_crl_filepath:: Path to ca_crl file # # $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to # be agents of the CA master (MOM) defaults to false # # $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults # to false # # $http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. Note that # the HTTP puppet master denies access from all clients by default, # allowed clients must be specified with $http_allow. # # $http_port:: Puppet master HTTP port; defaults to 8139. 
# # $http_allow:: Array of allowed clients for the HTTP puppet master. Passed # to Apache's 'Allow' directive. # # $reports:: List of report types to include on the puppetmaster # # $implementation:: Puppet master implementation, either "master" (traditional # Ruby) or "puppetserver" (JVM-based) # # $passenger:: If set to true, we will configure apache with # passenger. If set to false, we will enable the # default puppetmaster service unless # service_fallback is set to false. See 'Advanced # server parameters' for more information. # Only applicable when server_implementation is "master". # # $external_nodes:: External nodes classifier executable # # $git_repo:: Use git repository as a source of modules # # $dynamic_environments:: Use $environment in the modulepath # Deprecated when $directory_environments is true, # set $environments to [] instead. # # $directory_environments:: Enable directory environments, defaulting to true # with Puppet 3.6.0 or higher # # $environments:: Environments to setup (creates directories). # Applies only when $dynamic_environments # is false # # $environments_owner:: The owner of the environments directory # # $environments_group:: The group owning the environments directory # # $environments_mode:: Environments directory mode. # # $envs_dir:: Directory that holds puppet environments # # $envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $common_modules_path:: Common modules paths (only when # $git_repo_path and $dynamic_environments # are false) # # $git_repo_path:: Git repository path # # $git_repo_mode:: Git repository mode # # $git_repo_group:: Git repository group # # $git_repo_user:: Git repository user # # $git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $post_hook_content:: Which template to use for git post hook # # $post_hook_name:: Name of a git hook # # $storeconfigs_backend:: Do you use storeconfigs? 
(note: not required) # false if you don't, "active_record" for 2.X # style db, "puppetdb" for puppetdb # # $app_root:: Directory where the application lives # # $ssl_dir:: SSL directory # # $package:: Custom package name for puppet master # # $version:: Custom package version for puppet master # # $certname:: The name to use when handling certificates. # # $strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and # --vardir. The default is an empty array. # # $puppetdb_host:: PuppetDB host # # $puppetdb_port:: PuppetDB port # # $puppetdb_swf:: PuppetDB soft_write_failure # # $parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # === Advanced server parameters: # # $httpd_service:: Apache/httpd service name to notify # on configuration changes. Defaults # to 'httpd' based on the default # apache module included with foreman-installer. # # $service_fallback:: If passenger is not used, do we want to fallback # to using the puppetmaster service? Set to false # if you disabled passenger and you do NOT want to # use the puppetmaster service. Defaults to true. # # $passenger_min_instances:: The PassengerMinInstances parameter. Sets the # minimum number of application processes to run. # Defaults to the number of processors on your # system. # # $passenger_pre_start:: Pre-start the first passenger worker instance # process during httpd start. # # $passenger_ruby:: The PassengerRuby parameter. Sets the Ruby # interpreter for serving the puppetmaster rack # application. # # $config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. 
# # $server_foreman_facts:: Should foreman receive facts from puppet # # $foreman:: Should foreman integration be installed # # $foreman_url:: Foreman URL # # $foreman_ssl_ca:: SSL CA of the Foreman server # # $foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $foreman_ssl_key:: Key for authenticating against Foreman server # # $puppet_basedir:: Where is the puppet code base located # # $enc_api:: What version of enc script to deploy. Valid # values are 'v2' for latest, and 'v1' # for Foreman =< 1.2 # # $report_api:: What version of report processor to deploy. # Valid values are 'v2' for latest, and 'v1' # for Foreman =< 1.2 # # $request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $ca_proxy:: The actual server that handles puppet CA. # Setting this to anything non-empty causes # the apache vhost to set up a proxy for all # certificates pointing to the value. # # $jvm_java_bin:: Set the default java to use. # # $jvm_config:: Specify the puppetserver jvm configuration file. # # $jvm_min_heap_size:: Specify the minimum jvm heap space. # # $jvm_max_heap_size:: Specify the maximum jvm heap space. # # $jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. 
# default to ['$1'] # # $default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $default_manifest_path:: A string setting the path to the default_manifest # # $default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $puppetserver_vardir:: The path of the puppetserver var dir # # $puppetserver_dir:: The path of the puppetserver config dir # # $puppetserver_version:: The version of puppetserver 2 installed (or being installed) # Unfortunately, different versions of puppetserver need configuring differently, # and there's no easy way of determining which version is being installed. # Defaults to '2.3.1' but can be overriden if you're installing an older version. # # $max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled) # # $idle_timeout:: How long the server will wait for a response on an existing connection # # $connect_timeout:: How long the server will wait for a response to a connection attempt # # $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed. # Defaults to the Jetty default of 30s # # $ssl_protocols:: Array of SSL protocols to use. 
# Defaults to [ 'TLSv1.2' ] # # $ssl_chain_filepath:: Path to certificate chain for puppetserver # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) # # $allow_header_cert_info:: Allow client authentication over HTTP Headers # Defaults to false, is also activated by the $http setting # # $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? # Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? 
Defaults to true # class puppet::server( Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign, Array[String] $autosign_entries = $::puppet::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $::puppet::autosign_mode, Optional[String] $autosign_content = $::puppet::autosign_content, Optional[String] $autosign_source = $::puppet::autosign_source, String $hiera_config = $::puppet::hiera_config, Array[String] $admin_api_whitelist = $::puppet::server_admin_api_whitelist, String $user = $::puppet::server_user, String $group = $::puppet::server_group, String $dir = $::puppet::server_dir, Stdlib::Absolutepath $codedir = $::puppet::codedir, Integer $port = $::puppet::server_port, String $ip = $::puppet::server_ip, Boolean $ca = $::puppet::server_ca, Optional[String] $ca_crl_filepath = $::puppet::ca_crl_filepath, Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync, Optional[Boolean] $crl_enable = $::puppet::server_crl_enable, Boolean $ca_auth_required = $::puppet::server_ca_auth_required, Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist, Boolean $http = $::puppet::server_http, Integer $http_port = $::puppet::server_http_port, Array[String] $http_allow = $::puppet::server_http_allow, String $reports = $::puppet::server_reports, Enum['master', 'puppetserver'] $implementation = $::puppet::server_implementation, Boolean $passenger = $::puppet::server_passenger, Stdlib::Absolutepath $puppetserver_vardir = $::puppet::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $puppetserver_rundir = $::puppet::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $puppetserver_logdir = $::puppet::server_puppetserver_logdir, Stdlib::Absolutepath $puppetserver_dir = $::puppet::server_puppetserver_dir, Pattern[/^[\d]\.[\d]+\.[\d]+$/] $puppetserver_version = $::puppet::server_puppetserver_version, Boolean $service_fallback = $::puppet::server_service_fallback, Integer[0] $passenger_min_instances = 
$::puppet::server_passenger_min_instances, Boolean $passenger_pre_start = $::puppet::server_passenger_pre_start, Optional[String] $passenger_ruby = $::puppet::server_passenger_ruby, String $httpd_service = $::puppet::server_httpd_service, Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $::puppet::server_external_nodes, Array[String] $cipher_suites = $::puppet::server_cipher_suites, Optional[String] $config_version = $::puppet::server_config_version, Integer[0] $connect_timeout = $::puppet::server_connect_timeout, Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout, Boolean $git_repo = $::puppet::server_git_repo, Boolean $dynamic_environments = $::puppet::server_dynamic_environments, Boolean $directory_environments = $::puppet::server_directory_environments, Boolean $default_manifest = $::puppet::server_default_manifest, Stdlib::Absolutepath $default_manifest_path = $::puppet::server_default_manifest_path, String $default_manifest_content = $::puppet::server_default_manifest_content, Array[String] $environments = $::puppet::server_environments, String $environments_owner = $::puppet::server_environments_owner, Optional[String] $environments_group = $::puppet::server_environments_group, Pattern[/^[0-9]{3,4}$/] $environments_mode = $::puppet::server_environments_mode, Stdlib::Absolutepath $envs_dir = $::puppet::server_envs_dir, Optional[Stdlib::Absolutepath] $envs_target = $::puppet::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $::puppet::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $::puppet::server_git_repo_mode, Stdlib::Absolutepath $git_repo_path = $::puppet::server_git_repo_path, String $git_repo_group = $::puppet::server_git_repo_group, String $git_repo_user = $::puppet::server_git_repo_user, Hash[String, String] $git_branch_map = $::puppet::server_git_branch_map, Integer[0] $idle_timeout = $::puppet::server_idle_timeout, String $post_hook_content = 
$::puppet::server_post_hook_content, String $post_hook_name = $::puppet::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $storeconfigs_backend = $::puppet::server_storeconfigs_backend, Stdlib::Absolutepath $app_root = $::puppet::server_app_root, Array[Stdlib::Absolutepath] $ruby_load_paths = $::puppet::server_ruby_load_paths, Stdlib::Absolutepath $ssl_dir = $::puppet::server_ssl_dir, Boolean $ssl_dir_manage = $::puppet::server_ssl_dir_manage, Boolean $ssl_key_manage = $::puppet::server_ssl_key_manage, Array[String] $ssl_protocols = $::puppet::server_ssl_protocols, Optional[Stdlib::Absolutepath] $ssl_chain_filepath = $::puppet::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $package = $::puppet::server_package, Optional[String] $version = $::puppet::server_version, String $certname = $::puppet::server_certname, Enum['v2', 'v1'] $enc_api = $::puppet::server_enc_api, Enum['v2', 'v1'] $report_api = $::puppet::server_report_api, Integer[0] $request_timeout = $::puppet::server_request_timeout, Optional[String] $ca_proxy = $::puppet::server_ca_proxy, Boolean $strict_variables = $::puppet::server_strict_variables, Hash[String, Data] $additional_settings = $::puppet::server_additional_settings, Array[String] $rack_arguments = $::puppet::server_rack_arguments, Boolean $foreman = $::puppet::server_foreman, Stdlib::HTTPUrl $foreman_url = $::puppet::server_foreman_url, Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $::puppet::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $foreman_ssl_key = $::puppet::server_foreman_ssl_key, Boolean $server_foreman_facts = $::puppet::server_foreman_facts, Optional[Stdlib::Absolutepath] $puppet_basedir = $::puppet::server_puppet_basedir, Optional[String] $puppetdb_host = $::puppet::server_puppetdb_host, Integer[0, 65535] $puppetdb_port = $::puppet::server_puppetdb_port, Boolean $puppetdb_swf = 
$::puppet::server_puppetdb_swf, Enum['current', 'future'] $parser = $::puppet::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $::puppet::server_environment_timeout, String $jvm_java_bin = $::puppet::server_jvm_java_bin, String $jvm_config = $::puppet::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $::puppet::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $::puppet::server_jvm_max_heap_size, String $jvm_extra_args = $::puppet::server_jvm_extra_args, Optional[String] $jvm_cli_args = $::puppet::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $jruby_gem_home = $::puppet::server_jruby_gem_home, Integer[1] $max_active_instances = $::puppet::server_max_active_instances, Integer[0] $max_requests_per_instance = $::puppet::server_max_requests_per_instance, Boolean $use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $::puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $::puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $::puppet::server_allow_header_cert_info, Boolean $puppetserver_jruby9k = $::puppet::server_puppetserver_jruby9k, Boolean $puppetserver_metrics = $::puppet::server_puppetserver_metrics, Boolean $puppetserver_experimental = $::puppet::server_puppetserver_experimental, ) { if $implementation == 'master' and $ip != $puppet::params::ip { notify { 'ip_not_supported': message => "Bind IP address is unsupported for the ${implementation} implementation.", loglevel => 'warning', } } if $ca { - $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" - $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" - $ssl_chain = $ssl_chain_filepath - $_crl_enable = pick($crl_enable, true) + $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" + $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" + $ssl_chain = $ssl_chain_filepath + $crl_enable_real = pick($crl_enable, true) } else { - $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" - 
$ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") - $ssl_chain = false - $_crl_enable = pick($crl_enable, false) + $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" + $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") + $ssl_chain = false + $crl_enable_real = pick($crl_enable, false) } $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" if $config_version == undef { if $git_repo { $config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long" } else { $config_version_cmd = undef } } else { $config_version_cmd = $config_version } if $implementation == 'master' { $pm_service = !$passenger and $service_fallback $ps_service = undef $rack_service = $passenger } elsif $implementation == 'puppetserver' { $pm_service = undef $ps_service = true $rack_service = false } class { '::puppet::server::install': } ~> class { '::puppet::server::config': } ~> class { '::puppet::server::service': app_root => $app_root, httpd_service => $httpd_service, puppetmaster => $pm_service, puppetserver => $ps_service, rack => $rack_service, } -> Class['puppet::server'] Class['puppet::config'] ~> Class['puppet::server::service'] } diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index d9a6f4d..3c6153a 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp 
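Review bot: The renamed `$crl_enable_real` in the `if $ca` / `else` branches is read from outside this class (the puppetserver.pp hunk in this same diff binds `$server_crl_enable = $::puppet::server::crl_enable_real`), together with `$ssl_ca_cert`, `$ssl_ca_crl`, `$ssl_chain`, `$ssl_cert` and `$ssl_cert_key`, so these locals are now cross-class interface with nothing marking them as such. A comment above the branch, `# Resolved SSL paths and effective CRL setting; read by puppet::server::puppetserver via $::puppet::server::*, so treat as public`, would keep the next rename from silently breaking the consumer. The `$crl_enable` entry in the header could also state that the non-CA default of `false` means a compile master does not enforce revocation unless `$ca_crl_sync` (or a synced `$ca_crl_filepath`) is in place and `$crl_enable` is set explicitly, since the `else` branch only picks the CRL path and leaves processing off; cross-referencing `$ca_crl_sync` there would make that intent visible.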
@@ -1,275 +1,284 @@ # == Class: puppet::server::puppetserver # # Configures the puppetserver jvm configuration file using augeas. # # === Parameters: # # * `java_bin` # Path to the java executable to use # # * `config` # Path to the jvm configuration file. # This file is usually either /etc/default/puppetserver or # /etc/sysconfig/puppetserver depending on your *nix flavor. # # * `jvm_min_heap_size` # Translates into the -Xms option and is added to the JAVA_ARGS # # * `jvm_max_heap_size` # Translates into the -Xmx option and is added to the JAVA_ARGS # # * `jvm_extra_args` # Custom options to pass through to the java binary. These get added to # the end of the JAVA_ARGS variable # # * `jvm_cli_args` # Custom options to pass through to the java binary when using a # puppetserver subcommand, (eg puppetserver gem). These get used # in the JAVA_ARGS_CLI variable. # # * `server_puppetserver_dir` # Puppetserver config directory # # * `server_puppetserver_vardir` # Puppetserver var directory # # * `server_jruby_gem_home` # Puppetserver jruby gemhome # # * `server_cipher_suites` # Puppetserver array of acceptable ciphers # # * `server_ssl_protocols` # Puppetserver array of acceptable ssl protocols # # * `server_max_active_instances` # Puppetserver number of max jruby instances # # * `server_max_requests_per_instance` # Puppetserver number of max requests per jruby instance # # === Example # # @example # # # configure memory for java < 8 # class {'::puppet::server::puppetserver': # jvm_min_heap_size => '1G', # jvm_max_heap_size => '3G', # jvm_extra_args => '-XX:MaxPermSize=256m', # } # class puppet::server::puppetserver ( $config = $::puppet::server::jvm_config, $java_bin = $::puppet::server::jvm_java_bin, $jvm_extra_args = $::puppet::server::jvm_extra_args, $jvm_cli_args = $::puppet::server::jvm_cli_args, $jvm_min_heap_size = $::puppet::server::jvm_min_heap_size, $jvm_max_heap_size = $::puppet::server::jvm_max_heap_size, $server_puppetserver_dir = 
$::puppet::server::puppetserver_dir, $server_puppetserver_vardir = $::puppet::server::puppetserver_vardir, $server_puppetserver_rundir = $::puppet::server::puppetserver_rundir, $server_puppetserver_logdir = $::puppet::server::puppetserver_logdir, $server_jruby_gem_home = $::puppet::server::jruby_gem_home, $server_ruby_load_paths = $::puppet::server::ruby_load_paths, $server_cipher_suites = $::puppet::server::cipher_suites, $server_max_active_instances = $::puppet::server::max_active_instances, $server_max_requests_per_instance = $::puppet::server::max_requests_per_instance, $server_ssl_protocols = $::puppet::server::ssl_protocols, + $server_ssl_ca_crl = $::puppet::server::ssl_ca_crl, + $server_ssl_ca_cert = $::puppet::server::ssl_ca_cert, + $server_ssl_cert = $::puppet::server::ssl_cert, + $server_ssl_cert_key = $::puppet::server::ssl_cert_key, + $server_ssl_chain = $::puppet::server::ssl_chain, + $server_crl_enable = $::puppet::server::crl_enable_real, + $server_ip = $::puppet::server::ip, + $server_port = $::puppet::server::port, $server_http = $::puppet::server::http, $server_http_allow = $::puppet::server::http_allow, + $server_http_port = $::puppet::server::http_port, $server_ca = $::puppet::server::ca, $server_dir = $::puppet::server::dir, $codedir = $::puppet::server::codedir, $server_idle_timeout = $::puppet::server::idle_timeout, $server_web_idle_timeout = $::puppet::server::web_idle_timeout, $server_connect_timeout = $::puppet::server::connect_timeout, $server_ca_auth_required = $::puppet::server::ca_auth_required, $server_ca_client_whitelist = $::puppet::server::ca_client_whitelist, $server_admin_api_whitelist = $::puppet::server::admin_api_whitelist, $server_puppetserver_version = $::puppet::server::puppetserver_version, $server_use_legacy_auth_conf = $::puppet::server::use_legacy_auth_conf, $server_check_for_updates = $::puppet::server::check_for_updates, $server_environment_class_cache_enabled = $::puppet::server::environment_class_cache_enabled, 
$server_jruby9k = $::puppet::server::puppetserver_jruby9k, $server_metrics = $::puppet::server::puppetserver_metrics, $server_experimental = $::puppet::server::puppetserver_experimental, ) { include ::puppet::server if !(empty($server_http_allow)) { fail('setting $server_http_allow is not supported for puppetserver as it would have no effect') } $puppetserver_package = pick($::puppet::server::package, 'puppetserver') $jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args] $jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' ')) if $::osfamily == 'FreeBSD' { augeas { 'puppet::server::puppetserver::jvm': context => '/files/etc/rc.conf', changes => [ "set puppetserver_java_opts '\"${jvm_cmd}\"'" ], } } else { if $jvm_cli_args { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", "set JAVA_ARGS_CLI '\"${jvm_cli_args}\"'", ] } else { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", ] } augeas { 'puppet::server::puppetserver::jvm': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $changes, } if versioncmp($server_puppetserver_version, '2.4.99') == 0 { $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg,${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" } elsif versioncmp($server_puppetserver_version, '2.5') >= 0 { $bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" } else { # 2.4 $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg" } augeas { 'puppet::server::puppetserver::bootstrap': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'", } if versioncmp($server_puppetserver_version, '5.0') >= 0 { $jruby_jar_changes = $server_jruby9k ? 
{ true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'", default => 'rm JRUBY_JAR' } augeas { 'puppet::server::puppetserver::jruby_jar': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $jruby_jar_changes, } } } # 2.4.99 configures for both 2.4 and 2.5 making upgrades and new installations easier when the # precise version available isn't known if versioncmp($server_puppetserver_version, '2.4.99') >= 0 { $servicesd = "${server_puppetserver_dir}/services.d" file { $servicesd: ensure => directory, } file { "${servicesd}/ca.cfg": ensure => file, content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'), } unless $::osfamily == 'FreeBSD' { file { '/opt/puppetlabs/server/apps/puppetserver/config': ensure => directory, } file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d': ensure => directory, } } } if versioncmp($server_puppetserver_version, '2.5') < 0 { $bootstrapcfg = "${server_puppetserver_dir}/bootstrap.cfg" file { $bootstrapcfg: ensure => file, } $ca_enabled_ensure = $server_ca ? { true => present, default => absent, } $ca_disabled_ensure = $server_ca ? 
{ false => present, default => absent, } file_line { 'ca_enabled': ensure => $ca_enabled_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service', require => File[$bootstrapcfg], } file_line { 'ca_disabled': ensure => $ca_disabled_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service', require => File[$bootstrapcfg], } if versioncmp($server_puppetserver_version, '2.3') >= 0 { $versioned_code_service_ensure = present } else { $versioned_code_service_ensure = absent } file_line { 'versioned_code_service': ensure => $versioned_code_service_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service', require => File[$bootstrapcfg], } } if versioncmp($server_puppetserver_version, '2.2') < 0 { $ca_conf_ensure = file } else { $ca_conf_ensure = absent } file { "${server_puppetserver_dir}/conf.d/ca.conf": ensure => $ca_conf_ensure, content => template('puppet/server/puppetserver/conf.d/ca.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/puppetserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/puppetserver.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/webserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/webserver.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/auth.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/auth.conf.erb'), } $product_conf = "${server_puppetserver_dir}/conf.d/product.conf" if versioncmp($server_puppetserver_version, '2.7') >= 0 { $product_conf_ensure = file hocon_setting { 'server_check_for_updates': ensure => present, path => $product_conf, setting => 'product.check-for-updates', value => $server_check_for_updates, require => File[$product_conf], } } else { $product_conf_ensure = absent } file { $product_conf: 
ensure => $product_conf_ensure, } }
diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
index ee93887..9637181 100644
--- a/spec/classes/puppet_server_config_spec.rb
+++ b/spec/classes/puppet_server_config_spec.rb
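Review bot: The nine parameters added to the class signature (`$server_ssl_ca_crl` through `$server_http_port`) are not listed in the `=== Parameters:` header, which still ends at `server_max_requests_per_instance`, and unlike their sources in puppet::server they carry no type. Each should get an entry in the existing `* \`name\`` form, e.g. `* \`server_http_port\`` — port of the plain-HTTP listener enabled by `server_http` and `* \`server_crl_enable\`` — whether the CRL at `server_ssl_ca_crl` is enforced. The `server_http_port`/`server_ip` entries are the place to note that the `fail` on `$server_http_allow` in this class means the Apache-style allow-list documented for `$http_allow` in server.pp does not apply here, so an HTTP listener on puppetserver is gated only by the managed `conf.d/auth.conf` and by `allow_header_cert_info`, which server.pp documents as being activated by `$http`. Presumably these values feed the `webserver.conf.erb`/`auth.conf.erb` templates rendered further down the hunk; the templates are not in this diff, so confirm before wording the docs that way.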
@@ -1,830 +1,919 @@ require 'spec_helper' describe 'puppet::server::config' do before :each do @cacrl = Tempfile.new('cacrl') File.open(@cacrl, 'w') { |f| f.write "This is my CRL File" } Puppet.settings[:cacrl] = @cacrl.path end on_os_under_test.each do |os, facts| next if unsupported_puppetmaster_osfamily(facts[:osfamily]) context "on #{os}" do if Puppet.version < '4.0' codedir = '/etc/puppet' confdir = '/etc/puppet' conf_file = '/etc/puppet/puppet.conf' environments_dir = '/etc/puppet/environments' logdir = '/var/log/puppet' rundir = '/var/run/puppet' vardir = '/var/lib/puppet' puppetserver_vardir = '/var/lib/puppet' puppetserver_logdir = '/var/log/puppet' puppetserver_rundir = '/var/run/puppet' ssldir = '/var/lib/puppet/ssl' sharedir = '/usr/share/puppet' etcdir = '/etc/puppet' puppetcacmd = '/usr/bin/puppet cert' additional_facts = {} else codedir = '/etc/puppetlabs/code' confdir = '/etc/puppetlabs/puppet' conf_file = '/etc/puppetlabs/puppet/puppet.conf' environments_dir = '/etc/puppetlabs/code/environments' logdir = '/var/log/puppetlabs/puppet' rundir = '/var/run/puppetlabs' vardir = '/opt/puppetlabs/puppet/cache' puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' puppetserver_logdir = '/var/log/puppetlabs/puppetserver' puppetserver_rundir = '/var/run/puppetlabs/puppetserver' ssldir = '/etc/puppetlabs/puppet/ssl' sharedir = '/opt/puppetlabs/puppet' etcdir = '/etc/puppetlabs/puppet' puppetcacmd = '/opt/puppetlabs/bin/puppet cert' additional_facts = {:rubysitedir => '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0'} end if facts[:osfamily] == 'FreeBSD' codedir = '/usr/local/etc/puppet' confdir = '/usr/local/etc/puppet' conf_file = '/usr/local/etc/puppet/puppet.conf' environments_dir = '/usr/local/etc/puppet/environments' logdir = '/var/log/puppet' rundir = '/var/run/puppet' vardir = '/var/puppet' puppetserver_vardir = '/var/puppet/server/data/puppetserver' puppetserver_logdir = '/var/log/puppetserver' puppetserver_rundir = '/var/run/puppetserver' 
ssldir = '/var/puppet/ssl' sharedir = '/usr/local/share/puppet' etcdir = '/usr/local/etc/puppet' puppetcacmd = '/usr/local/bin/puppet cert' additional_facts = {} end let(:facts) do facts.merge({:clientcert => 'puppetmaster.example.com'}).merge(additional_facts) end describe 'with no custom parameters' do let :pre_condition do "class {'puppet': server => true}" end it 'should set up SSL permissions' do should contain_file("#{ssldir}/private_keys").with({ :group => 'puppet', :mode => '0750', }) should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem").with({ :group => 'puppet', :mode => '0640', }) should contain_exec('puppet_server_config-create_ssl_dir').with({ :creates => ssldir, :command => "/bin/mkdir -p #{ssldir}", :umask => '0022', }) should contain_exec('puppet_server_config-generate_ca_cert').with({ :creates => "#{ssldir}/certs/puppetmaster.example.com.pem", :command => "#{puppetcacmd} --generate puppetmaster.example.com --allow-dns-alt-names", :umask => '0022', :require => ["Concat[#{conf_file}]", "Exec[puppet_server_config-create_ssl_dir]"], }) end context 'with non-AIO packages', :if => (Puppet.version < '4.0' || facts[:osfamily] == 'FreeBSD') do it 'CA cert generation should notify the Apache service' do should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[httpd]') end end context 'with AIO packages', :if => (Puppet.version > '4.0' && facts[:osfamily] != 'FreeBSD') do it 'CA cert generation should notify the puppetserver service' do should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') end end it 'should set up the ENC' do should contain_class('foreman::puppetmaster').with({ :foreman_url => "https://foo.example.com", :receive_facts => true, :puppet_home => puppetserver_vardir, :puppet_etcdir => etcdir, # Since this is managed inside the foreman module it does not # make sense to test it here #:puppet_basedir => '/usr/lib/ruby/site_ruby/1.9/puppet', :timeout => 
60, }) end it 'should set up the environments' do should contain_file(environments_dir).with({ :ensure => 'directory', :owner => 'puppet', :group => nil, :mode => '0755', }) should contain_file(sharedir).with_ensure('directory') should contain_file("#{codedir}/environments/common").with({ :ensure => 'directory', :owner => 'puppet', :group => nil, :mode => '0755', }) should contain_file("#{sharedir}/modules").with({ :ensure => 'directory', :owner => 'puppet', :group => nil, :mode => '0755', }) should contain_puppet__server__env('development') should contain_puppet__server__env('production') end it 'should configure puppet' do should contain_puppet__config__main("logdir").with({'value' => "#{logdir}"}) should contain_puppet__config__main("rundir").with({'value' => "#{rundir}"}) should contain_puppet__config__main("ssldir").with({'value' => "#{ssldir}"}) should contain_puppet__config__main("privatekeydir").with({'value' => '$ssldir/private_keys { group = service }'}) should contain_puppet__config__main("hostprivkey").with({'value' => '$privatekeydir/$certname.pem { mode = 640 }'}) should contain_puppet__config__main("reports").with({'value' => 'foreman'}) if Puppet.version >= '3.6' should contain_puppet__config__main("environmentpath").with({'value' => "#{codedir}/environments"}) should contain_puppet__config__main("basemodulepath").with({ 'value' => ["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules"], 'joiner' => ':'}) end should contain_puppet__config__agent('classfile').with({'value' => '$statedir/classes.txt'}) should contain_puppet__config__master('external_nodes').with({'value' => "#{etcdir}\/node.rb"}) should contain_puppet__config__master('node_terminus').with({'value' => 'exec'}) should contain_puppet__config__master('ca').with({'value' => 'true'}) should contain_puppet__config__master('ssldir').with({'value' => "#{ssldir}"}) should contain_puppet__config__master('parser').with({'value' => 'current'}) should 
contain_puppet__config__master("autosign").with({'value' => "#{etcdir}\/autosign.conf \{ mode = 0664 \}"}) should contain_concat(conf_file) should_not contain_puppet__config__master('storeconfigs') should contain_file("#{etcdir}/autosign.conf") end context 'on Puppet < 4.0.0', :if => (Puppet.version < '4.0.0') do it 'should set configtimeout' do should contain_puppet__config__agent('configtimeout').with({'value' => '120'}) end end context 'on Puppet >= 4.0.0', :if => (Puppet.version >= '4.0.0') do it 'should not set configtimeout' do should_not contain_puppet__config__agent('configtimeout') end end it 'should not configure PuppetDB' do should_not contain_class('puppetdb') should_not contain_class('puppetdb::master::config') end end describe "when autosign => true" do let :pre_condition do "class {'puppet': server => true, autosign => true, }" end it 'should contain puppet.conf [main] with autosign = true' do should contain_puppet__config__master('autosign').with({'value' => true}) end end describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do let :pre_condition do "class {'puppet': server => true, autosign => '/somedir/custom_autosign', autosign_mode => '664', }" end it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 664 }' do should contain_puppet__config__master('autosign').with({'value' => "/somedir/custom_autosign { mode = 664 }"}) end end describe "when autosign_entries is not set" do let :pre_condition do "class {'puppet': server => true, }" end it 'should contain autosign.conf with out content set' do should contain_file("#{confdir}/autosign.conf") should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_entries set to ['foo.bar']" do let :pre_condition do "class {'puppet': server => true, autosign_entries => ['foo.bar'], }" end it 'should contain autosign.conf 
with content set' do should contain_file("#{confdir}/autosign.conf") should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do let :pre_condition do "class {'puppet': server => true, autosign_content => 'foo.bar', autosign_entries => ['foo.bar'], }" end it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) } end describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do let :pre_condition do "class {'puppet': server => true, autosign_source => 'puppet:///foo/bar', autosign_entries => ['foo.bar'], }" end it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) } end describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_content set to 'foo.bar'" do let :pre_condition do "class {'puppet': server => true, autosign => '#{confdir}/custom_autosign.sh', autosign_mode => '775', autosign_content => 'foo.bar', }" end it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do should contain_puppet__config__master('autosign').with({'value' => "#{confdir}/custom_autosign.sh { mode = 775 }"}) end it 'should contain custom_autosign.sh with content set' do should contain_file("#{confdir}/custom_autosign.sh") should contain_file("#{confdir}/custom_autosign.sh").with_content(/foo.bar/) end end describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_source set to 'puppet:///foo/bar'" do let :pre_condition do "class {'puppet': server => true, autosign => '#{confdir}/custom_autosign.sh', autosign_mode => '775', autosign_source => 'puppet:///foo/bar', }" end it 'should contain puppet.conf [main] with 
autosign = /somedir/custom_autosign { mode = 775 }' do should contain_puppet__config__master('autosign').with({'value' => "#{confdir}/custom_autosign.sh { mode = 775 }"}) end it 'should contain custom_autosign.sh with content set' do should contain_file("#{confdir}/custom_autosign.sh") should contain_file("#{confdir}/custom_autosign.sh").with_source('puppet:///foo/bar') end end describe "when hiera_config => '$confdir/hiera.yaml'" do let :pre_condition do "class {'puppet': server => true, hiera_config => '/etc/puppet/hiera/production/hiera.yaml', }" end it 'should contain puppet.conf [main] with non-default hiera_config' do should contain_puppet__config__main("hiera_config").with({'value' => '/etc/puppet/hiera/production/hiera.yaml'}) end end describe 'without foreman' do let :pre_condition do "class {'puppet': server => true, server_reports => 'store', server_external_nodes => '', }" end it 'should contain an empty external_nodes' do should_not contain_puppet__config__master('external_nodes') end end describe 'without external_nodes' do let :pre_condition do "class {'puppet': server => true, server_external_nodes => '', }" end it 'should not contain external_nodes' do should_not contain_puppet__config__master('external_nodes') should_not contain_puppet__config__master('node_terminus') end end describe 'with server_default_manifest => true and undef content' do let :pre_condition do 'class { "::puppet": server_default_manifest => true, server => true }' end it 'should contain default_manifest setting in puppet.conf' do should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'}) end it 'should_not contain default manifest /etc/puppet/manifests/default_manifest.pp' do should_not contain_file('/etc/puppet/manifests/default_manifest.pp') end end describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do let :pre_condition do 'class { "::puppet": 
server_default_manifest => true, server_default_manifest_content => "include foo", server => true }' end it 'should contain default_manifest setting in puppet.conf' do should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'}) end it 'should contain default manifest /etc/puppet/manifests/default_manifest.pp' do should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content(/include foo/) end end describe 'with git repo' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, }" end it 'should set up the environments directory' do should contain_file(environments_dir).with({ :ensure => 'directory', :owner => 'puppet', }) end it 'should create the git repo' do should contain_file(vardir).with({ :ensure => 'directory', :owner => 'puppet', }) should contain_git__repo('puppet_repo').with({ :bare => true, :target => "#{vardir}/puppet.git", :user => 'puppet', :require => %r{File\[#{environments_dir}\]}, }) should contain_file("#{vardir}/puppet.git/hooks/post-receive").with({ :owner => 'puppet', :mode => '0755', :require => %r{Git::Repo\[puppet_repo\]}, :content => %r{BRANCH_MAP = \{[^a-zA-Z=>]\}}, }) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } context 'with directory environments' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_directory_environments => true, }" end it 'should configure puppet.conf' do should_not contain_puppet__config__master('config_version') should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"}) end end context 'with config environments' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_directory_environments => false, }" end it 'should configure puppet.conf' do should contain_puppet__config__master('manifest').with({'value' => 
"#{environments_dir}/\$environment/manifests/site.pp"}) should contain_puppet__config__master('modulepath').with({'value' => "#{environments_dir}/\$environment/modules"}) should contain_puppet__config__master('config_version').with({'value' => "git --git-dir #{environments_dir}/\$environment/.git describe --all --long"}) end end end describe 'with dynamic environments' do context 'with directory environments' do let :pre_condition do "class {'puppet': server => true, server_dynamic_environments => true, server_directory_environments => true, server_environments_owner => 'apache', }" end it 'should set up the environments directory' do should contain_file(environments_dir).with({ :ensure => 'directory', :owner => 'apache', }) end it 'should configure puppet.conf' do should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"}) should contain_puppet__config__main('basemodulepath').with({'value' => ["#{environments_dir}/common","#{codedir}/modules","#{sharedir}/modules"]}) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } end context 'with no common modules directory' do let :pre_condition do "class {'puppet': server => true, server_dynamic_environments => true, server_directory_environments => true, server_environments_owner => 'apache', server_common_modules_path => '', }" end it 'should configure puppet.conf' do should_not contain_puppet__config__main('basemodulepath') end end context 'with config environments' do let :pre_condition do "class {'puppet': server => true, server_dynamic_environments => true, server_directory_environments => false, server_environments_owner => 'apache', }" end it 'should set up the environments directory' do should contain_file(environments_dir).with({ :ensure => 'directory', :owner => 'apache', }) end it 'should configure puppet.conf' do should contain_puppet__config__master('manifest').with({'value' => 
"#{environments_dir}/\$environment/manifests/site.pp"}) should contain_puppet__config__master('modulepath').with({'value' => "#{environments_dir}/\$environment/modules"}) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } end end describe 'with SSL path overrides' do let :pre_condition do "class {'puppet': server => true, server_foreman_ssl_ca => '/etc/example/ca.pem', server_foreman_ssl_cert => '/etc/example/cert.pem', server_foreman_ssl_key => '/etc/example/key.pem', }" end it 'should pass SSL parameters to the ENC' do should contain_class('foreman::puppetmaster').with({ :ssl_ca => '/etc/example/ca.pem', :ssl_cert => '/etc/example/cert.pem', :ssl_key => '/etc/example/key.pem', }) end end describe 'with a PuppetDB host set' do let :pre_condition do "class {'puppet': server => true, server_puppetdb_host => 'mypuppetdb.example.com', server_storeconfigs_backend => 'puppetdb', }" end it 'should configure PuppetDB' do should compile.with_all_deps should contain_class('puppetdb::master::config').with({ :puppetdb_server => 'mypuppetdb.example.com', :puppetdb_port => 8081, :puppetdb_soft_write_failure => false, :manage_storeconfigs => false, :restart_puppet => false, }) end end describe 'with a puppet git branch map' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_git_branch_map => { 'a' => 'b', 'c' => 'd' } }" end it 'should add the branch map to the post receive hook' do should contain_file("#{vardir}/puppet.git/hooks/post-receive"). 
with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) end end describe 'with additional settings' do let :pre_condition do "class {'puppet': server => true, server_additional_settings => {stringify_facts => true}, }" end it 'should configure puppet.conf' do should contain_puppet__config__master('stringify_facts').with({'value' => true}) end end describe 'directory environments default' do let :pre_condition do "class {'puppet': server => true, }" end context 'on old Puppet', :if => (Puppet.version < '3.6.0') do it 'should be disabled' do should_not contain_puppet__config__main('environmentpath') end end context 'on Puppet 3.6.0+', :if => (Puppet.version >= '3.6.0') do it 'should be enabled' do should contain_puppet__config__main('environmentpath').with({'value' => "#{environments_dir}"}) end end end describe 'with server_parser => future' do let :pre_condition do "class {'puppet': server => true, server_parser => 'future', }" end it 'should configure future parser' do should contain_puppet__config__master('parser').with({'value' => "future"}) end end describe 'with server_environment_timeout set' do let :pre_condition do "class {'puppet': server => true, server_environment_timeout => '10m', }" end it 'should configure environment_timeout accordingly' do should contain_puppet__config__master('environment_timeout').with({'value' => "10m"}) end end describe 'with no ssldir managed for master' do let :pre_condition do "class {'puppet': server => true, server_ssl_dir_manage => false}" end it 'should not contain ssl_dir configuration setting in the master section' do should_not contain_puppet__config__master('ssl_dir') end end describe 'with ssl key management disabled for server' do let :pre_condition do "class {'puppet': server => true, server_certname => 'servercert', server_ssl_key_manage => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end it 'should not contain a default ssl key definition' do should_not 
contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') end end describe 'with nondefault CA settings' do context 'with server_ca => false' do let :pre_condition do "class {'puppet': server => true, server_ca => false, }" end it 'should create the ssl directory' do should contain_exec('puppet_server_config-create_ssl_dir') end it 'should not generate CA certificates' do should_not contain_exec('puppet_server_config-generate_ca_cert') end end end describe 'with server_implementation => "puppetserver"', :if => (Puppet.version >= '4.0.0') do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver' }" end it 'should configure puppet.conf' do should contain_puppet__config__master("vardir").with_value(puppetserver_vardir) should contain_puppet__config__master("logdir").with_value(puppetserver_logdir) should contain_puppet__config__master("rundir").with_value(puppetserver_rundir) end end describe 'with server_ca_crl_sync => true' do context 'with server_ca => false and running "puppet apply"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end context 'with server_ca => false: running "puppet agent -t"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end let(:facts) do facts.merge({:servername => 'myserver' }) end it 'should sync the crl from the ca' do should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem'). 
with_content("This is my CRL File") end end context 'with server_ca => true: running "puppet agent -t"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => true, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end let(:facts) do facts.merge({:servername => 'myserver' }) end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end end describe 'allow crl checking' do context 'as ca' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the ca_crl.pem file' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/ssl-crl-path: #{ssldir}\/ca\/ca_crl.pem/) end end context 'as non-ca with default' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => false, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the ca_crl.pem file' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). without_content(/ssl-crl-path: #{ssldir}\/crl.pem/) end end context 'as non-ca with default' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => false, server_crl_enable => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the ca_crl.pem file' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
with_content(/ssl-crl-path: #{ssldir}\/crl.pem/) end end end describe 'with ssl_chain_filepath overwritten' do - let :pre_condition do + let :pre_condition do "class {'puppet': - server => true, - server_implementation => 'puppetserver', - server_ca => true, - server_puppetserver_dir => '/etc/custom/puppetserver', - server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', - server_ssl_chain_filepath => '/etc/example/certchain.pem', + server => true, + server_implementation => 'puppetserver', + server_ca => true, + server_puppetserver_dir => '/etc/custom/puppetserver', + server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', + server_ssl_chain_filepath => '/etc/example/certchain.pem', }" end it 'should use the server_ssl_chain_filepath file' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/ssl-cert-chain: \/etc\/example\/certchain.pem/) end end + + describe 'with server_ip parameter given to the puppet class' do + let :pre_condition do + "class {'puppet': + server => true, + server_implementation => 'puppetserver', + server_puppetserver_dir => '/etc/custom/puppetserver', + server_ip => '127.0.0.1', + }" + end + + it 'should put the correct ip address in webserver.conf' do + should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').with_content(/ssl-host:\s127\.0\.0\.1/) + end + end + + describe 'with server_certname parameter' do + let :pre_condition do + "class {'puppet': + server => true, + server_implementation => 'puppetserver', + server_puppetserver_dir => '/etc/custom/puppetserver', + server_certname => 'puppetserver43.example.com', + server_ssl_dir => '/etc/custom/puppet/ssl', + }" + end + + it 'should put the correct ssl key path in webserver.conf' do + should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
+ with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem})
+ end
+
+ it 'should put the correct ssl cert path in webserver.conf' do
+ should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
+ with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem})
+ end
+ end
+
+ describe 'with server_http parameter set to true for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_http => true,
+ }"
+ end
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
+ with_content(/ host:\s0\.0\.0\.0/).
+ with_content(/ port:\s8139/).
+ with({})
+ }
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: true/).
+ with({})
+ }
+ end
+
+ describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_allow_header_cert_info => true,
+ }"
+ end
+
+ it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: true/).
+ with({})
+ }
+ end
+
+ describe 'with server_http_allow parameter set for the puppet class' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_implementation => 'puppetserver',
+ server_puppetserver_dir => '/etc/custom/puppetserver',
+ server_http => true,
+ server_http_allow => ['1.2.3.4'],
+ }"
+ end
+
+ it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) }
+ end
 end
 end
 end
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index 23459ff..9054d3e 100644
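Review bot: The new `server_http` and `server_allow_header_cert_info` examples only assert the positive rendering `allow-header-cert-info: true`; nothing in this hunk pins that a puppetserver configured without either parameter still renders `allow-header-cert-info: false`. As I understand that flag, it makes puppetserver take the client identity from reverse-proxy headers (X-Client-Verify / X-Client-DN / X-Client-Cert) rather than from the TLS handshake, and the `server_http => true` example in the same hunk asserts the plain listener binds `host: 0.0.0.0`, so a template regression that flipped the default would pass this suite while exposing identity spoofing to anyone who can reach the port. I would add, beside the new `server_allow_header_cert_info` describe, a default-parameters case: `it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').with_content(/allow-header-cert-info: false/) }`. Separately, the trailing `.with({})` on the three new `it` blocks matches nothing and can be dropped.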
--- a/spec/classes/puppet_server_puppetserver_spec.rb +++ b/spec/classes/puppet_server_puppetserver_spec.rb 
@@ -1,844 +1,761 @@ require 'spec_helper' describe 'puppet::server::puppetserver' do on_os_under_test.each do |os, facts| next if facts[:osfamily] == 'windows' next if facts[:osfamily] == 'Archlinux' context "on #{os}" do let :pre_condition do "class {'puppet': server_implementation => 'puppetserver'}" end if Puppet.version < '4.0' additional_facts = {} else additional_facts = {:rubysitedir => '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0'} end let(:facts) do facts.merge(additional_facts) end let(:default_params) do { :java_bin => '/usr/bin/java', :config => '/etc/default/puppetserver', :jvm_min_heap_size => '2G', :jvm_max_heap_size => '2G', :jvm_extra_args => '', :jvm_cli_args => false, # In reality defaults to undef :server_ca_auth_required => true, :server_ca_client_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_admin_api_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_ruby_load_paths => [ '/some/path', ], :server_ssl_protocols => [ 'TLSv1.2', ], :server_cipher_suites => [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ], :server_max_active_instances => 2, :server_max_requests_per_instance => 0, :server_http => false, :server_http_allow => [], :server_ca => true, :server_puppetserver_version => '2.4.99', :server_use_legacy_auth_conf => false, :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/puppetlabs/server/data/puppetserver', :server_puppetserver_rundir => '/var/run/puppetlabs/puppetserver', :server_puppetserver_logdir => '/var/log/puppetlabs/puppetserver', :server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', :server_dir => '/etc/puppetlabs/puppet', :codedir => '/etc/puppetlabs/code', :server_idle_timeout => 1200000, :server_web_idle_timeout => 30000, :server_connect_timeout => 120000, :server_check_for_updates => true, :server_environment_class_cache_enabled 
=> false, :server_jruby9k => false, :server_metrics => true, :server_experimental => true, + :server_ip => '0.0.0.0', + :server_port => '8140', + :server_http_port => '8139', + :server_ssl_ca_crl => '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem', + :server_ssl_ca_cert => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', + :server_ssl_cert => '/etc/puppetlabs/puppet/ssl/certs/puppetserver123.example.com.pem', + :server_ssl_cert_key => '/etc/puppetlabs/puppet/ssl/private_keys/puppetserver123.example.com.pem', + :server_ssl_chain => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', + :server_crl_enable => true, } end describe 'with default parameters' do let(:params) do default_params.merge({ :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled').with_ensure('present') } it { should contain_file_line('ca_disabled'). with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'', ]). with_context('/files/etc/rc.conf'). with({}) } else it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') } it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java', ]). 
with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') } it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf') } it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/ssl-host:\s0\.0\.0\.0/). with_content(/ssl-port:\s8140/). without_content(/ host:\s/). without_content(/ port:\s8139/). with({}) } it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(/allow-header-cert-info: false/). with({}) } end describe 'server_puppetserver_vardir' do context 'with default parameters' do let(:params) do default_params.merge({ :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/puppetlabs/server/data/puppetserver\n]) end end context 'with custom server_puppetserver_vardir' do let(:params) do default_params.merge({ :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/custom/puppetlabs/server/data/puppetserver', }) end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/custom/puppetlabs/server/data/puppetserver\n]) end end end describe 'use-legacy-auth-conf' do context 'with default parameters' do let(:params) do default_params.merge({ :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have use-legacy-auth-conf: false in puppetserver.conf' do content = catalogue.resource('file', 
'/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ use-legacy-auth-conf: false\n]) end end context 'when use-legacy-auth-conf = true' do let(:params) do default_params.merge({ :server_use_legacy_auth_conf => true, :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have use-legacy-auth-conf: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ use-legacy-auth-conf: true\n]) end end context 'when server_puppetserver_version < 2.2' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.1.2', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should not have a use-legacy-auth-conf setting in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).not_to include('use-legacy-auth-conf') end end end describe 'environment-class-cache-enabled' do context 'with default parameters' do let(:params) do default_params.merge({ :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have environment-class-cache-enabled: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: false\n]) end end context 'when environment-class-cache-enabled = true' do let(:params) do default_params.merge({ :server_environment_class_cache_enabled => true, :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have environment-class-cache-enabled: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: true\n]) end 
end context 'when server_puppetserver_version < 2.4' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.2.2', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should not have a environment-class-cache-enabled setting in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).not_to include('environment-class-cache-enabled') end end end describe 'server_max_requests_per_instance' do context 'with default parameters' do let(:params) do default_params.merge({ :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 0\n]) end end context 'custom server_max_requests_per_instance' do let(:params) do default_params.merge({ :server_max_requests_per_instance => 123456, }) end it 'should have custom max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 123456\n]) end end end describe 'versioned-code-service' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it { should_not contain_file_line('versioned_code_service') } end context 'when server_puppetserver_version >= 2.3 and < 2.5' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.3.1', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have versioned-code-service in bootstrap.cfg' do should 
contain_file_line('versioned_code_service'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end context 'when server_puppetserver_version < 2.3' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.2.2', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should not have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end end describe 'bootstrap.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should_not contain_file_line('ca_enabled') } it { should_not contain_file_line('ca_disabled') } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.4.98', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } it { should contain_file_line('ca_disabled'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). 
with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } unless facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\''). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end end describe 'ca.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } unless facts[:osfamily] == 'FreeBSD' it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\''). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). 
with({}) } end end context 'when server_puppetserver_version >= 2.5 and server_ca => false' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_ca => false, }) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.4.98', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it { should_not contain_file('/etc/custom/puppetserver/services.d') } it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') } end end describe 'server_ca related settings' do context 'when server_puppetserver_version >= 2.2' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.2.0', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/). with_content(/^\s+name: "certificate_status"/). with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/). with_content(/^\s+name: "certificate_statuses"/). with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/). with_content(/^\s+name: "environment-cache"/). with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/). with_content(/^\s+name: "jruby-pool"/). with({}) # So we can use a trailing dot on each with_content line } it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf'). 
with_ensure('absent'). with({}) # So we can use a trailing dot on each with_content line } it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(/^# Settings related to the puppet-admin HTTP API$/). without_content(/^puppet-admin: \{$/). without_content(/^\s+client-whitelist: \[$/). without_content(/^\s+"localhost"\,$/). without_content(/^\s+"puppetserver123.example.com"\,$/). with({}) # So we can use a trailing dot on each with_content line } end context 'when server_puppetserver_version < 2.2' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.1.1', :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/). without_content(/^\s+name: "certificate_status"/). without_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/). without_content(/^\s+name: "certificate_statuses"/). without_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/). without_content(/^\s+name: "environment-cache"/). without_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/). without_content(/^\s+name: "jruby-pool"/). with({}) # So we can use a trailing dot on each with_content line } it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf'). with_content(/^\s+authorization-required: true$/). with_content(/^\s+client-whitelist: \[$/). with_content(/^\s+"localhost"\,$/). with_content(/^\s+"puppetserver123.example.com"\,$/). with({}) # So we can use a trailing dot on each with_content line } it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(/^# Settings related to the puppet-admin HTTP API$/). with_content(/^puppet-admin: \{$/). with_content(/^\s+client-whitelist: \[$/). with_content(/^\s+"localhost"\,$/). with_content(/^\s+"puppetserver123.example.com"\,$/). 
with({}) # So we can use a trailing dot on each with_content line } end end describe 'product.conf' do context 'when server_puppetserver_version >= 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_check_for_updates => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf'). with_ensure('file') } it { should contain_hocon_setting('server_check_for_updates'). with_path('/etc/custom/puppetserver/conf.d/product.conf'). with_setting('product.check-for-updates'). with_value(false) } end context 'when server_puppetserver_version < 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.6.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf'). with_ensure('absent') } it { should_not contain_hocon_setting('server_check_for_updates') } end end describe 'server_metrics' do context 'when server_puppetserver_version < 5.0 and server_metrics => true' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => true, }) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } end context 'when server_puppetserver_version < 5.0 and server_metrics => false' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => false, }) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). 
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } end context 'when server_puppetserver_version >= 5.0 and server_metrics => true' do let(:params) do default_params.merge({ :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => true, }) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } end context 'when server_puppetserver_version >= 5.0 and server_metrics => false' do let(:params) do default_params.merge({ :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => false, }) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } end end describe 'server_experimental' do context 'when server_puppetserver_version < 5.0 and server_experimental => true' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => true, }) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version < 5.0 and server_experimental => false' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => false, }) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). 
without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => true' do let(:params) do default_params.merge({ :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => true, }) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => false' do let(:params) do default_params.merge({ :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => false, }) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end unless facts[:osfamily] == 'FreeBSD' describe 'server_jruby9k' do context 'when server_puppetserver_version < 5.0 and server_jruby9k => true' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => true, }) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version < 5.0 and server_jruby9k => false' do let(:params) do default_params.merge({ :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => false, }) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => true' do let(:params) do default_params.merge({ :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => true, }) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']). 
with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => false' do let(:params) do default_params.merge({ :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => false, }) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['rm JRUBY_JAR']). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end end describe 'with extra_args parameter' do let :params do default_params.merge({ :jvm_extra_args => ['-XX:foo=bar', '-XX:bar=foo'], }) end if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', ]). with_context('/files/etc/rc.conf'). with({}) } else it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', 'set JAVA_BIN /usr/bin/java', ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end describe 'with cli_args parameter' do let :params do default_params.merge({ :jvm_cli_args => '-Djava.io.tmpdir=/var/puppettmp', }) end if facts[:osfamily] != 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java', 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'', ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). 
with({}) } end end describe 'with jvm_config file parameter' do let :params do default_params.merge({ :config => '/etc/custom/puppetserver', }) end if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_context('/files/etc/rc.conf'). with({}) } else it { should contain_augeas('puppet::server::puppetserver::jvm'). with_context('/files/etc/custom/puppetserver'). with_incl('/etc/custom/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end - - describe 'with server_ip parameter given to the puppet class' do - let(:params) do - default_params.merge({ - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) - end - - let :pre_condition do - "class {'puppet': server_ip => '127.0.0.1', server_implementation => 'puppetserver'}" - end - - it 'should put the correct ip address in webserver.conf' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').with_content(/ssl-host:\s127\.0\.0\.1/) - end - end - - describe 'with server_certname parameter given to the puppet class' do - let(:params) do - default_params.merge({ - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) - end - - let :pre_condition do - "class {'puppet': server_certname => 'puppetserver43.example.com', server_implementation => 'puppetserver', server_ssl_dir => '/etc/custom/puppet/ssl'}" - end - - it 'should put the correct ssl key path in webserver.conf' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). - with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem}) - end - - it 'should put the correct ssl cert path in webserver.conf' do - should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
- with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem}) - end - end - - describe 'with server_http parameter set to true for the puppet class' do - let(:params) do - default_params.merge({ - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) - end - - let :pre_condition do - "class {'puppet': server_http => true, server_implementation => 'puppetserver'}" - end - - it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). - with_content(/ host:\s0\.0\.0\.0/). - with_content(/ port:\s8139/). - with({}) - } - - it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). - with_content(/allow-header-cert-info: true/). - with({}) - } - end - - describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do - let(:params) do - default_params.merge({ - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) - end - - let :pre_condition do - "class {'puppet': server_allow_header_cert_info => true, server_implementation => 'puppetserver'}" - end - - it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). - with_content(/allow-header-cert-info: true/). - with({}) - } - end - - describe 'with server_http_allow parameter set for the puppet class' do - let(:params) do - default_params.merge({ - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) - end - - let :pre_condition do - "class {'puppet': server => true, server_http => true, server_http_allow => ['1.2.3.4'], server_implementation => 'puppetserver'}" - end - - it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) } - end end end end diff --git a/templates/server/puppetserver/conf.d/webserver.conf.erb b/templates/server/puppetserver/conf.d/webserver.conf.erb index e8a8938..f8c20c6 100644 --- a/templates/server/puppetserver/conf.d/webserver.conf.erb +++ b/templates/server/puppetserver/conf.d/webserver.conf.erb 
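Review bot: The new `default_params` entries `:server_crl_enable => true` and `:server_ssl_ca_crl` are never asserted against the rendered file: the 'with default parameters' webserver.conf example checks `ssl-host`, `ssl-port` and the absence of `host:`/`port:` but not `ssl-crl-path` or `ssl-ca-cert`, so the CRL line could silently drop out of the template without any example failing. Since the template in this same commit now emits `ssl-crl-path` only when the new `@server_crl_enable` flag is set, add `with_content(%r{ssl-crl-path:\s/etc/puppetlabs/puppet/ssl/ca/ca_crl\.pem}).` to that example and a sibling context that flips the flag off, as below. The examples sit inside the `on_os_under_test.each` block, which starts and ends within this hunk.
```ruby
    # … unchanged: 'with default parameters' describe …

    describe 'with server_crl_enable => false' do
      let(:params) do
        default_params.merge({
          :server_puppetserver_dir => '/etc/custom/puppetserver',
          :server_crl_enable => false,
        })
      end

      it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').
             with_content(%r{ssl-ca-cert:\s/etc/puppetlabs/puppet/ssl/ca/ca_crt\.pem}).
             without_content(/ssl-crl-path/).
             with({})
      }
    end
```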
@@ -1,20 +1,20 @@
 webserver: {
- access-log-config: <%= scope.lookupvar('puppet::server::puppetserver_dir') %>/request-logging.xml
+ access-log-config: <%= @server_puppetserver_dir %>/request-logging.xml
 client-auth: want
-<%- if scope.lookupvar('puppet::server::http') -%>
- host: <%= scope.lookupvar('puppet::server::ip') %>
- port: <%= scope.lookupvar('puppet::server::http_port') %>
+<%- if @server_http -%>
+ host: <%= @server_ip %>
+ port: <%= @server_http_port %>
 <%- end -%>
- ssl-host: <%= scope.lookupvar('puppet::server::ip') %>
- ssl-port: <%= scope.lookupvar('puppet::server::port') %>
- ssl-cert: <%= scope.lookupvar('puppet::server::ssl_cert') %>
- ssl-key: <%= scope.lookupvar('puppet::server::ssl_cert_key') %>
- ssl-ca-cert: <%= scope.lookupvar('puppet::server::ssl_ca_cert') %>
-<%- if scope.lookupvar('puppet::server::_crl_enable') -%>
- ssl-crl-path: <%= scope.lookupvar('puppet::server::ssl_ca_crl') %>
+ ssl-host: <%= @server_ip %>
+ ssl-port: <%= @server_port %>
+ ssl-cert: <%= @server_ssl_cert %>
+ ssl-key: <%= @server_ssl_cert_key %>
+ ssl-ca-cert: <%= @server_ssl_ca_cert %>
+<%- if @server_crl_enable -%>
+ ssl-crl-path: <%= @server_ssl_ca_crl %>
 <%- end -%>
-<%- if scope.lookupvar('puppet::server::ca') -%>
- ssl-cert-chain: <%= scope.lookupvar('puppet::server::ssl_chain') %>
+<%- if @server_ca -%>
+ ssl-cert-chain: <%= @server_ssl_chain %>
 <%- end -%>
 idle-timeout-milliseconds: <%= @server_web_idle_timeout %>
 }
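Review bot: The `host:`/`port:` lines under `<%- if @server_http -%>` bind a plaintext, unauthenticated listener to the same `@server_ip` as the TLS listener (0.0.0.0 in the spec defaults), and nothing in this template restricts who may reach it — the spec in this same commit rejects `server_http_allow` for puppetserver as having no effect. Because enabling `server_http` also sets `allow-header-cert-info: true` in auth.conf (per the moved spec examples), any peer that can reach that port can assert an arbitrary client identity through the certificate-info request headers that setting trusts, so the only real control is the network or the TLS-terminating proxy in front of it. I would say so at the point of use with `<%# plaintext listener trusts proxy-supplied cert headers: bind @server_ip to the proxy-facing address or firewall this port %>` placed above the `host:` line. Also worth confirming outside this hunk: the condition moved from the derived `puppet::server::_crl_enable` to a plain `@server_crl_enable`, so the "CRL on by default when the CA is enabled" behaviour now depends on the caller passing the computed value rather than the raw parameter.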