diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index 15bc548..719652f 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -1,905 +1,905 @@ require 'spec_helper' describe 'puppet::server::puppetserver' do on_os_under_test.each do |os, facts| next if facts[:osfamily] == 'windows' next if facts[:osfamily] == 'Archlinux' context "on #{os}" do let :pre_condition do "class {'puppet': server_implementation => 'puppetserver'}" end let(:facts) do facts end let(:default_params) do { :java_bin => '/usr/bin/java', :config => '/etc/default/puppetserver', :jvm_min_heap_size => '2G', :jvm_max_heap_size => '2G', :jvm_extra_args => '', :jvm_cli_args => false, # In reality defaults to undef :server_ca_auth_required => true, :server_ca_client_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_admin_api_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_ruby_load_paths => [ '/some/path', ], :server_ssl_protocols => [ 'TLSv1.2', ], :server_cipher_suites => [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ], :server_max_active_instances => 2, :server_max_requests_per_instance => 0, :server_max_queued_requests => 0, :server_max_retry_delay => 1800, :server_http => false, :server_http_allow => [], :server_ca => true, :server_puppetserver_version => '2.4.99', :server_use_legacy_auth_conf => false, :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/puppetlabs/server/data/puppetserver', :server_puppetserver_rundir => '/var/run/puppetlabs/puppetserver', :server_puppetserver_logdir => '/var/log/puppetlabs/puppetserver', :server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', :server_dir => '/etc/puppetlabs/puppet', :codedir => '/etc/puppetlabs/code', :server_idle_timeout => 1200000, :server_web_idle_timeout => 30000, :server_connect_timeout => 120000, :server_check_for_updates => true, :server_environment_class_cache_enabled => false, :server_jruby9k => false, :server_metrics => true, :metrics_jmx_enable => true, 
:metrics_graphite_enable => true, :metrics_graphite_host => 'graphitehost.example.com', :metrics_graphite_port => 2003, :metrics_server_id => 'puppetserver.example.com', :metrics_graphite_interval => 5, :metrics_allowed => ['single.element.array'], :server_experimental => true, :server_ip => '0.0.0.0', :server_port => '8140', :server_http_port => '8139', :server_ssl_ca_crl => '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem', :server_ssl_ca_cert => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', :server_ssl_cert => '/etc/puppetlabs/puppet/ssl/certs/puppetserver123.example.com.pem', :server_ssl_cert_key => '/etc/puppetlabs/puppet/ssl/private_keys/puppetserver123.example.com.pem', :server_ssl_chain => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', :server_crl_enable => true, :server_trusted_agents => [], :allow_header_cert_info => false, :compile_mode => 'off', # In reality defaults to undef } end describe 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled').with_ensure('present') } it { should contain_file_line('ca_disabled'). with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}). without_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'', ]). with_context('/files/etc/rc.conf'). 
with({}) } else it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') } it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java' ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(/^# Settings related to the puppet-admin HTTP API$/). without_content(/^puppet-admin: \{$/). without_content(/^\s+client-whitelist: \[$/). without_content(/^\s+"localhost"\,$/). without_content(/^\s+"puppetserver123.example.com"\,$/). with({}) # So we can use a trailing dot on each with_content line } it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/ssl-host:\s0\.0\.0\.0/). with_content(/ssl-port:\s8140/). without_content(/ host:\s/). without_content(/ port:\s8139/). with({}) } it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(/allow-header-cert-info: false/). - with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/). - with_content(/^\s+name: "certificate_status"/). - with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/). - with_content(/^\s+name: "certificate_statuses"/). + with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status"/). + with_content(/^\s+name: "puppetlabs cert status"/). 
+ with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses"/). + with_content(/^\s+name: "puppetlabs cert statuses"/). with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/). with_content(/^\s+name: "environment-cache"/). with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/). with_content(/^\s+name: "jruby-pool"/). with({}) # So we can use a trailing dot on each with_content line } end describe 'server_puppetserver_vardir' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/puppetlabs/server/data/puppetserver\n]) end end context 'with custom server_puppetserver_vardir' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/custom/puppetlabs/server/data/puppetserver', ) end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/custom/puppetlabs/server/data/puppetserver\n]) end end end describe 'use-legacy-auth-conf' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have use-legacy-auth-conf: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ use-legacy-auth-conf: false\n]) end end context 'when use-legacy-auth-conf = true' do let(:params) do default_params.merge( :server_use_legacy_auth_conf => true, 
:server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have use-legacy-auth-conf: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ use-legacy-auth-conf: true\n]) end end end describe 'environment-class-cache-enabled' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have environment-class-cache-enabled: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: false\n]) end end context 'when environment-class-cache-enabled = true' do let(:params) do default_params.merge( :server_environment_class_cache_enabled => true, :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have environment-class-cache-enabled: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: true\n]) end end context 'when server_puppetserver_version < 2.4' do let(:params) do default_params.merge( :server_puppetserver_version => '2.2.2', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should not have a environment-class-cache-enabled setting in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).not_to include('environment-class-cache-enabled') end end end describe 'server_max_requests_per_instance' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have max-requests-per-instance: 
/opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 0\n]) end end context 'custom server_max_requests_per_instance' do let(:params) do default_params.merge(:server_max_requests_per_instance => 123456) end it 'should have custom max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 123456\n]) end end end describe 'server_max_queued_requests' do context 'when server_puppetserver_version >= 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', ) end it 'should have max-queued-requests: 0' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-queued-requests: 0\n}) end end context 'when server_puppetserver_version >= 5.0 with custom server_max_queued_requests' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', :server_max_queued_requests => 100, ) end it 'should have custom max-queued-requests: 100' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-queued-requests: 100\n}) end end context 'when server_puppetserver_version < 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '2.7.0', ) end it 'should not have max-queued-requests' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). 
without_content(%r{^ max-queued-requests: (.*)$}) end end end describe 'server_max_retry_delay' do context 'when server_puppetserver_version >= 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', ) end it 'should have max-retry-delay: 1800' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-retry-delay: 1800\n}) end end context 'when server_puppetserver_version >= 5.0 custom server_max_retry_delay' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', :server_max_retry_delay => 100 ) end it 'should have custom max-retry-delay: 100' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-retry-delay: 100\n}) end end context 'when server_puppetserver_version < 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '2.7.0', ) end it 'should not have max-retry-delay' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ max-retry-delay: (.*)$}) end end end describe 'versioned-code-service' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file_line('versioned_code_service') } end context 'when server_puppetserver_version >= 2.3 and < 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.3.1', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). 
with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end context 'when server_puppetserver_version < 2.3' do let(:params) do default_params.merge( :server_puppetserver_version => '2.2.2', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should not have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end end describe 'bootstrap.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should_not contain_file_line('ca_enabled') } it { should_not contain_file_line('ca_disabled') } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do default_params.merge( :server_puppetserver_version => '2.4.98', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } it { should contain_file_line('ca_disabled'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service'). 
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } unless facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\''). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end end describe 'ca.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } unless facts[:osfamily] == 'FreeBSD' it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\''). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end context 'when server_puppetserver_version >= 2.5 and server_ca => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_ca => false, ) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). 
with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do default_params.merge( :server_puppetserver_version => '2.4.98', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file('/etc/custom/puppetserver/services.d') } it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') } end context 'when server_puppetserver_version >= 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.1.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}). with_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } end end describe 'product.conf' do context 'when server_puppetserver_version >= 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_check_for_updates => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf'). 
with_content(/^\s+check-for-updates: false/) } end context 'when server_puppetserver_version < 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.6.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf').with_ensure('absent') } end end describe 'server_metrics' do context 'when server_puppetserver_version < 5.0 and server_metrics => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } end context 'when server_puppetserver_version < 5.0 and server_metrics => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } end context 'when server_puppetserver_version >= 5.0 and server_metrics => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)}). 
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf'). with_content(%r{^( *)metrics-allowed: \[\n( *)"single.element.array",\n( *)\]}). with_content(%r{^( *)server-id: "puppetserver.example.com"}). with_content(%r{^( *)jmx: \{\n( *)enabled: true}). with_content(%r{^( *)graphite: \{\n( *)enabled: true}). with_content(%r{^( *)host: "graphitehost.example.com"}). with_content(%r{^( *)port: 2003}). with_content(%r{^( *)update-interval-seconds: 5}) } end context 'when server_puppetserver_version >= 5.0 and server_metrics => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf').with_ensure('absent') } end end describe 'server_experimental' do context 'when server_puppetserver_version < 5.0 and server_experimental => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version < 5.0 and server_experimental => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). 
without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_experimental => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end describe 'puppet tasks information' do context 'when server_puppetserver_version < 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } end context 'when server_puppetserver_version >= 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.1.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } end end describe 'puppet facts upload' do context 'when server_puppetserver_version >= 5.3' do let(:params) do default_params.merge( :server_puppetserver_version => '5.3.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). 
with_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$}) } end context 'when server_puppetserver_version < 5.3' do let(:params) do default_params.merge( :server_puppetserver_version => '5.2.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$}) } end end describe 'server_trusted_agents' do context 'when set' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_trusted_agents => ['jenkins', 'octocatalog-diff'], ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(%r{^ allow: \["jenkins", "octocatalog-diff", "\$1"\]$}) } end end unless facts[:osfamily] == 'FreeBSD' describe 'server_jruby9k' do context 'when server_puppetserver_version < 5.0 and server_jruby9k => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => true, ) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version < 5.0 and server_jruby9k => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => false, ) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => true, ) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']). with_context('/files/etc/default/puppetserver'). 
with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => false, ) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['rm JRUBY_JAR']). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end end describe 'with extra_args parameter' do let :params do default_params.merge( :jvm_extra_args => ['-XX:foo=bar', '-XX:bar=foo'], ) end if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', ]). with_context('/files/etc/rc.conf'). with({}) } else it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', 'set JAVA_BIN /usr/bin/java', ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end describe 'with cli_args parameter' do let :params do default_params.merge(:jvm_cli_args => '-Djava.io.tmpdir=/var/puppettmp') end if facts[:osfamily] != 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java', 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'', ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). 
with({}) } end end describe 'with jvm_config file parameter' do let :params do default_params.merge(:config => '/etc/custom/puppetserver') end if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm').with_context('/files/etc/rc.conf') } else it { should contain_augeas('puppet::server::puppetserver::jvm'). with_context('/files/etc/custom/puppetserver'). with_incl('/etc/custom/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end describe 'gem-path' do context 'when server_puppetserver_version > 2.7 but < 5.3' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', ) end it 'should have gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems"] in config' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems"]\n]) end end context 'when server_puppetserver_version >= 5.3' do let(:params) do default_params.merge( :server_puppetserver_version => '5.3.0', ) end if facts[:osfamily] == 'FreeBSD' it 'should have gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"] in config' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ gem-path: [${jruby-puppet.gem-home}, "/var/puppet/server/data/puppetserver/vendored-jruby-gems"]\n]) end else it 'should have gem-path: [${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"] in config' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ gem-path: 
[${jruby-puppet.gem-home}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"]\n]) end end end end describe 'when server_puppetserver_version < 2.2' do let(:params) do default_params.merge(:server_puppetserver_version => '2.1.0') end it { should raise_error(Puppet::Error, /puppetserver <2.2 is not supported by this module version/) } end end end end
diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb
index c03ea64..5383854 100644
--- a/templates/auth.conf.erb
+++ b/templates/auth.conf.erb
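Review bot: The rewritten `auth.conf` assertions in the `'with default parameters'` block pin only the `path` and `name` lines of the two certificate_status rules, so the `allow` list that actually guards the CA status API — presumably rendered from `server_ca_client_whitelist`, which `default_params` sets to `['localhost', 'puppetserver123.example.com']` — is never checked, and a template change that widened it would still pass this spec. Consider adding one more `with_content` to the same chain; if the template renders that list the way the `server_trusted_agents` assertion further down expects, a line such as `with_content(/^\s+allow: \["localhost", "puppetserver123.example.com"\]$/)` would do (adjust to the template's actual output). Dropping the trailing slash is also worth a comment: as I understand Puppet Server's auth.conf, a rule whose `path` is not typed as a regex is a prefix match, so `/puppet-ca/v1/certificate_status` now also prefixes `/puppet-ca/v1/certificate_statuses`, which is harmless only while both rules carry the same allow list — one more reason to assert it.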
@@ -1,140 +1,161 @@ # This is the default auth.conf file, which implements the default rules # used by the puppet master. (That is, the rules below will still apply # even if this file is deleted.) # # The ACLs are evaluated in top-down order. More specific stanzas should # be towards the top of the file and more general ones at the bottom; # otherwise, the general rules may "steal" requests that should be # governed by the specific rules. # -# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html +# See https://puppet.com/docs/puppet/latest/config_file_auth.html # for a more complete description of auth.conf's behavior. # # Supported syntax: # Each stanza in auth.conf starts with a path to match, followed # by optional modifiers, and finally, a series of allow or deny # directives. # # Example Stanza # --------------------------------- # path /path/to/resource # simple prefix match # # path ~ regex # alternately, regex match # [environment envlist] # [method methodlist] # [auth[enthicated] {yes|no|on|off|any}] # allow [host|backreference|*|regex] # deny [host|backreference|*|regex] # allow_ip [ip|cidr|ip_wildcard|*] # deny_ip [ip|cidr|ip_wildcard|*] # # The path match can either be a simple prefix match or a regular # expression. `path /file` would match both `/file_metadata` and # `/file_content`. Regex matches allow the use of backreferences # in the allow/deny directives. # # The regex syntax is the same as for Ruby regex, and captures backreferences # for use in the `allow` and `deny` lines of that stanza # # Examples: # # path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. # allow * # Allow all authenticated nodes (since auth # # defaults to `yes`). # # path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by # allow $1 # certname), but not any other node's catalog. 
# # path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to # auth yes # access the "extra_files" # allow /^(.+)\.example\.com$/ # mount point; note this must # allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, # # since it is more specific. # # environment:: restrict an ACL to a comma-separated list of environments # method:: restrict an ACL to a comma-separated list of HTTP methods # auth:: restrict an ACL to an authenticated or unauthenticated request # the default when unspecified is to restrict the ACL to authenticated requests # (ie exactly as if auth yes was present). # +# CONTROLLING FILE ACCESS (previously in fileserver.conf) + +# In previous versions of Puppet, you controlled file access by adding +# rules to fileserver.conf. In Puppet 5 with Puppet Server, you can control +# file access in auth.conf by controlling the /file_metadata(s)/, +# /file_content(s)/, and /static_file_content/ paths. See the +# Puppet Server documentation at +# https://puppet.com/docs/puppetserver/latest/config_file_auth.html. +# +# If you are not using Puppet Server, or are using Puppet Server but with the +# "jruby-puppet.use-legacy-auth-conf" setting set to "true", you could set the +# desired file access in a new rule in this file. For example: +# +# path ~ ^/file_(metadata|content)s?/extra_files/ +# auth yes +# allow /^(.+)\.example\.com$/ +# allow_ip 192.168.100.0/24 +# +# If added to auth.conf BEFORE the default "path /file" rule, this rule +# will add stricter restrictions to the extra_files mount point. 
+ ### Authenticated ACLs - these rules apply only when the client ### has a valid certificate and is thus authenticated path /puppet/v3/environments method find allow * <% if @puppetversion.to_f < 5.0 -%> path /puppet/v3/resource_type method search allow * <% end -%> # allow nodes to retrieve their own catalog path ~ ^/puppet/v3/catalog/([^/]+)$ method find allow <%= @auth_allowed.join(', ') %> # allow nodes to retrieve their own node definition path ~ ^/puppet/v3/node/([^/]+)$ method find allow <%= @auth_allowed.join(', ') %> # allow all nodes to store their own reports path ~ ^/puppet/v3/report/([^/]+)$ method save allow <%= @auth_allowed.join(', ') %> # Allow all nodes to access all file services; this is necessary for # pluginsync, file serving from modules, and file serving from custom # mount points (see fileserver.conf). Note that the `/file` prefix matches # requests to both the file_metadata and file_content paths. See "Examples" # above if you need more granular access control for custom mount points. path /puppet/v3/file allow * path /puppet/v3/status method find allow * # allow all nodes to access the certificates services path /puppet-ca/v1/certificate_revocation_list/ca <% if @allow_any_crl_auth -%> auth any <% end -%> method find allow * ### Unauthenticated ACLs, for clients without valid certificates; authenticated ### clients can also access these paths, though they rarely need to. # allow access to the CA certificate; unauthenticated nodes need this # in order to validate the puppet master's certificate path /puppet-ca/v1/certificate/ca auth any method find allow * # allow nodes to retrieve the certificate they requested earlier path /puppet-ca/v1/certificate/ auth any method find allow * # allow nodes to request a new certificate path /puppet-ca/v1/certificate_request auth any method find, save allow * - <% if scope.lookupvar('::puppet::listen') -%> + path /run auth any method save allow <%= if (!@listen_to.empty?) 
then @listen_to.join(",") elsif ( @puppetmaster and !@puppetmaster.empty? ) then @puppetmaster else @fqdn end %> <% end -%> # deny everything else; this ACL is not strictly necessary, but # illustrates the default policy. path / auth any
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
index d44e465..a703faf 100644
--- a/templates/server/puppetserver/conf.d/auth.conf.erb
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
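Review bot: The example rule in the new "CONTROLLING FILE ACCESS" comment block, `# path ~ ^/file_(metadata|content)s?/extra_files/`, lacks the `/puppet/v3` prefix that the earlier example in this same file (`^/puppet/v3/file_(metadata|content)/extra_files/`) and the default `path /puppet/v3/file` rule use. If the legacy matcher sees the versioned path, as the rest of this template assumes, a rule copied from this example never matches and the broad `path /puppet/v3/file` / `allow *` rule keeps serving the mount point to every node, the opposite of the "stricter restrictions" the comment promises. Suggest `# path ~ ^/puppet/v3/file_(metadata|content)s?/extra_files/`, or a sentence stating for which Puppet versions the unprefixed form is correct.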
@@ -1,303 +1,303 @@ authorization: { version: 1 allow-header-cert-info: <%= @server_http || @allow_header_cert_info %> rules: [ { # Allow nodes to retrieve their own catalog match-request: { path: "^/puppet/v3/catalog/([^/]+)$" type: regex method: [get, post] } allow: <%= @server_trusted_agents << '$1' %> sort-order: 500 name: "puppetlabs catalog" }, { # Allow nodes to retrieve the certificate they requested earlier match-request: { path: "/puppet-ca/v1/certificate/" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs certificate" }, { # Allow all nodes to access the certificate revocation list match-request: { path: "/puppet-ca/v1/certificate_revocation_list/ca" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs crl" }, { # Allow nodes to request a new certificate match-request: { path: "/puppet-ca/v1/certificate_request" type: path method: [get, put] } allow-unauthenticated: true sort-order: 500 name: "puppetlabs csr" }, - { - # Allow unauthenticated access to the status service endpoint - match-request: { - path: "/status/v1/services" - type: path - method: get - } - allow-unauthenticated: true - sort-order: 500 - name: "puppetlabs status service" - }, <%- if @server_ca -%> { match-request: { - path: "/puppet-ca/v1/certificate_status/" + path: "/puppet-ca/v1/certificate_status" type: path - method: [ get, put, delete ] + method: [get, put, delete] } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] <%- end -%> - sort-order: 200 - name: "certificate_status" + sort-order: 500 + name: "puppetlabs cert status" }, { match-request: { - path: "/puppet-ca/v1/certificate_statuses/" + path: "/puppet-ca/v1/certificate_statuses" type: path method: get } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- 
@server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] <%- end -%> - sort-order: 200 - name: "certificate_statuses" + sort-order: 500 + name: "puppetlabs cert statuses" }, <%- end -%> + { + # Allow unauthenticated access to the status service endpoint + match-request: { + path: "/status/v1/services" + type: path + method: get + } + allow-unauthenticated: true + sort-order: 500 + name: "puppetlabs status service - full" + }, { match-request: { path: "/puppet-admin-api/v1/environment-cache" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "environment-cache" }, { match-request: { path: "/puppet-admin-api/v1/jruby-pool" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "jruby-pool" }, { match-request: { path: "/puppet/v3/environments" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environments" }, { match-request: { path: "/puppet/v3/environment_classes" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environment classes" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) < 0 -%> { match-request: { path: "/puppet/v3/resource_type" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs resource type" }, { # Allow nodes to access all file services; this is necessary for # pluginsync, file serving from modules, and file serving from # custom mount points (see fileserver.conf). Note that the `/file` # prefix matches requests to file_metadata, file_content, and # file_bucket_file paths. match-request: { path: "/puppet/v3/file" type: path } allow: "*" sort-order: 500 name: "puppetlabs file" }, <%- else -%> { # Allow nodes to access all file_bucket_files. Note that access for # the 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. 
match-request: { path: "/puppet/v3/file_bucket_file" type: path method: [get, head, post, put] } allow: "*" sort-order: 500 name: "puppetlabs file bucket file" }, { # Allow nodes to access all file_content. Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_content" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file content" }, { # Allow nodes to access all file_metadata. Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_metadata" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file metadata" }, <%- end -%> { # Allow nodes to retrieve only their own node definition match-request: { path: "^/puppet/v3/node/([^/]+)$" type: regex method: get } allow: "$1" sort-order: 500 name: "puppetlabs node" }, { # Allow nodes to store only their own reports match-request: { path: "^/puppet/v3/report/([^/]+)$" type: regex method: put } allow: "$1" sort-order: 500 name: "puppetlabs report" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.3']) >= 0 -%> { # Allow nodes to update their own facts match-request: { path: "^/puppet/v3/facts/([^/]+)$" type: regex method: put } allow: "$1" sort-order: 500 name: "puppetlabs facts" }, <%- end -%> { match-request: { path: "/puppet/v3/status" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status" }, { match-request: { path: "/puppet/v3/static_file_content" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs static file content" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.1']) >= 0 -%> { match-request: { path: "/puppet/v3/tasks" type: path } allow: "*" sort-order: 500 name: "puppet tasks information" }, <%- end -%> <%- if scope.function_versioncmp([@server_puppetserver_version, 
'5.0']) >= 0 && @server_experimental -%> { # Allow all users access to the experimental endpoint # which currently only provides a dashboard web ui. match-request: { path: "/puppet/experimental" type: path } allow-unauthenticated: true sort-order: 500 name: "puppetlabs experimental" }, <%- end -%> { # Deny everything else. This ACL is not strictly # necessary, but illustrates the default policy match-request: { path: "/" type: path } deny: "*" sort-order: 999 name: "puppetlabs deny all" } ] }
diff --git a/templates/server/puppetserver/conf.d/metrics.conf.erb b/templates/server/puppetserver/conf.d/metrics.conf.erb
index 042cfd6..2a77b3f 100644
--- a/templates/server/puppetserver/conf.d/metrics.conf.erb
+++ b/templates/server/puppetserver/conf.d/metrics.conf.erb
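Review bot: Dropping the trailing slash in `path: "/puppet-ca/v1/certificate_status"` makes that `type: path` (prefix) rule also match `/puppet-ca/v1/certificate_statuses`, and with both rules now at `sort-order: 500` the singular rule is evaluated first (Puppet Server breaks sort-order ties by rule name, if I recall correctly, and "puppetlabs cert status" sorts ahead of "puppetlabs cert statuses"), so the plural rule below is shadowed for GET. Both rules currently render the same `@server_ca_client_whitelist` and the same `allow-unauthenticated` switch, so effective access does not change with this commit, but the plural rule will silently stop applying the moment the two allow lists are ever made different. A comment above the singular rule would make that coupling visible: `# prefix match: also covers /certificate_statuses; keep both allow lists identical`.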
@@ -1,58 +1,61 @@
# settings related to metrics metrics: { # a server id that will be used as part of the namespace for metrics produced # by this server server-id: "<%= @metrics_server_id %>" registries: { puppetserver: { # specify metrics to allow in addition to those in the default list <% if @metrics_allowed -%> metrics-allowed: [ <%- @metrics_allowed.each do |allowed_host| -%> "<%= allowed_host %>", <%- end -%> ] <%- else -%> #metrics-allowed: ["compiler.compile.production"] <% end -%> + reporters: { # enable or disable JMX metrics reporter jmx: { enabled: <%= @metrics_jmx_enable %> } # enable or disable Graphite metrics reporter graphite: { enabled: <%= @metrics_graphite_enable %> } } + } } # this section is used to configure settings for reporters that will send # the metrics to various destinations for external viewing reporters: { graphite: { # graphite host host: "<%= @metrics_graphite_host %>" # graphite metrics port port: <%= @metrics_graphite_port %> # how often to send metrics to graphite update-interval-seconds: <%= @metrics_graphite_interval %> } } metrics-webservice: { jolokia: { # Enable or disable the Jolokia-based metrics/v2 endpoint. # Default is true. # enabled: false # Configure any of the settings listed at: # https://jolokia.org/reference/html/agents.html#war-agent-installation servlet-init-params: { # Specify a custom security policy: # https://jolokia.org/reference/html/security.html # policyLocation: "file:///etc/puppetlabs/puppetserver/jolokia-access.xml" } } } + }
diff --git a/templates/server/puppetserver/conf.d/puppetserver.conf.erb b/templates/server/puppetserver/conf.d/puppetserver.conf.erb
index 9adf1eb..6c6a179 100644
--- a/templates/server/puppetserver/conf.d/puppetserver.conf.erb
+++ b/templates/server/puppetserver/conf.d/puppetserver.conf.erb
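Review bot: The newly added inner `reporters: {` under `registries.puppetserver` carries the same key name as the top-level `reporters: {` block further down, and nothing in the template says which one does what, so someone adjusting Graphite settings is likely to edit the wrong block. Suggest a comment directly above the added line: `# per-registry on/off switches for each reporter; hosts, ports and intervals are set in the top-level "reporters" block below`. The trailing `+ }` at the end of the file also appears to close a `metrics: {` that the previous revision left unclosed; if that was a rendered-file bug, it deserves a mention in the commit message so the fix is findable later.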
@@ -1,120 +1,122 @@ # configuration for the JRuby interpreters jruby-puppet: { # Where the puppet-agent dependency places puppet, facter, etc... # Puppet server expects to load Puppet from this location ruby-load-path: [ <%- @server_ruby_load_paths.each do |ruby_load_path| -%> <%= ruby_load_path %>, <%- end -%> ] # This setting determines where JRuby will install gems. It is used for loading gems, # and also by the `puppetserver gem` command line tool. gem-home: <%= @server_jruby_gem_home %> <%- if scope.function_versioncmp([@server_puppetserver_version, '2.7']) >= 0 -%> # This setting defines the complete "GEM_PATH" for jruby. If set, it should include # the gem-home directory as well as any other directories that gems can be loaded # from (including the vendored gems directory for gems that ship with puppetserver) gem-path: [<%= @server_gem_paths.join(', ') %>] <%- end -%> # PLEASE NOTE: Use caution when modifying the below settings. Modifying # these settings will change the value of the corresponding Puppet settings # for Puppet Server, but not for the Puppet CLI tools. This likely will not # be a problem with master-var-dir, master-run-dir, or master-log-dir unless # some critical setting in puppet.conf is interpolating the value of one # of the corresponding settings, but it is important that any changes made to # master-conf-dir and master-code-dir are also made to the corresponding Puppet # settings when running the Puppet CLI tools. See # https://docs.puppetlabs.com/puppetserver/latest/puppet_conf_setting_diffs.html#overriding-puppet-settings-in-puppet-server # for more information. 
# (optional) path to puppet conf dir; if not specified, will use # the puppet default master-conf-dir: <%= @server_dir %> # (optional) path to puppet code dir; if not specified, will use # the puppet default master-code-dir: <%= @codedir %> # (optional) path to puppet var dir; if not specified, will use # the puppet default master-var-dir: <%= @server_puppetserver_vardir %> # (optional) path to puppet run dir; if not specified, will use # the puppet default master-run-dir: <%= @server_puppetserver_rundir %> # (optional) path to puppet log dir; if not specified, will use # the puppet default master-log-dir: <%= @server_puppetserver_logdir %> # (optional) maximum number of JRuby instances to allow max-active-instances: <%= @server_max_active_instances %> # (optional) the number of HTTP requests a given JRuby instance will handle in its lifetime. max-requests-per-instance: <%= @server_max_requests_per_instance %> <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 -%> # (optional) The maximum number of requests that may be queued waiting to borrow a JRuby from the pool. max-queued-requests: <%= @server_max_queued_requests %> # (optional) Sets the upper limit for the random sleep set as a Retry-After header on 503 responses returned when max-queued-requests is enabled. max-retry-delay: <%= @server_max_retry_delay %> + <%- end -%> # (optional) Authorize access to Puppet master endpoints via rules # specified in the legacy Puppet auth.conf file (if true) or via rules # specified in the Puppet Server HOCON-formatted auth.conf (if false or not # specified). 
use-legacy-auth-conf: <%= @server_use_legacy_auth_conf %> <%- if scope.function_versioncmp([@server_puppetserver_version, '2.3']) >= 0 -%> # (optional) enable or disable environment class cache environment-class-cache-enabled: <%= @server_environment_class_cache_enabled %> <%- end -%> <%- if @compile_mode %> + compile-mode: <%= @compile_mode %> <%- end -%> } -# settings related to HTTP client requests made by Puppet Server +# settings related to HTTPS client requests made by Puppet Server http-client: { - # A list of acceptable protocols for making HTTP requests + # A list of acceptable protocols for making HTTPS requests ssl-protocols: [ <%- @server_ssl_protocols.each do |protocol| -%> <%= protocol %>, <%- end -%> ] - # A list of acceptable cipher suites for making HTTP requests + # A list of acceptable cipher suites for making HTTPS requests cipher-suites: [ <%- @server_cipher_suites.each do |cipher| -%> <%= cipher %>, <%- end -%> ] <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 -%> # Whether to enable http-client metrics; defaults to 'true'. metrics-enabled: <%= @server_metrics %> <%- end -%> # The amount of time, in milliseconds, that an outbound HTTP connection # will wait for data to be available before closing the socket. If not # defined, defaults to 20 minutes. If 0, the timeout is infinite and if # negative, the value is undefined by the application and governed by the # system default behavior. idle-timeout-milliseconds: <%= @server_idle_timeout %> # The amount of time, in milliseconds, that an outbound HTTP connection will # wait to connect before giving up. Defaults to 2 minutes if not set. If 0, # the timeout is infinite and if negative, the value is undefined in the # application and governed by the system default behavior. 
connect-timeout-milliseconds: <%= @server_connect_timeout %> } # settings related to profiling the puppet Ruby code profiler: { # enable or disable profiling for the Ruby code; enabled: <%= @server_metrics %> }
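Review bot: The new `compile-mode: <%= @compile_mode %>` line is guarded by `<%- if @compile_mode %>`, whose tag ends in `%>` while every other control tag in this template uses `-%>`, so when compile_mode is set the rendered file carries a stray blank line before the key; change the guard to `<%- if @compile_mode -%>`. It is also the only key in the jruby-puppet section without an explanatory comment; in the surrounding style that would be `# (optional) JRuby compile mode: off, jit or force`. The value is interpolated unquoted and unchecked here, which is fine only if the manifest (not part of this diff) restricts it to those values.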