diff --git a/.fixtures.yml b/.fixtures.yml
index 6bdb6c3..36536e3 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,15 +1,14 @@
 fixtures:
 repositories:
- apache: 'https://github.com/puppetlabs/puppetlabs-apache.git'
- concat: 'https://github.com/puppetlabs/puppetlabs-concat.git'
- extlib: 'https://github.com/voxpupuli/puppet-extlib.git'
- foreman: 'https://github.com/theforeman/puppet-foreman.git'
- git: 'https://github.com/theforeman/puppet-git.git'
- hocon: 'https://github.com/puppetlabs/puppetlabs-hocon.git'
- inifile: 'https://github.com/puppetlabs/puppetlabs-inifile.git'
- puppet_authorization: 'https://github.com/puppetlabs/puppetlabs-puppet_authorization.git'
- puppetdb: 'https://github.com/puppetlabs/puppetlabs-puppetdb.git'
- stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
+ apache: 'https://github.com/puppetlabs/puppetlabs-apache.git'
+ concat: 'https://github.com/puppetlabs/puppetlabs-concat.git'
+ extlib: 'https://github.com/voxpupuli/puppet-extlib.git'
+ foreman: 'https://github.com/theforeman/puppet-foreman.git'
+ git: 'https://github.com/theforeman/puppet-git.git'
+ hocon: 'https://github.com/puppetlabs/puppetlabs-hocon.git'
+ inifile: 'https://github.com/puppetlabs/puppetlabs-inifile.git'
+ puppetdb: 'https://github.com/puppetlabs/puppetlabs-puppetdb.git'
+ stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
 symlinks:
 puppet: "#{source_dir}"
diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
index 3d19f81..42f89ec 100644
--- a/manifests/server/puppetserver.pp
+++ b/manifests/server/puppetserver.pp
@@ -1,713 +1,417 @@ # == Class: puppet::server::puppetserver # # Configures the puppetserver jvm configuration file using augeas. # # === Parameters: # # * `java_bin` # Path to the java executable to use # # * `config` # Path to the jvm configuration file. # This file is usually either /etc/default/puppetserver or # /etc/sysconfig/puppetserver depending on your *nix flavor. # # * `jvm_min_heap_size` # Translates into the -Xms option and is added to the JAVA_ARGS # # * `jvm_max_heap_size` # Translates into the -Xmx option and is added to the JAVA_ARGS # # * `jvm_extra_args` # Custom options to pass through to the java binary. These get added to # the end of the JAVA_ARGS variable # # * `jvm_cli_args` # Custom options to pass through to the java binary when using a # puppetserver subcommand, (eg puppetserver gem). These get used # in the JAVA_ARGS_CLI variable. # # * `server_puppetserver_dir` # Puppetserver config directory # # * `server_puppetserver_vardir` # Puppetserver var directory # # * `server_jruby_gem_home` # Puppetserver jruby gemhome # # * `server_cipher_suites` # Puppetserver array of acceptable ciphers # # * `server_ssl_protocols` # Puppetserver array of acceptable ssl protocols # # * `server_max_active_instances` # Puppetserver number of max jruby instances # # * `server_max_requests_per_instance` # Puppetserver number of max requests per jruby instance # # * `server_max_queued_requests` # The maximum number of requests that may be queued waiting # to borrow a JRuby from the pool. # # * `server_max_retry_delay` # Sets the upper limit for the random sleep set as a Retry-After # header on 503 responses returned when max-queued-requests is enabled. 
# # === Example # # @example # # # configure memory for java < 8 # class {'::puppet::server::puppetserver': # jvm_min_heap_size => '1G', # jvm_max_heap_size => '3G', # jvm_extra_args => '-XX:MaxPermSize=256m', # } # class puppet::server::puppetserver ( $config = $::puppet::server::jvm_config, $java_bin = $::puppet::server::jvm_java_bin, $jvm_extra_args = $::puppet::server::jvm_extra_args, $jvm_cli_args = $::puppet::server::jvm_cli_args, $jvm_min_heap_size = $::puppet::server::jvm_min_heap_size, $jvm_max_heap_size = $::puppet::server::jvm_max_heap_size, $server_puppetserver_dir = $::puppet::server::puppetserver_dir, $server_puppetserver_vardir = $::puppet::server::puppetserver_vardir, $server_puppetserver_rundir = $::puppet::server::puppetserver_rundir, $server_puppetserver_logdir = $::puppet::server::puppetserver_logdir, $server_jruby_gem_home = $::puppet::server::jruby_gem_home, $server_ruby_load_paths = $::puppet::server::ruby_load_paths, $server_cipher_suites = $::puppet::server::cipher_suites, $server_max_active_instances = $::puppet::server::max_active_instances, $server_max_requests_per_instance = $::puppet::server::max_requests_per_instance, $server_max_queued_requests = $::puppet::server::max_queued_requests, $server_max_retry_delay = $::puppet::server::max_retry_delay, $server_ssl_protocols = $::puppet::server::ssl_protocols, $server_ssl_ca_crl = $::puppet::server::ssl_ca_crl, $server_ssl_ca_cert = $::puppet::server::ssl_ca_cert, $server_ssl_cert = $::puppet::server::ssl_cert, $server_ssl_cert_key = $::puppet::server::ssl_cert_key, $server_ssl_chain = $::puppet::server::ssl_chain, $server_crl_enable = $::puppet::server::crl_enable_real, $server_ip = $::puppet::server::ip, $server_port = $::puppet::server::port, $server_http = $::puppet::server::http, $server_http_allow = $::puppet::server::http_allow, $server_http_port = $::puppet::server::http_port, $server_ca = $::puppet::server::ca, $server_dir = $::puppet::server::dir, $codedir = 
$::puppet::server::codedir, $server_idle_timeout = $::puppet::server::idle_timeout, $server_web_idle_timeout = $::puppet::server::web_idle_timeout, $server_connect_timeout = $::puppet::server::connect_timeout, $server_ca_auth_required = $::puppet::server::ca_auth_required, $server_ca_client_whitelist = $::puppet::server::ca_client_whitelist, $server_admin_api_whitelist = $::puppet::server::admin_api_whitelist, $server_puppetserver_version = $::puppet::server::puppetserver_version, $server_use_legacy_auth_conf = $::puppet::server::use_legacy_auth_conf, $server_check_for_updates = $::puppet::server::check_for_updates, $server_environment_class_cache_enabled = $::puppet::server::environment_class_cache_enabled, $server_jruby9k = $::puppet::server::puppetserver_jruby9k, $server_metrics = $::puppet::server::puppetserver_metrics, $metrics_jmx_enable = $::puppet::server::metrics_jmx_enable, $metrics_graphite_enable = $::puppet::server::metrics_graphite_enable, $metrics_graphite_host = $::puppet::server::metrics_graphite_host, $metrics_graphite_port = $::puppet::server::metrics_graphite_port, $metrics_server_id = $::puppet::server::metrics_server_id, $metrics_graphite_interval = $::puppet::server::metrics_graphite_interval, $metrics_allowed = $::puppet::server::metrics_allowed, $server_experimental = $::puppet::server::puppetserver_experimental, $server_trusted_agents = $::puppet::server::puppetserver_trusted_agents, $allow_header_cert_info = $::puppet::server::allow_header_cert_info, $compile_mode = $::puppet::server::compile_mode, ) { include ::puppet::server if versioncmp($server_puppetserver_version, '2.2') < 0 { fail('puppetserver <2.2 is not supported by this module version') } if !(empty($server_http_allow)) { fail('setting $server_http_allow is not supported for puppetserver as it would have no effect') } $puppetserver_package = pick($::puppet::server::package, 'puppetserver') $jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args] 
$jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' ')) if $::osfamily == 'FreeBSD' { augeas { 'puppet::server::puppetserver::jvm': context => '/files/etc/rc.conf', changes => [ "set puppetserver_java_opts '\"${jvm_cmd}\"'" ], } } else { if $jvm_cli_args { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", "set JAVA_ARGS_CLI '\"${jvm_cli_args}\"'", ] } else { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", ] } augeas { 'puppet::server::puppetserver::jvm': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $changes, } if versioncmp($server_puppetserver_version, '2.4.99') == 0 { $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg,${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" } elsif versioncmp($server_puppetserver_version, '2.5') >= 0 { $bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" } else { # 2.4 $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg" } augeas { 'puppet::server::puppetserver::bootstrap': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'", } if versioncmp($server_puppetserver_version, '5.0') >= 0 { $jruby_jar_changes = $server_jruby9k ? 
{ true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'", default => 'rm JRUBY_JAR' } augeas { 'puppet::server::puppetserver::jruby_jar': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $jruby_jar_changes, } } } # 2.4.99 configures for both 2.4 and 2.5 making upgrades and new installations easier when the # precise version available isn't known if versioncmp($server_puppetserver_version, '2.4.99') >= 0 { $servicesd = "${server_puppetserver_dir}/services.d" file { $servicesd: ensure => directory, } file { "${servicesd}/ca.cfg": ensure => file, content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'), } unless $::osfamily == 'FreeBSD' { file { '/opt/puppetlabs/server/apps/puppetserver/config': ensure => directory, } file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d': ensure => directory, } } } if versioncmp($server_puppetserver_version, '2.5') < 0 { $bootstrapcfg = "${server_puppetserver_dir}/bootstrap.cfg" file { $bootstrapcfg: ensure => file, } $ca_enabled_ensure = $server_ca ? { true => present, default => absent, } $ca_disabled_ensure = $server_ca ? 
{ false => present, default => absent, } file_line { 'ca_enabled': ensure => $ca_enabled_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service', require => File[$bootstrapcfg], } file_line { 'ca_disabled': ensure => $ca_disabled_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service', require => File[$bootstrapcfg], } if versioncmp($server_puppetserver_version, '2.3') >= 0 { $versioned_code_service_ensure = present } else { $versioned_code_service_ensure = absent } file_line { 'versioned_code_service': ensure => $versioned_code_service_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service', require => File[$bootstrapcfg], } } file { "${server_puppetserver_dir}/conf.d/ca.conf": ensure => absent, } file { "${server_puppetserver_dir}/conf.d/puppetserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/puppetserver.conf.erb'), } - $auth_conf = "${server_puppetserver_dir}/conf.d/auth.conf" - - file { $auth_conf: + file { "${server_puppetserver_dir}/conf.d/auth.conf": ensure => file, - } - - hocon_setting { 'authorization.version': - ensure => present, - path => $auth_conf, - setting => 'authorization.version', - value => 1, - require => File[$auth_conf], - } - - hocon_setting { 'authorization.allow-header-cert-info': - ensure => present, - path => $auth_conf, - setting => 'authorization.allow-header-cert-info', - value => $allow_header_cert_info or $server_http, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs catalog': - match_request_path => '^/puppet/v3/catalog/([^/]+)$', - match_request_type => 'regex', - match_request_method => ['get', 'post'], - allow => flatten(['$1', $server_trusted_agents]), - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - 
puppet_authorization::rule { 'puppetlabs certificate': - match_request_path => '/puppet-ca/v1/certificate/', - match_request_type => 'path', - match_request_method => 'get', - allow_unauthenticated => true, - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs crl': - match_request_path => '/puppet-ca/v1/certificate_revocation_list/ca', - match_request_type => 'path', - match_request_method => 'get', - allow_unauthenticated => true, - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs csr': - match_request_path => '/puppet-ca/v1/certificate_request', - match_request_type => 'path', - match_request_method => ['get', 'put'], - allow_unauthenticated => true, - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs environments': - match_request_path => '/puppet/v3/environments', - match_request_type => 'path', - match_request_method => 'get', - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs environment classes': - match_request_path => '/puppet/v3/environment_classes', - match_request_type => 'path', - match_request_method => 'get', - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs node': - match_request_path => '^/puppet/v3/node/([^/]+)$', - match_request_type => 'regex', - match_request_method => 'get', - allow => '$1', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs report': - match_request_path => '^/puppet/v3/report/([^/]+)$', - match_request_type => 'regex', - match_request_method => 'put', - allow => '$1', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - 
puppet_authorization::rule { 'puppetlabs status': - match_request_path => '/puppet/v3/status', - match_request_type => 'path', - match_request_method => 'get', - allow_unauthenticated => true, - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs static file content': - match_request_path => '/puppet/v3/static_file_content', - match_request_type => 'path', - match_request_method => 'get', - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'environment-cache': - match_request_path => '/puppet-admin-api/v1/environment-cache', - match_request_type => 'path', - match_request_method => 'delete', - allow => $server_admin_api_whitelist, - sort_order => 200, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'jruby-pool': - match_request_path => '/puppet-admin-api/v1/jruby-pool', - match_request_type => 'path', - match_request_method => 'delete', - allow => $server_admin_api_whitelist, - sort_order => 200, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs deny all': - match_request_path => '/', - match_request_type => 'path', - deny => '*', - sort_order => 999, - path => $auth_conf, - require => File[$auth_conf], - } - - $auth_conf_setting_ensure = $server_ca ? 
{ - true => present, - default => absent, - } - - if $server_ca_auth_required { - puppet_authorization::rule { 'certificate_status': - ensure => $auth_conf_setting_ensure, - match_request_path => '/puppet-ca/v1/certificate_status/', - match_request_type => 'path', - match_request_method => [ 'get', 'put', 'delete' ], - allow => $server_ca_client_whitelist, - sort_order => 200, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'certificate_statuses': - ensure => $auth_conf_setting_ensure, - match_request_path => '/puppet-ca/v1/certificate_statuses/', - match_request_type => 'path', - match_request_method => 'get', - allow => $server_ca_client_whitelist, - sort_order => 200, - path => $auth_conf, - require => File[$auth_conf], - } - } else { - puppet_authorization::rule { 'certificate_status': - ensure => $auth_conf_setting_ensure, - match_request_path => '/puppet-ca/v1/certificate_status/', - match_request_type => 'path', - match_request_method => [ 'get', 'put', 'delete' ], - allow_unauthenticated => true, - sort_order => 200, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'certificate_statuses': - ensure => $auth_conf_setting_ensure, - match_request_path => '/puppet-ca/v1/certificate_statuses/', - match_request_type => 'path', - match_request_method => 'get', - allow_unauthenticated => true, - sort_order => 200, - path => $auth_conf, - require => File[$auth_conf], - } - } - - $is_puppetserver2 = versioncmp($server_puppetserver_version, '5.0') < 0 - $is_puppetserver5 = versioncmp($server_puppetserver_version, '5.0') >= 0 - - $auth_conf_puppetserver_2_settings_ensure = $is_puppetserver2 ? { - true => present, - default => absent, - } - - $auth_conf_puppetserver_5_settings_ensure = $is_puppetserver5 ? 
{ - true => present, - default => absent, - } - - puppet_authorization::rule { 'puppetlabs file bucket file': - ensure => $auth_conf_puppetserver_5_settings_ensure, - match_request_path => '/puppet/v3/file_bucket_file', - match_request_type => 'path', - match_request_method => ['get', 'head', 'post', 'put'], - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs file content': - ensure => $auth_conf_puppetserver_5_settings_ensure, - match_request_path => '/puppet/v3/file_content', - match_request_type => 'path', - match_request_method => ['get', 'post'], - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs file metadata': - ensure => $auth_conf_puppetserver_5_settings_ensure, - match_request_path => '/puppet/v3/file_metadata', - match_request_type => 'path', - match_request_method => ['get', 'post'], - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - if $is_puppetserver2 or ($is_puppetserver5 and !$server_experimental) { - $auth_conf_experimental_ensure = absent - } else { - $auth_conf_experimental_ensure = present - } - - puppet_authorization::rule { 'puppetlabs experimental': - ensure => $auth_conf_experimental_ensure, - match_request_path => '/puppet/experimental', - match_request_type => 'path', - allow_unauthenticated => true, - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs resource type': - ensure => $auth_conf_puppetserver_2_settings_ensure, - match_request_path => '/puppet/v3/resource_type', - match_request_type => 'path', - match_request_method => ['get', 'post'], - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - puppet_authorization::rule { 'puppetlabs file': - ensure => $auth_conf_puppetserver_2_settings_ensure, - 
match_request_path => '/puppet/v3/file', - match_request_type => 'path', - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], - } - - if versioncmp($server_puppetserver_version, '5.1') >= 0 { - $auth_conf_tasks_ensure = present - } else { - $auth_conf_tasks_ensure = absent - } - - puppet_authorization::rule { 'puppet tasks information': - ensure => $auth_conf_tasks_ensure, - match_request_path => '/puppet/v3/tasks', - match_request_type => 'path', - allow => '*', - sort_order => 500, - path => $auth_conf, - require => File[$auth_conf], + content => template('puppet/server/puppetserver/conf.d/auth.conf.erb'), } $webserver_conf = "${server_puppetserver_dir}/conf.d/webserver.conf" file { $webserver_conf: ensure => file, } $webserver_general_settings = { 'webserver.access-log-config' => "${server_puppetserver_dir}/request-logging.xml", 'webserver.client-auth' => 'want', 'webserver.ssl-host' => $server_ip, 'webserver.ssl-port' => $server_port, 'webserver.ssl-cert' => $server_ssl_cert, 'webserver.ssl-key' => $server_ssl_cert_key, 'webserver.ssl-ca-cert' => $server_ssl_ca_cert, 'webserver.idle-timeout-milliseconds' => $server_web_idle_timeout, 'webserver.ssl-protocols' => $server_ssl_protocols, 'webserver.cipher-suites' => $server_cipher_suites, } $webserver_general_settings.each |$setting, $value| { hocon_setting { $setting: ensure => present, path => $webserver_conf, setting => $setting, value => $value, require => File[$webserver_conf], } } $webserver_http_settings_ensure = $server_http ? { true => present, default => absent, } $webserver_http_settings = { 'webserver.host' => $server_ip, 'webserver.port' => $server_http_port, } $webserver_http_settings.each |$setting, $value| { hocon_setting { $setting: ensure => $webserver_http_settings_ensure, path => $webserver_conf, setting => $setting, value => $value, require => File[$webserver_conf], } } $webserver_crl_settings_ensure = $server_crl_enable ? 
{ true => present, default => absent, } hocon_setting { 'webserver.ssl-crl-path': ensure => $webserver_crl_settings_ensure, path => $webserver_conf, setting => 'webserver.ssl-crl-path', value => $server_ssl_ca_crl, require => File[$webserver_conf], } $webserver_ca_settings_ensure = $server_ca ? { true => present, default => absent, } hocon_setting { 'webserver.ssl-cert-chain': ensure => $webserver_ca_settings_ensure, path => $webserver_conf, setting => 'webserver.ssl-cert-chain', value => $server_ssl_chain, require => File[$webserver_conf], } $product_conf = "${server_puppetserver_dir}/conf.d/product.conf" if versioncmp($server_puppetserver_version, '2.7') >= 0 { $product_conf_ensure = file hocon_setting { 'product.check-for-updates': ensure => present, path => $product_conf, setting => 'product.check-for-updates', value => $server_check_for_updates, require => File[$product_conf], } } else { $product_conf_ensure = absent } file { $product_conf: ensure => $product_conf_ensure, } if versioncmp($server_puppetserver_version, '5.0') >= 0 { $metrics_conf = "${server_puppetserver_dir}/conf.d/metrics.conf" $metrics_conf_ensure = $server_metrics ? { true => file, default => absent } file { $metrics_conf: ensure => $metrics_conf_ensure, } $metrics_general_settings = { 'metrics.server-id' => $metrics_server_id, 'metrics.registries.puppetserver.reporters.jmx.enabled' => $metrics_jmx_enable, 'metrics.registries.puppetserver.reporters.graphite.enabled' => $metrics_graphite_enable, 'metrics.reporters.graphite.host' => $metrics_graphite_host, 'metrics.reporters.graphite.port' => $metrics_graphite_port, 'metrics.reporters.graphite.update-interval-seconds' => $metrics_graphite_interval, } $metrics_general_settings.each |$setting, $value| { hocon_setting { $setting: ensure => present, path => $metrics_conf, setting => $setting, value => $value, require => File[$metrics_conf], } } $metrics_allowed_settings = $metrics_allowed ? 
{ undef => absent, default => present, } hocon_setting { 'metrics.registries.puppetserver.metrics-allowed': ensure => $metrics_allowed_settings, path => $metrics_conf, setting => 'metrics.registries.puppetserver.metrics-allowed', value => $metrics_allowed, type => 'array', require => File[$metrics_conf], } } } diff --git a/metadata.json b/metadata.json index 4d62d25..fe531d1 100644 --- a/metadata.json +++ b/metadata.json 
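Review bot: The new `file { "${server_puppetserver_dir}/conf.d/auth.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/auth.conf.erb') }` resource hands the whole authorization policy to a template that is not part of this diff, so nothing in the hunk shows that the rules the removed resources encoded survive — in particular the final `puppetlabs deny all` rule, the `$server_ca_auth_required` / `$server_ca_client_whitelist` gating on `certificate_status`, the `$server_admin_api_whitelist` restriction on the admin API, and `authorization.allow-header-cert-info` being `$allow_header_cert_info or $server_http`. The removed `hocon_setting` and `puppet_authorization::rule` resources also took care of quoting their values; an ERB template must quote and escape `$server_ca_client_whitelist`, `$server_admin_api_whitelist` and `$server_trusted_agents` itself, otherwise a value containing a quote or HOCON separator produces a file puppetserver rejects or a looser rule than intended. I would add a comment above the resource, `# auth.conf is rendered in full by the template; it must keep the catch-all deny rule and the CA/admin whitelist gating formerly expressed as puppet_authorization::rule resources`, and a spec assertion on the rendered content for at least the deny rule — the spec changes in this diff are cut off, so I cannot tell whether one already exists.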
@@ -1,126 +1,122 @@ { "name": "theforeman-puppet", "version": "9.1.1", "author": "theforeman", "summary": "Puppet agent and server configuration", "license": "GPL-3.0+", "source": "git://github.com/theforeman/puppet-puppet", "project_page": "https://github.com/theforeman/puppet-puppet", "issues_url": "https://github.com/theforeman/puppet-puppet/issues", "description": "Module for installing the Puppet agent and Puppet server", "tags": [ "foreman", "puppet", "puppetmaster", "puppet-server" ], "dependencies": [ { "name": "puppetlabs/apache", "version_requirement": ">= 1.2.0 < 4.0.0" }, - { - "name": "puppetlabs/puppet_authorization", - "version_requirement": ">= 0.3.0 < 1.0.0" - }, { "name": "puppetlabs/concat", "version_requirement": ">= 1.0.0 < 5.0.0" }, { "name": "puppetlabs/hocon", "version_requirement": ">= 1.0.0 < 2.0.0" }, { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.13.0 < 5.0.0" }, { "name": "puppet/extlib", "version_requirement": ">= 0.11.3 < 3.0.0" } ], "requirements": [ { "name": "puppet", "version_requirement": ">= 4.6.1 < 6.0.0" } ], "operatingsystem_support": [ { "operatingsystem": "RedHat", "operatingsystemrelease": [ "6", "7" ] }, { "operatingsystem": "CentOS", "operatingsystemrelease": [ "6", "7" ] }, { "operatingsystem": "Scientific", "operatingsystemrelease": [ "6", "7" ] }, { "operatingsystem": "Fedora", "operatingsystemrelease": [ "26" ] }, { "operatingsystem": "Debian", "operatingsystemrelease": [ "8", "9" ] }, { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ "14.04", "16.04", "18.04" ] }, { "operatingsystem": "FreeBSD", "operatingsystemrelease": [ "10", "11" ] }, { "operatingsystem": "DragonFly", "operatingsystemrelease": [ "4" ] }, { "operatingsystem": "Archlinux" }, { "operatingsystem": "SLES", "operatingsystemrelease": [ "11", "12" ] }, { "operatingsystem": "windows", "operatingsystemrelease": [ "7", "8", "2008 R2", "2012", "2012 R2" ] } ] } 
diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
index bb286ff..a9648d3 100644
--- a/spec/classes/puppet_server_config_spec.rb
+++ b/spec/classes/puppet_server_config_spec.rb
@@ -1,938 +1,936 @@ require 'spec_helper' describe 'puppet::server::config' do before :each do @cacrl = Tempfile.new('cacrl') File.open(@cacrl, 'w') { |f| f.write "This is my CRL File" } Puppet.settings[:cacrl] = @cacrl.path end on_os_under_test.each do |os, facts| next if unsupported_puppetmaster_osfamily(facts[:osfamily]) context "on #{os}" do if facts[:osfamily] == 'FreeBSD' codedir = '/usr/local/etc/puppet' confdir = '/usr/local/etc/puppet' conf_file = '/usr/local/etc/puppet/puppet.conf' environments_dir = '/usr/local/etc/puppet/environments' logdir = '/var/log/puppet' rundir = '/var/run/puppet' vardir = '/var/puppet' puppetserver_vardir = '/var/puppet/server/data/puppetserver' puppetserver_logdir = '/var/log/puppetserver' puppetserver_rundir = '/var/run/puppetserver' ssldir = '/var/puppet/ssl' sharedir = '/usr/local/share/puppet' etcdir = '/usr/local/etc/puppet' puppetcacmd = '/usr/local/bin/puppet cert' else codedir = '/etc/puppetlabs/code' confdir = '/etc/puppetlabs/puppet' conf_file = '/etc/puppetlabs/puppet/puppet.conf' environments_dir = '/etc/puppetlabs/code/environments' logdir = '/var/log/puppetlabs/puppet' rundir = '/var/run/puppetlabs' vardir = '/opt/puppetlabs/puppet/cache' puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' puppetserver_logdir = '/var/log/puppetlabs/puppetserver' puppetserver_rundir = '/var/run/puppetlabs/puppetserver' ssldir = '/etc/puppetlabs/puppet/ssl' sharedir = '/opt/puppetlabs/puppet' etcdir = '/etc/puppetlabs/puppet' puppetcacmd = '/opt/puppetlabs/bin/puppet cert' end let(:facts) do facts.merge({:clientcert => 'puppetmaster.example.com'}) end describe 'with no custom parameters' do let :pre_condition do "class {'puppet': server => true}" end it 'should set up SSL permissions' do should contain_file("#{ssldir}/private_keys"). \ with_group('puppet'). \ with_mode('0750') should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem"). \ with_group('puppet'). 
\ with_mode('0640') should contain_exec('puppet_server_config-create_ssl_dir'). \ with_creates(ssldir). \ with_command("/bin/mkdir -p #{ssldir}"). \ with_umask('0022') should contain_exec('puppet_server_config-generate_ca_cert'). \ with_creates("#{ssldir}/certs/puppetmaster.example.com.pem"). \ with_command("#{puppetcacmd} --generate puppetmaster.example.com --allow-dns-alt-names"). \ with_umask('0022'). \ that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) should contain_puppet__config__main('environmentpath').with_value(environments_dir) end context 'with non-AIO packages', if: facts[:osfamily] == 'FreeBSD' do it 'CA cert generation should notify the Apache service' do should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[httpd]') end end context 'with AIO packages', unless: facts[:osfamily] == 'FreeBSD' do it 'CA cert generation should notify the puppetserver service' do should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') end end it 'should set up the ENC' do should contain_class('foreman::puppetmaster'). with_foreman_url("https://foo.example.com"). with_receive_facts(true). with_puppet_home(puppetserver_vardir). with_puppet_etcdir(etcdir). with_timeout(60) # Since this is managed inside the foreman module it does not # make sense to test it here #with_puppet_basedir('/usr/lib/ruby/site_ruby/1.9/puppet'). end it 'should set up the environments' do should contain_file(environments_dir). with_ensure('directory'). with_owner('puppet'). with_group(nil). with_mode('0755') should contain_file(sharedir).with_ensure('directory') should contain_file("#{codedir}/environments/common"). with_ensure('directory'). with_owner('puppet'). with_group(nil). with_mode('0755') should contain_file("#{sharedir}/modules"). with_ensure('directory'). with_owner('puppet'). with_group(nil). 
with_mode('0755') should contain_puppet__server__env('development') should contain_puppet__server__env('production') end it 'should configure puppet' do should contain_puppet__config__main("logdir").with({'value' => "#{logdir}"}) should contain_puppet__config__main("rundir").with({'value' => "#{rundir}"}) should contain_puppet__config__main("ssldir").with({'value' => "#{ssldir}"}) should contain_puppet__config__main("privatekeydir").with({'value' => '$ssldir/private_keys { group = service }'}) should contain_puppet__config__main("hostprivkey").with({'value' => '$privatekeydir/$certname.pem { mode = 640 }'}) should contain_puppet__config__main("reports").with({'value' => 'foreman'}) should contain_puppet__config__main("environmentpath").with({'value' => "#{codedir}/environments"}) should contain_puppet__config__main("basemodulepath").with({ 'value' => ["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"], 'joiner' => ':'}) should contain_puppet__config__agent('classfile').with({'value' => '$statedir/classes.txt'}) should contain_puppet__config__master('external_nodes').with({'value' => "#{etcdir}\/node.rb"}) should contain_puppet__config__master('node_terminus').with({'value' => 'exec'}) should contain_puppet__config__master('ca').with({'value' => 'true'}) should contain_puppet__config__master('ssldir').with({'value' => "#{ssldir}"}) should contain_puppet__config__master('parser').with({'value' => 'current'}) should contain_puppet__config__master("autosign").with({'value' => "#{etcdir}\/autosign.conf \{ mode = 0664 \}"}) should contain_concat(conf_file) should_not contain_puppet__config__master('storeconfigs') should contain_file("#{etcdir}/autosign.conf") end it 'should not set configtimeout' do should_not contain_puppet__config__agent('configtimeout') end it 'should not configure PuppetDB' do should_not contain_class('puppetdb') should_not contain_class('puppetdb::master::config') end end describe "when autosign 
=> true" do let :pre_condition do "class {'puppet': server => true, autosign => true, }" end it 'should contain puppet.conf [main] with autosign = true' do should contain_puppet__config__master('autosign').with_value(true) end end describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do let :pre_condition do "class {'puppet': server => true, autosign => '/somedir/custom_autosign', autosign_mode => '664', }" end it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 664 }' do should contain_puppet__config__master('autosign').with_value("/somedir/custom_autosign { mode = 664 }") end end describe "when autosign_entries is not set" do let :pre_condition do "class {'puppet': server => true, }" end it 'should contain autosign.conf with out content set' do should contain_file("#{confdir}/autosign.conf") should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_entries set to ['foo.bar']" do let :pre_condition do "class {'puppet': server => true, autosign_entries => ['foo.bar'], }" end it 'should contain autosign.conf with content set' do should contain_file("#{confdir}/autosign.conf") should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do let :pre_condition do "class {'puppet': server => true, autosign_content => 'foo.bar', autosign_entries => ['foo.bar'], }" end it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) } end describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do let :pre_condition do "class {'puppet': server => true, autosign_source => 
'puppet:///foo/bar', autosign_entries => ['foo.bar'], }" end it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) } end describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_content set to 'foo.bar'" do let :pre_condition do "class {'puppet': server => true, autosign => '#{confdir}/custom_autosign.sh', autosign_mode => '775', autosign_content => 'foo.bar', }" end it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do should contain_puppet__config__master('autosign').with_value("#{confdir}/custom_autosign.sh { mode = 775 }") end it 'should contain custom_autosign.sh with content set' do should contain_file("#{confdir}/custom_autosign.sh") should contain_file("#{confdir}/custom_autosign.sh").with_content(/foo.bar/) end end describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_source set to 'puppet:///foo/bar'" do let :pre_condition do "class {'puppet': server => true, autosign => '#{confdir}/custom_autosign.sh', autosign_mode => '775', autosign_source => 'puppet:///foo/bar', }" end it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do should contain_puppet__config__master('autosign').with_value("#{confdir}/custom_autosign.sh { mode = 775 }") end it 'should contain custom_autosign.sh with content set' do should contain_file("#{confdir}/custom_autosign.sh") should contain_file("#{confdir}/custom_autosign.sh").with_source('puppet:///foo/bar') end end describe "when hiera_config => '$confdir/hiera.yaml'" do let :pre_condition do "class {'puppet': server => true, hiera_config => '/etc/puppet/hiera/production/hiera.yaml', }" end it 'should contain puppet.conf [main] with non-default hiera_config' do should contain_puppet__config__main("hiera_config").with_value('/etc/puppet/hiera/production/hiera.yaml') end end describe 'without foreman' do let 
:pre_condition do "class {'puppet': server => true, server_reports => 'store', server_external_nodes => '', }" end it 'should contain an empty external_nodes' do should_not contain_puppet__config__master('external_nodes') end end describe 'without external_nodes' do let :pre_condition do "class {'puppet': server => true, server_external_nodes => '', }" end it 'should not contain external_nodes' do should_not contain_puppet__config__master('external_nodes') should_not contain_puppet__config__master('node_terminus') end end describe 'with server_default_manifest => true and undef content' do let :pre_condition do 'class { "::puppet": server_default_manifest => true, server => true }' end it 'should contain default_manifest setting in puppet.conf' do should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') end it 'should_not contain default manifest /etc/puppet/manifests/default_manifest.pp' do should_not contain_file('/etc/puppet/manifests/default_manifest.pp') end end describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do let :pre_condition do 'class { "::puppet": server_default_manifest => true, server_default_manifest_content => "include foo", server => true }' end it 'should contain default_manifest setting in puppet.conf' do should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'}) end it 'should contain default manifest /etc/puppet/manifests/default_manifest.pp' do should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content(/include foo/) end end describe 'with git repo' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, }" end it 'should set up the environments directory' do should contain_file(environments_dir). \ with_ensure('directory'). 
\ with_owner('puppet') end it 'should create the puppet user' do shell = case facts[:osfamily] when /^(FreeBSD|DragonFly)$/ '/usr/local/bin/git-shell' else '/usr/bin/git-shell' end should contain_user('puppet'). with_shell(shell). that_requires('Class[git]') end it 'should create the git repo' do should contain_file(vardir). with_ensure('directory'). with_owner('puppet') should contain_git__repo('puppet_repo'). with_bare(true). with_target("#{vardir}/puppet.git"). with_user('puppet'). that_requires("File[#{environments_dir}]") should contain_file("#{vardir}/puppet.git/hooks/post-receive"). with_owner('puppet'). \ with_mode('0755'). \ with_require(%r{Git::Repo\[puppet_repo\]}). \ with_content(%r{BRANCH_MAP = \{[^a-zA-Z=>]\}}) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } context 'with directory environments' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_directory_environments => true, }" end it 'should configure puppet.conf' do should_not contain_puppet__config__master('config_version') should contain_puppet__config__main('environmentpath').with_value(environments_dir) end end context 'with config environments' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_directory_environments => false, }" end it 'should configure puppet.conf' do should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") should contain_puppet__config__master('config_version').with_value("git --git-dir #{environments_dir}/\$environment/.git describe --all --long") end end end describe 'with dynamic environments' do context 'with directory environments' do let :pre_condition do "class {'puppet': server => true, server_dynamic_environments => true, 
server_directory_environments => true, server_environments_owner => 'apache', }" end it 'should set up the environments directory' do should contain_file(environments_dir). \ with_ensure('directory'). \ with_owner('apache') end it 'should configure puppet.conf' do should contain_puppet__config__main('environmentpath').with_value(environments_dir) should contain_puppet__config__main('basemodulepath').with_value(["#{environments_dir}/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"]) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } end context 'with no common modules directory' do let :pre_condition do "class {'puppet': server => true, server_dynamic_environments => true, server_directory_environments => true, server_environments_owner => 'apache', server_common_modules_path => '', }" end it 'should configure puppet.conf' do should_not contain_puppet__config__main('basemodulepath') end end context 'with config environments' do let :pre_condition do "class {'puppet': server => true, server_dynamic_environments => true, server_directory_environments => false, server_environments_owner => 'apache', }" end it 'should set up the environments directory' do should contain_file(environments_dir). \ with_ensure('directory'). 
\ with_owner('apache') end it 'should configure puppet.conf' do should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } end end describe 'with SSL path overrides' do let :pre_condition do "class {'puppet': server => true, server_foreman_ssl_ca => '/etc/example/ca.pem', server_foreman_ssl_cert => '/etc/example/cert.pem', server_foreman_ssl_key => '/etc/example/key.pem', }" end it 'should pass SSL parameters to the ENC' do should contain_class('foreman::puppetmaster'). with_ssl_ca('/etc/example/ca.pem'). with_ssl_cert('/etc/example/cert.pem'). with_ssl_key('/etc/example/key.pem') end end describe 'with a PuppetDB host set' do let :pre_condition do "class {'puppet': server => true, server_puppetdb_host => 'mypuppetdb.example.com', server_storeconfigs_backend => 'puppetdb', }" end it 'should configure PuppetDB' do should compile.with_all_deps should contain_class('puppetdb::master::config'). with_puppetdb_server('mypuppetdb.example.com'). with_puppetdb_port(8081). with_puppetdb_soft_write_failure(false). with_manage_storeconfigs(false). with_restart_puppet(false) end end describe 'with a puppet git branch map' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_git_branch_map => { 'a' => 'b', 'c' => 'd' } }" end it 'should add the branch map to the post receive hook' do should contain_file("#{vardir}/puppet.git/hooks/post-receive"). 
with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) end end describe 'with additional settings' do let :pre_condition do "class {'puppet': server => true, server_additional_settings => {stringify_facts => true}, }" end it 'should configure puppet.conf' do should contain_puppet__config__master('stringify_facts').with_value(true) end end describe 'with server_parser => future' do let :pre_condition do "class {'puppet': server => true, server_parser => 'future', }" end it 'should configure future parser' do should contain_puppet__config__master('parser').with_value('future') end end describe 'with server_environment_timeout set' do let :pre_condition do "class {'puppet': server => true, server_environment_timeout => '10m', }" end it 'should configure environment_timeout accordingly' do should contain_puppet__config__master('environment_timeout').with_value('10m') end end describe 'with no ssldir managed for master' do let :pre_condition do "class {'puppet': server => true, server_ssl_dir_manage => false}" end it 'should not contain ssl_dir configuration setting in the master section' do should_not contain_puppet__config__master('ssl_dir') end end describe 'with ssl key management disabled for server' do let :pre_condition do "class {'puppet': server => true, server_certname => 'servercert', server_ssl_key_manage => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end it 'should not contain a default ssl key definition' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') end end describe 'with nondefault CA settings' do let :pre_condition do "class {'puppet': server => true, server_ca => false, }" end it 'should create the ssl directory' do should contain_exec('puppet_server_config-create_ssl_dir') end it 'should not generate CA certificates' do should_not contain_exec('puppet_server_config-generate_ca_cert') end end describe 'with server_implementation => "puppetserver"' do let :pre_condition do "class 
{'puppet': server => true, server_implementation => 'puppetserver' }" end it 'should configure puppet.conf' do should contain_puppet__config__master("vardir").with_value(puppetserver_vardir) should contain_puppet__config__master("logdir").with_value(puppetserver_logdir) should contain_puppet__config__master("rundir").with_value(puppetserver_rundir) end end describe 'with server_ca_crl_sync => true' do context 'with server_ca => false and running "puppet apply"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end context 'with server_ca => false: running "puppet agent -t"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end let(:facts) do facts.merge({:servername => 'myserver' }) end it 'should sync the crl from the ca' do should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem'). with_content("This is my CRL File") end end context 'with server_ca => true: running "puppet agent -t"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => true, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end let(:facts) do facts.merge({:servername => 'myserver' }) end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end end describe 'allow crl checking' do context 'as ca' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the ca_crl.pem file' do should contain_hocon_setting('webserver.ssl-crl-path'). 
with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-crl-path'). with_value("#{ssldir}/ca/ca_crl.pem"). with_ensure('present') end end context 'as non-ca with default' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => false, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the ca_crl.pem file' do should contain_hocon_setting('webserver.ssl-crl-path'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-crl-path'). with_ensure('absent') end end context 'as non-ca with server_crl_enable' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => false, server_crl_enable => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the crl.pem file' do should contain_hocon_setting('webserver.ssl-crl-path'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-crl-path'). with_value("#{ssldir}/crl.pem"). with_ensure('present') end end end describe 'with ssl_protocols overwritten' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_ssl_protocols => ['TLSv1.1', 'TLSv1.2'], }" end it 'should set the ssl protocols' do should contain_hocon_setting('webserver.ssl-protocols'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-protocols'). with_value(['TLSv1.1', 'TLSv1.2']). 
with_ensure('present') end end describe 'with cipher-suites overwritten' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_cipher_suites => ['TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA'], }" end it 'should set the cipher suite' do should contain_hocon_setting('webserver.cipher-suites'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.cipher-suites'). with_value(['TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA']). with_ensure('present') end end describe 'with ssl_chain_filepath overwritten' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', server_ssl_chain_filepath => '/etc/example/certchain.pem', }" end it 'should use the server_ssl_chain_filepath file' do should contain_hocon_setting('webserver.ssl-cert-chain'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-cert-chain'). with_value('/etc/example/certchain.pem'). with_ensure('present') end end describe 'with server_ip parameter given to the puppet class' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_ip => '127.0.0.1', }" end it 'should put the correct ip address in webserver.conf' do should contain_hocon_setting('webserver.ssl-host'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-host'). with_value('127.0.0.1'). 
with_ensure('present') end end describe 'with server_certname parameter' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_certname => 'puppetserver43.example.com', server_ssl_dir => '/etc/custom/puppet/ssl', }" end it 'should put the correct ssl key path in webserver.conf' do should contain_hocon_setting('webserver.ssl-key'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-key'). with_value('/etc/custom/puppet/ssl/private_keys/puppetserver43.example.com.pem'). with_ensure('present') end it 'should put the correct ssl cert path in webserver.conf' do should contain_hocon_setting('webserver.ssl-cert'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-cert'). with_value('/etc/custom/puppet/ssl/certs/puppetserver43.example.com.pem'). with_ensure('present') end end describe 'with server_http parameter set to true for the puppet class' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_http => true, }" end it do should contain_hocon_setting('webserver.host'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.host'). with_value('0.0.0.0') end
- it { should contain_hocon_setting('authorization.allow-header-cert-info').
- with_path('/etc/custom/puppetserver/conf.d/auth.conf').
- with_setting('authorization.allow-header-cert-info').
- with_value(true)
+ it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: true/).
+ with({})
 } end describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_allow_header_cert_info => true, }" end
- it { should contain_hocon_setting('authorization.allow-header-cert-info').
- with_path('/etc/custom/puppetserver/conf.d/auth.conf').
- with_setting('authorization.allow-header-cert-info').
- with_value(true)
+ it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: true/).
+ with({})
 } end describe 'with server_http_allow parameter set for the puppet class' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_http => true, server_http_allow => ['1.2.3.4'], }" end it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) } end end end end
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index df064e3..a573865 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -1,895 +1,871 @@ require 'spec_helper' describe 'puppet::server::puppetserver' do on_os_under_test.each do |os, facts| next if facts[:osfamily] == 'windows' next if facts[:osfamily] == 'Archlinux' context "on #{os}" do let :pre_condition do "class {'puppet': server_implementation => 'puppetserver'}" end let(:facts) do facts end let(:default_params) do { :java_bin => '/usr/bin/java', :config => '/etc/default/puppetserver', :jvm_min_heap_size => '2G', :jvm_max_heap_size => '2G', :jvm_extra_args => '', :jvm_cli_args => false, # In reality defaults to undef :server_ca_auth_required => true, :server_ca_client_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_admin_api_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_ruby_load_paths => [ '/some/path', ], :server_ssl_protocols => [ 'TLSv1.2', ], :server_cipher_suites => [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ], :server_max_active_instances => 2, :server_max_requests_per_instance => 0, :server_max_queued_requests => 0, :server_max_retry_delay => 1800, :server_http => false, :server_http_allow => [], :server_ca => true, :server_puppetserver_version => '2.4.99', :server_use_legacy_auth_conf => false, :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/puppetlabs/server/data/puppetserver', :server_puppetserver_rundir => '/var/run/puppetlabs/puppetserver', :server_puppetserver_logdir => '/var/log/puppetlabs/puppetserver', :server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', :server_dir => '/etc/puppetlabs/puppet', :codedir => '/etc/puppetlabs/code', :server_idle_timeout => 1200000, :server_web_idle_timeout => 30000, :server_connect_timeout => 120000, :server_check_for_updates => true, :server_environment_class_cache_enabled => false, :server_jruby9k => false, :server_metrics => true, :metrics_jmx_enable => true, 
:metrics_graphite_enable => true, :metrics_graphite_host => 'graphitehost.example.com', :metrics_graphite_port => 2003, :metrics_server_id => 'puppetserver.example.com', :metrics_graphite_interval => 5, :metrics_allowed => ['single.element.array'], :server_experimental => true, :server_ip => '0.0.0.0', :server_port => '8140', :server_http_port => '8139', :server_ssl_ca_crl => '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem', :server_ssl_ca_cert => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', :server_ssl_cert => '/etc/puppetlabs/puppet/ssl/certs/puppetserver123.example.com.pem', :server_ssl_cert_key => '/etc/puppetlabs/puppet/ssl/private_keys/puppetserver123.example.com.pem', :server_ssl_chain => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', :server_crl_enable => true, :server_trusted_agents => [], :allow_header_cert_info => false, :compile_mode => 'off', # In reality defaults to undef } end describe 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled').with_ensure('present') } it { should contain_file_line('ca_disabled'). with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}). without_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'', ]). with_context('/files/etc/rc.conf'). 
with({}) } else it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') } it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java' ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(/^# Settings related to the puppet-admin HTTP API$/). without_content(/^puppet-admin: \{$/). without_content(/^\s+client-whitelist: \[$/). without_content(/^\s+"localhost"\,$/). without_content(/^\s+"puppetserver123.example.com"\,$/). with({}) # So we can use a trailing dot on each with_content line } it { should contain_hocon_setting('webserver.ssl-host'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-host'). with_value('0.0.0.0'). with_ensure('present') } it { should contain_hocon_setting('webserver.ssl-port'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-port'). with_value('8140'). with_ensure('present') } it { should contain_hocon_setting('webserver.host').with_ensure('absent') } it { should contain_hocon_setting('webserver.port').with_ensure('absent') } - - it { - should contain_hocon_setting('authorization.allow-header-cert-info'). - with_path('/etc/custom/puppetserver/conf.d/auth.conf'). 
- with_setting('authorization.allow-header-cert-info').
- with_value(false)
- }
- it {
- should contain_puppet_authorization__rule('certificate_status').
- with_match_request_path('/puppet-ca/v1/certificate_status/').
- with_ensure('present')
- }
- it {
- should contain_puppet_authorization__rule('certificate_statuses').
- with_match_request_path('/puppet-ca/v1/certificate_statuses/').
- with_ensure('present')
- }
- it {
- should contain_puppet_authorization__rule('environment-cache').
- with_match_request_path('/puppet-admin-api/v1/environment-cache')
- }
 it {
- should contain_puppet_authorization__rule('jruby-pool').
- with_match_request_path('/puppet-admin-api/v1/jruby-pool')
+ should contain_file('/etc/custom/puppetserver/conf.d/auth.conf').
+ with_content(/allow-header-cert-info: false/).
+ with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/).
+ with_content(/^\s+name: "certificate_status"/).
+ with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/).
+ with_content(/^\s+name: "certificate_statuses"/).
+ with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/).
+ with_content(/^\s+name: "environment-cache"/).
+ with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/).
+ with_content(/^\s+name: "jruby-pool"/).
+ with({}) # So we can use a trailing dot on each with_content line } end describe 'server_puppetserver_vardir' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/puppetlabs/server/data/puppetserver\n]) end end context 'with custom server_puppetserver_vardir' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/custom/puppetlabs/server/data/puppetserver', ) end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/custom/puppetlabs/server/data/puppetserver\n]) end end end describe 'use-legacy-auth-conf' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have use-legacy-auth-conf: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ use-legacy-auth-conf: false\n]) end end context 'when use-legacy-auth-conf = true' do let(:params) do default_params.merge( :server_use_legacy_auth_conf => true, :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have use-legacy-auth-conf: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ use-legacy-auth-conf: true\n]) end end end describe 'environment-class-cache-enabled' 
do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have environment-class-cache-enabled: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: false\n]) end end context 'when environment-class-cache-enabled = true' do let(:params) do default_params.merge( :server_environment_class_cache_enabled => true, :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have environment-class-cache-enabled: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: true\n]) end end context 'when server_puppetserver_version < 2.4' do let(:params) do default_params.merge( :server_puppetserver_version => '2.2.2', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should not have a environment-class-cache-enabled setting in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).not_to include('environment-class-cache-enabled') end end end describe 'server_max_requests_per_instance' do context 'with default parameters' do let(:params) do default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 0\n]) end end context 'custom server_max_requests_per_instance' do let(:params) do default_params.merge(:server_max_requests_per_instance => 123456) end it 'should have custom 
max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 123456\n]) end end end describe 'server_max_queued_requests' do context 'when server_puppetserver_version >= 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', ) end it 'should have max-queued-requests: 0' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-queued-requests: 0\n}) end end context 'when server_puppetserver_version >= 5.0 with custom server_max_queued_requests' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', :server_max_queued_requests => 100, ) end it 'should have custom max-queued-requests: 100' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-queued-requests: 100\n}) end end context 'when server_puppetserver_version < 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '2.7.0', ) end it 'should not have max-queued-requests' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ max-queued-requests: (.*)$}) end end end describe 'server_max_retry_delay' do context 'when server_puppetserver_version >= 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', ) end it 'should have max-retry-delay: 1800' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). 
with_content(%r{^ max-retry-delay: 1800\n}) end end context 'when server_puppetserver_version >= 5.0 custom server_max_retry_delay' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '5.0.0', :server_max_retry_delay => 100 ) end it 'should have custom max-retry-delay: 100' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ max-retry-delay: 100\n}) end end context 'when server_puppetserver_version < 5.0 with default parameters' do let(:params) do default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_version => '2.7.0', ) end it 'should not have max-retry-delay' do should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ max-retry-delay: (.*)$}) end end end describe 'versioned-code-service' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file_line('versioned_code_service') } end context 'when server_puppetserver_version >= 2.3 and < 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.3.1', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). 
that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end context 'when server_puppetserver_version < 2.3' do let(:params) do default_params.merge( :server_puppetserver_version => '2.2.2', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it 'should not have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end end describe 'bootstrap.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should_not contain_file_line('ca_enabled') } it { should_not contain_file_line('ca_disabled') } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do default_params.merge( :server_puppetserver_version => '2.4.98', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } it { should contain_file_line('ca_disabled'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } unless facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::bootstrap'). 
with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\''). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end end describe 'ca.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } unless facts[:osfamily] == 'FreeBSD' it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap'). with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\''). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end context 'when server_puppetserver_version >= 2.5 and server_ca => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.5.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_ca => false, ) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). 
with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do default_params.merge( :server_puppetserver_version => '2.4.98', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should_not contain_file('/etc/custom/puppetserver/services.d') } it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') } end context 'when server_puppetserver_version >= 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.1.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}). with_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } end end describe 'product.conf' do context 'when server_puppetserver_version >= 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_check_for_updates => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf'). with_ensure('file') } it { should contain_hocon_setting('product.check-for-updates'). with_path('/etc/custom/puppetserver/conf.d/product.conf'). with_setting('product.check-for-updates'). with_value(false). 
with_ensure('present') } end context 'when server_puppetserver_version < 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.6.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf').with_ensure('absent') } it { should_not contain_hocon_setting('product.check-for-updates') } end end describe 'server_metrics' do context 'when server_puppetserver_version < 5.0 and server_metrics => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } end context 'when server_puppetserver_version < 5.0 and server_metrics => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } end context 'when server_puppetserver_version >= 5.0 and server_metrics => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => true, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)}). 
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf').with_ensure('file') } it { should contain_hocon_setting('metrics.server-id'). with_path('/etc/custom/puppetserver/conf.d/metrics.conf'). with_setting('metrics.server-id'). with_value('puppetserver.example.com'). with_ensure('present') } it { should contain_hocon_setting('metrics.reporters.graphite.host'). with_path('/etc/custom/puppetserver/conf.d/metrics.conf'). with_setting('metrics.reporters.graphite.host'). with_value('graphitehost.example.com'). with_ensure('present') } it { should contain_hocon_setting('metrics.registries.puppetserver.metrics-allowed'). with_path('/etc/custom/puppetserver/conf.d/metrics.conf'). with_setting('metrics.registries.puppetserver.metrics-allowed'). with_value(['single.element.array']). with_type('array'). with_ensure('present') } end context 'when server_puppetserver_version >= 5.0 and server_metrics => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_metrics => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$}). 
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf').with_ensure('absent') } end end describe 'server_experimental' do context 'when server_puppetserver_version < 5.0 and server_experimental => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_experimental => true, + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_experimental => true, ) end - it { - should contain_puppet_authorization__rule('puppetlabs experimental'). - with_ensure('absent'). - with_path('/etc/custom/puppetserver/conf.d/auth.conf') + should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). + without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version < 5.0 and server_experimental => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_experimental => false, + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_experimental => false, ) end - it { - should contain_puppet_authorization__rule('puppetlabs experimental'). - with_ensure('absent'). - with_path('/etc/custom/puppetserver/conf.d/auth.conf') + should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). + without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_experimental => true, + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_experimental => true, ) end - it { - should contain_puppet_authorization__rule('puppetlabs experimental'). - with_ensure('present'). 
- with_path('/etc/custom/puppetserver/conf.d/auth.conf'). - with_match_request_path('/puppet/experimental') + should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). + with_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_experimental => false, + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_experimental => false, ) end it { - should contain_puppet_authorization__rule('puppetlabs experimental'). - with_ensure('absent'). - with_path('/etc/custom/puppetserver/conf.d/auth.conf') + should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). + without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end describe 'puppet tasks information' do context 'when server_puppetserver_version < 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end - + it { - should contain_puppet_authorization__rule('puppet tasks information'). - with_ensure('absent'). - with_path('/etc/custom/puppetserver/conf.d/auth.conf') + should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). + without_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } end context 'when server_puppetserver_version >= 5.1' do let(:params) do default_params.merge( :server_puppetserver_version => '5.1.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end - + it { - should contain_puppet_authorization__rule('puppet tasks information'). - with_ensure('present'). - with_path('/etc/custom/puppetserver/conf.d/auth.conf') + should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). 
+ with_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } end end describe 'server_trusted_agents' do context 'when set' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_trusted_agents => ['jenkins', 'octocatalog-diff'], ) end it { - should contain_puppet_authorization__rule('puppetlabs catalog'). - with_ensure('present'). - with_path('/etc/custom/puppetserver/conf.d/auth.conf'). - with_allow(['$1', 'jenkins', 'octocatalog-diff']) + should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). + with_content(%r{^ allow: \["jenkins", "octocatalog-diff", "\$1"\]$}) } end end unless facts[:osfamily] == 'FreeBSD' describe 'server_jruby9k' do context 'when server_puppetserver_version < 5.0 and server_jruby9k => true' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => true, ) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version < 5.0 and server_jruby9k => false' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => false, ) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => true' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => true, ) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). 
with({}) } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => false' do let(:params) do default_params.merge( :server_puppetserver_version => '5.0.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_jruby9k => false, ) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['rm JRUBY_JAR']). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end end describe 'with extra_args parameter' do let :params do default_params.merge( :jvm_extra_args => ['-XX:foo=bar', '-XX:bar=foo'], ) end if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', ]). with_context('/files/etc/rc.conf'). with({}) } else it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', 'set JAVA_BIN /usr/bin/java', ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end describe 'with cli_args parameter' do let :params do default_params.merge(:jvm_cli_args => '-Djava.io.tmpdir=/var/puppettmp') end if facts[:osfamily] != 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm'). with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java', 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'', ]). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). 
 with({}) } end end describe 'with jvm_config file parameter' do let :params do default_params.merge(:config => '/etc/custom/puppetserver') end if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm').with_context('/files/etc/rc.conf') } else it { should contain_augeas('puppet::server::puppetserver::jvm'). with_context('/files/etc/custom/puppetserver'). with_incl('/etc/custom/puppetserver'). with_lens('Shellvars.lns'). with({}) } end end describe 'when server_puppetserver_version < 2.2' do let(:params) do default_params.merge(:server_puppetserver_version => '2.1.0') end it { should raise_error(Puppet::Error, /puppetserver <2.2 is not supported by this module version/) } end end end end
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
new file mode 100644
index 0000000..2f0a13d
--- /dev/null
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -0,0 +1,279 @@
+authorization: {
+ version: 1
+ allow-header-cert-info: <%= @server_http || @allow_header_cert_info %>
+ rules: [
+ {
+ # Allow nodes to retrieve their own catalog
+ match-request: {
+ path: "^/puppet/v3/catalog/([^/]+)$"
+ type: regex
+ method: [get, post]
+ }
+ allow: <%= @server_trusted_agents << '$1' %>
+ sort-order: 500
+ name: "puppetlabs catalog"
+ },
+ {
+ # Allow nodes to retrieve the certificate they requested earlier
+ match-request: {
+ path: "/puppet-ca/v1/certificate/"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs certificate"
+ },
+ {
+ # Allow all nodes to access the certificate revocation list
+ match-request: {
+ path: "/puppet-ca/v1/certificate_revocation_list/ca"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs crl"
+ },
+ {
+ # Allow nodes to request a new certificate
+ match-request: {
+ path: "/puppet-ca/v1/certificate_request"
+ type: path
+ method: [get, put]
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs csr"
+ },
+<%- if @server_ca -%>
+ {
+ match-request: {
+ path: "/puppet-ca/v1/certificate_status/"
+ type: path
+ method: [ get, put, delete ]
+ }
+<%- if @server_ca_auth_required == false -%>
+ allow-unauthenticated: true
+<%- else -%>
+ allow: [
+<%- @server_ca_client_whitelist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
+ ]
+<%- end -%>
+ sort-order: 200
+ name: "certificate_status"
+ },
+ {
+ match-request: {
+ path: "/puppet-ca/v1/certificate_statuses/"
+ type: path
+ method: get
+ }
+<%- if @server_ca_auth_required == false -%>
+ allow-unauthenticated: true
+<%- else -%>
+ allow: [
+<%- @server_ca_client_whitelist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
+ ]
+<%- end -%>
+ sort-order: 200
+ name: "certificate_statuses"
+ },
+<%- end -%>
+ {
+ match-request: {
+ path: "/puppet-admin-api/v1/environment-cache"
+ type: path
+ method: delete
+ }
+ allow: [
+<%-
@server_admin_api_whitelist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
+ ]
+ sort-order: 200
+ name: "environment-cache"
+ },
+ {
+ match-request: {
+ path: "/puppet-admin-api/v1/jruby-pool"
+ type: path
+ method: delete
+ }
+ allow: [
+<%- @server_admin_api_whitelist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
+ ]
+ sort-order: 200
+ name: "jruby-pool"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/environments"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs environments"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/environment_classes"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs environment classes"
+ },
+<%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) < 0 -%>
+ {
+ match-request: {
+ path: "/puppet/v3/resource_type"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs resource type"
+ },
+ {
+ # Allow nodes to access all file services; this is necessary for
+ # pluginsync, file serving from modules, and file serving from
+ # custom mount points (see fileserver.conf). Note that the `/file`
+ # prefix matches requests to file_metadata, file_content, and
+ # file_bucket_file paths.
+ match-request: {
+ path: "/puppet/v3/file"
+ type: path
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file"
+ },
+<%- else -%>
+ {
+ # Allow nodes to access all file_bucket_files. Note that access for
+ # the 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_bucket_file"
+ type: path
+ method: [get, head, post, put]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file bucket file"
+ },
+ {
+ # Allow nodes to access all file_content. Note that access for the
+ # 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_content"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file content"
+ },
+ {
+ # Allow nodes to access all file_metadata. Note that access for the
+ # 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_metadata"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file metadata"
+ },
+<%- end -%>
+ {
+ # Allow nodes to retrieve only their own node definition
+ match-request: {
+ path: "^/puppet/v3/node/([^/]+)$"
+ type: regex
+ method: get
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs node"
+ },
+ {
+ # Allow nodes to store only their own reports
+ match-request: {
+ path: "^/puppet/v3/report/([^/]+)$"
+ type: regex
+ method: put
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs report"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/status"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/static_file_content"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs static file content"
+ },
+<%- if scope.function_versioncmp([@server_puppetserver_version, '5.1']) >= 0 -%>
+ {
+ match-request: {
+ path: "/puppet/v3/tasks"
+ type: path
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppet tasks information"
+ },
+<%- end -%>
+<%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 && @server_experimental -%>
+ {
+ # Allow all users access to the experimental endpoint
+ # which currently only provides a dashboard web ui.
+ match-request: {
+ path: "/puppet/experimental"
+ type: path
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs experimental"
+ },
+<%- end -%>
+ {
+ # Deny everything else.
This ACL is not strictly
+ # necessary, but illustrates the default policy
+ match-request: {
+ path: "/"
+ type: path
+ }
+ deny: "*"
+ sort-order: 999
+ name: "puppetlabs deny all"
+ }
+ ]
+}
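Review bot: The `certificate_status` and `certificate_statuses` rules switch to `allow-unauthenticated: true` whenever `@server_ca_auth_required` is false, which lets any client that can reach the master sign, revoke and delete certificates (the first rule covers `put` and `delete`), and nothing in the template says so; I would put `# WARNING: with server_ca_auth_required => false, certificate signing and revocation need no client certificate - restrict network access to the CA port.` above each `<%- if @server_ca_auth_required == false -%>` branch. Similarly `allow-header-cert-info` is forced on whenever `@server_http` is set, so puppetserver will trust the X-Client-* identity headers from whatever reaches it; a comment `# Trusts X-Client-* headers: the HTTP listener must only be reachable through the TLS-terminating proxy that sets (and strips) them.` above that line would make the deployment requirement explicit. Finally, `allow: <%= @server_trusted_agents << '$1' %>` appends to the parameter's array in place (unless Puppet hands the template a frozen copy, in which case it raises instead), so every render mutates `server_trusted_agents`; `allow: <%= @server_trusted_agents + ['$1'] %>` yields the same `["jenkins", "octocatalog-diff", "$1"]` output the spec expects without the side effect.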