diff --git a/README.md b/README.md index b9a88d9..53946a8 100644 --- a/README.md +++ b/README.md @@ -1,194 +1,180 @@ [![Puppet Forge](https://img.shields.io/puppetforge/v/theforeman/puppet.svg)](https://forge.puppetlabs.com/theforeman/puppet) [![Build Status](https://travis-ci.org/theforeman/puppet-puppet.svg?branch=master)](https://travis-ci.org/theforeman/puppet-puppet) # Puppet module for installing the Puppet agent and master Installs and configures the Puppet agent and optionally a Puppet master (when `server` is true). Part of the [Foreman installer](https://github.com/theforeman/foreman-installer) or to be used as a Puppet module. When using Puppet Server (version 2.2.x is the lowest version, this module supports), the module supports and assumes you will be installing the latest version. If you know you'll be installing an earlier or specific version, you will need to override `server_puppetserver_version`. More information in the Puppet Server section below. Many puppet.conf options for agents, masters and other are parameterized, with class documentation provided at the top of the manifests. In addition, there are hash parameters for each configuration section that can be used to supply any options that are not explicitly supported. ## Environments support -The module helps configure Puppet environments using directory environments on -Puppet 3.6+ and config environments on older versions. These are set up under -/etc/puppet/environments/ - change `server_environments` to define the list to -create, or use `puppet::server::env` for more control. When using directory -environments with R10K you need to set the `server_environments` parameter to an -empty array ie. `[]` to prevent `r10k deploy environments` from reporting an -error caused by the creation of top level environment directory(s). +The module helps configure Puppet environments using directory environments. +These are set up under /etc/puppetlabs/code/environments. ## Git repo support Environments can be backed by git by setting `server_git_repo` to true, which sets up `/var/lib/puppet/puppet.git` where each branch maps to one environment. Avoid using 'master' as this name isn't permitted. On each push to the repo, a hook updates `/etc/puppet/environments` with the contents of the branch. Requires [theforeman/git](https://forge.puppetlabs.com/theforeman/git). ## Foreman integration With the 3.0.0 release the Foreman integration became optional. It will still by default install the Foreman integration when `server` is true, so if you wish to run a Puppet master without Foreman, it can be disabled by setting `server_foreman` to false. Requires [theforeman/foreman](https://forge.puppetlabs.com/theforeman/foreman). ## PuppetDB integration The Puppet master can be configured to export catalogs and reports to a PuppetDB instance, using the puppetlabs/puppetdb module. Use its `puppetdb::server` class to install the PuppetDB server and this module to configure the Puppet master to connect to PuppetDB. Requires [puppetlabs/puppetdb](https://forge.puppetlabs.com/puppetlabs/puppetdb) Please see the notes about using puppetlabs/puppetdb 5.x with older versions of Puppet (< 4.x) and PuppetDB (< 3.x) with newer releases of the module and set the values via hiera or an extra include of `puppetdb::globals` with `puppetdb_version` defined. # Installation Available from GitHub (via cloning or tarball), [Puppet Forge](https://forge.puppetlabs.com/theforeman/puppet) or as part of the Foreman installer. # Usage As a parameterized class, all the configurable options can be overridden from your wrapper classes or even your ENC (if it supports param classes). For example: # Agent and cron (or daemon): class { '::puppet': runmode => 'cron' } # Agent and puppetmaster: class { '::puppet': server => true } # You want to use git? class { '::puppet': server => true server_git_repo => true } # Maybe you're using gitolite, new hooks, and a different port? class { '::puppet': server => true server_port => 8141, server_git_repo => true, server_git_repo_path => '/var/lib/gitolite/repositories/puppet.git', server_post_hook_name => 'post-receive.puppet', server_post_hook_content => 'puppetserver/post-hook.puppet', } # Configure master without Foreman integration class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', } - # The same example as above but overriding `server_environments` for R10K - class { '::puppet': - server => true, - server_foreman => false, - server_reports => 'store', - server_external_nodes => '', - server_environments => [], - } - # Want to integrate with an existing PuppetDB? class { '::puppet': server => true, server_puppetdb_host => 'mypuppetdb.example.com', server_reports => 'puppetdb,foreman', server_storeconfigs_backend => 'puppetdb', } Look in _init.pp_ for what can be configured this way, see Contributing if anything doesn't work. To use this in standalone mode, edit a file (e.g. install.pp), put in a class resource, as per the examples above, and the execute _puppet apply_ e.g: cat > install.pp < true } EOF puppet apply install.pp --modulepath /path_to/extracted_tarball # Advanced scenarios An HTTP (non-SSL) puppetmaster instance can be set up (standalone or in addition to the SSL instance) by setting the `server_http` parameter to `true`. This is useful for reverse proxy or load balancer scenarios where the proxy/load balancer takes care of SSL termination. The HTTP puppetmaster instance expects the `X-Client-Verify`, `X-SSL-Client-DN` and `X-SSL-Subject` HTTP headers to have been set on the front end server. The listening port can be configured by setting `server_http_port` (which defaults to 8139). For puppetserver, this HTTP instance accepts **ALL** connections and no further restrictions can be configured. **Note that running an HTTP puppetmaster is a huge security risk when improperly configured. Allowed hosts should be tightly controlled; anyone with access to an allowed host can access all client catalogues and client certificates.** # Configure an HTTP puppetmaster vhost in addition to the standard SSL vhost class { '::puppet': server => true, server_http => true, server_http_port => 8130, # default: 8139 } ## Puppet Server configuration Puppet Server requires slightly different configuration between different versions, which this module supports. It's recommended that you set the `server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version you have installed. By default the module will configure for the latest version available. Currently supported values and configuration behaviours are: * `5.1.0` (default for Puppet >= 5.1) - configures CRL reload service and `/puppet/v3/tasks` route * `5.0.0` (default for Puppet 5.0.x) - configures metrics service and `/puppet/experimental` route * `2.7.x` (default for Puppet < 5) - creates `product.conf` * `2.5.x`, `2.6.x` - configures the certificate authority in `ca.cfg` * `2.4.99` - configures for both 2.4 and 2.5, with `bootstrap.cfg` and `ca.cfg` * `2.3.x`, `2.4.x` - configures the certificate authority and versioned-code-service in `bootstrap.cfg` * `2.2.x` - configures the certificate authority in `bootstrap.cfg` # Contributing * Fork the project * Commit and push until you are happy with your contribution # More info See https://theforeman.org or at #theforeman irc channel on freenode Copyright (c) 2010-2012 Ohad Levy This program and entire repository is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . diff --git a/manifests/init.pp b/manifests/init.pp index 09ab9f6..e120ad6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,739 +1,723 @@ # == Class: puppet # # This class installs and configures the puppet agent. # # === Parameters: # # $version:: Specify a specific version of a package to # install. The version should be the exact # match for your distro. # You can also use certain values like 'latest'. # Note that when you specify exact versions you # should also override $server_version since # that defaults to $version. # # $manage_packages:: Should this module install packages or not. # Can also install only server packages with value # of 'server' or only agent packages with 'agent'. # # $port:: Override the port of the master we connect to. # # $listen:: Should the puppet agent listen for connections. # # $listen_to:: An array of servers allowed to initiate a puppet run. # If $listen = true one of three things will happen: # 1) if $listen_to is not empty then this array # will be used. # 2) if $listen_to is empty and $puppetmaster is # defined then only $puppetmaster will be # allowed. # 3) if $puppetmaster is not defined or empty, # $fqdn will be used. # # $pluginsync:: Enable pluginsync. # # $splay:: Switch to enable a random amount of time # to sleep before each run. # # $splaylimit:: The maximum time to delay before runs. # Defaults to being the same as the run interval. # This setting can be a time interval in seconds # (30 or 30s), minutes (30m), hours (6h), days (2d), # or years (5y). # # $runinterval:: Set up the interval (in seconds) to run # the puppet agent. # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $usecacheonfailure:: Switch to enable use of cached catalog on # failure of run. # # $runmode:: Select the mode to setup the puppet agent. # # $cron_cmd:: Specify command to launch when runmode is # set 'cron'. # # $systemd_cmd:: Specify command to launch when runmode is # set 'systemd.timer'. # # $systemd_randomizeddelaysec:: Adds a random delay between 0 and this value # (in seconds) to the timer. Only relevant when # runmode is 'systemd.timer'. # # $show_diff:: Show and report changed files with diff output # # $module_repository:: Use a different puppet module repository # # $configtimeout:: How long the client should wait for the # configuration to be retrieved before # considering it a failure. # # $ca_server:: Use a different ca server. Should be either # a string with the location of the ca_server # or 'false'. # # $ca_port:: Puppet CA port # # $ca_crl_filepath:: Path to CA CRL file, dynamically resolves based on # $::server_ca status. # # $dns_alt_names:: Use additional DNS names when generating a # certificate. Defaults to an empty Array. # # $hiera_config:: The hiera configuration file. # # $syslogfacility:: Facility name to use when logging to syslog # # $use_srv_records:: Whether DNS SRV records will be used to resolve # the Puppet master # # $srv_domain:: Search domain for SRV records # # $additional_settings:: A hash of additional main settings. # # == Advanced puppet parameters # # $user:: Override the name of the puppet user. # # $group:: Override the name of the puppet group. # # $dir:: Override the puppet directory. # # $codedir:: Override the puppet code directory. # # $vardir:: Override the puppet var directory. # # $logdir:: Override the log directory. # # $rundir:: Override the PID directory. # # $ssldir:: Override where SSL certificates are kept. # # $sharedir:: Override the system data directory. # # $package_provider:: The provider used to install the agent. # Defaults to chocolatey on Windows # Defaults to undef elsewhere # # $package_source:: The location of the file to be used by the # agent's package resource. # Defaults to undef. If 'windows' or 'msi' are # used as the provider then this setting is # required. # # $unavailable_runmodes:: Runmodes that are not available for the # current system. This module will not try # to disable these modes. Default is [] # on Linux, ['cron', 'systemd.timer'] on # Windows and ['systemd.timer'] on other # systems. # # $auth_template:: Use a custom template for the auth # configuration. # # $use_srv_records:: Whether DNS SRV records will be used to resolve # the Puppet master # # $srv_domain:: Search domain for SRV records # # $pluginsource:: URL to retrieve Puppet plugins from during pluginsync # # $pluginfactsource:: URL to retrieve Puppet facts from during pluginsync # # $classfile:: The file in which puppet agent stores a list # of the classes associated with the retrieved # configuration. # # == puppet::agent parameters # # $agent:: Should a puppet agent be installed # # $agent_noop:: Run the agent in noop mode. # # $puppetmaster:: Hostname of your puppetmaster (server # directive in puppet.conf) # # $prerun_command:: A command which gets excuted before each Puppet run # # $postrun_command:: A command which gets excuted after each Puppet run # # $environment:: Default environment of the Puppet agent # # $agent_additional_settings:: A hash of additional agent settings. # Example: {stringify_facts => true} # # $client_certname:: The node's certificate name, and the unique # identifier it uses when requesting catalogs. # # $report:: Send reports to the Puppet Master # # == advanced agent parameters # # $service_name:: The name of the puppet agent service. # # $agent_restart_command:: The command which gets excuted on puppet service restart # # $client_package:: Install a custom package to provide # the puppet client # # $systemd_unit_name:: The name of the puppet systemd units. # # $remove_lock:: Remove the agent lock when running. # # $dir_owner:: Owner of the base puppet directory, used when # puppet::server is false. # # $dir_group:: Group of the base puppet directory, used when # puppet::server is false. # # == puppet::server parameters # # $server:: Should a puppet master be installed as well as the client # # $server_ip:: Bind ip address of the puppetmaster # # $server_port:: Puppet master port # # $server_ca:: Provide puppet CA # # $server_ca_crl_sync:: Sync puppet CA crl file to compile masters, Puppet CA Must be the Puppetserver # for the compile masters. Defaults to false. # # $server_crl_enable:: Turn on crl checking. Defaults to true when server_ca is true. Otherwise # Defaults to false. Note unless you are using an external CA. It is recommended # to set this to true. See $server_ca_crl_sync to enable syncing from CA Puppet Master # # $server_reports:: List of report types to include on the puppetmaster # # $server_external_nodes:: External nodes classifier executable # # $server_git_repo:: Use git repository as a source of modules # -# $server_dynamic_environments:: Use $environment in the modulepath -# Deprecated when $server_directory_environments is true, -# set $server_environments to [] instead. -# -# $server_directory_environments:: Enable directory environments, defaulting to true -# with Puppet 3.6.0 or higher -# -# $server_environments:: Environments to setup (creates directories). -# Applies only when $server_dynamic_environments -# is false -# # $server_environments_owner:: The owner of the environments directory # # $server_environments_group:: The group owning the environments directory # # $server_environments_mode:: Environments directory mode. # -# $server_common_modules_path:: Common modules paths (only when -# $server_git_repo_path and $server_dynamic_environments -# are false) +# $server_common_modules_path:: Common modules paths # # $server_git_repo_path:: Git repository path # # $server_git_repo_mode:: Git repository mode # # $server_git_repo_group:: Git repository group # # $server_git_repo_user:: Git repository user # # $server_git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $server_storeconfigs_backend:: Do you use storeconfigs? (note: not required) # false if you don't, "active_record" for 2.X # style db, "puppetdb" for puppetdb # # $server_certname:: The name to use when handling certificates. # # $server_strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $server_additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $server_puppetdb_host:: PuppetDB host # # $server_puppetdb_port:: PuppetDB port # # $server_puppetdb_swf:: PuppetDB soft_write_failure # # === Advanced server parameters: # # $server_manage_user:: Whether to manage the server user resource # # $server_user:: Name of the puppetmaster user. # # $server_group:: Name of the puppetmaster group. # # $server_dir:: Puppet configuration directory # # $server_http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. # # $server_http_port:: Puppet master HTTP port; defaults to 8139. # # $server_config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. # # $server_foreman_facts:: Should foreman receive facts from puppet # # $server_foreman:: Should foreman integration be installed # # $server_foreman_url:: Foreman URL # # $server_foreman_ssl_ca:: SSL CA of the Foreman server # # $server_foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $server_foreman_ssl_key:: Key for authenticating against Foreman server # # $server_puppet_basedir:: Where is the puppet code base located # # $server_enc_api:: What version of enc script to deploy. # # $server_report_api:: What version of report processor to deploy. # # $server_request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $server_environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $server_envs_dir:: Directory that holds puppet environments # # $server_envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $server_ca_proxy:: The actual server that handles puppet CA. # Setting this to anything non-empty causes # the apache vhost to set up a proxy for all # certificates pointing to the value. # # $server_jvm_java_bin:: Set the default java to use. # # $server_jvm_config:: Specify the puppetserver jvm configuration file. # # $server_jvm_min_heap_size:: Specify the minimum jvm heap space. # # $server_jvm_max_heap_size:: Specify the maximum jvm heap space. # # $server_jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $server_jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $server_jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. # default to ['$1'] # # $server_default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $server_default_manifest_path:: A string setting the path to the default_manifest # # $server_default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $server_package:: Custom package name for puppet master # # $server_version:: Custom package version for puppet master # # $server_ssl_dir:: SSL directory # # $server_ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $server_ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $server_puppetserver_vardir:: The path of the puppetserver var dir # # $server_puppetserver_rundir:: The path of the puppetserver run dir # # $server_puppetserver_logdir:: The path of the puppetserver log dir # # $server_puppetserver_dir:: The path of the puppetserver config dir # # $server_puppetserver_version:: The version of puppetserver 2 installed (or being installed) # Unfortunately, different versions of puppetserver need # configuring differently. The default is derived from the # installed puppet version. Generally it's not needed to # override this but when upgrading it might be. # # $server_max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $server_max_requests_per_instance:: Max number of requests a jruby instances will handle. Defaults to 0 (disabled) # # $server_max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a # JRuby from the pool. (Puppetserver 5.x only) # Defaults to 0 (disabled) for Puppetserver >= 5.0 # # $server_max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on # 503 responses returned when max-queued-requests is enabled. (Puppetserver 5.x only) # Defaults to 1800 for Puppetserver >= 5.0 # # $server_idle_timeout:: How long the server will wait for a response on an existing connection # # $server_connect_timeout:: How long the server will wait for a response to a connection attempt # # $server_ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $server_ssl_chain_filepath:: Path to certificate chain for puppetserver # Only used when $ca is true # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $server_cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $server_ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $server_ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $server_admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $server_use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) # # $server_check_for_updates:: Should the puppetserver phone home to check for available updates? # Defaults to true # # $server_post_hook_content:: Which template to use for git post hook # # $server_post_hook_name:: Name of a git hook # # $server_environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the # environment_classes API. # Defaults to false # # $server_allow_header_cert_info:: Enable client authentication over HTTP Headers # Defaults to false, is also activated by the $server_http setting # # $server_web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has # completed. # Defaults to 30000, using the Jetty default of 30s # # $server_puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $server_puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? # Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # $server_metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $server_metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $server_metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $server_metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $server_metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $server_metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $server_metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $server_puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $server_puppetserver_trusted_agents:: Certificate names of puppet agents that are allowed to fetch *all* catalogs # Defaults to [] and all agents are only allowed to fetch their own catalogs. # # $server_compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. # Defaults to undef (off). # # $server_parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # $server_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for unencrypted HTTP traffic. If not provided, the webserver # defaults to the number of virtual cores on the host divided by 8, with a minimum # of 1 and maximum of 4. # # $server_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for unencrypted HTTPS traffic. If not provided, # the webserver defaults to the minimum of: virtual cores on the host divided by 2 # or max-threads divided by 16, with a minimum of 1. # # $server_max_threads:: This sets the maximum number of threads assigned to responding to HTTP and/or # HTTPS requests for a single webserver, effectively changing how many # concurrent requests can be made at one time. If not provided, the # webserver defaults to 200. # # $server_ssl_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for encrypted HTTPS traffic. If not provided, defaults to # the number of virtual cores on the host divided by 8, with a minimum of 1 and maximum of 4. # # $server_ssl_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for encrypted HTTPS traffic. Defaults to the number of # virtual cores on the host divided by 2, with a minimum of 1 and maximum of 4. # The number of selector threads actually used by Jetty is twice the number of selectors # requested. For example, if a value of 3 is specified for the ssl-selector-threads setting, # Jetty will actually use 6 selector threads. # # $server_ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $server_ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # # === Usage: # # * Simple usage: # # include puppet # # * Installing a puppetmaster # # class {'puppet': # server => true, # } # # * Advanced usage: # # class {'puppet': # agent_noop => true, # version => '2.7.20-1', # } # class puppet ( String $version = $puppet::params::version, String $user = $puppet::params::user, String $group = $puppet::params::group, Stdlib::Absolutepath $dir = $puppet::params::dir, Stdlib::Absolutepath $codedir = $puppet::params::codedir, Stdlib::Absolutepath $vardir = $puppet::params::vardir, Stdlib::Absolutepath $logdir = $puppet::params::logdir, Stdlib::Absolutepath $rundir = $puppet::params::rundir, Stdlib::Absolutepath $ssldir = $puppet::params::ssldir, Stdlib::Absolutepath $sharedir = $puppet::params::sharedir, Variant[Boolean, Enum['server', 'agent']] $manage_packages = $puppet::params::manage_packages, Optional[String] $dir_owner = $puppet::params::dir_owner, Optional[String] $dir_group = $puppet::params::dir_group, Optional[String] $package_provider = $puppet::params::package_provider, Optional[Variant[Stdlib::Absolutepath, Stdlib::HTTPUrl]] $package_source = $puppet::params::package_source, Integer[0, 65535] $port = $puppet::params::port, Boolean $listen = $puppet::params::listen, Array[String] $listen_to = $puppet::params::listen_to, Boolean $pluginsync = $puppet::params::pluginsync, Boolean $splay = $puppet::params::splay, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $splaylimit = $puppet::params::splaylimit, Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::params::autosign, Array[String] $autosign_entries = $puppet::params::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $puppet::params::autosign_mode, Optional[String] $autosign_content = $puppet::params::autosign_content, Optional[String] $autosign_source = $puppet::params::autosign_source, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $runinterval = $puppet::params::runinterval, Boolean $usecacheonfailure = $puppet::params::usecacheonfailure, Enum['cron', 'service', 'systemd.timer', 'none'] $runmode = $puppet::params::runmode, Array[Enum['cron', 'service', 'systemd.timer', 'none']] $unavailable_runmodes = $puppet::params::unavailable_runmodes, Optional[String] $cron_cmd = $puppet::params::cron_cmd, Optional[String] $systemd_cmd = $puppet::params::systemd_cmd, Integer[0] $systemd_randomizeddelaysec = $puppet::params::systemd_randomizeddelaysec, Boolean $agent_noop = $puppet::params::agent_noop, Boolean $show_diff = $puppet::params::show_diff, Optional[Stdlib::HTTPUrl] $module_repository = $puppet::params::module_repository, Optional[Integer[0]] $configtimeout = $puppet::params::configtimeout, Optional[Variant[String, Boolean]] $ca_server = $puppet::params::ca_server, Optional[Integer[0, 65535]] $ca_port = $puppet::params::ca_port, Optional[String] $ca_crl_filepath = $puppet::params::ca_crl_filepath, Optional[String] $prerun_command = $puppet::params::prerun_command, Optional[String] $postrun_command = $puppet::params::postrun_command, Array[String] $dns_alt_names = $puppet::params::dns_alt_names, Boolean $use_srv_records = $puppet::params::use_srv_records, Optional[String] $srv_domain = $puppet::params::srv_domain, String $pluginsource = $puppet::params::pluginsource, String $pluginfactsource = $puppet::params::pluginfactsource, Hash[String, Data] $additional_settings = $puppet::params::additional_settings, Hash[String, Data] $agent_additional_settings = $puppet::params::agent_additional_settings, Optional[String] $agent_restart_command = $puppet::params::agent_restart_command, String $classfile = $puppet::params::classfile, String $hiera_config = $puppet::params::hiera_config, String $auth_template = $puppet::params::auth_template, Boolean $allow_any_crl_auth = $puppet::params::allow_any_crl_auth, Array[String] $auth_allowed = $puppet::params::auth_allowed, Variant[String, Array[String]] $client_package = $puppet::params::client_package, Boolean $agent = $puppet::params::agent, Boolean $remove_lock = $puppet::params::remove_lock, Boolean $report = $puppet::params::report, Variant[String, Boolean] $client_certname = $puppet::params::client_certname, Optional[String] $puppetmaster = $puppet::params::puppetmaster, String $systemd_unit_name = $puppet::params::systemd_unit_name, String $service_name = $puppet::params::service_name, Optional[String] $syslogfacility = $puppet::params::syslogfacility, String $environment = $puppet::params::environment, Boolean $server = $puppet::params::server, Array[String] $server_admin_api_whitelist = $puppet::params::server_admin_api_whitelist, Boolean $server_manage_user = $puppet::params::manage_user, String $server_user = $puppet::params::user, String $server_group = $puppet::params::group, String $server_dir = $puppet::params::dir, String $server_ip = $puppet::params::ip, Integer $server_port = $puppet::params::port, Boolean $server_ca = $puppet::params::server_ca, Boolean $server_ca_crl_sync = $puppet::params::server_ca_crl_sync, Optional[Boolean] $server_crl_enable = $puppet::params::server_crl_enable, Boolean $server_ca_auth_required = $puppet::params::server_ca_auth_required, Array[String] $server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $server_custom_trusted_oid_mapping = $puppet::params::server_custom_trusted_oid_mapping, Boolean $server_http = $puppet::params::server_http, Integer $server_http_port = $puppet::params::server_http_port, String $server_reports = $puppet::params::server_reports, Optional[Stdlib::Absolutepath] $server_puppetserver_dir = $puppet::params::server_puppetserver_dir, Optional[Stdlib::Absolutepath] $server_puppetserver_vardir = $puppet::params::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $server_puppetserver_rundir = $puppet::params::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $server_puppetserver_logdir = $puppet::params::server_puppetserver_logdir, Pattern[/^[\d]\.[\d]+\.[\d]+$/] $server_puppetserver_version = $puppet::params::server_puppetserver_version, Variant[Undef, String[0], Stdlib::Absolutepath] $server_external_nodes = $puppet::params::server_external_nodes, Array[String] $server_cipher_suites = $puppet::params::server_cipher_suites, Optional[String] $server_config_version = $puppet::params::server_config_version, Integer[0] $server_connect_timeout = $puppet::params::server_connect_timeout, Boolean $server_git_repo = $puppet::params::server_git_repo, - Boolean $server_dynamic_environments = $puppet::params::server_dynamic_environments, - Boolean $server_directory_environments = $puppet::params::server_directory_environments, Boolean $server_default_manifest = $puppet::params::server_default_manifest, Stdlib::Absolutepath $server_default_manifest_path = $puppet::params::server_default_manifest_path, String $server_default_manifest_content = $puppet::params::server_default_manifest_content, - Array[String] $server_environments = $puppet::params::server_environments, String $server_environments_owner = $puppet::params::server_environments_owner, Optional[String] $server_environments_group = $puppet::params::server_environments_group, Pattern[/^[0-9]{3,4}$/] $server_environments_mode = $puppet::params::server_environments_mode, Stdlib::Absolutepath $server_envs_dir = $puppet::params::server_envs_dir, Optional[Stdlib::Absolutepath] $server_envs_target = $puppet::params::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $server_common_modules_path = $puppet::params::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $server_git_repo_mode = $puppet::params::server_git_repo_mode, Stdlib::Absolutepath $server_git_repo_path = $puppet::params::server_git_repo_path, String $server_git_repo_group = $puppet::params::server_git_repo_group, String $server_git_repo_user = $puppet::params::server_git_repo_user, Hash[String, String] $server_git_branch_map = $puppet::params::server_git_branch_map, Integer[0] $server_idle_timeout = $puppet::params::server_idle_timeout, String $server_post_hook_content = $puppet::params::server_post_hook_content, String $server_post_hook_name = $puppet::params::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $server_storeconfigs_backend = $puppet::params::server_storeconfigs_backend, Array[Stdlib::Absolutepath] $server_ruby_load_paths = $puppet::params::server_ruby_load_paths, Stdlib::Absolutepath $server_ssl_dir = $puppet::params::server_ssl_dir, Boolean $server_ssl_dir_manage = $puppet::params::server_ssl_dir_manage, Boolean $server_ssl_key_manage = $puppet::params::server_ssl_key_manage, Array[String] $server_ssl_protocols = $puppet::params::server_ssl_protocols, Optional[Stdlib::Absolutepath] $server_ssl_chain_filepath = $puppet::params::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $server_package = $puppet::params::server_package, Optional[String] $server_version = $puppet::params::server_version, String $server_certname = $puppet::params::server_certname, Enum['v2'] $server_enc_api = $puppet::params::server_enc_api, Enum['v2'] $server_report_api = $puppet::params::server_report_api, Integer[0] $server_request_timeout = $puppet::params::server_request_timeout, Optional[String] $server_ca_proxy = $puppet::params::server_ca_proxy, Boolean $server_strict_variables = $puppet::params::server_strict_variables, Hash[String, Data] $server_additional_settings = $puppet::params::server_additional_settings, Boolean $server_foreman = $puppet::params::server_foreman, Stdlib::HTTPUrl $server_foreman_url = $puppet::params::server_foreman_url, Optional[Stdlib::Absolutepath] $server_foreman_ssl_ca = $puppet::params::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $server_foreman_ssl_cert = $puppet::params::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $server_foreman_ssl_key = $puppet::params::server_foreman_ssl_key, Boolean $server_foreman_facts = $puppet::params::server_foreman_facts, Optional[Stdlib::Absolutepath] $server_puppet_basedir = $puppet::params::server_puppet_basedir, Optional[String] $server_puppetdb_host = $puppet::params::server_puppetdb_host, Integer[0, 65535] $server_puppetdb_port = $puppet::params::server_puppetdb_port, Boolean $server_puppetdb_swf = $puppet::params::server_puppetdb_swf, Enum['current', 'future'] $server_parser = $puppet::params::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $server_environment_timeout = $puppet::params::server_environment_timeout, String $server_jvm_java_bin = $puppet::params::server_jvm_java_bin, String $server_jvm_config = $puppet::params::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $server_jvm_min_heap_size = $puppet::params::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $server_jvm_max_heap_size = $puppet::params::server_jvm_max_heap_size, Variant[String,Array[String]] $server_jvm_extra_args = $puppet::params::server_jvm_extra_args, Optional[String] $server_jvm_cli_args = $puppet::params::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $server_jruby_gem_home = $puppet::params::server_jruby_gem_home, Integer[1] $server_max_active_instances = $puppet::params::server_max_active_instances, Integer[0] $server_max_requests_per_instance = $puppet::params::server_max_requests_per_instance, Integer[0] $server_max_queued_requests = $puppet::params::server_max_queued_requests, Integer[0] $server_max_retry_delay = $puppet::params::server_max_retry_delay, Boolean $server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf, Boolean $server_check_for_updates = $puppet::params::server_check_for_updates, Boolean $server_environment_class_cache_enabled = $puppet::params::server_environment_class_cache_enabled, Boolean $server_allow_header_cert_info = $puppet::params::server_allow_header_cert_info, Integer[0] $server_web_idle_timeout = $puppet::params::server_web_idle_timeout, Boolean $server_puppetserver_jruby9k = $puppet::params::server_puppetserver_jruby9k, Boolean $server_puppetserver_metrics = $puppet::params::server_puppetserver_metrics, Boolean $server_metrics_jmx_enable = $::puppet::params::server_metrics_jmx_enable, Boolean $server_metrics_graphite_enable = $::puppet::params::server_metrics_graphite_enable, String $server_metrics_graphite_host = $::puppet::params::server_metrics_graphite_host, Integer $server_metrics_graphite_port = $::puppet::params::server_metrics_graphite_port, String $server_metrics_server_id = $::puppet::params::server_metrics_server_id, Integer $server_metrics_graphite_interval = $::puppet::params::server_metrics_graphite_interval, Optional[Array] $server_metrics_allowed = $::puppet::params::server_metrics_allowed, Boolean $server_puppetserver_experimental = $puppet::params::server_puppetserver_experimental, Array[String] $server_puppetserver_trusted_agents = $puppet::params::server_puppetserver_trusted_agents, Optional[Enum['off', 'jit', 'force']] $server_compile_mode = $puppet::params::server_compile_mode, Optional[Integer[1]] $server_acceptor_threads = undef, Optional[Integer[1]] $server_selector_threads = undef, Optional[Integer[1]] $server_ssl_acceptor_threads = undef, Optional[Integer[1]] $server_ssl_selector_threads = undef, Optional[Integer[1]] $server_max_threads = undef, Boolean $server_ca_allow_sans = $puppet::params::server_ca_allow_sans, Boolean $server_ca_allow_auth_extensions = $puppet::params::server_ca_allow_auth_extensions, ) inherits puppet::params { contain puppet::config if $agent == true { contain puppet::agent } if $server == true { contain puppet::server } # Ensure the server is running before the agent needs it, and that # certificates are generated in the server config (if enabled) if $server == true and $agent == true { Class['puppet::server'] -> Class['puppet::agent::service'] } } diff --git a/manifests/params.pp b/manifests/params.pp index 94213ab..0491a50 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,467 +1,460 @@ # Default parameters class puppet::params { # Basic config $version = 'present' $manage_user = true $user = 'puppet' $group = 'puppet' $ip = '0.0.0.0' $port = 8140 $listen = false $listen_to = [] $pluginsync = true $splay = false $splaylimit = 1800 $runinterval = 1800 $runmode = 'service' $report = true # Not defined here as the commands depend on module parameter "dir" $cron_cmd = undef $systemd_cmd = undef $agent_noop = false $show_diff = false $module_repository = undef $hiera_config = '$confdir/hiera.yaml' $usecacheonfailure = true $ca_server = undef $ca_port = undef $ca_crl_filepath = undef $server_crl_enable = undef $prerun_command = undef $postrun_command = undef $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false if defined('$::domain') { $srv_domain = $::domain } else { $srv_domain = undef } # lint:ignore:puppet_url_without_modules $pluginsource = 'puppet:///plugins' $pluginfactsource = 'puppet:///pluginfacts' # lint:endignore $classfile = '$statedir/classes.txt' $syslogfacility = undef $environment = $::environment $aio_package = ($::osfamily == 'Windows' or $::rubysitedir =~ /\/opt\/puppetlabs\/puppet/) $deb_naio_package = ($::osfamily == 'Debian') $systemd_randomizeddelaysec = 0 case $::osfamily { 'Windows' : { # Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end $dir_prefix = 'C:/ProgramData/PuppetLabs/puppet' $dir = "${dir_prefix}/etc" $codedir = "${dir_prefix}/etc" $logdir = "${dir_prefix}/var/log" $rundir = "${dir_prefix}/var/run" $ssldir = "${dir_prefix}/etc/ssl" $vardir = "${dir_prefix}/var" $sharedir = "${dir_prefix}/share" $bindir = "${dir_prefix}/bin" $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } /^(FreeBSD|DragonFly)$/ : { $dir = '/usr/local/etc/puppet' $codedir = '/usr/local/etc/puppet' $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/puppet/ssl' $vardir = '/var/puppet' $sharedir = '/usr/local/share/puppet' $bindir = '/usr/local/bin' $root_group = undef $server_puppetserver_dir = '/usr/local/etc/puppetserver' $server_puppetserver_vardir = '/var/puppet/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetserver' $server_puppetserver_logdir = '/var/log/puppetserver' $ruby_gem_dir = regsubst($::rubyversion, '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$::rubysitedir, "${ruby_gem_dir}/facter-${::facterversion}/lib"] $server_jruby_gem_home = '/var/puppet/server/data/puppetserver/jruby-gems' } 'Archlinux' : { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/usr/bin' $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } default : { if $aio_package { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/opt/puppetlabs/bin' $server_puppetserver_dir = '/etc/puppetlabs/puppetserver' $server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetlabs/puppetserver' $server_puppetserver_logdir = '/var/log/puppetlabs/puppetserver' $server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby'] $server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems' } else { $dir = '/etc/puppet' $codedir = $deb_naio_package ? { true => '/etc/puppet/code', false => '/etc/puppet', } $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/lib/puppet/ssl' $vardir = '/var/lib/puppet' $sharedir = '/usr/share/puppet' $bindir = '/usr/bin' $server_puppetserver_dir = '/etc/puppetserver' $server_puppetserver_vardir = $vardir $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = '/var/lib/puppet/jruby-gems' } $root_group = undef } } $configtimeout = undef $autosign = "${dir}/autosign.conf" $autosign_entries = [] $autosign_mode = '0664' $autosign_content = undef $autosign_source = undef $puppet_cmd = "${bindir}/puppet" $puppetserver_cmd = "${bindir}/puppetserver" $manage_packages = true if $::osfamily == 'Windows' { $dir_owner = undef $dir_group = undef } elsif $aio_package or $::osfamily == 'Suse' { $dir_owner = 'root' $dir_group = $root_group } else { $dir_owner = $user $dir_group = $group } $package_provider = $::osfamily ? { 'windows' => 'chocolatey', default => undef, } $package_source = undef # Need your own config templates? Specify here: $auth_template = 'puppet/auth.conf.erb' # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false # Authenticated nodes to allow $auth_allowed = ['$1'] # Will this host be a puppet agent ? $agent = true $remove_lock = true $client_certname = $::clientcert if defined('$::puppetmaster') { $puppetmaster = $::puppetmaster } else { $puppetmaster = undef } # Hashes containing additional settings $additional_settings = {} $agent_additional_settings = {} $server_additional_settings = {} # Will this host be a puppetmaster? $server = false $server_ca = true $server_ca_crl_sync = false $server_reports = 'foreman' $server_external_nodes = "${dir}/node.rb" $server_enc_api = 'v2' $server_report_api = 'v2' $server_request_timeout = 60 $server_ca_proxy = undef $server_certname = $::clientcert $server_strict_variables = false $server_http = false $server_http_port = 8139 # Need a new master template for the server? $server_template = 'puppet/server/puppet.conf.erb' # Template for server settings in [main] $server_main_template = 'puppet/server/puppet.conf.main.erb' # The script that is run to determine the reported manifest version. Undef # means we determine it in server.pp $server_config_version = undef # Set 'false' for static environments, or 'true' for git-based workflow $server_git_repo = false # Git branch to puppet env mapping for the post receive hook $server_git_branch_map = {} - # Static environments config, ignore if the git_repo or dynamic_environments is 'true' - # What environments do we have - $server_environments = ['development', 'production'] - # Dynamic environments config (deprecated when directory_environments is true) - $server_dynamic_environments = false - # Directory environments config - $server_directory_environments = true # Owner of the environments dir: for cases external service needs write # access to manage it. $server_environments_owner = $user $server_environments_group = $root_group $server_environments_mode = '0755' # Where we store our puppet environments $server_envs_dir = "${codedir}/environments" $server_envs_target = undef # Modules in this directory would be shared across all environments $server_common_modules_path = unique(["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules']) # Dynamic environments config, ignore if the git_repo is 'false' # Path to the repository $server_git_repo_path = "${vardir}/puppet.git" # mode of the repository $server_git_repo_mode = '0755' # user of the repository $server_git_repo_user = $user # group of the repository $server_git_repo_group = $user # Override these if you need your own hooks $server_post_hook_content = 'puppet/server/post-receive.erb' $server_post_hook_name = 'post-receive' $server_custom_trusted_oid_mapping = undef # PuppetDB config $server_puppetdb_host = undef $server_puppetdb_port = 8081 $server_puppetdb_swf = false # Do you use storeconfigs? (note: not required) # - undef if you don't # - active_record for 2.X style db # - puppetdb for puppetdb $server_storeconfigs_backend = undef $server_ssl_dir = $ssldir $server_package = undef $server_version = undef if $aio_package { $client_package = ['puppet-agent'] } elsif $::osfamily == 'Debian' { $client_package = $deb_naio_package ? { true => ['puppet'], default => ['puppet-common', 'puppet'] } } elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) { if (versioncmp($::puppetversion, '5.0') > 0) { $client_package = ['puppet5'] } else { $client_package = ['puppet4'] } } else { $client_package = ['puppet'] } # Puppet service name $service_name = 'puppet' # Puppet onedshot systemd service and timer name $systemd_unit_name = 'puppet-run' # Mechanisms to manage and reload/restart the agent # If supported on the OS, reloading is prefered since it does not kill a currently active puppet run case $::osfamily { 'Debian' : { $agent_restart_command = "/usr/sbin/service ${service_name} reload" if ($::operatingsystem == 'Debian' or $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '15.04') >= 0) { $unavailable_runmodes = [] } else { $unavailable_runmodes = ['systemd.timer'] } } 'Redhat' : { # PSBM is a CentOS 6 based distribution # it reports its $osreleasemajor as 2, not 6. # thats why we're matching for '2' in both parts # Amazon Linux is like RHEL6 but reports its osreleasemajor as 2017. $osreleasemajor = regsubst($::operatingsystemrelease, '^(\d+)\..*$', '\1') # workaround for the possibly missing operatingsystemmajrelease $agent_restart_command = $osreleasemajor ? { /^(2|5|6|2017)$/ => "/sbin/service ${service_name} reload", '7' => "/usr/bin/systemctl reload-or-restart ${service_name}", default => undef, } $unavailable_runmodes = $osreleasemajor ? { /^(2|5|6|2017)$/ => ['systemd.timer'], default => [], } } 'Windows': { $agent_restart_command = undef $unavailable_runmodes = ['cron', 'systemd.timer'] } 'Archlinux': { $agent_restart_command = "/usr/bin/systemctl reload-or-restart ${service_name}" $unavailable_runmodes = ['cron'] } default : { $agent_restart_command = undef $unavailable_runmodes = ['systemd.timer'] } } # Foreman parameters $lower_fqdn = downcase($::fqdn) $server_foreman = true $server_foreman_facts = true $server_puppet_basedir = $aio_package ? { true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet', false => undef, } $server_foreman_url = "https://${lower_fqdn}" $server_foreman_ssl_ca = undef $server_foreman_ssl_cert = undef $server_foreman_ssl_key = undef # Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser $server_parser = 'current' # Timeout for cached environments, changed in puppet 3.7.x $server_environment_timeout = undef # puppet server configuration file $server_jvm_config = $::osfamily ? { 'RedHat' => '/etc/sysconfig/puppetserver', 'Debian' => '/etc/default/puppetserver', default => '/etc/default/puppetserver', } $server_jvm_java_bin = '/usr/bin/java' if versioncmp($::puppetversion, '5.0.0') < 0 { $server_jvm_extra_args = '-XX:MaxPermSize=256m' } else { $server_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } $server_jvm_cli_args = undef # This is some very trivial "tuning". See the puppet reference: # https://docs.puppet.com/puppetserver/latest/tuning_guide.html if ($::memorysize_mb =~ String) { $mem_in_mb = scanf($::memorysize_mb, '%i')[0] } else { $mem_in_mb = 0 + $::memorysize_mb } if $mem_in_mb >= 3072 { $server_jvm_min_heap_size = '2G' $server_jvm_max_heap_size = '2G' $server_max_active_instances = min(abs($::processorcount), 4) } elsif $mem_in_mb >= 1024 { $server_max_active_instances = 1 $server_jvm_min_heap_size = '1G' $server_jvm_max_heap_size = '1G' } else { # VMs with 1GB RAM and a crash kernel enabled usually have an effective 992MB RAM $server_max_active_instances = 1 $server_jvm_min_heap_size = '768m' $server_jvm_max_heap_size = '768m' } $server_ssl_dir_manage = true $server_ssl_key_manage = true $server_default_manifest = false $server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp' $server_default_manifest_content = '' # lint:ignore:empty_string_assignment $server_max_requests_per_instance = 0 $server_max_queued_requests = 0 $server_max_retry_delay = 1800 $server_idle_timeout = 1200000 $server_web_idle_timeout = 30000 $server_connect_timeout = 120000 $server_ca_auth_required = true $server_admin_api_whitelist = [ 'localhost', $lower_fqdn ] $server_ca_client_whitelist = [ 'localhost', $lower_fqdn ] $server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA' ] $server_ssl_protocols = [ 'TLSv1.2' ] $server_ssl_chain_filepath = "${server_ssl_dir}/ca/ca_crt.pem" $server_check_for_updates = true $server_environment_class_cache_enabled = false $server_allow_header_cert_info = false $server_ca_allow_sans = false $server_ca_allow_auth_extensions = false # Puppetserver >= 2.2 Which auth.conf shall we use? $server_use_legacy_auth_conf = false # For Puppetserver, certain configuration parameters are version specific. We assume a particular version here. if versioncmp($::puppetversion, '5.5.7') >= 0 { $server_puppetserver_version = '5.3.6' } elsif versioncmp($::puppetversion, '5.5.0') >= 0 { $server_puppetserver_version = '5.3.0' } elsif versioncmp($::puppetversion, '5.1.0') >= 0 { $server_puppetserver_version = '5.1.0' } elsif versioncmp($::puppetversion, '5.0.0') >= 0 { $server_puppetserver_version = '5.0.0' } else { $server_puppetserver_version = '2.7.0' } # For Puppetserver 5, use JRuby 9k? $server_puppetserver_jruby9k = false # this switch also controls Ruby profiling, by default disabled for Puppetserver 2.x, enabled for 5.x $server_puppetserver_metrics = versioncmp($::puppetversion, '5.0.0') >= 0 # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false $server_metrics_graphite_host = '127.0.0.1' $server_metrics_graphite_port = 2003 $server_metrics_server_id = $lower_fqdn $server_metrics_graphite_interval = 5 $server_metrics_allowed = undef # For Puppetserver 5, should the /puppet/experimental route be enabled? $server_puppetserver_experimental = true # Normally agents can only fetch their own catalogs. If you want some nodes to be able to fetch *any* catalog, add them here. $server_puppetserver_trusted_agents = [] } diff --git a/manifests/server.pp b/manifests/server.pp index 97977be..7d46efb 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,451 +1,435 @@ # == Class: puppet::server # # Sets up a puppet master. # # == puppet::server parameters # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $hiera_config:: The hiera configuration file. # # $manage_user:: Whether to manage the puppet user resource # # $user:: Name of the puppetmaster user. # # $group:: Name of the puppetmaster group. # # $dir:: Puppet configuration directory # # $ip:: Bind ip address of the puppetmaster # # $port:: Puppet master port # # $ca:: Provide puppet CA # # $ca_crl_filepath:: Path to ca_crl file # # $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to # be agents of the CA master (MOM) defaults to false # # $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults # to false # # $http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. # # $http_port:: Puppet master HTTP port; defaults to 8139. # # $reports:: List of report types to include on the puppetmaster # # $external_nodes:: External nodes classifier executable # # $git_repo:: Use git repository as a source of modules # -# $dynamic_environments:: Use $environment in the modulepath -# Deprecated when $directory_environments is true, -# set $environments to [] instead. -# -# $directory_environments:: Enable directory environments, defaulting to true -# with Puppet 3.6.0 or higher -# -# $environments:: Environments to setup (creates directories). -# Applies only when $dynamic_environments -# is false -# # $environments_owner:: The owner of the environments directory # # $environments_group:: The group owning the environments directory # # $environments_mode:: Environments directory mode. # # $envs_dir:: Directory that holds puppet environments # # $envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # -# $common_modules_path:: Common modules paths (only when -# $git_repo_path and $dynamic_environments -# are false) +# $common_modules_path:: Common modules paths # # $git_repo_path:: Git repository path # # $git_repo_mode:: Git repository mode # # $git_repo_group:: Git repository group # # $git_repo_user:: Git repository user # # $git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $post_hook_content:: Which template to use for git post hook # # $post_hook_name:: Name of a git hook # # $storeconfigs_backend:: Do you use storeconfigs? (note: not required) # false if you don't, "active_record" for 2.X # style db, "puppetdb" for puppetdb # # $ssl_dir:: SSL directory # # $package:: Custom package name for puppet master # # $version:: Custom package version for puppet master # # $certname:: The name to use when handling certificates. # # $strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $puppetdb_host:: PuppetDB host # # $puppetdb_port:: PuppetDB port # # $puppetdb_swf:: PuppetDB soft_write_failure # # $parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # === Advanced server parameters: # # $config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. # # $server_foreman_facts:: Should foreman receive facts from puppet # # $foreman:: Should foreman integration be installed # # $foreman_url:: Foreman URL # # $foreman_ssl_ca:: SSL CA of the Foreman server # # $foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $foreman_ssl_key:: Key for authenticating against Foreman server # # $puppet_basedir:: Where is the puppet code base located # # $enc_api:: What version of enc script to deploy. Valid # values are 'v2' for latest, and 'v1' # for Foreman =< 1.2 # # $report_api:: What version of report processor to deploy. # Valid values are 'v2' for latest, and 'v1' # for Foreman =< 1.2 # # $request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $ca_proxy:: The actual server that handles puppet CA. # Setting this to anything non-empty causes # the apache vhost to set up a proxy for all # certificates pointing to the value. # # $jvm_java_bin:: Set the default java to use. # # $jvm_config:: Specify the puppetserver jvm configuration file. # # $jvm_min_heap_size:: Specify the minimum jvm heap space. # # $jvm_max_heap_size:: Specify the maximum jvm heap space. # # $jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. # default to ['$1'] # # $default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $default_manifest_path:: A string setting the path to the default_manifest # # $default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $puppetserver_vardir:: The path of the puppetserver var dir # # $puppetserver_dir:: The path of the puppetserver config dir # # $puppetserver_version:: The version of puppetserver 2 installed (or being installed) # Unfortunately, different versions of puppetserver need configuring differently, # and there's no easy way of determining which version is being installed. # Defaults to '2.3.1' but can be overriden if you're installing an older version. # # $max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled) # # $idle_timeout:: How long the server will wait for a response on an existing connection # # $connect_timeout:: How long the server will wait for a response to a connection attempt # # $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed. # Defaults to the Jetty default of 30s # # $ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $ssl_chain_filepath:: Path to certificate chain for puppetserver # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) # # $allow_header_cert_info:: Allow client authentication over HTTP Headers # Defaults to false, is also activated by the $http setting # # $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? # Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # # $metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $puppetserver_trusted_agents:: Certificate names of agents that are allowed to fetch *all* catalogs. Defaults to empty array # # # $ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # Defaults to false # class puppet::server( Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign, Array[String] $autosign_entries = $::puppet::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $::puppet::autosign_mode, Optional[String] $autosign_content = $::puppet::autosign_content, Optional[String] $autosign_source = $::puppet::autosign_source, String $hiera_config = $::puppet::hiera_config, Array[String] $admin_api_whitelist = $::puppet::server_admin_api_whitelist, Boolean $manage_user = $::puppet::server_manage_user, String $user = $::puppet::server_user, String $group = $::puppet::server_group, String $dir = $::puppet::server_dir, Stdlib::Absolutepath $codedir = $::puppet::codedir, Integer $port = $::puppet::server_port, String $ip = $::puppet::server_ip, Boolean $ca = $::puppet::server_ca, Optional[String] $ca_crl_filepath = $::puppet::ca_crl_filepath, Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync, Optional[Boolean] $crl_enable = $::puppet::server_crl_enable, Boolean $ca_auth_required = $::puppet::server_ca_auth_required, Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $::puppet::server_custom_trusted_oid_mapping, Boolean $http = $::puppet::server_http, Integer $http_port = $::puppet::server_http_port, String $reports = $::puppet::server_reports, Stdlib::Absolutepath $puppetserver_vardir = $::puppet::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $puppetserver_rundir = $::puppet::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $puppetserver_logdir = $::puppet::server_puppetserver_logdir, Stdlib::Absolutepath $puppetserver_dir = $::puppet::server_puppetserver_dir, Pattern[/^[\d]\.[\d]+\.[\d]+$/] $puppetserver_version = $::puppet::server_puppetserver_version, Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $::puppet::server_external_nodes, Array[String] $cipher_suites = $::puppet::server_cipher_suites, Optional[String] $config_version = $::puppet::server_config_version, Integer[0] $connect_timeout = $::puppet::server_connect_timeout, Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout, Boolean $git_repo = $::puppet::server_git_repo, - Boolean $dynamic_environments = $::puppet::server_dynamic_environments, - Boolean $directory_environments = $::puppet::server_directory_environments, Boolean $default_manifest = $::puppet::server_default_manifest, Stdlib::Absolutepath $default_manifest_path = $::puppet::server_default_manifest_path, String $default_manifest_content = $::puppet::server_default_manifest_content, - Array[String] $environments = $::puppet::server_environments, String $environments_owner = $::puppet::server_environments_owner, Optional[String] $environments_group = $::puppet::server_environments_group, Pattern[/^[0-9]{3,4}$/] $environments_mode = $::puppet::server_environments_mode, Stdlib::Absolutepath $envs_dir = $::puppet::server_envs_dir, Optional[Stdlib::Absolutepath] $envs_target = $::puppet::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $::puppet::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $::puppet::server_git_repo_mode, Stdlib::Absolutepath $git_repo_path = $::puppet::server_git_repo_path, String $git_repo_group = $::puppet::server_git_repo_group, String $git_repo_user = $::puppet::server_git_repo_user, Hash[String, String] $git_branch_map = $::puppet::server_git_branch_map, Integer[0] $idle_timeout = $::puppet::server_idle_timeout, String $post_hook_content = $::puppet::server_post_hook_content, String $post_hook_name = $::puppet::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $storeconfigs_backend = $::puppet::server_storeconfigs_backend, Array[Stdlib::Absolutepath] $ruby_load_paths = $::puppet::server_ruby_load_paths, Stdlib::Absolutepath $ssl_dir = $::puppet::server_ssl_dir, Boolean $ssl_dir_manage = $::puppet::server_ssl_dir_manage, Boolean $ssl_key_manage = $::puppet::server_ssl_key_manage, Array[String] $ssl_protocols = $::puppet::server_ssl_protocols, Optional[Stdlib::Absolutepath] $ssl_chain_filepath = $::puppet::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $package = $::puppet::server_package, Optional[String] $version = $::puppet::server_version, String $certname = $::puppet::server_certname, Enum['v2', 'v1'] $enc_api = $::puppet::server_enc_api, Enum['v2', 'v1'] $report_api = $::puppet::server_report_api, Integer[0] $request_timeout = $::puppet::server_request_timeout, Optional[String] $ca_proxy = $::puppet::server_ca_proxy, Boolean $strict_variables = $::puppet::server_strict_variables, Hash[String, Data] $additional_settings = $::puppet::server_additional_settings, Boolean $foreman = $::puppet::server_foreman, Stdlib::HTTPUrl $foreman_url = $::puppet::server_foreman_url, Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $::puppet::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $foreman_ssl_key = $::puppet::server_foreman_ssl_key, Boolean $server_foreman_facts = $::puppet::server_foreman_facts, Optional[Stdlib::Absolutepath] $puppet_basedir = $::puppet::server_puppet_basedir, Optional[String] $puppetdb_host = $::puppet::server_puppetdb_host, Integer[0, 65535] $puppetdb_port = $::puppet::server_puppetdb_port, Boolean $puppetdb_swf = $::puppet::server_puppetdb_swf, Enum['current', 'future'] $parser = $::puppet::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $::puppet::server_environment_timeout, String $jvm_java_bin = $::puppet::server_jvm_java_bin, String $jvm_config = $::puppet::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $::puppet::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $::puppet::server_jvm_max_heap_size, Variant[String,Array[String]] $jvm_extra_args = $::puppet::server_jvm_extra_args, Optional[String] $jvm_cli_args = $::puppet::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $jruby_gem_home = $::puppet::server_jruby_gem_home, Integer[1] $max_active_instances = $::puppet::server_max_active_instances, Integer[0] $max_requests_per_instance = $::puppet::server_max_requests_per_instance, Integer[0] $max_queued_requests = $puppet::server_max_queued_requests, Integer[0] $max_retry_delay = $puppet::server_max_retry_delay, Boolean $use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $::puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $::puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $::puppet::server_allow_header_cert_info, Boolean $puppetserver_jruby9k = $::puppet::server_puppetserver_jruby9k, Boolean $puppetserver_metrics = $::puppet::server_puppetserver_metrics, Boolean $metrics_jmx_enable = $::puppet::server_metrics_jmx_enable, Boolean $metrics_graphite_enable = $::puppet::server_metrics_graphite_enable, String $metrics_graphite_host = $::puppet::server_metrics_graphite_host, Integer $metrics_graphite_port = $::puppet::server_metrics_graphite_port, String $metrics_server_id = $::puppet::server_metrics_server_id, Integer $metrics_graphite_interval = $::puppet::server_metrics_graphite_interval, Variant[Undef, Array] $metrics_allowed = $::puppet::server_metrics_allowed, Boolean $puppetserver_experimental = $::puppet::server_puppetserver_experimental, Array[String] $puppetserver_trusted_agents = $::puppet::server_puppetserver_trusted_agents, Optional[Enum['off', 'jit', 'force']] $compile_mode = $::puppet::server_compile_mode, Optional[Integer[1]] $selector_threads = $::puppet::server_selector_threads, Optional[Integer[1]] $acceptor_threads = $::puppet::server_acceptor_threads, Optional[Integer[1]] $ssl_selector_threads = $::puppet::server_ssl_selector_threads, Optional[Integer[1]] $ssl_acceptor_threads = $::puppet::server_ssl_acceptor_threads, Optional[Integer[1]] $max_threads = $::puppet::server_max_threads, Boolean $ca_allow_sans = $::puppet::server_ca_allow_sans, Boolean $ca_allow_auth_extensions = $::puppet::server_ca_allow_auth_extensions, ) { if $ca { $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" $ssl_chain = $ssl_chain_filepath $crl_enable_real = pick($crl_enable, true) } else { $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") $ssl_chain = false $crl_enable_real = pick($crl_enable, false) } $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" if $config_version == undef { if $git_repo { $config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long" } else { $config_version_cmd = undef } } else { $config_version_cmd = $config_version } contain puppet::server::install contain puppet::server::config contain puppet::server::service Class['puppet::server::install'] ~> Class['puppet::server::config'] Class['puppet::config', 'puppet::server::config'] ~> Class['puppet::server::service'] } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 640cc66..4974022 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -1,323 +1,303 @@ # Set up the puppet server config class puppet::server::config inherits puppet::config { contain 'puppet::server::puppetserver' unless empty($::puppet::server::puppetserver_vardir) { puppet::config::master { 'vardir': value => $::puppet::server::puppetserver_vardir; } } unless empty($::puppet::server::puppetserver_rundir) { puppet::config::master { 'rundir': value => $::puppet::server::puppetserver_rundir; } } unless empty($::puppet::server::puppetserver_logdir) { puppet::config::master { 'logdir': value => $::puppet::server::puppetserver_logdir; } } # Mirror the relationship, as defined() is parse-order dependent # Ensures puppetmasters certs are generated before the proxy is needed if defined(Class['foreman_proxy::config']) and $foreman_proxy::ssl { Class['puppet::server::config'] ~> Class['foreman_proxy::config'] Class['puppet::server::config'] ~> Class['foreman_proxy::service'] } # And before Foreman's cert-using service needs it if defined(Class['foreman::service']) and $foreman::ssl { Class['puppet::server::config'] -> Class['foreman::service'] } ## General configuration $ca_server = $::puppet::ca_server $ca_port = $::puppet::ca_port $server_storeconfigs_backend = $::puppet::server::storeconfigs_backend $server_external_nodes = $::puppet::server::external_nodes $server_environment_timeout = $::puppet::server::environment_timeout if $server_external_nodes and $server_external_nodes != '' { class{ '::puppet::server::enc': enc_path => $server_external_nodes, } } $autosign = ($::puppet::server::autosign =~ Boolean)? { true => $::puppet::server::autosign, false => "${::puppet::server::autosign} { mode = ${::puppet::server::autosign_mode} }" } puppet::config::main { 'reports': value => $::puppet::server::reports; + 'environmentpath': value => $puppet::server::envs_dir; } if $::puppet::server::hiera_config and !empty($::puppet::server::hiera_config){ puppet::config::main { 'hiera_config': value => $::puppet::server::hiera_config; } } - if $puppet::server::directory_environments { - puppet::config::main { - 'environmentpath': value => $puppet::server::envs_dir; - } - } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { puppet::config::main { 'basemodulepath': value => $puppet::server::common_modules_path, joiner => ':'; } } if $puppet::server::default_manifest { puppet::config::main { 'default_manifest': value => $puppet::server::default_manifest_path; } } puppet::config::master { 'autosign': value => $autosign; 'ca': value => $::puppet::server::ca; 'certname': value => $::puppet::server::certname; 'parser': value => $::puppet::server::parser; 'strict_variables': value => $::puppet::server::strict_variables; } if $::puppet::server::ssl_dir_manage { puppet::config::master { 'ssldir': value => $::puppet::server::ssl_dir; } } if $server_environment_timeout { puppet::config::master { 'environment_timeout': value => $server_environment_timeout; } } if $server_storeconfigs_backend { puppet::config::master { 'storeconfigs': value => true; 'storeconfigs_backend': value => $server_storeconfigs_backend; } } - if !$::puppet::server::directory_environments and ($::puppet::server::git_repo or $::puppet::server::dynamic_environments) { - puppet::config::master { - 'manifest': value => "${::puppet::server::envs_dir}/\$environment/manifests/site.pp"; - 'modulepath': value => "${::puppet::server::envs_dir}/\$environment/modules"; - } - if $::puppet::server::config_version_cmd { - puppet::config::master { - 'config_version': value => $::puppet::server::config_version_cmd; - } - } - } $::puppet::server_additional_settings.each |$key,$value| { puppet::config::master { $key: value => $value } } file { "${puppet::vardir}/reports": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', } if '/usr/share/puppet/modules' in $puppet::server::common_modules_path { # Create Foreman share dir which does not depend on Puppet version exec { 'mkdir -p /usr/share/puppet/modules': creates => '/usr/share/puppet/modules', path => ['/usr/bin', '/bin'], } } ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${::puppet::server::ssl_dir}/private_keys": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', require => Exec['puppet_server_config-create_ssl_dir'], } if $puppet::server::ssl_key_manage { file { "${::puppet::server::ssl_dir}/private_keys/${::puppet::server::certname}.pem": owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0640', } } if $puppet::server::custom_trusted_oid_mapping { $_custom_trusted_oid_mapping = { oid_mapping => $puppet::server::custom_trusted_oid_mapping, } file { "${::puppet::dir}/custom_trusted_oid_mapping.yaml": ensure => file, owner => 'root', group => $::puppet::params::root_group, mode => '0644', content => to_yaml($_custom_trusted_oid_mapping), } } # If the ssl dir is not the default dir, it needs to be created before running # the generate ca cert or it will fail. exec {'puppet_server_config-create_ssl_dir': creates => $::puppet::server::ssl_dir, command => "/bin/mkdir -p ${::puppet::server::ssl_dir}", umask => '0022', } # Generate a new CA and host cert if our host cert doesn't exist if $::puppet::server::ca { if versioncmp($::puppetversion, '6.0') > 0 { $command = "${::puppet::puppetserver_cmd} ca setup" } else { $command = "${::puppet::puppet_cmd} cert --generate ${::puppet::server::certname} --allow-dns-alt-names" } exec {'puppet_server_config-generate_ca_cert': creates => $::puppet::server::ssl_cert, command => $command, umask => '0022', require => [ Concat["${::puppet::server::dir}/puppet.conf"], Exec['puppet_server_config-create_ssl_dir'], ], } } elsif $::puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca master if defined('$::servername') { file { $::puppet::server::ssl_ca_crl: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0644', content => file($::settings::cacrl, $::settings::hostcrl, '/dev/null'), } } } # autosign file if $::puppet::server_ca and !($puppet::server::autosign =~ Boolean) { if $::puppet::server::autosign_content or $::puppet::server::autosign_source { if !empty($::puppet::server::autosign_entries) { fail('Cannot set both autosign_content/autosign_source and autosign_entries') } $autosign_content = $::puppet::server::autosign_content } elsif !empty($::puppet::server::autosign_entries) { $autosign_content = template('puppet/server/autosign.conf.erb') } else { $autosign_content = undef } file { $::puppet::server::autosign: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => $::puppet::server::autosign_mode, content => $autosign_content, source => $::puppet::server::autosign_source, } } # only manage this file if we provide content if $::puppet::server::default_manifest and $::puppet::server::default_manifest_content != '' { file { $::puppet::server::default_manifest_path: ensure => file, owner => $puppet::user, group => $puppet::group, mode => '0644', content => $::puppet::server::default_manifest_content, } } ## Environments # location where our puppet environments are located if $::puppet::server::envs_target and $::puppet::server::envs_target != '' { $ensure = 'link' } else { $ensure = 'directory' } file { $::puppet::server::envs_dir: ensure => $ensure, owner => $::puppet::server::environments_owner, group => $::puppet::server::environments_group, mode => $::puppet::server::environments_mode, target => $::puppet::server::envs_target, force => true, } if $::puppet::server::git_repo { # need to chown the $vardir before puppet does it, or else # we can't write puppet.git/ on the first run include ::git git::repo { 'puppet_repo': bare => true, target => $::puppet::server::git_repo_path, mode => $::puppet::server::git_repo_mode, user => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, require => File[$::puppet::server::envs_dir], } $git_branch_map = $::puppet::server::git_branch_map # git post hook to auto generate an environment per branch file { "${::puppet::server::git_repo_path}/hooks/${::puppet::server::post_hook_name}": content => template($::puppet::server::post_hook_content), owner => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, mode => $::puppet::server::git_repo_mode, require => Git::Repo['puppet_repo'], } + } + file { $puppet::sharedir: + ensure => directory, } - elsif ! $::puppet::server::dynamic_environments { - file { $puppet::sharedir: - ensure => directory, - } - if $::puppet::server::common_modules_path and $::puppet::server::common_modules_path != '' { - file { $::puppet::server::common_modules_path: - ensure => directory, - owner => $::puppet::server_environments_owner, - group => $::puppet::server_environments_group, - mode => $::puppet::server_environments_mode, - } + if $::puppet::server::common_modules_path and !empty($::puppet::server::common_modules_path) { + file { $::puppet::server::common_modules_path: + ensure => directory, + owner => $::puppet::server_environments_owner, + group => $::puppet::server_environments_group, + mode => $::puppet::server_environments_mode, } - - # setup empty directories for our environments - puppet::server::env {$::puppet::server::environments: } } ## Foreman if $::puppet::server::foreman { # Include foreman components for the puppetmaster # ENC script, reporting script etc. class { 'foreman::puppetmaster': foreman_url => $::puppet::server::foreman_url, receive_facts => $::puppet::server::server_foreman_facts, puppet_home => $::puppet::server::puppetserver_vardir, puppet_basedir => $::puppet::server::puppet_basedir, puppet_etcdir => $puppet::dir, enc_api => $::puppet::server::enc_api, report_api => $::puppet::server::report_api, timeout => $::puppet::server::request_timeout, ssl_ca => pick($::puppet::server::foreman_ssl_ca, $::puppet::server::ssl_ca_cert), ssl_cert => pick($::puppet::server::foreman_ssl_cert, $::puppet::server::ssl_cert), ssl_key => pick($::puppet::server::foreman_ssl_key, $::puppet::server::ssl_cert_key), } contain foreman::puppetmaster } ## PuppetDB if $::puppet::server::puppetdb_host { class { '::puppetdb::master::config': puppetdb_server => $::puppet::server::puppetdb_host, puppetdb_port => $::puppet::server::puppetdb_port, puppetdb_soft_write_failure => $::puppet::server::puppetdb_swf, manage_storeconfigs => false, restart_puppet => false, } Class['puppetdb::master::puppetdb_conf'] ~> Class['puppet::server::service'] } } diff --git a/manifests/server/env.pp b/manifests/server/env.pp deleted file mode 100644 index 6a91870..0000000 --- a/manifests/server/env.pp +++ /dev/null @@ -1,94 +0,0 @@ -# Set up a puppet environment -define puppet::server::env ( - $basedir = $::puppet::server::envs_dir, - $config_version = $::puppet::server::config_version_cmd, - $manifest = undef, - $manifestdir = undef, - $modulepath = undef, - $templatedir = undef, - $environment_timeout = $::puppet::server::environment_timeout, - $directory_environments = $::puppet::server::directory_environments, - $owner = $::puppet::server::environments_owner, - $group = $::puppet::server::environments_group, - $mode = $::puppet::server::environments_mode, -) { - - $default_modulepath = ["${basedir}/${name}/modules", $::puppet::server::common_modules_path] - if $modulepath == undef { - $custom_modulepath = false - $real_modulepath = $default_modulepath - } else { - $custom_modulepath = ($modulepath != $default_modulepath) - $real_modulepath = $modulepath - } - - file { "${basedir}/${name}": - ensure => directory, - owner => $owner, - group => $group, - mode => $mode, - } - - file { "${basedir}/${name}/modules": - ensure => directory, - owner => $owner, - group => $group, - mode => $mode, - } - - if $directory_environments { - file { "${basedir}/${name}/manifests": - ensure => directory, - owner => $owner, - group => $group, - mode => $mode, - } - - if $manifest or $config_version or $custom_modulepath or $environment_timeout { - file { "${basedir}/${name}/environment.conf": - ensure => file, - owner => $owner, - group => $group, - mode => '0644', - content => template('puppet/server/environment.conf.erb'), - } - } - } else { - if $manifest { - puppet::config::environment{"${name}_manifest": - key => 'manifest', - env => $name, - value => $manifest, - } - } - if $manifestdir { - puppet::config::environment{"${name}_manifestdir": - key => 'manifestdir', - env => $name, - value => $manifestdir, - } - } - if $real_modulepath { - puppet::config::environment{"${name}_modulepath": - key => 'modulepath', - env => $name, - value => $real_modulepath, - joiner => ':', - } - } - if $templatedir { - puppet::config::environment{"${name}_templatedir": - key => 'templatedir', - env => $name, - value => $templatedir, - } - } - if $config_version { - puppet::config::environment{"${name}_config_version": - key => 'config_version', - env => $name, - value => $config_version, - } - } - } -} diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb index c38be05..568beab 100644 --- a/spec/classes/puppet_server_spec.rb +++ b/spec/classes/puppet_server_spec.rb @@ -1,760 +1,675 @@ require 'spec_helper' describe 'puppet' do on_os_under_test.each do |os, facts| context "on #{os}", unless: unsupported_puppetmaster_osfamily(facts[:osfamily]) do if facts[:osfamily] == 'FreeBSD' codedir = '/usr/local/etc/puppet' conf_d_dir = '/usr/local/etc/puppetserver/conf.d' conf_file = '/usr/local/etc/puppet/puppet.conf' confdir = '/usr/local/etc/puppet' environments_dir = '/usr/local/etc/puppet/environments' etcdir = '/usr/local/etc/puppet' if facts[:puppetversion] >= '6.0' puppetcacmd = '/usr/local/bin/puppetserver ca setup' else puppetcacmd = '/usr/local/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names' end puppetserver_logdir = '/var/log/puppetserver' puppetserver_rundir = '/var/run/puppetserver' puppetserver_vardir = '/var/puppet/server/data/puppetserver' sharedir = '/usr/local/share/puppet' ssldir = '/var/puppet/ssl' vardir = '/var/puppet' else codedir = '/etc/puppetlabs/code' conf_d_dir = '/etc/puppetlabs/puppetserver/conf.d' conf_file = '/etc/puppetlabs/puppet/puppet.conf' confdir = '/etc/puppetlabs/puppet' environments_dir = '/etc/puppetlabs/code/environments' etcdir = '/etc/puppetlabs/puppet' if facts[:puppetversion] >= '6.0' puppetcacmd = '/opt/puppetlabs/bin/puppetserver ca setup' else puppetcacmd = '/opt/puppetlabs/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names' end puppetserver_logdir = '/var/log/puppetlabs/puppetserver' puppetserver_rundir = '/var/run/puppetlabs/puppetserver' puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' sharedir = '/opt/puppetlabs/puppet' ssldir = '/etc/puppetlabs/puppet/ssl' vardir = '/opt/puppetlabs/puppet/cache' end let(:facts) { facts } let(:params) do { server: true, server_certname: 'puppetmaster.example.com' } end describe 'with no custom parameters' do it { should compile.with_all_deps } # install it { should contain_class('puppet::server::install') } it { should contain_user('puppet') } it { should contain_package('puppetserver') } # config it { should contain_class('puppet::server::config') } it { should contain_puppet__config__main('reports').with_value('foreman') } it { should contain_puppet__config__main('hiera_config').with_value('$confdir/hiera.yaml') } - it { should contain_puppet__config__main('environmentpath').with_value("#{codedir}/environments") } + it { should contain_puppet__config__main('environmentpath').with_value(environments_dir) } it do should contain_puppet__config__main('basemodulepath') - .with_value(["#{codedir}/environments/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) + .with_value(["#{environments_dir}/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) .with_joiner(':') end it { should_not contain_puppet__config__main('default_manifest') } it { should contain_puppet__config__master('autosign').with_value("#{etcdir}\/autosign.conf \{ mode = 0664 \}") } it { should contain_puppet__config__master('ca').with_value('true') } it { should contain_puppet__config__master('certname').with_value('puppetmaster.example.com') } it { should contain_puppet__config__master('parser').with_value('current') } it { should contain_puppet__config__master('strict_variables').with_value('false') } it { should contain_puppet__config__master('ssldir').with_value(ssldir) } it { should_not contain_puppet__config__master('environment_timeout') } it { should_not contain_puppet__config__master('storeconfigs') } it { should_not contain_puppet__config__master('storeconfigs_backend') } it { should_not contain_puppet__config__master('manifest') } it { should_not contain_puppet__config__master('modulepath') } it { should_not contain_puppet__config__master('config_version') } it { should contain_puppet__config__master('external_nodes').with_value("#{etcdir}\/node.rb") } it { should contain_puppet__config__master('node_terminus').with_value('exec') } it { should contain_puppet__config__master('logdir').with_value(puppetserver_logdir) } it { should contain_puppet__config__master('rundir').with_value(puppetserver_rundir) } it { should contain_puppet__config__master('vardir').with_value(puppetserver_vardir) } it 'should set up SSL permissions' do should contain_file("#{ssldir}/private_keys") \ .with_group('puppet') \ .with_mode('0750') should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem") \ .with_group('puppet') \ .with_mode('0640') should contain_exec('puppet_server_config-create_ssl_dir') \ .with_creates(ssldir) \ .with_command("/bin/mkdir -p #{ssldir}") \ .with_umask('0022') should contain_exec('puppet_server_config-generate_ca_cert') \ .with_creates("#{ssldir}/certs/puppetmaster.example.com.pem") \ .with_command(puppetcacmd) \ .with_umask('0022') \ .that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) end - it { should contain_puppet__config__main('environmentpath').with_value(environments_dir) } it { should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') } it 'should set up the environments' do should contain_file(environments_dir) .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_file(sharedir).with_ensure('directory') should contain_file("#{codedir}/environments/common") .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_file("#{sharedir}/modules") .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') - - should contain_puppet__server__env('development') - should contain_puppet__server__env('production') end it { should contain_concat(conf_file) } it { should_not contain_puppet__config__agent('configtimeout') } it { should_not contain_class('puppetdb') } it { should_not contain_class('puppetdb::master::config') } it { should_not contain_file("#{confdir}/custom_trusted_oid_mapping.yaml") } it { should contain_file("#{confdir}/autosign.conf") } it { should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) } it { should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) } it 'should set up the ENC' do should contain_class('foreman::puppetmaster') .with_foreman_url('https://foo.example.com') .with_receive_facts(true) .with_puppet_home(puppetserver_vardir) .with_puppet_etcdir(etcdir) .with_timeout(60) .with_puppet_basedir('/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet') end # service it { should contain_class('puppet::server::service') } it { should contain_class('puppet::server::puppetserver') } end describe 'with uppercase hostname' do let(:facts) do super().merge( fqdn: 'PUPPETMASTER.example.com', # clientcert is always lowercase by Puppet design clientcert: 'puppetmaster.example.com' ) end it { should compile.with_all_deps } it 'should use lowercase certificates' do should contain_class('puppet::server::puppetserver') .with_server_ssl_cert("#{ssldir}/certs/puppetmaster.example.com.pem") .with_server_ssl_cert_key("#{ssldir}/private_keys/puppetmaster.example.com.pem") end end describe 'with ip parameter' do let(:params) do super().merge(server_ip: '127.0.0.1') end it { should compile.with_all_deps } it { should contain_class('puppet::server').with_ip('127.0.0.1') } it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/host: 127.0.0.1/) } it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-host: 127.0.0.1/) } end context 'manage_packages' do tests = { false => false, 'agent' => false, 'server' => true } tests.each do |value, expected| describe "when manage_packages => #{value.inspect}" do let(:params) do super().merge(manage_packages: value) end it { should compile.with_all_deps } if expected it { should contain_package('puppetserver') } else it { should_not contain_package('puppetserver') } end end end end describe 'when autosign => true' do let(:params) do super().merge(autosign: true) end it { should contain_puppet__config__master('autosign').with_value(true) } end describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do let(:params) do super().merge( autosign: '/somedir/custom_autosign', autosign_mode: '664' ) end it { should contain_puppet__config__master('autosign').with_value('/somedir/custom_autosign { mode = 664 }') } end describe "when autosign_entries set to ['foo.bar']" do let(:params) do super().merge(autosign_entries: ['foo.bar']) end it 'should contain autosign.conf with content set' do should contain_file("#{confdir}/autosign.conf") should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do let(:params) do super().merge( autosign_content: 'foo.bar', autosign_entries: ['foo.bar'] ) end it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content/autosign_source and autosign_entries}) } end describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do let(:params) do super().merge( autosign_source: 'puppet:///foo/bar', autosign_entries: ['foo.bar'] ) end it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content\/autosign_source and autosign_entries}) } end context 'when autosign => /usr/local/bin/custom_autosign.sh, autosign_mode => 775' do let(:params) do super().merge( autosign: '/usr/local/bin/custom_autosign.sh', autosign_mode: '775' ) end describe "when autosign_content set to 'foo.bar'" do let(:params) do super().merge(autosign_content: 'foo.bar') end it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } it { should contain_file('/usr/local/bin/custom_autosign.sh').with_content('foo.bar') } end describe "autosign_source set to 'puppet:///foo/bar'" do let(:params) do super().merge(autosign_source: 'puppet:///foo/bar') end it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } it { should contain_file('/usr/local/bin/custom_autosign.sh').with_source('puppet:///foo/bar') } end end describe "when hiera_config => '/etc/puppet/hiera/production/hiera.yaml'" do let(:params) do super().merge(hiera_config: '/etc/puppet/hiera/production/hiera.yaml') end it { should contain_puppet__config__main('hiera_config').with_value('/etc/puppet/hiera/production/hiera.yaml') } end describe 'without foreman' do let(:params) do super().merge( server_foreman: false, server_reports: 'store', server_external_nodes: '' ) end it { should_not contain_class('foreman::puppetmaster') } it { should_not contain_puppet__config__master('node_terminus') } it { should_not contain_puppet__config__master('external_nodes') } end describe 'with server_default_manifest => true and undef content' do let(:params) do super().merge(server_default_manifest: true) end it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } it { should_not contain_file('/etc/puppet/manifests/default_manifest.pp') } end describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do let(:params) do super().merge( server_default_manifest: true, server_default_manifest_content: 'include foo' ) end it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } it { should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content('include foo') } end describe 'with git repo' do let(:params) do super().merge(server_git_repo: true) end it do should contain_class('puppet::server') .with_git_repo(true) .with_git_repo_path("#{vardir}/puppet.git") .with_post_hook_name('post-receive') end it 'should set up the environments directory' do should contain_file(environments_dir) \ .with_ensure('directory') \ .with_owner('puppet') end it 'should create the puppet user' do shell = case facts[:osfamily] when /^(FreeBSD|DragonFly)$/ '/usr/local/bin/git-shell' else '/usr/bin/git-shell' end should contain_user('puppet') .with_shell(shell) .that_requires('Class[git]') end it do should contain_file(vardir) .with_ensure('directory') .with_owner('puppet') end it do should contain_git__repo('puppet_repo') .with_bare(true) .with_target("#{vardir}/puppet.git") .with_user('puppet') .that_requires("File[#{environments_dir}]") end it do should contain_file("#{vardir}/puppet.git/hooks/post-receive") .with_owner('puppet') \ .with_mode('0755') \ .that_requires('Git::Repo[puppet_repo]') \ .with_content(/BRANCH_MAP = \{[^a-zA-Z=>]\}/) end - it { should_not contain_puppet__server__env('development') } - it { should_not contain_puppet__server__env('production') } - describe 'with a puppet git branch map' do let(:params) do super().merge(server_git_branch_map: { 'a' => 'b', 'c' => 'd' }) end it 'should add the branch map to the post receive hook' do should contain_file("#{vardir}/puppet.git/hooks/post-receive") .with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) end end - - context 'with directory environments' do - let(:params) do - super().merge(server_directory_environments: true) - end - - it 'should configure puppet.conf' do - should_not contain_puppet__config__master('config_version') - - should contain_puppet__config__main('environmentpath').with_value(environments_dir) - end - end - - context 'with config environments' do - let(:params) do - super().merge(server_directory_environments: false) - end - - it 'should configure puppet.conf' do - should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") - should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") - should contain_puppet__config__master('config_version').with_value("git --git-dir #{environments_dir}/\$environment/.git describe --all --long") - end - end end - describe 'with dynamic environments' do - let(:params) do - super().merge(server_dynamic_environments: true) - end - - context 'with directory environments' do - let(:params) do - super().merge( - server_directory_environments: true, - server_environments_owner: 'apache' - ) - end - - it 'should set up the environments directory' do - should contain_file(environments_dir) \ - .with_ensure('directory') \ - .with_owner('apache') - end - - it 'should configure puppet.conf' do - should contain_puppet__config__main('environmentpath').with_value(environments_dir) - should contain_puppet__config__main('basemodulepath').with_value(["#{environments_dir}/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) - end - - it { should_not contain_puppet__server__env('development') } - it { should_not contain_puppet__server__env('production') } - end - - context 'with no common modules directory' do - let(:params) do - super().merge( - server_directory_environments: true, - server_environments_owner: 'apache', - server_common_modules_path: '' - ) - end - - it { should_not contain_puppet__config__main('basemodulepath') } - end - - context 'with config environments' do - let(:params) do - super().merge( - server_directory_environments: false, - server_environments_owner: 'apache' - ) - end - - it 'should set up the environments directory' do - should contain_file(environments_dir) \ - .with_ensure('directory') \ - .with_owner('apache') - end - - it 'should configure puppet.conf' do - should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") - should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") - end + context 'with directory environments owner' do + let(:params) { super().merge(server_environments_owner: 'apache') } + it { should contain_file(environments_dir).with_owner('apache') } + end - it { should_not contain_puppet__server__env('development') } - it { should_not contain_puppet__server__env('production') } - end + context 'with no common modules directory' do + let(:params) { super().merge(server_common_modules_path: '') } + it { should_not contain_puppet__config__main('basemodulepath') } end describe 'with SSL path overrides' do let(:params) do super().merge( server_foreman_ssl_ca: '/etc/example/ca.pem', server_foreman_ssl_cert: '/etc/example/cert.pem', server_foreman_ssl_key: '/etc/example/key.pem' ) end it 'should pass SSL parameters to the ENC' do should contain_class('foreman::puppetmaster') .with_ssl_ca('/etc/example/ca.pem') .with_ssl_cert('/etc/example/cert.pem') .with_ssl_key('/etc/example/key.pem') end end describe 'with a PuppetDB host set' do let(:params) do super().merge( server_puppetdb_host: 'mypuppetdb.example.com', server_storeconfigs_backend: 'puppetdb' ) end it 'should configure PuppetDB' do should compile.with_all_deps should contain_class('puppetdb::master::config') .with_puppetdb_server('mypuppetdb.example.com') .with_puppetdb_port(8081) .with_puppetdb_soft_write_failure(false) .with_manage_storeconfigs(false) .with_restart_puppet(false) end end describe 'with additional settings' do let(:params) do super().merge(server_additional_settings: { 'stringify_facts' => true }) end it 'should configure puppet.conf' do should contain_puppet__config__master('stringify_facts').with_value(true) end end describe 'with server_parser => future' do let(:params) do super().merge(server_parser: 'future') end it { should contain_puppet__config__master('parser').with_value('future') } end describe 'with server_environment_timeout set' do let(:params) do super().merge(server_environment_timeout: '10m') end it { should contain_puppet__config__master('environment_timeout').with_value('10m') } end describe 'with no ssldir managed for master' do let(:params) do super().merge(server_ssl_dir_manage: false) end it { should_not contain_puppet__config__master('ssl_dir') } end describe 'with ssl key management disabled for server' do let(:params) do super().merge( server_certname: 'servercert', server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl', server_ssl_key_manage: false ) end it { should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') } end describe 'with nondefault CA settings' do let(:params) do super().merge(server_ca: false) end it { should contain_exec('puppet_server_config-create_ssl_dir') } it { should_not contain_exec('puppet_server_config-generate_ca_cert') } end describe 'with server_ca_crl_sync => true' do let(:params) do super().merge(server_ca_crl_sync: true) end context 'with server_ca => false and running "puppet apply"' do let(:params) do super().merge( server_ca: false, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end context 'with server_ca => false: running "puppet agent -t"' do let(:params) do super().merge( server_ca: false, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end let(:facts) do facts.merge(servername: 'myserver') end before :context do @cacrl = Tempfile.new('cacrl') File.open(@cacrl, 'w') { |f| f.write 'This is my CRL File' } Puppet.settings[:cacrl] = @cacrl.path end it 'should sync the crl from the ca' do should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') .with_content('This is my CRL File') end end context 'with server_ca => true: running "puppet agent -t"' do let(:params) do super().merge( server_ca: true, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end let(:facts) do facts.merge(servername: 'myserver') end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end end describe 'allow crl checking' do context 'as ca' do let(:params) do super().merge(server_ca: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/ca/ca_crl\.pem}) } end context 'as non-ca' do let(:params) do super().merge(server_ca: false) end it { should contain_file("#{conf_d_dir}/webserver.conf").without_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } context 'server_crl_enable' do let(:params) do super().merge(server_crl_enable: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } end end end describe 'with ssl_protocols overwritten' do let(:params) do super().merge(server_ssl_protocols: ['TLSv1.1', 'TLSv1.2']) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-protocols: \[\n( +)TLSv1.1,\n( +)TLSv1.2,\n( +)\]/) } end describe 'with ssl_protocols overwritten' do let(:params) do super().merge(server_cipher_suites: %w[TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA]) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/cipher-suites: \[\n( +)TLS_RSA_WITH_AES_256_CBC_SHA256,\n( +)TLS_RSA_WITH_AES_256_CBC_SHA,\n( +)\]/) } end describe 'with ssl_chain_filepath overwritten' do let(:params) do super().merge(server_ssl_chain_filepath: '/etc/example/certchain.pem') end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-cert-chain: /etc/example/certchain.pem}) } end describe 'with server_custom_trusted_oid_mapping overwritten' do let(:params) do super().merge(server_custom_trusted_oid_mapping: { '1.3.6.1.4.1.34380.1.2.1.1' => { shortname: 'myshortname', longname: 'My Long Name' }, '1.3.6.1.4.1.34380.1.2.1.2' => { shortname: 'myothershortname' } }) end it 'should have a configured custom_trusted_oid_mapping.yaml' do verify_exact_contents(catalogue, "#{confdir}/custom_trusted_oid_mapping.yaml", [ '---', 'oid_mapping:', ' 1.3.6.1.4.1.34380.1.2.1.1:', ' shortname: myshortname', ' longname: My Long Name', ' 1.3.6.1.4.1.34380.1.2.1.2:', ' shortname: myothershortname' ]) end end describe 'with server_certname parameter' do let(:params) do super().merge( server_certname: 'puppetserver43.example.com', server_ssl_dir: '/etc/custom/puppet/ssl' ) end it 'should put the correct ssl key path in webserver.conf' do should contain_file("#{conf_d_dir}/webserver.conf") .with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem}) end it 'should put the correct ssl cert path in webserver.conf' do should contain_file("#{conf_d_dir}/webserver.conf") .with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem}) end end describe 'with server_http parameter set to true for the puppet class' do let(:params) do super().merge(server_http: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ host:\s0\.0\.0\.0/).with_content(/ port:\s8139/) } it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end describe 'with server_allow_header_cert_info => true' do let(:params) do super().merge(server_allow_header_cert_info: true) end it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end end end end diff --git a/spec/defines/puppet_server_env_spec.rb b/spec/defines/puppet_server_env_spec.rb deleted file mode 100644 index 9055d71..0000000 --- a/spec/defines/puppet_server_env_spec.rb +++ /dev/null @@ -1,302 +0,0 @@ -require 'spec_helper' - -describe 'puppet::server::env' do - on_os_under_test.each do |os, facts| - next if facts[:osfamily] == 'windows' - next if facts[:osfamily] == 'Archlinux' - context "on #{os}" do - if facts[:osfamily] == 'FreeBSD' - codedir = '/usr/local/etc/puppet' - confdir = '/usr/local/etc/puppet' - logdir = '/var/log/puppet' - rundir = '/var/run/puppet' - ssldir = '/var/puppet/ssl' - vardir = '/var/puppet' - sharedir = '/usr/local/share/puppet' - else - codedir = '/etc/puppetlabs/code' - confdir = '/etc/puppetlabs/puppet' - logdir = '/var/log/puppetlabs/puppet' - rundir = '/var/run/puppetlabs' - ssldir = '/etc/puppetlabs/puppet/ssl' - vardir = '/opt/puppetlabs/puppet/cache' - sharedir = '/opt/puppetlabs/puppet' - end - - let(:facts) { facts } - - let(:title) { 'foo' } - - context 'with no custom parameters' do - context 'with directory environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => true}" - end - - it 'should only deploy directories' do - should contain_file("#{codedir}/environments").with({ - :ensure => 'directory', - :owner => 'puppet', - :group => nil, - :mode => '0755', - }) - - should contain_file("#{codedir}/environments/foo").with({ - :ensure => 'directory', - :owner => 'puppet', - :group => nil, - :mode => '0755', - }) - - should contain_file("#{codedir}/environments/foo/manifests").with({ - :ensure => 'directory', - :owner => 'puppet', - :group => nil, - :mode => '0755', - }) - - should contain_file("#{codedir}/environments/foo/modules").with({ - :ensure => 'directory', - :owner => 'puppet', - :group => nil, - :mode => '0755', - }) - - should_not contain_file("#{codedir}/environments/foo/environment.conf") - should_not contain_concat__fragment('puppet.conf_foo') - end - end - - context 'with config environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => false}" - end - - it 'should add an env section' do - should contain_file("#{codedir}/environments/foo").with({ - :ensure => 'directory', - :owner => 'puppet', - :group => nil, - :mode => '0755', - }) - - should contain_file("#{codedir}/environments/foo/modules").with({ - :ensure => 'directory', - :owner => 'puppet', - :group => nil, - :mode => '0755', - }) - - should_not contain_puppet__config__environment('foo_manifest') - should_not contain_puppet__config__environment('foo_manifestdir') - should_not contain_puppet__config__environment('foo_templatedir') - should_not contain_puppet__config__environment('foo_config_version') - should contain_puppet__config__environment('foo_modulepath').with({ - 'key' => 'modulepath', - 'value' => ["#{codedir}/environments/foo/modules",["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"]], - 'joiner' => ':', - }) - - should_not contain_file("#{codedir}/environments/foo/environment.conf") - end - end - end - - context 'with server_config_version' do - context 'with directory environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => true, server_config_version => 'bar'}" - end - - it 'should set config_version in environment.conf' do - should contain_file("#{codedir}/environments/foo/environment.conf"). - with_content(%r{\Aconfig_version\s+= bar\n\z}) - end - end - - context 'with config environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => false, server_config_version => 'bar'}" - end - - it 'should add config_version to an env section' do - should_not contain_puppet__config__environment('foo_manifest') - should_not contain_puppet__config__environment('foo_manifestdir') - should_not contain_puppet__config__environment('foo_templatedir') - should contain_puppet__config__environment('foo_modulepath').with({ - 'key' => 'modulepath', - 'value' => ["#{codedir}/environments/foo/modules",["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"]], - 'joiner' => ':', - }) - should contain_puppet__config__environment('foo_config_version').with({ - 'key' => 'config_version', - 'value' => 'bar', - }) - end - end - end - - context 'with config_version' do - let :params do - { - :config_version => 'bar', - } - end - - context 'with directory environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => true}" - end - - it 'should set config_version in environment.conf' do - should contain_file("#{codedir}/environments/foo/environment.conf"). - with_content(%r{\Aconfig_version\s+= bar\n\z}) - end - end - - context 'with config environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => false}" - end - - it 'should add config_version to an env section' do - should_not contain_puppet__config__environment('foo_manifest') - should_not contain_puppet__config__environment('foo_manifestdir') - should_not contain_puppet__config__environment('foo_templatedir') - should contain_puppet__config__environment('foo_modulepath').with({ - 'key' => 'modulepath', - 'value' => ["#{codedir}/environments/foo/modules",["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"]], - 'joiner' => ':', - }) - should contain_puppet__config__environment('foo_config_version').with({ - 'key' => 'config_version', - 'value' => 'bar', - }) - end - end - - context 'with directory environments link' do - let :pre_condition do - "class {'puppet': server => true, server_envs_target => '/foo'}" - end - - it 'should produce a symbolic link "environments" in codedir' do - should contain_file("#{codedir}/environments"). - with_target('/foo'). - with_ensure('link') - end - end - end - - context 'with modulepath' do - let :params do - { - :modulepath => ['/etc/puppet/example/modules', '/etc/puppet/vendor/modules'], - } - end - - context 'with directory environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => true}" - end - - it 'should set modulepath in environment.conf' do - should contain_file("#{codedir}/environments/foo/environment.conf"). - with_content(%r{\Amodulepath\s+= /etc/puppet/example/modules:/etc/puppet/vendor/modules\n}) - end - end - end - - context 'with undef modulepath' do - let :params do - { - :modulepath => Undef.new, - } - end - - context 'with directory environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => true}" - end - - it { should_not contain_file("#{codedir}/environments/foo/environment.conf") } - end - end - - context 'with custom basedir' do - basedir = "#{codedir}/baz_environments" - let :params do - { - :basedir => basedir, - } - end - - context 'with directory environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => true}" - end - - it { should_not contain_file("#{codedir}/environments/foo/environment.conf") } - it { should_not contain_file("#{basedir}/foo/environment.conf") } - end - - context 'with config environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => false}" - end - - it 'should add modulepath with custom basedir to an env section' do - should_not contain_puppet__config__environment('foo_manifest') - should_not contain_puppet__config__environment('foo_manifestdir') - should_not contain_puppet__config__environment('foo_templatedir') - should_not contain_puppet__config__environment('foo_config_version') - should contain_puppet__config__environment('foo_modulepath').with({ - 'key' => 'modulepath', - 'value' => ["#{basedir}/foo/modules",["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"]], - 'joiner' => ':', - }) - end - end - end - - context 'with manifest' do - let :params do - { - :manifest => 'manifests/local.pp', - } - end - - context 'with directory environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => true}" - end - - it 'should set manifest in environment.conf' do - should contain_file("#{codedir}/environments/foo/environment.conf"). - with_content(%r{\Amanifest\s+= manifests/local.pp\n\z}) - end - end - end - - context 'with environment_timeout' do - let :params do - { - :environment_timeout => 'unlimited', - } - end - - context 'with directory environments' do - let :pre_condition do - "class {'puppet': server => true, server_directory_environments => true}" - end - - it 'should set environment_timeout in environment.conf' do - should contain_file("#{codedir}/environments/foo/environment.conf"). - with_content(%r{\Aenvironment_timeout\s+= unlimited\n\z}) - end - end - end - - end - end -end