diff --git a/README.md b/README.md index 341cc7a..45f239b 100644 --- a/README.md +++ b/README.md @@ -1,185 +1,195 @@ [![Puppet Forge](https://img.shields.io/puppetforge/v/theforeman/puppet.svg)](https://forge.puppetlabs.com/theforeman/puppet) [![Build Status](https://travis-ci.org/theforeman/puppet-puppet.svg?branch=master)](https://travis-ci.org/theforeman/puppet-puppet) # Puppet module for installing the Puppet agent and master Installs and configures the Puppet agent and optionally a Puppet master (when `server` is true). Part of the [Foreman installer](https://github.com/theforeman/foreman-installer) or to be used as a Puppet module. When using Puppet Server (version 5.3.6 is the lowest version, this module supports), the module supports and assumes you will be installing the latest version. If you know you'll be installing an earlier or specific version, you will need to override `server_puppetserver_version`. More information in the Puppet Server section below. Many puppet.conf options for agents, masters and other are parameterized, with class documentation provided at the top of the manifests. In addition, there are hash parameters for each configuration section that can be used to supply any options that are not explicitly supported. +## Upgrading from Puppetserver 6 to 7 + +Puppetserver 7 moves the CA files from ssldir to its own. To move the existing +files, `puppetserver ca migrate` can be used but this requires the puppetserver +to be stopped. The module does run this command if needed, but doesn't stop the +service so the application will fail. + +It is recommended to run this command directly after updating the packages. It +leaves a symlink so the old config should continue to work. + ## Environments support The module helps configure Puppet environments using directory environments. These are set up under /etc/puppetlabs/code/environments. ## Git repo support Environments can be backed by git by setting `server_git_repo` to true, which sets up `/var/lib/puppet/puppet.git` where each branch maps to one environment. Avoid using 'master' as this name isn't permitted. On each push to the repo, a hook updates `/etc/puppet/environments` with the contents of the branch. Requires [theforeman/git](https://forge.puppetlabs.com/theforeman/git). ## Foreman integration The Foreman integration is optional, but on by default when `server` is true. It can be disabled by setting `server_foreman` to false. Requires [theforeman/puppetserver_foreman](https://forge.puppetlabs.com/theforeman/puppetserver_foreman). Since version 15.0.0 the integration bits depend on the standalone module where previously it depended on [theforeman/foreman](https://forge.puppetlabs.com/theforeman/foreman) ## PuppetDB integration The Puppet master can be configured to export catalogs and reports to a PuppetDB instance, using the puppetlabs/puppetdb module. Use its `puppetdb::server` class to install the PuppetDB server and this module to configure the Puppet master to connect to PuppetDB. Requires [puppetlabs/puppetdb](https://forge.puppetlabs.com/puppetlabs/puppetdb) ```puppet class { 'puppet': server => true, server_reports => 'puppetdb,foreman', server_storeconfigs => true, } class { 'puppet::server::puppetdb': server => 'mypuppetdb.example.com', } ``` Please also make sure your puppetdb ciphers are compatible with your puppet server ciphers, ie that the two following parameters match: ``` puppet::server::cipher_suites puppetdb::server::cipher_suites ``` # Installation Available from GitHub (via cloning or tarball), [Puppet Forge](https://forge.puppetlabs.com/theforeman/puppet) or as part of the Foreman installer. # Usage As a parameterized class, all the configurable options can be overridden from your wrapper classes or even your ENC (if it supports param classes). For example: # Agent and cron (or daemon): class { '::puppet': runmode => 'cron' } # Agent and puppetmaster: class { '::puppet': server => true } # You want to use git? class { '::puppet': server => true server_git_repo => true } # Maybe you're using gitolite, new hooks, and a different port? class { '::puppet': server => true server_port => 8141, server_git_repo => true, server_git_repo_path => '/var/lib/gitolite/repositories/puppet.git', server_post_hook_name => 'post-receive.puppet', server_post_hook_content => 'puppetserver/post-hook.puppet', } # Configure master without Foreman integration class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', } # Want to integrate with an existing PuppetDB? class { '::puppet': server => true, server_reports => 'puppetdb,foreman', server_storeconfigs => true, } class { 'puppet::server::puppetdb': server => 'mypuppetdb.example.com', } Look in _init.pp_ for what can be configured this way, see Contributing if anything doesn't work. To use this in standalone mode, edit a file (e.g. install.pp), put in a class resource, as per the examples above, and the execute _puppet apply_ e.g: cat > install.pp < true } EOF puppet apply install.pp --modulepath /path_to/extracted_tarball # Advanced scenarios An HTTP (non-SSL) puppetmaster instance can be set up (standalone or in addition to the SSL instance) by setting the `server_http` parameter to `true`. This is useful for reverse proxy or load balancer scenarios where the proxy/load balancer takes care of SSL termination. The HTTP puppetmaster instance expects the `X-Client-Verify`, `X-SSL-Client-DN` and `X-SSL-Subject` HTTP headers to have been set on the front end server. The listening port can be configured by setting `server_http_port` (which defaults to 8139). For puppetserver, this HTTP instance accepts **ALL** connections and no further restrictions can be configured. **Note that running an HTTP puppetmaster is a huge security risk when improperly configured. Allowed hosts should be tightly controlled; anyone with access to an allowed host can access all client catalogues and client certificates.** # Configure an HTTP puppetmaster vhost in addition to the standard SSL vhost class { '::puppet': server => true, server_http => true, server_http_port => 8130, # default: 8139 } ## Puppet Server configuration Puppet Server requires slightly different configuration between different versions, which this module supports. It's recommended that you set the `server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version you have installed. By default the module will configure for the latest version available. # Contributing * Fork the project * Commit and push until you are happy with your contribution # More info See https://theforeman.org or at #theforeman irc channel on freenode Copyright (c) 2010-2012 Ohad Levy This program and entire repository is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . diff --git a/manifests/server.pp b/manifests/server.pp index 02f9e08..c6d7654 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,511 +1,517 @@ # == Class: puppet::server # # Sets up a puppet master. # # == puppet::server parameters # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $hiera_config:: The hiera configuration file. # # $manage_user:: Whether to manage the puppet user resource # # $user:: Name of the puppetmaster user. # # $group:: Name of the puppetmaster group. # # $dir:: Puppet configuration directory # # $ip:: Bind ip address of the puppetmaster # # $port:: Puppet master port # # $ca:: Provide puppet CA # # $ca_crl_filepath:: Path to ca_crl file # # $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to # be agents of the CA master (MOM) defaults to false # # $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults # to false # # $http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. # # $http_port:: Puppet master HTTP port; defaults to 8139. # # $reports:: List of report types to include on the puppetmaster # # $external_nodes:: External nodes classifier executable # # $trusted_external_command:: The external trusted facts script to use. # (Puppet >= 6.11 only). # # $git_repo:: Use git repository as a source of modules # # $environments_owner:: The owner of the environments directory # # $environments_group:: The group owning the environments directory # # $environments_mode:: Environments directory mode. # # $envs_dir:: Directory that holds puppet environments # # $envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $common_modules_path:: Common modules paths # # $git_repo_path:: Git repository path # # $git_repo_mode:: Git repository mode # # $git_repo_group:: Git repository group # # $git_repo_user:: Git repository user # # $git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $post_hook_content:: Which template to use for git post hook # # $post_hook_name:: Name of a git hook # # $storeconfigs:: Whether to enable storeconfigs # # $ssl_dir:: SSL directory # # $package:: Custom package name for puppet master # # $version:: Custom package version for puppet master # # $certname:: The name to use when handling certificates. # # $strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # $max_open_files:: Increase the max open files limit for Puppetserver. # # # === Advanced server parameters: # # $codedir:: Override the puppet code directory. # # $config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. # # $server_foreman_facts:: Should foreman receive facts from puppet # # $foreman:: Should foreman integration be installed # # $foreman_url:: Foreman URL # # $foreman_ssl_ca:: SSL CA of the Foreman server # # $foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $foreman_ssl_key:: Key for authenticating against Foreman server # # $puppet_basedir:: Where is the puppet code base located # # $compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. # # # $request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $jvm_java_bin:: Set the default java to use. # # $jvm_config:: Specify the puppetserver jvm configuration file. # # $jvm_min_heap_size:: Specify the minimum jvm heap space. # # $jvm_max_heap_size:: Specify the maximum jvm heap space. # # $jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $jruby_gem_home:: Where jruby gems are located for puppetserver # # $default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $default_manifest_path:: A string setting the path to the default_manifest # # $default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $puppetserver_vardir:: The path of the puppetserver var dir # # $puppetserver_rundir:: The path of the puppetserver run dir # # $puppetserver_logdir:: The path of the puppetserver log dir # # $puppetserver_dir:: The path of the puppetserver config dir # # $puppetserver_version:: The version of puppetserver installed (or being installed) # Unfortunately, different versions of puppetserver need configuring differently. # By default we attempt to derive the version from the puppet version itself but # can be overriden if you're installing an older version. # # $max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled) # # $max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a # JRuby from the pool. (Puppetserver 5.x only) # Defaults to 0 (disabled) for Puppetserver >= 5.0 # # $max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on # 503 responses returned when max-queued-requests is enabled. (Puppetserver 5.x only) # Defaults to 1800 for Puppetserver >= 5.0 # # $multithreaded:: Use multithreaded jruby. (Puppetserver >= 6.8 only). Defaults to false. # # $idle_timeout:: How long the server will wait for a response on an existing connection # # $connect_timeout:: How long the server will wait for a response to a connection attempt # # $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed. # Defaults to the Jetty default of 30s # # $ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $ssl_chain_filepath:: Path to certificate chain for puppetserver # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $ca_client_self_delete:: Adds a rule to auth.conf, that allows a client to self delete its own certificate # Defaults to false # # $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) # Note that Puppetserver 7 has dropped support for this. # # $check_for_updates:: Should the puppetserver phone home to check for available updates? # # $environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the # environment_classes API. # # # $allow_header_cert_info:: Allow client authentication over HTTP Headers # Defaults to false, is also activated by the $http setting # # $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $puppetserver_metrics:: Enable puppetserver http-client metrics # Defaults to false because that's the Puppet Inc. default behaviour. # # $puppetserver_profiler:: Enable JRuby profiling. # Defaults to false because that's the Puppet Inc. default behaviour. # # $metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf # # $puppetserver_trusted_agents:: Certificate names of agents that are allowed to fetch *all* catalogs. Defaults to empty array # # $puppetserver_trusted_certificate_extensions:: An array of hashes of certificate extensions and values. # Example: [{ 'pp_authorization' => 'catalog' }] # # $ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # Defaults to false # # $ca_enable_infra_crl:: Enable the separate CRL for Puppet infrastructure nodes # Defaults to false # # $acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for unencrypted HTTP traffic. If not provided, the webserver # defaults to the number of virtual cores on the host divided by 8, with a minimum # of 1 and maximum of 4. # # $selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for unencrypted HTTPS traffic. If not provided, # the webserver defaults to the minimum of: virtual cores on the host divided by 2 # or max-threads divided by 16, with a minimum of 1. # # $max_threads:: This sets the maximum number of threads assigned to responding to HTTP and/or # HTTPS requests for a single webserver, effectively changing how many # concurrent requests can be made at one time. If not provided, the # webserver defaults to 200. # # $ssl_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for encrypted HTTPS traffic. If not provided, defaults to # the number of virtual cores on the host divided by 8, with a minimum of 1 and maximum of 4. # # $ssl_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for encrypted HTTPS traffic. Defaults to the number of # virtual cores on the host divided by 2, with a minimum of 1 and maximum of 4. # The number of selector threads actually used by Jetty is twice the number of selectors # requested. For example, if a value of 3 is specified for the ssl-selector-threads setting, # Jetty will actually use 6 selector threads. # # $versioned_code_id:: The path to an executable script that Puppet Server invokes to generate a code_id # # $versioned_code_content:: Contains the path to an executable script that Puppet Server invokes when an agent makes # a static_file_content API request for the contents of a file resource that # has a source attribute with a puppet:/// URI value. class puppet::server( Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::autosign, Array[String] $autosign_entries = $puppet::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $puppet::autosign_mode, Optional[String] $autosign_content = $puppet::autosign_content, Optional[String] $autosign_source = $puppet::autosign_source, String $hiera_config = $puppet::hiera_config, Array[String] $admin_api_whitelist = $puppet::server_admin_api_whitelist, Boolean $manage_user = $puppet::server_manage_user, String $user = $puppet::server_user, String $group = $puppet::server_group, String $dir = $puppet::server_dir, Stdlib::Absolutepath $codedir = $puppet::codedir, Integer $port = $puppet::server_port, String $ip = $puppet::server_ip, Boolean $ca = $puppet::server_ca, Optional[String] $ca_crl_filepath = $puppet::ca_crl_filepath, Boolean $ca_crl_sync = $puppet::server_ca_crl_sync, Optional[Boolean] $crl_enable = $puppet::server_crl_enable, Boolean $ca_auth_required = $puppet::server_ca_auth_required, Boolean $ca_client_self_delete = $puppet::server_ca_client_self_delete, Array[String] $ca_client_whitelist = $puppet::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $puppet::server_custom_trusted_oid_mapping, Boolean $http = $puppet::server_http, Integer $http_port = $puppet::server_http_port, String $reports = $puppet::server_reports, Stdlib::Absolutepath $puppetserver_vardir = $puppet::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $puppetserver_rundir = $puppet::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $puppetserver_logdir = $puppet::server_puppetserver_logdir, Stdlib::Absolutepath $puppetserver_dir = $puppet::server_puppetserver_dir, Optional[Pattern[/^[\d]\.[\d]+\.[\d]+$/]] $puppetserver_version = $puppet::server_puppetserver_version, Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $puppet::server_external_nodes, Optional[Stdlib::Absolutepath] $trusted_external_command = $puppet::server_trusted_external_command, Array[String] $cipher_suites = $puppet::server_cipher_suites, Optional[String] $config_version = $puppet::server_config_version, Integer[0] $connect_timeout = $puppet::server_connect_timeout, Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout, Boolean $git_repo = $puppet::server_git_repo, Boolean $default_manifest = $puppet::server_default_manifest, Stdlib::Absolutepath $default_manifest_path = $puppet::server_default_manifest_path, String $default_manifest_content = $puppet::server_default_manifest_content, String $environments_owner = $puppet::server_environments_owner, Optional[String] $environments_group = $puppet::server_environments_group, Pattern[/^[0-9]{3,4}$/] $environments_mode = $puppet::server_environments_mode, Stdlib::Absolutepath $envs_dir = $puppet::server_envs_dir, Optional[Stdlib::Absolutepath] $envs_target = $puppet::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $puppet::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $puppet::server_git_repo_mode, Stdlib::Absolutepath $git_repo_path = $puppet::server_git_repo_path, String $git_repo_group = $puppet::server_git_repo_group, String $git_repo_user = $puppet::server_git_repo_user, Hash[String, String] $git_branch_map = $puppet::server_git_branch_map, Integer[0] $idle_timeout = $puppet::server_idle_timeout, String $post_hook_content = $puppet::server_post_hook_content, String $post_hook_name = $puppet::server_post_hook_name, Boolean $storeconfigs = $puppet::server_storeconfigs, Array[Stdlib::Absolutepath] $ruby_load_paths = $puppet::server_ruby_load_paths, Stdlib::Absolutepath $ssl_dir = $puppet::server_ssl_dir, Boolean $ssl_dir_manage = $puppet::server_ssl_dir_manage, Boolean $ssl_key_manage = $puppet::server_ssl_key_manage, Array[String] $ssl_protocols = $puppet::server_ssl_protocols, Optional[Stdlib::Absolutepath] $ssl_chain_filepath = $puppet::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $package = $puppet::server_package, Optional[String] $version = $puppet::server_version, String $certname = $puppet::server_certname, Integer[0] $request_timeout = $puppet::server_request_timeout, Boolean $strict_variables = $puppet::server_strict_variables, Hash[String, Data] $additional_settings = $puppet::server_additional_settings, Boolean $foreman = $puppet::server_foreman, Stdlib::HTTPUrl $foreman_url = $puppet::server_foreman_url, Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $puppet::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $puppet::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $foreman_ssl_key = $puppet::server_foreman_ssl_key, Boolean $server_foreman_facts = $puppet::server_foreman_facts, Optional[Stdlib::Absolutepath] $puppet_basedir = $puppet::server_puppet_basedir, Enum['current', 'future'] $parser = $puppet::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $puppet::server_environment_timeout, String $jvm_java_bin = $puppet::server_jvm_java_bin, String $jvm_config = $puppet::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $puppet::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $puppet::server_jvm_max_heap_size, Optional[Variant[String,Array[String]]] $jvm_extra_args = $puppet::server_jvm_extra_args, Optional[String] $jvm_cli_args = $puppet::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $jruby_gem_home = $puppet::server_jruby_gem_home, Integer[1] $max_active_instances = $puppet::server_max_active_instances, Integer[0] $max_requests_per_instance = $puppet::server_max_requests_per_instance, Integer[0] $max_queued_requests = $puppet::server_max_queued_requests, Integer[0] $max_retry_delay = $puppet::server_max_retry_delay, Boolean $multithreaded = $puppet::server_multithreaded, Boolean $use_legacy_auth_conf = $puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $puppet::server_allow_header_cert_info, Boolean $puppetserver_jruby9k = $puppet::server_puppetserver_jruby9k, Optional[Boolean] $puppetserver_metrics = $puppet::server_puppetserver_metrics, Boolean $puppetserver_profiler = $puppet::server_puppetserver_profiler, Boolean $metrics_jmx_enable = $puppet::server_metrics_jmx_enable, Boolean $metrics_graphite_enable = $puppet::server_metrics_graphite_enable, String $metrics_graphite_host = $puppet::server_metrics_graphite_host, Integer $metrics_graphite_port = $puppet::server_metrics_graphite_port, String $metrics_server_id = $puppet::server_metrics_server_id, Integer $metrics_graphite_interval = $puppet::server_metrics_graphite_interval, Variant[Undef, Array] $metrics_allowed = $puppet::server_metrics_allowed, Boolean $puppetserver_experimental = $puppet::server_puppetserver_experimental, Optional[String[1]] $puppetserver_auth_template = $puppet::server_puppetserver_auth_template, Array[String] $puppetserver_trusted_agents = $puppet::server_puppetserver_trusted_agents, Array[Hash] $puppetserver_trusted_certificate_extensions = $puppet::server_puppetserver_trusted_certificate_extensions, Optional[Enum['off', 'jit', 'force']] $compile_mode = $puppet::server_compile_mode, Optional[Integer[1]] $selector_threads = $puppet::server_selector_threads, Optional[Integer[1]] $acceptor_threads = $puppet::server_acceptor_threads, Optional[Integer[1]] $ssl_selector_threads = $puppet::server_ssl_selector_threads, Optional[Integer[1]] $ssl_acceptor_threads = $puppet::server_ssl_acceptor_threads, Optional[Integer[1]] $max_threads = $puppet::server_max_threads, Boolean $ca_allow_sans = $puppet::server_ca_allow_sans, Boolean $ca_allow_auth_extensions = $puppet::server_ca_allow_auth_extensions, Boolean $ca_enable_infra_crl = $puppet::server_ca_enable_infra_crl, Optional[Integer[1]] $max_open_files = $puppet::server_max_open_files, Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id, Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content, ) { # For Puppetserver, certain configuration parameters are version specific. We # assume a particular version here. if $puppetserver_version { $real_puppetserver_version = $puppetserver_version } elsif versioncmp($facts['puppetversion'], '7.0.0') >= 0 { $real_puppetserver_version = '7.0.0' } elsif versioncmp($facts['puppetversion'], '6.11.0') >= 0 { $real_puppetserver_version = '6.11.0' } elsif versioncmp($facts['puppetversion'], '6.0.0') >= 0 { $real_puppetserver_version = '6.0.0' } else { $real_puppetserver_version = '5.3.6' } + if versioncmp($real_puppetserver_version, '7.0.0') >= 0 { + $cadir = "${puppetserver_dir}/ca" + } else { + $cadir = "${ssl_dir}/ca" + } + if $ca { - $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" - $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" - $ssl_chain = pick($ssl_chain_filepath, "${ssl_dir}/ca/ca_crt.pem") + $ssl_ca_cert = "${cadir}/ca_crt.pem" + $ssl_ca_crl = "${cadir}/ca_crl.pem" + $ssl_chain = pick($ssl_chain_filepath, "${cadir}/ca_crt.pem") $crl_enable_real = pick($crl_enable, true) } else { $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") $ssl_chain = false $crl_enable_real = pick($crl_enable, false) } $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" if $config_version == undef { if $git_repo { $config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long" } else { $config_version_cmd = undef } } else { $config_version_cmd = $config_version } if versioncmp($real_puppetserver_version, '7.0.0') >= 0 { if $use_legacy_auth_conf { fail('The jruby-puppet.use-legacy-auth-conf setting is removed in Puppetserver 7') } } if $jvm_extra_args { $real_jvm_extra_args = $jvm_extra_args } else { $real_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } contain puppet::server::install contain puppet::server::config contain puppet::server::service Class['puppet::server::install'] ~> Class['puppet::server::config'] Class['puppet::config', 'puppet::server::config'] ~> Class['puppet::server::service'] } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index aad058f..42c2469 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -1,303 +1,316 @@ # Set up the puppet server config # @api private class puppet::server::config inherits puppet::config { contain 'puppet::server::puppetserver' unless empty($puppet::server::puppetserver_vardir) { puppet::config::master { 'vardir': value => $puppet::server::puppetserver_vardir; } } unless empty($puppet::server::puppetserver_rundir) { puppet::config::master { 'rundir': value => $puppet::server::puppetserver_rundir; } } unless empty($puppet::server::puppetserver_logdir) { puppet::config::master { 'logdir': value => $puppet::server::puppetserver_logdir; } } # Mirror the relationship, as defined() is parse-order dependent # Ensures puppetmasters certs are generated before the proxy is needed if defined(Class['foreman_proxy::config']) and $foreman_proxy::ssl { Class['puppet::server::config'] ~> Class['foreman_proxy::config'] Class['puppet::server::config'] ~> Class['foreman_proxy::service'] } # And before Foreman's cert-using service needs it if defined(Class['foreman::service']) and $foreman::ssl { Class['puppet::server::config'] -> Class['foreman::service'] } ## General configuration $ca_server = $puppet::ca_server $ca_port = $puppet::ca_port $server_external_nodes = $puppet::server::external_nodes $server_environment_timeout = $puppet::server::environment_timeout $trusted_external_command = $puppet::server::trusted_external_command if $server_external_nodes and $server_external_nodes != '' { class{ 'puppet::server::enc': enc_path => $server_external_nodes, } } if $trusted_external_command { if versioncmp($puppet::server::real_puppetserver_version, '6.11') < 0 { fail('$server_trusted_external_command is only available for Puppet > 6.11') } puppet::config::master { 'trusted_external_command': value => $trusted_external_command, } } $autosign = ($puppet::server::autosign =~ Boolean)? { true => $puppet::server::autosign, false => "${puppet::server::autosign} { mode = ${puppet::server::autosign_mode} }" } puppet::config::main { 'reports': value => $puppet::server::reports; 'environmentpath': value => $puppet::server::envs_dir; } if $puppet::server::hiera_config and !empty($puppet::server::hiera_config){ puppet::config::main { 'hiera_config': value => $puppet::server::hiera_config; } } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { puppet::config::main { 'basemodulepath': value => $puppet::server::common_modules_path, joiner => ':'; } } if $puppet::server::default_manifest { puppet::config::main { 'default_manifest': value => $puppet::server::default_manifest_path; } } puppet::config::master { 'autosign': value => $autosign; 'ca': value => $puppet::server::ca; 'certname': value => $puppet::server::certname; 'parser': value => $puppet::server::parser; 'strict_variables': value => $puppet::server::strict_variables; 'storeconfigs': value => $puppet::server::storeconfigs; } if $puppet::server::ssl_dir_manage { puppet::config::master { 'ssldir': value => $puppet::server::ssl_dir; } } if $server_environment_timeout { puppet::config::master { 'environment_timeout': value => $server_environment_timeout; } } $puppet::server_additional_settings.each |$key,$value| { puppet::config::master { $key: value => $value } } file { "${puppet::vardir}/reports": ensure => directory, owner => $puppet::server::user, group => $puppet::server::group, mode => '0750', } if '/usr/share/puppet/modules' in $puppet::server::common_modules_path { # Create Foreman share dir which does not depend on Puppet version exec { 'mkdir -p /usr/share/puppet/modules': creates => '/usr/share/puppet/modules', path => ['/usr/bin', '/bin'], } } ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${puppet::server::ssl_dir}/private_keys": ensure => directory, owner => $puppet::server::user, group => $puppet::server::group, mode => '0750', require => Exec['puppet_server_config-create_ssl_dir'], } if $puppet::server::ssl_key_manage { file { "${puppet::server::ssl_dir}/private_keys/${puppet::server::certname}.pem": owner => $puppet::server::user, group => $puppet::server::group, mode => '0640', } } if $puppet::server::custom_trusted_oid_mapping { $_custom_trusted_oid_mapping = { oid_mapping => $puppet::server::custom_trusted_oid_mapping, } file { "${puppet::dir}/custom_trusted_oid_mapping.yaml": ensure => file, owner => 'root', group => $puppet::params::root_group, mode => '0644', content => to_yaml($_custom_trusted_oid_mapping), } } # If the ssl dir is not the default dir, it needs to be created before running # the generate ca cert or it will fail. exec {'puppet_server_config-create_ssl_dir': creates => $puppet::server::ssl_dir, command => "/bin/mkdir -p ${puppet::server::ssl_dir}", umask => '0022', } # Generate a new CA and host cert if our host cert doesn't exist if $puppet::server::ca { if versioncmp($puppet::server::real_puppetserver_version, '6.0') > 0 { $creates = $puppet::server::ssl_ca_cert $command = "${puppet::puppetserver_cmd} ca setup" } else { $creates = $puppet::server::ssl_cert $command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names" } exec {'puppet_server_config-generate_ca_cert': creates => $creates, command => $command, umask => '0022', require => [ Concat["${puppet::server::dir}/puppet.conf"], Exec['puppet_server_config-create_ssl_dir'], ], } + + # In Puppet 7 the cadir was changed from $ssldir/ca to $puppetserver_dir/ca + # This migrates the directory if it was in the old location + # The migration command leaves a symlink in place + if versioncmp($puppet::server::real_puppetserver_version, '7.0') > 0 { + exec { 'migrate Puppetserver cadir': + command => "${puppet::puppetserver_cmd} ca migrate", + creates => $puppet::server::cadir, + onlyif => "test -d '${puppet::server::ssl_dir}/ca' && ! test -L '${puppet::server::ssl_dir}'", + path => $::path, + before => Exec['puppet_server_config-generate_ca_cert'], + } + } } elsif $puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca master if defined('$::servername') { file { $puppet::server::ssl_ca_crl: ensure => file, owner => $puppet::server::user, group => $puppet::server::group, mode => '0644', content => file($::settings::cacrl, $::settings::hostcrl, '/dev/null'), } } } # autosign file if $puppet::server_ca and !($puppet::server::autosign =~ Boolean) { if $puppet::server::autosign_content or $puppet::server::autosign_source { if !empty($puppet::server::autosign_entries) { fail('Cannot set both autosign_content/autosign_source and autosign_entries') } $autosign_content = $puppet::server::autosign_content } elsif !empty($puppet::server::autosign_entries) { $autosign_content = template('puppet/server/autosign.conf.erb') } else { $autosign_content = undef } file { $puppet::server::autosign: ensure => file, owner => $puppet::server::user, group => $puppet::server::group, mode => $puppet::server::autosign_mode, content => $autosign_content, source => $puppet::server::autosign_source, } } # only manage this file if we provide content if $puppet::server::default_manifest and $puppet::server::default_manifest_content != '' { file { $puppet::server::default_manifest_path: ensure => file, owner => $puppet::user, group => $puppet::group, mode => '0644', content => $puppet::server::default_manifest_content, } } ## Environments # location where our puppet environments are located if $puppet::server::envs_target and $puppet::server::envs_target != '' { $ensure = 'link' } else { $ensure = 'directory' } file { $puppet::server::envs_dir: ensure => $ensure, owner => $puppet::server::environments_owner, group => $puppet::server::environments_group, mode => $puppet::server::environments_mode, target => $puppet::server::envs_target, force => true, } if $puppet::server::git_repo { include git if $puppet::server::manage_user { Class['git'] -> User[$puppet::server::user] } file { $puppet::vardir: ensure => directory, owner => 'root', group => 'root', } git::repo { 'puppet_repo': bare => true, target => $puppet::server::git_repo_path, mode => $puppet::server::git_repo_mode, user => $puppet::server::git_repo_user, group => $puppet::server::git_repo_group, require => File[$puppet::vardir, $puppet::server::envs_dir], } $git_branch_map = $puppet::server::git_branch_map # git post hook to auto generate an environment per branch file { "${puppet::server::git_repo_path}/hooks/${puppet::server::post_hook_name}": content => template($puppet::server::post_hook_content), owner => $puppet::server::git_repo_user, group => $puppet::server::git_repo_group, mode => $puppet::server::git_repo_mode, require => Git::Repo['puppet_repo'], } } file { $puppet::sharedir: ensure => directory, } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { file { $puppet::server::common_modules_path: ensure => directory, owner => $puppet::server_environments_owner, group => $puppet::server_environments_group, mode => $puppet::server_environments_mode, } } ## Foreman if $puppet::server::foreman { # Include foreman components for the puppetmaster # ENC script, reporting script etc. class { 'puppetserver_foreman': foreman_url => $puppet::server::foreman_url, enc_upload_facts => $puppet::server::server_foreman_facts, enc_timeout => $puppet::server::request_timeout, puppet_home => $puppet::server::puppetserver_vardir, puppet_basedir => $puppet::server::puppet_basedir, puppet_etcdir => $puppet::dir, ssl_ca => pick($puppet::server::foreman_ssl_ca, $puppet::server::ssl_ca_cert), ssl_cert => pick($puppet::server::foreman_ssl_cert, $puppet::server::ssl_cert), ssl_key => pick($puppet::server::foreman_ssl_key, $puppet::server::ssl_cert_key), } contain puppetserver_foreman } } diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb index cdf9302..f8d859f 100644 --- a/spec/classes/puppet_server_spec.rb +++ b/spec/classes/puppet_server_spec.rb @@ -1,702 +1,702 @@ require 'spec_helper' describe 'puppet' do on_supported_os.each do |os, facts| context "on #{os}", unless: unsupported_puppetmaster_osfamily(facts[:osfamily]) do if facts[:osfamily] == 'FreeBSD' codedir = '/usr/local/etc/puppet' confdir = '/usr/local/etc/puppet' etcdir = '/usr/local/etc/puppet' puppetserver_etcdir = '/usr/local/etc/puppetserver' puppetserver_logdir = '/var/log/puppetserver' puppetserver_rundir = '/var/run/puppetserver' puppetserver_vardir = '/var/puppet/server/data/puppetserver' sharedir = '/usr/local/share/puppet' ssldir = '/var/puppet/ssl' vardir = '/var/puppet' rubydir = %r{^/usr/local/lib/ruby/site_ruby/\d+\.\d+/puppet$} puppetserver_pkg = "puppetserver#{facts[:puppetversion].to_i}" puppetcacmd = if facts[:puppetversion] >= '6.0' '/usr/local/bin/puppetserver ca setup' else '/usr/local/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names' end else codedir = '/etc/puppetlabs/code' confdir = '/etc/puppetlabs/puppet' etcdir = '/etc/puppetlabs/puppet' puppetserver_etcdir = '/etc/puppetlabs/puppetserver' puppetserver_logdir = '/var/log/puppetlabs/puppetserver' puppetserver_rundir = '/var/run/puppetlabs/puppetserver' puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' sharedir = '/opt/puppetlabs/puppet' ssldir = '/etc/puppetlabs/puppet/ssl' vardir = '/opt/puppetlabs/puppet/cache' rubydir = '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet' puppetserver_pkg = 'puppetserver' puppetcacmd = if facts[:puppetversion] >= '6.0' '/opt/puppetlabs/bin/puppetserver ca setup' else '/opt/puppetlabs/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names' end end conf_file = "#{confdir}/puppet.conf" conf_d_dir = "#{puppetserver_etcdir}/conf.d" environments_dir = "#{codedir}/environments" - cadir = "#{ssldir}/ca" + cadir = facts[:puppetversion] >= '7.0' ? "#{puppetserver_etcdir}/ca" : "#{ssldir}/ca" if facts[:puppetversion] >= '6.0' cert_to_create = "#{cadir}/ca_crt.pem" else cert_to_create = "#{ssldir}/certs/puppetmaster.example.com.pem" end let(:facts) { facts } let(:params) do { server: true, server_certname: 'puppetmaster.example.com' } end describe 'with no custom parameters' do it { should compile.with_all_deps } # install it { should contain_class('puppet::server::install') } it { should contain_user('puppet') } it { should contain_package(puppetserver_pkg).with_install_options(nil) } # config it { should contain_class('puppet::server::config') } it { should contain_puppet__config__main('reports').with_value('foreman') } it { should contain_puppet__config__main('hiera_config').with_value('$confdir/hiera.yaml') } it { should contain_puppet__config__main('environmentpath').with_value(environments_dir) } it do should contain_puppet__config__main('basemodulepath') .with_value(["#{environments_dir}/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) .with_joiner(':') end it { should_not contain_puppet__config__main('default_manifest') } it { should contain_puppet__config__master('autosign').with_value("#{etcdir}\/autosign.conf \{ mode = 0664 \}") } it { should contain_puppet__config__master('ca').with_value('true') } it { should contain_puppet__config__master('certname').with_value('puppetmaster.example.com') } it { should contain_puppet__config__master('parser').with_value('current') } it { should contain_puppet__config__master('strict_variables').with_value('false') } it { should contain_puppet__config__master('ssldir').with_value(ssldir) } it { should contain_puppet__config__master('storeconfigs').with_value(false) } it { should_not contain_puppet__config__master('environment_timeout') } it { should_not contain_puppet__config__master('manifest') } it { should_not contain_puppet__config__master('modulepath') } it { should_not contain_puppet__config__master('config_version') } it { should_not contain_puppet__config__master('trusted_external_command') } it { should contain_puppet__config__master('external_nodes').with_value("#{etcdir}\/node.rb") } it { should contain_puppet__config__master('node_terminus').with_value('exec') } it { should contain_puppet__config__master('logdir').with_value(puppetserver_logdir) } it { should contain_puppet__config__master('rundir').with_value(puppetserver_rundir) } it { should contain_puppet__config__master('vardir').with_value(puppetserver_vardir) } it 'should set up SSL permissions' do should contain_file("#{ssldir}/private_keys") \ .with_group('puppet') \ .with_mode('0750') should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem") \ .with_group('puppet') \ .with_mode('0640') should contain_exec('puppet_server_config-create_ssl_dir') \ .with_creates(ssldir) \ .with_command("/bin/mkdir -p #{ssldir}") \ .with_umask('0022') should contain_exec('puppet_server_config-generate_ca_cert') \ .with_creates(cert_to_create) \ .with_command(puppetcacmd) \ .with_umask('0022') \ .that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) end it { should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') } it 'should set up the environments' do should contain_file(environments_dir) .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_file(sharedir).with_ensure('directory') should contain_file("#{codedir}/environments/common") .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_file("#{sharedir}/modules") .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') end it { should contain_concat(conf_file) } it { should_not contain_puppet__config__agent('http_connect_timeout') } it { should_not contain_puppet__config__agent('http_read_timeout') } it { should_not contain_file("#{confdir}/custom_trusted_oid_mapping.yaml") } it { should contain_file("#{confdir}/autosign.conf") } it { should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) } it { should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) } it 'should set up the ENC' do should contain_class('puppetserver_foreman') .with_foreman_url('https://foo.example.com') .with_enc_upload_facts(true) .with_enc_timeout(60) .with_puppet_home(puppetserver_vardir) .with_puppet_etcdir(etcdir) .with_puppet_basedir(rubydir) end # service it { should contain_class('puppet::server::service') } it { should contain_class('puppet::server::puppetserver') } end describe 'with uppercase hostname' do let(:facts) do override_facts(super(), networking: {fqdn: 'PUPPETMASTER.example.com'}, # clientcert is always lowercase by Puppet design clientcert: 'puppetmaster.example.com' ) end it { should compile.with_all_deps } it 'should use lowercase certificates' do should contain_class('puppet::server::puppetserver') .with_server_ssl_cert("#{ssldir}/certs/puppetmaster.example.com.pem") .with_server_ssl_cert_key("#{ssldir}/private_keys/puppetmaster.example.com.pem") end end describe 'with ip parameter' do let(:params) do super().merge(server_ip: '127.0.0.1') end it { should compile.with_all_deps } it { should contain_class('puppet::server').with_ip('127.0.0.1') } it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/host: 127.0.0.1/) } it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-host: 127.0.0.1/) } end context 'manage_packages' do tests = { false => false, 'agent' => false, 'server' => true } tests.each do |value, expected| describe "when manage_packages => #{value.inspect}" do let(:params) do super().merge(manage_packages: value) end it { should compile.with_all_deps } if expected it { should contain_package(puppetserver_pkg) } else it { should_not contain_package(puppetserver_pkg) } end end end end describe 'when autosign => true' do let(:params) do super().merge(autosign: true) end it { should contain_puppet__config__master('autosign').with_value(true) } end describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do let(:params) do super().merge( autosign: '/somedir/custom_autosign', autosign_mode: '664' ) end it { should contain_puppet__config__master('autosign').with_value('/somedir/custom_autosign { mode = 664 }') } end describe "when autosign_entries set to ['foo.bar']" do let(:params) do super().merge(autosign_entries: ['foo.bar']) end it 'should contain autosign.conf with content set' do should contain_file("#{confdir}/autosign.conf") should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do let(:params) do super().merge( autosign_content: 'foo.bar', autosign_entries: ['foo.bar'] ) end it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content/autosign_source and autosign_entries}) } end describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do let(:params) do super().merge( autosign_source: 'puppet:///foo/bar', autosign_entries: ['foo.bar'] ) end it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content\/autosign_source and autosign_entries}) } end context 'when autosign => /usr/local/bin/custom_autosign.sh, autosign_mode => 775' do let(:params) do super().merge( autosign: '/usr/local/bin/custom_autosign.sh', autosign_mode: '775' ) end describe "when autosign_content set to 'foo.bar'" do let(:params) do super().merge(autosign_content: 'foo.bar') end it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } it { should contain_file('/usr/local/bin/custom_autosign.sh').with_content('foo.bar') } end describe "autosign_source set to 'puppet:///foo/bar'" do let(:params) do super().merge(autosign_source: 'puppet:///foo/bar') end it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } it { should contain_file('/usr/local/bin/custom_autosign.sh').with_source('puppet:///foo/bar') } end end describe "when hiera_config => '/etc/puppet/hiera/production/hiera.yaml'" do let(:params) do super().merge(hiera_config: '/etc/puppet/hiera/production/hiera.yaml') end it { should contain_puppet__config__main('hiera_config').with_value('/etc/puppet/hiera/production/hiera.yaml') } end describe 'without foreman' do let(:params) do super().merge( server_foreman: false, server_reports: 'store', server_external_nodes: '' ) end it { should_not contain_class('puppetserver_foreman') } it { should_not contain_puppet__config__master('node_terminus') } it { should_not contain_puppet__config__master('external_nodes') } end describe 'with server_default_manifest => true and undef content' do let(:params) do super().merge(server_default_manifest: true) end it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } it { should_not contain_file('/etc/puppet/manifests/default_manifest.pp') } end describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do let(:params) do super().merge( server_default_manifest: true, server_default_manifest_content: 'include foo' ) end it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } it { should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content('include foo') } end describe 'with git repo' do let(:params) do super().merge(server_git_repo: true) end it { is_expected.to compile.with_all_deps } it do should contain_class('puppet::server') .with_git_repo(true) .with_git_repo_path("#{vardir}/puppet.git") .with_post_hook_name('post-receive') end it 'should set up the environments directory' do should contain_file(environments_dir) \ .with_ensure('directory') \ .with_owner('puppet') end it 'should create the puppet user' do shell = case facts[:osfamily] when /^(FreeBSD|DragonFly)$/ '/usr/local/bin/git-shell' else '/usr/bin/git-shell' end should contain_user('puppet') .with_shell(shell) .that_requires('Class[git]') end it do should contain_file(vardir) .with_ensure('directory') .with_owner('root') end it do should contain_git__repo('puppet_repo') .with_bare(true) .with_target("#{vardir}/puppet.git") .with_user('puppet') .that_requires("File[#{environments_dir}]") end it do should contain_file("#{vardir}/puppet.git/hooks/post-receive") .with_owner('puppet') \ .with_mode('0755') \ .that_requires('Git::Repo[puppet_repo]') \ .with_content(/BRANCH_MAP = \{[^a-zA-Z=>]\}/) end describe 'with a puppet git branch map' do let(:params) do super().merge(server_git_branch_map: { 'a' => 'b', 'c' => 'd' }) end it 'should add the branch map to the post receive hook' do should contain_file("#{vardir}/puppet.git/hooks/post-receive") .with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) end end end context 'with directory environments owner' do let(:params) { super().merge(server_environments_owner: 'apache') } it { should contain_file(environments_dir).with_owner('apache') } end context 'with no common modules directory' do let(:params) { super().merge(server_common_modules_path: '') } it { should_not contain_puppet__config__main('basemodulepath') } end describe 'with SSL path overrides' do let(:params) do super().merge( server_foreman_ssl_ca: '/etc/example/ca.pem', server_foreman_ssl_cert: '/etc/example/cert.pem', server_foreman_ssl_key: '/etc/example/key.pem' ) end it 'should pass SSL parameters to the ENC' do should contain_class('puppetserver_foreman') .with_ssl_ca('/etc/example/ca.pem') .with_ssl_cert('/etc/example/cert.pem') .with_ssl_key('/etc/example/key.pem') end end describe 'with additional settings' do let(:params) do super().merge(server_additional_settings: { 'stringify_facts' => true }) end it 'should configure puppet.conf' do should contain_puppet__config__master('stringify_facts').with_value(true) end end describe 'with server_parser => future' do let(:params) do super().merge(server_parser: 'future') end it { should contain_puppet__config__master('parser').with_value('future') } end describe 'with server_environment_timeout set' do let(:params) do super().merge(server_environment_timeout: '10m') end it { should contain_puppet__config__master('environment_timeout').with_value('10m') } end describe 'with no ssldir managed for master' do let(:params) do super().merge(server_ssl_dir_manage: false) end it { should_not contain_puppet__config__master('ssl_dir') } end describe 'with ssl key management disabled for server' do let(:params) do super().merge( server_certname: 'servercert', server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl', server_ssl_key_manage: false ) end it { should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') } end describe 'with nondefault CA settings' do let(:params) do super().merge(server_ca: false) end it { should contain_exec('puppet_server_config-create_ssl_dir') } it { should_not contain_exec('puppet_server_config-generate_ca_cert') } end describe 'with server_ca_crl_sync => true' do let(:params) do super().merge(server_ca_crl_sync: true) end context 'with server_ca => false and running "puppet apply"' do let(:params) do super().merge( server_ca: false, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end context 'with server_ca => false: running "puppet agent -t"' do let(:params) do super().merge( server_ca: false, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end let(:facts) do facts.merge(servername: 'myserver') end before :context do @cacrl = Tempfile.new('cacrl') File.open(@cacrl, 'w') { |f| f.write 'This is my CRL File' } Puppet.settings[:cacrl] = @cacrl.path end it 'should sync the crl from the ca' do should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') .with_content('This is my CRL File') end end context 'with server_ca => true: running "puppet agent -t"' do let(:params) do super().merge( server_ca: true, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end let(:facts) do facts.merge(servername: 'myserver') end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end end describe 'allow crl checking' do context 'as ca' do let(:params) do super().merge(server_ca: true) end - it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/ca/ca_crl\.pem}) } + it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{cadir}/ca_crl\.pem}) } end context 'as non-ca' do let(:params) do super().merge(server_ca: false) end it { should contain_file("#{conf_d_dir}/webserver.conf").without_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } context 'server_crl_enable' do let(:params) do super().merge(server_crl_enable: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } end end end describe 'with ssl_protocols overwritten' do let(:params) do super().merge(server_ssl_protocols: ['TLSv1.1', 'TLSv1.2']) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-protocols: \[\n( +)TLSv1.1,\n( +)TLSv1.2,\n( +)\]/) } end describe 'with ssl_protocols overwritten' do let(:params) do super().merge(server_cipher_suites: %w[TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA]) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/cipher-suites: \[\n( +)TLS_RSA_WITH_AES_256_CBC_SHA256,\n( +)TLS_RSA_WITH_AES_256_CBC_SHA,\n( +)\]/) } end describe 'with ssl_chain_filepath overwritten' do let(:params) do super().merge(server_ssl_chain_filepath: '/etc/example/certchain.pem') end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-cert-chain: /etc/example/certchain.pem}) } end describe 'with server_custom_trusted_oid_mapping overwritten' do let(:params) do super().merge(server_custom_trusted_oid_mapping: { '1.3.6.1.4.1.34380.1.2.1.1' => { shortname: 'myshortname', longname: 'My Long Name' }, '1.3.6.1.4.1.34380.1.2.1.2' => { shortname: 'myothershortname' } }) end it 'should have a configured custom_trusted_oid_mapping.yaml' do verify_exact_contents(catalogue, "#{confdir}/custom_trusted_oid_mapping.yaml", [ '---', 'oid_mapping:', ' 1.3.6.1.4.1.34380.1.2.1.1:', ' shortname: myshortname', ' longname: My Long Name', ' 1.3.6.1.4.1.34380.1.2.1.2:', ' shortname: myothershortname' ]) end end describe 'with server_certname parameter' do let(:params) do super().merge( server_certname: 'puppetserver43.example.com', server_ssl_dir: '/etc/custom/puppet/ssl' ) end it 'should put the correct ssl key path in webserver.conf' do should contain_file("#{conf_d_dir}/webserver.conf") .with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem}) end it 'should put the correct ssl cert path in webserver.conf' do should contain_file("#{conf_d_dir}/webserver.conf") .with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem}) end end describe 'with server_http parameter set to true for the puppet class' do let(:params) do super().merge(server_http: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ host:\s0\.0\.0\.0/).with_content(/ port:\s8139/) } it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end describe 'with server_allow_header_cert_info => true' do let(:params) do super().merge(server_allow_header_cert_info: true) end it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end describe 'server_trusted_external_command' do context 'with default parameters' do it { should_not contain_puppet__config__master('trusted_external_command') } end context 'with puppetversion >= 6.11' do describe 'when server_trusted_external_command => /usr/local/sbin/trusted_external_command' do let(:facts) do super().merge( puppetversion: '6.11.0' ) end let(:params) do super().merge(server_trusted_external_command: '/usr/local/sbin/trusted_external_command' ) end it { should contain_puppet__config__master('trusted_external_command').with_value('/usr/local/sbin/trusted_external_command') } end end context 'with puppetversion < 6.11' do describe 'when server_trusted_external_command => /usr/local/sbin/trusted_external_command' do let(:facts) do super().merge( puppetversion: '6.5.0' ) end let(:params) do super().merge(server_trusted_external_command: '/usr/local/sbin/trusted_external_command' ) end it { is_expected.to raise_error(Puppet::Error, /\$server_trusted_external_command is only available for Puppet > 6\.11/) } end end end end end end