diff --git a/.fixtures.yml b/.fixtures.yml index 0bbc966..c7a3142 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,20 +1,16 @@ fixtures: repositories: augeas_core: repo: 'https://github.com/puppetlabs/puppetlabs-augeas_core' puppet_version: '>= 6.0.0' concat: 'https://github.com/puppetlabs/puppetlabs-concat.git' cron_core: repo: 'https://github.com/puppetlabs/puppetlabs-cron_core' puppet_version: '>= 6.0.0' - extlib: 'https://github.com/voxpupuli/puppet-extlib.git' - foreman: 'https://github.com/theforeman/puppet-foreman.git' - git: 'https://github.com/theforeman/puppet-git.git' - inifile: 'https://github.com/puppetlabs/puppetlabs-inifile.git' - puppetdb: 'https://github.com/puppetlabs/puppetlabs-puppetdb.git' - redis: 'https://github.com/voxpupuli/puppet-redis.git' - stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git' - systemd: 'https://github.com/camptocamp/puppet-systemd.git' - yumrepo_core: - repo: 'https://github.com/puppetlabs/puppetlabs-yumrepo_core' - puppet_version: '>= 6.0.0' + extlib: 'https://github.com/voxpupuli/puppet-extlib.git' + git: 'https://github.com/theforeman/puppet-git.git' + inifile: 'https://github.com/puppetlabs/puppetlabs-inifile.git' + puppetdb: 'https://github.com/puppetlabs/puppetlabs-puppetdb.git' + puppetserver_foreman: 'https://github.com/theforeman/puppet-puppetserver_foreman.git' + stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git' + systemd: 'https://github.com/camptocamp/puppet-systemd.git' diff --git a/README.md b/README.md index 34de1b6..341cc7a 100644 --- a/README.md +++ b/README.md @@ -1,183 +1,185 @@ [![Puppet Forge](https://img.shields.io/puppetforge/v/theforeman/puppet.svg)](https://forge.puppetlabs.com/theforeman/puppet) [![Build Status](https://travis-ci.org/theforeman/puppet-puppet.svg?branch=master)](https://travis-ci.org/theforeman/puppet-puppet) # Puppet module for installing the Puppet agent and master Installs and configures the Puppet agent and optionally a Puppet master (when `server` is true). Part of the [Foreman installer](https://github.com/theforeman/foreman-installer) or to be used as a Puppet module. When using Puppet Server (version 5.3.6 is the lowest version, this module supports), the module supports and assumes you will be installing the latest version. If you know you'll be installing an earlier or specific version, you will need to override `server_puppetserver_version`. More information in the Puppet Server section below. Many puppet.conf options for agents, masters and other are parameterized, with class documentation provided at the top of the manifests. In addition, there are hash parameters for each configuration section that can be used to supply any options that are not explicitly supported. ## Environments support The module helps configure Puppet environments using directory environments. These are set up under /etc/puppetlabs/code/environments. ## Git repo support Environments can be backed by git by setting `server_git_repo` to true, which sets up `/var/lib/puppet/puppet.git` where each branch maps to one environment. Avoid using 'master' as this name isn't permitted. On each push to the repo, a hook updates `/etc/puppet/environments` with the contents of the branch. Requires [theforeman/git](https://forge.puppetlabs.com/theforeman/git). ## Foreman integration -With the 3.0.0 release the Foreman integration became optional. It will still -by default install the Foreman integration when `server` is true, -so if you wish to run a Puppet master without Foreman, it can be disabled by -setting `server_foreman` to false. +The Foreman integration is optional, but on by default when `server` is true. +It can be disabled by setting `server_foreman` to false. -Requires [theforeman/foreman](https://forge.puppetlabs.com/theforeman/foreman). +Requires [theforeman/puppetserver_foreman](https://forge.puppetlabs.com/theforeman/puppetserver_foreman). + +Since version 15.0.0 the integration bits depend on the standalone module where +previously it depended on +[theforeman/foreman](https://forge.puppetlabs.com/theforeman/foreman) ## PuppetDB integration The Puppet master can be configured to export catalogs and reports to a PuppetDB instance, using the puppetlabs/puppetdb module. Use its `puppetdb::server` class to install the PuppetDB server and this module to configure the Puppet master to connect to PuppetDB. Requires [puppetlabs/puppetdb](https://forge.puppetlabs.com/puppetlabs/puppetdb) ```puppet class { 'puppet': server => true, server_reports => 'puppetdb,foreman', server_storeconfigs => true, } class { 'puppet::server::puppetdb': server => 'mypuppetdb.example.com', } ``` Please also make sure your puppetdb ciphers are compatible with your puppet server ciphers, ie that the two following parameters match: ``` puppet::server::cipher_suites puppetdb::server::cipher_suites ``` # Installation Available from GitHub (via cloning or tarball), [Puppet Forge](https://forge.puppetlabs.com/theforeman/puppet) or as part of the Foreman installer. # Usage As a parameterized class, all the configurable options can be overridden from your wrapper classes or even your ENC (if it supports param classes). For example: # Agent and cron (or daemon): class { '::puppet': runmode => 'cron' } # Agent and puppetmaster: class { '::puppet': server => true } # You want to use git? class { '::puppet': server => true server_git_repo => true } # Maybe you're using gitolite, new hooks, and a different port? class { '::puppet': server => true server_port => 8141, server_git_repo => true, server_git_repo_path => '/var/lib/gitolite/repositories/puppet.git', server_post_hook_name => 'post-receive.puppet', server_post_hook_content => 'puppetserver/post-hook.puppet', } # Configure master without Foreman integration class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', } # Want to integrate with an existing PuppetDB? class { '::puppet': server => true, server_reports => 'puppetdb,foreman', server_storeconfigs => true, } class { 'puppet::server::puppetdb': server => 'mypuppetdb.example.com', } Look in _init.pp_ for what can be configured this way, see Contributing if anything doesn't work. To use this in standalone mode, edit a file (e.g. install.pp), put in a class resource, as per the examples above, and the execute _puppet apply_ e.g: cat > install.pp < true } EOF puppet apply install.pp --modulepath /path_to/extracted_tarball # Advanced scenarios An HTTP (non-SSL) puppetmaster instance can be set up (standalone or in addition to the SSL instance) by setting the `server_http` parameter to `true`. This is useful for reverse proxy or load balancer scenarios where the proxy/load balancer takes care of SSL termination. The HTTP puppetmaster instance expects the `X-Client-Verify`, `X-SSL-Client-DN` and `X-SSL-Subject` HTTP headers to have been set on the front end server. The listening port can be configured by setting `server_http_port` (which defaults to 8139). For puppetserver, this HTTP instance accepts **ALL** connections and no further restrictions can be configured. **Note that running an HTTP puppetmaster is a huge security risk when improperly configured. Allowed hosts should be tightly controlled; anyone with access to an allowed host can access all client catalogues and client certificates.** # Configure an HTTP puppetmaster vhost in addition to the standard SSL vhost class { '::puppet': server => true, server_http => true, server_http_port => 8130, # default: 8139 } ## Puppet Server configuration Puppet Server requires slightly different configuration between different versions, which this module supports. It's recommended that you set the `server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version you have installed. By default the module will configure for the latest version available. # Contributing * Fork the project * Commit and push until you are happy with your contribution # More info See https://theforeman.org or at #theforeman irc channel on freenode Copyright (c) 2010-2012 Ohad Levy This program and entire repository is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 1cfa8bc..2b34a04 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -1,303 +1,303 @@ # Set up the puppet server config # @api private class puppet::server::config inherits puppet::config { contain 'puppet::server::puppetserver' unless empty($puppet::server::puppetserver_vardir) { puppet::config::master { 'vardir': value => $puppet::server::puppetserver_vardir; } } unless empty($puppet::server::puppetserver_rundir) { puppet::config::master { 'rundir': value => $puppet::server::puppetserver_rundir; } } unless empty($puppet::server::puppetserver_logdir) { puppet::config::master { 'logdir': value => $puppet::server::puppetserver_logdir; } } # Mirror the relationship, as defined() is parse-order dependent # Ensures puppetmasters certs are generated before the proxy is needed if defined(Class['foreman_proxy::config']) and $foreman_proxy::ssl { Class['puppet::server::config'] ~> Class['foreman_proxy::config'] Class['puppet::server::config'] ~> Class['foreman_proxy::service'] } # And before Foreman's cert-using service needs it if defined(Class['foreman::service']) and $foreman::ssl { Class['puppet::server::config'] -> Class['foreman::service'] } ## General configuration $ca_server = $puppet::ca_server $ca_port = $puppet::ca_port $server_external_nodes = $puppet::server::external_nodes $server_environment_timeout = $puppet::server::environment_timeout $trusted_external_command = $puppet::server::trusted_external_command if $server_external_nodes and $server_external_nodes != '' { class{ 'puppet::server::enc': enc_path => $server_external_nodes, } } if $trusted_external_command { if versioncmp($::puppetversion, '6.11') < 0 { fail('$server_trusted_external_command is only available for Puppet > 6.11') } puppet::config::master { 'trusted_external_command': value => $trusted_external_command, } } $autosign = ($puppet::server::autosign =~ Boolean)? { true => $puppet::server::autosign, false => "${puppet::server::autosign} { mode = ${puppet::server::autosign_mode} }" } puppet::config::main { 'reports': value => $puppet::server::reports; 'environmentpath': value => $puppet::server::envs_dir; } if $puppet::server::hiera_config and !empty($puppet::server::hiera_config){ puppet::config::main { 'hiera_config': value => $puppet::server::hiera_config; } } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { puppet::config::main { 'basemodulepath': value => $puppet::server::common_modules_path, joiner => ':'; } } if $puppet::server::default_manifest { puppet::config::main { 'default_manifest': value => $puppet::server::default_manifest_path; } } puppet::config::master { 'autosign': value => $autosign; 'ca': value => $puppet::server::ca; 'certname': value => $puppet::server::certname; 'parser': value => $puppet::server::parser; 'strict_variables': value => $puppet::server::strict_variables; 'storeconfigs': value => $puppet::server::storeconfigs; } if $puppet::server::ssl_dir_manage { puppet::config::master { 'ssldir': value => $puppet::server::ssl_dir; } } if $server_environment_timeout { puppet::config::master { 'environment_timeout': value => $server_environment_timeout; } } $puppet::server_additional_settings.each |$key,$value| { puppet::config::master { $key: value => $value } } file { "${puppet::vardir}/reports": ensure => directory, owner => $puppet::server::user, group => $puppet::server::group, mode => '0750', } if '/usr/share/puppet/modules' in $puppet::server::common_modules_path { # Create Foreman share dir which does not depend on Puppet version exec { 'mkdir -p /usr/share/puppet/modules': creates => '/usr/share/puppet/modules', path => ['/usr/bin', '/bin'], } } ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${puppet::server::ssl_dir}/private_keys": ensure => directory, owner => $puppet::server::user, group => $puppet::server::group, mode => '0750', require => Exec['puppet_server_config-create_ssl_dir'], } if $puppet::server::ssl_key_manage { file { "${puppet::server::ssl_dir}/private_keys/${puppet::server::certname}.pem": owner => $puppet::server::user, group => $puppet::server::group, mode => '0640', } } if $puppet::server::custom_trusted_oid_mapping { $_custom_trusted_oid_mapping = { oid_mapping => $puppet::server::custom_trusted_oid_mapping, } file { "${puppet::dir}/custom_trusted_oid_mapping.yaml": ensure => file, owner => 'root', group => $puppet::params::root_group, mode => '0644', content => to_yaml($_custom_trusted_oid_mapping), } } # If the ssl dir is not the default dir, it needs to be created before running # the generate ca cert or it will fail. exec {'puppet_server_config-create_ssl_dir': creates => $puppet::server::ssl_dir, command => "/bin/mkdir -p ${puppet::server::ssl_dir}", umask => '0022', } # Generate a new CA and host cert if our host cert doesn't exist if $puppet::server::ca { if versioncmp($::puppetversion, '6.0') > 0 { $creates = $puppet::server::ssl_ca_cert $command = "${puppet::puppetserver_cmd} ca setup" } else { $creates = $puppet::server::ssl_cert $command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names" } exec {'puppet_server_config-generate_ca_cert': creates => $creates, command => $command, umask => '0022', require => [ Concat["${puppet::server::dir}/puppet.conf"], Exec['puppet_server_config-create_ssl_dir'], ], } } elsif $puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca master if defined('$::servername') { file { $puppet::server::ssl_ca_crl: ensure => file, owner => $puppet::server::user, group => $puppet::server::group, mode => '0644', content => file($::settings::cacrl, $::settings::hostcrl, '/dev/null'), } } } # autosign file if $puppet::server_ca and !($puppet::server::autosign =~ Boolean) { if $puppet::server::autosign_content or $puppet::server::autosign_source { if !empty($puppet::server::autosign_entries) { fail('Cannot set both autosign_content/autosign_source and autosign_entries') } $autosign_content = $puppet::server::autosign_content } elsif !empty($puppet::server::autosign_entries) { $autosign_content = template('puppet/server/autosign.conf.erb') } else { $autosign_content = undef } file { $puppet::server::autosign: ensure => file, owner => $puppet::server::user, group => $puppet::server::group, mode => $puppet::server::autosign_mode, content => $autosign_content, source => $puppet::server::autosign_source, } } # only manage this file if we provide content if $puppet::server::default_manifest and $puppet::server::default_manifest_content != '' { file { $puppet::server::default_manifest_path: ensure => file, owner => $puppet::user, group => $puppet::group, mode => '0644', content => $puppet::server::default_manifest_content, } } ## Environments # location where our puppet environments are located if $puppet::server::envs_target and $puppet::server::envs_target != '' { $ensure = 'link' } else { $ensure = 'directory' } file { $puppet::server::envs_dir: ensure => $ensure, owner => $puppet::server::environments_owner, group => $puppet::server::environments_group, mode => $puppet::server::environments_mode, target => $puppet::server::envs_target, force => true, } if $puppet::server::git_repo { include git if $puppet::server::manage_user { Class['git'] -> User[$puppet::server::user] } file { $puppet::vardir: ensure => directory, owner => 'root', group => 'root', } git::repo { 'puppet_repo': bare => true, target => $puppet::server::git_repo_path, mode => $puppet::server::git_repo_mode, user => $puppet::server::git_repo_user, group => $puppet::server::git_repo_group, require => File[$puppet::vardir, $puppet::server::envs_dir], } $git_branch_map = $puppet::server::git_branch_map # git post hook to auto generate an environment per branch file { "${puppet::server::git_repo_path}/hooks/${puppet::server::post_hook_name}": content => template($puppet::server::post_hook_content), owner => $puppet::server::git_repo_user, group => $puppet::server::git_repo_group, mode => $puppet::server::git_repo_mode, require => Git::Repo['puppet_repo'], } } file { $puppet::sharedir: ensure => directory, } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { file { $puppet::server::common_modules_path: ensure => directory, owner => $puppet::server_environments_owner, group => $puppet::server_environments_group, mode => $puppet::server_environments_mode, } } ## Foreman if $puppet::server::foreman { # Include foreman components for the puppetmaster # ENC script, reporting script etc. - class { 'foreman::puppetmaster': - foreman_url => $puppet::server::foreman_url, - receive_facts => $puppet::server::server_foreman_facts, - puppet_home => $puppet::server::puppetserver_vardir, - puppet_basedir => $puppet::server::puppet_basedir, - puppet_etcdir => $puppet::dir, - timeout => $puppet::server::request_timeout, - ssl_ca => pick($puppet::server::foreman_ssl_ca, $puppet::server::ssl_ca_cert), - ssl_cert => pick($puppet::server::foreman_ssl_cert, $puppet::server::ssl_cert), - ssl_key => pick($puppet::server::foreman_ssl_key, $puppet::server::ssl_cert_key), + class { 'puppetserver_foreman': + foreman_url => $puppet::server::foreman_url, + enc_upload_facts => $puppet::server::server_foreman_facts, + enc_timeout => $puppet::server::request_timeout, + puppet_home => $puppet::server::puppetserver_vardir, + puppet_basedir => $puppet::server::puppet_basedir, + puppet_etcdir => $puppet::dir, + ssl_ca => pick($puppet::server::foreman_ssl_ca, $puppet::server::ssl_ca_cert), + ssl_cert => pick($puppet::server::foreman_ssl_cert, $puppet::server::ssl_cert), + ssl_key => pick($puppet::server::foreman_ssl_key, $puppet::server::ssl_cert_key), } - contain foreman::puppetmaster + contain puppetserver_foreman } } diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb index 8521d8e..c258e41 100644 --- a/spec/classes/puppet_server_spec.rb +++ b/spec/classes/puppet_server_spec.rb @@ -1,703 +1,703 @@ require 'spec_helper' describe 'puppet' do on_supported_os.each do |os, facts| context "on #{os}", unless: unsupported_puppetmaster_osfamily(facts[:osfamily]) do if facts[:osfamily] == 'FreeBSD' puppet_major = facts[:puppetversion].to_i codedir = '/usr/local/etc/puppet' conf_d_dir = '/usr/local/etc/puppetserver/conf.d' conf_file = '/usr/local/etc/puppet/puppet.conf' confdir = '/usr/local/etc/puppet' environments_dir = '/usr/local/etc/puppet/environments' etcdir = '/usr/local/etc/puppet' puppetserver_logdir = '/var/log/puppetserver' puppetserver_rundir = '/var/run/puppetserver' puppetserver_vardir = '/var/puppet/server/data/puppetserver' sharedir = '/usr/local/share/puppet' ssldir = '/var/puppet/ssl' vardir = '/var/puppet' rubydir = %r{^/usr/local/lib/ruby/site_ruby/\d+\.\d+/puppet$} puppetserver_pkg = puppet_major > 4 ? "puppetserver#{puppet_major}" : 'puppetserver' if facts[:puppetversion] >= '6.0' puppetcacmd = '/usr/local/bin/puppetserver ca setup' cert_to_create = "#{ssldir}/ca/ca_crt.pem" else puppetcacmd = '/usr/local/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names' cert_to_create = "#{ssldir}/certs/puppetmaster.example.com.pem" end else codedir = '/etc/puppetlabs/code' conf_d_dir = '/etc/puppetlabs/puppetserver/conf.d' conf_file = '/etc/puppetlabs/puppet/puppet.conf' confdir = '/etc/puppetlabs/puppet' environments_dir = '/etc/puppetlabs/code/environments' etcdir = '/etc/puppetlabs/puppet' puppetserver_logdir = '/var/log/puppetlabs/puppetserver' puppetserver_rundir = '/var/run/puppetlabs/puppetserver' puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' sharedir = '/opt/puppetlabs/puppet' ssldir = '/etc/puppetlabs/puppet/ssl' vardir = '/opt/puppetlabs/puppet/cache' rubydir = '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet' puppetserver_pkg = 'puppetserver' if facts[:puppetversion] >= '6.0' puppetcacmd = '/opt/puppetlabs/bin/puppetserver ca setup' cert_to_create = "#{ssldir}/ca/ca_crt.pem" else puppetcacmd = '/opt/puppetlabs/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names' cert_to_create = "#{ssldir}/certs/puppetmaster.example.com.pem" end end let(:facts) { facts } let(:params) do { server: true, server_certname: 'puppetmaster.example.com' } end describe 'with no custom parameters' do it { should compile.with_all_deps } # install it { should contain_class('puppet::server::install') } it { should contain_user('puppet') } it { should contain_package(puppetserver_pkg).with_install_options(nil) } # config it { should contain_class('puppet::server::config') } it { should contain_puppet__config__main('reports').with_value('foreman') } it { should contain_puppet__config__main('hiera_config').with_value('$confdir/hiera.yaml') } it { should contain_puppet__config__main('environmentpath').with_value(environments_dir) } it do should contain_puppet__config__main('basemodulepath') .with_value(["#{environments_dir}/common", "#{codedir}/modules", "#{sharedir}/modules", '/usr/share/puppet/modules']) .with_joiner(':') end it { should_not contain_puppet__config__main('default_manifest') } it { should contain_puppet__config__master('autosign').with_value("#{etcdir}\/autosign.conf \{ mode = 0664 \}") } it { should contain_puppet__config__master('ca').with_value('true') } it { should contain_puppet__config__master('certname').with_value('puppetmaster.example.com') } it { should contain_puppet__config__master('parser').with_value('current') } it { should contain_puppet__config__master('strict_variables').with_value('false') } it { should contain_puppet__config__master('ssldir').with_value(ssldir) } it { should contain_puppet__config__master('storeconfigs').with_value(false) } it { should_not contain_puppet__config__master('environment_timeout') } it { should_not contain_puppet__config__master('manifest') } it { should_not contain_puppet__config__master('modulepath') } it { should_not contain_puppet__config__master('config_version') } it { should_not contain_puppet__config__master('trusted_external_command') } it { should contain_puppet__config__master('external_nodes').with_value("#{etcdir}\/node.rb") } it { should contain_puppet__config__master('node_terminus').with_value('exec') } it { should contain_puppet__config__master('logdir').with_value(puppetserver_logdir) } it { should contain_puppet__config__master('rundir').with_value(puppetserver_rundir) } it { should contain_puppet__config__master('vardir').with_value(puppetserver_vardir) } it 'should set up SSL permissions' do should contain_file("#{ssldir}/private_keys") \ .with_group('puppet') \ .with_mode('0750') should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem") \ .with_group('puppet') \ .with_mode('0640') should contain_exec('puppet_server_config-create_ssl_dir') \ .with_creates(ssldir) \ .with_command("/bin/mkdir -p #{ssldir}") \ .with_umask('0022') should contain_exec('puppet_server_config-generate_ca_cert') \ .with_creates(cert_to_create) \ .with_command(puppetcacmd) \ .with_umask('0022') \ .that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) end it { should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') } it 'should set up the environments' do should contain_file(environments_dir) .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_file(sharedir).with_ensure('directory') should contain_file("#{codedir}/environments/common") .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') should contain_file("#{sharedir}/modules") .with_ensure('directory') .with_owner('puppet') .with_group(nil) .with_mode('0755') end it { should contain_concat(conf_file) } it { should_not contain_puppet__config__agent('http_connect_timeout') } it { should_not contain_puppet__config__agent('http_read_timeout') } it { should_not contain_file("#{confdir}/custom_trusted_oid_mapping.yaml") } it { should contain_file("#{confdir}/autosign.conf") } it { should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) } it { should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) } it 'should set up the ENC' do - should contain_class('foreman::puppetmaster') + should contain_class('puppetserver_foreman') .with_foreman_url('https://foo.example.com') - .with_receive_facts(true) + .with_enc_upload_facts(true) + .with_enc_timeout(60) .with_puppet_home(puppetserver_vardir) .with_puppet_etcdir(etcdir) - .with_timeout(60) .with_puppet_basedir(rubydir) end # service it { should contain_class('puppet::server::service') } it { should contain_class('puppet::server::puppetserver') } end describe 'with uppercase hostname' do let(:facts) do override_facts(super(), networking: {fqdn: 'PUPPETMASTER.example.com'}, # clientcert is always lowercase by Puppet design clientcert: 'puppetmaster.example.com' ) end it { should compile.with_all_deps } it 'should use lowercase certificates' do should contain_class('puppet::server::puppetserver') .with_server_ssl_cert("#{ssldir}/certs/puppetmaster.example.com.pem") .with_server_ssl_cert_key("#{ssldir}/private_keys/puppetmaster.example.com.pem") end end describe 'with ip parameter' do let(:params) do super().merge(server_ip: '127.0.0.1') end it { should compile.with_all_deps } it { should contain_class('puppet::server').with_ip('127.0.0.1') } it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/host: 127.0.0.1/) } it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-host: 127.0.0.1/) } end context 'manage_packages' do tests = { false => false, 'agent' => false, 'server' => true } tests.each do |value, expected| describe "when manage_packages => #{value.inspect}" do let(:params) do super().merge(manage_packages: value) end it { should compile.with_all_deps } if expected it { should contain_package(puppetserver_pkg) } else it { should_not contain_package(puppetserver_pkg) } end end end end describe 'when autosign => true' do let(:params) do super().merge(autosign: true) end it { should contain_puppet__config__master('autosign').with_value(true) } end describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do let(:params) do super().merge( autosign: '/somedir/custom_autosign', autosign_mode: '664' ) end it { should contain_puppet__config__master('autosign').with_value('/somedir/custom_autosign { mode = 664 }') } end describe "when autosign_entries set to ['foo.bar']" do let(:params) do super().merge(autosign_entries: ['foo.bar']) end it 'should contain autosign.conf with content set' do should contain_file("#{confdir}/autosign.conf") should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do let(:params) do super().merge( autosign_content: 'foo.bar', autosign_entries: ['foo.bar'] ) end it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content/autosign_source and autosign_entries}) } end describe "when autosign_source => set to puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do let(:params) do super().merge( autosign_source: 'puppet:///foo/bar', autosign_entries: ['foo.bar'] ) end it { should raise_error(Puppet::Error, %r{Cannot set both autosign_content\/autosign_source and autosign_entries}) } end context 'when autosign => /usr/local/bin/custom_autosign.sh, autosign_mode => 775' do let(:params) do super().merge( autosign: '/usr/local/bin/custom_autosign.sh', autosign_mode: '775' ) end describe "when autosign_content set to 'foo.bar'" do let(:params) do super().merge(autosign_content: 'foo.bar') end it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } it { should contain_file('/usr/local/bin/custom_autosign.sh').with_content('foo.bar') } end describe "autosign_source set to 'puppet:///foo/bar'" do let(:params) do super().merge(autosign_source: 'puppet:///foo/bar') end it { should contain_puppet__config__master('autosign').with_value('/usr/local/bin/custom_autosign.sh { mode = 775 }') } it { should contain_file('/usr/local/bin/custom_autosign.sh').with_source('puppet:///foo/bar') } end end describe "when hiera_config => '/etc/puppet/hiera/production/hiera.yaml'" do let(:params) do super().merge(hiera_config: '/etc/puppet/hiera/production/hiera.yaml') end it { should contain_puppet__config__main('hiera_config').with_value('/etc/puppet/hiera/production/hiera.yaml') } end describe 'without foreman' do let(:params) do super().merge( server_foreman: false, server_reports: 'store', server_external_nodes: '' ) end - it { should_not contain_class('foreman::puppetmaster') } + it { should_not contain_class('puppetserver_foreman') } it { should_not contain_puppet__config__master('node_terminus') } it { should_not contain_puppet__config__master('external_nodes') } end describe 'with server_default_manifest => true and undef content' do let(:params) do super().merge(server_default_manifest: true) end it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } it { should_not contain_file('/etc/puppet/manifests/default_manifest.pp') } end describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do let(:params) do super().merge( server_default_manifest: true, server_default_manifest_content: 'include foo' ) end it { should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') } it { should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content('include foo') } end describe 'with git repo' do let(:params) do super().merge(server_git_repo: true) end it { is_expected.to compile.with_all_deps } it do should contain_class('puppet::server') .with_git_repo(true) .with_git_repo_path("#{vardir}/puppet.git") .with_post_hook_name('post-receive') end it 'should set up the environments directory' do should contain_file(environments_dir) \ .with_ensure('directory') \ .with_owner('puppet') end it 'should create the puppet user' do shell = case facts[:osfamily] when /^(FreeBSD|DragonFly)$/ '/usr/local/bin/git-shell' else '/usr/bin/git-shell' end should contain_user('puppet') .with_shell(shell) .that_requires('Class[git]') end it do should contain_file(vardir) .with_ensure('directory') .with_owner('root') end it do should contain_git__repo('puppet_repo') .with_bare(true) .with_target("#{vardir}/puppet.git") .with_user('puppet') .that_requires("File[#{environments_dir}]") end it do should contain_file("#{vardir}/puppet.git/hooks/post-receive") .with_owner('puppet') \ .with_mode('0755') \ .that_requires('Git::Repo[puppet_repo]') \ .with_content(/BRANCH_MAP = \{[^a-zA-Z=>]\}/) end describe 'with a puppet git branch map' do let(:params) do super().merge(server_git_branch_map: { 'a' => 'b', 'c' => 'd' }) end it 'should add the branch map to the post receive hook' do should contain_file("#{vardir}/puppet.git/hooks/post-receive") .with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) end end end context 'with directory environments owner' do let(:params) { super().merge(server_environments_owner: 'apache') } it { should contain_file(environments_dir).with_owner('apache') } end context 'with no common modules directory' do let(:params) { super().merge(server_common_modules_path: '') } it { should_not contain_puppet__config__main('basemodulepath') } end describe 'with SSL path overrides' do let(:params) do super().merge( server_foreman_ssl_ca: '/etc/example/ca.pem', server_foreman_ssl_cert: '/etc/example/cert.pem', server_foreman_ssl_key: '/etc/example/key.pem' ) end it 'should pass SSL parameters to the ENC' do - should contain_class('foreman::puppetmaster') + should contain_class('puppetserver_foreman') .with_ssl_ca('/etc/example/ca.pem') .with_ssl_cert('/etc/example/cert.pem') .with_ssl_key('/etc/example/key.pem') end end describe 'with additional settings' do let(:params) do super().merge(server_additional_settings: { 'stringify_facts' => true }) end it 'should configure puppet.conf' do should contain_puppet__config__master('stringify_facts').with_value(true) end end describe 'with server_parser => future' do let(:params) do super().merge(server_parser: 'future') end it { should contain_puppet__config__master('parser').with_value('future') } end describe 'with server_environment_timeout set' do let(:params) do super().merge(server_environment_timeout: '10m') end it { should contain_puppet__config__master('environment_timeout').with_value('10m') } end describe 'with no ssldir managed for master' do let(:params) do super().merge(server_ssl_dir_manage: false) end it { should_not contain_puppet__config__master('ssl_dir') } end describe 'with ssl key management disabled for server' do let(:params) do super().merge( server_certname: 'servercert', server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl', server_ssl_key_manage: false ) end it { should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') } end describe 'with nondefault CA settings' do let(:params) do super().merge(server_ca: false) end it { should contain_exec('puppet_server_config-create_ssl_dir') } it { should_not contain_exec('puppet_server_config-generate_ca_cert') } end describe 'with server_ca_crl_sync => true' do let(:params) do super().merge(server_ca_crl_sync: true) end context 'with server_ca => false and running "puppet apply"' do let(:params) do super().merge( server_ca: false, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end context 'with server_ca => false: running "puppet agent -t"' do let(:params) do super().merge( server_ca: false, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end let(:facts) do facts.merge(servername: 'myserver') end before :context do @cacrl = Tempfile.new('cacrl') File.open(@cacrl, 'w') { |f| f.write 'This is my CRL File' } Puppet.settings[:cacrl] = @cacrl.path end it 'should sync the crl from the ca' do should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') .with_content('This is my CRL File') end end context 'with server_ca => true: running "puppet agent -t"' do let(:params) do super().merge( server_ca: true, server_ssl_dir: '/etc/custom/puppetlabs/puppet/ssl' ) end let(:facts) do facts.merge(servername: 'myserver') end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end end describe 'allow crl checking' do context 'as ca' do let(:params) do super().merge(server_ca: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/ca/ca_crl\.pem}) } end context 'as non-ca' do let(:params) do super().merge(server_ca: false) end it { should contain_file("#{conf_d_dir}/webserver.conf").without_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } context 'server_crl_enable' do let(:params) do super().merge(server_crl_enable: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-crl-path: #{ssldir}/crl\.pem}) } end end end describe 'with ssl_protocols overwritten' do let(:params) do super().merge(server_ssl_protocols: ['TLSv1.1', 'TLSv1.2']) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ssl-protocols: \[\n( +)TLSv1.1,\n( +)TLSv1.2,\n( +)\]/) } end describe 'with ssl_protocols overwritten' do let(:params) do super().merge(server_cipher_suites: %w[TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA]) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/cipher-suites: \[\n( +)TLS_RSA_WITH_AES_256_CBC_SHA256,\n( +)TLS_RSA_WITH_AES_256_CBC_SHA,\n( +)\]/) } end describe 'with ssl_chain_filepath overwritten' do let(:params) do super().merge(server_ssl_chain_filepath: '/etc/example/certchain.pem') end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(%r{ssl-cert-chain: /etc/example/certchain.pem}) } end describe 'with server_custom_trusted_oid_mapping overwritten' do let(:params) do super().merge(server_custom_trusted_oid_mapping: { '1.3.6.1.4.1.34380.1.2.1.1' => { shortname: 'myshortname', longname: 'My Long Name' }, '1.3.6.1.4.1.34380.1.2.1.2' => { shortname: 'myothershortname' } }) end it 'should have a configured custom_trusted_oid_mapping.yaml' do verify_exact_contents(catalogue, "#{confdir}/custom_trusted_oid_mapping.yaml", [ '---', 'oid_mapping:', ' 1.3.6.1.4.1.34380.1.2.1.1:', ' shortname: myshortname', ' longname: My Long Name', ' 1.3.6.1.4.1.34380.1.2.1.2:', ' shortname: myothershortname' ]) end end describe 'with server_certname parameter' do let(:params) do super().merge( server_certname: 'puppetserver43.example.com', server_ssl_dir: '/etc/custom/puppet/ssl' ) end it 'should put the correct ssl key path in webserver.conf' do should contain_file("#{conf_d_dir}/webserver.conf") .with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem}) end it 'should put the correct ssl cert path in webserver.conf' do should contain_file("#{conf_d_dir}/webserver.conf") .with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem}) end end describe 'with server_http parameter set to true for the puppet class' do let(:params) do super().merge(server_http: true) end it { should contain_file("#{conf_d_dir}/webserver.conf").with_content(/ host:\s0\.0\.0\.0/).with_content(/ port:\s8139/) } it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end describe 'with server_allow_header_cert_info => true' do let(:params) do super().merge(server_allow_header_cert_info: true) end it { should contain_file("#{conf_d_dir}/auth.conf").with_content(/allow-header-cert-info: true/) } end describe 'server_trusted_external_command' do context 'with default parameters' do it { should_not contain_puppet__config__master('trusted_external_command') } end context 'with puppetversion >= 6.11' do describe 'when server_trusted_external_command => /usr/local/sbin/trusted_external_command' do let(:facts) do super().merge( puppetversion: '6.11.0' ) end let(:params) do super().merge(server_trusted_external_command: '/usr/local/sbin/trusted_external_command' ) end it { should contain_puppet__config__master('trusted_external_command').with_value('/usr/local/sbin/trusted_external_command') } end end context 'with puppetversion < 6.11' do describe 'when server_trusted_external_command => /usr/local/sbin/trusted_external_command' do let(:facts) do super().merge( puppetversion: '6.5.0' ) end let(:params) do super().merge(server_trusted_external_command: '/usr/local/sbin/trusted_external_command' ) end it { is_expected.to raise_error(Puppet::Error, /\$server_trusted_external_command is only available for Puppet > 6\.11/) } end end end end end end