diff --git a/manifests/config.pp b/manifests/config.pp index d407764..7e336e0 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -1,105 +1,113 @@ # Set up the puppet config # @api private class puppet::config( $allow_any_crl_auth = $puppet::allow_any_crl_auth, $auth_allowed = $puppet::auth_allowed, $auth_template = $puppet::auth_template, $ca_server = $puppet::ca_server, $ca_port = $puppet::ca_port, $dns_alt_names = $puppet::dns_alt_names, $module_repository = $puppet::module_repository, $pluginsource = $puppet::pluginsource, $pluginfactsource = $puppet::pluginfactsource, $puppet_dir = $puppet::dir, $puppetmaster = $puppet::puppetmaster, $syslogfacility = $puppet::syslogfacility, $srv_domain = $puppet::srv_domain, $use_srv_records = $puppet::use_srv_records, $additional_settings = $puppet::additional_settings, $client_certname = $puppet::client_certname, ) { puppet::config::main{ 'vardir': value => $puppet::vardir; 'logdir': value => $puppet::logdir; 'rundir': value => $puppet::rundir; 'ssldir': value => $puppet::ssldir; 'privatekeydir': value => '$ssldir/private_keys { group = service }'; 'hostprivkey': value => '$privatekeydir/$certname.pem { mode = 640 }'; 'show_diff': value => $puppet::show_diff; 'codedir': value => $puppet::codedir; } if $module_repository and !empty($module_repository) { puppet::config::main{'module_repository': value => $module_repository; } } if $ca_server and !empty($ca_server) { puppet::config::main{'ca_server': value => $ca_server; } } if $ca_port { puppet::config::main{'ca_port': value => $ca_port; } } if $dns_alt_names and !empty($dns_alt_names) { puppet::config::main{'dns_alt_names': value => $dns_alt_names; } } if $use_srv_records { unless $srv_domain { fail('$::domain fact found to be undefined and $srv_domain is undefined') } puppet::config::main{ 'use_srv_records': value => true; 'srv_domain': value => $srv_domain; } } else { puppet::config::main { 'server': value => pick($puppetmaster, $facts['networking']['fqdn']); } } if $pluginsource { puppet::config::main{'pluginsource': value => $pluginsource; } } if $pluginfactsource { puppet::config::main{'pluginfactsource': value => $pluginfactsource; } } if $syslogfacility and !empty($syslogfacility) { puppet::config::main{'syslogfacility': value => $syslogfacility; } } if $client_certname { puppet::config::main { 'certname': value => $client_certname; } } $additional_settings.each |$key,$value| { puppet::config::main { $key: value => $value } } concat::fragment { 'puppet.conf_comment': target => "${puppet_dir}/puppet.conf", content => '# file managed by puppet', order => '0_comment', } file { $puppet_dir: ensure => directory, owner => $puppet::dir_owner, group => $puppet::dir_group, } -> case $facts['os']['family'] { 'Windows': { concat { "${puppet_dir}/puppet.conf": mode => '0674', } } default: { concat { "${puppet_dir}/puppet.conf": owner => 'root', group => $puppet::params::root_group, mode => '0644', } } } - ~> file { "${puppet_dir}/auth.conf": - content => template($auth_template), + + if versioncmp($facts['puppetversion'], '7.0.0') >= 0 { + file { "${puppet_dir}/auth.conf": + ensure => absent, + } + } else { + file { "${puppet_dir}/auth.conf": + ensure => file, + content => template($auth_template), + } } } diff --git a/manifests/init.pp b/manifests/init.pp index 1890e4b..ad9d59d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,753 +1,754 @@ # == Class: puppet # # This class installs and configures the puppet agent. # # === Parameters: # # $show_diff:: Show and report changed files with diff output # # $ca_server:: Use a different ca server. Should be either # a string with the location of the ca_server # or 'false'. # # == Advanced puppet parameters # # $version:: Specify a specific version of a package to # install. The version should be the exact # match for your distro. # You can also use certain values like 'latest'. # Note that when you specify exact versions you # should also override $server_version since # that defaults to $version. # # $manage_packages:: Should this module install packages or not. # Can also install only server packages with value # of 'server' or only agent packages with 'agent'. # # $port:: Override the port of the master we connect to. # # $pluginsync:: Enable pluginsync. # # $splay:: Switch to enable a random amount of time # to sleep before each run. # # $splaylimit:: The maximum time to delay before runs. # Defaults to being the same as the run interval. # This setting can be a time interval in seconds # (30 or 30s), minutes (30m), hours (6h), days (2d), # or years (5y). # # $runinterval:: Set up the interval (in seconds) to run # the puppet agent. # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $usecacheonfailure:: Switch to enable use of cached catalog on # failure of run. # # $runmode:: Select the mode to setup the puppet agent. # # $run_hour:: The hour at which to run the puppet agent # when runmode is cron or systemd.timer. # # $run_minute:: The minute at which to run the puppet agent # when runmode is cron or systemd.timer. # # $cron_cmd:: Specify command to launch when runmode is # set 'cron'. # # $systemd_cmd:: Specify command to launch when runmode is # set 'systemd.timer'. # # $systemd_randomizeddelaysec:: Adds a random delay between 0 and this value # (in seconds) to the timer. Only relevant when # runmode is 'systemd.timer'. # # $module_repository:: Use a different puppet module repository # # $ca_port:: Puppet CA port # # $ca_crl_filepath:: Path to CA CRL file, dynamically resolves based on # $::server_ca status. # # $dns_alt_names:: Use additional DNS names when generating a # certificate. Defaults to an empty Array. # # $hiera_config:: The hiera configuration file. # # $syslogfacility:: Facility name to use when logging to syslog # # $use_srv_records:: Whether DNS SRV records will be used to resolve # the Puppet master # # $srv_domain:: Search domain for SRV records # # $additional_settings:: A hash of additional main settings. # # $http_connect_timeout:: The maximum amount of time an agent waits # when establishing an HTTP connection. # # $http_read_timeout:: The time an agent waits for one block to be # read from an HTTP connection. If nothing is # read after the elapsed interval then the # connection will be closed. # # $user:: Override the name of the puppet user. # # $group:: Override the name of the puppet group. # # $dir:: Override the puppet directory. # # $codedir:: Override the puppet code directory. # # $vardir:: Override the puppet var directory. # # $logdir:: Override the log directory. # # $rundir:: Override the PID directory. # # $ssldir:: Override where SSL certificates are kept. # # $sharedir:: Override the system data directory. # # $package_provider:: The provider used to install the agent. # Defaults to chocolatey on Windows # Defaults to undef elsewhere # # $package_source:: The location of the file to be used by the # agent's package resource. # Defaults to undef. If 'windows' or 'msi' are # used as the provider then this setting is # required. # $package_install_options:: Flags that should be passed to the package manager # during installation. Defaults to undef. May be # a string or a hash, see Puppet Package resource # documentation for the provider matching your package manager # # $unavailable_runmodes:: Runmodes that are not available for the # current system. This module will not try # to disable these modes. Default is [] # on Linux, ['cron', 'systemd.timer'] on # Windows and ['systemd.timer'] on other # systems. # # $auth_template:: Use a custom template for /etc/puppetlabs/puppet/auth.conf # # $pluginsource:: URL to retrieve Puppet plugins from during pluginsync # # $pluginfactsource:: URL to retrieve Puppet facts from during pluginsync # # $classfile:: The file in which puppet agent stores a list # of the classes associated with the retrieved # configuration. # # == puppet::agent parameters # # $agent:: Should a puppet agent be installed # # $agent_noop:: Run the agent in noop mode. # # $puppetmaster:: Hostname of your puppetmaster (server # directive in puppet.conf) # # $prerun_command:: A command which gets excuted before each Puppet run # # $postrun_command:: A command which gets excuted after each Puppet run # # $environment:: Default environment of the Puppet agent # # $agent_additional_settings:: A hash of additional agent settings. # Example: {stringify_facts => true} # # $client_certname:: The node's certificate name, and the unique # identifier it uses when requesting catalogs. # # $report:: Send reports to the Puppet Master # # == advanced agent parameters # # $service_name:: The name of the puppet agent service. # # $agent_restart_command:: The command which gets excuted on puppet service restart # # $client_package:: Install a custom package to provide # the puppet client # # $systemd_unit_name:: The name of the puppet systemd units. # # $remove_lock:: Remove the agent lock when running. # # $dir_owner:: Owner of the base puppet directory, used when # puppet::server is false. # # $dir_group:: Group of the base puppet directory, used when # puppet::server is false. # # == puppet::server parameters # # $server:: Should a puppet master be installed as well as the client # # $server_ip:: Bind ip address of the puppetmaster # # $server_port:: Puppet master port # # $server_ca:: Provide puppet CA # # $server_ca_crl_sync:: Sync puppet CA crl file to compile masters, Puppet CA Must be the Puppetserver # for the compile masters. Defaults to false. # # $server_crl_enable:: Turn on crl checking. Defaults to true when server_ca is true. Otherwise # Defaults to false. Note unless you are using an external CA. It is recommended # to set this to true. See $server_ca_crl_sync to enable syncing from CA Puppet Master # # $server_reports:: List of report types to include on the puppetmaster # # $server_external_nodes:: External nodes classifier executable # # $server_trusted_external_command:: The external trusted facts script to use. # (Puppet >= 6.11 only). # # $server_git_repo:: Use git repository as a source of modules # # $server_environments_owner:: The owner of the environments directory # # $server_environments_group:: The group owning the environments directory # # $server_environments_mode:: Environments directory mode. # # $server_common_modules_path:: Common modules paths # # $server_git_repo_path:: Git repository path # # $server_git_repo_mode:: Git repository mode # # $server_git_repo_group:: Git repository group # # $server_git_repo_user:: Git repository user # # $server_git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $server_storeconfigs:: Whether to enable storeconfigs # # $server_certname:: The name to use when handling certificates. # # === Advanced server parameters: # # $server_strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $server_additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $server_manage_user:: Whether to manage the server user resource # # $server_user:: Name of the puppetmaster user. # # $server_group:: Name of the puppetmaster group. # # $server_dir:: Puppet configuration directory # # $server_http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. # # $server_http_port:: Puppet master HTTP port; defaults to 8139. # # $server_config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. # # $server_foreman_facts:: Should foreman receive facts from puppet # # $server_foreman:: Should foreman integration be installed # # $server_foreman_url:: Foreman URL # # $server_foreman_ssl_ca:: SSL CA of the Foreman server # # $server_foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $server_foreman_ssl_key:: Key for authenticating against Foreman server # # $server_puppet_basedir:: Where is the puppet code base located # # $server_request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $server_environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $server_envs_dir:: Directory that holds puppet environments # # $server_envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $server_jvm_java_bin:: Set the default java to use. # # $server_jvm_config:: Specify the puppetserver jvm configuration file. # # $server_jvm_min_heap_size:: Specify the minimum jvm heap space. # # $server_jvm_max_heap_size:: Specify the maximum jvm heap space. # # $server_jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $server_jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $server_jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. # default to ['$1'] # # $server_default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $server_default_manifest_path:: A string setting the path to the default_manifest # # $server_default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $server_package:: Custom package name for puppet master # # $server_version:: Custom package version for puppet master # # $server_ssl_dir:: SSL directory # # $server_ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $server_ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $server_puppetserver_vardir:: The path of the puppetserver var dir # # $server_puppetserver_rundir:: The path of the puppetserver run dir # # $server_puppetserver_logdir:: The path of the puppetserver log dir # # $server_puppetserver_dir:: The path of the puppetserver config dir # # $server_puppetserver_version:: The version of puppetserver installed (or being installed) # Unfortunately, different versions of puppetserver need # configuring differently. The default is derived from the # installed puppet version. Generally it's not needed to # override this but when upgrading it might be. # # $server_max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $server_max_requests_per_instance:: Max number of requests a jruby instances will handle. Defaults to 0 (disabled) # # $server_max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a # JRuby from the pool. (Puppetserver 5.x only) # Defaults to 0 (disabled) for Puppetserver >= 5.0 # # $server_max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on # 503 responses returned when max-queued-requests is enabled. (Puppetserver 5.x only) # Defaults to 1800 for Puppetserver >= 5.0 # # $server_multithreaded:: Use multithreaded jruby. (Puppetserver >= 6.8 only). Defaults to false. # # $server_idle_timeout:: How long the server will wait for a response on an existing connection # # $server_connect_timeout:: How long the server will wait for a response to a connection attempt # # $server_ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $server_ssl_chain_filepath:: Path to certificate chain for puppetserver # Only used when $ca is true # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $server_cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $server_ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $server_ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $server_admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $server_ca_client_self_delete:: Adds a rule to auth.conf, that allows a client to delete its own certificate # Defaults to false # # $server_use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) +# Note that Puppetserver 7 has dropped this option. # # $server_check_for_updates:: Should the puppetserver phone home to check for available updates? # Defaults to true # # $server_post_hook_content:: Which template to use for git post hook # # $server_post_hook_name:: Name of a git hook # # $server_environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the # environment_classes API. # Defaults to false # # $server_allow_header_cert_info:: Enable client authentication over HTTP Headers # Defaults to false, is also activated by the $server_http setting # # $server_web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has # completed. # Defaults to 30000, using the Jetty default of 30s # # $server_puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $server_puppetserver_metrics:: Enable puppetserver http-client metrics # Defaults to false because that's the Puppet Inc. default behaviour. # # $server_puppetserver_profiler:: Enable JRuby profiling. # Defaults to false because that's the Puppet Inc. default behaviour. # # $server_metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $server_metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $server_metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $server_metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $server_metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $server_metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $server_metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $server_puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $server_puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf # # $server_puppetserver_trusted_agents:: Certificate names of puppet agents that are allowed to fetch *all* catalogs # Defaults to [] and all agents are only allowed to fetch their own catalogs. # # $server_puppetserver_trusted_certificate_extensions:: An array of hashes of certificate extensions and values to be used in auth.conf # A puppet client certificate containing valid extension(s) will be allowed to fetch # *any* catalog. # Defaults to [] and no certificate extensions are recognised as being allowed # to fetch *any* catalog. # Example: [{ 'pp_authorization' => 'catalog' }] # Any client certificate containing the `pp_authorization` extension with value `catalog` # will be permitted to fetch any catalog. # Complicated example: [ # { '1.3.6.1.4.1.34380.1.3.1' => 'catalog' }, # { '1.3.6.1.4.1.34380.1.1.13' => 'jenkins_server', '1.3.6.1.4.1.34380.1.1.24' => 'prod' } # ] # Clients presenting a certificate with `pp_authorization = catalog` *or* with `pp_role` # *and* `pp_apptier` extensions set # correctly will be authorized to fetch any catalog. # NB. If server_ca == false, use oids instead of extension shortnames. # See https://tickets.puppetlabs.com/browse/SERVER-1689 # # $server_compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. # Defaults to undef (off). # # $server_parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # $server_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for unencrypted HTTP traffic. If not provided, the webserver # defaults to the number of virtual cores on the host divided by 8, with a minimum # of 1 and maximum of 4. # # $server_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for unencrypted HTTPS traffic. If not provided, # the webserver defaults to the minimum of: virtual cores on the host divided by 2 # or max-threads divided by 16, with a minimum of 1. # # $server_max_threads:: This sets the maximum number of threads assigned to responding to HTTP and/or # HTTPS requests for a single webserver, effectively changing how many # concurrent requests can be made at one time. If not provided, the # webserver defaults to 200. # # $server_ssl_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for encrypted HTTPS traffic. If not provided, defaults to # the number of virtual cores on the host divided by 8, with a minimum of 1 and maximum of 4. # # $server_ssl_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for encrypted HTTPS traffic. Defaults to the number of # virtual cores on the host divided by 2, with a minimum of 1 and maximum of 4. # The number of selector threads actually used by Jetty is twice the number of selectors # requested. For example, if a value of 3 is specified for the ssl-selector-threads setting, # Jetty will actually use 6 selector threads. # # $server_ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $server_ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # Defaults to false # # $server_ca_enable_infra_crl:: Enable the separate CRL for Puppet infrastructure nodes # Defaults to false # # $server_max_open_files:: Increase the max open files limit for Puppetserver. # Defaults to undef # # $server_versioned_code_id:: The path to an executable script that Puppet Server invokes to generate a code_id # Defaults to undef # # $server_versioned_code_content:: Contains the path to an executable script that Puppet Server # invokes when on static_file_content requests. # Defaults to undef # # === Usage: # # * Simple usage: # # include puppet # # * Installing a puppetmaster # # class {'puppet': # server => true, # } # # * Advanced usage: # # class {'puppet': # agent_noop => true, # version => '6.11.0-1', # } # class puppet ( String $version = $puppet::params::version, String $user = $puppet::params::user, String $group = $puppet::params::group, Stdlib::Absolutepath $dir = $puppet::params::dir, Stdlib::Absolutepath $codedir = $puppet::params::codedir, Stdlib::Absolutepath $vardir = $puppet::params::vardir, Stdlib::Absolutepath $logdir = $puppet::params::logdir, Stdlib::Absolutepath $rundir = $puppet::params::rundir, Stdlib::Absolutepath $ssldir = $puppet::params::ssldir, Stdlib::Absolutepath $sharedir = $puppet::params::sharedir, Variant[Boolean, Enum['server', 'agent']] $manage_packages = $puppet::params::manage_packages, Optional[String] $dir_owner = $puppet::params::dir_owner, Optional[String] $dir_group = $puppet::params::dir_group, Optional[String] $package_provider = $puppet::params::package_provider, Optional[Variant[String,Hash]] $package_install_options = $puppet::params::package_install_options, Optional[Variant[Stdlib::Absolutepath, Stdlib::HTTPUrl]] $package_source = $puppet::params::package_source, Integer[0, 65535] $port = $puppet::params::port, Boolean $pluginsync = $puppet::params::pluginsync, Boolean $splay = $puppet::params::splay, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $splaylimit = $puppet::params::splaylimit, Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::params::autosign, Array[String] $autosign_entries = $puppet::params::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $puppet::params::autosign_mode, Optional[String] $autosign_content = $puppet::params::autosign_content, Optional[String] $autosign_source = $puppet::params::autosign_source, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $runinterval = $puppet::params::runinterval, Boolean $usecacheonfailure = $puppet::params::usecacheonfailure, Enum['cron', 'service', 'systemd.timer', 'none', 'unmanaged'] $runmode = $puppet::params::runmode, Optional[Integer[0,23]] $run_hour = undef, Optional[Integer[0,59]] $run_minute = undef, Array[Enum['cron', 'service', 'systemd.timer', 'none']] $unavailable_runmodes = $puppet::params::unavailable_runmodes, Optional[String] $cron_cmd = $puppet::params::cron_cmd, Optional[String] $systemd_cmd = $puppet::params::systemd_cmd, Integer[0] $systemd_randomizeddelaysec = $puppet::params::systemd_randomizeddelaysec, Boolean $agent_noop = $puppet::params::agent_noop, Boolean $show_diff = $puppet::params::show_diff, Optional[Stdlib::HTTPUrl] $module_repository = $puppet::params::module_repository, Optional[Integer[0]] $http_connect_timeout = $puppet::params::http_connect_timeout, Optional[Integer[0]] $http_read_timeout = $puppet::params::http_read_timeout, Optional[Variant[String, Boolean]] $ca_server = $puppet::params::ca_server, Optional[Integer[0, 65535]] $ca_port = $puppet::params::ca_port, Optional[String] $ca_crl_filepath = $puppet::params::ca_crl_filepath, Optional[String] $prerun_command = $puppet::params::prerun_command, Optional[String] $postrun_command = $puppet::params::postrun_command, Array[String] $dns_alt_names = $puppet::params::dns_alt_names, Boolean $use_srv_records = $puppet::params::use_srv_records, Optional[String] $srv_domain = $puppet::params::srv_domain, String $pluginsource = $puppet::params::pluginsource, String $pluginfactsource = $puppet::params::pluginfactsource, Hash[String, Data] $additional_settings = $puppet::params::additional_settings, Hash[String, Data] $agent_additional_settings = $puppet::params::agent_additional_settings, Optional[String] $agent_restart_command = $puppet::params::agent_restart_command, String $classfile = $puppet::params::classfile, String $hiera_config = $puppet::params::hiera_config, String $auth_template = $puppet::params::auth_template, Boolean $allow_any_crl_auth = $puppet::params::allow_any_crl_auth, Array[String] $auth_allowed = $puppet::params::auth_allowed, Variant[String, Array[String]] $client_package = $puppet::params::client_package, Boolean $agent = $puppet::params::agent, Boolean $remove_lock = $puppet::params::remove_lock, Boolean $report = $puppet::params::report, Variant[String, Boolean] $client_certname = $puppet::params::client_certname, Optional[String] $puppetmaster = $puppet::params::puppetmaster, String $systemd_unit_name = $puppet::params::systemd_unit_name, String $service_name = $puppet::params::service_name, Optional[String] $syslogfacility = $puppet::params::syslogfacility, String $environment = $puppet::params::environment, Boolean $server = $puppet::params::server, Array[String] $server_admin_api_whitelist = $puppet::params::server_admin_api_whitelist, Boolean $server_manage_user = $puppet::params::manage_user, String $server_user = $puppet::params::user, String $server_group = $puppet::params::group, String $server_dir = $puppet::params::dir, String $server_ip = $puppet::params::ip, Integer $server_port = $puppet::params::port, Boolean $server_ca = $puppet::params::server_ca, Boolean $server_ca_crl_sync = $puppet::params::server_ca_crl_sync, Optional[Boolean] $server_crl_enable = $puppet::params::server_crl_enable, Boolean $server_ca_auth_required = $puppet::params::server_ca_auth_required, Boolean $server_ca_client_self_delete = $puppet::params::server_ca_client_self_delete, Array[String] $server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $server_custom_trusted_oid_mapping = $puppet::params::server_custom_trusted_oid_mapping, Boolean $server_http = $puppet::params::server_http, Integer $server_http_port = $puppet::params::server_http_port, String $server_reports = $puppet::params::server_reports, Optional[Stdlib::Absolutepath] $server_puppetserver_dir = $puppet::params::server_puppetserver_dir, Optional[Stdlib::Absolutepath] $server_puppetserver_vardir = $puppet::params::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $server_puppetserver_rundir = $puppet::params::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $server_puppetserver_logdir = $puppet::params::server_puppetserver_logdir, Optional[Pattern[/^[\d]\.[\d]+\.[\d]+$/]] $server_puppetserver_version = $puppet::params::server_puppetserver_version, Variant[Undef, String[0], Stdlib::Absolutepath] $server_external_nodes = $puppet::params::server_external_nodes, Optional[Stdlib::Absolutepath] $server_trusted_external_command = $puppet::params::server_trusted_external_command, Array[String] $server_cipher_suites = $puppet::params::server_cipher_suites, Optional[String] $server_config_version = $puppet::params::server_config_version, Integer[0] $server_connect_timeout = $puppet::params::server_connect_timeout, Boolean $server_git_repo = $puppet::params::server_git_repo, Boolean $server_default_manifest = $puppet::params::server_default_manifest, Stdlib::Absolutepath $server_default_manifest_path = $puppet::params::server_default_manifest_path, String $server_default_manifest_content = $puppet::params::server_default_manifest_content, String $server_environments_owner = $puppet::params::server_environments_owner, Optional[String] $server_environments_group = $puppet::params::server_environments_group, Pattern[/^[0-9]{3,4}$/] $server_environments_mode = $puppet::params::server_environments_mode, Stdlib::Absolutepath $server_envs_dir = $puppet::params::server_envs_dir, Optional[Stdlib::Absolutepath] $server_envs_target = $puppet::params::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $server_common_modules_path = $puppet::params::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $server_git_repo_mode = $puppet::params::server_git_repo_mode, Stdlib::Absolutepath $server_git_repo_path = $puppet::params::server_git_repo_path, String $server_git_repo_group = $puppet::params::server_git_repo_group, String $server_git_repo_user = $puppet::params::server_git_repo_user, Hash[String, String] $server_git_branch_map = $puppet::params::server_git_branch_map, Integer[0] $server_idle_timeout = $puppet::params::server_idle_timeout, String $server_post_hook_content = $puppet::params::server_post_hook_content, String $server_post_hook_name = $puppet::params::server_post_hook_name, Boolean $server_storeconfigs = $puppet::params::server_storeconfigs, Array[Stdlib::Absolutepath] $server_ruby_load_paths = $puppet::params::server_ruby_load_paths, Stdlib::Absolutepath $server_ssl_dir = $puppet::params::server_ssl_dir, Boolean $server_ssl_dir_manage = $puppet::params::server_ssl_dir_manage, Boolean $server_ssl_key_manage = $puppet::params::server_ssl_key_manage, Array[String] $server_ssl_protocols = $puppet::params::server_ssl_protocols, Optional[Stdlib::Absolutepath] $server_ssl_chain_filepath = $puppet::params::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $server_package = $puppet::params::server_package, Optional[String] $server_version = $puppet::params::server_version, String $server_certname = $puppet::params::server_certname, Integer[0] $server_request_timeout = $puppet::params::server_request_timeout, Boolean $server_strict_variables = $puppet::params::server_strict_variables, Hash[String, Data] $server_additional_settings = $puppet::params::server_additional_settings, Boolean $server_foreman = $puppet::params::server_foreman, Stdlib::HTTPUrl $server_foreman_url = $puppet::params::server_foreman_url, Optional[Stdlib::Absolutepath] $server_foreman_ssl_ca = $puppet::params::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $server_foreman_ssl_cert = $puppet::params::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $server_foreman_ssl_key = $puppet::params::server_foreman_ssl_key, Boolean $server_foreman_facts = $puppet::params::server_foreman_facts, Optional[Stdlib::Absolutepath] $server_puppet_basedir = $puppet::params::server_puppet_basedir, Enum['current', 'future'] $server_parser = $puppet::params::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $server_environment_timeout = $puppet::params::server_environment_timeout, String $server_jvm_java_bin = $puppet::params::server_jvm_java_bin, String $server_jvm_config = $puppet::params::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $server_jvm_min_heap_size = $puppet::params::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $server_jvm_max_heap_size = $puppet::params::server_jvm_max_heap_size, Optional[Variant[String,Array[String]]] $server_jvm_extra_args = $puppet::params::server_jvm_extra_args, Optional[String] $server_jvm_cli_args = $puppet::params::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $server_jruby_gem_home = $puppet::params::server_jruby_gem_home, Integer[1] $server_max_active_instances = $puppet::params::server_max_active_instances, Integer[0] $server_max_requests_per_instance = $puppet::params::server_max_requests_per_instance, Integer[0] $server_max_queued_requests = $puppet::params::server_max_queued_requests, Integer[0] $server_max_retry_delay = $puppet::params::server_max_retry_delay, Boolean $server_multithreaded = $puppet::params::server_multithreaded, Boolean $server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf, Boolean $server_check_for_updates = $puppet::params::server_check_for_updates, Boolean $server_environment_class_cache_enabled = $puppet::params::server_environment_class_cache_enabled, Boolean $server_allow_header_cert_info = $puppet::params::server_allow_header_cert_info, Integer[0] $server_web_idle_timeout = $puppet::params::server_web_idle_timeout, Boolean $server_puppetserver_jruby9k = $puppet::params::server_puppetserver_jruby9k, Boolean $server_puppetserver_metrics = false, Boolean $server_puppetserver_profiler = false, Boolean $server_metrics_jmx_enable = $puppet::params::server_metrics_jmx_enable, Boolean $server_metrics_graphite_enable = $puppet::params::server_metrics_graphite_enable, String $server_metrics_graphite_host = $puppet::params::server_metrics_graphite_host, Integer $server_metrics_graphite_port = $puppet::params::server_metrics_graphite_port, String $server_metrics_server_id = $puppet::params::server_metrics_server_id, Integer $server_metrics_graphite_interval = $puppet::params::server_metrics_graphite_interval, Optional[Array] $server_metrics_allowed = $puppet::params::server_metrics_allowed, Boolean $server_puppetserver_experimental = $puppet::params::server_puppetserver_experimental, Optional[String[1]] $server_puppetserver_auth_template = $puppet::params::server_puppetserver_auth_template, Array[String] $server_puppetserver_trusted_agents = $puppet::params::server_puppetserver_trusted_agents, Array[Hash] $server_puppetserver_trusted_certificate_extensions = $puppet::params::server_puppetserver_trusted_certificate_extensions, Optional[Enum['off', 'jit', 'force']] $server_compile_mode = $puppet::params::server_compile_mode, Optional[Integer[1]] $server_acceptor_threads = undef, Optional[Integer[1]] $server_selector_threads = undef, Optional[Integer[1]] $server_ssl_acceptor_threads = undef, Optional[Integer[1]] $server_ssl_selector_threads = undef, Optional[Integer[1]] $server_max_threads = undef, Boolean $server_ca_allow_sans = $puppet::params::server_ca_allow_sans, Boolean $server_ca_allow_auth_extensions = $puppet::params::server_ca_allow_auth_extensions, Boolean $server_ca_enable_infra_crl = $puppet::params::server_ca_enable_infra_crl, Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files, Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef, Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef, ) inherits puppet::params { contain puppet::config if $agent == true { contain puppet::agent } if $server == true { contain puppet::server } # Ensure the server is running before the agent needs it, and that # certificates are generated in the server config (if enabled) if $server == true and $agent == true { Class['puppet::server'] -> Class['puppet::agent::service'] } } diff --git a/manifests/server.pp b/manifests/server.pp index 0523ea5..20c5740 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,500 +1,509 @@ # == Class: puppet::server # # Sets up a puppet master. # # == puppet::server parameters # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $hiera_config:: The hiera configuration file. # # $manage_user:: Whether to manage the puppet user resource # # $user:: Name of the puppetmaster user. # # $group:: Name of the puppetmaster group. # # $dir:: Puppet configuration directory # # $ip:: Bind ip address of the puppetmaster # # $port:: Puppet master port # # $ca:: Provide puppet CA # # $ca_crl_filepath:: Path to ca_crl file # # $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to # be agents of the CA master (MOM) defaults to false # # $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults # to false # # $http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. # # $http_port:: Puppet master HTTP port; defaults to 8139. # # $reports:: List of report types to include on the puppetmaster # # $external_nodes:: External nodes classifier executable # # $trusted_external_command:: The external trusted facts script to use. # (Puppet >= 6.11 only). # # $git_repo:: Use git repository as a source of modules # # $environments_owner:: The owner of the environments directory # # $environments_group:: The group owning the environments directory # # $environments_mode:: Environments directory mode. # # $envs_dir:: Directory that holds puppet environments # # $envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $common_modules_path:: Common modules paths # # $git_repo_path:: Git repository path # # $git_repo_mode:: Git repository mode # # $git_repo_group:: Git repository group # # $git_repo_user:: Git repository user # # $git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $post_hook_content:: Which template to use for git post hook # # $post_hook_name:: Name of a git hook # # $storeconfigs:: Whether to enable storeconfigs # # $ssl_dir:: SSL directory # # $package:: Custom package name for puppet master # # $version:: Custom package version for puppet master # # $certname:: The name to use when handling certificates. # # $strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # $max_open_files:: Increase the max open files limit for Puppetserver. # # # === Advanced server parameters: # # $codedir:: Override the puppet code directory. # # $config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. # # $server_foreman_facts:: Should foreman receive facts from puppet # # $foreman:: Should foreman integration be installed # # $foreman_url:: Foreman URL # # $foreman_ssl_ca:: SSL CA of the Foreman server # # $foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $foreman_ssl_key:: Key for authenticating against Foreman server # # $puppet_basedir:: Where is the puppet code base located # # $compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. # # # $request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $jvm_java_bin:: Set the default java to use. # # $jvm_config:: Specify the puppetserver jvm configuration file. # # $jvm_min_heap_size:: Specify the minimum jvm heap space. # # $jvm_max_heap_size:: Specify the maximum jvm heap space. # # $jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $jruby_gem_home:: Where jruby gems are located for puppetserver # # $default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $default_manifest_path:: A string setting the path to the default_manifest # # $default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $puppetserver_vardir:: The path of the puppetserver var dir # # $puppetserver_rundir:: The path of the puppetserver run dir # # $puppetserver_logdir:: The path of the puppetserver log dir # # $puppetserver_dir:: The path of the puppetserver config dir # # $puppetserver_version:: The version of puppetserver installed (or being installed) # Unfortunately, different versions of puppetserver need configuring differently. # By default we attempt to derive the version from the puppet version itself but # can be overriden if you're installing an older version. # # $max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled) # # $max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a # JRuby from the pool. (Puppetserver 5.x only) # Defaults to 0 (disabled) for Puppetserver >= 5.0 # # $max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on # 503 responses returned when max-queued-requests is enabled. (Puppetserver 5.x only) # Defaults to 1800 for Puppetserver >= 5.0 # # $multithreaded:: Use multithreaded jruby. (Puppetserver >= 6.8 only). Defaults to false. # # $idle_timeout:: How long the server will wait for a response on an existing connection # # $connect_timeout:: How long the server will wait for a response to a connection attempt # # $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed. # Defaults to the Jetty default of 30s # # $ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $ssl_chain_filepath:: Path to certificate chain for puppetserver # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $ca_client_self_delete:: Adds a rule to auth.conf, that allows a client to self delete its own certificate # Defaults to false # # $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) +# Note that Puppetserver 7 has dropped support for this. # # $check_for_updates:: Should the puppetserver phone home to check for available updates? # # $environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the # environment_classes API. # # # $allow_header_cert_info:: Allow client authentication over HTTP Headers # Defaults to false, is also activated by the $http setting # # $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $puppetserver_metrics:: Enable puppetserver http-client metrics # Defaults to false because that's the Puppet Inc. default behaviour. # # $puppetserver_profiler:: Enable JRuby profiling. # Defaults to false because that's the Puppet Inc. default behaviour. # # $metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf # # $puppetserver_trusted_agents:: Certificate names of agents that are allowed to fetch *all* catalogs. Defaults to empty array # # $puppetserver_trusted_certificate_extensions:: An array of hashes of certificate extensions and values. # Example: [{ 'pp_authorization' => 'catalog' }] # # $ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # Defaults to false # # $ca_enable_infra_crl:: Enable the separate CRL for Puppet infrastructure nodes # Defaults to false # # $acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for unencrypted HTTP traffic. If not provided, the webserver # defaults to the number of virtual cores on the host divided by 8, with a minimum # of 1 and maximum of 4. # # $selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for unencrypted HTTPS traffic. If not provided, # the webserver defaults to the minimum of: virtual cores on the host divided by 2 # or max-threads divided by 16, with a minimum of 1. # # $max_threads:: This sets the maximum number of threads assigned to responding to HTTP and/or # HTTPS requests for a single webserver, effectively changing how many # concurrent requests can be made at one time. If not provided, the # webserver defaults to 200. # # $ssl_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for encrypted HTTPS traffic. If not provided, defaults to # the number of virtual cores on the host divided by 8, with a minimum of 1 and maximum of 4. # # $ssl_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for encrypted HTTPS traffic. Defaults to the number of # virtual cores on the host divided by 2, with a minimum of 1 and maximum of 4. # The number of selector threads actually used by Jetty is twice the number of selectors # requested. For example, if a value of 3 is specified for the ssl-selector-threads setting, # Jetty will actually use 6 selector threads. # # $versioned_code_id:: The path to an executable script that Puppet Server invokes to generate a code_id # # $versioned_code_content:: Contains the path to an executable script that Puppet Server invokes when an agent makes # a static_file_content API request for the contents of a file resource that # has a source attribute with a puppet:/// URI value. class puppet::server( Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::autosign, Array[String] $autosign_entries = $puppet::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $puppet::autosign_mode, Optional[String] $autosign_content = $puppet::autosign_content, Optional[String] $autosign_source = $puppet::autosign_source, String $hiera_config = $puppet::hiera_config, Array[String] $admin_api_whitelist = $puppet::server_admin_api_whitelist, Boolean $manage_user = $puppet::server_manage_user, String $user = $puppet::server_user, String $group = $puppet::server_group, String $dir = $puppet::server_dir, Stdlib::Absolutepath $codedir = $puppet::codedir, Integer $port = $puppet::server_port, String $ip = $puppet::server_ip, Boolean $ca = $puppet::server_ca, Optional[String] $ca_crl_filepath = $puppet::ca_crl_filepath, Boolean $ca_crl_sync = $puppet::server_ca_crl_sync, Optional[Boolean] $crl_enable = $puppet::server_crl_enable, Boolean $ca_auth_required = $puppet::server_ca_auth_required, Boolean $ca_client_self_delete = $puppet::server_ca_client_self_delete, Array[String] $ca_client_whitelist = $puppet::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $puppet::server_custom_trusted_oid_mapping, Boolean $http = $puppet::server_http, Integer $http_port = $puppet::server_http_port, String $reports = $puppet::server_reports, Stdlib::Absolutepath $puppetserver_vardir = $puppet::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $puppetserver_rundir = $puppet::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $puppetserver_logdir = $puppet::server_puppetserver_logdir, Stdlib::Absolutepath $puppetserver_dir = $puppet::server_puppetserver_dir, Optional[Pattern[/^[\d]\.[\d]+\.[\d]+$/]] $puppetserver_version = $puppet::server_puppetserver_version, Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $puppet::server_external_nodes, Optional[Stdlib::Absolutepath] $trusted_external_command = $puppet::server_trusted_external_command, Array[String] $cipher_suites = $puppet::server_cipher_suites, Optional[String] $config_version = $puppet::server_config_version, Integer[0] $connect_timeout = $puppet::server_connect_timeout, Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout, Boolean $git_repo = $puppet::server_git_repo, Boolean $default_manifest = $puppet::server_default_manifest, Stdlib::Absolutepath $default_manifest_path = $puppet::server_default_manifest_path, String $default_manifest_content = $puppet::server_default_manifest_content, String $environments_owner = $puppet::server_environments_owner, Optional[String] $environments_group = $puppet::server_environments_group, Pattern[/^[0-9]{3,4}$/] $environments_mode = $puppet::server_environments_mode, Stdlib::Absolutepath $envs_dir = $puppet::server_envs_dir, Optional[Stdlib::Absolutepath] $envs_target = $puppet::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $puppet::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $puppet::server_git_repo_mode, Stdlib::Absolutepath $git_repo_path = $puppet::server_git_repo_path, String $git_repo_group = $puppet::server_git_repo_group, String $git_repo_user = $puppet::server_git_repo_user, Hash[String, String] $git_branch_map = $puppet::server_git_branch_map, Integer[0] $idle_timeout = $puppet::server_idle_timeout, String $post_hook_content = $puppet::server_post_hook_content, String $post_hook_name = $puppet::server_post_hook_name, Boolean $storeconfigs = $puppet::server_storeconfigs, Array[Stdlib::Absolutepath] $ruby_load_paths = $puppet::server_ruby_load_paths, Stdlib::Absolutepath $ssl_dir = $puppet::server_ssl_dir, Boolean $ssl_dir_manage = $puppet::server_ssl_dir_manage, Boolean $ssl_key_manage = $puppet::server_ssl_key_manage, Array[String] $ssl_protocols = $puppet::server_ssl_protocols, Optional[Stdlib::Absolutepath] $ssl_chain_filepath = $puppet::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $package = $puppet::server_package, Optional[String] $version = $puppet::server_version, String $certname = $puppet::server_certname, Integer[0] $request_timeout = $puppet::server_request_timeout, Boolean $strict_variables = $puppet::server_strict_variables, Hash[String, Data] $additional_settings = $puppet::server_additional_settings, Boolean $foreman = $puppet::server_foreman, Stdlib::HTTPUrl $foreman_url = $puppet::server_foreman_url, Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $puppet::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $puppet::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $foreman_ssl_key = $puppet::server_foreman_ssl_key, Boolean $server_foreman_facts = $puppet::server_foreman_facts, Optional[Stdlib::Absolutepath] $puppet_basedir = $puppet::server_puppet_basedir, Enum['current', 'future'] $parser = $puppet::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $puppet::server_environment_timeout, String $jvm_java_bin = $puppet::server_jvm_java_bin, String $jvm_config = $puppet::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $puppet::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $puppet::server_jvm_max_heap_size, Optional[Variant[String,Array[String]]] $jvm_extra_args = $puppet::server_jvm_extra_args, Optional[String] $jvm_cli_args = $puppet::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $jruby_gem_home = $puppet::server_jruby_gem_home, Integer[1] $max_active_instances = $puppet::server_max_active_instances, Integer[0] $max_requests_per_instance = $puppet::server_max_requests_per_instance, Integer[0] $max_queued_requests = $puppet::server_max_queued_requests, Integer[0] $max_retry_delay = $puppet::server_max_retry_delay, Boolean $multithreaded = $puppet::server_multithreaded, Boolean $use_legacy_auth_conf = $puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $puppet::server_allow_header_cert_info, Boolean $puppetserver_jruby9k = $puppet::server_puppetserver_jruby9k, Optional[Boolean] $puppetserver_metrics = $puppet::server_puppetserver_metrics, Boolean $puppetserver_profiler = $puppet::server_puppetserver_profiler, Boolean $metrics_jmx_enable = $puppet::server_metrics_jmx_enable, Boolean $metrics_graphite_enable = $puppet::server_metrics_graphite_enable, String $metrics_graphite_host = $puppet::server_metrics_graphite_host, Integer $metrics_graphite_port = $puppet::server_metrics_graphite_port, String $metrics_server_id = $puppet::server_metrics_server_id, Integer $metrics_graphite_interval = $puppet::server_metrics_graphite_interval, Variant[Undef, Array] $metrics_allowed = $puppet::server_metrics_allowed, Boolean $puppetserver_experimental = $puppet::server_puppetserver_experimental, Optional[String[1]] $puppetserver_auth_template = $puppet::server_puppetserver_auth_template, Array[String] $puppetserver_trusted_agents = $puppet::server_puppetserver_trusted_agents, Array[Hash] $puppetserver_trusted_certificate_extensions = $puppet::server_puppetserver_trusted_certificate_extensions, Optional[Enum['off', 'jit', 'force']] $compile_mode = $puppet::server_compile_mode, Optional[Integer[1]] $selector_threads = $puppet::server_selector_threads, Optional[Integer[1]] $acceptor_threads = $puppet::server_acceptor_threads, Optional[Integer[1]] $ssl_selector_threads = $puppet::server_ssl_selector_threads, Optional[Integer[1]] $ssl_acceptor_threads = $puppet::server_ssl_acceptor_threads, Optional[Integer[1]] $max_threads = $puppet::server_max_threads, Boolean $ca_allow_sans = $puppet::server_ca_allow_sans, Boolean $ca_allow_auth_extensions = $puppet::server_ca_allow_auth_extensions, Boolean $ca_enable_infra_crl = $puppet::server_ca_enable_infra_crl, Optional[Integer[1]] $max_open_files = $puppet::server_max_open_files, Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id, Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content, ) { if $ca { $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" $ssl_chain = $ssl_chain_filepath $crl_enable_real = pick($crl_enable, true) } else { $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") $ssl_chain = false $crl_enable_real = pick($crl_enable, false) } $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" if $config_version == undef { if $git_repo { $config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long" } else { $config_version_cmd = undef } } else { $config_version_cmd = $config_version } # For Puppetserver, certain configuration parameters are version specific. We # assume a particular version here. if $puppetserver_version { $real_puppetserver_version = $puppetserver_version - } elsif versioncmp($::puppetversion, '6.0.0') >= 0 { + } elsif versioncmp($facts['puppetversion'], '7.0.0') >= 0 { + $real_puppetserver_version = '7.0.0' + } elsif versioncmp($facts['puppetversion'], '6.0.0') >= 0 { $real_puppetserver_version = '6.0.0' - } else { + } else { $real_puppetserver_version = '5.3.6' } + if versioncmp($real_puppetserver_version, '7.0.0') >= 0 { + if $use_legacy_auth_conf { + fail('The jruby-puppet.use-legacy-auth-conf setting is removed in Puppetserver 7') + } + } + if $jvm_extra_args { $real_jvm_extra_args = $jvm_extra_args } else { $real_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } contain puppet::server::install contain puppet::server::config contain puppet::server::service Class['puppet::server::install'] ~> Class['puppet::server::config'] Class['puppet::config', 'puppet::server::config'] ~> Class['puppet::server::service'] } diff --git a/spec/classes/puppet_config_spec.rb b/spec/classes/puppet_config_spec.rb index 561ffda..c1afd42 100644 --- a/spec/classes/puppet_config_spec.rb +++ b/spec/classes/puppet_config_spec.rb @@ -1,195 +1,204 @@ require 'spec_helper' describe 'puppet' do on_supported_os.each do |os, os_facts| context "on #{os}" do case os_facts[:osfamily] when 'FreeBSD' dir_owner = 'root' dir_group = nil confdir = '/usr/local/etc/puppet' logdir = '/var/log/puppet' rundir = '/var/run/puppet' ssldir = '/var/puppet/ssl' vardir = '/var/puppet' when 'windows' dir_owner = nil dir_group = nil confdir = 'C:/ProgramData/PuppetLabs/puppet/etc' logdir = 'C:/ProgramData/PuppetLabs/puppet/var/log' rundir = 'C:/ProgramData/PuppetLabs/puppet/var/run' ssldir = 'C:/ProgramData/PuppetLabs/puppet/etc/ssl' vardir = 'C:/ProgramData/PuppetLabs/puppet/var' when 'Archlinux' dir_owner = 'root' dir_group = nil confdir = '/etc/puppetlabs/puppet' logdir = '/var/log/puppetlabs/puppet' rundir = '/var/run/puppetlabs' ssldir = '/etc/puppetlabs/puppet/ssl' vardir = '/opt/puppetlabs/puppet/cache' else dir_owner = 'root' dir_group = nil confdir = '/etc/puppetlabs/puppet' logdir = '/var/log/puppetlabs/puppet' rundir = '/var/run/puppetlabs' ssldir = '/etc/puppetlabs/puppet/ssl' vardir = '/opt/puppetlabs/puppet/cache' end let :facts do override_facts(os_facts, networking: {domain: 'example.org'}) end let :params do {} end describe 'with default parameters' do it { is_expected.to contain_file(confdir).with_owner(dir_owner).with_group(dir_group) } - it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(%r{/puppet/v3/}) } - it { is_expected.not_to contain_file("#{confdir}/auth.conf").with_content(%r{^path /certificate_revocation_list/ca\nmethod find$}) } it { is_expected.not_to contain_puppet__config__main('default_manifest') } it { is_expected.not_to contain_file('/etc/puppet/manifests/default_manifest.pp') } it { is_expected.not_to contain_puppet__config__main('reports') } it { is_expected.to contain_puppet__config__main('vardir').with_value(vardir) } it { is_expected.to contain_puppet__config__main('logdir').with_value(logdir) } it { is_expected.to contain_puppet__config__main('rundir').with_value(rundir) } it { is_expected.to contain_puppet__config__main('ssldir').with_value(ssldir) } it { is_expected.to contain_puppet__config__main('privatekeydir').with_value('$ssldir/private_keys { group = service }') } it { is_expected.to contain_puppet__config__main('hostprivkey').with_value('$privatekeydir/$certname.pem { mode = 640 }') } it { is_expected.to contain_puppet__config__main('show_diff').with_value('false') } it { is_expected.to contain_puppet__config__main('server').with_value(facts[:networking]['fqdn']) } - end - describe 'with allow_any_crl_auth' do - let :params do - super().merge(allow_any_crl_auth: true) + context 'puppet < 7', if: os_facts[:puppetversion].to_i < 7 do + it { is_expected.to contain_file("#{confdir}/auth.conf").with_ensure('file').with_content(%r{/puppet/v3/}) } + it { is_expected.not_to contain_file("#{confdir}/auth.conf").with_content(%r{^path /certificate_revocation_list/ca\nmethod find$}) } end - it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(%r{^path /puppet-ca/v1/certificate_revocation_list/ca\nauth any$}) } + context 'puppet >= 7', if: os_facts[:puppetversion].to_i >= 7 do + it { is_expected.to contain_file("#{confdir}/auth.conf").with_ensure('absent') } + end end - describe 'with auth_allowed' do - let :params do - super().merge(auth_allowed: ['$1', 'puppetproxy']) + context 'auth.conf parameters', if: os_facts[:puppetversion].to_i < 7 do + describe 'with allow_any_crl_auth' do + let :params do + super().merge(allow_any_crl_auth: true) + end + + it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(%r{^path /puppet-ca/v1/certificate_revocation_list/ca\nauth any$}) } end - it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(/^allow \$1, puppetproxy$/) } + describe 'with auth_allowed' do + let :params do + super().merge(auth_allowed: ['$1', 'puppetproxy']) + end + + it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(/^allow \$1, puppetproxy$/) } + end end describe "when dns_alt_names => ['foo','bar']" do let :params do super().merge(dns_alt_names: %w[foo bar]) end it { is_expected.to contain_puppet__config__main('dns_alt_names').with_value(%w[foo bar]) } end describe "when syslogfacility => 'local6'" do let :params do super().merge(syslogfacility: 'local6') end it { is_expected.to contain_puppet__config__main('syslogfacility').with_value('local6') } end describe "when module_repository => 'https://myforgeapi.example.com'" do let :params do super().merge(module_repository: 'https://myforgeapi.example.com') end it { is_expected.to contain_puppet__config__main('module_repository').with_value('https://myforgeapi.example.com') } end describe 'when use_srv_records => true' do let :params do super().merge(use_srv_records: true) end context 'domain fact is defined' do it { is_expected.to contain_puppet__config__main('use_srv_records').with_value('true') } it { is_expected.to contain_puppet__config__main('srv_domain').with_value('example.org') } it { is_expected.to contain_puppet__config__main('pluginsource').with_value('puppet:///plugins') } it { is_expected.to contain_puppet__config__main('pluginfactsource').with_value('puppet:///pluginfacts') } it { is_expected.not_to contain_puppet__config__main('server') } end context 'domain fact is unset' do let(:facts) { override_facts(super(), networking: {domain: nil}) } it { is_expected.to raise_error(Puppet::Error, /\$::domain fact found to be undefined and \$srv_domain is undefined/) } end context 'is overriden via param' do let :params do super().merge(srv_domain: 'special.example.com') end it { is_expected.to contain_puppet__config__main('use_srv_records').with_value(true) } it { is_expected.to contain_puppet__config__main('srv_domain').with_value('special.example.com') } end end describe 'client_certname' do context 'with client_certname => $::clientcert' do let :facts do # rspec-puppet(-facts) doesn't mock this super().merge(clientcert: 'client.example.com') end it { is_expected.to contain_puppet__config__main('certname').with_value('client.example.com') } end context 'with client_certname => "foobar"' do let :params do super().merge(client_certname: 'foobar') end it { is_expected.to contain_puppet__config__main('certname').with_value('foobar') } end context 'with client_certname => false' do let :params do super().merge(client_certname: false) end it { is_expected.not_to contain_puppet__config__main('certname') } end end context 'puppetmaster' do describe "when puppetmaster => 'mymaster.example.com'" do let :params do super().merge(puppetmaster: 'mymaster.example.com') end it { is_expected.to contain_puppet__config__main('server').with_value('mymaster.example.com') } end context 'with global puppetmaster' do let(:facts) { super().merge(puppetmaster: 'global.example.com') } describe 'it overrides fqdn' do it { is_expected.to contain_puppet__config__main('server').with_value('global.example.com') } end describe 'the puppetmaster parameter overrides global puppetmaster' do let(:params) { super().merge(puppetmaster: 'mymaster.example.com') } it { is_expected.to contain_puppet__config__main('server').with_value('mymaster.example.com') } end end end describe 'with additional settings' do let :params do super().merge(additional_settings: { disable_warnings: 'deprecations' }) end it { is_expected.to contain_puppet__config__main('disable_warnings').with_value('deprecations') } end end end end diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb index 7d8123a..b59bc8d 100644 --- a/spec/classes/puppet_server_puppetserver_spec.rb +++ b/spec/classes/puppet_server_puppetserver_spec.rb @@ -1,563 +1,580 @@ require 'spec_helper' require 'hocon' describe 'puppet' do on_supported_os.each do |os, facts| next if unsupported_puppetmaster_osfamily(facts[:osfamily]) context "on #{os}" do let(:facts) do facts end let(:auth_conf) { '/etc/custom/puppetserver/conf.d/auth.conf' } let(:puppetserver_conf) { '/etc/custom/puppetserver/conf.d/puppetserver.conf' } let(:params) do { server: true, # We set these values because they're calculated server_jvm_config: '/etc/default/puppetserver', server_jvm_min_heap_size: '2G', server_jvm_max_heap_size: '2G', server_jvm_extra_args: '', server_max_active_instances: 2, server_puppetserver_dir: '/etc/custom/puppetserver', server_puppetserver_version: '5.3.6', } end let(:server_vardir) do if ['FreeBSD', 'DragonFly'].include?(facts[:operatingsystem]) '/var/puppet/server/data/puppetserver' else '/opt/puppetlabs/server/data/puppetserver' end end describe 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') .with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) .with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) .with_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'']) .with_context('/files/etc/rc.conf') } else it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap') .with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java']) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } end it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') .with_ensure('file') .with_content(/^( *)allow-subject-alt-names: false$/) .with_content(/^( *)allow-authorization-extensions: false$/) .without_content(/^( *)enable-infra-crl: false$/) } it { should contain_file(puppetserver_conf) .without_content(/^# Settings related to the puppet-admin HTTP API$/) .without_content(/^puppet-admin: \{$/) .without_content(/^\s+client-whitelist: \[$/) .without_content(/^\s+"localhost"\,$/) .without_content(/^\s+"puppetserver123.example.com"\,$/) .without_content(/^\s+"code-id-command"\,$/) .without_content(/^\s+"code-content-command"\,$/) .with_content(/^ max-queued-requests: 0\n/) .with_content(/^ max-retry-delay: 1800\n/) } it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf') .with_content(/ssl-host:\s0\.0\.0\.0/) .with_content(/ssl-port:\s8140/) .without_content(/ host:\s/) .without_content(/ port:\s8139/) .without_content(/selector-threads:/) .without_content(/acceptor-threads:/) .without_content(/ssl-selector-threads:/) .without_content(/ssl-acceptor-threads:/) .without_content(/max-threads:/) } it { should contain_file(auth_conf) .with_content(/allow-header-cert-info: false/) .with_content(%r{^\s+path: "/puppet-ca/v1/certificate_status"}) .with_content(/^\s+name: "puppetlabs cert status"/) .with_content(%r{^\s+path: "/puppet-ca/v1/certificate_statuses"}) .with_content(/^\s+name: "puppetlabs cert statuses"/) .with_content(%r{^\s+path: "/puppet-admin-api/v1/environment-cache"}) .with_content(/^\s+name: "environment-cache"/) .with_content(%r{^\s+path: "/puppet-admin-api/v1/jruby-pool"}) .with_content(/^\s+name: "jruby-pool"/) .with_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) .with_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$}) .with_content(/^( *)pp_cli_auth: "true"$/) .without_content(%r{^(\ *)name: "Allow nodes to delete their own certificates",$}) } end describe 'server_puppetserver_vardir' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(%r{^ master-var-dir: #{server_vardir}$}) } end context 'with custom server_puppetserver_vardir' do let(:params) { super().merge(server_puppetserver_vardir: '/opt/custom/puppetserver') } it { should contain_file(puppetserver_conf).with_content(%r{^ master-var-dir: /opt/custom/puppetserver$}) } end end describe 'use-legacy-auth-conf' do - context 'with default parameters' do - it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: false$/) } + context 'when server_puppetserver_version >= 5.3.6 and < 7.0.0' do + context 'with default parameters' do + it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: false$/) } + end + + context 'when use-legacy-auth-conf = true' do + let(:params) { super().merge(server_use_legacy_auth_conf: true) } + + it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: true$/) } + end end - context 'when use-legacy-auth-conf = true' do - let(:params) { super().merge(server_use_legacy_auth_conf: true) } - it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: true$/) } + context 'when server_puppetserver_version == 7.0.0' do + let(:params) { super().merge(server_puppetserver_version: '7.0.0') } + + context 'with default parameters' do + it { should contain_file(puppetserver_conf).without_content(/use-legacy-auth-conf/) } + end + + context 'when use-legacy-auth-conf = true' do + let(:params) { super().merge(server_use_legacy_auth_conf: true) } + + it { should compile.and_raise_error(/jruby-puppet.use-legacy-auth-conf setting is removed/) } + end end end describe 'environment-class-cache-enabled' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ environment-class-cache-enabled: false$/) } end context 'when environment-class-cache-enabled = true' do let(:params) { super().merge(server_environment_class_cache_enabled: true) } it { should contain_file(puppetserver_conf).with_content(/^ environment-class-cache-enabled: true$/) } end end describe 'server_max_requests_per_instance' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ max-requests-per-instance: 0$/) } end context 'custom server_max_requests_per_instance' do let(:params) { super().merge(server_max_requests_per_instance: 123_456) } it { should contain_file(puppetserver_conf).with_content(/^ max-requests-per-instance: 123456$/) } end end describe 'server_max_queued_requests' do context 'with custom server_max_queued_requests' do let(:params) { super().merge(server_max_queued_requests: 100) } it { should contain_file(puppetserver_conf).with_content(/^ max-queued-requests: 100\n/) } end end describe 'server_max_retry_delay' do context 'with custom server_max_retry_delay' do let(:params) { super().merge(server_max_retry_delay: 100) } it { should contain_file(puppetserver_conf).with_content(/^ max-retry-delay: 100\n/) } end end describe 'server_multithreaded' do context 'with default parameters' do context 'when server_puppetserver_version >= 5.3.6 and < 6.8.0' do it { should contain_file(puppetserver_conf).without_content(/multithreaded/) } end context 'when server_puppetserver_version == 6.8.0' do let(:params) { super().merge(server_puppetserver_version: '6.8.0') } it { should contain_file(puppetserver_conf).with_content(/^ multithreaded: false\n/) } end end context 'with custom server_multithreaded' do let(:params) { super().merge(server_multithreaded: true) } context 'when server_puppetserver_version >= 5.3.6 and < 6.8.0' do it { should contain_file(puppetserver_conf).without_content(/multithreaded/) } end context 'when server_puppetserver_version == 6.8.0' do let(:params) { super().merge(server_puppetserver_version: '6.8.0') } it { should contain_file(puppetserver_conf).with_content(/^ multithreaded: true\n/) } end end end describe 'ca.cfg' do context 'when server_ca => false' do let(:params) { super().merge(server_ca: false) } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') .with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) .with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) .with_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } end end describe 'product.conf' do context 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf') .with_content(/^\s+check-for-updates: true/) } end context 'with server_check_for_updates => false' do let(:params) { super().merge(server_check_for_updates: false) } it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf') .with_content(/^\s+check-for-updates: false/) } end end describe 'server_metrics' do context 'when server_metrics => true' do let(:params) do super().merge( server_puppetserver_metrics: true, server_metrics_graphite_enable: true, server_metrics_graphite_host: 'graphitehost.example.com', server_metrics_graphite_port: 2003, server_metrics_server_id: 'puppetserver.example.com', server_metrics_graphite_interval: 5, server_metrics_allowed: ['single.element.array'], ) end it { should contain_file(puppetserver_conf) .with_content(/^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)/) .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false/) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') .with_content(/^( *)metrics-allowed: \[\n( *)"single.element.array",\n( *)\]/) .with_content(/^( *)server-id: "puppetserver.example.com"/) .with_content(/^( *)jmx: \{\n( *)enabled: true/) .with_content(/^( *)graphite: \{\n( *)enabled: true/) .with_content(/^( *)host: "graphitehost.example.com"/) .with_content(/^( *)port: 2003/) .with_content(/^( *)update-interval-seconds: 5/) } end context 'when server_metrics => false' do let(:params) { super().merge(server_puppetserver_metrics: false) } it { should contain_file(puppetserver_conf) .with_content(/^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$/) .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false/) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf').with_ensure('file') } end end describe 'server_experimental' do context 'when server_experimental => true' do let(:params) { super().merge(server_puppetserver_experimental: true) } it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_experimental => false' do let(:params) { super().merge(server_puppetserver_experimental: false) } it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end describe 'puppetlabs v3 catalog from agents rule' do let(:content) { catalogue.resource('file', auth_conf).send(:parameters)[:content] } let(:rules) { Hocon.parse(content)['authorization']['rules'] } let(:rule) { rules.find {|rule| rule['name'] == 'puppetlabs v3 catalog from agents' } } context 'when server_trusted_agents set' do let(:params) { super().merge(server_puppetserver_trusted_agents: ['jenkins', 'octocatalog-diff']) } it { expect(rule['allow']).to eq(['jenkins', 'octocatalog-diff', '$1']) } end context 'with server_trusted_certificate_extensions' do let(:params) { super().merge(server_puppetserver_trusted_certificate_extensions: [{'pp_authorization' => 'catalog'}]) } it { expect(rule['allow']).to eq(['$1',{'extensions'=>{'pp_authorization'=>'catalog'}}]) } end context 'with server_trusted_agents and server_trusted_certificate_extensions' do let(:params) { super().merge(server_puppetserver_trusted_agents: ['catalog-diff'], server_puppetserver_trusted_certificate_extensions: [{'pp_authorization' => 'catalog'}]) } it { expect(rule['allow']).to eq(['catalog-diff','$1',{'extensions'=>{'pp_authorization'=>'catalog'}}]) } end end describe 'ca_client_self_delete' do context 'when set' do let(:params) { super().merge(server_ca_client_self_delete: true)} it { should contain_file(auth_conf) .with_content(%r{^(\ *)name: "Allow nodes to delete their own certificates",$}) } end end describe 'server_jruby9k', unless: facts[:osfamily] == 'FreeBSD' do context 'when server_jruby9k => true' do let(:params) { super().merge(server_puppetserver_jruby9k: true) } it do should contain_augeas('puppet::server::puppetserver::jruby_jar') .with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') end end context 'when server_jruby9k => false' do let(:params) { super().merge(server_puppetserver_jruby9k: false) } it do should contain_augeas('puppet::server::puppetserver::jruby_jar') .with_changes(['rm JRUBY_JAR']) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') end end end describe 'server_max_open_files', unless: facts[:osfamily] == 'FreeBSD' do context 'when server_max_open_files => undef' do it do if facts['service_provider'] == 'systemd' should contain_systemd__dropin_file('puppetserver.service-limits.conf') .with_ensure('absent') else should contain_file_line('puppet::server::puppetserver::max_open_files') .with_ensure('absent') end end end context 'when server_max_open_files => 32143' do let(:params) { super().merge(server_max_open_files: 32143) } it do if facts['service_provider'] == 'systemd' should contain_systemd__dropin_file('puppetserver.service-limits.conf') .with_ensure('present') .with_filename('limits.conf') .with_unit('puppetserver.service') .with_content("[Service]\nLimitNOFILE=32143\n") else should contain_file_line('puppet::server::puppetserver::max_open_files') .with_ensure('present') .with_path('/etc/default/puppetserver') .with_line('ulimit -n 32143') .with_match('^ulimit\ -n') end end end end describe 'with extra_args parameter' do let(:params) { super().merge(server_jvm_extra_args: ['-XX:foo=bar', '-XX:bar=foo']) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'']) .with_context('/files/etc/rc.conf') } else it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', 'set JAVA_BIN /usr/bin/java' ]) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } end end describe 'with cli_args parameter', unless: facts[:osfamily] == 'FreeBSD' do let(:params) { super().merge(server_jvm_cli_args: '-Djava.io.tmpdir=/var/puppettmp') } it do should contain_augeas('puppet::server::puppetserver::jvm') .with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java', 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'' ]) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') end end describe 'with jvm_config file parameter' do let(:params) { super().merge(server_jvm_config: '/etc/custom/puppetserver') } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm').with_context('/files/etc/rc.conf') } else it do should contain_augeas('puppet::server::puppetserver::jvm') .with_context('/files/etc/custom/puppetserver') .with_incl('/etc/custom/puppetserver') .with_lens('Shellvars.lns') end end end describe 'gem-path' do if ['FreeBSD', 'DragonFly'].include?(facts[:osfamily]) it do should contain_file(puppetserver_conf) .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, "#{server_vardir}/vendored-jruby-gems"\]$}) end else it do should contain_file(puppetserver_conf) .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, "#{server_vardir}/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"\]$}) end end end describe 'Puppet Server CA related settings' do context 'when server_puppetserver_version >= 5.3.6 and < 6.0.0' do context 'with ca parameters set' do let(:params) { super().merge( server_ca_allow_sans: true, server_ca_allow_auth_extensions: true, ) } it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') .with_ensure('file') .with_content(/^( *)allow-subject-alt-names: true$/) .with_content(/^( *)allow-authorization-extensions: true$/) } end end context 'when server_puppetserver_version >= 6.0.0' do let(:params) { super().merge(server_puppetserver_version: '6.0.0') } context 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') .with_ensure('file') .with_content(/^( *)allow-subject-alt-names: false$/) .with_content(/^( *)allow-authorization-extensions: false$/) .with_content(/^( *)enable-infra-crl: false$/) } it { should contain_file(auth_conf).with_content(/^( *)pp_cli_auth: "true"$/) } end context 'with ca parameters set' do let(:params) { super().merge( server_ca_allow_sans: true, server_ca_allow_auth_extensions: true, server_ca_enable_infra_crl: true, ) } it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') .with_ensure('file') .with_content(/^( *)allow-subject-alt-names: true$/) .with_content(/^( *)allow-authorization-extensions: true$/) .with_content(/^( *)enable-infra-crl: true$/) } end end end describe 'puppetlabs v4 catalog for services' do context 'when server_puppetserver_version >= 6.3' do let(:params) { super().merge(server_puppetserver_version: '6.3.0') } let(:content) { catalogue.resource('file', auth_conf).send(:parameters)[:content] } let(:rules) { Hocon.parse(content)['authorization']['rules'] } let(:rule) { rules.find {|rule| rule['name'] == 'puppetlabs v4 catalog for services' } } it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "\^/puppet/v4/catalog/\?\$"$}) } context 'by default' do it { should contain_file(auth_conf).with_content(%r{^(\ *)deny: "\*"\n(\ *)sort-order: 500\n(\ *)name: "puppetlabs v4 catalog for services"}) } end context 'with server_trusted_agents' do let(:params) { super().merge(server_puppetserver_trusted_agents: ['jenkins', 'octocatalog-diff']) } it { expect(rule['allow']).to eq(['jenkins', 'octocatalog-diff']) } end context 'with server_trusted_certificate_extensions' do let(:params) { super().merge(server_puppetserver_trusted_certificate_extensions: [{'pp_authorization' => 'catalog'}]) } it { expect(rule['allow']).to eq([{'extensions'=>{'pp_authorization'=>'catalog'}}]) } end context 'with server_trusted_agents and server_trusted_certificate_extensions' do let(:params) { super().merge(server_puppetserver_trusted_agents: ['catalog-diff'], server_puppetserver_trusted_certificate_extensions: [{'pp_authorization' => 'catalog'}]) } it { expect(rule['allow']).to eq(['catalog-diff',{'extensions'=>{'pp_authorization'=>'catalog'}}]) } end end context 'when server_puppetserver_version < 6.3' do let(:params) { super().merge(server_puppetserver_version: '6.2.0') } it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "\^/puppet/v4/catalog/\?\$"$}) } end end describe 'when server_puppetserver_version < 5.3.6' do let(:params) { super().merge(server_puppetserver_version: '5.3.5') } it { should raise_error(Puppet::Error, /puppetserver <5.3.6 is not supported by this module version/) } end describe 'allow jetty specific server threads' do context 'with thread config' do let(:params) do super().merge( server_selector_threads: 1, server_acceptor_threads: 2, server_ssl_selector_threads: 3, server_ssl_acceptor_threads: 4, server_max_threads: 5 ) end it { is_expected.to compile.with_all_deps } it { is_expected.to contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/selector-threads: 1/). with_content(/acceptor-threads: 2/). with_content(/ssl-selector-threads: 3/). with_content(/ssl-acceptor-threads: 4/). with_content(/max-threads: 5/) } end end describe 'versioned code' do context 'when versioned code parameters are set' do let(:params) do super().merge( server_versioned_code_id: '/some/code/id/bin', server_versioned_code_content: '/some/code/content/bin', ) end it { should contain_file(puppetserver_conf) .with_content(%r{^ code-id-command: /some/code/id/bin\n code-content-command: /some/code/content/bin$}) } end end end end end diff --git a/templates/server/puppetserver/conf.d/puppetserver.conf.erb b/templates/server/puppetserver/conf.d/puppetserver.conf.erb index df20a80..f22c405 100644 --- a/templates/server/puppetserver/conf.d/puppetserver.conf.erb +++ b/templates/server/puppetserver/conf.d/puppetserver.conf.erb @@ -1,127 +1,129 @@ # # Managed by Puppet # # configuration for the JRuby interpreters jruby-puppet: { # Where the puppet-agent dependency places puppet, facter, etc... # Puppet server expects to load Puppet from this location ruby-load-path: [ <%- @server_ruby_load_paths.each do |ruby_load_path| -%> <%= ruby_load_path %>, <%- end -%> ] # This setting determines where JRuby will install gems. It is used for loading gems, # and also by the `puppetserver gem` command line tool. gem-home: <%= @server_jruby_gem_home %> # This setting defines the complete "GEM_PATH" for jruby. If set, it should include # the gem-home directory as well as any other directories that gems can be loaded # from (including the vendored gems directory for gems that ship with puppetserver) gem-path: [<%= @server_gem_paths.join(', ') %>] # PLEASE NOTE: Use caution when modifying the below settings. Modifying # these settings will change the value of the corresponding Puppet settings # for Puppet Server, but not for the Puppet CLI tools. This likely will not # be a problem with master-var-dir, master-run-dir, or master-log-dir unless # some critical setting in puppet.conf is interpolating the value of one # of the corresponding settings, but it is important that any changes made to # master-conf-dir and master-code-dir are also made to the corresponding Puppet # settings when running the Puppet CLI tools. See # https://docs.puppetlabs.com/puppetserver/latest/puppet_conf_setting_diffs.html#overriding-puppet-settings-in-puppet-server # for more information. # (optional) path to puppet conf dir; if not specified, will use # the puppet default master-conf-dir: <%= @server_dir %> # (optional) path to puppet code dir; if not specified, will use # the puppet default master-code-dir: <%= @codedir %> # (optional) path to puppet var dir; if not specified, will use # the puppet default master-var-dir: <%= @server_puppetserver_vardir %> # (optional) path to puppet run dir; if not specified, will use # the puppet default master-run-dir: <%= @server_puppetserver_rundir %> # (optional) path to puppet log dir; if not specified, will use # the puppet default master-log-dir: <%= @server_puppetserver_logdir %> # (optional) maximum number of JRuby instances to allow max-active-instances: <%= @server_max_active_instances %> # (optional) the number of HTTP requests a given JRuby instance will handle in its lifetime. max-requests-per-instance: <%= @server_max_requests_per_instance %> # (optional) The maximum number of requests that may be queued waiting to borrow a JRuby from the pool. max-queued-requests: <%= @server_max_queued_requests %> # (optional) Sets the upper limit for the random sleep set as a Retry-After header on 503 responses returned when max-queued-requests is enabled. max-retry-delay: <%= @server_max_retry_delay %> +<%- if scope.function_versioncmp([@server_puppetserver_version, '7.0']) < 0 -%> # (optional) Authorize access to Puppet master endpoints via rules # specified in the legacy Puppet auth.conf file (if true) or via rules # specified in the Puppet Server HOCON-formatted auth.conf (if false or not # specified). use-legacy-auth-conf: <%= @server_use_legacy_auth_conf %> +<%- end -%> # (optional) enable or disable environment class cache environment-class-cache-enabled: <%= @server_environment_class_cache_enabled %> <%- if @compile_mode %> compile-mode: <%= @compile_mode %> <%- end -%> <%- if scope.function_versioncmp([@server_puppetserver_version, '6.8']) >= 0 -%> multithreaded: <%= @server_multithreaded %> <%- end -%> } <%- if @versioned_code_id and @versioned_code_content -%> versioned-code: { code-id-command: <%= @versioned_code_id %> code-content-command: <%= @versioned_code_content %> } <%- end -%> # settings related to HTTPS client requests made by Puppet Server http-client: { # A list of acceptable protocols for making HTTPS requests ssl-protocols: [ <%- @server_ssl_protocols.each do |protocol| -%> <%= protocol %>, <%- end -%> ] # A list of acceptable cipher suites for making HTTPS requests cipher-suites: [ <%- @server_cipher_suites.each do |cipher| -%> <%= cipher %>, <%- end -%> ] # Whether to enable http-client metrics; defaults to 'true'. metrics-enabled: <%= @server_metrics %> # The amount of time, in milliseconds, that an outbound HTTP connection # will wait for data to be available before closing the socket. If not # defined, defaults to 20 minutes. If 0, the timeout is infinite and if # negative, the value is undefined by the application and governed by the # system default behavior. idle-timeout-milliseconds: <%= @server_idle_timeout %> # The amount of time, in milliseconds, that an outbound HTTP connection will # wait to connect before giving up. Defaults to 2 minutes if not set. If 0, # the timeout is infinite and if negative, the value is undefined in the # application and governed by the system default behavior. connect-timeout-milliseconds: <%= @server_connect_timeout %> } # settings related to profiling the puppet Ruby code profiler: { # enable or disable profiling for the Ruby code; enabled: <%= @server_profiler %> }