diff --git a/README.md b/README.md index 88f23bb..b9a88d9 100644 --- a/README.md +++ b/README.md 
@@ -1,206 +1,194 @@ [![Puppet Forge](https://img.shields.io/puppetforge/v/theforeman/puppet.svg)](https://forge.puppetlabs.com/theforeman/puppet) [![Build Status](https://travis-ci.org/theforeman/puppet-puppet.svg?branch=master)](https://travis-ci.org/theforeman/puppet-puppet) # Puppet module for installing the Puppet agent and master Installs and configures the Puppet agent and optionally a Puppet master (when `server` is true). Part of the [Foreman installer](https://github.com/theforeman/foreman-installer) or to be used as a Puppet module. -The Puppet master is configured under Apache and Passenger by default, unless -`server_passenger` is set to false. When using Puppet Labs AIO packages -(puppet-agent) the JVM-based Puppet Server is installed by default. For Puppet -3.x based installation, `server_implementation` can be set to `puppetserver` -to switch to the JVM-based Puppet Server. - When using Puppet Server (version 2.2.x is the lowest version, this module supports), the module supports and assumes you will be installing the latest version. If you know you'll be installing an earlier or specific version, you will need to override `server_puppetserver_version`. More information in the Puppet Server section below. Many puppet.conf options for agents, masters and other are parameterized, with class documentation provided at the top of the manifests. In addition, there are hash parameters for each configuration section that can be used to supply any options that are not explicitly supported. ## Environments support The module helps configure Puppet environments using directory environments on Puppet 3.6+ and config environments on older versions. These are set up under /etc/puppet/environments/ - change `server_environments` to define the list to create, or use `puppet::server::env` for more control. When using directory environments with R10K you need to set the `server_environments` parameter to an empty array ie. 
`[]` to prevent `r10k deploy environments` from reporting an error caused by the creation of top level environment directory(s). ## Git repo support Environments can be backed by git by setting `server_git_repo` to true, which sets up `/var/lib/puppet/puppet.git` where each branch maps to one environment. Avoid using 'master' as this name isn't permitted. On each push to the repo, a hook updates `/etc/puppet/environments` with the contents of the branch. Requires [theforeman/git](https://forge.puppetlabs.com/theforeman/git). ## Foreman integration With the 3.0.0 release the Foreman integration became optional. It will still by default install the Foreman integration when `server` is true, so if you wish to run a Puppet master without Foreman, it can be disabled by setting `server_foreman` to false. Requires [theforeman/foreman](https://forge.puppetlabs.com/theforeman/foreman). ## PuppetDB integration The Puppet master can be configured to export catalogs and reports to a PuppetDB instance, using the puppetlabs/puppetdb module. Use its `puppetdb::server` class to install the PuppetDB server and this module to configure the Puppet master to connect to PuppetDB. Requires [puppetlabs/puppetdb](https://forge.puppetlabs.com/puppetlabs/puppetdb) Please see the notes about using puppetlabs/puppetdb 5.x with older versions of Puppet (< 4.x) and PuppetDB (< 3.x) with newer releases of the module and set the values via hiera or an extra include of `puppetdb::globals` with `puppetdb_version` defined. # Installation Available from GitHub (via cloning or tarball), [Puppet Forge](https://forge.puppetlabs.com/theforeman/puppet) or as part of the Foreman installer. # Usage As a parameterized class, all the configurable options can be overridden from your wrapper classes or even your ENC (if it supports param classes). 
For example: # Agent and cron (or daemon): class { '::puppet': runmode => 'cron' } # Agent and puppetmaster: class { '::puppet': server => true } # You want to use git? class { '::puppet': server => true server_git_repo => true } # Maybe you're using gitolite, new hooks, and a different port? class { '::puppet': server => true server_port => 8141, server_git_repo => true, server_git_repo_path => '/var/lib/gitolite/repositories/puppet.git', server_post_hook_name => 'post-receive.puppet', server_post_hook_content => 'puppetserver/post-hook.puppet', } # Configure master without Foreman integration class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', } # The same example as above but overriding `server_environments` for R10K class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', server_environments => [], } # Want to integrate with an existing PuppetDB? class { '::puppet': server => true, server_puppetdb_host => 'mypuppetdb.example.com', server_reports => 'puppetdb,foreman', server_storeconfigs_backend => 'puppetdb', } Look in _init.pp_ for what can be configured this way, see Contributing if anything doesn't work. To use this in standalone mode, edit a file (e.g. install.pp), put in a class resource, as per the examples above, and the execute _puppet apply_ e.g: cat > install.pp < true } EOF puppet apply install.pp --modulepath /path_to/extracted_tarball # Advanced scenarios An HTTP (non-SSL) puppetmaster instance can be set up (standalone or in addition to the SSL instance) by setting the `server_http` parameter to `true`. This is useful for reverse proxy or load balancer scenarios where the proxy/load balancer takes care of SSL termination. The HTTP puppetmaster instance expects the `X-Client-Verify`, `X-SSL-Client-DN` and `X-SSL-Subject` HTTP headers to have been set on the front end server. 
The listening port can be configured by setting `server_http_port` (which defaults to 8139). -For passenger setups, this HTTP instance accepts no connections by default (`deny all` in the `` -snippet). Allowed hosts can be configured by setting the `server_http_allow` parameter -(which expects an array). - -For puppetserver, this HTTP instance accepts **ALL** connections and no further restrictions can be configured. The -`server_http_allow` parameter has no effect at all! +For puppetserver, this HTTP instance accepts **ALL** connections and no further restrictions can be configured. **Note that running an HTTP puppetmaster is a huge security risk when improperly configured. Allowed hosts should be tightly controlled; anyone with access to an allowed host can access all client catalogues and client certificates.** # Configure an HTTP puppetmaster vhost in addition to the standard SSL vhost class { '::puppet': server => true, server_http => true, server_http_port => 8130, # default: 8139 - server_http_allow => ['10.20.30.1', 'puppetbalancer.my.corp'], } ## Puppet Server configuration Puppet Server requires slightly different configuration between different versions, which this module supports. It's recommended that you set the `server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version you have installed. By default the module will configure for the latest version available. 
Currently supported values and configuration behaviours are: * `5.1.0` (default for Puppet >= 5.1) - configures CRL reload service and `/puppet/v3/tasks` route * `5.0.0` (default for Puppet 5.0.x) - configures metrics service and `/puppet/experimental` route * `2.7.x` (default for Puppet < 5) - creates `product.conf` * `2.5.x`, `2.6.x` - configures the certificate authority in `ca.cfg` * `2.4.99` - configures for both 2.4 and 2.5, with `bootstrap.cfg` and `ca.cfg` * `2.3.x`, `2.4.x` - configures the certificate authority and versioned-code-service in `bootstrap.cfg` * `2.2.x` - configures the certificate authority in `bootstrap.cfg` # Contributing * Fork the project * Commit and push until you are happy with your contribution # More info See https://theforeman.org or at #theforeman irc channel on freenode Copyright (c) 2010-2012 Ohad Levy This program and entire repository is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . diff --git a/manifests/init.pp b/manifests/init.pp index 167112b..09ab9f6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,792 +1,739 @@ # == Class: puppet # # This class installs and configures the puppet agent. # # === Parameters: # # $version:: Specify a specific version of a package to # install. The version should be the exact # match for your distro. # You can also use certain values like 'latest'. # Note that when you specify exact versions you # should also override $server_version since # that defaults to $version. # # $manage_packages:: Should this module install packages or not. # Can also install only server packages with value # of 'server' or only agent packages with 'agent'. # # $port:: Override the port of the master we connect to. # # $listen:: Should the puppet agent listen for connections. # # $listen_to:: An array of servers allowed to initiate a puppet run. # If $listen = true one of three things will happen: # 1) if $listen_to is not empty then this array # will be used. # 2) if $listen_to is empty and $puppetmaster is # defined then only $puppetmaster will be # allowed. # 3) if $puppetmaster is not defined or empty, # $fqdn will be used. # # $pluginsync:: Enable pluginsync. # # $splay:: Switch to enable a random amount of time # to sleep before each run. # # $splaylimit:: The maximum time to delay before runs. # Defaults to being the same as the run interval. # This setting can be a time interval in seconds # (30 or 30s), minutes (30m), hours (6h), days (2d), # or years (5y). # # $runinterval:: Set up the interval (in seconds) to run # the puppet agent. # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. 
# # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $usecacheonfailure:: Switch to enable use of cached catalog on # failure of run. # # $runmode:: Select the mode to setup the puppet agent. # # $cron_cmd:: Specify command to launch when runmode is # set 'cron'. # # $systemd_cmd:: Specify command to launch when runmode is # set 'systemd.timer'. # # $systemd_randomizeddelaysec:: Adds a random delay between 0 and this value # (in seconds) to the timer. Only relevant when # runmode is 'systemd.timer'. # # $show_diff:: Show and report changed files with diff output # # $module_repository:: Use a different puppet module repository # # $configtimeout:: How long the client should wait for the # configuration to be retrieved before # considering it a failure. # # $ca_server:: Use a different ca server. Should be either # a string with the location of the ca_server # or 'false'. # # $ca_port:: Puppet CA port # # $ca_crl_filepath:: Path to CA CRL file, dynamically resolves based on # $::server_ca status. # # $dns_alt_names:: Use additional DNS names when generating a # certificate. Defaults to an empty Array. # # $hiera_config:: The hiera configuration file. # # $syslogfacility:: Facility name to use when logging to syslog # # $use_srv_records:: Whether DNS SRV records will be used to resolve # the Puppet master # # $srv_domain:: Search domain for SRV records # # $additional_settings:: A hash of additional main settings. # # == Advanced puppet parameters # # $user:: Override the name of the puppet user. # # $group:: Override the name of the puppet group. 
# # $dir:: Override the puppet directory. # # $codedir:: Override the puppet code directory. # # $vardir:: Override the puppet var directory. # # $logdir:: Override the log directory. # # $rundir:: Override the PID directory. # # $ssldir:: Override where SSL certificates are kept. # # $sharedir:: Override the system data directory. # # $package_provider:: The provider used to install the agent. # Defaults to chocolatey on Windows # Defaults to undef elsewhere # # $package_source:: The location of the file to be used by the # agent's package resource. # Defaults to undef. If 'windows' or 'msi' are # used as the provider then this setting is # required. # # $unavailable_runmodes:: Runmodes that are not available for the # current system. This module will not try # to disable these modes. Default is [] # on Linux, ['cron', 'systemd.timer'] on # Windows and ['systemd.timer'] on other # systems. # # $auth_template:: Use a custom template for the auth # configuration. # # $use_srv_records:: Whether DNS SRV records will be used to resolve # the Puppet master # # $srv_domain:: Search domain for SRV records # # $pluginsource:: URL to retrieve Puppet plugins from during pluginsync # # $pluginfactsource:: URL to retrieve Puppet facts from during pluginsync # # $classfile:: The file in which puppet agent stores a list # of the classes associated with the retrieved # configuration. # # == puppet::agent parameters # # $agent:: Should a puppet agent be installed # # $agent_noop:: Run the agent in noop mode. # # $puppetmaster:: Hostname of your puppetmaster (server # directive in puppet.conf) # # $prerun_command:: A command which gets excuted before each Puppet run # # $postrun_command:: A command which gets excuted after each Puppet run # # $environment:: Default environment of the Puppet agent # # $agent_additional_settings:: A hash of additional agent settings. 
# Example: {stringify_facts => true} # # $client_certname:: The node's certificate name, and the unique # identifier it uses when requesting catalogs. # # $report:: Send reports to the Puppet Master # # == advanced agent parameters # # $service_name:: The name of the puppet agent service. # # $agent_restart_command:: The command which gets excuted on puppet service restart # # $client_package:: Install a custom package to provide # the puppet client # # $systemd_unit_name:: The name of the puppet systemd units. # # $remove_lock:: Remove the agent lock when running. # # $dir_owner:: Owner of the base puppet directory, used when # puppet::server is false. # # $dir_group:: Group of the base puppet directory, used when # puppet::server is false. # # == puppet::server parameters # # $server:: Should a puppet master be installed as well as the client # # $server_ip:: Bind ip address of the puppetmaster # # $server_port:: Puppet master port # # $server_ca:: Provide puppet CA # # $server_ca_crl_sync:: Sync puppet CA crl file to compile masters, Puppet CA Must be the Puppetserver # for the compile masters. Defaults to false. # # $server_crl_enable:: Turn on crl checking. Defaults to true when server_ca is true. Otherwise # Defaults to false. Note unless you are using an external CA. It is recommended # to set this to true. See $server_ca_crl_sync to enable syncing from CA Puppet Master # # $server_reports:: List of report types to include on the puppetmaster # -# $server_implementation:: Puppet master implementation, either "master" (traditional -# Ruby) or "puppetserver" (JVM-based) -# # $server_external_nodes:: External nodes classifier executable # # $server_git_repo:: Use git repository as a source of modules # # $server_dynamic_environments:: Use $environment in the modulepath # Deprecated when $server_directory_environments is true, # set $server_environments to [] instead. 
# # $server_directory_environments:: Enable directory environments, defaulting to true # with Puppet 3.6.0 or higher # # $server_environments:: Environments to setup (creates directories). # Applies only when $server_dynamic_environments # is false # # $server_environments_owner:: The owner of the environments directory # # $server_environments_group:: The group owning the environments directory # # $server_environments_mode:: Environments directory mode. # # $server_common_modules_path:: Common modules paths (only when # $server_git_repo_path and $server_dynamic_environments # are false) # # $server_git_repo_path:: Git repository path # # $server_git_repo_mode:: Git repository mode # # $server_git_repo_group:: Git repository group # # $server_git_repo_user:: Git repository user # # $server_git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $server_storeconfigs_backend:: Do you use storeconfigs? (note: not required) # false if you don't, "active_record" for 2.X # style db, "puppetdb" for puppetdb # # $server_certname:: The name to use when handling certificates. # # $server_strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $server_additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $server_puppetdb_host:: PuppetDB host # # $server_puppetdb_port:: PuppetDB port # # $server_puppetdb_swf:: PuppetDB soft_write_failure # # === Advanced server parameters: # # $server_manage_user:: Whether to manage the server user resource # # $server_user:: Name of the puppetmaster user. # # $server_group:: Name of the puppetmaster group. # # $server_dir:: Puppet configuration directory # # $server_http:: Should the puppet master listen on HTTP as well as HTTPS. -# Useful for load balancer or reverse proxy scenarios. 
Note that -# the HTTP puppet master denies access from all clients by default, -# allowed clients must be specified with $server_http_allow. +# Useful for load balancer or reverse proxy scenarios. # # $server_http_port:: Puppet master HTTP port; defaults to 8139. # -# $server_http_allow:: Array of allowed clients for the HTTP puppet master. Passed -# to Apache's 'Allow' directive. -# -# $server_httpd_service:: Apache/httpd service name to notify -# on configuration changes. Defaults -# to 'httpd' based on the default -# apache module included with foreman-installer. -# -# $server_passenger:: If set to true, we will configure apache with -# passenger. If set to false, we will enable the -# default puppetmaster service unless -# service_fallback is set to false. See 'Advanced -# server parameters' for more information. -# Only applicable when server_implementation is "master". -# -# $server_service_fallback:: If passenger is not used, do we want to fallback -# to using the puppetmaster service? Set to false -# if you disabled passenger and you do NOT want to -# use the puppetmaster service. Defaults to true. -# -# $server_passenger_min_instances:: The PassengerMinInstances parameter. Sets the -# minimum number of application processes to run. -# Defaults to the number of processors on your -# system. -# -# $server_passenger_pre_start:: Pre-start the first passenger worker instance -# process during httpd start. -# -# $server_passenger_ruby:: The PassengerRuby parameter. Sets the Ruby -# interpreter for serving the puppetmaster -# rack application. -# # $server_config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. 
# # $server_foreman_facts:: Should foreman receive facts from puppet # # $server_foreman:: Should foreman integration be installed # # $server_foreman_url:: Foreman URL # # $server_foreman_ssl_ca:: SSL CA of the Foreman server # # $server_foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $server_foreman_ssl_key:: Key for authenticating against Foreman server # # $server_puppet_basedir:: Where is the puppet code base located # # $server_enc_api:: What version of enc script to deploy. # # $server_report_api:: What version of report processor to deploy. # # $server_request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $server_environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $server_envs_dir:: Directory that holds puppet environments # # $server_envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $server_ca_proxy:: The actual server that handles puppet CA. # Setting this to anything non-empty causes # the apache vhost to set up a proxy for all # certificates pointing to the value. # -# $server_rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and -# --vardir. The default is an empty array. -# # $server_jvm_java_bin:: Set the default java to use. # # $server_jvm_config:: Specify the puppetserver jvm configuration file. # # $server_jvm_min_heap_size:: Specify the minimum jvm heap space. # # $server_jvm_max_heap_size:: Specify the maximum jvm heap space. # # $server_jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $server_jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $server_jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. 
This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. # default to ['$1'] # # $server_default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $server_default_manifest_path:: A string setting the path to the default_manifest # # $server_default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # -# $server_app_root:: Directory where the application lives. Only relevant -# for the rack-based service -# # $server_package:: Custom package name for puppet master # # $server_version:: Custom package version for puppet master # # $server_ssl_dir:: SSL directory # # $server_ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $server_ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $server_puppetserver_vardir:: The path of the puppetserver var dir # # $server_puppetserver_rundir:: The path of the puppetserver run dir # # $server_puppetserver_logdir:: The path of the puppetserver log dir # # $server_puppetserver_dir:: The path of the puppetserver config dir # # $server_puppetserver_version:: The version of puppetserver 2 installed (or being installed) # Unfortunately, different versions of puppetserver need # configuring differently. The default is derived from the # installed puppet version. Generally it's not needed to # override this but when upgrading it might be. # # $server_max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $server_max_requests_per_instance:: Max number of requests a jruby instances will handle. 
Defaults to 0 (disabled) # # $server_max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a # JRuby from the pool. (Puppetserver 5.x only) # Defaults to 0 (disabled) for Puppetserver >= 5.0 # # $server_max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on # 503 responses returned when max-queued-requests is enabled. (Puppetserver 5.x only) # Defaults to 1800 for Puppetserver >= 5.0 # # $server_idle_timeout:: How long the server will wait for a response on an existing connection # # $server_connect_timeout:: How long the server will wait for a response to a connection attempt # # $server_ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $server_ssl_chain_filepath:: Path to certificate chain for puppetserver # Only used when $ca is true # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $server_cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $server_ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $server_ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $server_admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $server_use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? 
# Defaults to false (the puppetserver will use its own conf.d/auth.conf) # # $server_check_for_updates:: Should the puppetserver phone home to check for available updates? # Defaults to true # # $server_post_hook_content:: Which template to use for git post hook # # $server_post_hook_name:: Name of a git hook # # $server_environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the # environment_classes API. # Defaults to false # # $server_allow_header_cert_info:: Enable client authentication over HTTP Headers # Defaults to false, is also activated by the $server_http setting # # $server_web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has # completed. # Defaults to 30000, using the Jetty default of 30s # # $server_puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $server_puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? # Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # $server_metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $server_metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $server_metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $server_metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $server_metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $server_metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $server_metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $server_puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? 
Defaults to true # # $server_puppetserver_trusted_agents:: Certificate names of puppet agents that are allowed to fetch *all* catalogs # Defaults to [] and all agents are only allowed to fetch their own catalogs. # # $server_compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. # Defaults to undef (off). # # $server_parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # $server_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for unencrypted HTTP traffic. If not provided, the webserver # defaults to the number of virtual cores on the host divided by 8, with a minimum # of 1 and maximum of 4. # # $server_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for unencrypted HTTPS traffic. If not provided, # the webserver defaults to the minimum of: virtual cores on the host divided by 2 # or max-threads divided by 16, with a minimum of 1. # # $server_max_threads:: This sets the maximum number of threads assigned to responding to HTTP and/or # HTTPS requests for a single webserver, effectively changing how many # concurrent requests can be made at one time. If not provided, the # webserver defaults to 200. # # $server_ssl_acceptor_threads:: This sets the number of threads that the webserver will dedicate to accepting # socket connections for encrypted HTTPS traffic. If not provided, defaults to # the number of virtual cores on the host divided by 8, with a minimum of 1 and maximum of 4. # # $server_ssl_selector_threads:: This sets the number of selectors that the webserver will dedicate to processing # events on connected sockets for encrypted HTTPS traffic. Defaults to the number of # virtual cores on the host divided by 2, with a minimum of 1 and maximum of 4. 
# The number of selector threads actually used by Jetty is twice the number of selectors # requested. For example, if a value of 3 is specified for the ssl-selector-threads setting, # Jetty will actually use 6 selector threads. # # $server_ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $server_ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # # === Usage: # # * Simple usage: # # include puppet # # * Installing a puppetmaster # # class {'puppet': # server => true, # } # # * Advanced usage: # # class {'puppet': # agent_noop => true, # version => '2.7.20-1', # } # class puppet ( String $version = $puppet::params::version, String $user = $puppet::params::user, String $group = $puppet::params::group, Stdlib::Absolutepath $dir = $puppet::params::dir, Stdlib::Absolutepath $codedir = $puppet::params::codedir, Stdlib::Absolutepath $vardir = $puppet::params::vardir, Stdlib::Absolutepath $logdir = $puppet::params::logdir, Stdlib::Absolutepath $rundir = $puppet::params::rundir, Stdlib::Absolutepath $ssldir = $puppet::params::ssldir, Stdlib::Absolutepath $sharedir = $puppet::params::sharedir, Variant[Boolean, Enum['server', 'agent']] $manage_packages = $puppet::params::manage_packages, Optional[String] $dir_owner = $puppet::params::dir_owner, Optional[String] $dir_group = $puppet::params::dir_group, Optional[String] $package_provider = $puppet::params::package_provider, Optional[Variant[Stdlib::Absolutepath, Stdlib::HTTPUrl]] $package_source = $puppet::params::package_source, Integer[0, 65535] $port = $puppet::params::port, Boolean $listen = $puppet::params::listen, Array[String] $listen_to = $puppet::params::listen_to, Boolean $pluginsync = $puppet::params::pluginsync, Boolean $splay = $puppet::params::splay, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $splaylimit = $puppet::params::splaylimit, Variant[Boolean, Stdlib::Absolutepath] $autosign = 
$puppet::params::autosign, Array[String] $autosign_entries = $puppet::params::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $puppet::params::autosign_mode, Optional[String] $autosign_content = $puppet::params::autosign_content, Optional[String] $autosign_source = $puppet::params::autosign_source, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $runinterval = $puppet::params::runinterval, Boolean $usecacheonfailure = $puppet::params::usecacheonfailure, Enum['cron', 'service', 'systemd.timer', 'none'] $runmode = $puppet::params::runmode, Array[Enum['cron', 'service', 'systemd.timer', 'none']] $unavailable_runmodes = $puppet::params::unavailable_runmodes, Optional[String] $cron_cmd = $puppet::params::cron_cmd, Optional[String] $systemd_cmd = $puppet::params::systemd_cmd, Integer[0] $systemd_randomizeddelaysec = $puppet::params::systemd_randomizeddelaysec, Boolean $agent_noop = $puppet::params::agent_noop, Boolean $show_diff = $puppet::params::show_diff, Optional[Stdlib::HTTPUrl] $module_repository = $puppet::params::module_repository, Optional[Integer[0]] $configtimeout = $puppet::params::configtimeout, Optional[Variant[String, Boolean]] $ca_server = $puppet::params::ca_server, Optional[Integer[0, 65535]] $ca_port = $puppet::params::ca_port, Optional[String] $ca_crl_filepath = $puppet::params::ca_crl_filepath, Optional[String] $prerun_command = $puppet::params::prerun_command, Optional[String] $postrun_command = $puppet::params::postrun_command, Array[String] $dns_alt_names = $puppet::params::dns_alt_names, Boolean $use_srv_records = $puppet::params::use_srv_records, Optional[String] $srv_domain = $puppet::params::srv_domain, String $pluginsource = $puppet::params::pluginsource, String $pluginfactsource = $puppet::params::pluginfactsource, Hash[String, Data] $additional_settings = $puppet::params::additional_settings, Hash[String, Data] $agent_additional_settings = $puppet::params::agent_additional_settings, Optional[String] $agent_restart_command = 
$puppet::params::agent_restart_command, String $classfile = $puppet::params::classfile, String $hiera_config = $puppet::params::hiera_config, String $auth_template = $puppet::params::auth_template, Boolean $allow_any_crl_auth = $puppet::params::allow_any_crl_auth, Array[String] $auth_allowed = $puppet::params::auth_allowed, Variant[String, Array[String]] $client_package = $puppet::params::client_package, Boolean $agent = $puppet::params::agent, Boolean $remove_lock = $puppet::params::remove_lock, Boolean $report = $puppet::params::report, Variant[String, Boolean] $client_certname = $puppet::params::client_certname, Optional[String] $puppetmaster = $puppet::params::puppetmaster, String $systemd_unit_name = $puppet::params::systemd_unit_name, String $service_name = $puppet::params::service_name, Optional[String] $syslogfacility = $puppet::params::syslogfacility, String $environment = $puppet::params::environment, Boolean $server = $puppet::params::server, Array[String] $server_admin_api_whitelist = $puppet::params::server_admin_api_whitelist, Boolean $server_manage_user = $puppet::params::manage_user, String $server_user = $puppet::params::user, String $server_group = $puppet::params::group, String $server_dir = $puppet::params::dir, String $server_ip = $puppet::params::ip, Integer $server_port = $puppet::params::port, Boolean $server_ca = $puppet::params::server_ca, Boolean $server_ca_crl_sync = $puppet::params::server_ca_crl_sync, Optional[Boolean] $server_crl_enable = $puppet::params::server_crl_enable, Boolean $server_ca_auth_required = $puppet::params::server_ca_auth_required, Array[String] $server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $server_custom_trusted_oid_mapping = $puppet::params::server_custom_trusted_oid_mapping, Boolean $server_http = $puppet::params::server_http, Integer $server_http_port = $puppet::params::server_http_port, - Array[String] $server_http_allow = 
$puppet::params::server_http_allow, String $server_reports = $puppet::params::server_reports, - Enum['master', 'puppetserver'] $server_implementation = $puppet::params::server_implementation, - Boolean $server_passenger = $puppet::params::server_passenger, Optional[Stdlib::Absolutepath] $server_puppetserver_dir = $puppet::params::server_puppetserver_dir, Optional[Stdlib::Absolutepath] $server_puppetserver_vardir = $puppet::params::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $server_puppetserver_rundir = $puppet::params::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $server_puppetserver_logdir = $puppet::params::server_puppetserver_logdir, Pattern[/^[\d]\.[\d]+\.[\d]+$/] $server_puppetserver_version = $puppet::params::server_puppetserver_version, - Boolean $server_service_fallback = $puppet::params::server_service_fallback, - Integer[0] $server_passenger_min_instances = $puppet::params::server_passenger_min_instances, - Boolean $server_passenger_pre_start = $puppet::params::server_passenger_pre_start, - Optional[String] $server_passenger_ruby = $puppet::params::server_passenger_ruby, - String $server_httpd_service = $puppet::params::server_httpd_service, Variant[Undef, String[0], Stdlib::Absolutepath] $server_external_nodes = $puppet::params::server_external_nodes, Array[String] $server_cipher_suites = $puppet::params::server_cipher_suites, Optional[String] $server_config_version = $puppet::params::server_config_version, Integer[0] $server_connect_timeout = $puppet::params::server_connect_timeout, Boolean $server_git_repo = $puppet::params::server_git_repo, Boolean $server_dynamic_environments = $puppet::params::server_dynamic_environments, Boolean $server_directory_environments = $puppet::params::server_directory_environments, Boolean $server_default_manifest = $puppet::params::server_default_manifest, Stdlib::Absolutepath $server_default_manifest_path = $puppet::params::server_default_manifest_path, String 
$server_default_manifest_content = $puppet::params::server_default_manifest_content, Array[String] $server_environments = $puppet::params::server_environments, String $server_environments_owner = $puppet::params::server_environments_owner, Optional[String] $server_environments_group = $puppet::params::server_environments_group, Pattern[/^[0-9]{3,4}$/] $server_environments_mode = $puppet::params::server_environments_mode, Stdlib::Absolutepath $server_envs_dir = $puppet::params::server_envs_dir, Optional[Stdlib::Absolutepath] $server_envs_target = $puppet::params::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $server_common_modules_path = $puppet::params::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $server_git_repo_mode = $puppet::params::server_git_repo_mode, Stdlib::Absolutepath $server_git_repo_path = $puppet::params::server_git_repo_path, String $server_git_repo_group = $puppet::params::server_git_repo_group, String $server_git_repo_user = $puppet::params::server_git_repo_user, Hash[String, String] $server_git_branch_map = $puppet::params::server_git_branch_map, Integer[0] $server_idle_timeout = $puppet::params::server_idle_timeout, String $server_post_hook_content = $puppet::params::server_post_hook_content, String $server_post_hook_name = $puppet::params::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $server_storeconfigs_backend = $puppet::params::server_storeconfigs_backend, - Stdlib::Absolutepath $server_app_root = $puppet::params::server_app_root, Array[Stdlib::Absolutepath] $server_ruby_load_paths = $puppet::params::server_ruby_load_paths, Stdlib::Absolutepath $server_ssl_dir = $puppet::params::server_ssl_dir, Boolean $server_ssl_dir_manage = $puppet::params::server_ssl_dir_manage, Boolean $server_ssl_key_manage = $puppet::params::server_ssl_key_manage, Array[String] $server_ssl_protocols = $puppet::params::server_ssl_protocols, Optional[Stdlib::Absolutepath] $server_ssl_chain_filepath 
= $puppet::params::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $server_package = $puppet::params::server_package, Optional[String] $server_version = $puppet::params::server_version, String $server_certname = $puppet::params::server_certname, Enum['v2'] $server_enc_api = $puppet::params::server_enc_api, Enum['v2'] $server_report_api = $puppet::params::server_report_api, Integer[0] $server_request_timeout = $puppet::params::server_request_timeout, Optional[String] $server_ca_proxy = $puppet::params::server_ca_proxy, Boolean $server_strict_variables = $puppet::params::server_strict_variables, Hash[String, Data] $server_additional_settings = $puppet::params::server_additional_settings, - Array[String] $server_rack_arguments = $puppet::params::server_rack_arguments, Boolean $server_foreman = $puppet::params::server_foreman, Stdlib::HTTPUrl $server_foreman_url = $puppet::params::server_foreman_url, Optional[Stdlib::Absolutepath] $server_foreman_ssl_ca = $puppet::params::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $server_foreman_ssl_cert = $puppet::params::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $server_foreman_ssl_key = $puppet::params::server_foreman_ssl_key, Boolean $server_foreman_facts = $puppet::params::server_foreman_facts, Optional[Stdlib::Absolutepath] $server_puppet_basedir = $puppet::params::server_puppet_basedir, Optional[String] $server_puppetdb_host = $puppet::params::server_puppetdb_host, Integer[0, 65535] $server_puppetdb_port = $puppet::params::server_puppetdb_port, Boolean $server_puppetdb_swf = $puppet::params::server_puppetdb_swf, Enum['current', 'future'] $server_parser = $puppet::params::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $server_environment_timeout = $puppet::params::server_environment_timeout, String $server_jvm_java_bin = $puppet::params::server_jvm_java_bin, String $server_jvm_config = $puppet::params::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] 
$server_jvm_min_heap_size = $puppet::params::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $server_jvm_max_heap_size = $puppet::params::server_jvm_max_heap_size, Variant[String,Array[String]] $server_jvm_extra_args = $puppet::params::server_jvm_extra_args, Optional[String] $server_jvm_cli_args = $puppet::params::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $server_jruby_gem_home = $puppet::params::server_jruby_gem_home, Integer[1] $server_max_active_instances = $puppet::params::server_max_active_instances, Integer[0] $server_max_requests_per_instance = $puppet::params::server_max_requests_per_instance, Integer[0] $server_max_queued_requests = $puppet::params::server_max_queued_requests, Integer[0] $server_max_retry_delay = $puppet::params::server_max_retry_delay, Boolean $server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf, Boolean $server_check_for_updates = $puppet::params::server_check_for_updates, Boolean $server_environment_class_cache_enabled = $puppet::params::server_environment_class_cache_enabled, Boolean $server_allow_header_cert_info = $puppet::params::server_allow_header_cert_info, Integer[0] $server_web_idle_timeout = $puppet::params::server_web_idle_timeout, Boolean $server_puppetserver_jruby9k = $puppet::params::server_puppetserver_jruby9k, Boolean $server_puppetserver_metrics = $puppet::params::server_puppetserver_metrics, Boolean $server_metrics_jmx_enable = $::puppet::params::server_metrics_jmx_enable, Boolean $server_metrics_graphite_enable = $::puppet::params::server_metrics_graphite_enable, String $server_metrics_graphite_host = $::puppet::params::server_metrics_graphite_host, Integer $server_metrics_graphite_port = $::puppet::params::server_metrics_graphite_port, String $server_metrics_server_id = $::puppet::params::server_metrics_server_id, Integer $server_metrics_graphite_interval = $::puppet::params::server_metrics_graphite_interval, Optional[Array] $server_metrics_allowed = 
$::puppet::params::server_metrics_allowed, Boolean $server_puppetserver_experimental = $puppet::params::server_puppetserver_experimental, Array[String] $server_puppetserver_trusted_agents = $puppet::params::server_puppetserver_trusted_agents, Optional[Enum['off', 'jit', 'force']] $server_compile_mode = $puppet::params::server_compile_mode, Optional[Integer[1]] $server_acceptor_threads = undef, Optional[Integer[1]] $server_selector_threads = undef, Optional[Integer[1]] $server_ssl_acceptor_threads = undef, Optional[Integer[1]] $server_ssl_selector_threads = undef, Optional[Integer[1]] $server_max_threads = undef, Boolean $server_ca_allow_sans = $puppet::params::server_ca_allow_sans, Boolean $server_ca_allow_auth_extensions = $puppet::params::server_ca_allow_auth_extensions, ) inherits puppet::params { contain puppet::config if $agent == true { contain puppet::agent } if $server == true { contain puppet::server } # Ensure the server is running before the agent needs it, and that # certificates are generated in the server config (if enabled) if $server == true and $agent == true { Class['puppet::server'] -> Class['puppet::agent::service'] } } diff --git a/manifests/params.pp b/manifests/params.pp index 260d399..94213ab 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
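Review bot: dropping `$server_http_allow` while keeping `$server_http` and `$server_http_port` removes the only visible access restriction for the plain-HTTP listener in this class, so the docs for `$server_http` should state what now limits who can reach it (puppetserver's own conf.d/auth.conf and the header-based client authentication that `$server_allow_header_cert_info` controls) and that the HTTP port must only be reachable from the reverse proxy. The other removed parameters (`$server_implementation`, `$server_passenger`, `$server_passenger_min_instances`, `$server_passenger_pre_start`, `$server_passenger_ruby`, `$server_service_fallback`, `$server_httpd_service`, `$server_app_root`, `$server_rack_arguments`) are public class parameters; any caller still passing them gets a compile-time unknown-parameter error, so a changelog or upgrade note listing them is warranted. Minor style: the `$server_metrics_*` defaults use `$::puppet::params::` while every other default in this block uses `$puppet::params::`; worth normalising while the parameter list is being touched.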
@@ -1,484 +1,467 @@ # Default parameters class puppet::params { # Basic config $version = 'present' $manage_user = true $user = 'puppet' $group = 'puppet' $ip = '0.0.0.0' $port = 8140 $listen = false $listen_to = [] $pluginsync = true $splay = false $splaylimit = 1800 $runinterval = 1800 $runmode = 'service' $report = true # Not defined here as the commands depend on module parameter "dir" $cron_cmd = undef $systemd_cmd = undef $agent_noop = false $show_diff = false $module_repository = undef $hiera_config = '$confdir/hiera.yaml' $usecacheonfailure = true $ca_server = undef $ca_port = undef $ca_crl_filepath = undef $server_crl_enable = undef $prerun_command = undef $postrun_command = undef $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false if defined('$::domain') { $srv_domain = $::domain } else { $srv_domain = undef } # lint:ignore:puppet_url_without_modules $pluginsource = 'puppet:///plugins' $pluginfactsource = 'puppet:///pluginfacts' # lint:endignore $classfile = '$statedir/classes.txt' $syslogfacility = undef $environment = $::environment $aio_package = ($::osfamily == 'Windows' or $::rubysitedir =~ /\/opt\/puppetlabs\/puppet/) $deb_naio_package = ($::osfamily == 'Debian') $systemd_randomizeddelaysec = 0 case $::osfamily { 'Windows' : { # Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end $dir_prefix = 'C:/ProgramData/PuppetLabs/puppet' $dir = "${dir_prefix}/etc" $codedir = "${dir_prefix}/etc" $logdir = "${dir_prefix}/var/log" $rundir = "${dir_prefix}/var/run" $ssldir = "${dir_prefix}/etc/ssl" $vardir = "${dir_prefix}/var" $sharedir = "${dir_prefix}/share" $bindir = "${dir_prefix}/bin" $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } /^(FreeBSD|DragonFly)$/ : { $dir = '/usr/local/etc/puppet' $codedir = '/usr/local/etc/puppet' 
$logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/puppet/ssl' $vardir = '/var/puppet' $sharedir = '/usr/local/share/puppet' $bindir = '/usr/local/bin' $root_group = undef $server_puppetserver_dir = '/usr/local/etc/puppetserver' $server_puppetserver_vardir = '/var/puppet/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetserver' $server_puppetserver_logdir = '/var/log/puppetserver' $ruby_gem_dir = regsubst($::rubyversion, '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$::rubysitedir, "${ruby_gem_dir}/facter-${::facterversion}/lib"] $server_jruby_gem_home = '/var/puppet/server/data/puppetserver/jruby-gems' } 'Archlinux' : { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/usr/bin' $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } default : { if $aio_package { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/opt/puppetlabs/bin' $server_puppetserver_dir = '/etc/puppetlabs/puppetserver' $server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetlabs/puppetserver' $server_puppetserver_logdir = '/var/log/puppetlabs/puppetserver' $server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby'] $server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems' } else { $dir = '/etc/puppet' $codedir = $deb_naio_package ? 
{ true => '/etc/puppet/code', false => '/etc/puppet', } $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/lib/puppet/ssl' $vardir = '/var/lib/puppet' $sharedir = '/usr/share/puppet' $bindir = '/usr/bin' $server_puppetserver_dir = '/etc/puppetserver' $server_puppetserver_vardir = $vardir $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = '/var/lib/puppet/jruby-gems' } $root_group = undef } } $configtimeout = undef $autosign = "${dir}/autosign.conf" $autosign_entries = [] $autosign_mode = '0664' $autosign_content = undef $autosign_source = undef $puppet_cmd = "${bindir}/puppet" $puppetserver_cmd = "${bindir}/puppetserver" $manage_packages = true if $::osfamily == 'Windows' { $dir_owner = undef $dir_group = undef } elsif $aio_package or $::osfamily == 'Suse' { $dir_owner = 'root' $dir_group = $root_group } else { $dir_owner = $user $dir_group = $group } $package_provider = $::osfamily ? { 'windows' => 'chocolatey', default => undef, } $package_source = undef # Need your own config templates? Specify here: $auth_template = 'puppet/auth.conf.erb' # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false # Authenticated nodes to allow $auth_allowed = ['$1'] # Will this host be a puppet agent ? $agent = true $remove_lock = true $client_certname = $::clientcert if defined('$::puppetmaster') { $puppetmaster = $::puppetmaster } else { $puppetmaster = undef } # Hashes containing additional settings $additional_settings = {} $agent_additional_settings = {} $server_additional_settings = {} # Will this host be a puppetmaster? 
$server = false $server_ca = true $server_ca_crl_sync = false $server_reports = 'foreman' - $server_passenger = true - $server_service_fallback = true - $server_passenger_min_instances = abs($::processorcount) - $server_passenger_pre_start = true - $server_passenger_ruby = undef - $server_httpd_service = 'httpd' $server_external_nodes = "${dir}/node.rb" $server_enc_api = 'v2' $server_report_api = 'v2' $server_request_timeout = 60 $server_ca_proxy = undef $server_certname = $::clientcert $server_strict_variables = false - $server_rack_arguments = [] $server_http = false $server_http_port = 8139 - $server_http_allow = [] - - # use puppetserver (JVM) or puppet master (Ruby)? - $server_implementation = $aio_package ? { - true => 'puppetserver', - default => 'master', - } # Need a new master template for the server? $server_template = 'puppet/server/puppet.conf.erb' # Template for server settings in [main] $server_main_template = 'puppet/server/puppet.conf.main.erb' # The script that is run to determine the reported manifest version. Undef # means we determine it in server.pp $server_config_version = undef # Set 'false' for static environments, or 'true' for git-based workflow $server_git_repo = false # Git branch to puppet env mapping for the post receive hook $server_git_branch_map = {} # Static environments config, ignore if the git_repo or dynamic_environments is 'true' # What environments do we have $server_environments = ['development', 'production'] # Dynamic environments config (deprecated when directory_environments is true) $server_dynamic_environments = false # Directory environments config $server_directory_environments = true # Owner of the environments dir: for cases external service needs write # access to manage it. 
$server_environments_owner = $user $server_environments_group = $root_group $server_environments_mode = '0755' # Where we store our puppet environments $server_envs_dir = "${codedir}/environments" $server_envs_target = undef # Modules in this directory would be shared across all environments $server_common_modules_path = unique(["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules']) # Dynamic environments config, ignore if the git_repo is 'false' # Path to the repository $server_git_repo_path = "${vardir}/puppet.git" # mode of the repository $server_git_repo_mode = '0755' # user of the repository $server_git_repo_user = $user # group of the repository $server_git_repo_group = $user # Override these if you need your own hooks $server_post_hook_content = 'puppet/server/post-receive.erb' $server_post_hook_name = 'post-receive' $server_custom_trusted_oid_mapping = undef # PuppetDB config $server_puppetdb_host = undef $server_puppetdb_port = 8081 $server_puppetdb_swf = false # Do you use storeconfigs? (note: not required) # - undef if you don't # - active_record for 2.X style db # - puppetdb for puppetdb $server_storeconfigs_backend = undef - # Passenger config - $server_app_root = "${dir}/rack" $server_ssl_dir = $ssldir - $server_package = undef $server_version = undef if $aio_package { $client_package = ['puppet-agent'] } elsif $::osfamily == 'Debian' { $client_package = $deb_naio_package ? 
{ true => ['puppet'], default => ['puppet-common', 'puppet'] } } elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) { if (versioncmp($::puppetversion, '5.0') > 0) { $client_package = ['puppet5'] } else { $client_package = ['puppet4'] } } else { $client_package = ['puppet'] } # Puppet service name $service_name = 'puppet' # Puppet onedshot systemd service and timer name $systemd_unit_name = 'puppet-run' # Mechanisms to manage and reload/restart the agent # If supported on the OS, reloading is prefered since it does not kill a currently active puppet run case $::osfamily { 'Debian' : { $agent_restart_command = "/usr/sbin/service ${service_name} reload" if ($::operatingsystem == 'Debian' or $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '15.04') >= 0) { $unavailable_runmodes = [] } else { $unavailable_runmodes = ['systemd.timer'] } } 'Redhat' : { # PSBM is a CentOS 6 based distribution # it reports its $osreleasemajor as 2, not 6. # thats why we're matching for '2' in both parts # Amazon Linux is like RHEL6 but reports its osreleasemajor as 2017. $osreleasemajor = regsubst($::operatingsystemrelease, '^(\d+)\..*$', '\1') # workaround for the possibly missing operatingsystemmajrelease $agent_restart_command = $osreleasemajor ? { /^(2|5|6|2017)$/ => "/sbin/service ${service_name} reload", '7' => "/usr/bin/systemctl reload-or-restart ${service_name}", default => undef, } $unavailable_runmodes = $osreleasemajor ? { /^(2|5|6|2017)$/ => ['systemd.timer'], default => [], } } 'Windows': { $agent_restart_command = undef $unavailable_runmodes = ['cron', 'systemd.timer'] } 'Archlinux': { $agent_restart_command = "/usr/bin/systemctl reload-or-restart ${service_name}" $unavailable_runmodes = ['cron'] } default : { $agent_restart_command = undef $unavailable_runmodes = ['systemd.timer'] } } # Foreman parameters $lower_fqdn = downcase($::fqdn) $server_foreman = true $server_foreman_facts = true $server_puppet_basedir = $aio_package ? 
{ true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet', false => undef, } $server_foreman_url = "https://${lower_fqdn}" $server_foreman_ssl_ca = undef $server_foreman_ssl_cert = undef $server_foreman_ssl_key = undef # Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser $server_parser = 'current' # Timeout for cached environments, changed in puppet 3.7.x $server_environment_timeout = undef # puppet server configuration file $server_jvm_config = $::osfamily ? { 'RedHat' => '/etc/sysconfig/puppetserver', 'Debian' => '/etc/default/puppetserver', default => '/etc/default/puppetserver', } $server_jvm_java_bin = '/usr/bin/java' if versioncmp($::puppetversion, '5.0.0') < 0 { $server_jvm_extra_args = '-XX:MaxPermSize=256m' } else { $server_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } $server_jvm_cli_args = undef # This is some very trivial "tuning". See the puppet reference: # https://docs.puppet.com/puppetserver/latest/tuning_guide.html if ($::memorysize_mb =~ String) { $mem_in_mb = scanf($::memorysize_mb, '%i')[0] } else { $mem_in_mb = 0 + $::memorysize_mb } if $mem_in_mb >= 3072 { $server_jvm_min_heap_size = '2G' $server_jvm_max_heap_size = '2G' $server_max_active_instances = min(abs($::processorcount), 4) } elsif $mem_in_mb >= 1024 { $server_max_active_instances = 1 $server_jvm_min_heap_size = '1G' $server_jvm_max_heap_size = '1G' } else { # VMs with 1GB RAM and a crash kernel enabled usually have an effective 992MB RAM $server_max_active_instances = 1 $server_jvm_min_heap_size = '768m' $server_jvm_max_heap_size = '768m' } $server_ssl_dir_manage = true $server_ssl_key_manage = true $server_default_manifest = false $server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp' $server_default_manifest_content = '' # lint:ignore:empty_string_assignment $server_max_requests_per_instance = 0 $server_max_queued_requests = 0 $server_max_retry_delay = 1800 
$server_idle_timeout = 1200000 $server_web_idle_timeout = 30000 $server_connect_timeout = 120000 $server_ca_auth_required = true $server_admin_api_whitelist = [ 'localhost', $lower_fqdn ] $server_ca_client_whitelist = [ 'localhost', $lower_fqdn ] $server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA' ] $server_ssl_protocols = [ 'TLSv1.2' ] $server_ssl_chain_filepath = "${server_ssl_dir}/ca/ca_crt.pem" $server_check_for_updates = true $server_environment_class_cache_enabled = false $server_allow_header_cert_info = false $server_ca_allow_sans = false $server_ca_allow_auth_extensions = false # Puppetserver >= 2.2 Which auth.conf shall we use? $server_use_legacy_auth_conf = false # For Puppetserver, certain configuration parameters are version specific. We assume a particular version here. if versioncmp($::puppetversion, '5.5.7') >= 0 { $server_puppetserver_version = '5.3.6' } elsif versioncmp($::puppetversion, '5.5.0') >= 0 { $server_puppetserver_version = '5.3.0' } elsif versioncmp($::puppetversion, '5.1.0') >= 0 { $server_puppetserver_version = '5.1.0' } elsif versioncmp($::puppetversion, '5.0.0') >= 0 { $server_puppetserver_version = '5.0.0' } else { $server_puppetserver_version = '2.7.0' } # For Puppetserver 5, use JRuby 9k? $server_puppetserver_jruby9k = false # this switch also controls Ruby profiling, by default disabled for Puppetserver 2.x, enabled for 5.x $server_puppetserver_metrics = versioncmp($::puppetversion, '5.0.0') >= 0 # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false $server_metrics_graphite_host = '127.0.0.1' $server_metrics_graphite_port = 2003 $server_metrics_server_id = $lower_fqdn $server_metrics_graphite_interval = 5 $server_metrics_allowed = undef # For Puppetserver 5, should the /puppet/experimental route be enabled? 
$server_puppetserver_experimental = true # Normally agents can only fetch their own catalogs. If you want some nodes to be able to fetch *any* catalog, add them here. $server_puppetserver_trusted_agents = [] } diff --git a/manifests/server.pp b/manifests/server.pp index 603983c..97977be 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
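Review bot: with the `$server_implementation` selection gone, puppetserver is the only implementation this class configures, yet the non-AIO `else` branch still sets `$server_puppetserver_dir = '/etc/puppetserver'`, `$server_puppetserver_vardir = $vardir` and `$server_jruby_gem_home = '/var/lib/puppet/jruby-gems'` with `rundir`/`logdir` left `undef`; either add a comment saying which distribution packages those non-AIO puppetserver paths apply to, or verify them against the generated config, since they were previously only reached when `$server_implementation` was explicitly set to `puppetserver`. The removed `$server_http_allow = []` default meant deny-all for the HTTP listener; the remaining `$server_http = false` and `$server_http_port = 8139` defaults should get a comment saying that access control for HTTP now comes from puppetserver's auth.conf rather than an Apache allow list. While this hunk touches the surrounding comments, fix the typos `onedshot` (oneshot) and `prefered` (preferred).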
@@ -1,529 +1,451 @@ # == Class: puppet::server # # Sets up a puppet master. # # == puppet::server parameters # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. # # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $hiera_config:: The hiera configuration file. # # $manage_user:: Whether to manage the puppet user resource # # $user:: Name of the puppetmaster user. # # $group:: Name of the puppetmaster group. # # $dir:: Puppet configuration directory # # $ip:: Bind ip address of the puppetmaster # # $port:: Puppet master port # # $ca:: Provide puppet CA # # $ca_crl_filepath:: Path to ca_crl file # # $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to # be agents of the CA master (MOM) defaults to false # # $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults # to false # # $http:: Should the puppet master listen on HTTP as well as HTTPS. -# Useful for load balancer or reverse proxy scenarios. Note that -# the HTTP puppet master denies access from all clients by default, -# allowed clients must be specified with $http_allow. +# Useful for load balancer or reverse proxy scenarios. 
# # $http_port:: Puppet master HTTP port; defaults to 8139. # -# $http_allow:: Array of allowed clients for the HTTP puppet master. Passed -# to Apache's 'Allow' directive. -# # $reports:: List of report types to include on the puppetmaster # -# $implementation:: Puppet master implementation, either "master" (traditional -# Ruby) or "puppetserver" (JVM-based) -# -# $passenger:: If set to true, we will configure apache with -# passenger. If set to false, we will enable the -# default puppetmaster service unless -# service_fallback is set to false. See 'Advanced -# server parameters' for more information. -# Only applicable when server_implementation is "master". -# # $external_nodes:: External nodes classifier executable # # $git_repo:: Use git repository as a source of modules # # $dynamic_environments:: Use $environment in the modulepath # Deprecated when $directory_environments is true, # set $environments to [] instead. # # $directory_environments:: Enable directory environments, defaulting to true # with Puppet 3.6.0 or higher # # $environments:: Environments to setup (creates directories). # Applies only when $dynamic_environments # is false # # $environments_owner:: The owner of the environments directory # # $environments_group:: The group owning the environments directory # # $environments_mode:: Environments directory mode. 
# # $envs_dir:: Directory that holds puppet environments # # $envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $common_modules_path:: Common modules paths (only when # $git_repo_path and $dynamic_environments # are false) # # $git_repo_path:: Git repository path # # $git_repo_mode:: Git repository mode # # $git_repo_group:: Git repository group # # $git_repo_user:: Git repository user # # $git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $post_hook_content:: Which template to use for git post hook # # $post_hook_name:: Name of a git hook # # $storeconfigs_backend:: Do you use storeconfigs? (note: not required) # false if you don't, "active_record" for 2.X # style db, "puppetdb" for puppetdb # -# $app_root:: Directory where the application lives -# # $ssl_dir:: SSL directory # # $package:: Custom package name for puppet master # # $version:: Custom package version for puppet master # # $certname:: The name to use when handling certificates. # # $strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # -# $rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and -# --vardir. The default is an empty array. -# # $puppetdb_host:: PuppetDB host # # $puppetdb_port:: PuppetDB port # # $puppetdb_swf:: PuppetDB soft_write_failure # # $parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # === Advanced server parameters: # -# $httpd_service:: Apache/httpd service name to notify -# on configuration changes. Defaults -# to 'httpd' based on the default -# apache module included with foreman-installer. -# -# $service_fallback:: If passenger is not used, do we want to fallback -# to using the puppetmaster service? 
Set to false -# if you disabled passenger and you do NOT want to -# use the puppetmaster service. Defaults to true. -# -# $passenger_min_instances:: The PassengerMinInstances parameter. Sets the -# minimum number of application processes to run. -# Defaults to the number of processors on your -# system. -# -# $passenger_pre_start:: Pre-start the first passenger worker instance -# process during httpd start. -# -# $passenger_ruby:: The PassengerRuby parameter. Sets the Ruby -# interpreter for serving the puppetmaster rack -# application. -# # $config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. # # $server_foreman_facts:: Should foreman receive facts from puppet # # $foreman:: Should foreman integration be installed # # $foreman_url:: Foreman URL # # $foreman_ssl_ca:: SSL CA of the Foreman server # # $foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $foreman_ssl_key:: Key for authenticating against Foreman server # # $puppet_basedir:: Where is the puppet code base located # # $enc_api:: What version of enc script to deploy. Valid # values are 'v2' for latest, and 'v1' # for Foreman =< 1.2 # # $report_api:: What version of report processor to deploy. # Valid values are 'v2' for latest, and 'v1' # for Foreman =< 1.2 # # $request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $ca_proxy:: The actual server that handles puppet CA. # Setting this to anything non-empty causes # the apache vhost to set up a proxy for all # certificates pointing to the value. # # $jvm_java_bin:: Set the default java to use. # # $jvm_config:: Specify the puppetserver jvm configuration file. # # $jvm_min_heap_size:: Specify the minimum jvm heap space. # # $jvm_max_heap_size:: Specify the maximum jvm heap space. 
# # $jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. # default to ['$1'] # # $default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $default_manifest_path:: A string setting the path to the default_manifest # # $default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $puppetserver_vardir:: The path of the puppetserver var dir # # $puppetserver_dir:: The path of the puppetserver config dir # # $puppetserver_version:: The version of puppetserver 2 installed (or being installed) # Unfortunately, different versions of puppetserver need configuring differently, # and there's no easy way of determining which version is being installed. # Defaults to '2.3.1' but can be overriden if you're installing an older version. # # $max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $max_requests_per_instance:: Max number of requests per jruby instance. 
Defaults to 0 (disabled) # # $idle_timeout:: How long the server will wait for a response on an existing connection # # $connect_timeout:: How long the server will wait for a response to a connection attempt # # $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed. # Defaults to the Jetty default of 30s # # $ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $ssl_chain_filepath:: Path to certificate chain for puppetserver # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef # Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # # $admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? # Defaults to false (the puppetserver will use its own conf.d/auth.conf) # # $allow_header_cert_info:: Allow client authentication over HTTP Headers # Defaults to false, is also activated by the $http setting # # $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? 
# Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # # $metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # # $puppetserver_trusted_agents:: Certificate names of agents that are allowed to fetch *all* catalogs. Defaults to empty array # # # $ca_allow_sans:: Allow CA to sign certificate requests that have Subject Alternative Names # Defaults to false # # $ca_allow_auth_extensions:: Allow CA to sign certificate requests that have authorization extensions # Defaults to false # class puppet::server( Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign, Array[String] $autosign_entries = $::puppet::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $::puppet::autosign_mode, Optional[String] $autosign_content = $::puppet::autosign_content, Optional[String] $autosign_source = $::puppet::autosign_source, String $hiera_config = $::puppet::hiera_config, Array[String] $admin_api_whitelist = $::puppet::server_admin_api_whitelist, Boolean $manage_user = $::puppet::server_manage_user, String $user = $::puppet::server_user, String $group = $::puppet::server_group, String $dir = $::puppet::server_dir, Stdlib::Absolutepath $codedir = $::puppet::codedir, Integer $port = $::puppet::server_port, String $ip = $::puppet::server_ip, Boolean $ca = 
$::puppet::server_ca, Optional[String] $ca_crl_filepath = $::puppet::ca_crl_filepath, Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync, Optional[Boolean] $crl_enable = $::puppet::server_crl_enable, Boolean $ca_auth_required = $::puppet::server_ca_auth_required, Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist, Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $::puppet::server_custom_trusted_oid_mapping, Boolean $http = $::puppet::server_http, Integer $http_port = $::puppet::server_http_port, - Array[String] $http_allow = $::puppet::server_http_allow, String $reports = $::puppet::server_reports, - Enum['master', 'puppetserver'] $implementation = $::puppet::server_implementation, - Boolean $passenger = $::puppet::server_passenger, Stdlib::Absolutepath $puppetserver_vardir = $::puppet::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $puppetserver_rundir = $::puppet::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $puppetserver_logdir = $::puppet::server_puppetserver_logdir, Stdlib::Absolutepath $puppetserver_dir = $::puppet::server_puppetserver_dir, Pattern[/^[\d]\.[\d]+\.[\d]+$/] $puppetserver_version = $::puppet::server_puppetserver_version, - Boolean $service_fallback = $::puppet::server_service_fallback, - Integer[0] $passenger_min_instances = $::puppet::server_passenger_min_instances, - Boolean $passenger_pre_start = $::puppet::server_passenger_pre_start, - Optional[String] $passenger_ruby = $::puppet::server_passenger_ruby, - String $httpd_service = $::puppet::server_httpd_service, Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $::puppet::server_external_nodes, Array[String] $cipher_suites = $::puppet::server_cipher_suites, Optional[String] $config_version = $::puppet::server_config_version, Integer[0] $connect_timeout = $::puppet::server_connect_timeout, Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout, Boolean $git_repo = $::puppet::server_git_repo, 
Boolean $dynamic_environments = $::puppet::server_dynamic_environments, Boolean $directory_environments = $::puppet::server_directory_environments, Boolean $default_manifest = $::puppet::server_default_manifest, Stdlib::Absolutepath $default_manifest_path = $::puppet::server_default_manifest_path, String $default_manifest_content = $::puppet::server_default_manifest_content, Array[String] $environments = $::puppet::server_environments, String $environments_owner = $::puppet::server_environments_owner, Optional[String] $environments_group = $::puppet::server_environments_group, Pattern[/^[0-9]{3,4}$/] $environments_mode = $::puppet::server_environments_mode, Stdlib::Absolutepath $envs_dir = $::puppet::server_envs_dir, Optional[Stdlib::Absolutepath] $envs_target = $::puppet::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $::puppet::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $::puppet::server_git_repo_mode, Stdlib::Absolutepath $git_repo_path = $::puppet::server_git_repo_path, String $git_repo_group = $::puppet::server_git_repo_group, String $git_repo_user = $::puppet::server_git_repo_user, Hash[String, String] $git_branch_map = $::puppet::server_git_branch_map, Integer[0] $idle_timeout = $::puppet::server_idle_timeout, String $post_hook_content = $::puppet::server_post_hook_content, String $post_hook_name = $::puppet::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $storeconfigs_backend = $::puppet::server_storeconfigs_backend, - Stdlib::Absolutepath $app_root = $::puppet::server_app_root, Array[Stdlib::Absolutepath] $ruby_load_paths = $::puppet::server_ruby_load_paths, Stdlib::Absolutepath $ssl_dir = $::puppet::server_ssl_dir, Boolean $ssl_dir_manage = $::puppet::server_ssl_dir_manage, Boolean $ssl_key_manage = $::puppet::server_ssl_key_manage, Array[String] $ssl_protocols = $::puppet::server_ssl_protocols, Optional[Stdlib::Absolutepath] $ssl_chain_filepath 
= $::puppet::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $package = $::puppet::server_package, Optional[String] $version = $::puppet::server_version, String $certname = $::puppet::server_certname, Enum['v2', 'v1'] $enc_api = $::puppet::server_enc_api, Enum['v2', 'v1'] $report_api = $::puppet::server_report_api, Integer[0] $request_timeout = $::puppet::server_request_timeout, Optional[String] $ca_proxy = $::puppet::server_ca_proxy, Boolean $strict_variables = $::puppet::server_strict_variables, Hash[String, Data] $additional_settings = $::puppet::server_additional_settings, - Array[String] $rack_arguments = $::puppet::server_rack_arguments, Boolean $foreman = $::puppet::server_foreman, Stdlib::HTTPUrl $foreman_url = $::puppet::server_foreman_url, Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $::puppet::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $foreman_ssl_key = $::puppet::server_foreman_ssl_key, Boolean $server_foreman_facts = $::puppet::server_foreman_facts, Optional[Stdlib::Absolutepath] $puppet_basedir = $::puppet::server_puppet_basedir, Optional[String] $puppetdb_host = $::puppet::server_puppetdb_host, Integer[0, 65535] $puppetdb_port = $::puppet::server_puppetdb_port, Boolean $puppetdb_swf = $::puppet::server_puppetdb_swf, Enum['current', 'future'] $parser = $::puppet::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $::puppet::server_environment_timeout, String $jvm_java_bin = $::puppet::server_jvm_java_bin, String $jvm_config = $::puppet::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $::puppet::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $::puppet::server_jvm_max_heap_size, Variant[String,Array[String]] $jvm_extra_args = $::puppet::server_jvm_extra_args, Optional[String] $jvm_cli_args = $::puppet::server_jvm_cli_args, 
Optional[Stdlib::Absolutepath] $jruby_gem_home = $::puppet::server_jruby_gem_home, Integer[1] $max_active_instances = $::puppet::server_max_active_instances, Integer[0] $max_requests_per_instance = $::puppet::server_max_requests_per_instance, Integer[0] $max_queued_requests = $puppet::server_max_queued_requests, Integer[0] $max_retry_delay = $puppet::server_max_retry_delay, Boolean $use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $::puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $::puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $::puppet::server_allow_header_cert_info, Boolean $puppetserver_jruby9k = $::puppet::server_puppetserver_jruby9k, Boolean $puppetserver_metrics = $::puppet::server_puppetserver_metrics, Boolean $metrics_jmx_enable = $::puppet::server_metrics_jmx_enable, Boolean $metrics_graphite_enable = $::puppet::server_metrics_graphite_enable, String $metrics_graphite_host = $::puppet::server_metrics_graphite_host, Integer $metrics_graphite_port = $::puppet::server_metrics_graphite_port, String $metrics_server_id = $::puppet::server_metrics_server_id, Integer $metrics_graphite_interval = $::puppet::server_metrics_graphite_interval, Variant[Undef, Array] $metrics_allowed = $::puppet::server_metrics_allowed, Boolean $puppetserver_experimental = $::puppet::server_puppetserver_experimental, Array[String] $puppetserver_trusted_agents = $::puppet::server_puppetserver_trusted_agents, Optional[Enum['off', 'jit', 'force']] $compile_mode = $::puppet::server_compile_mode, Optional[Integer[1]] $selector_threads = $::puppet::server_selector_threads, Optional[Integer[1]] $acceptor_threads = $::puppet::server_acceptor_threads, Optional[Integer[1]] $ssl_selector_threads = $::puppet::server_ssl_selector_threads, Optional[Integer[1]] $ssl_acceptor_threads = $::puppet::server_ssl_acceptor_threads, Optional[Integer[1]] $max_threads = $::puppet::server_max_threads, 
Boolean $ca_allow_sans = $::puppet::server_ca_allow_sans, Boolean $ca_allow_auth_extensions = $::puppet::server_ca_allow_auth_extensions, ) { - if $implementation == 'master' and $ip != $puppet::params::ip { - notify { - 'ip_not_supported': - message => "Bind IP address is unsupported for the ${implementation} implementation.", - loglevel => 'warning', - } - } - if $ca { $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" $ssl_chain = $ssl_chain_filepath $crl_enable_real = pick($crl_enable, true) } else { $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") $ssl_chain = false $crl_enable_real = pick($crl_enable, false) } $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" if $config_version == undef { if $git_repo { $config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long" } else { $config_version_cmd = undef } } else { $config_version_cmd = $config_version } - if $implementation == 'master' { - $pm_service = !$passenger and $service_fallback - $ps_service = undef - $rack_service = $passenger - } elsif $implementation == 'puppetserver' { - $pm_service = undef - $ps_service = true - $rack_service = false - } - - class { 'puppet::server::service': - app_root => $app_root, - httpd_service => $httpd_service, - puppetmaster => $pm_service, - puppetserver => $ps_service, - rack => $rack_service, - } - contain puppet::server::install contain puppet::server::config contain puppet::server::service Class['puppet::server::install'] ~> Class['puppet::server::config'] Class['puppet::config', 'puppet::server::config'] ~> Class['puppet::server::service'] } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index fa17691..640cc66 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
@@ -1,333 +1,323 @@ # Set up the puppet server config class puppet::server::config inherits puppet::config { - if $::puppet::server::passenger and $::puppet::server::implementation == 'master' { - contain 'puppet::server::passenger' - } - - if $::puppet::server::implementation == 'puppetserver' { - contain 'puppet::server::puppetserver' - unless empty($::puppet::server::puppetserver_vardir) { - puppet::config::master { - 'vardir': value => $::puppet::server::puppetserver_vardir; - } + contain 'puppet::server::puppetserver' + unless empty($::puppet::server::puppetserver_vardir) { + puppet::config::master { + 'vardir': value => $::puppet::server::puppetserver_vardir; } - unless empty($::puppet::server::puppetserver_rundir) { - puppet::config::master { - 'rundir': value => $::puppet::server::puppetserver_rundir; - } + } + unless empty($::puppet::server::puppetserver_rundir) { + puppet::config::master { + 'rundir': value => $::puppet::server::puppetserver_rundir; } - unless empty($::puppet::server::puppetserver_logdir) { - puppet::config::master { - 'logdir': value => $::puppet::server::puppetserver_logdir; - } + } + unless empty($::puppet::server::puppetserver_logdir) { + puppet::config::master { + 'logdir': value => $::puppet::server::puppetserver_logdir; } } # Mirror the relationship, as defined() is parse-order dependent # Ensures puppetmasters certs are generated before the proxy is needed if defined(Class['foreman_proxy::config']) and $foreman_proxy::ssl { Class['puppet::server::config'] ~> Class['foreman_proxy::config'] Class['puppet::server::config'] ~> Class['foreman_proxy::service'] } # And before Foreman's cert-using service needs it if defined(Class['foreman::service']) and $foreman::ssl { Class['puppet::server::config'] -> Class['foreman::service'] } ## General configuration $ca_server = $::puppet::ca_server $ca_port = $::puppet::ca_port $server_storeconfigs_backend = $::puppet::server::storeconfigs_backend $server_external_nodes = 
$::puppet::server::external_nodes $server_environment_timeout = $::puppet::server::environment_timeout if $server_external_nodes and $server_external_nodes != '' { class{ '::puppet::server::enc': enc_path => $server_external_nodes, } } $autosign = ($::puppet::server::autosign =~ Boolean)? { true => $::puppet::server::autosign, false => "${::puppet::server::autosign} { mode = ${::puppet::server::autosign_mode} }" } puppet::config::main { 'reports': value => $::puppet::server::reports; } if $::puppet::server::hiera_config and !empty($::puppet::server::hiera_config){ puppet::config::main { 'hiera_config': value => $::puppet::server::hiera_config; } } if $puppet::server::directory_environments { puppet::config::main { 'environmentpath': value => $puppet::server::envs_dir; } } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { puppet::config::main { 'basemodulepath': value => $puppet::server::common_modules_path, joiner => ':'; } } if $puppet::server::default_manifest { puppet::config::main { 'default_manifest': value => $puppet::server::default_manifest_path; } } puppet::config::master { 'autosign': value => $autosign; 'ca': value => $::puppet::server::ca; 'certname': value => $::puppet::server::certname; 'parser': value => $::puppet::server::parser; 'strict_variables': value => $::puppet::server::strict_variables; } if $::puppet::server::ssl_dir_manage { puppet::config::master { 'ssldir': value => $::puppet::server::ssl_dir; } } if $server_environment_timeout { puppet::config::master { 'environment_timeout': value => $server_environment_timeout; } } if $server_storeconfigs_backend { puppet::config::master { 'storeconfigs': value => true; 'storeconfigs_backend': value => $server_storeconfigs_backend; } } if !$::puppet::server::directory_environments and ($::puppet::server::git_repo or $::puppet::server::dynamic_environments) { puppet::config::master { 'manifest': value => 
"${::puppet::server::envs_dir}/\$environment/manifests/site.pp"; 'modulepath': value => "${::puppet::server::envs_dir}/\$environment/modules"; } if $::puppet::server::config_version_cmd { puppet::config::master { 'config_version': value => $::puppet::server::config_version_cmd; } } } $::puppet::server_additional_settings.each |$key,$value| { puppet::config::master { $key: value => $value } } file { "${puppet::vardir}/reports": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', } if '/usr/share/puppet/modules' in $puppet::server::common_modules_path { # Create Foreman share dir which does not depend on Puppet version exec { 'mkdir -p /usr/share/puppet/modules': creates => '/usr/share/puppet/modules', path => ['/usr/bin', '/bin'], } } ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${::puppet::server::ssl_dir}/private_keys": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', require => Exec['puppet_server_config-create_ssl_dir'], } if $puppet::server::ssl_key_manage { file { "${::puppet::server::ssl_dir}/private_keys/${::puppet::server::certname}.pem": owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0640', } } if $puppet::server::custom_trusted_oid_mapping { $_custom_trusted_oid_mapping = { oid_mapping => $puppet::server::custom_trusted_oid_mapping, } file { "${::puppet::dir}/custom_trusted_oid_mapping.yaml": ensure => file, owner => 'root', group => $::puppet::params::root_group, mode => '0644', content => to_yaml($_custom_trusted_oid_mapping), } } # If the ssl dir is not the default dir, it needs to be created before running # the generate ca cert or it will fail. 
exec {'puppet_server_config-create_ssl_dir': creates => $::puppet::server::ssl_dir, command => "/bin/mkdir -p ${::puppet::server::ssl_dir}", umask => '0022', } # Generate a new CA and host cert if our host cert doesn't exist if $::puppet::server::ca { if versioncmp($::puppetversion, '6.0') > 0 { $command = "${::puppet::puppetserver_cmd} ca setup" } else { $command = "${::puppet::puppet_cmd} cert --generate ${::puppet::server::certname} --allow-dns-alt-names" } exec {'puppet_server_config-generate_ca_cert': creates => $::puppet::server::ssl_cert, command => $command, umask => '0022', require => [ Concat["${::puppet::server::dir}/puppet.conf"], Exec['puppet_server_config-create_ssl_dir'], ], } } elsif $::puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca master if defined('$::servername') { file { $::puppet::server::ssl_ca_crl: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0644', content => file($::settings::cacrl, $::settings::hostcrl, '/dev/null'), } } } - if $::puppet::server::passenger and $::puppet::server::implementation == 'master' and $::puppet::server::ca { - Exec['puppet_server_config-generate_ca_cert'] ~> Service[$::puppet::server::httpd_service] - } - # autosign file if $::puppet::server_ca and !($puppet::server::autosign =~ Boolean) { if $::puppet::server::autosign_content or $::puppet::server::autosign_source { if !empty($::puppet::server::autosign_entries) { fail('Cannot set both autosign_content/autosign_source and autosign_entries') } $autosign_content = $::puppet::server::autosign_content } elsif !empty($::puppet::server::autosign_entries) { $autosign_content = template('puppet/server/autosign.conf.erb') } else { $autosign_content = undef } file { $::puppet::server::autosign: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => $::puppet::server::autosign_mode, content => $autosign_content, source => $::puppet::server::autosign_source, } } # 
only manage this file if we provide content if $::puppet::server::default_manifest and $::puppet::server::default_manifest_content != '' { file { $::puppet::server::default_manifest_path: ensure => file, owner => $puppet::user, group => $puppet::group, mode => '0644', content => $::puppet::server::default_manifest_content, } } ## Environments # location where our puppet environments are located if $::puppet::server::envs_target and $::puppet::server::envs_target != '' { $ensure = 'link' } else { $ensure = 'directory' } file { $::puppet::server::envs_dir: ensure => $ensure, owner => $::puppet::server::environments_owner, group => $::puppet::server::environments_group, mode => $::puppet::server::environments_mode, target => $::puppet::server::envs_target, force => true, } if $::puppet::server::git_repo { # need to chown the $vardir before puppet does it, or else # we can't write puppet.git/ on the first run include ::git git::repo { 'puppet_repo': bare => true, target => $::puppet::server::git_repo_path, mode => $::puppet::server::git_repo_mode, user => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, require => File[$::puppet::server::envs_dir], } $git_branch_map = $::puppet::server::git_branch_map # git post hook to auto generate an environment per branch file { "${::puppet::server::git_repo_path}/hooks/${::puppet::server::post_hook_name}": content => template($::puppet::server::post_hook_content), owner => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, mode => $::puppet::server::git_repo_mode, require => Git::Repo['puppet_repo'], } } elsif ! 
$::puppet::server::dynamic_environments { file { $puppet::sharedir: ensure => directory, } if $::puppet::server::common_modules_path and $::puppet::server::common_modules_path != '' { file { $::puppet::server::common_modules_path: ensure => directory, owner => $::puppet::server_environments_owner, group => $::puppet::server_environments_group, mode => $::puppet::server_environments_mode, } } # setup empty directories for our environments puppet::server::env {$::puppet::server::environments: } } ## Foreman if $::puppet::server::foreman { # Include foreman components for the puppetmaster # ENC script, reporting script etc. class { 'foreman::puppetmaster': foreman_url => $::puppet::server::foreman_url, receive_facts => $::puppet::server::server_foreman_facts, puppet_home => $::puppet::server::puppetserver_vardir, puppet_basedir => $::puppet::server::puppet_basedir, puppet_etcdir => $puppet::dir, enc_api => $::puppet::server::enc_api, report_api => $::puppet::server::report_api, timeout => $::puppet::server::request_timeout, ssl_ca => pick($::puppet::server::foreman_ssl_ca, $::puppet::server::ssl_ca_cert), ssl_cert => pick($::puppet::server::foreman_ssl_cert, $::puppet::server::ssl_cert), ssl_key => pick($::puppet::server::foreman_ssl_key, $::puppet::server::ssl_cert_key), } contain foreman::puppetmaster } ## PuppetDB if $::puppet::server::puppetdb_host { class { '::puppetdb::master::config': puppetdb_server => $::puppet::server::puppetdb_host, puppetdb_port => $::puppet::server::puppetdb_port, puppetdb_soft_write_failure => $::puppet::server::puppetdb_swf, manage_storeconfigs => false, restart_puppet => false, } Class['puppetdb::master::puppetdb_conf'] ~> Class['puppet::server::service'] } } diff --git a/manifests/server/install.pp b/manifests/server/install.pp index ac20563..41f6a70 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp 
@@ -1,68 +1,49 @@ # Install the puppet server class puppet::server::install { # Mirror the relationship, as defined() is parse-order dependent # Ensures 'puppet' user group is present before managing users if defined(Class['foreman_proxy::config']) { Class['puppet::server::install'] -> Class['foreman_proxy::config'] } if defined(Class['foreman::config']) { Class['puppet::server::install'] -> Class['foreman::config'] } if $::puppet::server::manage_user { $shell = $::puppet::server::git_repo ? { true => $::osfamily ? { /^(FreeBSD|DragonFly)$/ => '/usr/local/bin/git-shell', default => '/usr/bin/git-shell' }, default => undef, } user { $::puppet::server::user: shell => $shell, } } if $::puppet::manage_packages == true or $::puppet::manage_packages == 'server' { - $server_package_default = $::puppet::server::implementation ? { - 'master' => $::osfamily ? { - 'Debian' => ['puppet-master'], - /^(FreeBSD|DragonFly)$/ => [], - default => ['puppet-server'], - }, - 'puppetserver' => 'puppetserver', - } - $server_package = pick($::puppet::server::package, $server_package_default) + $server_package = pick($::puppet::server::package, 'puppetserver') $server_version = pick($::puppet::server::version, $::puppet::version) package { $server_package: ensure => $server_version, } if $::puppet::server::manage_user { Package[$server_package] -> User[$::puppet::server::user] } } - # Prevent the master service running and preventing Apache from binding to the port - if $::puppet::server::passenger and $::osfamily == 'Debian' { - file { '/etc/default/puppetmaster': - content => "START=no\n", - } - - if $::puppet::manage_packages == true or $::puppet::manage_packages == 'server' { - File['/etc/default/puppetmaster'] -> Package[$server_package] - } - } - if $::puppet::server::git_repo { Class['git'] -> User[$::puppet::server::user] file { $puppet::vardir: ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, } } } 
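Review bot: `$server_package = pick($::puppet::server::package, 'puppetserver')` in manifests/server/install.pp drops the per-osfamily handling without a replacement: the removed selector installed no package on FreeBSD/DragonFly, and this hunk now installs `puppetserver` there unconditionally, while the `$shell` selector just above still special-cases `/^(FreeBSD|DragonFly)$/`. Either keep an osfamily selector for the default package name or confirm that `puppetserver` is the package name on those platforms. Dropping the `/etc/default/puppetmaster` `START=no` handling is consistent with removing Passenger, but hosts upgraded from the Apache layout may still have the puppet-master package and its service installed; a README or changelog note telling operators to remove it before puppetserver takes over the port would avoid the bind conflict the removed comment was guarding against.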
diff --git a/manifests/server/passenger.pp b/manifests/server/passenger.pp deleted file mode 100644 index d47f6f6..0000000 --- a/manifests/server/passenger.pp +++ /dev/null 
@@ -1,141 +0,0 @@ -# == Class: puppet::server::passenger -# -# Set up the puppet server using passenger and apache. -# -class puppet::server::passenger ( - $app_root = $::puppet::server::app_root, - $passenger_min_instances = $::puppet::server::passenger_min_instances, - $passenger_pre_start = $::puppet::server::passenger_pre_start, - $passenger_ruby = $::puppet::server::passenger_ruby, - $port = $::puppet::server::port, - $ssl_ca_cert = $::puppet::server::ssl_ca_cert, - $ssl_ca_crl = $::puppet::server::ssl_ca_crl, - $ssl_cert = $::puppet::server::ssl_cert, - $ssl_cert_key = $::puppet::server::ssl_cert_key, - $ssl_chain = $::puppet::server::ssl_chain, - $ssl_dir = $::puppet::server::ssl_dir, - $ssl_protocol = 'ALL -SSLv2 -SSLv3', - $ssl_cipher = 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA', - $puppet_ca_proxy = $::puppet::server::ca_proxy, - $user = $::puppet::server::user, - $http = $::puppet::server::http, - $http_port = $::puppet::server::http_port, - $http_allow = $::puppet::server::http_allow, - $confdir = $::puppet::server::dir, - $rack_arguments = $::puppet::server::rack_arguments, - $vardir = $::puppet::vardir, -) { - include ::apache - include ::apache::mod::passenger - contain 'puppet::server::rack' - - $directory = { - 'path' => "${app_root}/public/", - 'passenger_enabled' => 'On', - } - - $directories = [ - $directory, - ] - - $http_pre_start = $passenger_pre_start ? { - true => "http://${::fqdn}:${http_port}", - false => undef, - } - - $https_pre_start = $passenger_pre_start ? { - true => "https://${::fqdn}:${port}", - false => undef, - } - - # The following client headers allow the same configuration to work with Pound. 
- $request_headers = [ - 'set X-SSL-Subject %{SSL_CLIENT_S_DN}e', - 'set X-Client-DN %{SSL_CLIENT_S_DN}e', - 'set X-Client-Verify %{SSL_CLIENT_VERIFY}e', - 'unset X-Forwarded-For', - ] - - if $puppet_ca_proxy and $puppet_ca_proxy != '' { - include ::apache::mod::proxy - include ::apache::mod::proxy_http - - $custom_fragment = "ProxyPassMatch ^/([^/]+/certificate.*)$ ${puppet_ca_proxy}/\$1" - $ssl_proxyengine = true - } else { - $custom_fragment = undef - $ssl_proxyengine = false - } - - $ssl_crl_check = $ssl_ca_crl ? { - false => undef, - undef => undef, - default => 'chain', - } - - apache::vhost { 'puppet': - docroot => "${app_root}/public/", - directories => $directories, - port => $port, - ssl => true, - ssl_cert => $ssl_cert, - ssl_key => $ssl_cert_key, - ssl_ca => $ssl_ca_cert, - ssl_crl => $ssl_ca_crl, - ssl_crl_check => $ssl_crl_check, - ssl_chain => $ssl_chain, - ssl_protocol => $ssl_protocol, - ssl_cipher => $ssl_cipher, - ssl_honorcipherorder => 'on', - ssl_verify_client => 'optional', - ssl_options => '+StdEnvVars +ExportCertData', - ssl_verify_depth => '1', - ssl_proxyengine => $ssl_proxyengine, - custom_fragment => $custom_fragment, - request_headers => $request_headers, - options => ['None'], - passenger_pre_start => $https_pre_start, - passenger_min_instances => $passenger_min_instances, - passenger_ruby => $passenger_ruby, - require => Class['::puppet::server::rack'], - } - - if $http { - # Order, deny and allow cannot be configured for Apache >= 2.4 using the Puppetlabs/Apache - # module, but they can be set to false. So, set to false and configure manually via custom fragments. - # We can't get rid of the 'Order allow,deny' directive and we need to support all Apache versions. - # Best we can do is reverse the Order directive and add our own 'Deny from all' for good measure. 
- $directories_http = [ - merge($directory, { - 'order' => false, - 'deny' => false, - 'allow' => false, - 'custom_fragment' => join([ - 'Order deny,allow', - 'Deny from all', - inline_template("<%- if @http_allow and Array(@http_allow).join(' ') != '' -%>Allow from <%= @http_allow.join(' ') %><%- end -%>"), - ], "\n") - }), - ] - - apache::vhost { 'puppet-http': - docroot => "${app_root}/public/", - directories => $directories_http, - port => $http_port, - ssl_proxyengine => $ssl_proxyengine, - custom_fragment => join([ - $custom_fragment ? { - undef => '', - default => $custom_fragment - }, - 'SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1', - 'SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1', - ], "\n"), - options => ['None'], - passenger_pre_start => $http_pre_start, - passenger_min_instances => $passenger_min_instances, - passenger_ruby => $passenger_ruby, - require => Class['::puppet::server::rack'], - } - } -} diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index aa65494..2dccbd9 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp 
@@ -1,327 +1,322 @@ # == Class: puppet::server::puppetserver # # Configures the puppetserver jvm configuration file using augeas. # # === Parameters: # # * `java_bin` # Path to the java executable to use # # * `config` # Path to the jvm configuration file. # This file is usually either /etc/default/puppetserver or # /etc/sysconfig/puppetserver depending on your *nix flavor. # # * `jvm_min_heap_size` # Translates into the -Xms option and is added to the JAVA_ARGS # # * `jvm_max_heap_size` # Translates into the -Xmx option and is added to the JAVA_ARGS # # * `jvm_extra_args` # Custom options to pass through to the java binary. These get added to # the end of the JAVA_ARGS variable # # * `jvm_cli_args` # Custom options to pass through to the java binary when using a # puppetserver subcommand, (eg puppetserver gem). These get used # in the JAVA_ARGS_CLI variable. # # * `server_puppetserver_dir` # Puppetserver config directory # # * `server_puppetserver_vardir` # Puppetserver var directory # # * `server_jruby_gem_home` # Puppetserver jruby gemhome # # * `server_cipher_suites` # Puppetserver array of acceptable ciphers # # * `server_ssl_protocols` # Puppetserver array of acceptable ssl protocols # # * `server_max_active_instances` # Puppetserver number of max jruby instances # # * `server_max_requests_per_instance` # Puppetserver number of max requests per jruby instance # # * `server_max_queued_requests` # The maximum number of requests that may be queued waiting # to borrow a JRuby from the pool. # # * `server_max_retry_delay` # Sets the upper limit for the random sleep set as a Retry-After # header on 503 responses returned when max-queued-requests is enabled. 
# # === Example # # @example # # # configure memory for java < 8 # class {'::puppet::server::puppetserver': # jvm_min_heap_size => '1G', # jvm_max_heap_size => '3G', # jvm_extra_args => '-XX:MaxPermSize=256m', # } # class puppet::server::puppetserver ( $config = $::puppet::server::jvm_config, $java_bin = $::puppet::server::jvm_java_bin, $jvm_extra_args = $::puppet::server::jvm_extra_args, $jvm_cli_args = $::puppet::server::jvm_cli_args, $jvm_min_heap_size = $::puppet::server::jvm_min_heap_size, $jvm_max_heap_size = $::puppet::server::jvm_max_heap_size, $server_puppetserver_dir = $::puppet::server::puppetserver_dir, $server_puppetserver_vardir = $::puppet::server::puppetserver_vardir, $server_puppetserver_rundir = $::puppet::server::puppetserver_rundir, $server_puppetserver_logdir = $::puppet::server::puppetserver_logdir, $server_jruby_gem_home = $::puppet::server::jruby_gem_home, $server_ruby_load_paths = $::puppet::server::ruby_load_paths, $server_cipher_suites = $::puppet::server::cipher_suites, $server_max_active_instances = $::puppet::server::max_active_instances, $server_max_requests_per_instance = $::puppet::server::max_requests_per_instance, $server_max_queued_requests = $::puppet::server::max_queued_requests, $server_max_retry_delay = $::puppet::server::max_retry_delay, $server_ssl_protocols = $::puppet::server::ssl_protocols, $server_ssl_ca_crl = $::puppet::server::ssl_ca_crl, $server_ssl_ca_cert = $::puppet::server::ssl_ca_cert, $server_ssl_cert = $::puppet::server::ssl_cert, $server_ssl_cert_key = $::puppet::server::ssl_cert_key, $server_ssl_chain = $::puppet::server::ssl_chain, $server_crl_enable = $::puppet::server::crl_enable_real, $server_ip = $::puppet::server::ip, $server_port = $::puppet::server::port, $server_http = $::puppet::server::http, - $server_http_allow = $::puppet::server::http_allow, $server_http_port = $::puppet::server::http_port, $server_ca = $::puppet::server::ca, $server_dir = $::puppet::server::dir, $codedir = 
$::puppet::server::codedir, $server_idle_timeout = $::puppet::server::idle_timeout, $server_web_idle_timeout = $::puppet::server::web_idle_timeout, $server_connect_timeout = $::puppet::server::connect_timeout, $server_ca_auth_required = $::puppet::server::ca_auth_required, $server_ca_client_whitelist = $::puppet::server::ca_client_whitelist, $server_admin_api_whitelist = $::puppet::server::admin_api_whitelist, $server_puppetserver_version = $::puppet::server::puppetserver_version, $server_use_legacy_auth_conf = $::puppet::server::use_legacy_auth_conf, $server_check_for_updates = $::puppet::server::check_for_updates, $server_environment_class_cache_enabled = $::puppet::server::environment_class_cache_enabled, $server_jruby9k = $::puppet::server::puppetserver_jruby9k, $server_metrics = $::puppet::server::puppetserver_metrics, $metrics_jmx_enable = $::puppet::server::metrics_jmx_enable, $metrics_graphite_enable = $::puppet::server::metrics_graphite_enable, $metrics_graphite_host = $::puppet::server::metrics_graphite_host, $metrics_graphite_port = $::puppet::server::metrics_graphite_port, $metrics_server_id = $::puppet::server::metrics_server_id, $metrics_graphite_interval = $::puppet::server::metrics_graphite_interval, $metrics_allowed = $::puppet::server::metrics_allowed, $server_experimental = $::puppet::server::puppetserver_experimental, $server_trusted_agents = $::puppet::server::puppetserver_trusted_agents, $allow_header_cert_info = $::puppet::server::allow_header_cert_info, $compile_mode = $::puppet::server::compile_mode, $acceptor_threads = $::puppet::server::acceptor_threads, $selector_threads = $::puppet::server::selector_threads, $ssl_acceptor_threads = $::puppet::server::ssl_acceptor_threads, $ssl_selector_threads = $::puppet::server::ssl_selector_threads, $max_threads = $::puppet::server::max_threads, $ca_allow_sans = $::puppet::server::ca_allow_sans, $ca_allow_auth_extensions = $::puppet::server::ca_allow_auth_extensions, ) { include ::puppet::server if 
versioncmp($server_puppetserver_version, '2.2') < 0 { fail('puppetserver <2.2 is not supported by this module version') } - if !(empty($server_http_allow)) { - fail('setting $server_http_allow is not supported for puppetserver as it would have no effect') - } - $puppetserver_package = pick($::puppet::server::package, 'puppetserver') $jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args] $jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' ')) if $::osfamily == 'FreeBSD' { $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", ] # lint:ignore:single_quote_string_with_variables augeas { 'puppet::server::puppetserver::jvm': context => '/files/etc/rc.conf', changes => [ "set puppetserver_java_opts '\"${jvm_cmd}\"'" ], } } else { if $jvm_cli_args { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", "set JAVA_ARGS_CLI '\"${jvm_cli_args}\"'", ] } else { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", ] } augeas { 'puppet::server::puppetserver::jvm': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $changes, } if versioncmp($server_puppetserver_version, '2.4.99') == 0 { $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg,${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" } elsif versioncmp($server_puppetserver_version, '2.5') >= 0 { $bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" } else { # 2.4 $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg" } if versioncmp($server_puppetserver_version, '5.3') >= 0 { $server_gem_paths = [ '${jruby-puppet.gem-home}', "\"${server_puppetserver_vardir}/vendored-jruby-gems\"", "\"/opt/puppetlabs/puppet/lib/ruby/vendor_gems\""] # lint:ignore:single_quote_string_with_variables } else { $server_gem_paths = [ '${jruby-puppet.gem-home}', 
"\"${server_puppetserver_vardir}/vendored-jruby-gems\"", ] # lint:ignore:single_quote_string_with_variables } augeas { 'puppet::server::puppetserver::bootstrap': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'", } if versioncmp($server_puppetserver_version, '5.0') >= 0 { $jruby_jar_changes = $server_jruby9k ? { true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'", default => 'rm JRUBY_JAR' } augeas { 'puppet::server::puppetserver::jruby_jar': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $jruby_jar_changes, } } } # 2.4.99 configures for both 2.4 and 2.5 making upgrades and new installations easier when the # precise version available isn't known if versioncmp($server_puppetserver_version, '2.4.99') >= 0 { $servicesd = "${server_puppetserver_dir}/services.d" file { $servicesd: ensure => directory, } file { "${servicesd}/ca.cfg": ensure => file, content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'), } unless $::osfamily == 'FreeBSD' { file { '/opt/puppetlabs/server/apps/puppetserver/config': ensure => directory, } file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d': ensure => directory, } } } if versioncmp($server_puppetserver_version, '2.5') < 0 { $bootstrapcfg = "${server_puppetserver_dir}/bootstrap.cfg" file { $bootstrapcfg: ensure => file, } $ca_enabled_ensure = $server_ca ? { true => present, default => absent, } $ca_disabled_ensure = $server_ca ? 
{ false => present, default => absent, } file_line { 'ca_enabled': ensure => $ca_enabled_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service', require => File[$bootstrapcfg], } file_line { 'ca_disabled': ensure => $ca_disabled_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service', require => File[$bootstrapcfg], } if versioncmp($server_puppetserver_version, '2.3') >= 0 { $versioned_code_service_ensure = present } else { $versioned_code_service_ensure = absent } file_line { 'versioned_code_service': ensure => $versioned_code_service_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service', require => File[$bootstrapcfg], } } if versioncmp($server_puppetserver_version, '5.3.6') >= 0 { $ca_conf_ensure = present } else { $ca_conf_ensure = absent } file { "${server_puppetserver_dir}/conf.d/ca.conf": ensure => $ca_conf_ensure, content => template('puppet/server/puppetserver/conf.d/ca.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/puppetserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/puppetserver.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/auth.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/auth.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/webserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/webserver.conf.erb'), } if versioncmp($server_puppetserver_version, '2.7') >= 0 { $product_conf_ensure = file } else { $product_conf_ensure = absent } file { "${server_puppetserver_dir}/conf.d/product.conf": ensure => $product_conf_ensure, content => template('puppet/server/puppetserver/conf.d/product.conf.erb'), } if versioncmp($server_puppetserver_version, '5.0') >= 0 { $metrics_conf = 
"${server_puppetserver_dir}/conf.d/metrics.conf" $metrics_conf_ensure = $server_metrics ? { true => file, default => absent } file { $metrics_conf: ensure => $metrics_conf_ensure, content => template('puppet/server/puppetserver/conf.d/metrics.conf.erb'), } } } diff --git a/manifests/server/rack.pp b/manifests/server/rack.pp deleted file mode 100644 index b49bd9f..0000000 --- a/manifests/server/rack.pp +++ /dev/null @@ -1,32 +0,0 @@ -# = Class: puppet::server::rack -# -# Description of puppet::server::rack -# -# == Actions: -# -# Create a directory structure to use with passenger -# -# == Sample Usage: -# -# include puppet::server::rack -# -class puppet::server::rack( - $app_root = $::puppet::server::passenger::app_root, - $confdir = $::puppet::server::passenger::confdir, - $rack_arguments = $::puppet::server::passenger::rack_arguments, - $user = $::puppet::server::passenger::user, - $vardir = $::puppet::server::passenger::vardir, -) { - file { - [$app_root, "${app_root}/public", "${app_root}/tmp"]: - ensure => directory, - owner => $user, - mode => '0755', - } - - file { "${app_root}/config.ru": - owner => $user, - content => template('puppet/server/config.ru.erb'), - } - -} diff --git a/manifests/server/service.pp b/manifests/server/service.pp index 85e8552..5f21e9a 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp 
@@ -1,72 +1,14 @@ -# == Class: puppet::server::service -# # Set up the puppet server as a service # -# === Parameters: -# -# $app_root:: Rack application top-level directory -# -# $httpd_service:: Apache/httpd service name, used for ordering -# -# $puppetmaster:: Whether to start/stop the (Ruby) puppetmaster service -# -# $puppetserver:: Whether to start/stop the (JVM) puppetserver service -# -# $rack:: Whether the Puppet server is running under Apache with Rack and Passenger -# Does not manage the Apache service, only restarts and ordering. +# @param $enable Whether to enable the service or not +# @param $service_name The service name to manage # class puppet::server::service( - Optional[Stdlib::Absolutepath] $app_root = undef, - String $httpd_service = 'httpd', - Optional[Boolean] $puppetmaster = undef, - Optional[Boolean] $puppetserver = undef, - Optional[Boolean] $rack = undef, + Boolean $enable = true, + String $service_name = 'puppetserver', ) { - if $puppetmaster and $puppetserver { - fail('Both puppetmaster and puppetserver cannot be enabled simultaneously') - } - - if $::osfamily == 'Debian' { - $puppetmaster_service = 'puppet-master' - } else { - $puppetmaster_service = 'puppetmaster' - } - - if $puppetmaster != undef { - $pm_ensure = $puppetmaster ? { - true => 'running', - false => 'stopped', - } - service { $puppetmaster_service: - ensure => $pm_ensure, - enable => $puppetmaster, - } - - if $rack and !$puppetmaster { - Service[$puppetmaster_service] -> Service[$httpd_service] - } - } - - if $puppetserver != undef { - $ps_ensure = $puppetserver ? 
{ - true => 'running', - false => 'stopped', - } - service { 'puppetserver': - ensure => $ps_ensure, - enable => $puppetserver, - } - - if $rack and !$puppetserver { - Service['puppetserver'] -> Service[$httpd_service] - } - } - - if $rack { - exec {'restart_puppetmaster': - command => "/bin/touch ${app_root}/tmp/restart.txt", - refreshonly => true, - cwd => $app_root, - } + service { $service_name: + ensure => $enable, + enable => $enable, } } diff --git a/spec/classes/puppet_server_passenger_spec.rb b/spec/classes/puppet_server_passenger_spec.rb deleted file mode 100644 index 1c8fb82..0000000 --- a/spec/classes/puppet_server_passenger_spec.rb +++ /dev/null 
@@ -1,110 +0,0 @@ -require 'spec_helper' - -describe 'puppet::server::passenger' do - on_os_under_test.each do |os, facts| - next if unsupported_puppetmaster_osfamily(facts[:osfamily]) - context "on #{os}" do - let :facts do - facts - end - - let(:default_params) do { - :app_root => '/etc/puppet/rack', - :confdir => '/etc/puppet', - :vardir => '/var/lib/puppet', - :passenger_pre_start => true, - :passenger_min_instances => 12, - :passenger_ruby => '/usr/bin/tfm-ruby', - :port => 8140, - :http => false, - :http_port => 8139, - :http_allow => [], - :ssl_cert => 'cert.pem', - :ssl_cert_key => 'key.pem', - :ssl_ca_cert => 'ca.pem', - :ssl_ca_crl => false, - :ssl_chain => 'ca.pem', - :ssl_dir => 'ssl/', - :puppet_ca_proxy => '', - :rack_arguments => [], - :user => 'puppet', - } end - - describe 'without parameters' do - let(:params) { default_params } - it 'should include the puppet vhost' do - should contain_apache__vhost('puppet').with({ - :ssl_proxyengine => false, - :ssl_crl_check => nil, - }) - end - end - - describe 'with puppet ca proxy' do - let :params do - default_params.merge({ - :puppet_ca_proxy => 'https://ca.example.org:8140', - }) - end - - it 'should include the puppet vhost' do - should contain_apache__vhost('puppet').with({ - :ssl_proxyengine => true, - :custom_fragment => "ProxyPassMatch ^/([^/]+/certificate.*)$ https://ca.example.org:8140/$1", - }) - end - - it 'should include the puppet http vhost' do - should contain_apache__vhost('puppet').with({ - :ssl_proxyengine => true, - :custom_fragment => "ProxyPassMatch ^/([^/]+/certificate.*)$ https://ca.example.org:8140/$1", - }) - end - end - - describe 'with SSL CRL' do - let :params do - default_params.merge({ - :ssl_ca_crl => '/var/lib/puppet/ssl/ca/ca_crl.pem', - }) - end - - it 'should include the puppet vhost' do - should contain_apache__vhost('puppet').with({ - :ssl_crl => '/var/lib/puppet/ssl/ca/ca_crl.pem', - :ssl_crl_check => 'chain', - }) - end - end - - describe 'with passenger settings' do 
- let :params do - default_params.merge({ - :http => true, - :passenger_min_instances => 10, - :passenger_pre_start => true, - :passenger_ruby => '/opt/ruby2.0/bin/ruby', - }) - end - - it 'should include the puppet https vhost' do - should contain_apache__vhost('puppet').with({ - :passenger_min_instances => 10, - :passenger_pre_start => 'https://foo.example.com:8140', - :passenger_ruby => '/opt/ruby2.0/bin/ruby', - :ssl_proxyengine => false, - }) - end - - it 'should include the puppet http vhost' do - should contain_apache__vhost('puppet-http').with({ - :passenger_min_instances => 10, - :passenger_pre_start => 'http://foo.example.com:8139', - :passenger_ruby => '/opt/ruby2.0/bin/ruby', - :ssl_proxyengine => false, - }) - end - end - end - end -end diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb index 7dd6e62..856de8f 100644 --- a/spec/classes/puppet_server_puppetserver_spec.rb +++ b/spec/classes/puppet_server_puppetserver_spec.rb 
@@ -1,654 +1,653 @@ require 'spec_helper' describe 'puppet' do on_os_under_test.each do |os, facts| next if unsupported_puppetmaster_osfamily(facts[:osfamily]) context "on #{os}" do let(:facts) do facts end let(:auth_conf) { '/etc/custom/puppetserver/conf.d/auth.conf' } let(:puppetserver_conf) { '/etc/custom/puppetserver/conf.d/puppetserver.conf' } let(:params) do { server: true, - server_implementation: 'puppetserver', # We set these values because they're calculated server_jvm_config: '/etc/default/puppetserver', server_jvm_min_heap_size: '2G', server_jvm_max_heap_size: '2G', server_jvm_extra_args: '', server_max_active_instances: 2, server_puppetserver_dir: '/etc/custom/puppetserver', server_puppetserver_version: '2.4.99', } end describe 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled').with_ensure('present') } it { should contain_file_line('ca_disabled').with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') .with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) .with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) .without_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'']) .with_context('/files/etc/rc.conf') } else it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap') 
.with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') } it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java']) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } end it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').with_ensure('absent') } it { should contain_file(puppetserver_conf) .without_content(/^# Settings related to the puppet-admin HTTP API$/) .without_content(/^puppet-admin: \{$/) .without_content(/^\s+client-whitelist: \[$/) .without_content(/^\s+"localhost"\,$/) .without_content(/^\s+"puppetserver123.example.com"\,$/) } it { should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf') .with_content(/ssl-host:\s0\.0\.0\.0/) .with_content(/ssl-port:\s8140/) .without_content(/ host:\s/) .without_content(/ port:\s8139/) .without_content(/selector-threads:/) .without_content(/acceptor-threads:/) .without_content(/ssl-selector-threads:/) .without_content(/ssl-acceptor-threads:/) .without_content(/max-threads:/) } it { should contain_file(auth_conf) .with_content(/allow-header-cert-info: false/) .with_content(%r{^\s+path: "/puppet-ca/v1/certificate_status"}) .with_content(/^\s+name: "puppetlabs cert status"/) .with_content(%r{^\s+path: "/puppet-ca/v1/certificate_statuses"}) .with_content(/^\s+name: "puppetlabs cert statuses"/) .with_content(%r{^\s+path: "/puppet-admin-api/v1/environment-cache"}) .with_content(/^\s+name: "environment-cache"/) .with_content(%r{^\s+path: "/puppet-admin-api/v1/jruby-pool"}) .with_content(/^\s+name: "jruby-pool"/) } end describe 'server_puppetserver_vardir' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(%r{^ master-var-dir: /opt/puppetlabs/server/data/puppetserver$}) } end 
context 'with custom server_puppetserver_vardir' do let(:params) { super().merge(server_puppetserver_vardir: '/opt/custom/puppetserver') } it { should contain_file(puppetserver_conf).with_content(%r{^ master-var-dir: /opt/custom/puppetserver$}) } end end describe 'use-legacy-auth-conf' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: false$/) } end context 'when use-legacy-auth-conf = true' do let(:params) { super().merge(server_use_legacy_auth_conf: true) } it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: true$/) } end end describe 'environment-class-cache-enabled' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ environment-class-cache-enabled: false$/) } end context 'when environment-class-cache-enabled = true' do let(:params) { super().merge(server_environment_class_cache_enabled: true) } it { should contain_file(puppetserver_conf).with_content(/^ environment-class-cache-enabled: true$/) } end context 'when server_puppetserver_version < 2.4' do let(:params) { super().merge(server_puppetserver_version: '2.2.2') } it { should contain_file(puppetserver_conf).without_content('environment-class-cache-enabled') } end end describe 'server_max_requests_per_instance' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ max-requests-per-instance: 0$/) } end context 'custom server_max_requests_per_instance' do let(:params) { super().merge(server_max_requests_per_instance: 123_456) } it { should contain_file(puppetserver_conf).with_content(/^ max-requests-per-instance: 123456$/) } end end describe 'server_max_queued_requests' do context 'when server_puppetserver_version >= 5.0' do let(:params) { super().merge(server_puppetserver_version: '5.0.0') } context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ max-queued-requests: 0\n/) } 
end context 'with custom server_max_queued_requests' do let(:params) { super().merge(server_max_queued_requests: 100) } it { should contain_file(puppetserver_conf).with_content(/^ max-queued-requests: 100\n/) } end end context 'when server_puppetserver_version < 5.0 with default parameters' do let(:params) { super().merge(server_puppetserver_version: '2.7.0') } it { should contain_file(puppetserver_conf).without_content('max-queued-requests') } end end describe 'server_max_retry_delay' do context 'when server_puppetserver_version >= 5.0' do let(:params) { super().merge(server_puppetserver_version: '5.0.0') } context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ max-retry-delay: 1800\n/) } end context 'with custom server_max_retry_delay' do let(:params) { super().merge(server_max_retry_delay: 100) } it { should contain_file(puppetserver_conf).with_content(/^ max-retry-delay: 100\n/) } end end context 'when server_puppetserver_version < 5.0 with default parameters' do let(:params) { super().merge(server_puppetserver_version: '2.7.0') } it { should contain_file(puppetserver_conf).without_content('max-retry-delay') } end end describe 'versioned-code-service' do context 'when server_puppetserver_version >= 2.5' do let(:params) { super().merge(server_puppetserver_version: '2.5.0') } it { should_not contain_file_line('versioned_code_service') } end context 'when server_puppetserver_version >= 2.3 and < 2.5' do let(:params) { super().merge(server_puppetserver_version: '2.3.1') } it 'should have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service') .with_ensure('present') .with_path('/etc/custom/puppetserver/bootstrap.cfg') .with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service') .that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end context 'when server_puppetserver_version < 2.3' do let(:params) { 
super().merge(server_puppetserver_version: '2.2.2') } it 'should not have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service') .with_ensure('absent') .with_path('/etc/custom/puppetserver/bootstrap.cfg') .with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service') .that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end end describe 'bootstrap.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) { super().merge(server_puppetserver_version: '2.5.0') } it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should_not contain_file_line('ca_enabled') } it { should_not contain_file_line('ca_disabled') } end context 'when server_puppetserver_version < 2.4.99' do let(:params) { super().merge(server_puppetserver_version: '2.4.98') } it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled') .with_ensure('present') .with_path('/etc/custom/puppetserver/bootstrap.cfg') .with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service') .that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } it { should contain_file_line('ca_disabled') .with_ensure('absent') .with_path('/etc/custom/puppetserver/bootstrap.cfg') .with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service') .that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } unless facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::bootstrap') .with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\'') .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } end end end describe 'ca.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) { super().merge(server_puppetserver_version: '2.5.0') } it { 
should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') .with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) .with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } unless facts[:osfamily] == 'FreeBSD' it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } it { should contain_augeas('puppet::server::puppetserver::bootstrap') .with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } end end context 'when server_puppetserver_version >= 2.5 and server_ca => false' do let(:params) do super().merge( server_puppetserver_version: '2.5.0', server_ca: false ) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') .with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) .with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } end context 'when server_puppetserver_version < 2.4.99' do let(:params) { super().merge(server_puppetserver_version: '2.4.98') } it { should_not contain_file('/etc/custom/puppetserver/services.d') } it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') } end context 'when server_puppetserver_version >= 5.1' do let(:params) { 
super().merge(server_puppetserver_version: '5.1.0') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') .with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}) .with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) .with_content(%r{^puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service}) } end end describe 'product.conf' do context 'when server_puppetserver_version >= 2.7' do let(:params) { super().merge(server_puppetserver_version: '2.7.0') } context 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf') .with_content(/^\s+check-for-updates: true/) } end context 'with server_check_for_updates => false' do let(:params) { super().merge(server_check_for_updates: false) } it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf') .with_content(/^\s+check-for-updates: false/) } end end context 'when server_puppetserver_version < 2.7' do let(:params) { super().merge(server_puppetserver_version: '2.6.0') } it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf').with_ensure('absent') } end end describe 'server_metrics' do context 'when server_puppetserver_version < 5.0' do let(:params) { super().merge(server_puppetserver_version: '2.7.0') } context 'when server_metrics => true' do let(:params) { super().merge(server_puppetserver_metrics: true) } it { should contain_file(puppetserver_conf) .without_content(/^ metrics-enabled: (.*)$/) .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true/) } it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } end context 'when server_metrics => false' do let(:params) { super().merge(server_puppetserver_metrics: false) } it { should contain_file(puppetserver_conf) .without_content(/^ metrics-enabled: (.*)$/) 
.with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false/) } it { should_not contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') } end end context 'when server_puppetserver_version >= 5.0' do let(:params) { super().merge(server_puppetserver_version: '5.0.0') } context 'when server_metrics => true' do let(:params) do super().merge( server_puppetserver_metrics: true, server_metrics_graphite_enable: true, server_metrics_graphite_host: 'graphitehost.example.com', server_metrics_graphite_port: 2003, server_metrics_server_id: 'puppetserver.example.com', server_metrics_graphite_interval: 5, server_metrics_allowed: ['single.element.array'], ) end it { should contain_file(puppetserver_conf) .with_content(/^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)/) .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true/) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf') .with_content(/^( *)metrics-allowed: \[\n( *)"single.element.array",\n( *)\]/) .with_content(/^( *)server-id: "puppetserver.example.com"/) .with_content(/^( *)jmx: \{\n( *)enabled: true/) .with_content(/^( *)graphite: \{\n( *)enabled: true/) .with_content(/^( *)host: "graphitehost.example.com"/) .with_content(/^( *)port: 2003/) .with_content(/^( *)update-interval-seconds: 5/) } end context 'when server_metrics => false' do let(:params) { super().merge(server_puppetserver_metrics: false) } it { should contain_file(puppetserver_conf) .with_content(/^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$/) .with_content(/^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false/) } it { should contain_file('/etc/custom/puppetserver/conf.d/metrics.conf').with_ensure('absent') } end end end describe 'server_experimental' do context 'when server_puppetserver_version < 5.0' do let(:params) { 
super().merge(server_puppetserver_version: '2.7.0') } context 'when server_experimental => true' do let(:params) { super().merge(server_puppetserver_experimental: true) } it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_experimental => false' do let(:params) { super().merge(server_puppetserver_experimental: false) } it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end context 'when server_puppetserver_version >= 5.0' do let(:params) { super().merge(server_puppetserver_version: '5.0.0') } context 'when server_experimental => true' do let(:params) { super().merge(server_puppetserver_experimental: true) } it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_experimental => false' do let(:params) { super().merge(server_puppetserver_experimental: false) } it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end end describe 'puppet tasks information' do context 'when server_puppetserver_version < 5.1' do let(:params) { super().merge(server_puppetserver_version: '5.0.0') } it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } end context 'when server_puppetserver_version >= 5.1' do let(:params) { super().merge(server_puppetserver_version: '5.1.0') } it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "/puppet/v3/tasks"$}) } end end describe 'puppet facts upload' do context 'when server_puppetserver_version >= 5.3' do let(:params) { super().merge(server_puppetserver_version: '5.3.0') } it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$}) } end context 'when server_puppetserver_version < 5.3' do let(:params) { super().merge(server_puppetserver_version: '5.2.0') } it { should contain_file(auth_conf).without_content(%r{^(\ *)path: "\^/puppet/v3/facts/(.*)$}) } 
end end describe 'server_trusted_agents' do context 'when set' do let(:params) do super().merge( server_puppetserver_version: '2.7.0', server_puppetserver_trusted_agents: ['jenkins', 'octocatalog-diff'] ) end it { should contain_file(auth_conf).with_content(/^ allow: \["jenkins", "octocatalog-diff", "\$1"\]$/) } end end describe 'server_jruby9k', unless: facts[:osfamily] == 'FreeBSD' do context 'when server_puppetserver_version < 5.0' do let(:params) { super().merge(server_puppetserver_version: '2.7.0') } context 'when server_jruby9k => true' do let(:params) { super().merge(server_puppetserver_jruby9k: true) } it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_jruby9k => false' do let(:params) { super().merge(server_puppetserver_jruby9k: false) } it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end end context 'when server_puppetserver_version >= 5.0' do let(:params) { super().merge(server_puppetserver_version: '5.0.0') } context 'when server_jruby9k => true' do let(:params) { super().merge(server_puppetserver_jruby9k: true) } it do should contain_augeas('puppet::server::puppetserver::jruby_jar') .with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') end end context 'when server_jruby9k => false' do let(:params) { super().merge(server_puppetserver_jruby9k: false) } it do should contain_augeas('puppet::server::puppetserver::jruby_jar') .with_changes(['rm JRUBY_JAR']) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') end end end end describe 'with extra_args parameter' do let(:params) { super().merge(server_jvm_extra_args: ['-XX:foo=bar', '-XX:bar=foo']) } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes(['set 
puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'']) .with_context('/files/etc/rc.conf') } else it { should contain_augeas('puppet::server::puppetserver::jvm') .with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', 'set JAVA_BIN /usr/bin/java' ]) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') } end end describe 'with cli_args parameter', unless: facts[:osfamily] == 'FreeBSD' do let(:params) { super().merge(server_jvm_cli_args: '-Djava.io.tmpdir=/var/puppettmp') } it do should contain_augeas('puppet::server::puppetserver::jvm') .with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java', 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'' ]) .with_context('/files/etc/default/puppetserver') .with_incl('/etc/default/puppetserver') .with_lens('Shellvars.lns') end end describe 'with jvm_config file parameter' do let(:params) { super().merge(server_jvm_config: '/etc/custom/puppetserver') } if facts[:osfamily] == 'FreeBSD' it { should contain_augeas('puppet::server::puppetserver::jvm').with_context('/files/etc/rc.conf') } else it do should contain_augeas('puppet::server::puppetserver::jvm') .with_context('/files/etc/custom/puppetserver') .with_incl('/etc/custom/puppetserver') .with_lens('Shellvars.lns') end end end describe 'gem-path' do context 'when server_puppetserver_version > 2.7 but < 5.3' do let(:params) { super().merge(server_puppetserver_version: '5.0.0') } it do should contain_file(puppetserver_conf) .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems"\]$}) end end context 'when server_puppetserver_version >= 5.3' do let(:params) { super().merge(server_puppetserver_version: '5.3.0') } if facts[:osfamily] == 'FreeBSD' it do should contain_file(puppetserver_conf) .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, 
"/var/puppet/server/data/puppetserver/vendored-jruby-gems"\]$}) end else it do should contain_file(puppetserver_conf) .with_content(%r{^ gem-path: \[\$\{jruby-puppet.gem-home\}, "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"\]$}) end end end end describe 'Puppet Server CA related settings' do context 'when server_puppetserver_version < 5.3.6' do let(:params) { super().merge(server_puppetserver_version: '5.3.5') } context 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').with_ensure('absent') } it { should contain_file(auth_conf).without_content(/^( *)pp_cli_auth: "true"$/) } end end context 'when server_puppetserver_version >= 5.3.6' do let(:params) { super().merge(server_puppetserver_version: '5.3.6') } context 'with default parameters' do it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') .with_ensure('present') .with_content(/^( *)allow-subject-alt-names: false$/) .with_content(/^( *)allow-authorization-extensions: false$/) } it { should contain_file(auth_conf).with_content(/^( *)pp_cli_auth: "true"$/) } end context 'with ca parameters set' do let(:params) { super().merge( server_ca_allow_sans: true, server_ca_allow_auth_extensions: true, ) } it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') .with_ensure('present') .with_content(/^( *)allow-subject-alt-names: true$/) .with_content(/^( *)allow-authorization-extensions: true$/) } end end end describe 'when server_puppetserver_version < 2.2' do let(:params) { super().merge(server_puppetserver_version: '2.1.0') } it { should raise_error(Puppet::Error, /puppetserver <2.2 is not supported by this module version/) } end describe 'allow jetty specific server threads' do context 'with thread config' do let(:params) do super().merge( server_selector_threads: 1, server_acceptor_threads: 2, server_ssl_selector_threads: 3, server_ssl_acceptor_threads: 4, server_max_threads: 5 ) end 
it { is_expected.to compile.with_all_deps } it { is_expected.to contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/selector-threads: 1/). with_content(/acceptor-threads: 2/). with_content(/ssl-selector-threads: 3/). with_content(/ssl-acceptor-threads: 4/). with_content(/max-threads: 5/) } end end end end end diff --git a/spec/classes/puppet_server_service_spec.rb b/spec/classes/puppet_server_service_spec.rb index 3d2cf4d..da261b2 100644 --- a/spec/classes/puppet_server_service_spec.rb +++ b/spec/classes/puppet_server_service_spec.rb 
@@ -1,113 +1,15 @@ require 'spec_helper' describe 'puppet::server::service' do - on_os_under_test.each do |os, facts| - next if facts[:osfamily] == 'windows' - context "on #{os}" do - if facts[:osfamily] == 'Debian' - master_service = 'puppet-master' - else - master_service = 'puppetmaster' - end - - let(:facts) do - facts - end - - describe 'default_parameters' do - it { should_not contain_service(master_service) } - it { should_not contain_service('puppetserver') } - it { should_not contain_exec('restart_puppetmaster') } - end - - describe 'when puppetmaster => true' do - let(:params) { {:puppetmaster => true, :puppetserver => Undef.new} } - it do - should contain_service(master_service).with({ - :ensure => 'running', - :enable => 'true', - }) - end - end - - describe 'when puppetserver => true' do - let(:params) { {:puppetserver => true, :puppetmaster => Undef.new} } - it do - should contain_service('puppetserver').with({ - :ensure => 'running', - :enable => 'true', - }) - end - end - - describe 'when puppetmaster => false' do - let(:params) { {:puppetmaster => false} } - it do - should contain_service(master_service).with({ - :ensure => 'stopped', - :enable => 'false', - }) - end - - describe 'and rack => true' do - let(:params) { {:puppetmaster => false, :rack => true} } - let(:pre_condition) { 'service { "httpd": }' } - it do - should contain_service(master_service).with({ - :ensure => 'stopped', - :enable => 'false', - }).that_comes_before('Service[httpd]') - end - end - end - - describe 'when puppetserver => false' do - let(:params) { {:puppetserver => false} } - it do - should contain_service('puppetserver').with({ - :ensure => 'stopped', - :enable => 'false', - }) - end - - describe 'and rack => true' do - let(:params) { {:puppetserver => false, :rack => true} } - let(:pre_condition) { 'service { "httpd": }' } - it do - should contain_service('puppetserver').with({ - :ensure => 'stopped', - :enable => 'false', - }).that_comes_before('Service[httpd]') - 
end - end - end - - describe 'when rack => true' do - let(:params) { {:rack => true, :puppetserver => :undef, :puppetmaster => :undef, :app_root => '/etc/puppet/rack'} } - it do - should contain_exec('restart_puppetmaster').with({ - :command => '/bin/touch /etc/puppet/rack/tmp/restart.txt', - :refreshonly => true, - :cwd => '/etc/puppet/rack', - }) - end - end - - describe 'when puppetmaster => undef' do - let(:params) { {:puppetmaster => Undef.new} } - it { should_not contain_service(master_service) } - end - - describe 'when puppetserver => undef' do - let(:params) { {:puppetserver => Undef.new} } - it { should_not contain_service('puppetserver') } - end - - describe 'when puppetmaster => true and puppetserver => true' do - let(:params) { {:puppetserver => true, :puppetmaster => true} } - it { should raise_error(Puppet::Error, /Both puppetmaster and puppetserver cannot be enabled simultaneously/) } - end + context 'default parameters' do + it { is_expected.to contain_service('puppetserver').with_ensure(true).with_enable(true) } + end + context 'enable => false' do + let(:params) do + { enable: false } end + + it { is_expected.to contain_service('puppetserver').with_ensure(false).with_enable(false) } end end diff --git a/templates/server/config.ru.erb b/templates/server/config.ru.erb deleted file mode 100644 index 73a86fe..0000000 --- a/templates/server/config.ru.erb +++ /dev/null 
@@ -1,117 +0,0 @@ -### Next part of the file is managed by a different template ### -## Module: '<%= scope.to_hash['module_name'] %>' -# a config.ru, for use with every rack-compatible webserver. -# SSL needs to be handled outside this, though. - -# if puppet is not in your RUBYLIB: -# $LOAD_PATH.unshift('/opt/puppet/lib') - -$0 = "master" - -# if you want debugging: -# ARGV << "--debug" - -ARGV << "--rack" - -# Rack applications typically don't start as root. Set --confdir and --vardir -# to prevent reading configuration from ~puppet/.puppet/puppet.conf and writing -# to ~puppet/.puppet -ARGV << "--confdir" << "<%= @confdir %>" -ARGV << "--vardir" << "<%= @vardir %>" -<% (@rack_arguments || []).each do |server_rack_argument| -%> -ARGV << "<%= server_rack_argument %>" -<% end -%> - -# always_cache_features is a performance improvement and safe for a master to -# apply. This is intended to allow agents to recognize new features that may be -# delivered during catalog compilation. -ARGV << "--always_cache_features" - -# Rack middleware for Puppet 3 compatibility -# See Debian bug #832536 -class Puppet3Compat - attr_reader :master - @@puppet4_endpoints = ['puppet', 'puppet-ca'] - @@v1_res_endpoints = ['catalog', 'file_bucket_file', 'file_content', - 'file_metadata', 'file_metadatas', 'report', - 'facts', 'node', 'resource_type', 'resource_types', - 'status'] - @@v1_ca_endpoints = ['certificate', 'certificate_request', - 'certificate_status', 'certificate_statuses', - 'certificate_revocation_list'] - @@v2_endpoints = ['environments'] - - def initialize(app) - @master = app - end - - def call(env) - components = env["PATH_INFO"].to_s.split("/") - - components.shift if components.first.empty? 
- - if components.length < 2 - return master.call(env) - end - - environment = components.shift - @api = components.first - - # Short-circuit Puppet 4 requests - if @@puppet4_endpoints.include?(environment) - return master.call(env) - end - - @req = Rack::Request.new(env) - - # Rewrite Puppet 3 requests - if @@v1_ca_endpoints.include?(@api) - @req.path_info = "/puppet-ca/v1/#{components.join("/")}" - elsif @@v1_res_endpoints.include?(@api) || @@v2_endpoints.include?(@api) - @req.path_info = "/puppet/v3/#{components.join("/")}" - end - - if environment != "v2.0" - @req.update_param("environment", environment) - - # Re-create the query string - env['QUERY_STRING'] = Rack::Utils.build_query(@req.params) - end - - env["HTTP_ACCEPT"] = env["HTTP_ACCEPT"].split(/\s*,\s*/).map { |a| a.sub(/^raw|s$/, 'binary') }.uniq.join(', ') - if @api == "file_bucket_file" && (@req.post? || @req.put?) - env["CONTENT_TYPE"] = "application/octet-stream" - end - - master.call(env).tap do |res| - if @api =~ /^file_(content|bucket_file)/ && @req.get? - # Always respond with text/plain to Puppet 3 clients. - res[1]["Content-Type"] = "text/plain" - end - end - end -end - -use Puppet3Compat - -# NOTE: it's unfortunate that we have to use the "CommandLine" class -# here to launch the app, but it contains some initialization logic -# (such as triggering the parsing of the config file) that is very -# important. We should do something less nasty here when we've -# gotten our API and settings initialization logic cleaned up. -# -# Also note that the "$0 = master" line up near the top here is -# the magic that allows the CommandLine class to know that it's -# supposed to be running master. -# -# --cprice 2012-05-22 -# - -#Ensure UTF-8 is our default (sadly Ruby 1.9 sets to US-ASCII) -Encoding.default_external = Encoding::UTF_8 if defined? Encoding - -require 'puppet/util/command_line' -# we're usually running inside a Rack::Builder.new {} block, -# therefore we need to call run *here*. 
-run Puppet::Util::CommandLine.new.execute -
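Review bot: the rewritten `spec/classes/puppet_server_service_spec.rb` hunk drops the `on_os_under_test.each do |os, facts|` loop and its `let(:facts)` block together with the puppetmaster/rack examples, so the two surviving examples (`context 'default parameters'` and `context 'enable => false'`) only compile `puppet::server::service` against rspec-puppet's default facts. The puppetserver spec earlier in this same patch still branches on `facts[:osfamily] == 'FreeBSD'` for service-related paths, so keep the per-OS loop around the new contexts (`on_os_under_test.each do |os, facts|` with `let(:facts) { facts }`) rather than removing it. The removed `raise_error(Puppet::Error, /Both puppetmaster and puppetserver cannot be enabled simultaneously/)` example also documented a validation that disappears here; if the `puppetmaster`, `puppetserver` and `rack` parameters are still accepted for backwards compatibility, a deprecation example should take its place, otherwise the README should state that they were removed.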
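Review bot: deleting `templates/server/config.ru.erb` removes the Rack entry point and the whole `Puppet3Compat` middleware (the rewriting of `/:environment/:api` requests onto `/puppet/v3/...` and `/puppet-ca/v1/...`, the `environment` query parameter injection, and the `Content-Type`/`HTTP_ACCEPT` adjustments for Puppet 3 clients) without any change in this patch that cleans up the file it used to generate. Since the template simply disappears, hosts that had a `config.ru` deployed under the old `app_root` (the removed service spec used `/etc/puppet/rack`) keep a stale copy that still passes `--confdir`/`--vardir` and launches the master via `Puppet::Util::CommandLine`; add a migration note or an `ensure => absent` on that file, and confirm no manifest still references this template or the `@rack_arguments`, `@confdir` and `@vardir` variables it consumed. Please also state in the changelog that Puppet 3 agents lose the compatibility shim this middleware provided, since this is a breaking change for mixed-version fleets.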