diff --git a/README.md b/README.md index cfe7584..ce9c678 100644 --- a/README.md +++ b/README.md 
@@ -1,212 +1,212 @@ [![Puppet Forge](http://img.shields.io/puppetforge/v/theforeman/puppet.svg)](https://forge.puppetlabs.com/theforeman/puppet) [![Build Status](https://travis-ci.org/theforeman/puppet-puppet.svg?branch=master)](https://travis-ci.org/theforeman/puppet-puppet) # Puppet module for installing the Puppet agent and master Installs and configures the Puppet agent and optionally a Puppet master (when `server` is true). Part of the [Foreman installer](http://github.com/theforeman/foreman-installer) or to be used as a Puppet module. The Puppet master is configured under Apache and Passenger by default, unless `server_passenger` is set to false. When using Puppet Labs AIO packages (puppet-agent) the JVM-based Puppet Server is installed by default. For Puppet 3.x based installation, `server_implementation` can be set to `puppetserver` to switch to the JVM-based Puppet Server. -When using Puppet Server 2 (version 2.0 was the first version to support Puppet 4), +When using Puppet Server (version 2.2.x is the lowest version, this module supports), the module supports and assumes you will be installing the latest version. If you know you'll be installing an earlier or specific version, you will need to override `server_puppetserver_version`. More information in the Puppet Server section below. Many puppet.conf options for agents, masters and other are parameterized, with class documentation provided at the top of the manifests. In addition, there are hash parameters for each configuration section that can be used to supply any options that are not explicitly supported. ## Environments support The module helps configure Puppet environments using directory environments on Puppet 3.6+ and config environments on older versions. These are set up under /etc/puppet/environments/ - change `server_environments` to define the list to create, or use `puppet::server::env` for more control. 
When using directory environments with R10K you need to set the `server_environments` parameter to an empty array ie. `[]` to prevent `r10k deploy environments` from reporting an error caused by the creation of top level environment directory(s). ## Git repo support Environments can be backed by git by setting `server_git_repo` to true, which sets up `/var/lib/puppet/puppet.git` where each branch maps to one environment. Avoid using 'master' as this name isn't permitted. On each push to the repo, a hook updates `/etc/puppet/environments` with the contents of the branch. Requires [theforeman/git](https://forge.puppetlabs.com/theforeman/git). ## Foreman integration With the 3.0.0 release the Foreman integration became optional. It will still by default install the Foreman integration when `server` is true, so if you wish to run a Puppet master without Foreman, it can be disabled by setting `server_foreman` to false. Requires [theforeman/foreman](https://forge.puppetlabs.com/theforeman/foreman). ## PuppetDB integration The Puppet master can be configured to export catalogs and reports to a PuppetDB instance, using the puppetlabs/puppetdb module. Use its `puppetdb::server` class to install the PuppetDB server and this module to configure the Puppet master to connect to PuppetDB. Requires [puppetlabs/puppetdb](https://forge.puppetlabs.com/puppetlabs/puppetdb) Please see the notes about using puppetlabs/puppetdb 5.x with older versions of Puppet (< 4.x) and PuppetDB (< 3.x) with newer releases of the module and set the values via hiera or an extra include of `puppetdb::globals` with `puppetdb_version` defined. # Installation Available from GitHub (via cloning or tarball), [Puppet Forge](https://forge.puppetlabs.com/theforeman/puppet) or as part of the Foreman installer. # Usage As a parameterized class, all the configurable options can be overridden from your wrapper classes or even your ENC (if it supports param classes). 
For example: # Agent and cron (or daemon): class { '::puppet': runmode => 'cron' } # Agent and puppetmaster: class { '::puppet': server => true } # You want to use git? class { '::puppet': server => true server_git_repo => true } # You need need your own template for puppet.conf? class { '::puppet': agent_template => 'puppetagent/puppet.conf.core.erb', server => true, server_template => 'puppetserver/puppet.conf.master.erb', } # Maybe you're using gitolite, new hooks, and a different port? class { '::puppet': server => true server_port => 8141, server_git_repo => true, server_git_repo_path => '/var/lib/gitolite/repositories/puppet.git', server_post_hook_name => 'post-receive.puppet', server_post_hook_content => 'puppetserver/post-hook.puppet', } # Configure master without Foreman integration class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', } # The same example as above but overriding `server_environments` for R10K class { '::puppet': server => true, server_foreman => false, server_reports => 'store', server_external_nodes => '', server_environments => [], } # Want to integrate with an existing PuppetDB? class { '::puppet': server => true, server_puppetdb_host => 'mypuppetdb.example.com', server_reports => 'puppetdb,foreman', server_storeconfigs_backend => 'puppetdb', } Look in _init.pp_ for what can be configured this way, see Contributing if anything doesn't work. To use this in standalone mode, edit a file (e.g. install.pp), put in a class resource, as per the examples above, and the execute _puppet apply_ e.g: cat > install.pp < true } EOF puppet apply install.pp --modulepath /path_to/extracted_tarball # Advanced scenarios An HTTP (non-SSL) puppetmaster instance can be set up (standalone or in addition to the SSL instance) by setting the `server_http` parameter to `true`. This is useful for reverse proxy or load balancer scenarios where the proxy/load balancer takes care of SSL termination. 
The HTTP puppetmaster instance expects the `X-Client-Verify`, `X-SSL-Client-DN` and `X-SSL-Subject` HTTP headers to have been set on the front end server. The listening port can be configured by setting `server_http_port` (which defaults to 8139). For passenger setups, this HTTP instance accepts no connections by default (`deny all` in the `` snippet). Allowed hosts can be configured by setting the `server_http_allow` parameter (which expects an array). For puppetserver, this HTTP instance accepts **ALL** connections and no further restrictions can be configured. The `server_http_allow` parameter has no effect at all! **Note that running an HTTP puppetmaster is a huge security risk when improperly configured. Allowed hosts should be tightly controlled; anyone with access to an allowed host can access all client catalogues and client certificates.** # Configure an HTTP puppetmaster vhost in addition to the standard SSL vhost class { '::puppet': server => true, server_http => true, server_http_port => 8130, # default: 8139 server_http_allow => ['10.20.30.1', 'puppetbalancer.my.corp'], } ## Puppet Server configuration Puppet Server requires slightly different configuration between different versions, which this module supports. It's recommended that you set the `server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version you have installed. By default the module will configure for the latest version available. 
Currently supported values and configuration behaviours are: * `5.0.0` (default for Puppet >= 5) - configures metrics service and `/puppet/experimental` route * `2.7.x` (default for Puppet < 5) - creates `product.conf` * `2.5.x`, `2.6.x` - configures the certificate authority in `ca.cfg` * `2.4.99` - configures for both 2.4 and 2.5, with `bootstrap.cfg` and `ca.cfg` * `2.3.x`, `2.4.x` - configures the certificate authority and versioned-code-service in `bootstrap.cfg` -* `2.2.x` or lower - configures the certificate authority in `bootstrap.cfg` +* `2.2.x` - configures the certificate authority in `bootstrap.cfg` # Contributing * Fork the project * Commit and push until you are happy with your contribution # More info See http://theforeman.org or at #theforeman irc channel on freenode Copyright (c) 2010-2012 Ohad Levy This program and entire repository is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index 47ab368..239ced3 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp 
@@ -1,375 +1,350 @@ # == Class: puppet::server::puppetserver # # Configures the puppetserver jvm configuration file using augeas. # # === Parameters: # # * `java_bin` # Path to the java executable to use # # * `config` # Path to the jvm configuration file. # This file is usually either /etc/default/puppetserver or # /etc/sysconfig/puppetserver depending on your *nix flavor. # # * `jvm_min_heap_size` # Translates into the -Xms option and is added to the JAVA_ARGS # # * `jvm_max_heap_size` # Translates into the -Xmx option and is added to the JAVA_ARGS # # * `jvm_extra_args` # Custom options to pass through to the java binary. These get added to # the end of the JAVA_ARGS variable # # * `jvm_cli_args` # Custom options to pass through to the java binary when using a # puppetserver subcommand, (eg puppetserver gem). These get used # in the JAVA_ARGS_CLI variable. # # * `server_puppetserver_dir` # Puppetserver config directory # # * `server_puppetserver_vardir` # Puppetserver var directory # # * `server_jruby_gem_home` # Puppetserver jruby gemhome # # * `server_cipher_suites` # Puppetserver array of acceptable ciphers # # * `server_ssl_protocols` # Puppetserver array of acceptable ssl protocols # # * `server_max_active_instances` # Puppetserver number of max jruby instances # # * `server_max_requests_per_instance` # Puppetserver number of max requests per jruby instance # # === Example # # @example # # # configure memory for java < 8 # class {'::puppet::server::puppetserver': # jvm_min_heap_size => '1G', # jvm_max_heap_size => '3G', # jvm_extra_args => '-XX:MaxPermSize=256m', # } # class puppet::server::puppetserver ( $config = $::puppet::server::jvm_config, $java_bin = $::puppet::server::jvm_java_bin, $jvm_extra_args = $::puppet::server::jvm_extra_args, $jvm_cli_args = $::puppet::server::jvm_cli_args, $jvm_min_heap_size = $::puppet::server::jvm_min_heap_size, $jvm_max_heap_size = $::puppet::server::jvm_max_heap_size, $server_puppetserver_dir = 
$::puppet::server::puppetserver_dir, $server_puppetserver_vardir = $::puppet::server::puppetserver_vardir, $server_puppetserver_rundir = $::puppet::server::puppetserver_rundir, $server_puppetserver_logdir = $::puppet::server::puppetserver_logdir, $server_jruby_gem_home = $::puppet::server::jruby_gem_home, $server_ruby_load_paths = $::puppet::server::ruby_load_paths, $server_cipher_suites = $::puppet::server::cipher_suites, $server_max_active_instances = $::puppet::server::max_active_instances, $server_max_requests_per_instance = $::puppet::server::max_requests_per_instance, $server_ssl_protocols = $::puppet::server::ssl_protocols, $server_ssl_ca_crl = $::puppet::server::ssl_ca_crl, $server_ssl_ca_cert = $::puppet::server::ssl_ca_cert, $server_ssl_cert = $::puppet::server::ssl_cert, $server_ssl_cert_key = $::puppet::server::ssl_cert_key, $server_ssl_chain = $::puppet::server::ssl_chain, $server_crl_enable = $::puppet::server::crl_enable_real, $server_ip = $::puppet::server::ip, $server_port = $::puppet::server::port, $server_http = $::puppet::server::http, $server_http_allow = $::puppet::server::http_allow, $server_http_port = $::puppet::server::http_port, $server_ca = $::puppet::server::ca, $server_dir = $::puppet::server::dir, $codedir = $::puppet::server::codedir, $server_idle_timeout = $::puppet::server::idle_timeout, $server_web_idle_timeout = $::puppet::server::web_idle_timeout, $server_connect_timeout = $::puppet::server::connect_timeout, $server_ca_auth_required = $::puppet::server::ca_auth_required, $server_ca_client_whitelist = $::puppet::server::ca_client_whitelist, $server_admin_api_whitelist = $::puppet::server::admin_api_whitelist, $server_puppetserver_version = $::puppet::server::puppetserver_version, $server_use_legacy_auth_conf = $::puppet::server::use_legacy_auth_conf, $server_check_for_updates = $::puppet::server::check_for_updates, $server_environment_class_cache_enabled = $::puppet::server::environment_class_cache_enabled, $server_jruby9k = 
$::puppet::server::puppetserver_jruby9k, $server_metrics = $::puppet::server::puppetserver_metrics, $server_experimental = $::puppet::server::puppetserver_experimental, $server_trusted_agents = $::puppet::server::puppetserver_trusted_agents, ) { include ::puppet::server + if versioncmp($server_puppetserver_version, '2.2') < 0 { + fail('puppetserver <2.2 is not supported by this module version') + } + if !(empty($server_http_allow)) { fail('setting $server_http_allow is not supported for puppetserver as it would have no effect') } $puppetserver_package = pick($::puppet::server::package, 'puppetserver') $jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args] $jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' ')) if $::osfamily == 'FreeBSD' { augeas { 'puppet::server::puppetserver::jvm': context => '/files/etc/rc.conf', changes => [ "set puppetserver_java_opts '\"${jvm_cmd}\"'" ], } } else { if $jvm_cli_args { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", "set JAVA_ARGS_CLI '\"${jvm_cli_args}\"'", ] } else { $changes = [ "set JAVA_ARGS '\"${jvm_cmd}\"'", "set JAVA_BIN ${java_bin}", ] } augeas { 'puppet::server::puppetserver::jvm': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $changes, } if versioncmp($server_puppetserver_version, '2.4.99') == 0 { $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg,${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" } elsif versioncmp($server_puppetserver_version, '2.5') >= 0 { $bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/" } else { # 2.4 $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg" } augeas { 'puppet::server::puppetserver::bootstrap': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'", } if 
versioncmp($server_puppetserver_version, '5.0') >= 0 { $jruby_jar_changes = $server_jruby9k ? { true => "set JRUBY_JAR '\"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar\"'", default => 'rm JRUBY_JAR' } augeas { 'puppet::server::puppetserver::jruby_jar': lens => 'Shellvars.lns', incl => $config, context => "/files${config}", changes => $jruby_jar_changes, } } } # 2.4.99 configures for both 2.4 and 2.5 making upgrades and new installations easier when the # precise version available isn't known if versioncmp($server_puppetserver_version, '2.4.99') >= 0 { $servicesd = "${server_puppetserver_dir}/services.d" file { $servicesd: ensure => directory, } file { "${servicesd}/ca.cfg": ensure => file, content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'), } unless $::osfamily == 'FreeBSD' { file { '/opt/puppetlabs/server/apps/puppetserver/config': ensure => directory, } file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d': ensure => directory, } } } if versioncmp($server_puppetserver_version, '2.5') < 0 { $bootstrapcfg = "${server_puppetserver_dir}/bootstrap.cfg" file { $bootstrapcfg: ensure => file, } $ca_enabled_ensure = $server_ca ? { true => present, default => absent, } $ca_disabled_ensure = $server_ca ? 
{ false => present, default => absent, } file_line { 'ca_enabled': ensure => $ca_enabled_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service', require => File[$bootstrapcfg], } file_line { 'ca_disabled': ensure => $ca_disabled_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service', require => File[$bootstrapcfg], } if versioncmp($server_puppetserver_version, '2.3') >= 0 { $versioned_code_service_ensure = present } else { $versioned_code_service_ensure = absent } file_line { 'versioned_code_service': ensure => $versioned_code_service_ensure, path => $bootstrapcfg, line => 'puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service', require => File[$bootstrapcfg], } } - $ca_conf = "${server_puppetserver_dir}/conf.d/ca.conf" - - if versioncmp($server_puppetserver_version, '2.2') < 0 { - $ca_conf_ensure = file - - hocon_setting { 'certificate-authority.certificate-status.authorization-required': - ensure => present, - path => $ca_conf, - setting => 'certificate-authority.certificate-status.authorization-required', - value => $server_ca_auth_required, - require => File[$ca_conf], - } - - $ca_conf_client_whitelist_ensure = $server_ca_auth_required ? 
{ - true => present, - default => absent, - } - - hocon_setting { 'certificate-authority.certificate-status.client-whitelist': - ensure => $ca_conf_client_whitelist_ensure, - path => $ca_conf, - setting => 'certificate-authority.certificate-status.client-whitelist', - value => $server_ca_client_whitelist, - require => File[$ca_conf], - } - } else { - $ca_conf_ensure = absent - } - - file { $ca_conf: - ensure => $ca_conf_ensure, + file { "${server_puppetserver_dir}/conf.d/ca.conf": + ensure => absent, } file { "${server_puppetserver_dir}/conf.d/puppetserver.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/puppetserver.conf.erb'), } file { "${server_puppetserver_dir}/conf.d/auth.conf": ensure => file, content => template('puppet/server/puppetserver/conf.d/auth.conf.erb'), } $webserver_conf = "${server_puppetserver_dir}/conf.d/webserver.conf" file { $webserver_conf: ensure => file, } $webserver_general_settings = { 'webserver.access-log-config' => "${server_puppetserver_dir}/request-logging.xml", 'webserver.client-auth' => 'want', 'webserver.ssl-host' => $server_ip, 'webserver.ssl-port' => $server_port, 'webserver.ssl-cert' => $server_ssl_cert, 'webserver.ssl-key' => $server_ssl_cert_key, 'webserver.ssl-ca-cert' => $server_ssl_ca_cert, 'webserver.idle-timeout-milliseconds' => $server_web_idle_timeout, } $webserver_general_settings.each |$setting, $value| { hocon_setting { $setting: ensure => present, path => $webserver_conf, setting => $setting, value => $value, require => File[$webserver_conf], } } $webserver_http_settings_ensure = $server_http ? 
{ true => present, default => absent, } $webserver_http_settings = { 'webserver.host' => $server_ip, 'webserver.port' => $server_http_port, } $webserver_http_settings.each |$setting, $value| { hocon_setting { $setting: ensure => $webserver_http_settings_ensure, path => $webserver_conf, setting => $setting, value => $value, require => File[$webserver_conf], } } $webserver_crl_settings_ensure = $server_crl_enable ? { true => present, default => absent, } hocon_setting { 'webserver.ssl-crl-path': ensure => $webserver_crl_settings_ensure, path => $webserver_conf, setting => 'webserver.ssl-crl-path', value => $server_ssl_ca_crl, require => File[$webserver_conf], } $webserver_ca_settings_ensure = $server_ca ? { true => present, default => absent, } hocon_setting { 'webserver.ssl-cert-chain': ensure => $webserver_ca_settings_ensure, path => $webserver_conf, setting => 'webserver.ssl-cert-chain', value => $server_ssl_chain, require => File[$webserver_conf], } $product_conf = "${server_puppetserver_dir}/conf.d/product.conf" if versioncmp($server_puppetserver_version, '2.7') >= 0 { $product_conf_ensure = file hocon_setting { 'product.check-for-updates': ensure => present, path => $product_conf, setting => 'product.check-for-updates', value => $server_check_for_updates, require => File[$product_conf], } } else { $product_conf_ensure = absent } file { $product_conf: ensure => $product_conf_ensure, } } diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb index 06115bb..e8262c6 100644 --- a/spec/classes/puppet_server_puppetserver_spec.rb +++ b/spec/classes/puppet_server_puppetserver_spec.rb 
@@ -1,800 +1,715 @@ require 'spec_helper' describe 'puppet::server::puppetserver' do on_os_under_test.each do |os, facts| next if facts[:osfamily] == 'windows' next if facts[:osfamily] == 'Archlinux' context "on #{os}" do let :pre_condition do "class {'puppet': server_implementation => 'puppetserver'}" end if Puppet.version < '4.0' additional_facts = {} else additional_facts = {:rubysitedir => '/opt/puppetlabs/puppet/lib/ruby/site_ruby/2.1.0'} end let(:facts) do facts.merge(additional_facts) end let(:default_params) do { :java_bin => '/usr/bin/java', :config => '/etc/default/puppetserver', :jvm_min_heap_size => '2G', :jvm_max_heap_size => '2G', :jvm_extra_args => '', :jvm_cli_args => false, # In reality defaults to undef :server_ca_auth_required => true, :server_ca_client_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_admin_api_whitelist => [ 'localhost', 'puppetserver123.example.com' ], :server_ruby_load_paths => [ '/some/path', ], :server_ssl_protocols => [ 'TLSv1.2', ], :server_cipher_suites => [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ], :server_max_active_instances => 2, :server_max_requests_per_instance => 0, :server_http => false, :server_http_allow => [], :server_ca => true, :server_puppetserver_version => '2.4.99', :server_use_legacy_auth_conf => false, :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/puppetlabs/server/data/puppetserver', :server_puppetserver_rundir => '/var/run/puppetlabs/puppetserver', :server_puppetserver_logdir => '/var/log/puppetlabs/puppetserver', :server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', :server_dir => '/etc/puppetlabs/puppet', :codedir => '/etc/puppetlabs/code', :server_idle_timeout => 1200000, :server_web_idle_timeout => 30000, :server_connect_timeout => 120000, :server_check_for_updates => true, :server_environment_class_cache_enabled 
=> false, :server_jruby9k => false, :server_metrics => true, :server_experimental => true, :server_ip => '0.0.0.0', :server_port => '8140', :server_http_port => '8139', :server_ssl_ca_crl => '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem', :server_ssl_ca_cert => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', :server_ssl_cert => '/etc/puppetlabs/puppet/ssl/certs/puppetserver123.example.com.pem', :server_ssl_cert_key => '/etc/puppetlabs/puppet/ssl/private_keys/puppetserver123.example.com.pem', :server_ssl_chain => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem', :server_crl_enable => true, :server_trusted_agents => [], } end describe 'with default parameters' do let(:params) do - default_params.merge({ + default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + ) end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled').with_ensure('present') } it { should contain_file_line('ca_disabled'). with_ensure('absent') } it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') } - if facts[:osfamily] == 'FreeBSD' - it { should contain_augeas('puppet::server::puppetserver::jvm'). - with_changes([ - 'set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'', - ]). + if facts[:osfamily] == 'FreeBSD' + it { + should contain_augeas('puppet::server::puppetserver::jvm'). + with_changes([ + 'set puppetserver_java_opts \'"-Xms2G -Xmx2G"\'', + ]). with_context('/files/etc/rc.conf'). with({}) } else it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } - it { should contain_augeas('puppet::server::puppetserver::bootstrap'). 
- with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') + it { + should contain_augeas('puppet::server::puppetserver::bootstrap'). + with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'') } - it { should contain_augeas('puppet::server::puppetserver::jvm'). - with_changes([ - 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', - 'set JAVA_BIN /usr/bin/java', - ]). - with_context('/files/etc/default/puppetserver'). - with_incl('/etc/default/puppetserver'). - with_lens('Shellvars.lns'). - with({}) + it { + should contain_augeas('puppet::server::puppetserver::jvm'). + with_changes([ 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java' ]). + with_context('/files/etc/default/puppetserver'). + with_incl('/etc/default/puppetserver'). + with_lens('Shellvars.lns'). + with({}) } end - it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf'). - with_ensure('absent') + it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf').with_ensure('absent') } + it { + should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). + without_content(/^# Settings related to the puppet-admin HTTP API$/). + without_content(/^puppet-admin: \{$/). + without_content(/^\s+client-whitelist: \[$/). + without_content(/^\s+"localhost"\,$/). + without_content(/^\s+"puppetserver123.example.com"\,$/). + with({}) # So we can use a trailing dot on each with_content line } - it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf') } - it { should contain_hocon_setting('webserver.ssl-host'). + it { + should contain_hocon_setting('webserver.ssl-host'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-host'). with_value('0.0.0.0'). 
with_ensure('present') - } - it { should contain_hocon_setting('webserver.ssl-port'). + } + it { + should contain_hocon_setting('webserver.ssl-port'). with_path('/etc/custom/puppetserver/conf.d/webserver.conf'). with_setting('webserver.ssl-port'). with_value('8140'). with_ensure('present') - } - it { should contain_hocon_setting('webserver.host'). - with_ensure('absent') - } - it { should contain_hocon_setting('webserver.port'). - with_ensure('absent') } - it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). - with_content(/allow-header-cert-info: false/). - with({}) + it { should contain_hocon_setting('webserver.host').with_ensure('absent') } + it { should contain_hocon_setting('webserver.port').with_ensure('absent') } + it { + should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). + with_content(/allow-header-cert-info: false/). + with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/). + with_content(/^\s+name: "certificate_status"/). + with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/). + with_content(/^\s+name: "certificate_statuses"/). + with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/). + with_content(/^\s+name: "environment-cache"/). + with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/). + with_content(/^\s+name: "jruby-pool"/). 
+ with({}) # So we can use a trailing dot on each with_content line } end describe 'server_puppetserver_vardir' do context 'with default parameters' do let(:params) do default_params.merge({ :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/puppetlabs/server/data/puppetserver\n]) end end context 'with custom server_puppetserver_vardir' do let(:params) do - default_params.merge({ + default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', :server_puppetserver_vardir => '/opt/custom/puppetlabs/server/data/puppetserver', - }) + ) end it 'should have master-var-dir: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ master-var-dir: /opt/custom/puppetlabs/server/data/puppetserver\n]) end end end describe 'use-legacy-auth-conf' do context 'with default parameters' do let(:params) do - default_params.merge({ + default_params.merge( :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + ) end it 'should have use-legacy-auth-conf: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ use-legacy-auth-conf: false\n]) end end context 'when use-legacy-auth-conf = true' do let(:params) do default_params.merge({ :server_use_legacy_auth_conf => true, :server_puppetserver_dir => '/etc/custom/puppetserver', }) end it 'should have use-legacy-auth-conf: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ 
use-legacy-auth-conf: true\n]) end end - context 'when server_puppetserver_version < 2.2' do - let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.1.2', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) - end - it 'should not have a use-legacy-auth-conf setting in puppetserver.conf' do - content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] - expect(content).not_to include('use-legacy-auth-conf') - end - end end describe 'environment-class-cache-enabled' do context 'with default parameters' do let(:params) do - default_params.merge({ - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have environment-class-cache-enabled: false in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: false\n]) end end context 'when environment-class-cache-enabled = true' do let(:params) do - default_params.merge({ - :server_environment_class_cache_enabled => true, - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge( + :server_environment_class_cache_enabled => true, + :server_puppetserver_dir => '/etc/custom/puppetserver', + ) end it 'should have environment-class-cache-enabled: true in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ environment-class-cache-enabled: true\n]) end end context 'when server_puppetserver_version < 2.4' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.2.2', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge( + :server_puppetserver_version => '2.2.2', + :server_puppetserver_dir => 
'/etc/custom/puppetserver', + ) end it 'should not have a environment-class-cache-enabled setting in puppetserver.conf' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).not_to include('environment-class-cache-enabled') end end end describe 'server_max_requests_per_instance' do context 'with default parameters' do let(:params) do - default_params.merge({ - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge(:server_puppetserver_dir => '/etc/custom/puppetserver') end it 'should have max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 0\n]) end end context 'custom server_max_requests_per_instance' do let(:params) do - default_params.merge({ - :server_max_requests_per_instance => 123456, - }) + default_params.merge(:server_max_requests_per_instance => 123456) end it 'should have custom max-requests-per-instance: /opt/puppetlabs/server/data/puppetserver' do content = catalogue.resource('file', '/etc/custom/puppetserver/conf.d/puppetserver.conf').send(:parameters)[:content] expect(content).to include(%Q[ max-requests-per-instance: 123456\n]) end end end describe 'versioned-code-service' do context 'when server_puppetserver_version >= 2.5' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.5.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge( + :server_puppetserver_version => '2.5.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + ) end it { should_not contain_file_line('versioned_code_service') } end context 'when server_puppetserver_version >= 2.3 and < 2.5' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.3.1', - :server_puppetserver_dir => 
'/etc/custom/puppetserver', - }) + default_params.merge( + :server_puppetserver_version => '2.3.1', + :server_puppetserver_dir => '/etc/custom/puppetserver', + ) end it 'should have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). - with_ensure('present'). - with_path('/etc/custom/puppetserver/bootstrap.cfg'). - with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). - that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') + with_ensure('present'). + with_path('/etc/custom/puppetserver/bootstrap.cfg'). + with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). + that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end context 'when server_puppetserver_version < 2.3' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.2.2', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge( + :server_puppetserver_version => '2.2.2', + :server_puppetserver_dir => '/etc/custom/puppetserver', + ) end it 'should not have versioned-code-service in bootstrap.cfg' do should contain_file_line('versioned_code_service'). - with_ensure('absent'). - with_path('/etc/custom/puppetserver/bootstrap.cfg'). - with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). - that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') + with_ensure('absent'). + with_path('/etc/custom/puppetserver/bootstrap.cfg'). + with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service'). 
+ that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') end end end describe 'bootstrap.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.5.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge( + :server_puppetserver_version => '2.5.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + ) end it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should_not contain_file_line('ca_enabled') } it { should_not contain_file_line('ca_disabled') } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.4.98', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge( + :server_puppetserver_version => '2.4.98', + :server_puppetserver_dir => '/etc/custom/puppetserver', + ) end it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') } it { should contain_file_line('ca_enabled'). with_ensure('present'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } it { should contain_file_line('ca_disabled'). with_ensure('absent'). with_path('/etc/custom/puppetserver/bootstrap.cfg'). with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service'). that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]') } unless facts[:osfamily] == 'FreeBSD' - it { should contain_augeas('puppet::server::puppetserver::bootstrap'). - with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\''). - with_context('/files/etc/default/puppetserver'). - with_incl('/etc/default/puppetserver'). - with_lens('Shellvars.lns'). 
- with({}) + it { + should contain_augeas('puppet::server::puppetserver::bootstrap'). + with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\''). + with_context('/files/etc/default/puppetserver'). + with_incl('/etc/default/puppetserver'). + with_lens('Shellvars.lns'). + with({}) } end end end describe 'ca.cfg' do context 'when server_puppetserver_version >= 2.5' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.5.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge( + :server_puppetserver_version => '2.5.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + ) end it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') } it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } unless facts[:osfamily] == 'FreeBSD' it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') } it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') } - it { should contain_augeas('puppet::server::puppetserver::bootstrap'). - with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\''). - with_context('/files/etc/default/puppetserver'). - with_incl('/etc/default/puppetserver'). - with_lens('Shellvars.lns'). - with({}) + it { + should contain_augeas('puppet::server::puppetserver::bootstrap'). + with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\''). + with_context('/files/etc/default/puppetserver'). + with_incl('/etc/default/puppetserver'). 
+ with_lens('Shellvars.lns'). + with({}) } end end context 'when server_puppetserver_version >= 2.5 and server_ca => false' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.5.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_ca => false, - }) + default_params.merge( + :server_puppetserver_version => '2.5.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_ca => false, + ) end it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg'). with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}). with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service}) } end context 'when server_puppetserver_version < 2.4.99' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.4.98', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) + default_params.merge( + :server_puppetserver_version => '2.4.98', + :server_puppetserver_dir => '/etc/custom/puppetserver', + ) end it { should_not contain_file('/etc/custom/puppetserver/services.d') } it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') } it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') } end end - describe 'server_ca related settings' do - context 'when server_puppetserver_version >= 2.2' do - let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.2.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) - end - it { - should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). - with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/). - with_content(/^\s+name: "certificate_status"/). - with_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/). - with_content(/^\s+name: "certificate_statuses"/). 
- with_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/). - with_content(/^\s+name: "environment-cache"/). - with_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/). - with_content(/^\s+name: "jruby-pool"/). - with({}) # So we can use a trailing dot on each with_content line - } - it { - should contain_file('/etc/custom/puppetserver/conf.d/ca.conf'). - with_ensure('absent'). - with({}) # So we can use a trailing dot on each with_content line - } - it { - should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). - without_content(/^# Settings related to the puppet-admin HTTP API$/). - without_content(/^puppet-admin: \{$/). - without_content(/^\s+client-whitelist: \[$/). - without_content(/^\s+"localhost"\,$/). - without_content(/^\s+"puppetserver123.example.com"\,$/). - with({}) # So we can use a trailing dot on each with_content line - } - end - - context 'when server_puppetserver_version < 2.2' do - let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.1.1', - :server_puppetserver_dir => '/etc/custom/puppetserver', - }) - end - it { - should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). - without_content(/^\s+path: "\/puppet-ca\/v1\/certificate_status\/"/). - without_content(/^\s+name: "certificate_status"/). - without_content(/^\s+path: "\/puppet-ca\/v1\/certificate_statuses\/"/). - without_content(/^\s+name: "certificate_statuses"/). - without_content(/^\s+path: "\/puppet-admin-api\/v1\/environment-cache"/). - without_content(/^\s+name: "environment-cache"/). - without_content(/^\s+path: "\/puppet-admin-api\/v1\/jruby-pool"/). - without_content(/^\s+name: "jruby-pool"/). - with({}) # So we can use a trailing dot on each with_content line - } - it { - should contain_file('/etc/custom/puppetserver/conf.d/ca.conf'). - with_ensure('file') - } - it { should contain_hocon_setting('certificate-authority.certificate-status.authorization-required'). 
- with_path('/etc/custom/puppetserver/conf.d/ca.conf'). - with_setting('certificate-authority.certificate-status.authorization-required'). - with_value(true). - with_ensure('present') - } - it { should contain_hocon_setting('certificate-authority.certificate-status.client-whitelist'). - with_path('/etc/custom/puppetserver/conf.d/ca.conf'). - with_setting('certificate-authority.certificate-status.client-whitelist'). - with_value(['localhost', 'puppetserver123.example.com']). - with_ensure('present') - } - it { - should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). - with_content(/^# Settings related to the puppet-admin HTTP API$/). - with_content(/^puppet-admin: \{$/). - with_content(/^\s+client-whitelist: \[$/). - with_content(/^\s+"localhost"\,$/). - with_content(/^\s+"puppetserver123.example.com"\,$/). - with({}) # So we can use a trailing dot on each with_content line - } - end - end - describe 'product.conf' do context 'when server_puppetserver_version >= 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.7.0', :server_puppetserver_dir => '/etc/custom/puppetserver', :server_check_for_updates => false, ) end it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf'). with_ensure('file') } it { should contain_hocon_setting('product.check-for-updates'). with_path('/etc/custom/puppetserver/conf.d/product.conf'). with_setting('product.check-for-updates'). with_value(false). with_ensure('present') } end context 'when server_puppetserver_version < 2.7' do let(:params) do default_params.merge( :server_puppetserver_version => '2.6.0', :server_puppetserver_dir => '/etc/custom/puppetserver', ) end - it { - should contain_file('/etc/custom/puppetserver/conf.d/product.conf'). 
- with_ensure('absent') - } - it { - should_not contain_hocon_setting('product.check-for-updates') - } + it { should contain_file('/etc/custom/puppetserver/conf.d/product.conf').with_ensure('absent') } + it { should_not contain_hocon_setting('product.check-for-updates') } end end describe 'server_metrics' do context 'when server_puppetserver_version < 5.0 and server_metrics => true' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_metrics => true, - }) + default_params.merge( + :server_puppetserver_version => '2.7.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_metrics => true, + ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). without_content(%r{^ metrics-enabled: (.*)$}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } end context 'when server_puppetserver_version < 5.0 and server_metrics => false' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_metrics => false, - }) + default_params.merge( + :server_puppetserver_version => '2.7.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_metrics => false, + ) + end + it { + should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). + without_content(%r{^ metrics-enabled: (.*)$}). + with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) + } end - it { - should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). - without_content(%r{^ metrics-enabled: (.*)$}). 
- with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) - } - end context 'when server_puppetserver_version >= 5.0 and server_metrics => true' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '5.0.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_metrics => true, - }) + default_params.merge( + :server_puppetserver_version => '5.0.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_metrics => true, + ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: true$(.*)}). with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: true}) } end context 'when server_puppetserver_version >= 5.0 and server_metrics => false' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '5.0.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_metrics => false, - }) + default_params.merge( + :server_puppetserver_version => '5.0.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_metrics => false, + ) end it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf'). with_content(%r{^ # Whether to enable http-client metrics; defaults to 'true'.\n metrics-enabled: false$}). 
with_content(%r{^profiler: \{\n # enable or disable profiling for the Ruby code;\n enabled: false}) } end end describe 'server_experimental' do context 'when server_puppetserver_version < 5.0 and server_experimental => true' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_experimental => true, - }) + default_params.merge( + :server_puppetserver_version => '2.7.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_experimental => true, + ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version < 5.0 and server_experimental => false' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_experimental => false, - }) + default_params.merge( + :server_puppetserver_version => '2.7.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_experimental => false, + ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => true' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '5.0.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_experimental => true, - }) + default_params.merge( + :server_puppetserver_version => '5.0.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_experimental => true, + ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). 
with_content(%r{^(\ *)path: "/puppet/experimental"$}) } end context 'when server_puppetserver_version >= 5.0 and server_experimental => false' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '5.0.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_experimental => false, - }) + default_params.merge( + :server_puppetserver_version => '5.0.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_experimental => false, + ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). without_content(%r{^(\ *)path: "/puppet/experimental"$}) } end end describe 'server_trusted_agents' do context 'when set' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_trusted_agents => ['jenkins', 'octocatalog-diff'], - }) + default_params.merge( + :server_puppetserver_version => '2.7.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_trusted_agents => ['jenkins', 'octocatalog-diff'], + ) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). 
with_content(%r{^ allow: \["jenkins", "octocatalog-diff", "\$1"\]$}) } end end unless facts[:osfamily] == 'FreeBSD' describe 'server_jruby9k' do context 'when server_puppetserver_version < 5.0 and server_jruby9k => true' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_jruby9k => true, - }) + default_params.merge( + :server_puppetserver_version => '2.7.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_jruby9k => true, + ) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version < 5.0 and server_jruby9k => false' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '2.7.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_jruby9k => false, - }) + default_params.merge( + :server_puppetserver_version => '2.7.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_jruby9k => false, + ) end it { should_not contain_augeas('puppet::server::puppetserver::jruby_jar') } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => true' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '5.0.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_jruby9k => true, - }) + default_params.merge( + :server_puppetserver_version => '5.0.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_jruby9k => true, + ) end it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). with_changes(['set JRUBY_JAR \'"/opt/puppetlabs/server/apps/puppetserver/jruby-9k.jar"\'']). with_context('/files/etc/default/puppetserver'). with_incl('/etc/default/puppetserver'). with_lens('Shellvars.lns'). 
with({}) } end context 'when server_puppetserver_version >= 5.0 and server_jruby9k => false' do let(:params) do - default_params.merge({ - :server_puppetserver_version => '5.0.0', - :server_puppetserver_dir => '/etc/custom/puppetserver', - :server_jruby9k => false, - }) + default_params.merge( + :server_puppetserver_version => '5.0.0', + :server_puppetserver_dir => '/etc/custom/puppetserver', + :server_jruby9k => false, + ) end - it { should contain_augeas('puppet::server::puppetserver::jruby_jar'). - with_changes(['rm JRUBY_JAR']). - with_context('/files/etc/default/puppetserver'). - with_incl('/etc/default/puppetserver'). - with_lens('Shellvars.lns'). - with({}) + it { + should contain_augeas('puppet::server::puppetserver::jruby_jar'). + with_changes(['rm JRUBY_JAR']). + with_context('/files/etc/default/puppetserver'). + with_incl('/etc/default/puppetserver'). + with_lens('Shellvars.lns'). + with({}) } end end end describe 'with extra_args parameter' do let :params do - default_params.merge({ + default_params.merge( :jvm_extra_args => ['-XX:foo=bar', '-XX:bar=foo'], - }) + ) end if facts[:osfamily] == 'FreeBSD' - it { should contain_augeas('puppet::server::puppetserver::jvm'). - with_changes([ - 'set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', - ]). - with_context('/files/etc/rc.conf'). - with({}) + it { + should contain_augeas('puppet::server::puppetserver::jvm'). + with_changes([ + 'set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', + ]). + with_context('/files/etc/rc.conf'). + with({}) } else - it { should contain_augeas('puppet::server::puppetserver::jvm'). - with_changes([ - 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', - 'set JAVA_BIN /usr/bin/java', - ]). - with_context('/files/etc/default/puppetserver'). - with_incl('/etc/default/puppetserver'). - with_lens('Shellvars.lns'). - with({}) + it { + should contain_augeas('puppet::server::puppetserver::jvm'). 
+ with_changes([ + 'set JAVA_ARGS \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\'', + 'set JAVA_BIN /usr/bin/java', + ]). + with_context('/files/etc/default/puppetserver'). + with_incl('/etc/default/puppetserver'). + with_lens('Shellvars.lns'). + with({}) } end end describe 'with cli_args parameter' do let :params do - default_params.merge({ - :jvm_cli_args => '-Djava.io.tmpdir=/var/puppettmp', - }) + default_params.merge(:jvm_cli_args => '-Djava.io.tmpdir=/var/puppettmp') end if facts[:osfamily] != 'FreeBSD' - it { should contain_augeas('puppet::server::puppetserver::jvm'). - with_changes([ - 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', - 'set JAVA_BIN /usr/bin/java', - 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'', - ]). - with_context('/files/etc/default/puppetserver'). - with_incl('/etc/default/puppetserver'). - with_lens('Shellvars.lns'). - with({}) + it { + should contain_augeas('puppet::server::puppetserver::jvm'). + with_changes([ + 'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', + 'set JAVA_BIN /usr/bin/java', + 'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\'', + ]). + with_context('/files/etc/default/puppetserver'). + with_incl('/etc/default/puppetserver'). + with_lens('Shellvars.lns'). + with({}) } end end describe 'with jvm_config file parameter' do - let :params do default_params.merge({ - :config => '/etc/custom/puppetserver', - }) + let :params do + default_params.merge(:config => '/etc/custom/puppetserver') end if facts[:osfamily] == 'FreeBSD' - it { should contain_augeas('puppet::server::puppetserver::jvm'). - with_context('/files/etc/rc.conf'). - with({}) - } + it { should contain_augeas('puppet::server::puppetserver::jvm').with_context('/files/etc/rc.conf') } else - it { should contain_augeas('puppet::server::puppetserver::jvm'). - with_context('/files/etc/custom/puppetserver'). - with_incl('/etc/custom/puppetserver'). - with_lens('Shellvars.lns'). - with({}) + it { + should contain_augeas('puppet::server::puppetserver::jvm'). 
+ with_context('/files/etc/custom/puppetserver'). + with_incl('/etc/custom/puppetserver'). + with_lens('Shellvars.lns'). + with({}) } end end + + describe 'when server_puppetserver_version < 2.2' do + let(:params) do + default_params.merge(:server_puppetserver_version => '2.1.0') + end + it { should raise_error(Puppet::Error, /puppetserver <2.2 is not supported by this module version/) } + end end end end diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb index b58f0ae..b181ff1 100644 --- a/templates/server/puppetserver/conf.d/auth.conf.erb +++ b/templates/server/puppetserver/conf.d/auth.conf.erb 
@@ -1,270 +1,268 @@ authorization: { version: 1 allow-header-cert-info: <%= scope.lookupvar('puppet::server::http') || scope.lookupvar('puppet::server::allow_header_cert_info') %> rules: [ { # Allow nodes to retrieve their own catalog match-request: { path: "^/puppet/v3/catalog/([^/]+)$" type: regex method: [get, post] } allow: <%= @server_trusted_agents << '$1' %> sort-order: 500 name: "puppetlabs catalog" }, { # Allow nodes to retrieve the certificate they requested earlier match-request: { path: "/puppet-ca/v1/certificate/" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs certificate" }, { # Allow all nodes to access the certificate revocation list match-request: { path: "/puppet-ca/v1/certificate_revocation_list/ca" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs crl" }, { # Allow nodes to request a new certificate match-request: { path: "/puppet-ca/v1/certificate_request" type: path method: [get, put] } allow-unauthenticated: true sort-order: 500 name: "puppetlabs csr" }, -<%- if scope.function_versioncmp([@server_puppetserver_version, '2.2']) > 0 -%> <%- if @server_ca -%> { match-request: { path: "/puppet-ca/v1/certificate_status/" type: path method: [ get, put, delete ] } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] <%- end -%> sort-order: 200 name: "certificate_status" }, { match-request: { path: "/puppet-ca/v1/certificate_statuses/" type: path method: get } <%- if @server_ca_auth_required == false -%> allow-unauthenticated: true <%- else -%> allow: [ <%- @server_ca_client_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] <%- end -%> sort-order: 200 name: "certificate_statuses" }, <%- end -%> { match-request: { path: "/puppet-admin-api/v1/environment-cache" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do 
|client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "environment-cache" }, { match-request: { path: "/puppet-admin-api/v1/jruby-pool" type: path method: delete } allow: [ <%- @server_admin_api_whitelist.each do |client| -%> "<%= client %>", <%- end -%> ] sort-order: 200 name: "jruby-pool" }, -<%- end -%> { match-request: { path: "/puppet/v3/environments" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environments" }, { match-request: { path: "/puppet/v3/environment_classes" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs environment classes" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) < 0 -%> { match-request: { path: "/puppet/v3/resource_type" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs resource type" }, { # Allow nodes to access all file services; this is necessary for # pluginsync, file serving from modules, and file serving from # custom mount points (see fileserver.conf). Note that the `/file` # prefix matches requests to file_metadata, file_content, and # file_bucket_file paths. match-request: { path: "/puppet/v3/file" type: path } allow: "*" sort-order: 500 name: "puppetlabs file" }, <%- else -%> { # Allow nodes to access all file_bucket_files. Note that access for # the 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_bucket_file" type: path method: [get, head, post, put] } allow: "*" sort-order: 500 name: "puppetlabs file bucket file" }, { # Allow nodes to access all file_content. Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_content" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file content" }, { # Allow nodes to access all file_metadata. 
Note that access for the # 'delete' method is forbidden by Puppet regardless of the # configuration of this rule. match-request: { path: "/puppet/v3/file_metadata" type: path method: [get, post] } allow: "*" sort-order: 500 name: "puppetlabs file metadata" }, <%- end -%> { # Allow nodes to retrieve only their own node definition match-request: { path: "^/puppet/v3/node/([^/]+)$" type: regex method: get } allow: "$1" sort-order: 500 name: "puppetlabs node" }, { # Allow nodes to store only their own reports match-request: { path: "^/puppet/v3/report/([^/]+)$" type: regex method: put } allow: "$1" sort-order: 500 name: "puppetlabs report" }, { match-request: { path: "/puppet/v3/status" type: path method: get } allow-unauthenticated: true sort-order: 500 name: "puppetlabs status" }, { match-request: { path: "/puppet/v3/static_file_content" type: path method: get } allow: "*" sort-order: 500 name: "puppetlabs static file content" }, <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 && @server_experimental -%> { # Allow all users access to the experimental endpoint # which currently only provides a dashboard web ui. match-request: { path: "/puppet/experimental" type: path } allow-unauthenticated: true sort-order: 500 name: "puppetlabs experimental" }, <%- end -%> { # Deny everything else. This ACL is not strictly # necessary, but illustrates the default policy match-request: { path: "/" type: path } deny: "*" sort-order: 999 name: "puppetlabs deny all" } ] } diff --git a/templates/server/puppetserver/conf.d/puppetserver.conf.erb b/templates/server/puppetserver/conf.d/puppetserver.conf.erb index 8900b49..9021d5c 100644 --- a/templates/server/puppetserver/conf.d/puppetserver.conf.erb +++ b/templates/server/puppetserver/conf.d/puppetserver.conf.erb 
@@ -1,129 +1,110 @@ # configuration for the JRuby interpreters jruby-puppet: { -<%- if scope.function_versioncmp([@puppetversion, '4.0']) >= 0 -%> # Where the puppet-agent dependency places puppet, facter, etc... # Puppet server expects to load Puppet from this location ruby-load-path: [ <%- @server_ruby_load_paths.each do |ruby_load_path| -%> <%= ruby_load_path %>, <%- end -%> ] -<%- end -%> # This setting determines where JRuby will install gems. It is used for loading gems, # and also by the `puppetserver gem` command line tool. gem-home: <%= @server_jruby_gem_home %> <%- if scope.function_versioncmp([@server_puppetserver_version, '2.7']) >= 0 -%> # This setting defines the complete "GEM_PATH" for jruby. If set, it should include # the gem-home directory as well as any other directories that gems can be loaded # from (including the vendored gems directory for gems that ship with puppetserver) gem-path: [${jruby-puppet.gem-home}, "<%= @server_puppetserver_vardir %>/vendored-jruby-gems"] <%- end -%> # PLEASE NOTE: Use caution when modifying the below settings. Modifying # these settings will change the value of the corresponding Puppet settings # for Puppet Server, but not for the Puppet CLI tools. This likely will not # be a problem with master-var-dir, master-run-dir, or master-log-dir unless # some critical setting in puppet.conf is interpolating the value of one # of the corresponding settings, but it is important that any changes made to # master-conf-dir and master-code-dir are also made to the corresponding Puppet # settings when running the Puppet CLI tools. See # https://docs.puppetlabs.com/puppetserver/latest/puppet_conf_setting_diffs.html#overriding-puppet-settings-in-puppet-server # for more information. 
# (optional) path to puppet conf dir; if not specified, will use # the puppet default master-conf-dir: <%= @server_dir %> -<%- if scope.function_versioncmp([@server_puppetserver_version, '2.1']) >= 0 -%> # (optional) path to puppet code dir; if not specified, will use # the puppet default master-code-dir: <%= @codedir %> -<%- end -%> # (optional) path to puppet var dir; if not specified, will use # the puppet default master-var-dir: <%= @server_puppetserver_vardir %> -<%- if scope.function_versioncmp([@server_puppetserver_version, '2.1']) >= 0 -%> # (optional) path to puppet run dir; if not specified, will use # the puppet default master-run-dir: <%= @server_puppetserver_rundir %> # (optional) path to puppet log dir; if not specified, will use # the puppet default master-log-dir: <%= @server_puppetserver_logdir %> -<%- end -%> # (optional) maximum number of JRuby instances to allow max-active-instances: <%= @server_max_active_instances %> # (optional) the number of HTTP requests a given JRuby instance will handle in its lifetime. max-requests-per-instance: <%= @server_max_requests_per_instance %> -<%- if scope.function_versioncmp([@server_puppetserver_version, '2.2']) >= 0 -%> # (optional) Authorize access to Puppet master endpoints via rules # specified in the legacy Puppet auth.conf file (if true) or via rules # specified in the Puppet Server HOCON-formatted auth.conf (if false or not # specified). 
use-legacy-auth-conf: <%= @server_use_legacy_auth_conf %> -<%- end -%> <%- if scope.function_versioncmp([@server_puppetserver_version, '2.3']) >= 0 -%> # (optional) enable or disable environment class cache environment-class-cache-enabled: <%= @server_environment_class_cache_enabled %> <%- end -%> } # settings related to HTTP client requests made by Puppet Server http-client: { # A list of acceptable protocols for making HTTP requests ssl-protocols: [ <%- @server_ssl_protocols.each do |protocol| -%> <%= protocol %>, <%- end -%> ] # A list of acceptable cipher suites for making HTTP requests cipher-suites: [ <%- @server_cipher_suites.each do |cipher| -%> <%= cipher %>, <%- end -%> ] <%- if scope.function_versioncmp([@server_puppetserver_version, '5.0']) >= 0 -%> # Whether to enable http-client metrics; defaults to 'true'. metrics-enabled: <%= @server_metrics %> <%- end -%> # The amount of time, in milliseconds, that an outbound HTTP connection # will wait for data to be available before closing the socket. If not # defined, defaults to 20 minutes. If 0, the timeout is infinite and if # negative, the value is undefined by the application and governed by the # system default behavior. idle-timeout-milliseconds: <%= @server_idle_timeout %> # The amount of time, in milliseconds, that an outbound HTTP connection will # wait to connect before giving up. Defaults to 2 minutes if not set. If 0, # the timeout is infinite and if negative, the value is undefined in the # application and governed by the system default behavior. 
connect-timeout-milliseconds: <%= @server_connect_timeout %> } # settings related to profiling the puppet Ruby code profiler: { # enable or disable profiling for the Ruby code; enabled: <%= @server_metrics %> } -<%- if scope.function_versioncmp([@server_puppetserver_version, '2.2']) < 0 -%> - -# Settings related to the puppet-admin HTTP API -puppet-admin: { - client-whitelist: [ - <%- @server_admin_api_whitelist.each do |certname| -%> - "<%= certname %>", - <%- end -%> - ] -} -<%- end -%>
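Review bot: with the `puppet-admin` / `client-whitelist` block removed at the end of this hunk, `@server_admin_api_whitelist` is no longer referenced anywhere in this template, so please confirm the corresponding class parameter is either dropped or deprecated in the manifests, or that it is still consumed by the HOCON `auth.conf` template for the admin API rules; otherwise a whitelist an operator sets is silently ignored and the admin endpoints end up governed only by whatever `auth.conf` rules exist. The same applies to the now-unconditional `master-code-dir`, `master-run-dir`, `master-log-dir` and `use-legacy-auth-conf` settings: they are correct given the 2.2 minimum stated in the README hunk, but the comment above `use-legacy-auth-conf` still describes both the legacy and HOCON paths, so it would help to state in the README (or a comment here) which `auth.conf` now carries the former whitelist.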
