diff --git a/manifests/init.pp b/manifests/init.pp
index 5455520..63ad662 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,753 +1,757 @@ # == Class: puppet # # This class installs and configures the puppet agent. # # === Parameters: # # $version:: Specify a specific version of a package to # install. The version should be the exact # match for your distro. # You can also use certain values like 'latest'. # Note that when you specify exact versions you # should also override $server_version since # that defaults to $version. # # $manage_packages:: Should this module install packages or not. # Can also install only server packages with value # of 'server' or only agent packages with 'agent'. # # $port:: Override the port of the master we connect to. # # $listen:: Should the puppet agent listen for connections. # # $listen_to:: An array of servers allowed to initiate a puppet run. # If $listen = true one of three things will happen: # 1) if $listen_to is not empty then this array # will be used. # 2) if $listen_to is empty and $puppetmaster is # defined then only $puppetmaster will be # allowed. # 3) if $puppetmaster is not defined or empty, # $fqdn will be used. # # $pluginsync:: Enable pluginsync. # # $splay:: Switch to enable a random amount of time # to sleep before each run. # # $splaylimit:: The maximum time to delay before runs. # Defaults to being the same as the run interval. # This setting can be a time interval in seconds # (30 or 30s), minutes (30m), hours (6h), days (2d), # or years (5y). # # $runinterval:: Set up the interval (in seconds) to run # the puppet agent. # # $autosign:: If set to a boolean, autosign is enabled or disabled # for all incoming requests. Otherwise this has to be # set to the full file path of an autosign.conf file or # an autosign script. If this is set to a script, make # sure that script considers the content of autosign.conf # as otherwise Foreman functionality might be broken. # # $autosign_entries:: A list of certnames or domain name globs # whose certificate requests will automatically be signed. # Defaults to an empty Array. 
# # $autosign_mode:: mode of the autosign file/script # # $autosign_content:: If set, write the autosign file content # using the value of this parameter. # Cannot be used at the same time as autosign_entries # For example, could be a string, or # file('another_module/autosign.sh') or # template('another_module/autosign.sh.erb') # # $autosign_source:: If set, use this as the source for the autosign file, # instead of autosign_content. # # $usecacheonfailure:: Switch to enable use of cached catalog on # failure of run. # # $runmode:: Select the mode to setup the puppet agent. # # $cron_cmd:: Specify command to launch when runmode is # set 'cron'. # # $systemd_cmd:: Specify command to launch when runmode is # set 'systemd.timer'. # # $systemd_randomizeddelaysec:: Adds a random delay between 0 and this value # (in seconds) to the timer. Only relevant when # runmode is 'systemd.timer'. # # $show_diff:: Show and report changed files with diff output # # $module_repository:: Use a different puppet module repository # # $configtimeout:: How long the client should wait for the # configuration to be retrieved before # considering it a failure. # # $ca_server:: Use a different ca server. Should be either # a string with the location of the ca_server # or 'false'. # # $ca_port:: Puppet CA port # # $ca_crl_filepath:: Path to CA CRL file, dynamically resolves based on # $::server_ca status. # # $dns_alt_names:: Use additional DNS names when generating a # certificate. Defaults to an empty Array. # # $hiera_config:: The hiera configuration file. # # $syslogfacility:: Facility name to use when logging to syslog # # $use_srv_records:: Whether DNS SRV records will be used to resolve # the Puppet master # # $srv_domain:: Search domain for SRV records # # $additional_settings:: A hash of additional main settings. # # == Advanced puppet parameters # # $user:: Override the name of the puppet user. # # $group:: Override the name of the puppet group. 
# # $dir:: Override the puppet directory. # # $codedir:: Override the puppet code directory. # # $vardir:: Override the puppet var directory. # # $logdir:: Override the log directory. # # $rundir:: Override the PID directory. # # $ssldir:: Override where SSL certificates are kept. # # $sharedir:: Override the system data directory. # # $package_provider:: The provider used to install the agent. # Defaults to chocolatey on Windows # Defaults to undef elsewhere # # $package_source:: The location of the file to be used by the # agent's package resource. # Defaults to undef. If 'windows' or 'msi' are # used as the provider then this setting is # required. # # $unavailable_runmodes:: Runmodes that are not available for the # current system. This module will not try # to disable these modes. Default is [] # on Linux, ['cron', 'systemd.timer'] on # Windows and ['systemd.timer'] on other # systems. # # $auth_template:: Use a custom template for the auth # configuration. # # $use_srv_records:: Whether DNS SRV records will be used to resolve # the Puppet master # # $srv_domain:: Search domain for SRV records # # $pluginsource:: URL to retrieve Puppet plugins from during pluginsync # # $pluginfactsource:: URL to retrieve Puppet facts from during pluginsync # # $classfile:: The file in which puppet agent stores a list # of the classes associated with the retrieved # configuration. # # == puppet::agent parameters # # $agent:: Should a puppet agent be installed # # $agent_noop:: Run the agent in noop mode. # # $puppetmaster:: Hostname of your puppetmaster (server # directive in puppet.conf) # # $prerun_command:: A command which gets excuted before each Puppet run # # $postrun_command:: A command which gets excuted after each Puppet run # # $environment:: Default environment of the Puppet agent # # $agent_additional_settings:: A hash of additional agent settings. 
# Example: {stringify_facts => true} # # $client_certname:: The node's certificate name, and the unique # identifier it uses when requesting catalogs. # # $report:: Send reports to the Puppet Master # # == advanced agent parameters # # $service_name:: The name of the puppet agent service. # # $agent_restart_command:: The command which gets excuted on puppet service restart # # $client_package:: Install a custom package to provide # the puppet client # # $systemd_unit_name:: The name of the puppet systemd units. # # $remove_lock:: Remove the agent lock when running. # # $dir_owner:: Owner of the base puppet directory, used when # puppet::server is false. # # $dir_group:: Group of the base puppet directory, used when # puppet::server is false. # # == puppet::server parameters # # $server:: Should a puppet master be installed as well as the client # # $server_ip:: Bind ip address of the puppetmaster # # $server_port:: Puppet master port # # $server_ca:: Provide puppet CA # # $server_ca_crl_sync:: Sync puppet CA crl file to compile masters, Puppet CA Must be the Puppetserver # for the compile masters. Defaults to false. # # $server_crl_enable:: Turn on crl checking. Defaults to true when server_ca is true. Otherwise # Defaults to false. Note unless you are using an external CA. It is recommended # to set this to true. See $server_ca_crl_sync to enable syncing from CA Puppet Master # # $server_reports:: List of report types to include on the puppetmaster # # $server_implementation:: Puppet master implementation, either "master" (traditional # Ruby) or "puppetserver" (JVM-based) # # $server_external_nodes:: External nodes classifier executable # # $server_git_repo:: Use git repository as a source of modules # # $server_dynamic_environments:: Use $environment in the modulepath # Deprecated when $server_directory_environments is true, # set $server_environments to [] instead. 
# # $server_directory_environments:: Enable directory environments, defaulting to true # with Puppet 3.6.0 or higher # # $server_environments:: Environments to setup (creates directories). # Applies only when $server_dynamic_environments # is false # # $server_environments_owner:: The owner of the environments directory # # $server_environments_group:: The group owning the environments directory # # $server_environments_mode:: Environments directory mode. # # $server_common_modules_path:: Common modules paths (only when # $server_git_repo_path and $server_dynamic_environments # are false) # # $server_git_repo_path:: Git repository path # # $server_git_repo_mode:: Git repository mode # # $server_git_repo_group:: Git repository group # # $server_git_repo_user:: Git repository user # # $server_git_branch_map:: Git branch to puppet env mapping for the # default post receive hook # # $server_storeconfigs_backend:: Do you use storeconfigs? (note: not required) # false if you don't, "active_record" for 2.X # style db, "puppetdb" for puppetdb # # $server_certname:: The name to use when handling certificates. # # $server_strict_variables:: if set to true, it will throw parse errors # when accessing undeclared variables. # # $server_additional_settings:: A hash of additional settings. # Example: {trusted_node_data => true, ordering => 'manifest'} # # $server_puppetdb_host:: PuppetDB host # # $server_puppetdb_port:: PuppetDB port # # $server_puppetdb_swf:: PuppetDB soft_write_failure # # === Advanced server parameters: # # $server_manage_user:: Whether to manage the server user resource # # $server_user:: Name of the puppetmaster user. # # $server_group:: Name of the puppetmaster group. # # $server_dir:: Puppet configuration directory # # $server_http:: Should the puppet master listen on HTTP as well as HTTPS. # Useful for load balancer or reverse proxy scenarios. 
Note that # the HTTP puppet master denies access from all clients by default, # allowed clients must be specified with $server_http_allow. # # $server_http_port:: Puppet master HTTP port; defaults to 8139. # # $server_http_allow:: Array of allowed clients for the HTTP puppet master. Passed # to Apache's 'Allow' directive. # # $server_httpd_service:: Apache/httpd service name to notify # on configuration changes. Defaults # to 'httpd' based on the default # apache module included with foreman-installer. # # $server_passenger:: If set to true, we will configure apache with # passenger. If set to false, we will enable the # default puppetmaster service unless # service_fallback is set to false. See 'Advanced # server parameters' for more information. # Only applicable when server_implementation is "master". # # $server_service_fallback:: If passenger is not used, do we want to fallback # to using the puppetmaster service? Set to false # if you disabled passenger and you do NOT want to # use the puppetmaster service. Defaults to true. # # $server_passenger_min_instances:: The PassengerMinInstances parameter. Sets the # minimum number of application processes to run. # Defaults to the number of processors on your # system. # # $server_passenger_pre_start:: Pre-start the first passenger worker instance # process during httpd start. # # $server_passenger_ruby:: The PassengerRuby parameter. Sets the Ruby # interpreter for serving the puppetmaster # rack application. # # $server_config_version:: How to determine the configuration version. When # using git_repo, by default a git describe # approach will be installed. 
# # $server_foreman_facts:: Should foreman receive facts from puppet # # $server_foreman:: Should foreman integration be installed # # $server_foreman_url:: Foreman URL # # $server_foreman_ssl_ca:: SSL CA of the Foreman server # # $server_foreman_ssl_cert:: Client certificate for authenticating against Foreman server # # $server_foreman_ssl_key:: Key for authenticating against Foreman server # # $server_puppet_basedir:: Where is the puppet code base located # # $server_enc_api:: What version of enc script to deploy. # # $server_report_api:: What version of report processor to deploy. # # $server_request_timeout:: Timeout in node.rb script for fetching # catalog from Foreman (in seconds). # # $server_environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...) # # $server_envs_dir:: Directory that holds puppet environments # # $server_envs_target:: Indicates that $envs_dir should be # a symbolic link to this target # # $server_ca_proxy:: The actual server that handles puppet CA. # Setting this to anything non-empty causes # the apache vhost to set up a proxy for all # certificates pointing to the value. # # $server_rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and # --vardir. The default is an empty array. # # $server_jvm_java_bin:: Set the default java to use. # # $server_jvm_config:: Specify the puppetserver jvm configuration file. # # $server_jvm_min_heap_size:: Specify the minimum jvm heap space. # # $server_jvm_max_heap_size:: Specify the maximum jvm heap space. # # $server_jvm_extra_args:: Additional java options to pass through. # This can be used for Java versions prior to # Java 8 to specify the max perm space to use: # For example: '-XX:MaxPermSize=128m'. # # $server_jvm_cli_args:: Java options to use when using puppetserver # subcommands (eg puppetserver gem). # # $server_jruby_gem_home:: Where jruby gems are located for puppetserver # # $allow_any_crl_auth:: Allow any authentication for the CRL. 
This # is needed on the puppet CA to accept clients # from a the puppet CA proxy. # # $auth_allowed:: An array of authenticated nodes allowed to # access all catalog and node endpoints. # default to ['$1'] # # $server_default_manifest:: Toggle if default_manifest setting should # be added to the [main] section # # $server_default_manifest_path:: A string setting the path to the default_manifest # # $server_default_manifest_content:: A string to set the content of the default_manifest # If set to '' it will not manage the file # # $server_app_root:: Directory where the application lives. Only relevant # for the rack-based service # # $server_package:: Custom package name for puppet master # # $server_version:: Custom package version for puppet master # # $server_ssl_dir:: SSL directory # # $server_ssl_dir_manage:: Toggle if ssl_dir should be added to the [master] # configuration section. This is necessary to # disable in case CA is delegated to a separate instance # # $server_ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem" # should be created with default user and group. This is used in # the default Forman setup to reuse the key for TLS communication. # # $server_puppetserver_vardir:: The path of the puppetserver var dir # # $server_puppetserver_rundir:: The path of the puppetserver run dir # # $server_puppetserver_logdir:: The path of the puppetserver log dir # # $server_puppetserver_dir:: The path of the puppetserver config dir # # $server_puppetserver_version:: The version of puppetserver 2 installed (or being installed) # Unfortunately, different versions of puppetserver need # configuring differently. The default is derived from the # installed puppet version. Generally it's not needed to # override this but when upgrading it might be. # # $server_max_active_instances:: Max number of active jruby instances. Defaults to # processor count # # $server_max_requests_per_instance:: Max number of requests a jruby instances will handle. 
Defaults to 0 (disabled) # # $server_max_queued_requests:: The maximum number of requests that may be queued waiting to borrow a # JRuby from the pool. (Puppetserver 5.x only) # Defaults to 0 (disabled) for Puppetserver >= 5.0 # # $server_max_retry_delay:: Sets the upper limit for the random sleep set as a Retry-After header on # 503 responses returned when max-queued-requests is enabled. (Puppetserver 5.x only) # Defaults to 1800 for Puppetserver >= 5.0 # # $server_idle_timeout:: How long the server will wait for a response on an existing connection # # $server_connect_timeout:: How long the server will wait for a response to a connection attempt # # $server_ssl_protocols:: Array of SSL protocols to use. # Defaults to [ 'TLSv1.2' ] # # $server_ssl_chain_filepath:: Path to certificate chain for puppetserver # Only used when $ca is true # Defaults to "${ssl_dir}/ca/ca_crt.pem" # # $server_cipher_suites:: List of SSL ciphers to use in negotiation # Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $server_ruby_load_paths:: List of ruby paths # Defaults based on $::puppetversion # # $server_ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # +# $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef +# Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } +# # $server_admin_api_whitelist:: The whitelist of clients that # can query the puppet-admin-api endpoint # Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # # $server_ca_auth_required:: Whether client certificates are needed to access the puppet-admin api # Defaults to true # # $server_use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? 
# Defaults to false (the puppetserver will use its own conf.d/auth.conf) # # $server_check_for_updates:: Should the puppetserver phone home to check for available updates? # Defaults to true # # $server_post_hook_content:: Which template to use for git post hook # # $server_post_hook_name:: Name of a git hook # # $server_environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the # environment_classes API. # Defaults to false # # $server_allow_header_cert_info:: Enable client authentication over HTTP Headers # Defaults to false, is also activated by the $server_http setting # # $server_web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has # completed. # Defaults to 30000, using the Jetty default of 30s # # $server_puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # # $server_puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? # Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # $server_metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # # $server_metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # # $server_metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # # $server_metrics_graphite_port:: Graphite server port. Defaults to 2003 # # $server_metrics_server_id:: A server id that will be used as part of the namespace for metrics produced # Defaults to $fqdn # # $server_metrics_graphite_interval:: How often to send metrics to graphite (in seconds) # Defaults to 5 # # $server_metrics_allowed:: Specify metrics to allow in addition to those in the default list # Defaults to undef # # $server_puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? 
Defaults to true # # $server_puppetserver_trusted_agents:: Certificate names of puppet agents that are allowed to fetch *all* catalogs # Defaults to [] and all agents are only allowed to fetch their own catalogs. # # $server_compile_mode:: Used to control JRuby's "CompileMode", which may improve performance. # Defaults to undef (off). # # $server_parser:: Sets the parser to use. Valid options are 'current' or 'future'. # Defaults to 'current'. # # === Usage: # # * Simple usage: # # include puppet # # * Installing a puppetmaster # # class {'puppet': # server => true, # } # # * Advanced usage: # # class {'puppet': # agent_noop => true, # version => '2.7.20-1', # } # class puppet ( String $version = $puppet::params::version, String $user = $puppet::params::user, String $group = $puppet::params::group, Stdlib::Absolutepath $dir = $puppet::params::dir, Stdlib::Absolutepath $codedir = $puppet::params::codedir, Stdlib::Absolutepath $vardir = $puppet::params::vardir, Stdlib::Absolutepath $logdir = $puppet::params::logdir, Stdlib::Absolutepath $rundir = $puppet::params::rundir, Stdlib::Absolutepath $ssldir = $puppet::params::ssldir, Stdlib::Absolutepath $sharedir = $puppet::params::sharedir, Variant[Boolean, Enum['server', 'agent']] $manage_packages = $puppet::params::manage_packages, Optional[String] $dir_owner = $puppet::params::dir_owner, Optional[String] $dir_group = $puppet::params::dir_group, Optional[String] $package_provider = $puppet::params::package_provider, Optional[Variant[Stdlib::Absolutepath, Stdlib::HTTPUrl]] $package_source = $puppet::params::package_source, Integer[0, 65535] $port = $puppet::params::port, Boolean $listen = $puppet::params::listen, Array[String] $listen_to = $puppet::params::listen_to, Boolean $pluginsync = $puppet::params::pluginsync, Boolean $splay = $puppet::params::splay, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $splaylimit = $puppet::params::splaylimit, Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::params::autosign, 
Array[String] $autosign_entries = $puppet::params::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $puppet::params::autosign_mode, Optional[String] $autosign_content = $puppet::params::autosign_content, Optional[String] $autosign_source = $puppet::params::autosign_source, Variant[Integer[0],Pattern[/^\d+[smhdy]?$/]] $runinterval = $puppet::params::runinterval, Boolean $usecacheonfailure = $puppet::params::usecacheonfailure, Enum['cron', 'service', 'systemd.timer', 'none'] $runmode = $puppet::params::runmode, Array[Enum['cron', 'service', 'systemd.timer', 'none']] $unavailable_runmodes = $puppet::params::unavailable_runmodes, Optional[String] $cron_cmd = $puppet::params::cron_cmd, Optional[String] $systemd_cmd = $puppet::params::systemd_cmd, Integer[0] $systemd_randomizeddelaysec = $puppet::params::systemd_randomizeddelaysec, Boolean $agent_noop = $puppet::params::agent_noop, Boolean $show_diff = $puppet::params::show_diff, Optional[Stdlib::HTTPUrl] $module_repository = $puppet::params::module_repository, Optional[Integer[0]] $configtimeout = $puppet::params::configtimeout, Optional[Variant[String, Boolean]] $ca_server = $puppet::params::ca_server, Optional[Integer[0, 65535]] $ca_port = $puppet::params::ca_port, Optional[String] $ca_crl_filepath = $puppet::params::ca_crl_filepath, Optional[String] $prerun_command = $puppet::params::prerun_command, Optional[String] $postrun_command = $puppet::params::postrun_command, Array[String] $dns_alt_names = $puppet::params::dns_alt_names, Boolean $use_srv_records = $puppet::params::use_srv_records, Optional[String] $srv_domain = $puppet::params::srv_domain, String $pluginsource = $puppet::params::pluginsource, String $pluginfactsource = $puppet::params::pluginfactsource, Hash[String, Data] $additional_settings = $puppet::params::additional_settings, Hash[String, Data] $agent_additional_settings = $puppet::params::agent_additional_settings, Optional[String] $agent_restart_command = 
$puppet::params::agent_restart_command, String $classfile = $puppet::params::classfile, String $hiera_config = $puppet::params::hiera_config, String $auth_template = $puppet::params::auth_template, Boolean $allow_any_crl_auth = $puppet::params::allow_any_crl_auth, Array[String] $auth_allowed = $puppet::params::auth_allowed, Variant[String, Array[String]] $client_package = $puppet::params::client_package, Boolean $agent = $puppet::params::agent, Boolean $remove_lock = $puppet::params::remove_lock, Boolean $report = $puppet::params::report, Variant[String, Boolean] $client_certname = $puppet::params::client_certname, Optional[String] $puppetmaster = $puppet::params::puppetmaster, String $systemd_unit_name = $puppet::params::systemd_unit_name, String $service_name = $puppet::params::service_name, Optional[String] $syslogfacility = $puppet::params::syslogfacility, String $environment = $puppet::params::environment, Boolean $server = $puppet::params::server, Array[String] $server_admin_api_whitelist = $puppet::params::server_admin_api_whitelist, Boolean $server_manage_user = $puppet::params::manage_user, String $server_user = $puppet::params::user, String $server_group = $puppet::params::group, String $server_dir = $puppet::params::dir, String $server_ip = $puppet::params::ip, Integer $server_port = $puppet::params::port, Boolean $server_ca = $puppet::params::server_ca, Boolean $server_ca_crl_sync = $puppet::params::server_ca_crl_sync, Optional[Boolean] $server_crl_enable = $puppet::params::server_crl_enable, Boolean $server_ca_auth_required = $puppet::params::server_ca_auth_required, Array[String] $server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist, + Optional[Puppet::Custom_trusted_oid_mapping] $server_custom_trusted_oid_mapping = $puppet::params::server_custom_trusted_oid_mapping, Boolean $server_http = $puppet::params::server_http, Integer $server_http_port = $puppet::params::server_http_port, Array[String] $server_http_allow = 
$puppet::params::server_http_allow, String $server_reports = $puppet::params::server_reports, Enum['master', 'puppetserver'] $server_implementation = $puppet::params::server_implementation, Boolean $server_passenger = $puppet::params::server_passenger, Optional[Stdlib::Absolutepath] $server_puppetserver_dir = $puppet::params::server_puppetserver_dir, Optional[Stdlib::Absolutepath] $server_puppetserver_vardir = $puppet::params::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $server_puppetserver_rundir = $puppet::params::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $server_puppetserver_logdir = $puppet::params::server_puppetserver_logdir, Pattern[/^[\d]\.[\d]+\.[\d]+$/] $server_puppetserver_version = $puppet::params::server_puppetserver_version, Boolean $server_service_fallback = $puppet::params::server_service_fallback, Integer[0] $server_passenger_min_instances = $puppet::params::server_passenger_min_instances, Boolean $server_passenger_pre_start = $puppet::params::server_passenger_pre_start, Optional[String] $server_passenger_ruby = $puppet::params::server_passenger_ruby, String $server_httpd_service = $puppet::params::server_httpd_service, Variant[Undef, String[0], Stdlib::Absolutepath] $server_external_nodes = $puppet::params::server_external_nodes, Array[String] $server_cipher_suites = $puppet::params::server_cipher_suites, Optional[String] $server_config_version = $puppet::params::server_config_version, Integer[0] $server_connect_timeout = $puppet::params::server_connect_timeout, Boolean $server_git_repo = $puppet::params::server_git_repo, Boolean $server_dynamic_environments = $puppet::params::server_dynamic_environments, Boolean $server_directory_environments = $puppet::params::server_directory_environments, Boolean $server_default_manifest = $puppet::params::server_default_manifest, Stdlib::Absolutepath $server_default_manifest_path = $puppet::params::server_default_manifest_path, String $server_default_manifest_content = 
$puppet::params::server_default_manifest_content, Array[String] $server_environments = $puppet::params::server_environments, String $server_environments_owner = $puppet::params::server_environments_owner, Optional[String] $server_environments_group = $puppet::params::server_environments_group, Pattern[/^[0-9]{3,4}$/] $server_environments_mode = $puppet::params::server_environments_mode, Stdlib::Absolutepath $server_envs_dir = $puppet::params::server_envs_dir, Optional[Stdlib::Absolutepath] $server_envs_target = $puppet::params::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $server_common_modules_path = $puppet::params::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $server_git_repo_mode = $puppet::params::server_git_repo_mode, Stdlib::Absolutepath $server_git_repo_path = $puppet::params::server_git_repo_path, String $server_git_repo_group = $puppet::params::server_git_repo_group, String $server_git_repo_user = $puppet::params::server_git_repo_user, Hash[String, String] $server_git_branch_map = $puppet::params::server_git_branch_map, Integer[0] $server_idle_timeout = $puppet::params::server_idle_timeout, String $server_post_hook_content = $puppet::params::server_post_hook_content, String $server_post_hook_name = $puppet::params::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $server_storeconfigs_backend = $puppet::params::server_storeconfigs_backend, Stdlib::Absolutepath $server_app_root = $puppet::params::server_app_root, Array[Stdlib::Absolutepath] $server_ruby_load_paths = $puppet::params::server_ruby_load_paths, Stdlib::Absolutepath $server_ssl_dir = $puppet::params::server_ssl_dir, Boolean $server_ssl_dir_manage = $puppet::params::server_ssl_dir_manage, Boolean $server_ssl_key_manage = $puppet::params::server_ssl_key_manage, Array[String] $server_ssl_protocols = $puppet::params::server_ssl_protocols, Optional[Stdlib::Absolutepath] $server_ssl_chain_filepath = 
$puppet::params::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $server_package = $puppet::params::server_package, Optional[String] $server_version = $puppet::params::server_version, String $server_certname = $puppet::params::server_certname, Enum['v2'] $server_enc_api = $puppet::params::server_enc_api, Enum['v2'] $server_report_api = $puppet::params::server_report_api, Integer[0] $server_request_timeout = $puppet::params::server_request_timeout, Optional[String] $server_ca_proxy = $puppet::params::server_ca_proxy, Boolean $server_strict_variables = $puppet::params::server_strict_variables, Hash[String, Data] $server_additional_settings = $puppet::params::server_additional_settings, Array[String] $server_rack_arguments = $puppet::params::server_rack_arguments, Boolean $server_foreman = $puppet::params::server_foreman, Stdlib::HTTPUrl $server_foreman_url = $puppet::params::server_foreman_url, Optional[Stdlib::Absolutepath] $server_foreman_ssl_ca = $puppet::params::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $server_foreman_ssl_cert = $puppet::params::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $server_foreman_ssl_key = $puppet::params::server_foreman_ssl_key, Boolean $server_foreman_facts = $puppet::params::server_foreman_facts, Optional[Stdlib::Absolutepath] $server_puppet_basedir = $puppet::params::server_puppet_basedir, Optional[String] $server_puppetdb_host = $puppet::params::server_puppetdb_host, Integer[0, 65535] $server_puppetdb_port = $puppet::params::server_puppetdb_port, Boolean $server_puppetdb_swf = $puppet::params::server_puppetdb_swf, Enum['current', 'future'] $server_parser = $puppet::params::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $server_environment_timeout = $puppet::params::server_environment_timeout, String $server_jvm_java_bin = $puppet::params::server_jvm_java_bin, String $server_jvm_config = $puppet::params::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] 
$server_jvm_min_heap_size = $puppet::params::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $server_jvm_max_heap_size = $puppet::params::server_jvm_max_heap_size, Variant[String,Array[String]] $server_jvm_extra_args = $puppet::params::server_jvm_extra_args, Optional[String] $server_jvm_cli_args = $puppet::params::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $server_jruby_gem_home = $puppet::params::server_jruby_gem_home, Integer[1] $server_max_active_instances = $puppet::params::server_max_active_instances, Integer[0] $server_max_requests_per_instance = $puppet::params::server_max_requests_per_instance, Integer[0] $server_max_queued_requests = $puppet::params::server_max_queued_requests, Integer[0] $server_max_retry_delay = $puppet::params::server_max_retry_delay, Boolean $server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf, Boolean $server_check_for_updates = $puppet::params::server_check_for_updates, Boolean $server_environment_class_cache_enabled = $puppet::params::server_environment_class_cache_enabled, Boolean $server_allow_header_cert_info = $puppet::params::server_allow_header_cert_info, Integer[0] $server_web_idle_timeout = $puppet::params::server_web_idle_timeout, Boolean $server_puppetserver_jruby9k = $puppet::params::server_puppetserver_jruby9k, Boolean $server_puppetserver_metrics = $puppet::params::server_puppetserver_metrics, Boolean $server_metrics_jmx_enable = $::puppet::params::server_metrics_jmx_enable, Boolean $server_metrics_graphite_enable = $::puppet::params::server_metrics_graphite_enable, String $server_metrics_graphite_host = $::puppet::params::server_metrics_graphite_host, Integer $server_metrics_graphite_port = $::puppet::params::server_metrics_graphite_port, String $server_metrics_server_id = $::puppet::params::server_metrics_server_id, Integer $server_metrics_graphite_interval = $::puppet::params::server_metrics_graphite_interval, Optional[Array] $server_metrics_allowed = 
$::puppet::params::server_metrics_allowed, Boolean $server_puppetserver_experimental = $puppet::params::server_puppetserver_experimental, Array[String] $server_puppetserver_trusted_agents = $puppet::params::server_puppetserver_trusted_agents, Optional[Enum['off', 'jit', 'force']] $server_compile_mode = $puppet::params::server_compile_mode, ) inherits puppet::params { include ::puppet::config Class['puppet::config'] -> Class['puppet'] if $agent == true { include ::puppet::agent Class['puppet::agent'] -> Class['puppet'] } if $server == true { include ::puppet::server Class['puppet::server'] -> Class['puppet'] } # Ensure the server is running before the agent needs it, and that # certificates are generated in the server config (if enabled) if $server == true and $agent == true { Class['puppet::server'] -> Class['puppet::agent::service'] } } diff --git a/manifests/params.pp b/manifests/params.pp index 7accccc..5c06a22 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
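Review bot: The example in the new `$server_custom_trusted_oid_mapping` header comment uses an unquoted dotted OID as a hash key, which is not valid Puppet hash syntax, so anyone copying it into a class declaration gets a parse error; quote the key: `# Example: { '1.3.6.1.4.1.34380.1.2.1.1' => { shortname => 'myshortname' } }`. Because this mapping names certificate extensions that Puppet then exposes as `$trusted['extensions']`, and those values are commonly consulted for authorization, the comment should also say what the hash means rather than only showing a shape, e.g. `# Keys are OIDs of custom extensions carried in agent certificates; each value gives the name(s) under which the extension is exposed as a trusted fact` and note that only extensions present in a certificate the CA actually signed are mapped, so the autosign policy decides how much the values can be trusted. The new parameter's type `Puppet::Custom_trusted_oid_mapping` is not defined in this hunk and is presumably a type alias added elsewhere in the commit; if so, a one-line pointer to it in the doc comment would help readers find the accepted structure.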
@@ -1,479 +1,480 @@ # Default parameters class puppet::params { # Basic config $version = 'present' $manage_user = true $user = 'puppet' $group = 'puppet' $ip = '0.0.0.0' $port = 8140 $listen = false $listen_to = [] $pluginsync = true $splay = false $splaylimit = 1800 $runinterval = 1800 $runmode = 'service' $report = true # Not defined here as the commands depend on module parameter "dir" $cron_cmd = undef $systemd_cmd = undef $agent_noop = false $show_diff = false $module_repository = undef $hiera_config = '$confdir/hiera.yaml' $usecacheonfailure = true $ca_server = undef $ca_port = undef $ca_crl_filepath = undef $server_crl_enable = undef $prerun_command = undef $postrun_command = undef $server_compile_mode = undef $dns_alt_names = [] $use_srv_records = false if defined('$::domain') { $srv_domain = $::domain } else { $srv_domain = undef } # lint:ignore:puppet_url_without_modules $pluginsource = 'puppet:///plugins' $pluginfactsource = 'puppet:///pluginfacts' # lint:endignore $classfile = '$statedir/classes.txt' $syslogfacility = undef $environment = $::environment $aio_package = ($::osfamily == 'Windows' or $::rubysitedir =~ /\/opt\/puppetlabs\/puppet/) $deb_naio_package = ($::osfamily == 'Debian') $systemd_randomizeddelaysec = 0 case $::osfamily { 'Windows' : { # Windows prefixes normal paths with the Data Directory's path and leaves 'puppet' off the end $dir_prefix = 'C:/ProgramData/PuppetLabs/puppet' $dir = "${dir_prefix}/etc" $codedir = "${dir_prefix}/etc" $logdir = "${dir_prefix}/var/log" $rundir = "${dir_prefix}/var/run" $ssldir = "${dir_prefix}/etc/ssl" $vardir = "${dir_prefix}/var" $sharedir = "${dir_prefix}/share" $bindir = "${dir_prefix}/bin" $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } /^(FreeBSD|DragonFly)$/ : { $dir = '/usr/local/etc/puppet' $codedir = '/usr/local/etc/puppet' 
$logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/puppet/ssl' $vardir = '/var/puppet' $sharedir = '/usr/local/share/puppet' $bindir = '/usr/local/bin' $root_group = undef $server_puppetserver_dir = '/usr/local/etc/puppetserver' $server_puppetserver_vardir = '/var/puppet/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetserver' $server_puppetserver_logdir = '/var/log/puppetserver' $ruby_gem_dir = regsubst($::rubyversion, '^(\d+\.\d+).*$', '/usr/local/lib/ruby/gems/\1/gems') $server_ruby_load_paths = [$::rubysitedir, "${ruby_gem_dir}/facter-${::facterversion}/lib"] $server_jruby_gem_home = '/var/puppet/server/data/puppetserver/jruby-gems' } 'Archlinux' : { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/usr/bin' $root_group = undef $server_puppetserver_dir = undef $server_puppetserver_vardir = undef $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = undef } default : { if $aio_package { $dir = '/etc/puppetlabs/puppet' $codedir = '/etc/puppetlabs/code' $logdir = '/var/log/puppetlabs/puppet' $rundir = '/var/run/puppetlabs' $ssldir = '/etc/puppetlabs/puppet/ssl' $vardir = '/opt/puppetlabs/puppet/cache' $sharedir = '/opt/puppetlabs/puppet' $bindir = '/opt/puppetlabs/bin' $server_puppetserver_dir = '/etc/puppetlabs/puppetserver' $server_puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' $server_puppetserver_rundir = '/var/run/puppetlabs/puppetserver' $server_puppetserver_logdir = '/var/log/puppetlabs/puppetserver' $server_ruby_load_paths = ['/opt/puppetlabs/puppet/lib/ruby/vendor_ruby'] $server_jruby_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems' } else { $dir = '/etc/puppet' $codedir = $deb_naio_package ? 
{ true => '/etc/puppet/code', false => '/etc/puppet', } $logdir = '/var/log/puppet' $rundir = '/var/run/puppet' $ssldir = '/var/lib/puppet/ssl' $vardir = '/var/lib/puppet' $sharedir = '/usr/share/puppet' $bindir = '/usr/bin' $server_puppetserver_dir = '/etc/puppetserver' $server_puppetserver_vardir = $vardir $server_puppetserver_rundir = undef $server_puppetserver_logdir = undef $server_ruby_load_paths = [] $server_jruby_gem_home = '/var/lib/puppet/jruby-gems' } $root_group = undef } } $configtimeout = undef $autosign = "${dir}/autosign.conf" $autosign_entries = [] $autosign_mode = '0664' $autosign_content = undef $autosign_source = undef $puppet_cmd = "${bindir}/puppet" $manage_packages = true if $::osfamily == 'Windows' { $dir_owner = undef $dir_group = undef } elsif $aio_package or $::osfamily == 'Suse' { $dir_owner = 'root' $dir_group = $root_group } else { $dir_owner = $user $dir_group = $group } $package_provider = $::osfamily ? { 'windows' => 'chocolatey', default => undef, } $package_source = undef # Need your own config templates? Specify here: $auth_template = 'puppet/auth.conf.erb' # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false # Authenticated nodes to allow $auth_allowed = ['$1'] # Will this host be a puppet agent ? $agent = true $remove_lock = true $client_certname = $::clientcert if defined('$::puppetmaster') { $puppetmaster = $::puppetmaster } else { $puppetmaster = undef } # Hashes containing additional settings $additional_settings = {} $agent_additional_settings = {} $server_additional_settings = {} # Will this host be a puppetmaster? 
$server = false $server_ca = true $server_ca_crl_sync = false $server_reports = 'foreman' $server_passenger = true $server_service_fallback = true $server_passenger_min_instances = abs($::processorcount) $server_passenger_pre_start = true $server_passenger_ruby = undef $server_httpd_service = 'httpd' $server_external_nodes = "${dir}/node.rb" $server_enc_api = 'v2' $server_report_api = 'v2' $server_request_timeout = 60 $server_ca_proxy = undef $server_certname = $::clientcert $server_strict_variables = false $server_rack_arguments = [] $server_http = false $server_http_port = 8139 $server_http_allow = [] # use puppetserver (JVM) or puppet master (Ruby)? $server_implementation = $aio_package ? { true => 'puppetserver', default => 'master', } # Need a new master template for the server? $server_template = 'puppet/server/puppet.conf.erb' # Template for server settings in [main] $server_main_template = 'puppet/server/puppet.conf.main.erb' # The script that is run to determine the reported manifest version. Undef # means we determine it in server.pp $server_config_version = undef # Set 'false' for static environments, or 'true' for git-based workflow $server_git_repo = false # Git branch to puppet env mapping for the post receive hook $server_git_branch_map = {} # Static environments config, ignore if the git_repo or dynamic_environments is 'true' # What environments do we have $server_environments = ['development', 'production'] # Dynamic environments config (deprecated when directory_environments is true) $server_dynamic_environments = false # Directory environments config $server_directory_environments = true # Owner of the environments dir: for cases external service needs write # access to manage it. 
$server_environments_owner = $user $server_environments_group = $root_group $server_environments_mode = '0755' # Where we store our puppet environments $server_envs_dir = "${codedir}/environments" $server_envs_target = undef # Modules in this directory would be shared across all environments $server_common_modules_path = unique(["${server_envs_dir}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules']) # Dynamic environments config, ignore if the git_repo is 'false' # Path to the repository $server_git_repo_path = "${vardir}/puppet.git" # mode of the repository $server_git_repo_mode = '0755' # user of the repository $server_git_repo_user = $user # group of the repository $server_git_repo_group = $user # Override these if you need your own hooks $server_post_hook_content = 'puppet/server/post-receive.erb' $server_post_hook_name = 'post-receive' + $server_custom_trusted_oid_mapping = undef # PuppetDB config $server_puppetdb_host = undef $server_puppetdb_port = 8081 $server_puppetdb_swf = false # Do you use storeconfigs? (note: not required) # - undef if you don't # - active_record for 2.X style db # - puppetdb for puppetdb $server_storeconfigs_backend = undef # Passenger config $server_app_root = "${dir}/rack" $server_ssl_dir = $ssldir $server_package = undef $server_version = undef if $aio_package { $client_package = ['puppet-agent'] } elsif $::osfamily == 'Debian' { $client_package = $deb_naio_package ? 
{ true => ['puppet'], default => ['puppet-common', 'puppet'] } } elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) { if (versioncmp($::puppetversion, '5.0') > 0) { $client_package = ['puppet5'] } else { $client_package = ['puppet4'] } } else { $client_package = ['puppet'] } $puppetrun_cmd = "${puppet_cmd} kick" $puppetca_cmd = "${puppet_cmd} cert" # Puppet service name $service_name = 'puppet' # Puppet onedshot systemd service and timer name $systemd_unit_name = 'puppet-run' # Mechanisms to manage and reload/restart the agent # If supported on the OS, reloading is prefered since it does not kill a currently active puppet run case $::osfamily { 'Debian' : { $agent_restart_command = "/usr/sbin/service ${service_name} reload" if ($::operatingsystem == 'Debian' or $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '15.04') >= 0) { $unavailable_runmodes = [] } else { $unavailable_runmodes = ['systemd.timer'] } } 'Redhat' : { # PSBM is a CentOS 6 based distribution # it reports its $osreleasemajor as 2, not 6. # thats why we're matching for '2' in both parts # Amazon Linux is like RHEL6 but reports its osreleasemajor as 2017. $osreleasemajor = regsubst($::operatingsystemrelease, '^(\d+)\..*$', '\1') # workaround for the possibly missing operatingsystemmajrelease $agent_restart_command = $osreleasemajor ? { /^(2|5|6|2017)$/ => "/sbin/service ${service_name} reload", '7' => "/usr/bin/systemctl reload-or-restart ${service_name}", default => undef, } $unavailable_runmodes = $osreleasemajor ? 
{ /^(2|5|6|2017)$/ => ['systemd.timer'], default => [], } } 'Windows': { $agent_restart_command = undef $unavailable_runmodes = ['cron', 'systemd.timer'] } 'Archlinux': { $agent_restart_command = "/usr/bin/systemctl reload-or-restart ${service_name}" $unavailable_runmodes = ['cron'] } default : { $agent_restart_command = undef $unavailable_runmodes = ['systemd.timer'] } } # Foreman parameters $lower_fqdn = downcase($::fqdn) $server_foreman = true $server_foreman_facts = true $server_puppet_basedir = $aio_package ? { true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet', false => undef, } $server_foreman_url = "https://${lower_fqdn}" $server_foreman_ssl_ca = undef $server_foreman_ssl_cert = undef $server_foreman_ssl_key = undef # Which Parser do we want to use? https://docs.puppetlabs.com/references/latest/configuration.html#parser $server_parser = 'current' # Timeout for cached environments, changed in puppet 3.7.x $server_environment_timeout = undef # puppet server configuration file $server_jvm_config = $::osfamily ? { 'RedHat' => '/etc/sysconfig/puppetserver', 'Debian' => '/etc/default/puppetserver', default => '/etc/default/puppetserver', } $server_jvm_java_bin = '/usr/bin/java' if versioncmp($::puppetversion, '5.0.0') < 0 { $server_jvm_extra_args = '-XX:MaxPermSize=256m' } else { $server_jvm_extra_args = '-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger' } $server_jvm_cli_args = undef # This is some very trivial "tuning". 
See the puppet reference: # https://docs.puppet.com/puppetserver/latest/tuning_guide.html if ($::memorysize_mb =~ String) { $mem_in_mb = scanf($::memorysize_mb, '%i')[0] } else { $mem_in_mb = 0 + $::memorysize_mb } if $mem_in_mb >= 3072 { $server_jvm_min_heap_size = '2G' $server_jvm_max_heap_size = '2G' $server_max_active_instances = min(abs($::processorcount), 4) } elsif $mem_in_mb >= 1024 { $server_max_active_instances = 1 $server_jvm_min_heap_size = '1G' $server_jvm_max_heap_size = '1G' } else { # VMs with 1GB RAM and a crash kernel enabled usually have an effective 992MB RAM $server_max_active_instances = 1 $server_jvm_min_heap_size = '768m' $server_jvm_max_heap_size = '768m' } $server_ssl_dir_manage = true $server_ssl_key_manage = true $server_default_manifest = false $server_default_manifest_path = '/etc/puppet/manifests/default_manifest.pp' $server_default_manifest_content = '' # lint:ignore:empty_string_assignment $server_max_requests_per_instance = 0 $server_max_queued_requests = 0 $server_max_retry_delay = 1800 $server_idle_timeout = 1200000 $server_web_idle_timeout = 30000 $server_connect_timeout = 120000 $server_ca_auth_required = true $server_admin_api_whitelist = [ 'localhost', $lower_fqdn ] $server_ca_client_whitelist = [ 'localhost', $lower_fqdn ] $server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA' ] $server_ssl_protocols = [ 'TLSv1.2' ] $server_ssl_chain_filepath = "${server_ssl_dir}/ca/ca_crt.pem" $server_check_for_updates = true $server_environment_class_cache_enabled = false $server_allow_header_cert_info = false # Puppetserver >= 2.2 Which auth.conf shall we use? $server_use_legacy_auth_conf = false # For Puppetserver, certain configuration parameters are version specific. We assume a particular version here. 
if versioncmp($::puppetversion, '5.1.0') >= 0 { $server_puppetserver_version = '5.1.0' } elsif versioncmp($::puppetversion, '5.0.0') >= 0 { $server_puppetserver_version = '5.0.0' } else { $server_puppetserver_version = '2.7.0' } # For Puppetserver 5, use JRuby 9k? $server_puppetserver_jruby9k = false # this switch also controls Ruby profiling, by default disabled for Puppetserver 2.x, enabled for 5.x $server_puppetserver_metrics = versioncmp($::puppetversion, '5.0.0') >= 0 # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false $server_metrics_graphite_host = '127.0.0.1' $server_metrics_graphite_port = 2003 $server_metrics_server_id = $lower_fqdn $server_metrics_graphite_interval = 5 $server_metrics_allowed = undef # For Puppetserver 5, should the /puppet/experimental route be enabled? $server_puppetserver_experimental = true # Normally agents can only fetch their own catalogs. If you want some nodes to be able to fetch *any* catalog, add them here. $server_puppetserver_trusted_agents = [] }
diff --git a/manifests/server.pp b/manifests/server.pp
index 8e82ed5..242c370 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
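Review bot: The added default `$server_custom_trusted_oid_mapping = undef` is the only setting in this stretch of params.pp without an explanatory comment, and it sits between the git post-receive hook defaults and the PuppetDB block rather than with the other puppetserver settings near `$server_puppetserver_version`. The short names such a mapping defines presumably surface in `$trusted['extensions']` (Puppet's trusted_oid_mapping_file), where manifests and auth rules may key access decisions on them, so a comment such as `# Short names for custom certificate-extension OIDs (custom trusted OID mapping); undef presumably configures no mapping — confirm in server.pp` would tell the next reader what the value controls. Nothing visible here constrains the value to the hash shape server.pp's doc describes, so an `Optional[Hash]` type on the server.pp parameter is worth confirming. That doc example also writes the OID key unquoted, `1.3.6.1.4.1.34380.1.2.1.1 =>`, which is not valid Puppet hash-key syntax; it should read `'1.3.6.1.4.1.34380.1.2.1.1' => { shortname => 'myshortname' }`.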
@@ -1,509 +1,513 @@
 # == Class: puppet::server
 #
 # Sets up a puppet master.
 #
 # == puppet::server parameters
 #
-# $autosign:: If set to a boolean, autosign is enabled or disabled
-# for all incoming requests. Otherwise this has to be
-# set to the full file path of an autosign.conf file or
-# an autosign script. If this is set to a script, make
-# sure that script considers the content of autosign.conf
-# as otherwise Foreman functionality might be broken.
+# $autosign:: If set to a boolean, autosign is enabled or disabled
+# for all incoming requests. Otherwise this has to be
+# set to the full file path of an autosign.conf file or
+# an autosign script. If this is set to a script, make
+# sure that script considers the content of autosign.conf
+# as otherwise Foreman functionality might be broken.
 #
-# $autosign_entries:: A list of certnames or domain name globs
-# whose certificate requests will automatically be signed.
-# Defaults to an empty Array.
+# $autosign_entries:: A list of certnames or domain name globs
+# whose certificate requests will automatically be signed.
+# Defaults to an empty Array.
 #
-# $autosign_mode:: mode of the autosign file/script
+# $autosign_mode:: mode of the autosign file/script
 #
-# $autosign_content:: If set, write the autosign file content
-# using the value of this parameter.
-# Cannot be used at the same time as autosign_entries
-# For example, could be a string, or
-# file('another_module/autosign.sh') or
-# template('another_module/autosign.sh.erb')
+# $autosign_content:: If set, write the autosign file content
+# using the value of this parameter.
+# Cannot be used at the same time as autosign_entries
+# For example, could be a string, or
+# file('another_module/autosign.sh') or
+# template('another_module/autosign.sh.erb')
 #
-# $autosign_source:: If set, use this as the source for the autosign file,
-# instead of autosign_content.
+# $autosign_source:: If set, use this as the source for the autosign file,
+# instead of autosign_content.
 #
-# $hiera_config:: The hiera configuration file.
+# $hiera_config:: The hiera configuration file.
 #
-# $manage_user:: Whether to manage the puppet user resource
+# $manage_user:: Whether to manage the puppet user resource
 #
-# $user:: Name of the puppetmaster user.
+# $user:: Name of the puppetmaster user.
 #
-# $group:: Name of the puppetmaster group.
+# $group:: Name of the puppetmaster group.
 #
-# $dir:: Puppet configuration directory
+# $dir:: Puppet configuration directory
 #
-# $ip:: Bind ip address of the puppetmaster
+# $ip:: Bind ip address of the puppetmaster
 #
-# $port:: Puppet master port
+# $port:: Puppet master port
 #
-# $ca:: Provide puppet CA
+# $ca:: Provide puppet CA
 #
-# $ca_crl_filepath:: Path to ca_crl file
+# $ca_crl_filepath:: Path to ca_crl file
 #
-# $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to
-# be agents of the CA master (MOM) defaults to false
+# $ca_crl_sync:: Sync the puppet ca crl to compile masters. Requires compile masters to
+# be agents of the CA master (MOM) defaults to false
 #
-# $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults
-# to false
+# $crl_enable:: Enable CRL processing, defaults to true when $ca is true else defaults
+# to false
 #
-# $http:: Should the puppet master listen on HTTP as well as HTTPS.
-# Useful for load balancer or reverse proxy scenarios. Note that
-# the HTTP puppet master denies access from all clients by default,
-# allowed clients must be specified with $http_allow.
+# $http:: Should the puppet master listen on HTTP as well as HTTPS.
+# Useful for load balancer or reverse proxy scenarios. Note that
+# the HTTP puppet master denies access from all clients by default,
+# allowed clients must be specified with $http_allow.
 #
-# $http_port:: Puppet master HTTP port; defaults to 8139.
+# $http_port:: Puppet master HTTP port; defaults to 8139.
 #
-# $http_allow:: Array of allowed clients for the HTTP puppet master. Passed
-# to Apache's 'Allow' directive.
+# $http_allow:: Array of allowed clients for the HTTP puppet master. Passed
+# to Apache's 'Allow' directive.
 #
-# $reports:: List of report types to include on the puppetmaster
+# $reports:: List of report types to include on the puppetmaster
 #
-# $implementation:: Puppet master implementation, either "master" (traditional
-# Ruby) or "puppetserver" (JVM-based)
+# $implementation:: Puppet master implementation, either "master" (traditional
+# Ruby) or "puppetserver" (JVM-based)
 #
-# $passenger:: If set to true, we will configure apache with
-# passenger. If set to false, we will enable the
-# default puppetmaster service unless
-# service_fallback is set to false. See 'Advanced
-# server parameters' for more information.
-# Only applicable when server_implementation is "master".
+# $passenger:: If set to true, we will configure apache with
+# passenger. If set to false, we will enable the
+# default puppetmaster service unless
+# service_fallback is set to false. See 'Advanced
+# server parameters' for more information.
+# Only applicable when server_implementation is "master".
 #
-# $external_nodes:: External nodes classifier executable
+# $external_nodes:: External nodes classifier executable
 #
-# $git_repo:: Use git repository as a source of modules
+# $git_repo:: Use git repository as a source of modules
 #
-# $dynamic_environments:: Use $environment in the modulepath
-# Deprecated when $directory_environments is true,
-# set $environments to [] instead.
+# $dynamic_environments:: Use $environment in the modulepath
+# Deprecated when $directory_environments is true,
+# set $environments to [] instead.
#
-# $directory_environments:: Enable directory environments, defaulting to true
-# with Puppet 3.6.0 or higher
+# $directory_environments:: Enable directory environments, defaulting to true
+# with Puppet 3.6.0 or higher
 #
-# $environments:: Environments to setup (creates directories).
-# Applies only when $dynamic_environments
-# is false
+# $environments:: Environments to setup (creates directories).
+# Applies only when $dynamic_environments
+# is false
 #
-# $environments_owner:: The owner of the environments directory
+# $environments_owner:: The owner of the environments directory
 #
-# $environments_group:: The group owning the environments directory
+# $environments_group:: The group owning the environments directory
 #
-# $environments_mode:: Environments directory mode.
+# $environments_mode:: Environments directory mode.
 #
-# $envs_dir:: Directory that holds puppet environments
+# $envs_dir:: Directory that holds puppet environments
 #
-# $envs_target:: Indicates that $envs_dir should be
-# a symbolic link to this target
+# $envs_target:: Indicates that $envs_dir should be
+# a symbolic link to this target
 #
-# $common_modules_path:: Common modules paths (only when
-# $git_repo_path and $dynamic_environments
-# are false)
+# $common_modules_path:: Common modules paths (only when
+# $git_repo_path and $dynamic_environments
+# are false)
 #
-# $git_repo_path:: Git repository path
+# $git_repo_path:: Git repository path
 #
-# $git_repo_mode:: Git repository mode
+# $git_repo_mode:: Git repository mode
 #
-# $git_repo_group:: Git repository group
+# $git_repo_group:: Git repository group
 #
-# $git_repo_user:: Git repository user
+# $git_repo_user:: Git repository user
 #
-# $git_branch_map:: Git branch to puppet env mapping for the
-# default post receive hook
+# $git_branch_map:: Git branch to puppet env mapping for the
+# default post receive hook
 #
-# $post_hook_content:: Which template to use for git post hook
+# $post_hook_content:: Which template to use for
git post hook
 #
-# $post_hook_name:: Name of a git hook
+# $post_hook_name:: Name of a git hook
 #
-# $storeconfigs_backend:: Do you use storeconfigs? (note: not required)
-# false if you don't, "active_record" for 2.X
-# style db, "puppetdb" for puppetdb
+# $storeconfigs_backend:: Do you use storeconfigs? (note: not required)
+# false if you don't, "active_record" for 2.X
+# style db, "puppetdb" for puppetdb
 #
-# $app_root:: Directory where the application lives
+# $app_root:: Directory where the application lives
 #
-# $ssl_dir:: SSL directory
+# $ssl_dir:: SSL directory
 #
-# $package:: Custom package name for puppet master
+# $package:: Custom package name for puppet master
 #
-# $version:: Custom package version for puppet master
+# $version:: Custom package version for puppet master
 #
-# $certname:: The name to use when handling certificates.
+# $certname:: The name to use when handling certificates.
 #
-# $strict_variables:: if set to true, it will throw parse errors
-# when accessing undeclared variables.
+# $strict_variables:: if set to true, it will throw parse errors
+# when accessing undeclared variables.
 #
-# $additional_settings:: A hash of additional settings.
-# Example: {trusted_node_data => true, ordering => 'manifest'}
+# $additional_settings:: A hash of additional settings.
+# Example: {trusted_node_data => true, ordering => 'manifest'}
 #
-# $rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and
-# --vardir. The default is an empty array.
+# $rack_arguments:: Arguments passed to rack app ARGV in addition to --confdir and
+# --vardir. The default is an empty array.
 #
-# $puppetdb_host:: PuppetDB host
+# $puppetdb_host:: PuppetDB host
 #
-# $puppetdb_port:: PuppetDB port
+# $puppetdb_port:: PuppetDB port
 #
-# $puppetdb_swf:: PuppetDB soft_write_failure
+# $puppetdb_swf:: PuppetDB soft_write_failure
 #
-# $parser:: Sets the parser to use. Valid options are 'current' or 'future'.
-# Defaults to 'current'.
+# $parser:: Sets the parser to use. Valid options are 'current' or 'future'.
+# Defaults to 'current'.
 #
 # === Advanced server parameters:
 #
-# $httpd_service:: Apache/httpd service name to notify
-# on configuration changes. Defaults
-# to 'httpd' based on the default
-# apache module included with foreman-installer.
+# $httpd_service:: Apache/httpd service name to notify
+# on configuration changes. Defaults
+# to 'httpd' based on the default
+# apache module included with foreman-installer.
 #
-# $service_fallback:: If passenger is not used, do we want to fallback
-# to using the puppetmaster service? Set to false
-# if you disabled passenger and you do NOT want to
-# use the puppetmaster service. Defaults to true.
+# $service_fallback:: If passenger is not used, do we want to fallback
+# to using the puppetmaster service? Set to false
+# if you disabled passenger and you do NOT want to
+# use the puppetmaster service. Defaults to true.
 #
-# $passenger_min_instances:: The PassengerMinInstances parameter. Sets the
-# minimum number of application processes to run.
-# Defaults to the number of processors on your
-# system.
+# $passenger_min_instances:: The PassengerMinInstances parameter. Sets the
+# minimum number of application processes to run.
+# Defaults to the number of processors on your
+# system.
 #
-# $passenger_pre_start:: Pre-start the first passenger worker instance
-# process during httpd start.
+# $passenger_pre_start:: Pre-start the first passenger worker instance
+# process during httpd start.
 #
-# $passenger_ruby:: The PassengerRuby parameter. Sets the Ruby
-# interpreter for serving the puppetmaster rack
-# application.
+# $passenger_ruby:: The PassengerRuby parameter. Sets the Ruby
+# interpreter for serving the puppetmaster rack
+# application.
 #
-# $config_version:: How to determine the configuration version. When
-# using git_repo, by default a git describe
-# approach will be installed.
+# $config_version:: How to determine the configuration version. When
+# using git_repo, by default a git describe
+# approach will be installed.
 #
-# $server_foreman_facts:: Should foreman receive facts from puppet
+# $server_foreman_facts:: Should foreman receive facts from puppet
 #
-# $foreman:: Should foreman integration be installed
+# $foreman:: Should foreman integration be installed
 #
-# $foreman_url:: Foreman URL
+# $foreman_url:: Foreman URL
 #
-# $foreman_ssl_ca:: SSL CA of the Foreman server
+# $foreman_ssl_ca:: SSL CA of the Foreman server
 #
-# $foreman_ssl_cert:: Client certificate for authenticating against Foreman server
+# $foreman_ssl_cert:: Client certificate for authenticating against Foreman server
 #
-# $foreman_ssl_key:: Key for authenticating against Foreman server
+# $foreman_ssl_key:: Key for authenticating against Foreman server
 #
-# $puppet_basedir:: Where is the puppet code base located
+# $puppet_basedir:: Where is the puppet code base located
 #
-# $enc_api:: What version of enc script to deploy. Valid
-# values are 'v2' for latest, and 'v1'
-# for Foreman =< 1.2
+# $enc_api:: What version of enc script to deploy. Valid
+# values are 'v2' for latest, and 'v1'
+# for Foreman =< 1.2
 #
-# $report_api:: What version of report processor to deploy.
-# Valid values are 'v2' for latest, and 'v1'
-# for Foreman =< 1.2
+# $report_api:: What version of report processor to deploy.
+# Valid values are 'v2' for latest, and 'v1'
+# for Foreman =< 1.2
 #
-# $request_timeout:: Timeout in node.rb script for fetching
-# catalog from Foreman (in seconds).
+# $request_timeout:: Timeout in node.rb script for fetching
+# catalog from Foreman (in seconds).
 #
-# $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...)
+# $environment_timeout:: Timeout for cached compiled catalogs (10s, 5m, ...)
 #
-# $ca_proxy:: The actual server that handles puppet CA.
-# Setting this to anything non-empty causes
-# the apache vhost to set up a proxy for all
-# certificates pointing to the value.
+# $ca_proxy:: The actual server that handles puppet CA.
+# Setting this to anything non-empty causes
+# the apache vhost to set up a proxy for all
+# certificates pointing to the value.
 #
-# $jvm_java_bin:: Set the default java to use.
+# $jvm_java_bin:: Set the default java to use.
 #
-# $jvm_config:: Specify the puppetserver jvm configuration file.
+# $jvm_config:: Specify the puppetserver jvm configuration file.
 #
-# $jvm_min_heap_size:: Specify the minimum jvm heap space.
+# $jvm_min_heap_size:: Specify the minimum jvm heap space.
 #
-# $jvm_max_heap_size:: Specify the maximum jvm heap space.
+# $jvm_max_heap_size:: Specify the maximum jvm heap space.
 #
-# $jvm_extra_args:: Additional java options to pass through.
-# This can be used for Java versions prior to
-# Java 8 to specify the max perm space to use:
-# For example: '-XX:MaxPermSize=128m'.
+# $jvm_extra_args:: Additional java options to pass through.
+# This can be used for Java versions prior to
+# Java 8 to specify the max perm space to use:
+# For example: '-XX:MaxPermSize=128m'.
 #
-# $jvm_cli_args:: Java options to use when using puppetserver
-# subcommands (eg puppetserver gem).
+# $jvm_cli_args:: Java options to use when using puppetserver
+# subcommands (eg puppetserver gem).
 #
-# $jruby_gem_home:: Where jruby gems are located for puppetserver
+# $jruby_gem_home:: Where jruby gems are located for puppetserver
 #
-# $allow_any_crl_auth:: Allow any authentication for the CRL. This
-# is needed on the puppet CA to accept clients
-# from a the puppet CA proxy.
+# $allow_any_crl_auth:: Allow any authentication for the CRL. This
+# is needed on the puppet CA to accept clients
+# from a the puppet CA proxy.
 #
-# $auth_allowed:: An array of authenticated nodes allowed to
-# access all catalog and node endpoints.
-# default to ['$1']
+# $auth_allowed:: An array of authenticated nodes allowed to
+# access all catalog and node endpoints.
+# default to ['$1']
 #
-# $default_manifest:: Toggle if default_manifest setting should
-# be added to the [main] section
+# $default_manifest:: Toggle if default_manifest setting should
+# be added to the [main] section
 #
-# $default_manifest_path:: A string setting the path to the default_manifest
+# $default_manifest_path:: A string setting the path to the default_manifest
 #
-# $default_manifest_content:: A string to set the content of the default_manifest
-# If set to '' it will not manage the file
+# $default_manifest_content:: A string to set the content of the default_manifest
+# If set to '' it will not manage the file
 #
-# $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master]
-# configuration section. This is necessary to
-# disable in case CA is delegated to a separate instance
+# $ssl_dir_manage:: Toggle if ssl_dir should be added to the [master]
+# configuration section. This is necessary to
+# disable in case CA is delegated to a separate instance
 #
-# $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem"
-# should be created with default user and group. This is used in
-# the default Forman setup to reuse the key for TLS communication.
+# $ssl_key_manage:: Toggle if "private_keys/${::puppet::server::certname}.pem"
+# should be created with default user and group. This is used in
+# the default Forman setup to reuse the key for TLS communication.
#
-# $puppetserver_vardir:: The path of the puppetserver var dir
+# $puppetserver_vardir:: The path of the puppetserver var dir
 #
-# $puppetserver_dir:: The path of the puppetserver config dir
+# $puppetserver_dir:: The path of the puppetserver config dir
 #
-# $puppetserver_version:: The version of puppetserver 2 installed (or being installed)
-# Unfortunately, different versions of puppetserver need configuring differently,
-# and there's no easy way of determining which version is being installed.
-# Defaults to '2.3.1' but can be overriden if you're installing an older version.
+# $puppetserver_version:: The version of puppetserver 2 installed (or being installed)
+# Unfortunately, different versions of puppetserver need configuring differently,
+# and there's no easy way of determining which version is being installed.
+# Defaults to '2.3.1' but can be overriden if you're installing an older version.
 #
-# $max_active_instances:: Max number of active jruby instances. Defaults to
-# processor count
+# $max_active_instances:: Max number of active jruby instances. Defaults to
+# processor count
 #
-# $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled)
+# $max_requests_per_instance:: Max number of requests per jruby instance. Defaults to 0 (disabled)
 #
-# $idle_timeout:: How long the server will wait for a response on an existing connection
+# $idle_timeout:: How long the server will wait for a response on an existing connection
 #
-# $connect_timeout:: How long the server will wait for a response to a connection attempt
+# $connect_timeout:: How long the server will wait for a response to a connection attempt
 #
-# $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed.
-# Defaults to the Jetty default of 30s
+# $web_idle_timeout:: Time in ms that Jetty allows a socket to be idle, after processing has completed.
+# Defaults to the Jetty default of 30s # -# $ssl_protocols:: Array of SSL protocols to use. -# Defaults to [ 'TLSv1.2' ] +# $ssl_protocols:: Array of SSL protocols to use. +# Defaults to [ 'TLSv1.2' ] # -# $ssl_chain_filepath:: Path to certificate chain for puppetserver -# Defaults to "${ssl_dir}/ca/ca_crt.pem" +# $ssl_chain_filepath:: Path to certificate chain for puppetserver +# Defaults to "${ssl_dir}/ca/ca_crt.pem" # -# $cipher_suites:: List of SSL ciphers to use in negotiation -# Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', -# 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] +# $cipher_suites:: List of SSL ciphers to use in negotiation +# Defaults to [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', +# 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # -# $ruby_load_paths:: List of ruby paths -# Defaults based on $::puppetversion +# $ruby_load_paths:: List of ruby paths +# Defaults based on $::puppetversion # -# $ca_client_whitelist:: The whitelist of client certificates that -# can query the certificate-status endpoint -# Defaults to [ '127.0.0.1', '::1', $::ipaddress ] +# $ca_client_whitelist:: The whitelist of client certificates that +# can query the certificate-status endpoint +# Defaults to [ '127.0.0.1', '::1', $::ipaddress ] + +# $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. 
Defaults to undef +# Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } } # -# $admin_api_whitelist:: The whitelist of clients that -# can query the puppet-admin-api endpoint -# Defaults to [ '127.0.0.1', '::1', $::ipaddress ] +# $admin_api_whitelist:: The whitelist of clients that +# can query the puppet-admin-api endpoint +# Defaults to [ '127.0.0.1', '::1', $::ipaddress ] # -# $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api -# Defaults to true +# $ca_auth_required:: Whether client certificates are needed to access the puppet-admin api +# Defaults to true # -# $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? -# Defaults to false (the puppetserver will use its own conf.d/auth.conf) +# $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? +# Defaults to false (the puppetserver will use its own conf.d/auth.conf) # -# $allow_header_cert_info:: Allow client authentication over HTTP Headers -# Defaults to false, is also activated by the $http setting +# $allow_header_cert_info:: Allow client authentication over HTTP Headers +# Defaults to false, is also activated by the $http setting # -# $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false +# $puppetserver_jruby9k:: For Puppetserver 5, use JRuby 9k? Defaults to false # -# $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? -# Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x +# $puppetserver_metrics:: Enable metrics (Puppetserver 5.x only) and JRuby profiling? +# Defaults to true on Puppetserver 5.x and to false on Puppetserver 2.x # # -# $metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true +# $metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # -# $metrics_graphite_enable:: Enable or disable Graphite metrics reporter. 
Defaults to false +# $metrics_graphite_enable:: Enable or disable Graphite metrics reporter. Defaults to false # -# $metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" +# $metrics_graphite_host:: Graphite server host. Defaults to "127.0.0.1" # -# $metrics_graphite_port:: Graphite server port. Defaults to 2003 +# $metrics_graphite_port:: Graphite server port. Defaults to 2003 # -# $metrics_server_id:: A server id that will be used as part of the namespace for metrics produced -# Defaults to $fqdn +# $metrics_server_id:: A server id that will be used as part of the namespace for metrics produced +# Defaults to $fqdn # -# $metrics_graphite_interval:: How often to send metrics to graphite (in seconds) -# Defaults to 5 +# $metrics_graphite_interval:: How often to send metrics to graphite (in seconds) +# Defaults to 5 # -# $metrics_allowed:: Specify metrics to allow in addition to those in the default list -# Defaults to undef +# $metrics_allowed:: Specify metrics to allow in addition to those in the default list +# Defaults to undef # -# $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true +# $puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true # -# $puppetserver_trusted_agents:: Certificate names of agents that are allowed to fetch *all* catalogs. Defaults to empty array +# $puppetserver_trusted_agents:: Certificate names of agents that are allowed to fetch *all* catalogs. 
Defaults to empty array # class puppet::server( Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign, Array[String] $autosign_entries = $::puppet::autosign_entries, Pattern[/^[0-9]{3,4}$/] $autosign_mode = $::puppet::autosign_mode, Optional[String] $autosign_content = $::puppet::autosign_content, Optional[String] $autosign_source = $::puppet::autosign_source, String $hiera_config = $::puppet::hiera_config, Array[String] $admin_api_whitelist = $::puppet::server_admin_api_whitelist, Boolean $manage_user = $::puppet::server_manage_user, String $user = $::puppet::server_user, String $group = $::puppet::server_group, String $dir = $::puppet::server_dir, Stdlib::Absolutepath $codedir = $::puppet::codedir, Integer $port = $::puppet::server_port, String $ip = $::puppet::server_ip, Boolean $ca = $::puppet::server_ca, Optional[String] $ca_crl_filepath = $::puppet::ca_crl_filepath, Boolean $ca_crl_sync = $::puppet::server_ca_crl_sync, Optional[Boolean] $crl_enable = $::puppet::server_crl_enable, Boolean $ca_auth_required = $::puppet::server_ca_auth_required, Array[String] $ca_client_whitelist = $::puppet::server_ca_client_whitelist, + Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $::puppet::server_custom_trusted_oid_mapping, Boolean $http = $::puppet::server_http, Integer $http_port = $::puppet::server_http_port, Array[String] $http_allow = $::puppet::server_http_allow, String $reports = $::puppet::server_reports, Enum['master', 'puppetserver'] $implementation = $::puppet::server_implementation, Boolean $passenger = $::puppet::server_passenger, Stdlib::Absolutepath $puppetserver_vardir = $::puppet::server_puppetserver_vardir, Optional[Stdlib::Absolutepath] $puppetserver_rundir = $::puppet::server_puppetserver_rundir, Optional[Stdlib::Absolutepath] $puppetserver_logdir = $::puppet::server_puppetserver_logdir, Stdlib::Absolutepath $puppetserver_dir = $::puppet::server_puppetserver_dir, Pattern[/^[\d]\.[\d]+\.[\d]+$/] 
$puppetserver_version = $::puppet::server_puppetserver_version, Boolean $service_fallback = $::puppet::server_service_fallback, Integer[0] $passenger_min_instances = $::puppet::server_passenger_min_instances, Boolean $passenger_pre_start = $::puppet::server_passenger_pre_start, Optional[String] $passenger_ruby = $::puppet::server_passenger_ruby, String $httpd_service = $::puppet::server_httpd_service, Variant[Undef, String[0], Stdlib::Absolutepath] $external_nodes = $::puppet::server_external_nodes, Array[String] $cipher_suites = $::puppet::server_cipher_suites, Optional[String] $config_version = $::puppet::server_config_version, Integer[0] $connect_timeout = $::puppet::server_connect_timeout, Integer[0] $web_idle_timeout = $puppet::server_web_idle_timeout, Boolean $git_repo = $::puppet::server_git_repo, Boolean $dynamic_environments = $::puppet::server_dynamic_environments, Boolean $directory_environments = $::puppet::server_directory_environments, Boolean $default_manifest = $::puppet::server_default_manifest, Stdlib::Absolutepath $default_manifest_path = $::puppet::server_default_manifest_path, String $default_manifest_content = $::puppet::server_default_manifest_content, Array[String] $environments = $::puppet::server_environments, String $environments_owner = $::puppet::server_environments_owner, Optional[String] $environments_group = $::puppet::server_environments_group, Pattern[/^[0-9]{3,4}$/] $environments_mode = $::puppet::server_environments_mode, Stdlib::Absolutepath $envs_dir = $::puppet::server_envs_dir, Optional[Stdlib::Absolutepath] $envs_target = $::puppet::server_envs_target, Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $::puppet::server_common_modules_path, Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $::puppet::server_git_repo_mode, Stdlib::Absolutepath $git_repo_path = $::puppet::server_git_repo_path, String $git_repo_group = $::puppet::server_git_repo_group, String $git_repo_user = $::puppet::server_git_repo_user, 
Hash[String, String] $git_branch_map = $::puppet::server_git_branch_map, Integer[0] $idle_timeout = $::puppet::server_idle_timeout, String $post_hook_content = $::puppet::server_post_hook_content, String $post_hook_name = $::puppet::server_post_hook_name, Variant[Undef, Boolean, Enum['active_record', 'puppetdb']] $storeconfigs_backend = $::puppet::server_storeconfigs_backend, Stdlib::Absolutepath $app_root = $::puppet::server_app_root, Array[Stdlib::Absolutepath] $ruby_load_paths = $::puppet::server_ruby_load_paths, Stdlib::Absolutepath $ssl_dir = $::puppet::server_ssl_dir, Boolean $ssl_dir_manage = $::puppet::server_ssl_dir_manage, Boolean $ssl_key_manage = $::puppet::server_ssl_key_manage, Array[String] $ssl_protocols = $::puppet::server_ssl_protocols, Optional[Stdlib::Absolutepath] $ssl_chain_filepath = $::puppet::server_ssl_chain_filepath, Optional[Variant[String, Array[String]]] $package = $::puppet::server_package, Optional[String] $version = $::puppet::server_version, String $certname = $::puppet::server_certname, Enum['v2', 'v1'] $enc_api = $::puppet::server_enc_api, Enum['v2', 'v1'] $report_api = $::puppet::server_report_api, Integer[0] $request_timeout = $::puppet::server_request_timeout, Optional[String] $ca_proxy = $::puppet::server_ca_proxy, Boolean $strict_variables = $::puppet::server_strict_variables, Hash[String, Data] $additional_settings = $::puppet::server_additional_settings, Array[String] $rack_arguments = $::puppet::server_rack_arguments, Boolean $foreman = $::puppet::server_foreman, Stdlib::HTTPUrl $foreman_url = $::puppet::server_foreman_url, Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca, Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $::puppet::server_foreman_ssl_cert, Optional[Stdlib::Absolutepath] $foreman_ssl_key = $::puppet::server_foreman_ssl_key, Boolean $server_foreman_facts = $::puppet::server_foreman_facts, Optional[Stdlib::Absolutepath] $puppet_basedir = $::puppet::server_puppet_basedir, 
Optional[String] $puppetdb_host = $::puppet::server_puppetdb_host, Integer[0, 65535] $puppetdb_port = $::puppet::server_puppetdb_port, Boolean $puppetdb_swf = $::puppet::server_puppetdb_swf, Enum['current', 'future'] $parser = $::puppet::server_parser, Variant[Undef, Enum['unlimited'], Pattern[/^\d+[smhdy]?$/]] $environment_timeout = $::puppet::server_environment_timeout, String $jvm_java_bin = $::puppet::server_jvm_java_bin, String $jvm_config = $::puppet::server_jvm_config, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_min_heap_size = $::puppet::server_jvm_min_heap_size, Pattern[/^[0-9]+[kKmMgG]$/] $jvm_max_heap_size = $::puppet::server_jvm_max_heap_size, Variant[String,Array[String]] $jvm_extra_args = $::puppet::server_jvm_extra_args, Optional[String] $jvm_cli_args = $::puppet::server_jvm_cli_args, Optional[Stdlib::Absolutepath] $jruby_gem_home = $::puppet::server_jruby_gem_home, Integer[1] $max_active_instances = $::puppet::server_max_active_instances, Integer[0] $max_requests_per_instance = $::puppet::server_max_requests_per_instance, Integer[0] $max_queued_requests = $puppet::server_max_queued_requests, Integer[0] $max_retry_delay = $puppet::server_max_retry_delay, Boolean $use_legacy_auth_conf = $::puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $::puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $::puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $::puppet::server_allow_header_cert_info, Boolean $puppetserver_jruby9k = $::puppet::server_puppetserver_jruby9k, Boolean $puppetserver_metrics = $::puppet::server_puppetserver_metrics, Boolean $metrics_jmx_enable = $::puppet::server_metrics_jmx_enable, Boolean $metrics_graphite_enable = $::puppet::server_metrics_graphite_enable, String $metrics_graphite_host = $::puppet::server_metrics_graphite_host, Integer $metrics_graphite_port = $::puppet::server_metrics_graphite_port, String $metrics_server_id = $::puppet::server_metrics_server_id, Integer 
$metrics_graphite_interval = $::puppet::server_metrics_graphite_interval, Variant[Undef, Array] $metrics_allowed = $::puppet::server_metrics_allowed, Boolean $puppetserver_experimental = $::puppet::server_puppetserver_experimental, Array[String] $puppetserver_trusted_agents = $::puppet::server_puppetserver_trusted_agents, Optional[Enum['off', 'jit', 'force']] $compile_mode = $::puppet::server_compile_mode, ) { if $implementation == 'master' and $ip != $puppet::params::ip { notify { 'ip_not_supported': message => "Bind IP address is unsupported for the ${implementation} implementation.", loglevel => 'warning', } } if $ca { $ssl_ca_cert = "${ssl_dir}/ca/ca_crt.pem" $ssl_ca_crl = "${ssl_dir}/ca/ca_crl.pem" $ssl_chain = $ssl_chain_filepath $crl_enable_real = pick($crl_enable, true) } else { $ssl_ca_cert = "${ssl_dir}/certs/ca.pem" $ssl_ca_crl = pick($ca_crl_filepath, "${ssl_dir}/crl.pem") $ssl_chain = false $crl_enable_real = pick($crl_enable, false) } $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" if $config_version == undef { if $git_repo { $config_version_cmd = "git --git-dir ${envs_dir}/\$environment/.git describe --all --long" } else { $config_version_cmd = undef } } else { $config_version_cmd = $config_version } if $implementation == 'master' { $pm_service = !$passenger and $service_fallback $ps_service = undef $rack_service = $passenger } elsif $implementation == 'puppetserver' { $pm_service = undef $ps_service = true $rack_service = false } class { '::puppet::server::install': } ~> class { '::puppet::server::config': } ~> class { '::puppet::server::service': app_root => $app_root, httpd_service => $httpd_service, puppetmaster => $pm_service, puppetserver => $ps_service, rack => $rack_service, } -> Class['puppet::server'] Class['puppet::config'] ~> Class['puppet::server::service'] } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index ce8b42b..bb62d29 100644 
--- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
@@ -1,314 +1,327 @@ # Set up the puppet server config class puppet::server::config inherits puppet::config { if $::puppet::server::passenger and $::puppet::server::implementation == 'master' { contain 'puppet::server::passenger' } if $::puppet::server::implementation == 'puppetserver' { contain 'puppet::server::puppetserver' unless empty($::puppet::server::puppetserver_vardir) { puppet::config::master { 'vardir': value => $::puppet::server::puppetserver_vardir; } } unless empty($::puppet::server::puppetserver_rundir) { puppet::config::master { 'rundir': value => $::puppet::server::puppetserver_rundir; } } unless empty($::puppet::server::puppetserver_logdir) { puppet::config::master { 'logdir': value => $::puppet::server::puppetserver_logdir; } } } # Mirror the relationship, as defined() is parse-order dependent # Ensures puppetmasters certs are generated before the proxy is needed if defined(Class['foreman_proxy::config']) and $foreman_proxy::ssl { Class['puppet::server::config'] ~> Class['foreman_proxy::config'] Class['puppet::server::config'] ~> Class['foreman_proxy::service'] } # And before Foreman's cert-using service needs it if defined(Class['foreman::service']) and $foreman::ssl { Class['puppet::server::config'] -> Class['foreman::service'] } ## General configuration $ca_server = $::puppet::ca_server $ca_port = $::puppet::ca_port $server_storeconfigs_backend = $::puppet::server::storeconfigs_backend $server_external_nodes = $::puppet::server::external_nodes $server_environment_timeout = $::puppet::server::environment_timeout if $server_external_nodes and $server_external_nodes != '' { class{ '::puppet::server::enc': enc_path => $server_external_nodes, } } $autosign = ($::puppet::server::autosign =~ Boolean)? 
{ true => $::puppet::server::autosign, false => "${::puppet::server::autosign} { mode = ${::puppet::server::autosign_mode} }" } puppet::config::main { 'reports': value => $::puppet::server::reports; } if $::puppet::server::hiera_config and !empty($::puppet::server::hiera_config){ puppet::config::main { 'hiera_config': value => $::puppet::server::hiera_config; } } if $puppet::server::directory_environments { puppet::config::main { 'environmentpath': value => $puppet::server::envs_dir; } } if $puppet::server::common_modules_path and !empty($puppet::server::common_modules_path) { puppet::config::main { 'basemodulepath': value => $puppet::server::common_modules_path, joiner => ':'; } } if $puppet::server::default_manifest { puppet::config::main { 'default_manifest': value => $puppet::server::default_manifest_path; } } puppet::config::master { 'autosign': value => $autosign; 'ca': value => $::puppet::server::ca; 'certname': value => $::puppet::server::certname; 'parser': value => $::puppet::server::parser; 'strict_variables': value => $::puppet::server::strict_variables; } if $::puppet::server::ssl_dir_manage { puppet::config::master { 'ssldir': value => $::puppet::server::ssl_dir; } } if $server_environment_timeout { puppet::config::master { 'environment_timeout': value => $server_environment_timeout; } } if $server_storeconfigs_backend { puppet::config::master { 'storeconfigs': value => true; 'storeconfigs_backend': value => $server_storeconfigs_backend; } } if !$::puppet::server::directory_environments and ($::puppet::server::git_repo or $::puppet::server::dynamic_environments) { puppet::config::master { 'manifest': value => "${::puppet::server::envs_dir}/\$environment/manifests/site.pp"; 'modulepath': value => "${::puppet::server::envs_dir}/\$environment/modules"; } if $::puppet::server::config_version_cmd { puppet::config::master { 'config_version': value => $::puppet::server::config_version_cmd; } } } $::puppet::server_additional_settings.each |$key,$value| { 
puppet::config::master { $key: value => $value } } file { "${puppet::vardir}/reports": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', } if '/usr/share/puppet/modules' in $puppet::server::common_modules_path { # Create Foreman share dir which does not depend on Puppet version exec { 'mkdir -p /usr/share/puppet/modules': creates => '/usr/share/puppet/modules', path => ['/usr/bin', '/bin'], } } ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${::puppet::server::ssl_dir}/private_keys": ensure => directory, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0750', require => Exec['puppet_server_config-create_ssl_dir'], } if $puppet::server::ssl_key_manage { file { "${::puppet::server::ssl_dir}/private_keys/${::puppet::server::certname}.pem": owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0640', } }
+ if $puppet::server::custom_trusted_oid_mapping {
+ $_custom_trusted_oid_mapping = {
+ oid_mapping => $puppet::server::custom_trusted_oid_mapping,
+ }
+ file { "${::puppet::dir}/custom_trusted_oid_mapping.yaml":
+ ensure => file,
+ owner => 'root',
+ group => $::puppet::params::root_group,
+ mode => '0644',
+ content => to_yaml($_custom_trusted_oid_mapping),
+ }
+ }
+
 # If the ssl dir is not the default dir, it needs to be created before running # the generate ca cert or it will fail.
exec {'puppet_server_config-create_ssl_dir': creates => $::puppet::server::ssl_dir, command => "/bin/mkdir -p ${::puppet::server::ssl_dir}", umask => '0022', } # Generate a new CA and host cert if our host cert doesn't exist if $::puppet::server::ca { exec {'puppet_server_config-generate_ca_cert': creates => $::puppet::server::ssl_cert, command => "${::puppet::puppetca_cmd} --generate ${::puppet::server::certname} --allow-dns-alt-names", umask => '0022', require => [ Concat["${::puppet::server::dir}/puppet.conf"], Exec['puppet_server_config-create_ssl_dir'], ], } } elsif $::puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca master if defined('$::servername') { file { $::puppet::server::ssl_ca_crl: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => '0644', content => file($::settings::cacrl, $::settings::hostcrl, '/dev/null'), } } } if $::puppet::server::passenger and $::puppet::server::implementation == 'master' and $::puppet::server::ca { Exec['puppet_server_config-generate_ca_cert'] ~> Service[$::puppet::server::httpd_service] } # autosign file if $::puppet::server_ca and !($puppet::server::autosign =~ Boolean) { if $::puppet::server::autosign_content or $::puppet::server::autosign_source { if !empty($::puppet::server::autosign_entries) { fail('Cannot set both autosign_content/autosign_source and autosign_entries') } $autosign_content = $::puppet::server::autosign_content } elsif !empty($::puppet::server::autosign_entries) { $autosign_content = template('puppet/server/autosign.conf.erb') } else { $autosign_content = undef } file { $::puppet::server::autosign: ensure => file, owner => $::puppet::server::user, group => $::puppet::server::group, mode => $::puppet::server::autosign_mode, content => $autosign_content, source => $::puppet::server::autosign_source, } } # only manage this file if we provide content if $::puppet::server::default_manifest and $::puppet::server::default_manifest_content != '' { 
file { $::puppet::server::default_manifest_path: ensure => file, owner => $puppet::user, group => $puppet::group, mode => '0644', content => $::puppet::server::default_manifest_content, } } ## Environments # location where our puppet environments are located if $::puppet::server::envs_target and $::puppet::server::envs_target != '' { $ensure = 'link' } else { $ensure = 'directory' } file { $::puppet::server::envs_dir: ensure => $ensure, owner => $::puppet::server::environments_owner, group => $::puppet::server::environments_group, mode => $::puppet::server::environments_mode, target => $::puppet::server::envs_target, force => true, } if $::puppet::server::git_repo { # need to chown the $vardir before puppet does it, or else # we can't write puppet.git/ on the first run include ::git git::repo { 'puppet_repo': bare => true, target => $::puppet::server::git_repo_path, mode => $::puppet::server::git_repo_mode, user => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, require => File[$::puppet::server::envs_dir], } $git_branch_map = $::puppet::server::git_branch_map # git post hook to auto generate an environment per branch file { "${::puppet::server::git_repo_path}/hooks/${::puppet::server::post_hook_name}": content => template($::puppet::server::post_hook_content), owner => $::puppet::server::git_repo_user, group => $::puppet::server::git_repo_group, mode => $::puppet::server::git_repo_mode, require => Git::Repo['puppet_repo'], } } elsif ! 
$::puppet::server::dynamic_environments { file { $puppet::sharedir: ensure => directory, } if $::puppet::server::common_modules_path and $::puppet::server::common_modules_path != '' { file { $::puppet::server::common_modules_path: ensure => directory, owner => $::puppet::server_environments_owner, group => $::puppet::server_environments_group, mode => $::puppet::server_environments_mode, } } # setup empty directories for our environments puppet::server::env {$::puppet::server::environments: } } ## Foreman if $::puppet::server::foreman { # Include foreman components for the puppetmaster # ENC script, reporting script etc. class { 'foreman::puppetmaster': foreman_url => $::puppet::server::foreman_url, receive_facts => $::puppet::server::server_foreman_facts, puppet_home => $::puppet::server::puppetserver_vardir, puppet_basedir => $::puppet::server::puppet_basedir, puppet_etcdir => $puppet::dir, enc_api => $::puppet::server::enc_api, report_api => $::puppet::server::report_api, timeout => $::puppet::server::request_timeout, ssl_ca => pick($::puppet::server::foreman_ssl_ca, $::puppet::server::ssl_ca_cert), ssl_cert => pick($::puppet::server::foreman_ssl_cert, $::puppet::server::ssl_cert), ssl_key => pick($::puppet::server::foreman_ssl_key, $::puppet::server::ssl_cert_key), } contain foreman::puppetmaster } ## PuppetDB if $::puppet::server::puppetdb_host { class { '::puppetdb::master::config': puppetdb_server => $::puppet::server::puppetdb_host, puppetdb_port => $::puppet::server::puppetdb_port, puppetdb_soft_write_failure => $::puppet::server::puppetdb_swf, manage_storeconfigs => false, restart_puppet => false, } Class['puppetdb::master::puppetdb_conf'] ~> Class['puppet::server::service'] } } diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb index 0821495..fc8c5dd 100644 --- a/spec/classes/puppet_server_config_spec.rb +++ b/spec/classes/puppet_server_config_spec.rb 
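Review bot: The new file resource is only declared when `$puppet::server::custom_trusted_oid_mapping` is set, so clearing the parameter later leaves the previously written custom_trusted_oid_mapping.yaml on disk and its short names keep resolving in `$trusted['extensions']` for any manifest that authorizes on them. If unsetting the parameter is meant to retire the mapping, manage the file in both branches, e.g. `} else { file { "${::puppet::dir}/custom_trusted_oid_mapping.yaml": ensure => absent } }` after the closing brace of the new `if`. The path is also hard-coded to what I believe is Puppet's default `trusted_oid_mapping_file` location, so an operator overriding that setting through `server_additional_settings` (the `.each` loop earlier in this class) would get a file Puppet never loads; a one-line comment such as `# matches Puppet's default trusted_oid_mapping_file; adjust if that setting is overridden` would flag this. Note that the only accompanying spec is a negative `should_not contain_file` on a single-quoted path, so nothing yet pins the rendered content or the top-level `oid_mapping` key; a positive example would be worth adding.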
@@ -1,909 +1,942 @@ require 'spec_helper' describe 'puppet::server::config' do before :each do @cacrl = Tempfile.new('cacrl') File.open(@cacrl, 'w') { |f| f.write "This is my CRL File" } Puppet.settings[:cacrl] = @cacrl.path end on_os_under_test.each do |os, facts| next if unsupported_puppetmaster_osfamily(facts[:osfamily]) context "on #{os}" do if facts[:osfamily] == 'FreeBSD' codedir = '/usr/local/etc/puppet' confdir = '/usr/local/etc/puppet' conf_file = '/usr/local/etc/puppet/puppet.conf' environments_dir = '/usr/local/etc/puppet/environments' logdir = '/var/log/puppet' rundir = '/var/run/puppet' vardir = '/var/puppet' puppetserver_vardir = '/var/puppet/server/data/puppetserver' puppetserver_logdir = '/var/log/puppetserver' puppetserver_rundir = '/var/run/puppetserver' ssldir = '/var/puppet/ssl' sharedir = '/usr/local/share/puppet' etcdir = '/usr/local/etc/puppet' puppetcacmd = '/usr/local/bin/puppet cert' else codedir = '/etc/puppetlabs/code' confdir = '/etc/puppetlabs/puppet' conf_file = '/etc/puppetlabs/puppet/puppet.conf' environments_dir = '/etc/puppetlabs/code/environments' logdir = '/var/log/puppetlabs/puppet' rundir = '/var/run/puppetlabs' vardir = '/opt/puppetlabs/puppet/cache' puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver' puppetserver_logdir = '/var/log/puppetlabs/puppetserver' puppetserver_rundir = '/var/run/puppetlabs/puppetserver' ssldir = '/etc/puppetlabs/puppet/ssl' sharedir = '/opt/puppetlabs/puppet' etcdir = '/etc/puppetlabs/puppet' puppetcacmd = '/opt/puppetlabs/bin/puppet cert' end let(:facts) do facts.merge({:clientcert => 'puppetmaster.example.com'}) end describe 'with no custom parameters' do let :pre_condition do "class {'puppet': server => true}" end it 'should set up SSL permissions' do should contain_file("#{ssldir}/private_keys"). \ with_group('puppet'). \ with_mode('0750') should contain_file("#{ssldir}/private_keys/puppetmaster.example.com.pem"). \ with_group('puppet'). 
\ with_mode('0640') should contain_exec('puppet_server_config-create_ssl_dir'). \ with_creates(ssldir). \ with_command("/bin/mkdir -p #{ssldir}"). \ with_umask('0022') should contain_exec('puppet_server_config-generate_ca_cert'). \ with_creates("#{ssldir}/certs/puppetmaster.example.com.pem"). \ with_command("#{puppetcacmd} --generate puppetmaster.example.com --allow-dns-alt-names"). \ with_umask('0022'). \ that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) should contain_puppet__config__main('environmentpath').with_value(environments_dir) end context 'with non-AIO packages', if: facts[:osfamily] == 'FreeBSD' do it 'CA cert generation should notify the Apache service' do should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[httpd]') end end context 'with AIO packages', unless: facts[:osfamily] == 'FreeBSD' do it 'CA cert generation should notify the puppetserver service' do should contain_exec('puppet_server_config-generate_ca_cert').that_notifies('Service[puppetserver]') end end it 'should set up the ENC' do should contain_class('foreman::puppetmaster'). with_foreman_url("https://foo.example.com"). with_receive_facts(true). with_puppet_home(puppetserver_vardir). with_puppet_etcdir(etcdir). with_timeout(60) # Since this is managed inside the foreman module it does not # make sense to test it here #with_puppet_basedir('/usr/lib/ruby/site_ruby/1.9/puppet'). end it 'should set up the environments' do should contain_file(environments_dir). with_ensure('directory'). with_owner('puppet'). with_group(nil). with_mode('0755') should contain_file(sharedir).with_ensure('directory') should contain_file("#{codedir}/environments/common"). with_ensure('directory'). with_owner('puppet'). with_group(nil). with_mode('0755') should contain_file("#{sharedir}/modules"). with_ensure('directory'). with_owner('puppet'). with_group(nil). 
with_mode('0755') should contain_puppet__server__env('development') should contain_puppet__server__env('production') end it 'should configure puppet' do should contain_puppet__config__main("logdir").with({'value' => "#{logdir}"}) should contain_puppet__config__main("rundir").with({'value' => "#{rundir}"}) should contain_puppet__config__main("ssldir").with({'value' => "#{ssldir}"}) should contain_puppet__config__main("privatekeydir").with({'value' => '$ssldir/private_keys { group = service }'}) should contain_puppet__config__main("hostprivkey").with({'value' => '$privatekeydir/$certname.pem { mode = 640 }'}) should contain_puppet__config__main("reports").with({'value' => 'foreman'}) should contain_puppet__config__main("environmentpath").with({'value' => "#{codedir}/environments"}) should contain_puppet__config__main("basemodulepath").with({ 'value' => ["#{codedir}/environments/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"], 'joiner' => ':'}) should contain_puppet__config__agent('classfile').with({'value' => '$statedir/classes.txt'}) should contain_puppet__config__master('external_nodes').with({'value' => "#{etcdir}\/node.rb"}) should contain_puppet__config__master('node_terminus').with({'value' => 'exec'}) should contain_puppet__config__master('ca').with({'value' => 'true'}) should contain_puppet__config__master('ssldir').with({'value' => "#{ssldir}"}) should contain_puppet__config__master('parser').with({'value' => 'current'}) should contain_puppet__config__master("autosign").with({'value' => "#{etcdir}\/autosign.conf \{ mode = 0664 \}"}) should contain_concat(conf_file) should_not contain_puppet__config__master('storeconfigs') should contain_file("#{etcdir}/autosign.conf") end it 'should not set configtimeout' do should_not contain_puppet__config__agent('configtimeout') end it 'should not configure PuppetDB' do should_not contain_class('puppetdb') should_not contain_class('puppetdb::master::config') end + + it 'should not configure 
custom_trusted_oid_mapping.yaml' do + should_not contain_file('#{confdir}/custom_trusted_oid_mapping.yaml') + end end describe "when autosign => true" do let :pre_condition do "class {'puppet': server => true, autosign => true, }" end it 'should contain puppet.conf [main] with autosign = true' do should contain_puppet__config__master('autosign').with_value(true) end end describe 'when autosign => /somedir/custom_autosign, autosign_mode => 664' do let :pre_condition do "class {'puppet': server => true, autosign => '/somedir/custom_autosign', autosign_mode => '664', }" end it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 664 }' do should contain_puppet__config__master('autosign').with_value("/somedir/custom_autosign { mode = 664 }") end end describe "when autosign_entries is not set" do let :pre_condition do "class {'puppet': server => true, }" end it 'should contain autosign.conf with out content set' do should contain_file("#{confdir}/autosign.conf") should_not contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should_not contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_entries set to ['foo.bar']" do let :pre_condition do "class {'puppet': server => true, autosign_entries => ['foo.bar'], }" end it 'should contain autosign.conf with content set' do should contain_file("#{confdir}/autosign.conf") should contain_file("#{confdir}/autosign.conf").with_content(/# Managed by Puppet/) should contain_file("#{confdir}/autosign.conf").with_content(/foo.bar/) end end describe "when autosign_content => set to foo.bar and and autosign_entries set to ['foo.bar']=> true" do let :pre_condition do "class {'puppet': server => true, autosign_content => 'foo.bar', autosign_entries => ['foo.bar'], }" end it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) } end describe "when autosign_source => set to 
puppet:///foo/bar and and autosign_entries set to ['foo.bar']=> true" do let :pre_condition do "class {'puppet': server => true, autosign_source => 'puppet:///foo/bar', autosign_entries => ['foo.bar'], }" end it { should raise_error(Puppet::Error, /Cannot set both autosign_content\/autosign_source and autosign_entries/) } end describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_content set to 'foo.bar'" do let :pre_condition do "class {'puppet': server => true, autosign => '#{confdir}/custom_autosign.sh', autosign_mode => '775', autosign_content => 'foo.bar', }" end it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do should contain_puppet__config__master('autosign').with_value("#{confdir}/custom_autosign.sh { mode = 775 }") end it 'should contain custom_autosign.sh with content set' do should contain_file("#{confdir}/custom_autosign.sh") should contain_file("#{confdir}/custom_autosign.sh").with_content(/foo.bar/) end end describe "when autosign => #{confdir}/custom_autosign.sh, autosign_mode => 775 and autosign_source set to 'puppet:///foo/bar'" do let :pre_condition do "class {'puppet': server => true, autosign => '#{confdir}/custom_autosign.sh', autosign_mode => '775', autosign_source => 'puppet:///foo/bar', }" end it 'should contain puppet.conf [main] with autosign = /somedir/custom_autosign { mode = 775 }' do should contain_puppet__config__master('autosign').with_value("#{confdir}/custom_autosign.sh { mode = 775 }") end it 'should contain custom_autosign.sh with content set' do should contain_file("#{confdir}/custom_autosign.sh") should contain_file("#{confdir}/custom_autosign.sh").with_source('puppet:///foo/bar') end end describe "when hiera_config => '$confdir/hiera.yaml'" do let :pre_condition do "class {'puppet': server => true, hiera_config => '/etc/puppet/hiera/production/hiera.yaml', }" end it 'should contain puppet.conf [main] with non-default hiera_config' do should 
contain_puppet__config__main("hiera_config").with_value('/etc/puppet/hiera/production/hiera.yaml') end end describe 'without foreman' do let :pre_condition do "class {'puppet': server => true, server_reports => 'store', server_external_nodes => '', }" end it 'should contain an empty external_nodes' do should_not contain_puppet__config__master('external_nodes') end end describe 'without external_nodes' do let :pre_condition do "class {'puppet': server => true, server_external_nodes => '', }" end it 'should not contain external_nodes' do should_not contain_puppet__config__master('external_nodes') should_not contain_puppet__config__master('node_terminus') end end describe 'with server_default_manifest => true and undef content' do let :pre_condition do 'class { "::puppet": server_default_manifest => true, server => true }' end it 'should contain default_manifest setting in puppet.conf' do should contain_puppet__config__main('default_manifest').with_value('/etc/puppet/manifests/default_manifest.pp') end it 'should_not contain default manifest /etc/puppet/manifests/default_manifest.pp' do should_not contain_file('/etc/puppet/manifests/default_manifest.pp') end end describe 'with server_default_manifest => true and server_default_manifest_content => "include foo"' do let :pre_condition do 'class { "::puppet": server_default_manifest => true, server_default_manifest_content => "include foo", server => true }' end it 'should contain default_manifest setting in puppet.conf' do should contain_puppet__config__main('default_manifest').with({'value' => '/etc/puppet/manifests/default_manifest.pp'}) end it 'should contain default manifest /etc/puppet/manifests/default_manifest.pp' do should contain_file('/etc/puppet/manifests/default_manifest.pp').with_content(/include foo/) end end describe 'with git repo' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, }" end it 'should set up the environments directory' do should 
contain_file(environments_dir). \ with_ensure('directory'). \ with_owner('puppet') end it 'should create the puppet user' do shell = case facts[:osfamily] when /^(FreeBSD|DragonFly)$/ '/usr/local/bin/git-shell' else '/usr/bin/git-shell' end should contain_user('puppet'). with_shell(shell). that_requires('Class[git]') end it 'should create the git repo' do should contain_file(vardir). with_ensure('directory'). with_owner('puppet') should contain_git__repo('puppet_repo'). with_bare(true). with_target("#{vardir}/puppet.git"). with_user('puppet'). that_requires("File[#{environments_dir}]") should contain_file("#{vardir}/puppet.git/hooks/post-receive"). with_owner('puppet'). \ with_mode('0755'). \ with_require(%r{Git::Repo\[puppet_repo\]}). \ with_content(%r{BRANCH_MAP = \{[^a-zA-Z=>]\}}) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } context 'with directory environments' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_directory_environments => true, }" end it 'should configure puppet.conf' do should_not contain_puppet__config__master('config_version') should contain_puppet__config__main('environmentpath').with_value(environments_dir) end end context 'with config environments' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_directory_environments => false, }" end it 'should configure puppet.conf' do should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") should contain_puppet__config__master('config_version').with_value("git --git-dir #{environments_dir}/\$environment/.git describe --all --long") end end end describe 'with dynamic environments' do context 'with directory environments' do let :pre_condition do "class {'puppet': server => true, 
server_dynamic_environments => true, server_directory_environments => true, server_environments_owner => 'apache', }" end it 'should set up the environments directory' do should contain_file(environments_dir). \ with_ensure('directory'). \ with_owner('apache') end it 'should configure puppet.conf' do should contain_puppet__config__main('environmentpath').with_value(environments_dir) should contain_puppet__config__main('basemodulepath').with_value(["#{environments_dir}/common","#{codedir}/modules","#{sharedir}/modules","/usr/share/puppet/modules"]) end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } end context 'with no common modules directory' do let :pre_condition do "class {'puppet': server => true, server_dynamic_environments => true, server_directory_environments => true, server_environments_owner => 'apache', server_common_modules_path => '', }" end it 'should configure puppet.conf' do should_not contain_puppet__config__main('basemodulepath') end end context 'with config environments' do let :pre_condition do "class {'puppet': server => true, server_dynamic_environments => true, server_directory_environments => false, server_environments_owner => 'apache', }" end it 'should set up the environments directory' do should contain_file(environments_dir). \ with_ensure('directory'). 
\ with_owner('apache') end it 'should configure puppet.conf' do should contain_puppet__config__master('manifest').with_value("#{environments_dir}/\$environment/manifests/site.pp") should contain_puppet__config__master('modulepath').with_value("#{environments_dir}/\$environment/modules") end it { should_not contain_puppet__server__env('development') } it { should_not contain_puppet__server__env('production') } end end describe 'with SSL path overrides' do let :pre_condition do "class {'puppet': server => true, server_foreman_ssl_ca => '/etc/example/ca.pem', server_foreman_ssl_cert => '/etc/example/cert.pem', server_foreman_ssl_key => '/etc/example/key.pem', }" end it 'should pass SSL parameters to the ENC' do should contain_class('foreman::puppetmaster'). with_ssl_ca('/etc/example/ca.pem'). with_ssl_cert('/etc/example/cert.pem'). with_ssl_key('/etc/example/key.pem') end end describe 'with a PuppetDB host set' do let :pre_condition do "class {'puppet': server => true, server_puppetdb_host => 'mypuppetdb.example.com', server_storeconfigs_backend => 'puppetdb', }" end it 'should configure PuppetDB' do should compile.with_all_deps should contain_class('puppetdb::master::config'). with_puppetdb_server('mypuppetdb.example.com'). with_puppetdb_port(8081). with_puppetdb_soft_write_failure(false). with_manage_storeconfigs(false). with_restart_puppet(false) end end describe 'with a puppet git branch map' do let :pre_condition do "class {'puppet': server => true, server_git_repo => true, server_git_branch_map => { 'a' => 'b', 'c' => 'd' } }" end it 'should add the branch map to the post receive hook' do should contain_file("#{vardir}/puppet.git/hooks/post-receive"). 
with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/) end end describe 'with additional settings' do let :pre_condition do "class {'puppet': server => true, server_additional_settings => {stringify_facts => true}, }" end it 'should configure puppet.conf' do should contain_puppet__config__master('stringify_facts').with_value(true) end end describe 'with server_parser => future' do let :pre_condition do "class {'puppet': server => true, server_parser => 'future', }" end it 'should configure future parser' do should contain_puppet__config__master('parser').with_value('future') end end describe 'with server_environment_timeout set' do let :pre_condition do "class {'puppet': server => true, server_environment_timeout => '10m', }" end it 'should configure environment_timeout accordingly' do should contain_puppet__config__master('environment_timeout').with_value('10m') end end describe 'with no ssldir managed for master' do let :pre_condition do "class {'puppet': server => true, server_ssl_dir_manage => false}" end it 'should not contain ssl_dir configuration setting in the master section' do should_not contain_puppet__config__master('ssl_dir') end end describe 'with ssl key management disabled for server' do let :pre_condition do "class {'puppet': server => true, server_certname => 'servercert', server_ssl_key_manage => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end it 'should not contain a default ssl key definition' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/private_keys/servercert.pem') end end describe 'with nondefault CA settings' do let :pre_condition do "class {'puppet': server => true, server_ca => false, }" end it 'should create the ssl directory' do should contain_exec('puppet_server_config-create_ssl_dir') end it 'should not generate CA certificates' do should_not contain_exec('puppet_server_config-generate_ca_cert') end end describe 'with server_implementation => "puppetserver"' do let :pre_condition do "class 
{'puppet': server => true, server_implementation => 'puppetserver' }" end it 'should configure puppet.conf' do should contain_puppet__config__master("vardir").with_value(puppetserver_vardir) should contain_puppet__config__master("logdir").with_value(puppetserver_logdir) should contain_puppet__config__master("rundir").with_value(puppetserver_rundir) end end describe 'with server_ca_crl_sync => true' do context 'with server_ca => false and running "puppet apply"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end context 'with server_ca => false: running "puppet agent -t"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => false, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end let(:facts) do facts.merge({:servername => 'myserver' }) end it 'should sync the crl from the ca' do should contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem'). 
with_content("This is my CRL File") end end context 'with server_ca => true: running "puppet agent -t"' do let :pre_condition do "class {'puppet': server => true, server_ca_crl_sync => true, server_ca => true, server_ssl_dir => '/etc/custom/puppetlabs/puppet/ssl' }" end let(:facts) do facts.merge({:servername => 'myserver' }) end it 'should not sync the crl' do should_not contain_file('/etc/custom/puppetlabs/puppet/ssl/crl.pem') end end end describe 'allow crl checking' do context 'as ca' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the ca_crl.pem file' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/ssl-crl-path: #{ssldir}\/ca\/ca_crl.pem/) end end context 'as non-ca with default' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => false, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the ca_crl.pem file' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). without_content(/ssl-crl-path: #{ssldir}\/crl.pem/) end end context 'as non-ca with server_crl_enable' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => false, server_crl_enable => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems' }" end it 'should use the crl.pem file' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
with_content(/ssl-crl-path: #{ssldir}\/crl.pem/) end end end describe 'with ssl_protocols overwritten' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_ssl_protocols => ['TLSv1.1', 'TLSv1.2'], }" end it 'should set the ssl protocols' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/ssl-protocols: \[\n( +)TLSv1.1,\n( +)TLSv1.2,\n( +)\]/) end end describe 'with cipher-suites overwritten' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_cipher_suites => ['TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA'], }" end it 'should set the cipher suite' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/cipher-suites: \[\n( +)TLS_RSA_WITH_AES_256_CBC_SHA256,\n( +)TLS_RSA_WITH_AES_256_CBC_SHA,\n( +)\]/) end end describe 'with ssl_chain_filepath overwritten' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_ca => true, server_puppetserver_dir => '/etc/custom/puppetserver', server_jruby_gem_home => '/opt/puppetlabs/server/data/puppetserver/jruby-gems', server_ssl_chain_filepath => '/etc/example/certchain.pem', }" end it 'should use the server_ssl_chain_filepath file' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
with_content(/ssl-cert-chain: \/etc\/example\/certchain.pem/) end end
+ describe 'with server_custom_trusted_oid_mapping overwritten' do
+ let :pre_condition do
+ "class {'puppet':
+ server => true,
+ server_custom_trusted_oid_mapping => {
+ '1.3.6.1.4.1.34380.1.2.1.1' => {
+ shortname => 'myshortname',
+ longname => 'My Long Name',
+ },
+ '1.3.6.1.4.1.34380.1.2.1.2' => {
+ shortname => 'myothershortname',
+ },
+ }
+ }"
+ end
+
+ it 'should have a configured custom_trusted_oid_mapping.yaml' do
+ verify_exact_contents(catalogue, "#{confdir}/custom_trusted_oid_mapping.yaml", [
+ '---',
+ 'oid_mapping:',
+ ' 1.3.6.1.4.1.34380.1.2.1.1:',
+ ' shortname: myshortname',
+ ' longname: My Long Name',
+ ' 1.3.6.1.4.1.34380.1.2.1.2:',
+ ' shortname: myothershortname',
+ ])
+ end
+ end
+ describe 'with server_ip parameter given to the puppet class' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_ip => '127.0.0.1', }" end it 'should put the correct ip address in webserver.conf' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf').with_content(/ssl-host:\s127\.0\.0\.1/) end end describe 'with server_certname parameter' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_certname => 'puppetserver43.example.com', server_ssl_dir => '/etc/custom/puppet/ssl', }" end it 'should put the correct ssl key path in webserver.conf' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(%r{ssl-key: /etc/custom/puppet/ssl/private_keys/puppetserver43\.example\.com\.pem}) end it 'should put the correct ssl cert path in webserver.conf' do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). 
with_content(%r{ssl-cert: /etc/custom/puppet/ssl/certs/puppetserver43\.example\.com\.pem}) end end describe 'with server_http parameter set to true for the puppet class' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_http => true, }" end it do should contain_file('/etc/custom/puppetserver/conf.d/webserver.conf'). with_content(/ host:\s0\.0\.0\.0/). with_content(/ port:\s8139/). with({}) end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(/allow-header-cert-info: true/). with({}) } end describe 'with server_allow_header_cert_info parameter set to true for the puppet class' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_allow_header_cert_info => true, }" end it { should contain_file('/etc/custom/puppetserver/conf.d/auth.conf'). with_content(/allow-header-cert-info: true/). with({}) } end describe 'with server_http_allow parameter set for the puppet class' do let :pre_condition do "class {'puppet': server => true, server_implementation => 'puppetserver', server_puppetserver_dir => '/etc/custom/puppetserver', server_http => true, server_http_allow => ['1.2.3.4'], }" end it { should raise_error(Puppet::Error, /setting \$server_http_allow is not supported for puppetserver as it would have no effect/) } end end end end
diff --git a/types/custom_trusted_oid_mapping.pp b/types/custom_trusted_oid_mapping.pp
new file mode 100644
index 0000000..ff549d1
--- /dev/null
+++ b/types/custom_trusted_oid_mapping.pp
@@ -0,0 +1 @@
+type Puppet::Custom_trusted_oid_mapping = Hash[String, Struct[{ shortname => String, longname => Optional[String], }]]
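Review bot: The key type of the new `Puppet::Custom_trusted_oid_mapping` alias is a bare `String`, so an empty string, a hostname or a mistyped OID is accepted at compile time and, judging by the spec's `verify_exact_contents` expectation, rendered straight into `custom_trusted_oid_mapping.yaml`, where the problem presumably only surfaces when the agent or server parses that file. Constraining the key to dotted-decimal form and the names to non-empty strings rejects such values where the parameter is set: `type Puppet::Custom_trusted_oid_mapping = Hash[Pattern[/\A\d+(\.\d+)+\z/], Struct[{ shortname => String[1], longname => Optional[String[1]], }]]`. The new file also carries no documentation; a one-line header such as `# OID => { shortname, longname } entries rendered into custom_trusted_oid_mapping.yaml` would tell a reader what the alias is for without opening the spec.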