
Revision 210c5ad1

Added by Julian Todt almost 6 years ago

Refs #24012 - Add PuppetCA providers settings


README.md
| Module version | Proxy versions | Notes |
|----------------|----------------|-------------------------------------------------|
| 5.x | 1.16 and newer | |
| 5.x | 1.16 and newer | See compatibility notes here for 1.16-1.18 |
| 4.x | 1.12 - 1.17 | See compatibility notes in its README for 1.15+ |
| 3.x | 1.11 | |
| 2.x | 1.5 - 1.10 | |
| 1.x | 1.4 and older | |
### Compatibility notes for Smart Proxy < 1.18
On Smart Proxy 1.16, 1.17 & 1.18, also set
```puppet
puppetca_modular => false,
```
to ensure that it only uses the `puppetca.yml` configuration not the provider settings files.
## Examples
### Minimal setup for Puppet/PuppetCA Smart Proxy
manifests/config.pp
feature => 'Puppet CA',
listen_on => $::foreman_proxy::puppetca_listen_on,
}
if $::foreman_proxy::puppetca_modular {
foreman_proxy::settings_file { [
'puppetca_hostname_whitelisting',
]:
module => false,
}
}
foreman_proxy::settings_file { 'realm':
enabled => $::foreman_proxy::realm,
feature => 'Realm',
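Review bot: The modular branch manages only `'puppetca_hostname_whitelisting'` in the settings_file array, while init.pp in this same commit lets `$puppetca_provider` select `puppetca_token_whitelisting`; with that choice puppetca.yml would point `:use_provider:` at a provider whose settings file this module never writes, and only a hostname_whitelisting template appears to ship here. Either key the managed settings file on the selected provider, or reject the unsupported value early, e.g. `fail("puppetca_provider '${::foreman_proxy::puppetca_provider}' is not supported by this module")` inside the `if $::foreman_proxy::puppetca_modular` branch when it is not `puppetca_hostname_whitelisting`. The enclosing class body starts and ends outside the hunk, so I cannot see whether such a guard already exists elsewhere.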
manifests/init.pp
#
# $puppet_group:: Groups of Foreman proxy user
#
# $autosignfile:: Path to the autosign file
# $autosignfile:: Hostname-Whitelisting only: Location of puppets autosign.conf
#
# $manage_puppet_group:: Whether to ensure the $puppet_group exists. Also ensures group owner of ssl keys and certs is $puppet_group
# Not applicable when ssl is false.
......
#
# $dhcp_manage_acls:: Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750.
#
# $puppetca_modular:: Whether the PuppetCa implementation is modular. This is true for 1.19 or later.
#
# $puppetca_provider:: Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
#
class foreman_proxy (
String $repo = $::foreman_proxy::params::repo,
Boolean $gpgcheck = $::foreman_proxy::params::gpgcheck,
......
Stdlib::Absolutepath $puppetdir = $::foreman_proxy::params::puppetdir,
String $puppetca_cmd = $::foreman_proxy::params::puppetca_cmd,
String $puppet_group = $::foreman_proxy::params::puppet_group,
Boolean $puppetca_modular = $::foreman_proxy::params::puppetca_modular,
String $puppetca_provider = $::foreman_proxy::params::puppetca_provider,
Stdlib::Absolutepath $autosignfile = $::foreman_proxy::params::autosignfile,
Boolean $manage_puppet_group = $::foreman_proxy::params::manage_puppet_group,
Boolean $puppet = $::foreman_proxy::params::puppet,
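Review bot: `String $puppetca_provider` accepts any value, yet the parameter doc in the same hunk limits it to two provider names and the value is written verbatim into puppetca.yml as `:use_provider:` by templates/puppetca.yml.erb, so a typo silently configures the proxy with a provider that does not exist. Tightening the type catches that at catalog compile time: `Enum['puppetca_hostname_whitelisting', 'puppetca_token_whitelisting'] $puppetca_provider = $::foreman_proxy::params::puppetca_provider,`. The doc line reads "Whether to use …" but the parameter selects one of two values; `# $puppetca_provider:: Which PuppetCA provider to use: puppetca_hostname_whitelisting or puppetca_token_whitelisting` states it more precisely. The class parameter list continues outside the hunk.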
manifests/params.pp
$puppet_api_timeout = 30
# puppetca settings
$puppetca = true
$puppetca_listen_on = 'https'
$puppetca_cmd = "${puppet_cmd} cert"
$puppet_group = 'puppet'
$autosignfile = "${puppetdir}/autosign.conf"
$puppetca = true
$puppetca_modular = true
$puppetca_provider = 'puppetca_hostname_whitelisting'
$puppetca_listen_on = 'https'
$puppetca_cmd = "${puppet_cmd} cert"
$puppet_group = 'puppet'
$autosignfile = "${puppetdir}/autosign.conf"
# The puppet-agent package, (puppet 4 AIO) doesn't create a puppet group
$manage_puppet_group = versioncmp($::puppetversion, '4.0') > 0
spec/classes/foreman_proxy__config__spec.rb
'settings.d/dns_nsupdate.yml', 'settings.d/dns_nsupdate_gss.yml',
'settings.d/dns_libvirt.yml', 'settings.d/dhcp.yml', 'settings.d/dhcp_isc.yml',
'settings.d/dhcp_libvirt.yml', 'settings.d/logs.yml', 'settings.d/puppet.yml',
'settings.d/puppetca.yml', 'settings.d/puppet_proxy_customrun.yml',
'settings.d/puppetca.yml', 'settings.d/puppetca_hostname_whitelisting.yml',
'settings.d/puppet_proxy_customrun.yml',
'settings.d/puppet_proxy_legacy.yml', 'settings.d/puppet_proxy_mcollective.yml',
'settings.d/puppet_proxy_puppet_api.yml', 'settings.d/puppet_proxy_puppetrun.yml',
'settings.d/puppet_proxy_salt.yml', 'settings.d/puppet_proxy_ssh.yml',
......
verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
'---',
':enabled: https',
':use_provider: puppetca_hostname_whitelisting',
":ssldir: #{ssl_dir}",
])
end
it 'should generate correct puppetca_hostname_whitelisting.yml' do
verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml", [
'---',
":autosignfile: #{puppet_etc_dir}/autosign.conf",
])
end
......
end
end
context 'using the non-modular legacy puppetca' do
let :pre_condition do
'class { "foreman_proxy":
puppetca_modular => false,
autosignfile => "/bar/baz.conf",
}'
end
it 'should generate correct puppetca.yml' do
verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
'---',
':enabled: https',
":ssldir: #{ssl_dir}",
":autosignfile: /bar/baz.conf",
])
end
it 'should not generate a puppetca_hostname_whitelisting' do
should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_hostname_whitelisting")
end
end
context 'when puppetrun_provider and puppetrun_cmd set' do
let :pre_condition do
'class { "foreman_proxy":
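Review bot: The negative assertion in the 'should not generate a puppetca_hostname_whitelisting' example checks `settings.d/puppet_hostname_whitelisting`, a path this module never writes under any setting — the positive example above verifies `settings.d/puppetca_hostname_whitelisting.yml` — so it passes vacuously and would not catch the legacy branch still emitting the provider file. Change it to `should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml")`. The trailing `context 'when puppetrun_provider and puppetrun_cmd set'` hunk is cut off after `let :pre_condition do`, so its body is not reviewed here.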
templates/puppetca.yml.erb
# PuppetCA management
:enabled: <%= @module_enabled %>
:ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
<% if scope.lookupvar("foreman_proxy::puppetca_modular") -%>
:use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
<% else -%>
:autosignfile: <%= scope.lookupvar("foreman_proxy::autosignfile") %>
<% end -%>
templates/puppetca_hostname_whitelisting.yml.erb
---
#
# Configuration of the PuppetCA hostname_whitelisting provider
#
:autosignfile: <%= scope.lookupvar('foreman_proxy::autosignfile') %>
