Revision 210c5ad1
Added by Julian Todt almost 6 years ago
README.md | ||
|
||
| Module version | Proxy versions | Notes |
|
||
|----------------|----------------|-------------------------------------------------|
|
||
| 5.x | 1.16 and newer | |
|
||
| 5.x | 1.16 and newer | See compatibility notes here for 1.16-1.18 |
|
||
| 4.x | 1.12 - 1.17 | See compatibility notes in its README for 1.15+ |
|
||
| 3.x | 1.11 | |
|
||
| 2.x | 1.5 - 1.10 | |
|
||
| 1.x | 1.4 and older | |
|
||
|
||
### Compatibility notes for Smart Proxy < 1.18
|
||
|
||
On Smart Proxy 1.16, 1.17 & 1.18, also set
|
||
|
||
```puppet
|
||
puppetca_modular => false,
|
||
```
|
||
|
||
to ensure that it only uses the `puppetca.yml` configuration not the provider settings files.
|
||
|
||
|
||
## Examples
|
||
|
||
### Minimal setup for Puppet/PuppetCA Smart Proxy
|
manifests/config.pp | ||
feature => 'Puppet CA',
|
||
listen_on => $::foreman_proxy::puppetca_listen_on,
|
||
}
|
||
if $::foreman_proxy::puppetca_modular {
|
||
foreman_proxy::settings_file { [
|
||
'puppetca_hostname_whitelisting',
|
||
]:
|
||
module => false,
|
||
}
|
||
}
|
||
foreman_proxy::settings_file { 'realm':
|
||
enabled => $::foreman_proxy::realm,
|
||
feature => 'Realm',
|
manifests/init.pp | ||
#
|
||
# $puppet_group:: Groups of Foreman proxy user
|
||
#
|
||
# $autosignfile:: Path to the autosign file
|
||
# $autosignfile:: Hostname-Whitelisting only: Location of puppets autosign.conf
|
||
#
|
||
# $manage_puppet_group:: Whether to ensure the $puppet_group exists. Also ensures group owner of ssl keys and certs is $puppet_group
|
||
# Not applicable when ssl is false.
|
||
... | ... | |
#
|
||
# $dhcp_manage_acls:: Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750.
|
||
#
|
||
# $puppetca_modular:: Whether the PuppetCa implementation is modular. This is true for 1.19 or later.
|
||
#
|
||
# $puppetca_provider:: Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
|
||
#
|
||
class foreman_proxy (
|
||
String $repo = $::foreman_proxy::params::repo,
|
||
Boolean $gpgcheck = $::foreman_proxy::params::gpgcheck,
|
||
... | ... | |
Stdlib::Absolutepath $puppetdir = $::foreman_proxy::params::puppetdir,
|
||
String $puppetca_cmd = $::foreman_proxy::params::puppetca_cmd,
|
||
String $puppet_group = $::foreman_proxy::params::puppet_group,
|
||
Boolean $puppetca_modular = $::foreman_proxy::params::puppetca_modular,
|
||
String $puppetca_provider = $::foreman_proxy::params::puppetca_provider,
|
||
Stdlib::Absolutepath $autosignfile = $::foreman_proxy::params::autosignfile,
|
||
Boolean $manage_puppet_group = $::foreman_proxy::params::manage_puppet_group,
|
||
Boolean $puppet = $::foreman_proxy::params::puppet,
|
manifests/params.pp | ||
$puppet_api_timeout = 30
|
||
|
||
# puppetca settings
|
||
$puppetca = true
|
||
$puppetca_listen_on = 'https'
|
||
$puppetca_cmd = "${puppet_cmd} cert"
|
||
$puppet_group = 'puppet'
|
||
$autosignfile = "${puppetdir}/autosign.conf"
|
||
$puppetca = true
|
||
$puppetca_modular = true
|
||
$puppetca_provider = 'puppetca_hostname_whitelisting'
|
||
$puppetca_listen_on = 'https'
|
||
$puppetca_cmd = "${puppet_cmd} cert"
|
||
$puppet_group = 'puppet'
|
||
$autosignfile = "${puppetdir}/autosign.conf"
|
||
|
||
# The puppet-agent package, (puppet 4 AIO) doesn't create a puppet group
|
||
$manage_puppet_group = versioncmp($::puppetversion, '4.0') > 0
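Review bot: `$puppetca_modular = true` carries no hint of which Smart Proxy versions it is correct for, while the class doc says it applies to 1.19 or later and the README asks 1.16–1.18 users to override it; a comment at the default, `$puppetca_modular = true # Smart Proxy >= 1.19; set to false for 1.16-1.18 (see README)`, keeps that knowledge next to the value. With the default left at true on an older proxy, `:autosignfile:` is no longer written to puppetca.yml and only the provider file carries it, which the README suggests such proxies ignore, so the misconfiguration is silent at catalog time. The params class continues outside the hunk.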
|
spec/classes/foreman_proxy__config__spec.rb | ||
'settings.d/dns_nsupdate.yml', 'settings.d/dns_nsupdate_gss.yml',
|
||
'settings.d/dns_libvirt.yml', 'settings.d/dhcp.yml', 'settings.d/dhcp_isc.yml',
|
||
'settings.d/dhcp_libvirt.yml', 'settings.d/logs.yml', 'settings.d/puppet.yml',
|
||
'settings.d/puppetca.yml', 'settings.d/puppet_proxy_customrun.yml',
|
||
'settings.d/puppetca.yml', 'settings.d/puppetca_hostname_whitelisting.yml',
|
||
'settings.d/puppet_proxy_customrun.yml',
|
||
'settings.d/puppet_proxy_legacy.yml', 'settings.d/puppet_proxy_mcollective.yml',
|
||
'settings.d/puppet_proxy_puppet_api.yml', 'settings.d/puppet_proxy_puppetrun.yml',
|
||
'settings.d/puppet_proxy_salt.yml', 'settings.d/puppet_proxy_ssh.yml',
|
||
... | ... | |
verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
|
||
'---',
|
||
':enabled: https',
|
||
':use_provider: puppetca_hostname_whitelisting',
|
||
":ssldir: #{ssl_dir}",
|
||
])
|
||
end
|
||
|
||
it 'should generate correct puppetca_hostname_whitelisting.yml' do
|
||
verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml", [
|
||
'---',
|
||
":autosignfile: #{puppet_etc_dir}/autosign.conf",
|
||
])
|
||
end
|
||
... | ... | |
end
|
||
end
|
||
|
||
context 'using the non-modular legacy puppetca' do
|
||
let :pre_condition do
|
||
'class { "foreman_proxy":
|
||
puppetca_modular => false,
|
||
autosignfile => "/bar/baz.conf",
|
||
}'
|
||
end
|
||
|
||
it 'should generate correct puppetca.yml' do
|
||
verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
|
||
'---',
|
||
':enabled: https',
|
||
":ssldir: #{ssl_dir}",
|
||
":autosignfile: /bar/baz.conf",
|
||
])
|
||
end
|
||
|
||
it 'should not generate a puppetca_hostname_whitelisting' do
|
||
should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_hostname_whitelisting")
|
||
end
|
||
end
|
||
|
||
context 'when puppetrun_provider and puppetrun_cmd set' do
|
||
let :pre_condition do
|
||
'class { "foreman_proxy":
|
templates/puppetca.yml.erb | ||
# PuppetCA management
|
||
:enabled: <%= @module_enabled %>
|
||
:ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
|
||
<% if scope.lookupvar("foreman_proxy::puppetca_modular") -%>
|
||
:use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
|
||
<% else -%>
|
||
:autosignfile: <%= scope.lookupvar("foreman_proxy::autosignfile") %>
|
||
<% end -%>
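Review bot: `:use_provider:` emits the provider name as an unquoted YAML scalar, so a `$puppetca_provider` value containing YAML-significant characters (`:`, `#`, leading `*`/`&`) is likely to corrupt the whole settings file rather than fail cleanly, and nothing in this hunk restricts the value. Quoting the interpolation, `:use_provider: '<%= scope.lookupvar("foreman_proxy::puppetca_provider") %>'`, limits the damage to a bad provider name; validating the parameter with an Enum in init.pp is the stronger fix. The same reasoning applies to the `:ssldir:` and `:autosignfile:` paths on the lines above.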
|
templates/puppetca_hostname_whitelisting.yml.erb | ||
---
|
||
#
|
||
# Configuration of the PuppetCA hostname_whitelisting provider
|
||
#
|
||
|
||
:autosignfile: <%= scope.lookupvar('foreman_proxy::autosignfile') %>
|
Refs #24012 - Add PuppetCA providers settings