Revision b7eab059
Added by Michael Moll over 8 years ago
manifests/config.pp | ||
---|---|---|
|
||
user { $foreman_proxy::user:
|
||
ensure => 'present',
|
||
shell => '/bin/false',
|
||
shell => $::foreman_proxy::shell,
|
||
comment => 'Foreman Proxy account',
|
||
groups => $groups,
|
||
home => $foreman_proxy::dir,
|
||
... | ... | |
}
|
||
|
||
foreman_proxy::settings_file { 'settings':
|
||
path => '/etc/foreman-proxy/settings.yml',
|
||
path => "${::foreman_proxy::etc}/foreman-proxy/settings.yml",
|
||
module => false,
|
||
}
|
||
|
||
... | ... | |
if $foreman_proxy::puppetca or $foreman_proxy::puppetrun {
|
||
if $foreman_proxy::use_sudoersd {
|
||
if $foreman_proxy::manage_sudoersd {
|
||
file { '/etc/sudoers.d':
|
||
file { "${::foreman_proxy::sudoers}.d":
|
||
ensure => directory,
|
||
}
|
||
}
|
||
|
||
file { '/etc/sudoers.d/foreman-proxy':
|
||
file { "${::foreman_proxy::sudoers}.d/foreman-proxy":
|
||
ensure => file,
|
||
owner => 'root',
|
||
group => 'root',
|
||
group => 0,
|
||
mode => '0440',
|
||
content => template('foreman_proxy/sudo.erb'),
|
||
require => File['/etc/sudoers.d'],
|
||
}
|
||
} else {
|
||
augeas { 'sudo-foreman-proxy':
|
||
context => '/files/etc/sudoers',
|
||
context => "/files${::foreman_proxy::sudoers}",
|
||
changes => template('foreman_proxy/sudo_augeas.erb'),
|
||
}
|
||
}
|
||
... | ... | |
file { $foreman_proxy::puppet_cache_location:
|
||
ensure => directory,
|
||
owner => $foreman_proxy::user,
|
||
group => 'root',
|
||
group => 0,
|
||
mode => '0750',
|
||
}
|
||
}
|
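Review bot: The sudoers fragment resource `file { "${::foreman_proxy::sudoers}.d/foreman-proxy":` still carries the literal `require => File['/etc/sudoers.d'],` while the directory resource a few lines above is now titled `"${::foreman_proxy::sudoers}.d"`; with any non-default `$sudoers` (which this commit derives from `$etc` in params.pp) the catalog fails on a dangling resource reference. Change it to `require => File["${::foreman_proxy::sudoers}.d"],`. The spec in spec/classes/foreman_proxy__config__spec.rb pins the same literal in `:require => 'File[/etc/sudoers.d]'`, which only passes because the default `$etc` is `/etc`; a context with a non-default `etc` would have caught the mismatch. The enclosing `if $foreman_proxy::puppetca or $foreman_proxy::puppetrun` block and the class itself start outside the hunks shown.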
manifests/params.pp | ||
---|---|---|
include ::tftp::params
|
||
include ::puppet::params
|
||
|
||
case $::osfamily {
|
||
'RedHat': {
|
||
$plugin_prefix = 'rubygem-smart_proxy_'
|
||
$foreman_api_package = 'rubygem-apipie-bindings'
|
||
|
||
$dir = '/usr/share/foreman-proxy'
|
||
$etc = '/etc'
|
||
$shell = '/bin/false'
|
||
$user = 'foreman-proxy'
|
||
|
||
$puppetssh_command = '/usr/bin/puppet agent --onetime --no-usecacheonfailure'
|
||
|
||
$dhcp_config = '/etc/dhcp/dhcpd.conf'
|
||
$dhcp_leases = '/var/lib/dhcpd/dhcpd.leases'
|
||
|
||
$keyfile = '/etc/rndc.key'
|
||
$nsupdate = 'bind-utils'
|
||
|
||
$tftp_syslinux_filenames = ['/usr/share/syslinux/chain.c32',
|
||
'/usr/share/syslinux/menu.c32',
|
||
'/usr/share/syslinux/memdisk',
|
||
'/usr/share/syslinux/pxelinux.0']
|
||
}
|
||
'Debian': {
|
||
$plugin_prefix = 'ruby-smart-proxy-'
|
||
$foreman_api_package = 'ruby-apipie-bindings'
|
||
|
||
$dir = '/usr/share/foreman-proxy'
|
||
$etc = '/etc'
|
||
$shell = '/bin/false'
|
||
$user = 'foreman-proxy'
|
||
|
||
$puppetssh_command = '/usr/bin/puppet agent --onetime --no-usecacheonfailure'
|
||
|
||
$dhcp_config = '/etc/dhcp/dhcpd.conf'
|
||
$dhcp_leases = '/var/lib/dhcp/dhcpd.leases'
|
||
|
||
$keyfile = '/etc/bind/rndc.key'
|
||
$nsupdate = 'dnsutils'
|
||
if ($::operatingsystem == 'Debian') and (versioncmp($::operatingsystemrelease, '8.0') >= 0) or
|
||
($::operatingsystem == 'Ubuntu') and (versioncmp($::operatingsystemrelease, '14.10') >= 0) {
|
||
$tftp_syslinux_filenames = ['/usr/lib/PXELINUX/pxelinux.0',
|
||
'/usr/lib/syslinux/memdisk',
|
||
'/usr/lib/syslinux/modules/bios/chain.c32',
|
||
'/usr/lib/syslinux/modules/bios/ldlinux.c32',
|
||
'/usr/lib/syslinux/modules/bios/libutil.c32',
|
||
'/usr/lib/syslinux/modules/bios/menu.c32']
|
||
} else {
|
||
$tftp_syslinux_filenames = ['/usr/lib/syslinux/chain.c32',
|
||
'/usr/lib/syslinux/menu.c32',
|
||
'/usr/lib/syslinux/memdisk',
|
||
'/usr/lib/syslinux/pxelinux.0']
|
||
}
|
||
}
|
||
default: {
|
||
fail("${::hostname}: This module does not support osfamily ${::osfamily}")
|
||
}
|
||
}
|
||
|
||
# Packaging
|
||
$repo = 'stable'
|
||
$gpgcheck = true
|
||
$repo = 'stable'
|
||
$gpgcheck = true
|
||
# if set to true, no repo will be added by this module, letting you to
|
||
# set it to some custom location.
|
||
$custom_repo = false
|
||
$version = 'present'
|
||
$custom_repo = false
|
||
$version = 'present'
|
||
$plugin_version = 'installed'
|
||
|
||
# variables
|
||
$bind_host = '*'
|
||
$port = undef # deprecated in favor of $ssl_port/$http_port
|
||
$dir = '/usr/share/foreman-proxy'
|
||
$user = 'foreman-proxy'
|
||
$log = '/var/log/foreman-proxy/proxy.log'
|
||
$log_level = 'ERROR'
|
||
$port = undef # deprecated in favor of $ssl_port/$http_port
|
||
$log = '/var/log/foreman-proxy/proxy.log'
|
||
$log_level = 'ERROR'
|
||
|
||
$puppet_home = $puppet::params::vardir
|
||
|
||
# Enable listening on http
|
||
$http = false
|
||
$http = false
|
||
$http_port = '8000'
|
||
|
||
# Enable SSL, ensure proxy is added with "https://" protocol if true
|
||
$ssl = true
|
||
$ssl = true
|
||
$ssl_port = '8443'
|
||
# If CA is specified, remote Foreman host will be verified
|
||
$ssl_ca = "${puppet_home}/ssl/certs/ca.pem"
|
||
# Used to communicate to Foreman
|
||
$ssl_cert = "${puppet_home}/ssl/certs/${::fqdn}.pem"
|
||
$ssl_key = "${puppet_home}/ssl/private_keys/${::fqdn}.pem"
|
||
$ssl_key = "${puppet_home}/ssl/private_keys/${::fqdn}.pem"
|
||
|
||
$foreman_ssl_ca = undef
|
||
$foreman_ssl_ca = undef
|
||
$foreman_ssl_cert = undef
|
||
$foreman_ssl_key = undef
|
||
$foreman_ssl_key = undef
|
||
|
||
# Only hosts listed will be permitted, empty array to disable authorization
|
||
$trusted_hosts = [$::fqdn]
|
||
|
||
# Whether to manage File['/etc/sudoers.d'] or not. When reusing this module,
|
||
$sudoers = "${etc}/sudoers"
|
||
|
||
# Whether to manage File["$etc/sudoers.d"] or not. When reusing this module,
|
||
# this may be disabled to let a dedicated sudo module manage it instead.
|
||
$manage_sudoersd = true
|
||
|
||
... | ... | |
$use_sudoersd = true
|
||
|
||
# puppet settings
|
||
$puppet_url = "https://${::fqdn}:8140"
|
||
$puppet_url = "https://${::fqdn}:8140"
|
||
$puppet_use_environment_api = undef
|
||
$puppet_use_cache = undef
|
||
$puppet_cache_location = '/var/cache/foreman-proxy'
|
||
|
||
# puppetca settings
|
||
$puppetca = true
|
||
$puppetca_listen_on = 'https'
|
||
$autosign_location = '/etc/puppet/autosign.conf'
|
||
$autosign_location = "${etc}/puppet/autosign.conf"
|
||
$puppetca_cmd = $puppet::params::puppetca_cmd
|
||
$puppet_group = 'puppet'
|
||
$ssldir = "${puppet_home}/ssl"
|
||
... | ... | |
$puppetrun_listen_on = 'https'
|
||
$puppetrun_cmd = $puppet::params::puppetrun_cmd
|
||
$puppetrun_provider = undef
|
||
$customrun_cmd = '/bin/false'
|
||
$customrun_cmd = $shell
|
||
$customrun_args = '-ay -f -s'
|
||
$puppetssh_sudo = false
|
||
$puppetssh_command = '/usr/bin/puppet agent --onetime --no-usecacheonfailure'
|
||
$puppetssh_user = 'root'
|
||
$puppetssh_keyfile = '/etc/foreman-proxy/id_rsa'
|
||
$puppetssh_keyfile = "${etc}/foreman-proxy/id_rsa"
|
||
$puppetssh_wait = false
|
||
$puppet_user = 'root'
|
||
$salt_puppetrun_cmd = 'puppet.run'
|
||
... | ... | |
$template_url = "http://${::fqdn}:${http_port}"
|
||
|
||
# TFTP settings - requires optional TFTP puppet module
|
||
$tftp = true
|
||
$tftp_listen_on = 'https'
|
||
$tftp = true
|
||
$tftp_listen_on = 'https'
|
||
$tftp_root = $tftp::params::root
|
||
$tftp_dirs = ["${tftp_root}/pxelinux.cfg","${tftp_root}/boot"]
|
||
$tftp_servername = undef
|
||
|
||
# TODO: remove these on the next major version bump
|
||
$tftp_syslinux_root = undef
|
||
$tftp_syslinux_files = undef
|
||
|
||
case $::osfamily {
|
||
'Debian': {
|
||
if ($::operatingsystem == 'Debian') and (versioncmp($::operatingsystemrelease, '8.0') >= 0) or
|
||
($::operatingsystem == 'Ubuntu') and (versioncmp($::operatingsystemrelease, '14.10') >= 0) {
|
||
$tftp_syslinux_filenames = ['/usr/lib/PXELINUX/pxelinux.0',
|
||
'/usr/lib/syslinux/memdisk',
|
||
'/usr/lib/syslinux/modules/bios/chain.c32',
|
||
'/usr/lib/syslinux/modules/bios/ldlinux.c32',
|
||
'/usr/lib/syslinux/modules/bios/libutil.c32',
|
||
'/usr/lib/syslinux/modules/bios/menu.c32']
|
||
} else {
|
||
$tftp_syslinux_filenames = ['/usr/lib/syslinux/chain.c32',
|
||
'/usr/lib/syslinux/menu.c32',
|
||
'/usr/lib/syslinux/memdisk',
|
||
'/usr/lib/syslinux/pxelinux.0']
|
||
}
|
||
}
|
||
default: {
|
||
$tftp_syslinux_filenames = ['/usr/share/syslinux/chain.c32',
|
||
'/usr/share/syslinux/menu.c32',
|
||
'/usr/share/syslinux/memdisk',
|
||
'/usr/share/syslinux/pxelinux.0']
|
||
}
|
||
}
|
||
$tftp_root = $tftp::params::root
|
||
$tftp_dirs = ["${tftp_root}/pxelinux.cfg","${tftp_root}/boot"]
|
||
$tftp_servername = undef
|
||
|
||
# DHCP settings - requires optional DHCP puppet module
|
||
$dhcp = false
|
||
$dhcp_listen_on = 'https'
|
||
... | ... | |
$dhcp_key_name = undef
|
||
$dhcp_key_secret = undef
|
||
$dhcp_omapi_port = 7911
|
||
|
||
# DHCP server settings
|
||
case $::osfamily {
|
||
'Debian': {
|
||
$dhcp_vendor = 'isc'
|
||
$dhcp_config = '/etc/dhcp/dhcpd.conf'
|
||
$dhcp_leases = '/var/lib/dhcp/dhcpd.leases'
|
||
}
|
||
'RedHat': {
|
||
$dhcp_vendor = 'isc'
|
||
$dhcp_config = '/etc/dhcp/dhcpd.conf'
|
||
$dhcp_leases = '/var/lib/dhcpd/dhcpd.leases'
|
||
}
|
||
default: {
|
||
$dhcp_vendor = 'isc'
|
||
$dhcp_config = '/etc/dhcpd.conf'
|
||
$dhcp_leases = '/var/lib/dhcpd/dhcpd.leases'
|
||
}
|
||
}
|
||
$dhcp_vendor = 'isc'
|
||
|
||
# DNS settings - requires optional DNS puppet module
|
||
$dns = false
|
||
... | ... | |
# localhost can resolve to ipv6 which ruby doesn't handle well
|
||
$dns_server = '127.0.0.1'
|
||
$dns_ttl = '86400'
|
||
$dns_tsig_keytab = '/etc/foreman-proxy/dns.keytab'
|
||
$dns_tsig_keytab = "${etc}/foreman-proxy/dns.keytab"
|
||
$dns_tsig_principal = "foremanproxy/${::fqdn}@${dns_realm}"
|
||
case $::osfamily {
|
||
'Debian': {
|
||
$keyfile = '/etc/bind/rndc.key'
|
||
$nsupdate = 'dnsutils'
|
||
}
|
||
default: {
|
||
$keyfile = '/etc/rndc.key'
|
||
$nsupdate = 'bind-utils'
|
||
}
|
||
}
|
||
|
||
$dns_forwarders = []
|
||
|
||
... | ... | |
$realm = false
|
||
$realm_listen_on = 'https'
|
||
$realm_provider = 'freeipa'
|
||
$realm_keytab = '/etc/foreman-proxy/freeipa.keytab'
|
||
$realm_keytab = "${etc}/foreman-proxy/freeipa.keytab"
|
||
$realm_principal = 'realm-proxy@EXAMPLE.COM'
|
||
$freeipa_remove_dns = true
|
||
|
||
... | ... | |
$oauth_effective_user = 'admin'
|
||
# OAuth credentials
|
||
# shares cached_data with the foreman module so they're the same
|
||
$oauth_consumer_key = cache_data('oauth_consumer_key', random_password(32))
|
||
$oauth_consumer_key = cache_data('oauth_consumer_key', random_password(32))
|
||
$oauth_consumer_secret = cache_data('oauth_consumer_secret', random_password(32))
|
||
|
||
$foreman_api_package = $::osfamily ? {
|
||
'Debian' => 'ruby-apipie-bindings',
|
||
default => 'rubygem-apipie-bindings',
|
||
}
|
||
|
||
case $::osfamily {
|
||
'RedHat': {
|
||
$plugin_prefix = 'rubygem-smart_proxy_'
|
||
}
|
||
'Debian': {
|
||
$plugin_prefix = 'ruby-smart-proxy-'
|
||
}
|
||
default: {
|
||
$plugin_prefix = 'smart_proxy_'
|
||
}
|
||
}
|
||
|
||
$puppet_use_cache = undef
|
||
$puppet_cache_location = '/var/cache/foreman-proxy'
|
||
}
|
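Review bot: `$customrun_cmd = $shell` silently ties the default custom puppetrun command to the service account's login shell; both happen to be `/bin/false` today, but a future OS branch that sets `$shell` to a different no-login binary would change the customrun default as a side effect, and nothing in the file says that is intended. Either keep the literal `$customrun_cmd = '/bin/false'` or add a comment such as `# default is a no-op binary; reuses $shell so each OS branch declares it once` so the coupling reads as deliberate. On style, the new top-level `case $::osfamily` repeats `$dir`, `$etc`, `$shell`, `$user` and `$puppetssh_command` verbatim in both the 'RedHat' and 'Debian' branches; hoisting those above the case and leaving only the values that actually differ (package names, dhcp/bind paths, syslinux files) inside would make the next OS branch smaller and harder to get wrong, which is the stated goal of this commit. The class header is outside the hunks shown.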
manifests/plugin/chef/params.pp | ||
---|---|---|
# Default parameters for the Chef smart proxy plugin
|
||
class foreman_proxy::plugin::chef::params {
|
||
include ::foreman_proxy
|
||
|
||
$enabled = true
|
||
$group = undef
|
||
$listen_on = 'https'
|
||
$version = undef
|
||
$server_url = "https://${::fqdn}"
|
||
$client_name = $::fqdn
|
||
$private_key = '/etc/chef/client.pem'
|
||
$private_key = "${foreman_proxy::etc}/chef/client.pem"
|
||
$ssl_verify = true
|
||
$ssl_pem_file = undef
|
||
}
|
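Review bot: `include ::foreman_proxy` inside the params class pulls the entire main class into the catalog with default parameters just to read `$foreman_proxy::etc` for `$private_key`; if a manifest declares `class { 'foreman_proxy': ... }` with explicit parameters after a plugin class has already been evaluated, Puppet raises a duplicate-declaration error, and the params class gains a side effect it did not have before. Including only `::foreman_proxy::params` and reading `$::foreman_proxy::params::etc` keeps the params class side-effect free. The same `include ::foreman_proxy` is added in manifests/plugin/salt/params.pp. Whether the main class is always declared before the plugin classes in this module is not visible here, so treat the ordering hazard as an inference to confirm.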
manifests/plugin/salt/params.pp | ||
---|---|---|
# Default parameters for the Salt smart proxy plugin
|
||
class foreman_proxy::plugin::salt::params {
|
||
$enabled = true
|
||
$listen_on = 'https'
|
||
$autosign_file = '/etc/salt/autosign.conf'
|
||
$user = 'root'
|
||
$group = undef
|
||
include ::foreman_proxy
|
||
|
||
$api = false
|
||
$api_url = 'https://localhost:8080'
|
||
$api_auth = 'pam'
|
||
$api_username = 'saltuser'
|
||
$api_password = 'saltpassword'
|
||
$enabled = true
|
||
$listen_on = 'https'
|
||
$autosign_file = "${foreman_proxy::etc}/salt/autosign.conf"
|
||
$user = 'root'
|
||
$group = undef
|
||
|
||
$api = false
|
||
$api_url = 'https://localhost:8080'
|
||
$api_auth = 'pam'
|
||
$api_username = 'saltuser'
|
||
$api_password = 'saltpassword'
|
||
}
|
manifests/settings_file.pp | ||
---|---|---|
$module = true,
|
||
$enabled = true,
|
||
$listen_on = 'https',
|
||
$path = "/etc/foreman-proxy/settings.d/${title}.yml",
|
||
$path = "${::foreman_proxy::etc}/foreman-proxy/settings.d/${title}.yml",
|
||
$owner = 'root',
|
||
$group = $::foreman_proxy::user,
|
||
$mode = '0640',
|
spec/classes/foreman_proxy__config__spec.rb | ||
---|---|---|
should contain_file('/etc/sudoers.d/foreman-proxy').with({
|
||
:ensure => 'file',
|
||
:owner => 'root',
|
||
:group => 'root',
|
||
:group => 0,
|
||
:mode => '0440',
|
||
:require => 'File[/etc/sudoers.d]',
|
||
})
|
||
|
||
verify_exact_contents(catalogue, '/etc/sudoers.d/foreman-proxy', [
|
spec/classes/foreman_proxy__plugin__chef__spec.rb | ||
---|---|---|
require 'spec_helper'
|
||
|
||
describe 'foreman_proxy::plugin::chef' do
|
||
on_supported_os.each do |os, facts|
|
||
context "on #{os}" do
|
||
context 'chef plugin is enabled' do
|
||
let :params do
|
||
{
|
||
:enabled => true
|
||
}
|
||
end
|
||
|
||
it 'should call the plugin' do
|
||
should contain_foreman_proxy__plugin('chef')
|
||
end
|
||
|
||
it 'should install configuration file' do
|
||
should contain_foreman_proxy__settings_file('chef')
|
||
should contain_file('/etc/foreman-proxy/settings.d/chef.yml').with_content(/:enabled: true/)
|
||
end
|
||
end
|
||
|
||
context 'chef plugin is disabled' do
|
||
let :params do
|
||
{
|
||
:enabled => false
|
||
}
|
||
end
|
||
|
||
it 'should call the plugin' do
|
||
should contain_foreman_proxy__plugin('chef')
|
||
end
|
||
|
||
it 'should install configuration file' do
|
||
should contain_foreman_proxy__settings_file('chef')
|
||
should contain_file('/etc/foreman-proxy/settings.d/chef.yml').with_content(/:enabled: false/)
|
||
end
|
||
end
|
||
let :facts do
|
||
on_supported_os['redhat-6-x86_64']
|
||
end
|
||
|
||
let :pre_condition do
|
||
"include foreman_proxy"
|
||
end
|
||
|
||
context 'chef plugin is enabled' do
|
||
let :params do
|
||
{
|
||
:enabled => true
|
||
}
|
||
end
|
||
|
||
it 'should call the plugin' do
|
||
should contain_foreman_proxy__plugin('chef')
|
||
end
|
||
|
||
it 'should install configuration file' do
|
||
should contain_foreman_proxy__settings_file('chef')
|
||
should contain_file('/etc/foreman-proxy/settings.d/chef.yml').with_content(/:enabled: true/)
|
||
end
|
||
end
|
||
|
||
context 'chef plugin is disabled' do
|
||
let :params do
|
||
{
|
||
:enabled => false
|
||
}
|
||
end
|
||
|
||
it 'should call the plugin' do
|
||
should contain_foreman_proxy__plugin('chef')
|
||
end
|
||
|
||
it 'should install configuration file' do
|
||
should contain_foreman_proxy__settings_file('chef')
|
||
should contain_file('/etc/foreman-proxy/settings.d/chef.yml').with_content(/:enabled: false/)
|
||
end
|
||
end
|
||
end
|
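Review bot: The refactored spec pins facts to `on_supported_os['redhat-6-x86_64']` only, so the `${foreman_proxy::etc}`-derived path asserted as `/etc/foreman-proxy/settings.d/chef.yml` is exercised solely on the branch where `$etc` is `/etc`; the Debian branch of the new top-level case in params.pp gets no coverage, and the same narrowing applies to spec/classes/foreman_proxy__plugin__openscap_spec.rb. A second facts context using a Debian entry from `on_supported_os`, or iterating `on_supported_os.each` with `let(:facts) { facts }`, would catch a wrong interpolation on the other branch. The `let :pre_condition do "include foreman_proxy" end` looks redundant now that `foreman_proxy::plugin::chef::params` includes the main class itself, though that depends on how the plugin class is declared, which is not visible here.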
spec/classes/foreman_proxy__plugin__openscap_spec.rb | ||
---|---|---|
require 'spec_helper'
|
||
|
||
describe 'foreman_proxy::plugin::openscap' do
|
||
on_supported_os.each do |os, facts|
|
||
context "on #{os}" do
|
||
context 'openscap plugin is enabled' do
|
||
let :params do
|
||
{
|
||
:enabled => true
|
||
}
|
||
end
|
||
|
||
it 'should call the plugin' do
|
||
should contain_foreman_proxy__plugin('openscap')
|
||
end
|
||
|
||
it 'should install configuration file' do
|
||
should contain_foreman_proxy__settings_file('openscap')
|
||
content = catalogue.resource('file', '/etc/foreman-proxy/settings.d/openscap.yml').send(:parameters)[:content]
|
||
content.split("\n").reject { |c| c =~ /(^#|^$)/ }.should == [
|
||
'---',
|
||
':enabled: https',
|
||
':openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log',
|
||
":spooldir: /var/spool/foreman-proxy/openscap",
|
||
]
|
||
end
|
||
end
|
||
|
||
context 'openscap plugin is disabled' do
|
||
let :params do
|
||
{
|
||
:enabled => false
|
||
}
|
||
end
|
||
|
||
it 'should call the plugin' do
|
||
should contain_foreman_proxy__plugin('openscap')
|
||
end
|
||
|
||
it 'should install configuration file' do
|
||
should contain_foreman_proxy__settings_file('openscap')
|
||
content = catalogue.resource('file', '/etc/foreman-proxy/settings.d/openscap.yml').send(:parameters)[:content]
|
||
content.split("\n").reject { |c| c =~ /(^#|^$)/ }.should == [
|
||
'---',
|
||
':enabled: false',
|
||
':openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log',
|
||
":spooldir: /var/spool/foreman-proxy/openscap",
|
||
]
|
||
end
|
||
end
|
||
let :facts do
|
||
on_supported_os['redhat-6-x86_64']
|
||
end
|
||
|
||
let :pre_condition do
|
||
"include foreman_proxy"
|
||
end
|
||
|
||
context 'openscap plugin is enabled' do
|
||
let :params do
|
||
{
|
||
:enabled => true
|
||
}
|
||
end
|
||
|
||
it 'should call the plugin' do
|
||
should contain_foreman_proxy__plugin('openscap')
|
||
end
|
||
|
||
it 'should install configuration file' do
|
||
should contain_foreman_proxy__settings_file('openscap')
|
||
verify_exact_contents(catalogue, '/etc/foreman-proxy/settings.d/openscap.yml', [
|
||
'---',
|
||
':enabled: https',
|
||
':openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log',
|
||
":spooldir: /var/spool/foreman-proxy/openscap",
|
||
])
|
||
end
|
||
end
|
||
|
||
context 'openscap plugin is disabled' do
|
||
let :params do
|
||
{
|
||
:enabled => false
|
||
}
|
||
end
|
||
|
||
it 'should call the plugin' do
|
||
should contain_foreman_proxy__plugin('openscap')
|
||
end
|
||
|
||
it 'should install configuration file' do
|
||
should contain_foreman_proxy__settings_file('openscap')
|
||
verify_exact_contents(catalogue, '/etc/foreman-proxy/settings.d/openscap.yml', [
|
||
'---',
|
||
':enabled: false',
|
||
':openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log',
|
||
":spooldir: /var/spool/foreman-proxy/openscap",
|
||
])
|
||
end
|
||
end
|
||
end
|
templates/settings.yml.erb | ||
---|---|---|
### File managed with puppet ###
|
||
## Module: '<%= scope.to_hash['module_name'] %>'
|
||
|
||
:settings_directory: /etc/foreman-proxy/settings.d
|
||
:settings_directory: <%= scope.lookupvar("foreman_proxy::etc") -%>/foreman-proxy/settings.d
|
||
|
||
# SSL Setup
|
||
<% ssl = scope.lookupvar("foreman_proxy::real_ssl") -%>
|
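Review bot: The `-%>` on the new `:settings_directory:` line is mid-line and followed by `/foreman-proxy/settings.d`, so the trailing-newline trim it requests never applies and a reader may assume whitespace handling is deliberate; `<%= scope.lookupvar("foreman_proxy::etc") %>/foreman-proxy/settings.d` renders identically and is clearer. Because the looked-up value is written straight into YAML, a `$etc` containing YAML-significant characters would corrupt the settings file; a short comment stating that `$etc` must be a plain absolute path, or quoting the rendered value, would make that constraint visible next to the template line.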
prepare support for more OSes & refactor few tests