Refs #24012 - Add PuppetCA providers settings

README.md

@@ -9,12 +9,23 @@ Part of the Foreman installer: <https://github.com/theforeman/foreman-installer>
 
 | Module version | Proxy versions | Notes                                           |
 |----------------|----------------|-------------------------------------------------|
-| 5.x            | 1.16 and newer |                                                 |
+| 5.x            | 1.16 and newer | See compatibility notes here for 1.16-1.18      |
 | 4.x            | 1.12 - 1.17    | See compatibility notes in its README for 1.15+ |
 | 3.x            | 1.11           |                                                 |
 | 2.x            | 1.5 - 1.10     |                                                 |
 | 1.x            | 1.4 and older  |                                                 |
 
+### Compatibility notes for Smart Proxy < 1.18
+
+On Smart Proxy 1.16, 1.17 & 1.18, also set
+
+```puppet
+puppetca_modular => false,
+```
+
+to ensure that it only uses the `puppetca.yml` configuration not the provider settings files.
+
+
 ## Examples
 
 ### Minimal setup for Puppet/PuppetCA Smart Proxy

manifests/config.pp

@@ -87,6 +87,13 @@
     feature   => 'Puppet CA',
     listen_on => $::foreman_proxy::puppetca_listen_on,
   }
+  if $::foreman_proxy::puppetca_modular {
+    foreman_proxy::settings_file { [
+        'puppetca_hostname_whitelisting',
+      ]:
+        module => false,
+    }
+  }
   foreman_proxy::settings_file { 'realm':
     enabled   => $::foreman_proxy::realm,
     feature   => 'Realm',

manifests/init.pp

@@ -81,7 +81,7 @@
 #
 # $puppet_group::               Groups of Foreman proxy user
 #
-# $autosignfile::               Path to the autosign file
+# $autosignfile::               Hostname-Whitelisting only: Location of puppets autosign.conf
 #
 # $manage_puppet_group::        Whether to ensure the $puppet_group exists.  Also ensures group owner of ssl keys and certs is $puppet_group
 #                               Not applicable when ssl is false.
@@ -291,6 +291,10 @@
 #
 # $dhcp_manage_acls::           Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750.
 #
+# $puppetca_modular::           Whether the PuppetCa implementation is modular. This is true for 1.19 or later.
+#
+# $puppetca_provider::          Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
+#
 class foreman_proxy (
   String $repo = $::foreman_proxy::params::repo,
   Boolean $gpgcheck = $::foreman_proxy::params::gpgcheck,
@@ -328,6 +332,8 @@
   Stdlib::Absolutepath $puppetdir = $::foreman_proxy::params::puppetdir,
   String $puppetca_cmd = $::foreman_proxy::params::puppetca_cmd,
   String $puppet_group = $::foreman_proxy::params::puppet_group,
+  Boolean $puppetca_modular = $::foreman_proxy::params::puppetca_modular,
+  String $puppetca_provider = $::foreman_proxy::params::puppetca_provider,
   Stdlib::Absolutepath $autosignfile = $::foreman_proxy::params::autosignfile,
   Boolean $manage_puppet_group = $::foreman_proxy::params::manage_puppet_group,
   Boolean $puppet = $::foreman_proxy::params::puppet,

manifests/params.pp

@@ -237,11 +237,13 @@
   $puppet_api_timeout         = 30
 
   # puppetca settings
-  $puppetca           = true
-  $puppetca_listen_on = 'https'
-  $puppetca_cmd       = "${puppet_cmd} cert"
-  $puppet_group       = 'puppet'
-  $autosignfile       = "${puppetdir}/autosign.conf"
+  $puppetca              = true
+  $puppetca_modular      = true
+  $puppetca_provider     = 'puppetca_hostname_whitelisting'
+  $puppetca_listen_on    = 'https'
+  $puppetca_cmd          = "${puppet_cmd} cert"
+  $puppet_group          = 'puppet'
+  $autosignfile          = "${puppetdir}/autosign.conf"
 
   # The puppet-agent package, (puppet 4 AIO) doesn't create a puppet group
   $manage_puppet_group = versioncmp($::puppetversion, '4.0') > 0

spec/classes/foreman_proxy__config__spec.rb

@@ -82,7 +82,8 @@
             'settings.d/dns_nsupdate.yml', 'settings.d/dns_nsupdate_gss.yml',
             'settings.d/dns_libvirt.yml', 'settings.d/dhcp.yml', 'settings.d/dhcp_isc.yml',
             'settings.d/dhcp_libvirt.yml', 'settings.d/logs.yml', 'settings.d/puppet.yml',
-            'settings.d/puppetca.yml', 'settings.d/puppet_proxy_customrun.yml',
+            'settings.d/puppetca.yml', 'settings.d/puppetca_hostname_whitelisting.yml',
+            'settings.d/puppet_proxy_customrun.yml',
             'settings.d/puppet_proxy_legacy.yml', 'settings.d/puppet_proxy_mcollective.yml',
             'settings.d/puppet_proxy_puppet_api.yml', 'settings.d/puppet_proxy_puppetrun.yml',
             'settings.d/puppet_proxy_salt.yml', 'settings.d/puppet_proxy_ssh.yml',
@@ -252,7 +253,14 @@
           verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
             '---',
             ':enabled: https',
+            ':use_provider: puppetca_hostname_whitelisting',
             ":ssldir: #{ssl_dir}",
+          ])
+        end
+
+        it 'should generate correct puppetca_hostname_whitelisting.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml", [
+            '---',
             ":autosignfile: #{puppet_etc_dir}/autosign.conf",
           ])
         end
@@ -775,6 +783,28 @@
         end
       end
 
+      context 'using the non-modular legacy puppetca' do
+        let :pre_condition do
+          'class { "foreman_proxy":
+            puppetca_modular => false,
+            autosignfile => "/bar/baz.conf",
+          }'
+        end
+
+        it 'should generate correct puppetca.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
+            '---',
+            ':enabled: https',
+            ":ssldir: #{ssl_dir}",
+            ":autosignfile: /bar/baz.conf",
+          ])
+        end
+
+        it 'should not generate a puppetca_hostname_whitelisting' do
+          should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_hostname_whitelisting")
+        end
+      end
+
       context 'when puppetrun_provider and puppetrun_cmd set' do
         let :pre_condition do
           'class { "foreman_proxy":

templates/puppetca.yml.erb

@@ -2,4 +2,8 @@
 # PuppetCA management
 :enabled: <%= @module_enabled %>
 :ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+<% if scope.lookupvar("foreman_proxy::puppetca_modular") -%>
+:use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
+<% else -%>
 :autosignfile: <%= scope.lookupvar("foreman_proxy::autosignfile") %>
+<% end -%>

templates/puppetca_hostname_whitelisting.yml.erb

@@ -0,0 +1,6 @@
+---
+#
+# Configuration of the PuppetCA hostname_whitelisting provider
+#
+
+:autosignfile: <%= scope.lookupvar('foreman_proxy::autosignfile') %>