CHANGELOG.md

@@ -1,6 +1,19 @@
 # Changelog
 
-## [14.0.0](https://github.com/theforeman/puppet-puppet/tree/14.0.0) (2020-05-13)
+## [14.1.0](https://github.com/theforeman/puppet-puppet/tree/14.1.0) (2020-08-05)
+
+[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/14.0.0...14.1.0)
+
+**Implemented enhancements:**
+
+- Use server\_trusted\_agents in v4 catalog endpoint [\#756](https://github.com/theforeman/puppet-puppet/pull/756) ([alexjfisher](https://github.com/alexjfisher))
+- also allow whitelisted admin clients to clean certs [\#748](https://github.com/theforeman/puppet-puppet/pull/748) ([foxxx0](https://github.com/foxxx0))
+
+**Fixed bugs:**
+
+- Don't re-create existing CA certs [\#747](https://github.com/theforeman/puppet-puppet/pull/747) ([zipkid](https://github.com/zipkid))
+
+## [14.0.0](https://github.com/theforeman/puppet-puppet/tree/14.0.0) (2020-05-14)
 
 [Full Changelog](https://github.com/theforeman/puppet-puppet/compare/13.0.0...14.0.0)
 

HISTORY.md

@@ -1,3 +1,76 @@
+## [14.0.0](https://github.com/theforeman/puppet-puppet/tree/14.0.0) (2020-05-14)
+
+[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/13.0.0...14.0.0)
+
+**Breaking changes:**
+
+- Use modern facts [\#743](https://github.com/theforeman/puppet-puppet/issues/743)
+- Drop EOL Windows 7, 2008 R2 [\#739](https://github.com/theforeman/puppet-puppet/pull/739) ([ekohl](https://github.com/ekohl))
+- Drop Foreman API version parameters [\#736](https://github.com/theforeman/puppet-puppet/pull/736) ([ekohl](https://github.com/ekohl))
+- Refactor PuppetDB integration [\#732](https://github.com/theforeman/puppet-puppet/pull/732) ([ekohl](https://github.com/ekohl))
+
+**Implemented enhancements:**
+
+- Support Ubuntu Focal \(20.04\) [\#746](https://github.com/theforeman/puppet-puppet/pull/746) ([mmoll](https://github.com/mmoll))
+- Fixes [\#29735](https://projects.theforeman.org/issues/29735) - support el8 [\#742](https://github.com/theforeman/puppet-puppet/pull/742) ([wbclark](https://github.com/wbclark))
+- Switch AIO detection to use aio\_agent\_version fact [\#737](https://github.com/theforeman/puppet-puppet/pull/737) ([ekohl](https://github.com/ekohl))
+- Allow extlib 5.x [\#733](https://github.com/theforeman/puppet-puppet/pull/733) ([mmoll](https://github.com/mmoll))
+- Add server\_trusted\_external\_command parameter [\#731](https://github.com/theforeman/puppet-puppet/pull/731) ([baurmatt](https://github.com/baurmatt))
+- Add server\_ca\_client\_self\_delete to CA Servers [\#728](https://github.com/theforeman/puppet-puppet/pull/728) ([neilfromit](https://github.com/neilfromit))
+- implement 'versioned code' for puppetserver [\#726](https://github.com/theforeman/puppet-puppet/pull/726) ([mmoll](https://github.com/mmoll))
+
+**Closed issues:**
+
+- Systemd dependency missing [\#704](https://github.com/theforeman/puppet-puppet/issues/704)
+
+**Merged pull requests:**
+
+- Add Fedora 31, drop Fedora 26 [\#745](https://github.com/theforeman/puppet-puppet/pull/745) ([ekohl](https://github.com/ekohl))
+
+## [13.0.0](https://github.com/theforeman/puppet-puppet/tree/13.0.0) (2020-02-12)
+
+[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/12.1.0...13.0.0)
+
+**Breaking changes:**
+
+- Update cipher suites [\#721](https://github.com/theforeman/puppet-puppet/pull/721) ([mmoll](https://github.com/mmoll))
+- Drop listen parameter [\#718](https://github.com/theforeman/puppet-puppet/pull/718) ([ekohl](https://github.com/ekohl))
+
+**Implemented enhancements:**
+
+- Add server\_multithreaded parameter [\#720](https://github.com/theforeman/puppet-puppet/pull/720) ([alexjfisher](https://github.com/alexjfisher))
+- Add Debian 10 [\#716](https://github.com/theforeman/puppet-puppet/pull/716) ([mmoll](https://github.com/mmoll))
+
+**Fixed bugs:**
+
+- Restart Puppet Agent service after updating the package [\#712](https://github.com/theforeman/puppet-puppet/pull/712) ([fraenki](https://github.com/fraenki))
+
+**Merged pull requests:**
+
+- Move parameters to advanced [\#719](https://github.com/theforeman/puppet-puppet/pull/719) ([ekohl](https://github.com/ekohl))
+- Stop acceptance tests on EL7 [\#715](https://github.com/theforeman/puppet-puppet/pull/715) ([ekohl](https://github.com/ekohl))
+
+## [12.1.0](https://github.com/theforeman/puppet-puppet/tree/12.1.0) (2019-10-25)
+
+[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/12.0.1...12.1.0)
+
+**Implemented enhancements:**
+
+- Ensure config file ends with a new line [\#707](https://github.com/theforeman/puppet-puppet/pull/707) ([baurmatt](https://github.com/baurmatt))
+
+**Merged pull requests:**
+
+- Document campotocamp/systemd soft dependency [\#696](https://github.com/theforeman/puppet-puppet/pull/696) ([dogjarek](https://github.com/dogjarek))
+
+## [12.0.1](https://github.com/theforeman/puppet-puppet/tree/12.0.1) (2019-06-13)
+
+[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/12.0.0...12.0.1)
+
+**Merged pull requests:**
+
+- Allow puppetlabs/concat 6.x and puppet/extlib 4.x [\#700](https://github.com/theforeman/puppet-puppet/pull/700) ([alexjfisher](https://github.com/alexjfisher))
+- Allow `puppetlabs/stdlib` 6.x [\#698](https://github.com/theforeman/puppet-puppet/pull/698) ([alexjfisher](https://github.com/alexjfisher))
+
 ## [12.0.0](https://github.com/theforeman/puppet-puppet/tree/12.0.0) (2019-04-17)
 
 [Full Changelog](https://github.com/theforeman/puppet-puppet/compare/11.0.1...12.0.0)

manifests/server/config.pp

@@ -158,13 +158,15 @@
   # Generate a new CA and host cert if our host cert doesn't exist
   if $puppet::server::ca {
     if versioncmp($::puppetversion, '6.0') > 0 {
+      $creates = $puppet::server::ssl_ca_cert
       $command = "${puppet::puppetserver_cmd} ca setup"
     } else {
+      $creates = $puppet::server::ssl_cert
       $command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names"
     }
 
     exec {'puppet_server_config-generate_ca_cert':
-      creates => $puppet::server::ssl_cert,
+      creates => $creates,
       command => $command,
       umask   => '0022',
       require => [

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "theforeman-puppet",
-  "version": "14.0.0",
+  "version": "14.1.0",
   "author": "theforeman",
   "summary": "Puppet agent and server configuration",
   "license": "GPL-3.0+",

spec/classes/puppet_server_puppetserver_spec.rb

@@ -463,6 +463,13 @@
         context 'when server_puppetserver_version >= 6.3' do
           let(:params) { super().merge(server_puppetserver_version: '6.3.0') }
           it { should contain_file(auth_conf).with_content(%r{^(\ *)path: "\^/puppet/v4/catalog/\?\$"$}) }
+          context 'by default' do
+            it { should contain_file(auth_conf).with_content(%r{^(\ *)deny: "\*"\n(\ *)sort-order: 500\n(\ *)name: "puppetlabs v4 catalog for services"}) }
+          end
+          context 'with server_trusted_agents' do
+            let(:params) { super().merge(server_puppetserver_trusted_agents: ['jenkins', 'octocatalog-diff']) }
+            it { should contain_file(auth_conf).with_content(%r{^(\ *)allow: \["jenkins", "octocatalog-diff"\]\n(\ *)sort-order: 500\n(\ *)name: "puppetlabs v4 catalog for services"}) }
+          end
         end
 
         context 'when server_puppetserver_version < 6.3' do

spec/classes/puppet_server_spec.rb

@@ -12,11 +12,6 @@
         confdir             = '/usr/local/etc/puppet'
         environments_dir    = '/usr/local/etc/puppet/environments'
         etcdir              = '/usr/local/etc/puppet'
-        if facts[:puppetversion] >= '6.0'
-          puppetcacmd         = '/usr/local/bin/puppetserver ca setup'
-        else
-          puppetcacmd         = '/usr/local/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names'
-        end
         puppetserver_logdir = '/var/log/puppetserver'
         puppetserver_rundir = '/var/run/puppetserver'
         puppetserver_vardir = '/var/puppet/server/data/puppetserver'
@@ -25,18 +20,20 @@
         vardir              = '/var/puppet'
         rubydir             = %r{^/usr/local/lib/ruby/site_ruby/\d+\.\d+/puppet$}
         puppetserver_pkg    = puppet_major > 4 ? "puppetserver#{puppet_major}" : 'puppetserver'
+        if facts[:puppetversion] >= '6.0'
+          puppetcacmd         = '/usr/local/bin/puppetserver ca setup'
+          cert_to_create      = "#{ssldir}/ca/ca_crt.pem"
+        else
+          puppetcacmd         = '/usr/local/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names'
+          cert_to_create      = "#{ssldir}/certs/puppetmaster.example.com.pem"
+        end
       else
         codedir             = '/etc/puppetlabs/code'
         conf_d_dir          = '/etc/puppetlabs/puppetserver/conf.d'
         conf_file           = '/etc/puppetlabs/puppet/puppet.conf'
         confdir             = '/etc/puppetlabs/puppet'
         environments_dir    = '/etc/puppetlabs/code/environments'
         etcdir              = '/etc/puppetlabs/puppet'
-        if facts[:puppetversion] >= '6.0'
-          puppetcacmd         = '/opt/puppetlabs/bin/puppetserver ca setup'
-        else
-          puppetcacmd         = '/opt/puppetlabs/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names'
-        end
         puppetserver_logdir = '/var/log/puppetlabs/puppetserver'
         puppetserver_rundir = '/var/run/puppetlabs/puppetserver'
         puppetserver_vardir = '/opt/puppetlabs/server/data/puppetserver'
@@ -45,6 +42,13 @@
         vardir              = '/opt/puppetlabs/puppet/cache'
         rubydir             = '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet'
         puppetserver_pkg    = 'puppetserver'
+        if facts[:puppetversion] >= '6.0'
+          puppetcacmd         = '/opt/puppetlabs/bin/puppetserver ca setup'
+          cert_to_create      = "#{ssldir}/ca/ca_crt.pem"
+        else
+          puppetcacmd         = '/opt/puppetlabs/bin/puppet cert --generate puppetmaster.example.com --allow-dns-alt-names'
+          cert_to_create      = "#{ssldir}/certs/puppetmaster.example.com.pem"
+        end
       end
 
       let(:facts) { facts }
@@ -109,7 +113,7 @@
             .with_umask('0022')
 
           should contain_exec('puppet_server_config-generate_ca_cert') \
-            .with_creates("#{ssldir}/certs/puppetmaster.example.com.pem") \
+            .with_creates(cert_to_create) \
             .with_command(puppetcacmd) \
             .with_umask('0022') \
             .that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]'])

templates/server/puppetserver/conf.d/auth.conf.erb

@@ -12,7 +12,7 @@ authorization: {
                 type: regex
                 method: [get, post]
             }
-            allow: <%= @server_trusted_agents << '$1' %>
+            allow: <%= @server_trusted_agents + ['$1'] %>
             sort-order: 500
             name: "puppetlabs v3 catalog from agents"
         },
@@ -24,7 +24,11 @@ authorization: {
                 type: regex
                 method: post
             }
+<%- if @server_trusted_agents.empty? -%>
             deny: "*"
+<%- else -%>
+            allow: <%= @server_trusted_agents %>
+<%- end -%>
             sort-order: 500
             name: "puppetlabs v4 catalog for services"
         },
@@ -119,7 +123,17 @@ authorization: {
                 type: regex
                 method: [delete]
             },
-            allow: "$2"
+            allow: [
+                "$2",
+<%- @server_admin_api_whitelist.each do |client| -%>
+                "<%= client %>",
+<%- end -%>
+                {
+                    extensions: {
+                        pp_cli_auth: "true"
+                    }
+                }
+            ]
             sort-order: 500
         },
 <%- end -%>