1 change: 1 addition & 0 deletions .fixtures.yml
@@ -10,3 +10,4 @@ fixtures:
puppetserver_foreman: 'https://github.com/theforeman/puppet-puppetserver_foreman.git'
stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
systemd: 'https://github.com/voxpupuli/puppet-systemd.git'
vcsrepo: 'https://github.com/puppetlabs/puppetlabs-vcsrepo.git'
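Review bot: the new `vcsrepo` fixture tracks the unpinned default branch of puppetlabs-vcsrepo, while README.md in this same diff states a minimum of vcsrepo >= 5.2.0; pin the fixture with a `ref:` to 5.2.0 so the test suite exercises the lowest supported version, and make sure the module's metadata.json dependency carries the same lower bound.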
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,15 @@
# Changelog

## [18.0.0](https://github.com/theforeman/puppet-puppet/tree/18.0.0) (2023-08-16)

[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/17.1.0...18.0.0)

**Breaking changes:**

- Refs [\#36620](https://projects.theforeman.org/issues/36620) - Replace whitelist with allowlist [\#881](https://github.com/theforeman/puppet-puppet/pull/881) ([treydock](https://github.com/treydock))
- Refs [\#36573](https://projects.theforeman.org/issues/36573) - Drop default value for foreman\_url [\#880](https://github.com/theforeman/puppet-puppet/pull/880) ([ekohl](https://github.com/ekohl))
- Fixes [\#35943](https://projects.theforeman.org/issues/35943) - Switch to puppetlabs vcsrepo for gitrepo tracking [\#860](https://github.com/theforeman/puppet-puppet/pull/860) ([jcpunk](https://github.com/jcpunk))

## [17.1.0](https://github.com/theforeman/puppet-puppet/tree/17.1.0) (2023-06-19)

[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/17.0.0...17.1.0)
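Review bot: the 18.0.0 entry for #860 ("Switch to puppetlabs vcsrepo for gitrepo tracking") does not tell users what actually breaks: `server_git_repo_mode` / `git_repo_mode` is removed and replaced by `server_git_repo_umask` and `server_git_repo_hook_mode`, and the theforeman/git dependency is replaced by puppetlabs/vcsrepo >= 5.2.0 (see manifests/init.pp and README.md in this diff). A one-line migration hint under "Breaking changes" would save operators a failed catalog compile on upgrade.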
54 changes: 50 additions & 4 deletions README.md
@@ -29,7 +29,10 @@ sets up `/var/lib/puppet/puppet.git` where each branch maps to one environment.
Avoid using 'server' as this name isn't permitted. On each push to the repo, a
hook updates `/etc/puppet/environments` with the contents of the branch.

Requires [theforeman/git](https://forge.puppetlabs.com/theforeman/git).
Permissions can be controlled via the `git_repo_{user,group,hook_mode,umask}`
parameters.

Requires [puppetlabs/vcsrepo](https://forge.puppetlabs.com/puppetlabs/vcsrepo) >= 5.2.0.
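Review bot: the paragraph names the parameters as `git_repo_{user,group,hook_mode,umask}`, but on the top-level `puppet` class they are `server_git_repo_*` (manifests/init.pp in this diff); say which class the names refer to. It would also help to state the umask default (`0022` in manifests/params.pp) and that the repository directory no longer receives an explicit mode (the `mode` attribute is dropped from the resource in manifests/server/config.pp), so the effective permissions now come from the umask.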

## Foreman integration

@@ -71,6 +74,50 @@ class { 'puppet::server::puppetdb':
}
```

Above example manages Puppetserver + PuppetDB integration. It won't install the
PuppetDB. To do so, you also need the `puppetdb` class

```puppet
class { 'puppet':
server => true,
server_reports => 'puppetdb,foreman',
server_storeconfigs => true,
}
include puppetdb
class { 'puppet::server::puppetdb':
server => 'mypuppetdb.example.com',
}
```

Then the PuppetDB module will also configure postgresql and setup the database.
If you want to manage postgresql installation on your own:

```puppet
class { 'postgresql::globals':
encoding => 'UTF-8',
locale => 'en_US.UTF-8',
version => '15',
manage_package_repo => true,
}
class { 'postgresql::server':
listen_addresses => '127.0.0.1',
}
postgresql::server::extension { 'pg_trgm':
database => 'puppetdb',
require => Postgresql::Server::Db['puppetdb'],
before => Service['puppetdb'],
}
class { 'puppetdb':
manage_dbserver => false,
}
class { 'puppet::server::puppetdb':
server => 'mypuppetdb.example.com',
}
```

Above code will install Puppetserver/PuppetDB/PostgreSQL on a single server. It
will use the upstream postgresql repositories. It was tested on Ubuntu.

Please also make sure your puppetdb ciphers are compatible with your puppet server ciphers, ie that the two following parameters match:
```
puppet::server::cipher_suites
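Review bot: "Above example manages" and "Above code will install" should read "The above example manages" / "The above code will install", "setup the database" should be "set up the database", and "ie" should be "i.e.". On substance, the second example is described as a single-server install, yet `puppet::server::puppetdb` still points at `mypuppetdb.example.com`, which reads like a remote host; say explicitly that `server` must be the local host's certname/FQDN (the name in the PuppetDB certificate the puppetserver connects to over TLS) so readers do not copy the placeholder as-is.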
@@ -136,10 +183,9 @@ To use this in standalone mode, edit a file (e.g. install.pp), put in a class re
as per the examples above, and the execute _puppet apply_ e.g:

```sh
cat > install.pp <<EOF
class { '::puppet': server => true }
puppet apply --modulepath /path_to/extracted_tarball <<EOF
class { 'puppet': server => true }
EOF
puppet apply install.pp --modulepath /path_to/extracted_tarball
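Review bot: the unchanged intro above the hunk still says "edit a file (e.g. install.pp)" and "the execute _puppet apply_", but the new example feeds the manifest to `puppet apply` on stdin and never writes install.pp; update that sentence to match (and fix "the execute" to "then execute"). Reading from stdin works because `puppet apply` does so when no manifest path is given, but one sentence saying so would stop readers from assuming the heredoc is an argument to `--modulepath`.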
```

# Advanced scenarios
23 changes: 13 additions & 10 deletions manifests/init.pp
@@ -240,9 +240,11 @@
#
# $server_common_modules_path:: Common modules paths
#
# $server_git_repo_path:: Git repository path
# $server_git_repo_path:: Git repository path on disk
#
# $server_git_repo_mode:: Git repository mode
# $server_git_repo_umask:: Umask used during git operations
#
# $server_git_repo_hook_mode:: Git repository hook mode
#
# $server_git_repo_group:: Git repository group
#
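Review bot: the new `$server_git_repo_umask` and `$server_git_repo_hook_mode` descriptions should carry their defaults (`0022` and `0755` in manifests/params.pp) and say what each governs: the umask applies to what vcsrepo creates inside the repository, the hook mode only to the post-receive hook written in manifests/server/config.pp. Without that, someone migrating from `$server_git_repo_mode` cannot tell which of the two replaces it.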
@@ -407,14 +409,14 @@
#
# $server_ruby_load_paths:: List of ruby paths
#
# $server_ca_client_whitelist:: The whitelist of client certificates that
# $server_ca_client_allowlist:: The allowlist of client certificates that
# can query the certificate-status endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
#
# $server_custom_trusted_oid_mapping:: A hash of custom trusted oid mappings. Defaults to undef
# Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } }
#
# $server_admin_api_whitelist:: The whitelist of clients that
# $server_admin_api_allowlist:: The allowlist of clients that
# can query the puppet-admin-api endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
#
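Review bot: both renamed entries keep "Defaults to [ '127.0.0.1', '::1', $::ipaddress ]", but manifests/params.pp in this same diff sets `$server_admin_api_allowlist` and `$server_ca_client_allowlist` to `['localhost', $lower_fqdn]`; since these lines are being touched anyway, correct the documented default and drop the legacy `$::ipaddress` top-scope fact. The same stale text appears in the matching docs in manifests/server.pp.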
@@ -544,7 +546,7 @@
# invokes when on static_file_content requests.
# Defaults to undef
#
# $server_jolokia_metrics_whitelist:: The whitelist of clients that
# $server_jolokia_metrics_allowlist:: The allowlist of clients that
# can query the jolokia /metrics/v2 endpoint
#
# === Usage:
@@ -634,7 +636,7 @@
Optional[String] $syslogfacility = $puppet::params::syslogfacility,
String $environment = $puppet::params::environment,
Boolean $server = $puppet::params::server,
Array[String] $server_admin_api_whitelist = $puppet::params::server_admin_api_whitelist,
Array[String] $server_admin_api_allowlist = $puppet::params::server_admin_api_allowlist,
Boolean $server_manage_user = $puppet::params::manage_user,
String $server_user = $puppet::params::user,
String $server_group = $puppet::params::group,
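Review bot: `$server_admin_api_allowlist` stays `Array[String]`, which accepts empty strings, while `$server_jolokia_metrics_allowlist` further down this parameter list is `Array[String[1]]`; a rename that is already a breaking change is the right moment to tighten this and `$server_ca_client_allowlist` (next hunk) to `Array[String[1]]` as well, so an empty entry in an access-control list is rejected at compile time.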
@@ -646,7 +648,7 @@
Optional[Boolean] $server_crl_enable = $puppet::params::server_crl_enable,
Boolean $server_ca_auth_required = $puppet::params::server_ca_auth_required,
Boolean $server_ca_client_self_delete = $puppet::params::server_ca_client_self_delete,
Array[String] $server_ca_client_whitelist = $puppet::params::server_ca_client_whitelist,
Array[String] $server_ca_client_allowlist = $puppet::params::server_ca_client_allowlist,
Optional[Puppet::Custom_trusted_oid_mapping] $server_custom_trusted_oid_mapping = $puppet::params::server_custom_trusted_oid_mapping,
Boolean $server_http = $puppet::params::server_http,
Stdlib::Port $server_http_port = $puppet::params::server_http_port,
@@ -671,8 +673,9 @@
Array[Stdlib::Absolutepath, 1] $server_envs_dir = $puppet::params::server_envs_dir,
Optional[Stdlib::Absolutepath] $server_envs_target = $puppet::params::server_envs_target,
Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $server_common_modules_path = $puppet::params::server_common_modules_path,
Pattern[/^[0-9]{3,4}$/] $server_git_repo_mode = $puppet::params::server_git_repo_mode,
Pattern[/^[0-9]{3,4}$/] $server_git_repo_hook_mode = $puppet::params::server_git_repo_hook_mode,
Stdlib::Absolutepath $server_git_repo_path = $puppet::params::server_git_repo_path,
Pattern[/^[0-9]{3,4}$/] $server_git_repo_umask = $puppet::params::server_git_repo_umask,
String $server_git_repo_group = $puppet::params::server_git_repo_group,
String $server_git_repo_user = $puppet::params::server_git_repo_user,
Hash[String, String] $server_git_branch_map = $puppet::params::server_git_branch_map,
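Review bot: `Pattern[/^[0-9]{3,4}$/]` on `$server_git_repo_hook_mode` and `$server_git_repo_umask` accepts values such as `0999` or `888` that are not valid octal; `$puppetconf_mode` in the same parameter list already uses `Stdlib::Filemode`. Use that for the hook mode, and for the umask either `Stdlib::Filemode` or `Pattern[/^[0-7]{3,4}$/]` if symbolic modes (which `Stdlib::Filemode` also allows) should stay excluded. The same change applies to manifests/server.pp.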
@@ -693,7 +696,7 @@
Boolean $server_strict_variables = $puppet::params::server_strict_variables,
Hash[String, Data] $server_additional_settings = $puppet::params::server_additional_settings,
Boolean $server_foreman = $puppet::params::server_foreman,
Stdlib::HTTPUrl $server_foreman_url = $puppet::params::server_foreman_url,
Optional[Stdlib::HTTPUrl] $server_foreman_url = $puppet::params::server_foreman_url,
Optional[Stdlib::Absolutepath] $server_foreman_ssl_ca = $puppet::params::server_foreman_ssl_ca,
Optional[Stdlib::Absolutepath] $server_foreman_ssl_cert = $puppet::params::server_foreman_ssl_cert,
Optional[Stdlib::Absolutepath] $server_foreman_ssl_key = $puppet::params::server_foreman_ssl_key,
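Review bot: with the default gone, `$server_foreman_url` can now be `undef` while `$server_foreman` is `true`; unless a check elsewhere already covers it, fail early in the class (for example `if $server_foreman and !$server_foreman_url { fail('server_foreman_url is required when server_foreman is true') }`) so the misconfiguration is reported at compile time rather than surfacing later as ENC/report uploads to an empty URL.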
@@ -744,7 +747,7 @@
Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files,
Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef,
Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef,
Array[String[1]] $server_jolokia_metrics_whitelist = [],
Array[String[1]] $server_jolokia_metrics_allowlist = [],
Stdlib::Filemode $puppetconf_mode = $puppet::params::puppetconf_mode,
) inherits puppet::params {
contain puppet::config
14 changes: 8 additions & 6 deletions manifests/params.pp
@@ -252,10 +252,12 @@
$server_common_modules_path = unique(["${server_envs_dir[0]}/common", "${codedir}/modules", "${sharedir}/modules", '/usr/share/puppet/modules'])

# Dynamic environments config, ignore if the git_repo is 'false'
# Path to the repository
# Path to the repository on disk
$server_git_repo_path = "${vardir}/puppet.git"
# mode of the repository
$server_git_repo_mode = '0755'
# Umask for vcsrepo operations
$server_git_repo_umask = '0022'
# mode of the repository hooks
$server_git_repo_hook_mode = '0755'
# user of the repository
$server_git_repo_user = $user
# group of the repository
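Review bot: `$server_git_repo_umask = '0022'` yields 0755 directories, which matches the old `$server_git_repo_mode = '0755'` for new repositories, so fresh installs keep the same permissions; existing repositories, however, are no longer re-chmodded by the resource now that `mode` is gone, and the comment should say that the umask only affects what vcsrepo creates from now on.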
@@ -329,7 +331,7 @@
true => '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet',
false => undef,
}
$server_foreman_url = "https://${lower_fqdn}"
$server_foreman_url = undef
$server_foreman_ssl_ca = undef
$server_foreman_ssl_cert = undef
$server_foreman_ssl_key = undef
@@ -383,8 +385,8 @@
$server_connect_timeout = 120000
$server_ca_auth_required = true
$server_ca_client_self_delete = false
$server_admin_api_whitelist = ['localhost', $lower_fqdn]
$server_ca_client_whitelist = ['localhost', $lower_fqdn]
$server_admin_api_allowlist = ['localhost', $lower_fqdn]
$server_ca_client_allowlist = ['localhost', $lower_fqdn]
$server_cipher_suites = [
'TLS_AES_128_GCM_SHA256',
'TLS_AES_256_GCM_SHA384',
23 changes: 13 additions & 10 deletions manifests/server.pp
@@ -82,9 +82,11 @@
#
# $common_modules_path:: Common modules paths
#
# $git_repo_path:: Git repository path
# $git_repo_path:: Git repository path on disk
#
# $git_repo_mode:: Git repository mode
# $git_repo_umask:: Umask used during git operations
#
# $git_repo_hook_mode:: Git repository hook mode
#
# $git_repo_group:: Git repository group
#
@@ -230,14 +232,14 @@
#
# $ruby_load_paths:: List of ruby paths
#
# $ca_client_whitelist:: The whitelist of client certificates that
# $ca_client_allowlist:: The allowlist of client certificates that
# can query the certificate-status endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
#
# $custom_trusted_oid_mapping:: A hash of custom trusted oid mappings.
# Example: { 1.3.6.1.4.1.34380.1.2.1.1 => { shortname => 'myshortname' } }
#
# $admin_api_whitelist:: The whitelist of clients that
# $admin_api_allowlist:: The allowlist of clients that
# can query the puppet-admin-api endpoint
# Defaults to [ '127.0.0.1', '::1', $::ipaddress ]
#
@@ -333,7 +335,7 @@
# a static_file_content API request for the contents of a file resource that
# has a source attribute with a puppet:/// URI value.
#
# $jolokia_metrics_whitelist:: The whitelist of clients that
# $jolokia_metrics_allowlist:: The allowlist of clients that
# can query the jolokia /metrics/v2 endpoint
class puppet::server (
Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::autosign,
@@ -342,7 +344,7 @@
Optional[String] $autosign_content = $puppet::autosign_content,
Optional[String] $autosign_source = $puppet::autosign_source,
String $hiera_config = $puppet::hiera_config,
Array[String] $admin_api_whitelist = $puppet::server_admin_api_whitelist,
Array[String] $admin_api_allowlist = $puppet::server_admin_api_allowlist,
Boolean $manage_user = $puppet::server_manage_user,
String $user = $puppet::server_user,
String $group = $puppet::server_group,
@@ -356,7 +358,7 @@
Optional[Boolean] $crl_enable = $puppet::server_crl_enable,
Boolean $ca_auth_required = $puppet::server_ca_auth_required,
Boolean $ca_client_self_delete = $puppet::server_ca_client_self_delete,
Array[String] $ca_client_whitelist = $puppet::server_ca_client_whitelist,
Array[String] $ca_client_allowlist = $puppet::server_ca_client_allowlist,
Optional[Puppet::Custom_trusted_oid_mapping] $custom_trusted_oid_mapping = $puppet::server_custom_trusted_oid_mapping,
Boolean $http = $puppet::server_http,
Stdlib::Port $http_port = $puppet::server_http_port,
@@ -382,8 +384,9 @@
Array[Stdlib::Absolutepath, 1] $envs_dir = $puppet::server_envs_dir,
Optional[Stdlib::Absolutepath] $envs_target = $puppet::server_envs_target,
Variant[Undef, String[0], Array[Stdlib::Absolutepath]] $common_modules_path = $puppet::server_common_modules_path,
Pattern[/^[0-9]{3,4}$/] $git_repo_mode = $puppet::server_git_repo_mode,
Pattern[/^[0-9]{3,4}$/] $git_repo_hook_mode = $puppet::server_git_repo_hook_mode,
Stdlib::Absolutepath $git_repo_path = $puppet::server_git_repo_path,
Pattern[/^[0-9]{3,4}$/] $git_repo_umask = $puppet::server_git_repo_umask,
String $git_repo_group = $puppet::server_git_repo_group,
String $git_repo_user = $puppet::server_git_repo_user,
Hash[String, String] $git_branch_map = $puppet::server_git_branch_map,
@@ -404,7 +407,7 @@
Boolean $strict_variables = $puppet::server_strict_variables,
Hash[String, Data] $additional_settings = $puppet::server_additional_settings,
Boolean $foreman = $puppet::server_foreman,
Stdlib::HTTPUrl $foreman_url = $puppet::server_foreman_url,
Optional[Stdlib::HTTPUrl] $foreman_url = $puppet::server_foreman_url,
Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $puppet::server_foreman_ssl_ca,
Optional[Stdlib::Absolutepath] $foreman_ssl_cert = $puppet::server_foreman_ssl_cert,
Optional[Stdlib::Absolutepath] $foreman_ssl_key = $puppet::server_foreman_ssl_key,
@@ -454,7 +457,7 @@
Optional[Integer[1]] $max_open_files = $puppet::server_max_open_files,
Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id,
Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,
Array[String[1]] $jolokia_metrics_whitelist = $puppet::server_jolokia_metrics_whitelist,
Array[String[1]] $jolokia_metrics_allowlist = $puppet::server_jolokia_metrics_allowlist,
) {
$cadir = "${puppetserver_dir}/ca"

25 changes: 10 additions & 15 deletions manifests/server/config.pp
@@ -229,25 +229,20 @@
}

if $puppet::server::git_repo {
include git

if $puppet::server::manage_user {
Class['git'] -> User[$puppet::server::user]
}

file { $puppet::vardir:
ensure => directory,
owner => 'root',
group => 'root',
}

git::repo { 'puppet_repo':
bare => true,
target => $puppet::server::git_repo_path,
mode => $puppet::server::git_repo_mode,
user => $puppet::server::git_repo_user,
group => $puppet::server::git_repo_group,
require => File[$puppet::vardir, $primary_envs_dir],
vcsrepo { 'puppet_repo':
ensure => 'bare',
provider => 'git',
path => $puppet::server::git_repo_path,
user => $puppet::server::git_repo_user,
group => $puppet::server::git_repo_group,
umask => $puppet::server::git_repo_umask,
require => File[$puppet::vardir, $primary_envs_dir],
}

$git_branch_map = $puppet::server::git_branch_map
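Review bot: nothing in this file orders the git package before `Vcsrepo['puppet_repo']` now that `include git` and the `Class['git'] -> User[...]` relation are gone; `ensure_packages(['git'])` lives in manifests/server/install.pp and is only ordered before the user there, so either add `require => Package['git']` here or confirm the install class is ordered before the config class. Also verify that vcsrepo's git provider creates the bare repository path as root before switching to `user => $puppet::server::git_repo_user`, since the parent `$puppet::vardir` is kept root:root by the `file` resource just above.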
@@ -256,8 +251,8 @@
content => template($puppet::server::post_hook_content),
owner => $puppet::server::git_repo_user,
group => $puppet::server::git_repo_group,
mode => $puppet::server::git_repo_mode,
require => Git::Repo['puppet_repo'],
mode => $puppet::server::git_repo_hook_mode,
require => Vcsrepo['puppet_repo'],
}
}

8 changes: 8 additions & 0 deletions manifests/server/install.pp
@@ -10,6 +10,10 @@
Class['puppet::server::install'] -> Class['foreman::config']
}

if $puppet::server::git_repo {
ensure_packages(['git'])
}

if $puppet::server::manage_user {
$shell = $puppet::server::git_repo ? {
true => $facts['os']['family'] ? {
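Review bot: `ensure_packages(['git'])` raises a duplicate declaration error if any other module on the node already declares `Package['git']` with different attributes, which the previous `include git` avoided by delegating ownership to theforeman/git; consider a `manage_git_package`-style parameter, or at least document the conflict.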
@@ -22,6 +26,10 @@
user { $puppet::server::user:
shell => $shell,
}

if $puppet::server::git_repo {
Package['git'] -> User[$puppet::server::user]
}
}

if $puppet::manage_packages == true or $puppet::manage_packages == 'server' {
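Review bot: the `Package['git'] -> User[$puppet::server::user]` relation is justified because the `$shell` chosen above depends on `git_repo` (git's shell must exist when the user is created), but it splits one condition into two `if $puppet::server::git_repo` blocks in the same class; putting `require => Package['git']` on the user resource inside the existing `$shell` selector, or folding both blocks into one, keeps the dependency next to the reason for it.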
6 changes: 3 additions & 3 deletions manifests/server/puppetserver.pp
@@ -111,8 +111,8 @@
Integer[0] $server_connect_timeout = $puppet::server::connect_timeout,
Boolean $server_ca_auth_required = $puppet::server::ca_auth_required,
Boolean $server_ca_client_self_delete = $puppet::server::ca_client_self_delete,
Array[String] $server_ca_client_whitelist = $puppet::server::ca_client_whitelist,
Array[String] $server_admin_api_whitelist = $puppet::server::admin_api_whitelist,
Array[String] $server_ca_client_allowlist = $puppet::server::ca_client_allowlist,
Array[String] $server_admin_api_allowlist = $puppet::server::admin_api_allowlist,
Boolean $server_check_for_updates = $puppet::server::check_for_updates,
Boolean $server_environment_class_cache_enabled = $puppet::server::environment_class_cache_enabled,
Optional[Boolean] $server_metrics = $puppet::server::puppetserver_metrics,
@@ -143,7 +143,7 @@
Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server::versioned_code_id,
Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server::versioned_code_content,
Boolean $disable_fips = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8',
Array[String[1]] $jolokia_metrics_whitelist = $puppet::server::jolokia_metrics_whitelist,
Array[String[1]] $jolokia_metrics_allowlist = $puppet::server::jolokia_metrics_allowlist,
) {
include puppet::server
