diff --git a/manifests/init.pp b/manifests/init.pp
index 80e171f..db4a877 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -11,6 +11,10 @@
 String $puppetmaster = $::puppet::params::puppetmaster,
 # Server
+ String $autosign = $::puppet::params::autosign,
+ Boolean $autosign_runnable = $::puppet::params::autosign_runnable,
+ Optional[Array[String]] $autosign_list = $::puppet::params::autosign_list,
+ Optional[String] $autosign_script = $::puppet::params::autosign_script,
 Optional[Array[String]] $dns_alt_names = $::puppet::params::dns_alt_names,
 Optional[Hash[String, Hash[String, String]]] $fileserver_conf = $::puppet::params::fileserver_conf,
 Boolean $manage_hiera = $::puppet::params::manage_hiera,
@@ -41,19 +45,31 @@
 fail('Puppet: fileserver_conf must be a of hash of mountpoints')
 }
+ if $autosign_runnable == true and $autosign_script == '' {
+ fail('Puppet: autosign_runnable requires autosign_script')
+ }
+
+ if is_array($autosign_list) and !empty($autosign_list) and $autosign_script != '' {
+ fail('Puppet: autosign_list and autosign_script can not both be specified')
+ }
+
 if ( $agent or $server ) {
 $ensure = 'present'
 } else {
 $ensure = 'absent'
 }
+ if ($server and $runmode == 'service') {
+ Service['puppetserver'] -> Service['puppet']
+ }
+
 class { '::puppet::common': }
- class { '::puppet::agent':
+ class { '::puppet::server':
 require => Class['puppet::common'],
 } ->
- class { '::puppet::server':
+ class { '::puppet::agent':
 require => Class['puppet::common'],
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 7492a95..2c9d540 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -9,6 +9,10 @@
 $environment = undef
 $puppetmaster = "puppet.${::domain}"
+ $autosign = '/etc/puppetlabs/puppet/autosign.conf'
+ $autosign_runnable = false
+ $autosign_list = []
+ $autosign_script = ''
 $dns_alt_names = undef
 $fileserver_conf = undef
 $manage_hiera = true
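Review bot: `String $autosign` accepts any string, and per Puppet's configuration reference the puppet.conf `autosign` setting also takes the literal `true`, which makes the CA sign every CSR it receives; nothing in this hunk stops `autosign => 'true'` (or a relative path) from being passed straight through to the template. Constrain the parameter to an absolute path, e.g. `Pattern[/\A\//] $autosign = $::puppet::params::autosign,` (or `Stdlib::Absolutepath` if the module's stdlib version provides it). The enclosing `class puppet (` parameter list starts and ends outside the hunk.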
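Review bot: The two new guards miss the third inconsistent combination, `autosign_script` set while `autosign_runnable` stays false, which passes validation and (per the `puppet::server::config` hunk in this commit) produces a non-executable autosign.conf that does not contain the script, so the intended policy is silently never run. Add a third check beside the others: `if $autosign_script != '' and !$autosign_runnable { fail('Puppet: autosign_script requires autosign_runnable') }`. Separately, entries of `autosign_list` become certname globs that Puppet's basic autosign honours with no further check of the requester, so a bare `*` hands a signed certificate to anything that can reach the CA; it is worth rejecting `'*'` here and documenting that list mode is only safe where hostnames cannot be spoofed. The class body these checks sit in starts and ends outside the hunk.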
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index e727d72..f2b8890 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -1,24 +1,28 @@
 # document me
 class puppet::server::config (
- $ca_enabled = $::puppet::server_ca_enabled,
- $config_dir = $::puppet::params::server_config_dir,
- $dns_alt_names = $::puppet::dns_alt_names,
- $fileserver = $::puppet::fileserver_conf,
- $manage_hiera = $::puppet::manage_hiera,
- $hiera_source = $::puppet::hiera_source,
- $java_opts = $::puppet::server_java_opts,
- $log_dir = $::puppet::server_log_dir,
- $log_file = $::puppet::server_log_file,
- $server = $::puppet::server,
- $runinterval = $::puppet::runinterval,
- $puppetdb = $::puppet::puppetdb,
- $puppetdb_port = $::puppet::puppetdb_port,
- $puppetdb_server = $::puppet::puppetdb_server,
- $manage_puppetdb = $::puppet::manage_puppetdb,
- $reports = $::puppet::server_reports,
- $firewall = $::puppet::firewall,
- $jruby_instances = $::puppet::jruby_instances,
- $use_legacy_auth = $::puppet::use_legacy_auth,
+ $autosign = $::puppet::autosign,
+ $autosign_runnable = $::puppet::autosign_runnable,
+ $autosign_list = $::puppet::autosign_list,
+ $autosign_script = $::puppet::autosign_script,
+ $ca_enabled = $::puppet::server_ca_enabled,
+ $config_dir = $::puppet::params::server_config_dir,
+ $dns_alt_names = $::puppet::dns_alt_names,
+ $fileserver = $::puppet::fileserver_conf,
+ $manage_hiera = $::puppet::manage_hiera,
+ $hiera_source = $::puppet::hiera_source,
+ $java_opts = $::puppet::server_java_opts,
+ $log_dir = $::puppet::server_log_dir,
+ $log_file = $::puppet::server_log_file,
+ $server = $::puppet::server,
+ $runinterval = $::puppet::runinterval,
+ $puppetdb = $::puppet::puppetdb,
+ $puppetdb_port = $::puppet::puppetdb_port,
+ $puppetdb_server = $::puppet::puppetdb_server,
+ $manage_puppetdb = $::puppet::manage_puppetdb,
+ $reports = $::puppet::server_reports,
+ $firewall = $::puppet::firewall,
+ $jruby_instances = $::puppet::jruby_instances,
+ $use_legacy_auth = $::puppet::use_legacy_auth,
 ) {
 $file_ensure = $server ? {
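Review bot: The class still carries the `# document me` placeholder while gaining four parameters that decide whom the CA issues certificates to, and none of them is typed, so the header should at least say what each one is. Suggested lines above the class: `# @param autosign path written to puppet.conf's autosign setting; the file at that path is managed by this class`, `# @param autosign_runnable when true, $autosign_script is installed there verbatim as an executable (0550) policy script`, `# @param autosign_list certname globs installed there as a 0440 allow-list (Puppet's basic autosign does no further check of the requester)`. The parameter list continues past the hunk and the class body is outside it.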
@@ -103,6 +107,22 @@
 }
 }
+ if ( $autosign_runnable ) {
+ $autosign_mode = '0550'
+ $autosign_content = $autosign_script
+ }
+ else {
+ $autosign_mode = '0440'
+ $autosign_content = join($autosign_list, '\n')
+ }
+
+ if ($server and ($autosign_list != [] or $autosign_script != '' )) {
+ file { $autosign:
+ content => $autosign_content,
+ mode => $autosign_mode,
+ }
+ }
+
+ if ( $server and $fileserver ) {
 # Template uses
 # - $fileserver
diff --git a/spec/classes/puppet_init_spec.rb b/spec/classes/puppet_init_spec.rb
index 919ad40..1fbefe2 100644
--- a/spec/classes/puppet_init_spec.rb
+++ b/spec/classes/puppet_init_spec.rb
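Review bot: `join($autosign_list, '\n')` joins with a literal backslash-n, because Puppet single-quoted strings only unescape `\\` and `\'`, so a two-entry list becomes the single line `blah\nblah2`, which matches no certname and autosigning silently never happens; the separator has to be `"\n"`. The `file` resource sets mode 0440/0550 but no owner or group, so on first creation the file belongs to whatever user runs the agent (typically root), and the `puppet` user that this same commit's sysconfig change runs puppetserver as can then neither read nor execute it — set `owner`/`group` explicitly unless a `File` resource default elsewhere in the module already does. Because the resource only exists while a list or script is configured, emptying both later merely stops managing the file and leaves the previous allow-list in force; with `$server` true it should be ensured absent instead. `autosign_list` is `Optional`, so an explicit undef passes `!= []` and reaches `join`; the rewrite below normalises it and keeps treating `$autosign_script` as the verbatim file body, which is what the resource does today and is worth stating in the class docs. The class body starts and ends outside the hunk.
```puppet
  # Optional[Array[String]] may be undef; normalise before comparing or joining.
  $_autosign_entries = $autosign_list ? {
    undef   => [],
    default => $autosign_list,
  }

  if ( $autosign_runnable ) {
    $autosign_mode    = '0550'
    $autosign_content = $autosign_script   # written verbatim as the policy script body
  }
  else {
    $autosign_mode    = '0440'
    # Double quotes are required: in Puppet '\n' is a literal backslash-n, not a newline.
    $autosign_content = join($_autosign_entries, "\n")
  }

  # Manage the file whenever this host is a server so that clearing the list or
  # script removes a stale allow-list instead of leaving it in force.
  if ( $server ) {
    $_autosign_ensure = ( !empty($_autosign_entries) or $autosign_script != '' ) ? {
      true    => 'file',
      default => 'absent',
    }
    file { $autosign:
      ensure  => $_autosign_ensure,
      content => $autosign_content,
      owner   => 'root',
      group   => 'puppet',   # the group puppetserver runs as (USER/GROUP in the sysconfig template)
      mode    => $autosign_mode,
    }
  }
  # … unchanged: fileserver.conf handling …
```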
@@ -32,6 +32,36 @@
 it { expect { should create_class('puppet') }.to raise_error(/expects a match for Enum/) }
 end
+ context 'bad autosign' do
+ let(:params) { { :autosign => false } }
+ it { expect { should create_class('puppet') }.to raise_error(/expects a String value/) }
+ end
+
+ context 'bad autosign_runnable' do
+ let(:params) { { :autosign_runnable => 'breakme' } }
+ it { expect { should create_class('puppet') }.to raise_error(/expects a Boolean value/) }
+ end
+
+ context 'bad autosign_list' do
+ let(:params) { { :autosign_list => 'breakme' } }
+ it { expect { should create_class('puppet') }.to raise_error(/expects an Array value/) }
+ end
+
+ context 'bad autosign_script' do
+ let(:params) { { :autosign_script => false } }
+ it { expect { should create_class('puppet') }.to raise_error(/expects a String value/) }
+ end
+
+ context 'autosign_runnable, no autosign_script' do
+ let(:params) { { :autosign_runnable => true } }
+ it { expect { should create_class('puppet')}.to raise_error(/requires autosign_script/) }
+ end
+
+ context 'autosign_list, autosign_script' do
+ let(:params) { { :autosign_list => ["blah", "blah"], :autosign_script => '/bin/false' } }
+ it { expect { should create_class('puppet')}.to raise_error(/autosign_list and autosign_script/) }
+
 context 'bad hiera_source' do
 let(:params) { { :hiera_source => 'breakme' } }
 it { expect { should create_class('puppet') }.to raise_error(/expects a match for Pattern/) }
diff --git a/spec/classes/puppet_server_config_spec.rb b/spec/classes/puppet_server_config_spec.rb
index 70a3773..76e2cb6 100644
--- a/spec/classes/puppet_server_config_spec.rb
+++ b/spec/classes/puppet_server_config_spec.rb
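Review bot: The new cases pin the type checks and two of the cross-parameter failures, but not the third combination, `autosign_script` set while `autosign_runnable` is left false, which the class currently accepts and then (per the config.pp hunk) writes an empty, non-executable autosign.conf for; add a context with `let(:params) { { :autosign_script => '/bin/false' } }` and the expectation the module settles on, ideally `raise_error(/requires autosign_runnable/)`. `'bad autosign'` only proves that a Boolean is rejected; a String such as `'true'` passes the type, so nothing here shows that a non-path value for the puppet.conf `autosign` setting is refused. The `describe` block these contexts belong to starts and ends outside the hunk.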
@@ -69,6 +69,16 @@
 it { should contain_file('/etc/sysconfig/puppetserver').with(:content => /JAVA_ARGS="blah"/) }
 end
+ context 'set autosign list' do
+ let(:pre_condition) { 'class { "puppet": server => true, autosign_list => [ "blah", "blah2" ] }'}
+ it { should contain_file('/etc/puppetlabs/puppet/autosign.conf').with(:content => /blah\\nblah2/, :mode => '0440') }
+ end
+
+ context 'set autosign script' do
+ let(:pre_condition) { 'class { "puppet": server => true, autosign_runnable => true, autosign_script => "/bin/false" }'}
+ it { should contain_file('/etc/puppetlabs/puppet/autosign.conf').with(:content => "/bin/false", :mode => '0550') }
+ end
+
 context 'set disable ca' do
 let(:pre_condition) { 'class { "puppet": server => true, server_ca_enabled => false }'}
 it { should_not contain_file('/etc/puppetlabs/puppetserver/bootstrap.cfg').with(:content => /puppetlabs\.services\.ca\.certificate\-authority\-service\/certificate\-authority\-service/) }
diff --git a/templates/puppet.master.erb b/templates/puppet.master.erb
index b58f61e..cbc28bb 100644
--- a/templates/puppet.master.erb
+++ b/templates/puppet.master.erb
@@ -6,6 +6,7 @@ codedir = /etc/puppetlabs/code
 always_cache_features = true
+ autosign = <%= @autosign %>
 ca = <%= @ca_enabled %>
 <% if @dns_alt_names && @dns_alt_names.length > 0-%>
 dns_alt_names = <%= @dns_alt_names.join(', ') %>
diff --git a/templates/server/puppetserver.sysconfig.erb b/templates/server/puppetserver.sysconfig.erb
index 452900b..f1e822c 100644
--- a/templates/server/puppetserver.sysconfig.erb
+++ b/templates/server/puppetserver.sysconfig.erb
@@ -6,3 +6,5 @@ INSTALL_DIR="/opt/puppetlabs/server/apps/puppetserver"
 JARFILE="server/apps/puppetserver/puppet-server-release.jar"
 CONFIG="/etc/puppetlabs/puppetserver/conf.d"
 BOOTSTRAP_CONFIG="/etc/puppetlabs/puppetserver/bootstrap.cfg"
+USER="puppet"
+GROUP="puppet"
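Review bot: The `set autosign list` expectation `/blah\\nblah2/` matches a literal backslash followed by `n`, i.e. it asserts that both entries land on one line joined by the two characters `\n`; that is indeed what `join($autosign_list, '\n')` produces in Puppet (single quotes do not unescape `\n`), but it is not a usable allow-list, which needs one certname per line, so the test is locking in the defect. Once the join uses `"\n"`, change the expectation to `:content => /\Ablah\nblah2/` so it pins a real newline. The `set autosign script` case shows that `autosign_script` is written verbatim as the file body (here a one-line file containing `/bin/false`, with no interpreter line), which the parameter name does not make obvious and the class docs should state. The enclosing `describe` block starts and ends outside the hunk.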