From f4f3f497799576dcee51628e0af66a15392b3acc Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 19 Mar 2026 16:31:12 +1100 Subject: [PATCH] git commit -m "fix: configure PuppetDB HTTPS connections and add Puppetboard SSL support - Update PuppetDB connections from HTTP (8080) to HTTPS (8081) - Add automatic certificate generation for Puppetboard using Puppet CA - Implement initContainers for proper certificate provisioning before app start - Add dedicated PVC for Puppetboard certificates with RWX access - Configure SSL verification and client authentication for secure PuppetDB access --- .../puppet/configmap_puppetboard-config.yaml | 5 +- ...onfigmap_puppetserver-compiler-config.yaml | 2 +- .../configmap_puppetserver-master-config.yaml | 2 +- apps/base/puppet/deployment_puppetboard.yaml | 112 ++++++++++++++++++ apps/base/puppet/persistentvolumeclaims.yaml | 18 +++ .../statefulset_puppetserver-compiler.yaml | 2 +- 6 files changed, 137 insertions(+), 4 deletions(-) diff --git a/apps/base/puppet/configmap_puppetboard-config.yaml b/apps/base/puppet/configmap_puppetboard-config.yaml index c68b7a3..00f3ff8 100644 --- a/apps/base/puppet/configmap_puppetboard-config.yaml +++ b/apps/base/puppet/configmap_puppetboard-config.yaml @@ -11,7 +11,10 @@ metadata: namespace: puppet data: PUPPETDB_HOST: "puppetdb" - PUPPETDB_PORT: "8080" + PUPPETDB_PORT: "8081" + PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem" + PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key" + PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem" LOGLEVEL: "info" PUPPETDB_TIMEOUT: "20" UNRESPONSIVE_HOURS: "3" diff --git a/apps/base/puppet/configmap_puppetserver-compiler-config.yaml b/apps/base/puppet/configmap_puppetserver-compiler-config.yaml index 856a525..2f3decd 100644 --- a/apps/base/puppet/configmap_puppetserver-compiler-config.yaml +++ b/apps/base/puppet/configmap_puppetserver-compiler-config.yaml 
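Review bot: Pointing `PUPPETDB_SSL_VERIFY` at a CA file and supplying `PUPPETDB_KEY`/`PUPPETDB_CERT` makes Puppetboard present a client certificate whose CN is `puppetboard` (the `HOSTNAME` hard-coded in the cert-generator init container elsewhere in this patch), but nothing in the patch touches PuppetDB's authorization; if PuppetDB's `auth.conf` restricts `/pdb/query/v4` by certname rather than allowing any CA-signed client, this certname needs an allow entry or every dashboard query fails with 403 after the switch. The three paths here are also silently coupled to that init container's `CERT_DIR`/`HOSTNAME` constants and to the PVC mount, so a rename in one place breaks the other without a schema error. A comment above the block would make the coupling and the server-side precondition explicit: `# Client cert/key are written by the cert-generator initContainer (CN=puppetboard); PuppetDB auth.conf must allow that certname on /pdb/query/v4`.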
@@ -12,7 +12,7 @@ metadata: data: OPENVOXSERVER_PORT: "8140" DNS_ALT_NAMES: "puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet,puppet.k8s.syd1.au.unkin.net" - OPENVOXDB_SERVER_URLS: "http://puppetdb:8080" + OPENVOXDB_SERVER_URLS: "https://puppetdb:8081" CA_ENABLED: "false" CA_HOSTNAME: "puppetca" CA_PORT: "8140" diff --git a/apps/base/puppet/configmap_puppetserver-master-config.yaml b/apps/base/puppet/configmap_puppetserver-master-config.yaml index 9683f6f..2bf4ce7 100644 --- a/apps/base/puppet/configmap_puppetserver-master-config.yaml +++ b/apps/base/puppet/configmap_puppetserver-master-config.yaml @@ -13,6 +13,6 @@ data: OPENVOXSERVER_HOSTNAME: "puppet" OPENVOXSERVER_PORT: "8140" DNS_ALT_NAMES: "puppet,puppetserver-agents-to-puppet,puppetca,puppet-headless,puppetca.k8s.syd1.au.unkin.net,puppet.k8s.syd1.au.unkin.net" - OPENVOXDB_SERVER_URLS: "http://puppetdb:8080" + OPENVOXDB_SERVER_URLS: "https://puppetdb:8081" CA_ALLOW_SUBJECT_ALT_NAMES: "true" PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false" diff --git a/apps/base/puppet/deployment_puppetboard.yaml b/apps/base/puppet/deployment_puppetboard.yaml index 3aec1c8..1d8bb50 100644 --- a/apps/base/puppet/deployment_puppetboard.yaml +++ b/apps/base/puppet/deployment_puppetboard.yaml 
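Review bot: With `https://puppetdb:8081` Puppet Server now verifies PuppetDB's certificate against the Puppet CA and checks the hostname, so PuppetDB's certificate must carry `puppetdb` (the bare service name used here) as a DNS alt name — PuppetDB's own configuration is not part of this patch, so that precondition is unverified from what is visible. The compilers will also authenticate to PuppetDB with their own agent certificates; if PuppetDB's `auth.conf` restricts `/pdb/cmd/v1` and `/pdb/query/v4` by certname, the compiler certnames need an allow entry or catalog/fact/report storage starts failing. A short comment above the key would record both requirements for whoever debugs the first TLS handshake error: `# PuppetDB TLS listener; its cert needs SAN 'puppetdb' and auth.conf must allow the compiler certnames`.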
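Review bot: The unchanged `PUPPETSERVER_JAVA_ARGS` line directly below this change still opens JMX on port 31000 with `-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false`, so after this commit the remaining plaintext, unauthenticated listener on the master pod is the one that exposes JVM management (arbitrary MBean invocation, heap dumps) rather than PuppetDB traffic. That line is pre-existing and out of scope for this patch, but it undercuts the stated goal of securing access to the puppet stack; whether it is reachable depends on the Service/NetworkPolicy definitions, which are not visible here. A follow-up should either drop the `jmxremote` flags, bind them to localhost-only with `-Dcom.sun.management.jmxremote.host=127.0.0.1` (not a standard JDK flag name, verify for the JDK in use) and scrape via a sidecar, or enable `authenticate=true` with a password/access file mounted from a Secret; at minimum a comment above the line noting the exposure would stop it being copied into the compiler ConfigMap, which currently does not carry it.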
@@ -29,6 +29,110 @@ spec: app.kubernetes.io/version: 8.8.0 spec: enableServiceLinks: false + initContainers: + - name: wait-puppetserver + image: curlimages/curl:8.11.1 + imagePullPolicy: IfNotPresent + command: + - sh + - -c + - | + echo 'Waiting for puppetserver to become ready...' + until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do + sleep 2; + done; + echo 'Puppetserver OK ✓' + resources: + limits: + cpu: 20m + memory: 32Mi + requests: + cpu: 20m + memory: 32Mi + - name: cert-generator + image: git.unkin.net/unkin/almalinux9-base:20260308 + imagePullPolicy: IfNotPresent + command: + - sh + - -c + - | + set -e + + # Set the hostname for the certificate + HOSTNAME="puppetboard" + CERT_DIR="/opt/puppetboard/ssl" + + # Create certificate directory + mkdir -p ${CERT_DIR} + + # Check if certificates already exist + if [ -f "${CERT_DIR}/${HOSTNAME}.pem" ] && [ -f "${CERT_DIR}/${HOSTNAME}.key" ] && [ -f "${CERT_DIR}/ca.pem" ]; then + echo "Certificates already exist for ${HOSTNAME}, skipping generation" + exit 0 + fi + + # Request certificate from Puppet CA for Puppetboard + echo "Requesting certificate for ${HOSTNAME} from puppetca service" + + # Generate private key + openssl genrsa -out ${CERT_DIR}/${HOSTNAME}.key 2048 + + # Create certificate signing request (CSR) + openssl req -new -key ${CERT_DIR}/${HOSTNAME}.key \ + -out /tmp/${HOSTNAME}.csr \ + -subj "/CN=${HOSTNAME}" + + # Submit CSR to Puppet CA + echo "Submitting certificate request to Puppet CA..." + curl -X PUT \ + --insecure \ + --data-binary @/tmp/${HOSTNAME}.csr \ + -H "Content-Type: text/plain" \ + https://puppetca:8140/puppet-ca/v1/certificate_request/${HOSTNAME} + + # Wait for certificate to be signed (poll the CA) + echo "Waiting for certificate to be signed..." 
+ for i in {1..30}; do + if curl --insecure -f -s https://puppetca:8140/puppet-ca/v1/certificate/${HOSTNAME} > ${CERT_DIR}/${HOSTNAME}.pem; then + echo "Certificate received for ${HOSTNAME}" + break + fi + echo "Attempt $i: Certificate not ready yet, waiting 10 seconds..." + sleep 10 + done + + # Verify we got the certificate + if [ ! -f "${CERT_DIR}/${HOSTNAME}.pem" ] || [ ! -s "${CERT_DIR}/${HOSTNAME}.pem" ]; then + echo "Failed to obtain certificate for ${HOSTNAME}" + exit 1 + fi + + # Get CA certificate + curl --insecure -f https://puppetca:8140/puppet-ca/v1/certificate/ca > ${CERT_DIR}/ca.pem + + # Set appropriate permissions + chmod 644 ${CERT_DIR}/${HOSTNAME}.pem + chmod 600 ${CERT_DIR}/${HOSTNAME}.key + chmod 644 ${CERT_DIR}/ca.pem + + # Change ownership to puppetboard user (1000:1000) + chown -R 1000:1000 ${CERT_DIR} + + echo "Certificate generation completed for ${HOSTNAME}" + volumeMounts: + - name: puppetboard-certs + mountPath: /opt/puppetboard/ssl + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + securityContext: + runAsUser: 0 + runAsGroup: 0 + allowPrivilegeEscalation: true containers: - name: puppetboard image: ghcr.io/voxpupuli/puppetboard:7.0.1 @@ -56,3 +160,11 @@ spec: capabilities: drop: - all + volumeMounts: + - name: puppetboard-certs + mountPath: /opt/puppetboard/ssl + readOnly: true + volumes: + - name: puppetboard-certs + persistentVolumeClaim: + claimName: puppetboard-certs diff --git a/apps/base/puppet/persistentvolumeclaims.yaml b/apps/base/puppet/persistentvolumeclaims.yaml index 9277ef7..d89b812 100644 --- a/apps/base/puppet/persistentvolumeclaims.yaml +++ b/apps/base/puppet/persistentvolumeclaims.yaml 
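Review bot: The trust anchor for the whole setup — `ca.pem`, which `PUPPETDB_SSL_VERIFY` later points at — is fetched near the end of the cert-generator script with `curl --insecure`, and the CSR PUT and certificate poll before it are `--insecure` too, so PuppetDB verification is only ever as strong as one unauthenticated connection to whatever answers as `puppetca` on the pod network; fetch the CA first and pin the remaining calls with `--cacert` (the master's `DNS_ALT_NAMES` in this patch already include `puppetca`, so hostname verification would pass), or better still mount a pre-distributed CA from a ConfigMap/Secret and compare against it. Two correctness problems sit in the same block: the early exit requires all three files, but `openssl genrsa -out` then overwrites any existing key unconditionally, so a restart after a signing timeout (30×10 s then `exit 1`) mints a fresh key while the CA still holds the original CSR and later hands back a certificate that does not match that key; and the CSR `curl -X PUT` has no `--fail`, so under `set -e` a rejected request (e.g. a CSR for `puppetboard` already pending) is not fatal and the loop polls for five minutes for nothing. The init container also runs as root with `allowPrivilegeEscalation: true` and no capability drop, in contrast to the main container's `drop: - all`; with a pod-level `fsGroup: 1000` (assuming the CephFS CSI driver honours fsGroup) the `chown` is unnecessary and the container can run as 1000 with escalation disabled. `{1..30}` is a bashism under `sh -c` and only works here because AlmaLinux's `/bin/sh` is bash; a POSIX counter removes that dependency. The rewritten script portion and securityContext below; the wait-puppetserver container, resources and volumeMounts are unchanged.
```yaml
      - name: cert-generator
        # … unchanged: image, imagePullPolicy …
        command:
          - sh
          - -c
          - |
            set -e
            HOSTNAME="puppetboard"
            CERT_DIR="/opt/puppetboard/ssl"
            mkdir -p "${CERT_DIR}"
            # … unchanged: "all three files already exist" early exit …

            # Bootstrap trust once, then pin every later CA call to it. Stronger: mount a
            # pre-distributed CA from a ConfigMap/Secret and compare it to what puppetca serves.
            if [ ! -s "${CERT_DIR}/ca.pem" ]; then
              curl --insecure --fail --silent --show-error \
                https://puppetca:8140/puppet-ca/v1/certificate/ca > "${CERT_DIR}/ca.pem"
            fi
            CURL="curl --fail --silent --show-error --cacert ${CERT_DIR}/ca.pem"

            # Reuse an existing key: a retry after a signing timeout must not mint a new one,
            # or the certificate the CA returns for the original CSR will not match it.
            if [ ! -s "${CERT_DIR}/${HOSTNAME}.key" ]; then
              openssl genrsa -out "${CERT_DIR}/${HOSTNAME}.key" 2048
              openssl req -new -key "${CERT_DIR}/${HOSTNAME}.key" \
                -out "/tmp/${HOSTNAME}.csr" -subj "/CN=${HOSTNAME}"
              # --fail: a rejected CSR aborts under set -e instead of polling for nothing
              ${CURL} -X PUT --data-binary "@/tmp/${HOSTNAME}.csr" \
                -H "Content-Type: text/plain" \
                "https://puppetca:8140/puppet-ca/v1/certificate_request/${HOSTNAME}"
            fi

            i=0
            while [ "$i" -lt 30 ]; do   # POSIX sh counter; {1..30} is a bashism
              if ${CURL} "https://puppetca:8140/puppet-ca/v1/certificate/${HOSTNAME}" > "${CERT_DIR}/${HOSTNAME}.pem"; then
                echo "Certificate received for ${HOSTNAME}"
                break
              fi
              i=$((i + 1))
              echo "Attempt $i: Certificate not ready yet, waiting 10 seconds..."
              sleep 10
            done
            # … unchanged: empty-certificate check …

            # Refuse to hand the app a certificate that does not belong to this key.
            if [ "$(openssl x509 -noout -pubkey -in "${CERT_DIR}/${HOSTNAME}.pem")" != \
                 "$(openssl pkey -pubout -in "${CERT_DIR}/${HOSTNAME}.key")" ]; then
              echo "Certificate for ${HOSTNAME} does not match the private key"
              exit 1
            fi
            chmod 644 "${CERT_DIR}/${HOSTNAME}.pem" "${CERT_DIR}/ca.pem"
            chmod 600 "${CERT_DIR}/${HOSTNAME}.key"
            # chown dropped: pod-level fsGroup: 1000 makes the volume writable for the app user
        # … unchanged: volumeMounts, resources …
        securityContext:
          runAsUser: 1000
          runAsGroup: 1000
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - all
```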
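Review bot: The client private key that authenticates Puppetboard to PuppetDB is served to the app from a `persistentVolumeClaim` volume rather than a Secret; any pod in the `puppet` namespace that can reference the claim can mount the same CephFS share and read `puppetboard.key` regardless of the `chmod 600`, it is outside Secret-level RBAC and whatever at-rest encryption the cluster applies to Secrets (cluster-dependent, not visible here), and it is never rotated because the init container skips generation once the files exist. If in-cluster issuance is required, a one-shot Job (or this init container with a ServiceAccount scoped to one Secret) that writes a `kubernetes.io/tls` Secret, mounted here with `secret:` and `defaultMode: 0400`, confines read access to this Deployment. `readOnly: true` on the mount is correct but only prevents the app from writing; it does not narrow who else can read.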
@@ -88,3 +88,21 @@ spec: requests: storage: 1Gi storageClassName: cephrbd-fast-delete +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/component: puppetboard + app.kubernetes.io/instance: puppetserver + app.kubernetes.io/name: puppetserver + app.kubernetes.io/version: 8.8.0 + name: puppetboard-certs + namespace: puppet +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: cephfs-raid6-delete diff --git a/apps/base/puppet/statefulset_puppetserver-compiler.yaml b/apps/base/puppet/statefulset_puppetserver-compiler.yaml index 94bbbf2..38824e6 100644 --- a/apps/base/puppet/statefulset_puppetserver-compiler.yaml +++ b/apps/base/puppet/statefulset_puppetserver-compiler.yaml @@ -52,7 +52,7 @@ spec: - name: DNS_ALT_NAMES value: puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net - name: OPENVOXDB_SERVER_URLS - value: http://puppetdb:8080 + value: https://puppetdb:8081 - name: CA_ENABLED value: "false" - name: CA_HOSTNAME -- 2.47.3
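Review bot: `ReadWriteMany` combined with the check-then-generate logic in the Puppetboard init container has no locking, so if the Deployment ever runs more than one replica (or a rolling update overlaps old and new pods), two init containers can both see no certificate, both write a key to the same path and both PUT a CSR for the single certname `puppetboard`; the CA accepts one request, and the pod holding the other key ends up with a certificate that does not match it or times out after five minutes. If the intent is a single replica, RWX buys nothing and the race is latent; if multiple replicas are intended, certificate generation needs to happen exactly once — a Job that writes a Secret, or a lock file taken with `mkdir "${CERT_DIR}/.lock"` before generating — rather than in every pod's init. 1Gi for three PEM files is also far more than needed; `storage: 10Mi` (or the storage class's minimum) documents the actual footprint.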
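Review bot: This explicit `env` entry carries the same `OPENVOXDB_SERVER_URLS` value that the patch also changes in `configmap_puppetserver-compiler-config.yaml`; if the StatefulSet additionally consumes that ConfigMap via `envFrom` (not visible in this hunk), Kubernetes gives the explicit entry precedence and the ConfigMap key is dead, and either way the two must be edited in lockstep — this very commit had to touch both. Keep a single source of truth: drop this entry and rely on the ConfigMap, or remove the key from the ConfigMap. The same URL is set a third time in `configmap_puppetserver-master-config.yaml`, so a shared ConfigMap key or a Kustomize `replacements` entry would keep all consumers aligned when the PuppetDB endpoint changes again.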