diff --git a/hieradata/common.yaml b/hieradata/common.yaml index ef0a1f5..cc16e0e 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -90,6 +90,9 @@ lookup_options: profiles::consul::prepared_query::rules: merge: strategy: deep + profiles::puppet::server::dns_alt_names: + merge: + strategy: deep facts_path: '/opt/puppetlabs/facter/facts.d' @@ -180,6 +183,8 @@ profiles::packages::remove: profiles::base::scripts::scripts: puppet: puppetwrapper.py +profiles::puppet::client::server: 'puppet.query.consul' +profiles::puppet::client::ca_server: 'puppetca.query.consul' profiles::puppet::client::environment: 'develop' profiles::puppet::client::runinterval: 1800 profiles::puppet::client::runtimeout: 3600 diff --git a/hieradata/country/au/region/drw1/infra/dns/resolver.yaml b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml index 49afb06..157667c 100644 --- a/hieradata/country/au/region/drw1/infra/dns/resolver.yaml +++ b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml @@ -42,3 +42,11 @@ profiles::dns::resolver::zones: - 198.18.17.23 - 198.18.17.24 forward: 'only' + consul-forward: + domain: 'consul' + zone_type: 'forward' + forwarders: + - 198.18.17.34 + - 198.18.17.35 + - 198.18.17.36 + forward: 'only' diff --git a/hieradata/country/au/region/drw1/infra/puppet/master.yaml b/hieradata/country/au/region/drw1/infra/puppet/master.yaml new file mode 100644 index 0000000..1b3d42c --- /dev/null +++ b/hieradata/country/au/region/drw1/infra/puppet/master.yaml @@ -0,0 +1,4 @@ +--- +profiles::puppet::server::dns_alt_names: + - puppetca.main.unkin.net + - puppetca diff --git a/hieradata/country/au/region/syd1/infra/dns/resolver.yaml b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml index ddde7f5..088f065 100644 --- a/hieradata/country/au/region/syd1/infra/dns/resolver.yaml +++ b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml 
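Review bot: `profiles::puppet::client::ca_server: 'puppetca.query.consul'` puts a Consul DNS name on the path every agent uses to fetch its CA certificate on first run, and the resolver hunks forward `.consul` to the Consul servers over plain DNS, so a freshly provisioned node's root of trust is only as strong as that DNS answer until its `ca.pem` is in place. If provisioning already delivers the CA certificate out-of-band (the repo references a cobbler ENC, so it may), a comment next to this key saying so would close the question; otherwise consider pinning `ca_server` to a stable FQDN for bootstrap or shipping `ca.pem` with the image. The `merge: deep` entry for `dns_alt_names` is fine for the array union it is used for.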
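Review bot: The region-level `hieradata/country/au/region/drw1/infra/puppet/master.yaml` adds `puppetca.main.unkin.net` and `puppetca` to `dns_alt_names` for every puppet master in the region, not only the node that sets `is_puppetca: true` (prodinf01n01), so with deep merge each regional master's server certificate becomes valid for the CA hostname. A certificate that can answer as the CA on a non-CA master widens what a compromise of that master buys, since agents point `ca_server` at the `puppetca` names. If only prodinf01n01 is meant to be the CA, these two entries belong in its node file (which already lists them) and can be dropped here; if regional CAs are planned, a comment stating that intent would help the reader.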
@@ -42,3 +42,11 @@ profiles::dns::resolver::zones: - 198.18.13.14 - 198.18.13.15 forward: 'only' + consul-forward: + domain: 'consul' + zone_type: 'forward' + forwarders: + - 198.18.13.19 + - 198.18.13.20 + - 198.18.13.21 + forward: 'only' diff --git a/hieradata/country/au/region/syd1/infra/puppet/master.yaml b/hieradata/country/au/region/syd1/infra/puppet/master.yaml new file mode 100644 index 0000000..1b3d42c --- /dev/null +++ b/hieradata/country/au/region/syd1/infra/puppet/master.yaml @@ -0,0 +1,4 @@ +--- +profiles::puppet::server::dns_alt_names: + - puppetca.main.unkin.net + - puppetca diff --git a/hieradata/nodes/prodinf01n01.main.unkin.net.yaml b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml new file mode 100644 index 0000000..a909eb0 --- /dev/null +++ b/hieradata/nodes/prodinf01n01.main.unkin.net.yaml @@ -0,0 +1,9 @@ +--- +profiles::puppet::server::dns_alt_names: + - puppetca.main.unkin.net + - puppetca.service.consul + - puppetca.query.consul + - puppetca + +profiles::puppet::puppetca::is_puppetca: true +profiles::puppet::puppetca::allow_subject_alt_names: true diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml index ceb8863..10751b9 100644 --- a/hieradata/roles/infra/dns/resolver.yaml +++ b/hieradata/roles/infra/dns/resolver.yaml @@ -61,14 +61,6 @@ profiles::dns::resolver::zones: - 10.10.16.32 - 10.10.16.33 forward: 'only' - service.consul-forward: - domain: 'service.consul' - zone_type: 'forward' - forwarders: - - 198.18.13.19 - - 198.18.13.20 - - 198.18.13.21 - forward: 'only' profiles::dns::resolver::views: openforwarder: @@ -79,7 +71,7 @@ profiles::dns::resolver::views: - dmz.unkin.net-forward - network.unkin.net-forward - prod.unkin.net-forward - - service.consul-forward + - consul-forward - 13.18.198.in-addr.arpa-forward - 14.18.198.in-addr.arpa-forward - 15.18.198.in-addr.arpa-forward 
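Review bot: `profiles::puppet::puppetca::allow_subject_alt_names: true` is enabled on the CA while `profiles::puppet::autosign` stays included on the master (puppetmaster.pp hunk), so any host matching the autosign subnet or domain rules can submit a CSR carrying a SAN such as `puppet.query.consul` or `puppetca` and have it signed without review; agents resolving those names would then accept that host as their master or CA. Puppet's CA has no per-certname SAN allowlist, so the control has to live in the signing policy: either refuse to autosign CSRs that contain a subjectAltName extension unless the certname is on an infra allowlist, or sign infrastructure certificates by hand and leave this setting false otherwise. A one-line comment above this key recording which of those controls is in place would make the trade-off reviewable.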
diff --git a/hieradata/roles/infra/puppet.yaml b/hieradata/roles/infra/puppet.yaml new file mode 100644 index 0000000..6ae5977 --- /dev/null +++ b/hieradata/roles/infra/puppet.yaml @@ -0,0 +1,3 @@ +--- +profiles::packages::install: + - puppetserver diff --git a/hieradata/roles/infra/puppet/master.eyaml b/hieradata/roles/infra/puppet/master.eyaml index 46f1d03..8f8fdd4 100644 --- a/hieradata/roles/infra/puppet/master.eyaml +++ b/hieradata/roles/infra/puppet/master.eyaml @@ -1,3 +1,5 @@ --- certmanager::vault_token: ENC[PKCS7,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] certmanager::role_id: ENC[PKCS7,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] +profiles::puppet::eyaml::publickey: ENC[PKCS7,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] +profiles::puppet::eyaml::privatekey: ENC[PKCS7,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] diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index 9d5468b..07ae874 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml 
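Review bot: `profiles::puppet::eyaml::privatekey` stores the hiera-eyaml private key inside an eyaml-encrypted file; if it is wrapped with the same keypair it distributes, a master that does not already hold the key cannot decrypt this file to obtain it, so the entry only works as a re-sync and bootstrap remains manual. If it is encrypted with a different bootstrap key, say so in a comment above the two keys, because a reader will otherwise assume the circular case. Either way the key that unlocks every other secret in hieradata now lives in the control repo, so read access to this repository plus the wrapping key equals access to all eyaml secrets; confirm that is acceptable versus fetching it from Vault, for which this same file already carries credentials (`certmanager::vault_token`, `certmanager::role_id`).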
@@ -36,3 +36,40 @@ profiles::helpers::certmanager::vault_config: role_name: 'servers_default' output_path: '/tmp/certmanager' role_id: "%{lookup('certmanager::role_id')}" + +profiles::puppet::server::agent_server: 'puppet.query.consul' +profiles::puppet::server::report_server: 'puppet.query.consul' +profiles::puppet::server::ca_server: 'puppetca.query.consul' +profiles::puppet::server::dns_alt_names: + - "%{facts.networking.fqdn}" + - "%{facts.networking.hostname}" + - puppetmaster.main.unkin.net + - puppet.main.unkin.net + - puppet.service.consul + - puppet.query.consul + - puppetmaster + - puppet + +consul::services: + puppet: + service_name: 'puppet' + tags: + - 'puppet' + - 'master' + address: "%{facts.networking.ip}" + port: 8140 + checks: + - id: 'puppet_https_check' + name: 'Puppet HTTPS Check' + http: "https://%{facts.networking.fqdn}:8140/status/v1/simple" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: puppet + disposition: write + - resource: service + segment: puppetca + disposition: write diff --git a/site/profiles/manifests/puppet/autosign.pp b/site/profiles/manifests/puppet/autosign.pp index 0c75d25..b154aea 100644 --- a/site/profiles/manifests/puppet/autosign.pp +++ b/site/profiles/manifests/puppet/autosign.pp 
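Review bot: `profiles::consul::client::node_rules` grants `service puppetca write` to every node in the puppet master role, while only the host with `is_puppetca: true` registers the `puppetca` service (puppetca.pp), so any regional master's Consul token can register or overwrite `puppetca` and steer `puppetca.query.consul` at itself. The `puppetca` rule belongs in the node-level hiera of the CA host (or behind the same `is_puppetca` flag) so an ordinary master cannot claim the CA name. Separately, `tls_skip_verify: true` on the health check is understandable because the listener presents a Puppet-CA-issued certificate, but it means the check passes against anything answering on 8140; if the Consul agent can be given the Puppet CA bundle, verification is cheap here and worth a comment either way.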
@@ -4,35 +4,6 @@ # based on specified subnet ranges and domain patterns. # It is useful in environments where nodes are dynamically provisioned and # require automatic certificate signing without manual intervention. -# -# Parameters: -# - `subnet_ranges`: An array of IP subnet ranges in CIDR notation. -# Nodes with IP addresses within these ranges will have their -# certificates autosigned. -# Default: [] -# Example: ['198.18.17.0/24'] -# -# - `domains`: An array of domain patterns. -# Nodes with hostnames matching these patterns will have their -# certificates autosigned. -# Default: [] -# Example: ['*.main.unkin.net', '*.secondary.unkin.net'] -# -# - `nodes`: An array of specific node names. -# Nodes with hostnames matching these will have their -# certificates autosigned. -# Default: [] -# Example: ['somenode.main.unkin.net', 'othernode.secondary.unkin.net'] -# Usage: -# -# To include this class with custom parameters: -# class { 'profiles::puppet::autosign': -# subnet_ranges => ['198.18.17.0/24', '198.18.18.0/24'], -# domains => ['*.main.unkin.net', '*.dev.unkin.net'], -# nodes => ['somenode.main.unkin.net', 'othernode.dev.unkin.net'], -# } -# -# Alternatively, configure subnet ranges and domains through Hiera. class profiles::puppet::autosign ( Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges = [], Array[String[1]] $domains = [], diff --git a/site/profiles/manifests/puppet/client.pp b/site/profiles/manifests/puppet/client.pp index 973f621..e0f1dd2 100644 --- a/site/profiles/manifests/puppet/client.pp +++ b/site/profiles/manifests/puppet/client.pp 
@@ -14,14 +14,18 @@ class profiles::puppet::client ( Boolean $usecacheonfailure = false, ) { - # Assuming you want to manage puppet.conf with this profile - file { '/etc/puppetlabs/puppet/puppet.conf': - ensure => 'present', - content => template('profiles/puppet/client/puppet.conf.erb'), - owner => 'root', - group => 'root', - mode => '0644', - notify => Service['puppet'], + # dont manage puppet.conf if this is a puppetmaster + if $facts['enc_role'] != 'roles::infra::puppet::master' { + + # Assuming you want to manage puppet.conf with this profile + file { '/etc/puppetlabs/puppet/puppet.conf': + ensure => 'present', + content => template('profiles/puppet/client/puppet.conf.erb'), + owner => 'root', + group => 'root', + mode => '0644', + notify => Service['puppet'], + } } } diff --git a/site/profiles/manifests/puppet/enc.pp b/site/profiles/manifests/puppet/enc.pp index b0a4a49..fcfeec7 100644 --- a/site/profiles/manifests/puppet/enc.pp +++ b/site/profiles/manifests/puppet/enc.pp 
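Review bot: The new guard `if $facts['enc_role'] != 'roles::infra::puppet::master'` decides what gets managed from a fact, and facts are reported by the agent (common.yaml points `facts_path` at `/opt/puppetlabs/facter/facts.d`, so a node can write one); if `enc_role` is really produced by the ENC, prefer the ENC-supplied top-scope variable or `$trusted['extensions']`, which the agent cannot set. The consequence here is only that a node can opt out of having its `puppet.conf` managed, but the same literal gates the server classes in puppetmaster.pp, so one shared check would be better than two copies of the string. The comment should read `# don't manage puppet.conf if this is a puppetmaster`.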
@@ -4,35 +4,6 @@ # systemd service and timer to keep the repository updated every minute. # The Git package is installed if not present, and the repository at the given # location will always reflect the state of the remote Git repository. -# -# Parameters: -# - enc_repo: The URL of the Git repository to clone. -# -# Actions: -# - Ensures the Git package is installed. -# - Ensures the /opt/puppetlabs/enc directory is a clone of the given Git repository. -# - Creates a helper script '/opt/puppetlabs/bin/git_update' for updating the Git repository. -# - Creates a systemd service and timer that runs the git update script every minute. -# -# Usage: -# Directly include the class in your node definitions or classify your nodes -# using an ENC or Hiera. -# Example: -# node 'puppet.example.com' { -# class { 'profiles::puppet::enc': -# enc_repo => 'https://github.com/user/repo.git', -# } -# } -# -# Requirements: -# - The 'puppet-vcsrepo' module should be installed on your puppetmaster. -# - The 'puppet-systemd' module should be installed on your puppetmaster. -# - '/opt/puppetlabs/bin/' directory must exist and be writable. -# - Puppet master must have access to the specified Git URL. -# -# Limitations: -# This is designed to work on Unix-like systems only. -# class profiles::puppet::enc ( String $repo, String $release = 'master', diff --git a/site/profiles/manifests/puppet/eyaml.pp b/site/profiles/manifests/puppet/eyaml.pp new file mode 100644 index 0000000..093e9c2 --- /dev/null +++ b/site/profiles/manifests/puppet/eyaml.pp 
@@ -0,0 +1,41 @@
+# profiles::puppet::eyaml
+class profiles::puppet::eyaml (
+ String $privatekey = '',
+ String $publickey = '',
+) {
+
+ # create the /var/lib/puppet/keys directory
+ file { '/var/lib/puppet':
+ ensure => 'directory',
+ owner => 'puppet',
+ group => 'root',
+ mode => '0755',
+ }
+ file { '/var/lib/puppet/keys':
+ ensure => 'directory',
+ owner => 'puppet',
+ group => 'root',
+ mode => '0755',
+ require => File['/var/lib/puppet']
+ }
+ # manage the eyaml private key
+ file { '/var/lib/puppet/keys/private_key.pkcs7.pem':
+ ensure => 'file',
+ owner => 'puppet',
+ group => 'root',
+ mode => '0400',
+ content => Sensitive($privatekey),
+ before => Service['puppetserver'],
+ require => File['/var/lib/puppet/keys'],
+ }
+ # manage the eyaml private key
+ file { '/var/lib/puppet/keys/public_key.pkcs7.pem':
+ ensure => 'file',
+ owner => 'puppet',
+ group => 'root',
+ mode => '0400',
+ content => Sensitive($publickey),
+ before => Service['puppetserver'],
+ require => File['/var/lib/puppet/keys'],
+ }
+}
diff --git a/site/profiles/manifests/puppet/g10k.pp b/site/profiles/manifests/puppet/g10k.pp
index eddb6f1..3a2af5e 100644
--- a/site/profiles/manifests/puppet/g10k.pp
+++ b/site/profiles/manifests/puppet/g10k.pp
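Review bot: `String $privatekey = ''` and `String $publickey = ''` mean that when the hiera lookup yields nothing (for example a new master that cannot yet decrypt master.eyaml) the class silently writes empty key files and lets `puppetserver` start, breaking every eyaml lookup with no obvious cause; type them `Sensitive[String[1]]` (or at least `String[1]`) so compilation fails instead, and then pass `content => $privatekey` directly rather than re-wrapping it. Typing the parameters `Sensitive[...]` also keeps the key redacted anywhere the class parameters are serialised, not only in the file diff. The comment on the second resource is a copy of the first and should read `# manage the eyaml public key`. Mode `0400` on the public key is harmless but `0444` would let operators encrypt values without becoming `puppet`.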
@@ -5,31 +5,6 @@ # The latest release of g10k is downloaded from GitHub and placed into '/opt/puppetlabs/bin'. # Additionally, it creates a helper script to easily run g10k with the appropriate configuration. # It also creates a systemd service and timer that runs the g10k script every minute. -# -# Parameters: None -# -# Actions: -# - Downloads the latest g10k release from GitHub. -# - Extracts the download and places the executable in '/opt/puppetlabs/bin'. -# - Creates a helper script '/opt/puppetlabs/bin/puppet-g10k' for easy usage of g10k. -# - Creates a systemd service and timer that runs the g10k script every minute. -# -# Usage: -# Directly including the class in your node definitions or classify your nodes -# using an ENC or Hiera. -# Example: -# node 'puppet.example.com' { -# include profiles::puppet::g10k -# } -# -# Requirements: -# - The 'puppet-archive' module should be installed in your puppetmaster. -# - The 'puppet-systemd' module should be installed on your puppetmaster. -# - '/opt/puppetlabs/bin/' directory must exist and be writable. -# - Puppet master must have access to the GitHub URL. -# -# Limitations: -# This is designed to work on Unix-like systems only. class profiles::puppet::g10k ( String $bin_path, String $cfg_path, diff --git a/site/profiles/manifests/puppet/puppetca.pp b/site/profiles/manifests/puppet/puppetca.pp new file mode 100644 index 0000000..e94ecad --- /dev/null +++ b/site/profiles/manifests/puppet/puppetca.pp 
@@ -0,0 +1,56 @@
+# Class: profiles::puppet::puppetca
+#
+# This class manages Puppet CA
+class profiles::puppet::puppetca (
+ Boolean $allow_subject_alt_names = false,
+ Boolean $allow_authorization_extensions = false,
+ Boolean $enable_infra_crl = false,
+ Boolean $is_puppetca = false,
+) {
+
+ # manage the ca.cfg file
+ file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('profiles/puppet/puppet_ca.cfg.erb'),
+ notify => Service['puppetserver'],
+ }
+
+ # manage the crl file
+ if $is_puppetca {
+ # export the puppet crl.pem
+ @@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
+ ensure => file,
+ content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
+ tag => 'crl_pem_export',
+ }
+ }else{
+ # import the puppet crl.pem
+ File <<| tag == 'crl_pem_export' |>> {
+ require => Service['puppetserver'],
+ }
+ }
+
+ # register the PuppetCA service with consul
+ if $is_puppetca {
+ consul::service { 'puppetca':
+ service_name => 'puppetca',
+ tags => ['ca', 'puppet', 'ssl'],
+ address => $facts['networking']['ip'],
+ port => 8140,
+ checks => [
+ {
+ id => 'puppetca_https_check',
+ name => 'PuppetCA HTTPS Check',
+ http => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
+ method => 'GET',
+ tls_skip_verify => true,
+ interval => '10s',
+ timeout => '1s',
+ }
+ ],
+ }
+ }
+}
diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp
index a5b7c74..79ce387 100644
--- a/site/profiles/manifests/puppet/puppetmaster.pp
+++ b/site/profiles/manifests/puppet/puppetmaster.pp
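Review bot: The exported `@@file` uses `content => file('/etc/puppetlabs/puppet/ssl/crl.pem')`, and `file()` reads from the filesystem of the master that compiles the catalog, not from the CA host; since every master, the CA included, now points its agent at `puppet.query.consul` (roles master.yaml), the CRL shipped to the other masters is whichever copy the compiling master holds, which can be stale if revocations only happen on the CA. Guard the export with `$server_facts['servername'] == $facts['networking']['fqdn']` so it is only exported when the CA compiled its own catalog, or drop the export and let the other masters fetch the CRL from `ca_server` as agents do. The importing side should also carry `notify => Service['puppetserver']`, since a changed CRL on disk is probably not re-read without a restart; confirm against the puppetserver version in use. As in the roles hiera, `tls_skip_verify => true` on the health check accepts any listener on 8140.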
@@ -2,66 +2,37 @@ # # This class manages the puppetmaster using the ghoneycutt-puppet module. # It manages the server settings in the puppet.conf file. -# -# Parameters: None -# -# Actions: -# - Sets up the server, main, agent, and master sections in the puppet.conf file -# -# Usage: -# Directly include the class in your node definitions or classify your nodes -# using an ENC or Hiera. -# Example: -# node 'puppet.example.com' { -# include profiles::puppet::puppetmaster -# } -# -# Requirements: -# - The 'ghoneycutt/puppet' module should be installed in your Puppet master. -# - Puppet master must have access to the necessary directories. -# -# Limitations: -# This is designed to work on Unix-like systems. class profiles::puppet::puppetmaster ( - String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'), + Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef), ) { - include profiles::puppet::r10k - include profiles::puppet::g10k - include profiles::puppet::enc - include profiles::puppet::cobbler_enc - include profiles::puppet::autosign - include profiles::puppet::gems - include profiles::helpers::certmanager - class { 'puppetdb::master::config': - puppetdb_server => $puppetdb_host, - manage_storeconfigs => false, + if $facts['enc_role'] == 'roles::infra::puppet::master' { + + include profiles::puppet::r10k + include profiles::puppet::g10k + include profiles::puppet::enc + include profiles::puppet::cobbler_enc + include profiles::puppet::autosign + include profiles::puppet::gems + include profiles::helpers::certmanager + include profiles::puppet::server + include profiles::puppet::puppetca + include profiles::puppet::eyaml + + class { 'puppetdb::master::config': + puppetdb_server => $puppetdb_host, + manage_storeconfigs => false, + } + + Package['puppetserver'] + -> Class['profiles::puppet::gems'] + -> Class['profiles::puppet::r10k'] + -> Class['profiles::puppet::g10k'] + -> 
Class['profiles::puppet::enc'] + -> Class['profiles::puppet::cobbler_enc'] + -> Class['profiles::puppet::autosign'] + -> Class['puppetdb::master::config'] + -> Class['profiles::puppet::server'] } - class { 'profiles::puppet::server': - vardir => '/opt/puppetlabs/server/data/puppetserver', - logdir => '/var/log/puppetlabs/puppetserver', - rundir => '/var/run/puppetlabs/puppetserver', - pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid', - codedir => '/etc/puppetlabs/code', - dns_alt_names => [ - 'prodinf01n01.main.unkin.net', - 'puppet.main.unkin.net', - 'puppetca.main.unkin.net', - 'puppetmaster.main.unkin.net', - 'puppet', - 'puppetca', - 'puppetmaster', - ], - server => 'prodinf01n01.main.unkin.net', - node_terminus => 'exec', - external_nodes => '/opt/cobbler-enc/cobbler-enc', - autosign => '/etc/puppetlabs/puppet/autosign.conf', - default_manifest => '/etc/puppetlabs/code/environments/develop/manifests', - default_environment => 'develop', - storeconfigs => true, - storeconfigs_backend => 'puppetdb', - reports => 'puppetdb', - usecacheonfailure => false, - } } diff --git a/site/profiles/manifests/puppet/r10k.pp b/site/profiles/manifests/puppet/r10k.pp index baa16d5..e366953 100644 --- a/site/profiles/manifests/puppet/r10k.pp +++ b/site/profiles/manifests/puppet/r10k.pp 
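Review bot: `profiles::puppet::puppetca` and `profiles::puppet::eyaml` are included but left out of the `Package['puppetserver'] -> ...` chain; puppetca writes `/etc/puppetlabs/puppetserver/conf.d/ca.conf`, a directory the package creates, so on a first run the file resource can be applied before the package is installed (eyaml at least orders itself `before => Service['puppetserver']`). Add `-> Class['profiles::puppet::puppetca']` and `-> Class['profiles::puppet::eyaml']` to the chain directly after `Package['puppetserver']`. The whole body is now gated on `$facts['enc_role'] == 'roles::infra::puppet::master'`; if that fact comes from the agent's facts.d rather than the ENC, a node can flip it, so prefer the ENC's top-scope variable or `$trusted` data for role gating. `Package['puppetserver']` only exists in the catalog through hiera `profiles::packages::install` (roles/infra/puppet.yaml), so the reference fails to compile for any node that reaches this class without that data.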
@@ -4,35 +4,6 @@ # systemd service and timer to keep the repository updated every minute. # The Git package is installed if not present, and the repository at the given # location will always reflect the state of the remote Git repository. -# -# Parameters: -# - r10k_repo: The URL of the Git repository to clone. -# -# Actions: -# - Ensures the Git package is installed. -# - Ensures the /etc/puppetlabs/r10k directory is a clone of the given Git repository. -# - Creates a helper script '/opt/puppetlabs/bin/puppet-r10k' for updating the Git repository. -# - Creates a systemd service and timer that runs the git update script every minute. -# -# Usage: -# Directly include the class in your node definitions or classify your nodes -# using an enc or Hiera. -# Example: -# node 'puppet.example.com' { -# class { 'profiles::puppet::r10k': -# r10k_repo => 'https://github.com/user/repo.git', -# } -# } -# -# Requirements: -# - The 'puppet-vcsrepo' module should be installed on your puppetmaster. -# - The 'puppet-systemd' module should be installed on your puppetmaster. -# - '/opt/puppetlabs/bin/' directory must exist and be writable. -# - Puppet master must have access to the specified Git URL. -# -# Limitations: -# This is designed to work on Unix-like systems only. -# class profiles::puppet::r10k ( String $r10k_repo, ){ diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp index 4930582..771d41a 100644 --- a/site/profiles/manifests/puppet/server.pp +++ b/site/profiles/manifests/puppet/server.pp 
@@ -1,36 +1,33 @@ # Class: profiles::puppet::server # # This class manages Puppet server's configuration and service. -# -# Parameters: -# vardir - Directory path for variable data. -# logdir - Directory path for logs. -# rundir - Directory path for run-time data. -# pidfile - File path for the PID file. -# codedir - Directory path for code data. -# dns_alt_names - Array of alternate DNS names for the server. -# server - Server's name. -# node_terminus - Node terminus. -# external_nodes - Path to the external node classifier script. -# autosign - Path to the autosign script. -# class profiles::puppet::server ( - String $vardir, - String $logdir, - String $rundir, - String $pidfile, - String $codedir, - Array[String[1]] $dns_alt_names, - String $server, - String $node_terminus, - String $external_nodes, - String $autosign, - String $default_manifest, - String $default_environment, - Boolean $storeconfigs, - String $storeconfigs_backend, - String $reports, - Boolean $usecacheonfailure, + Stdlib::Absolutepath $vardir = '/opt/puppetlabs/server/data/puppetserver', + Stdlib::Absolutepath $logdir = '/var/log/puppetlabs/puppetserver', + Stdlib::Absolutepath $rundir = '/var/run/puppetlabs/puppetserver', + Stdlib::Absolutepath $pidfile = '/var/run/puppetlabs/puppetserver/puppetserver.pid', + Stdlib::Absolutepath $codedir = '/etc/puppetlabs/code', + Array[String] $dns_alt_names = [ + $facts['networking']['fqdn'], + $facts['networking']['hostname'], + ], + Stdlib::Fqdn $agent_server = 'puppetmaster', + Stdlib::Fqdn $report_server = $agent_server, + Stdlib::Fqdn $ca_server = 'puppetca', + String $node_terminus = 'exec', + String $external_nodes = '/opt/cobbler-enc/cobbler-enc', + String $default_environment = 'develop', + String $environment = 'develop', + Stdlib::Absolutepath $autosign = '/etc/puppetlabs/puppet/autosign.conf', + Stdlib::Absolutepath $default_manifest = "${codedir}/environments/${default_environment}/manifests", + String $reports = 'puppetdb', + Boolean 
$storeconfigs = true, + String $storeconfigs_backend = 'puppetdb', + Boolean $usecacheonfailure = false, + Boolean $report = true, + Integer $runinterval = 1800, + Integer $runtimeout = 3600, + Boolean $show_diff = true, ) { file { '/etc/puppetlabs/puppet/puppet.conf': @@ -44,8 +41,15 @@ class profiles::puppet::server ( 'rundir' => $rundir, 'pidfile' => $pidfile, 'codedir' => $codedir, - 'dns_alt_names' => join($dns_alt_names, ','), - 'server' => $server, + 'dns_alt_names' => join(sort($dns_alt_names), ','), + 'server' => $agent_server, + 'ca_server' => $ca_server, + 'environment' => $environment, + 'report' => $report, + 'runinterval' => $runinterval, + 'runtimeout' => $runtimeout, + 'show_diff' => $show_diff, + 'report_server' => $report_server, 'node_terminus' => $node_terminus, 'external_nodes' => $external_nodes, 'autosign' => $autosign, diff --git a/site/profiles/templates/puppet/puppet_ca.cfg.erb b/site/profiles/templates/puppet/puppet_ca.cfg.erb new file mode 100644 index 0000000..a119784 --- /dev/null +++ b/site/profiles/templates/puppet/puppet_ca.cfg.erb @@ -0,0 +1,10 @@ +certificate-authority: { + # allow CA to sign certificate requests that have subject alternative names. + allow-subject-alt-names: <%= @allow_subject_alt_names %> + + # allow CA to sign certificate requests that have authorization extensions. + allow-authorization-extensions: <%= @allow_authorization_extensions %> + + # enable the separate CRL for Puppet infrastructure nodes + enable-infra-crl: <%= @enable_infra_crl %> +} diff --git a/site/profiles/templates/puppet/server/puppet.conf.epp b/site/profiles/templates/puppet/server/puppet.conf.epp index 226346d..dbb93ee 100644 --- a/site/profiles/templates/puppet/server/puppet.conf.epp +++ b/site/profiles/templates/puppet/server/puppet.conf.epp 
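Review bot: `Array[String] $dns_alt_names` loosens the previous `Array[String[1]]`, so an empty string arriving from any hiera layer now survives `sort`/`join` and yields a stray `,` in `dns_alt_names`, which is at best ignored and at worst rejected when the CSR is generated; keep `Array[String[1]]`. `Stdlib::Fqdn $agent_server = 'puppetmaster'` also accepts bare short names, which the defaults rely on, so the type adds little over `String[1]` and may mislead a reader into thinking a qualified name is enforced. Since this hunk also writes `ca_server` and `report_server` into the master's own `[agent]` section, the master's agent will fetch its certificate and CRL from `puppetca.query.consul` rather than its local CA; if that split is intended, a short comment on the `ca_server` parameter would record it.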
@@ -10,9 +10,16 @@ dns_alt_names = <%= $dns_alt_names %> [agent] server = <%= $server %> +ca_server = <%= $ca_server %> +environment = <%= $environment %> +report = <%= $report %> +report_server = <%= $report_server %> +runinterval = <%= $runinterval %> +runtimeout = <%= $runtimeout %> +show_diff = <%= $show_diff %> [master] -node_terminus = exec +node_terminus = <%= $node_terminus %> external_nodes = <%= $external_nodes %> autosign = <%= $autosign %> default_manifest = <%= $default_manifest %>