Merge branch 'develop' into neoloc/consul_wan

Conflicts:
	hieradata/common.yaml
2024-05-05 18:01:41 +10:00
21 changed files with 271 additions and 218 deletions
@@ -4,35 +4,6 @@
# based on specified subnet ranges and domain patterns.
# It is useful in environments where nodes are dynamically provisioned and
# require automatic certificate signing without manual intervention.
#
# Parameters:
# - `subnet_ranges`: An array of IP subnet ranges in CIDR notation.
# Nodes with IP addresses within these ranges will have their
# certificates autosigned.
# Default: []
# Example: ['198.18.17.0/24']
#
# - `domains`: An array of domain patterns.
# Nodes with hostnames matching these patterns will have their
# certificates autosigned.
# Default: []
# Example: ['*.main.unkin.net', '*.secondary.unkin.net']
#
# - `nodes`: An array of specific node names.
# Nodes with hostnames matching these will have their
# certificates autosigned.
# Default: []
# Example: ['somenode.main.unkin.net', 'othernode.secondary.unkin.net']
# Usage:
#
# To include this class with custom parameters:
# class { 'profiles::puppet::autosign':
# subnet_ranges => ['198.18.17.0/24', '198.18.18.0/24'],
# domains => ['*.main.unkin.net', '*.dev.unkin.net'],
# nodes => ['somenode.main.unkin.net', 'othernode.dev.unkin.net'],
# }
#
# Alternatively, configure subnet ranges and domains through Hiera.
class profiles::puppet::autosign (
Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges = [],
Array[String[1]] $domains = [],
+12 -8
@@ -14,14 +14,18 @@ class profiles::puppet::client (
Boolean $usecacheonfailure = false,
) {
# Assuming you want to manage puppet.conf with this profile
file { '/etc/puppetlabs/puppet/puppet.conf':
ensure => 'present',
content => template('profiles/puppet/client/puppet.conf.erb'),
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['puppet'],
# dont manage puppet.conf if this is a puppetmaster
if $facts['enc_role'] != 'roles::infra::puppet::master' {
# Assuming you want to manage puppet.conf with this profile
file { '/etc/puppetlabs/puppet/puppet.conf':
ensure => 'present',
content => template('profiles/puppet/client/puppet.conf.erb'),
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['puppet'],
}
}
}
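Review bot: The new guard `if $facts['enc_role'] != 'roles::infra::puppet::master'` branches on a plain fact, which the agent reports itself and the server does not verify. Here the worst case is a node whose puppet.conf goes unmanaged, but the same fact gates `profiles::puppet::puppetmaster` later in this commit, where it decides which nodes get `profiles::puppet::eyaml` (the eyaml private key) and `profiles::puppet::autosign`. If either class can be reached by a non-master node, prefer a value the node cannot set, such as a Hiera-driven Boolean like the `is_puppetca` parameter this commit adds, or a certificate extension read from `$trusted['extensions']`. The comment `# Assuming you want to manage puppet.conf with this profile` could also say why masters are skipped (presumably because `profiles::puppet::server` declares the same file).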
-29
@@ -4,35 +4,6 @@
# systemd service and timer to keep the repository updated every minute.
# The Git package is installed if not present, and the repository at the given
# location will always reflect the state of the remote Git repository.
#
# Parameters:
# - enc_repo: The URL of the Git repository to clone.
#
# Actions:
# - Ensures the Git package is installed.
# - Ensures the /opt/puppetlabs/enc directory is a clone of the given Git repository.
# - Creates a helper script '/opt/puppetlabs/bin/git_update' for updating the Git repository.
# - Creates a systemd service and timer that runs the git update script every minute.
#
# Usage:
# Directly include the class in your node definitions or classify your nodes
# using an ENC or Hiera.
# Example:
# node 'puppet.example.com' {
# class { 'profiles::puppet::enc':
# enc_repo => 'https://github.com/user/repo.git',
# }
# }
#
# Requirements:
# - The 'puppet-vcsrepo' module should be installed on your puppetmaster.
# - The 'puppet-systemd' module should be installed on your puppetmaster.
# - '/opt/puppetlabs/bin/' directory must exist and be writable.
# - Puppet master must have access to the specified Git URL.
#
# Limitations:
# This is designed to work on Unix-like systems only.
#
class profiles::puppet::enc (
String $repo,
String $release = 'master',
+41
@@ -0,0 +1,41 @@
# profiles::puppet::eyaml
class profiles::puppet::eyaml (
String $privatekey = '',
String $publickey = '',
) {
# create the /var/lib/puppet/keys directory
file { '/var/lib/puppet':
ensure => 'directory',
owner => 'puppet',
group => 'root',
mode => '0755',
}
file { '/var/lib/puppet/keys':
ensure => 'directory',
owner => 'puppet',
group => 'root',
mode => '0755',
require => File['/var/lib/puppet']
}
# manage the eyaml private key
file { '/var/lib/puppet/keys/private_key.pkcs7.pem':
ensure => 'file',
owner => 'puppet',
group => 'root',
mode => '0400',
content => Sensitive($privatekey),
before => Service['puppetserver'],
require => File['/var/lib/puppet/keys'],
}
# manage the eyaml private key
file { '/var/lib/puppet/keys/public_key.pkcs7.pem':
ensure => 'file',
owner => 'puppet',
group => 'root',
mode => '0400',
content => Sensitive($publickey),
before => Service['puppetserver'],
require => File['/var/lib/puppet/keys'],
}
}
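Review bot: `/var/lib/puppet/keys` is created with `mode => '0755'`, so every local user can list the key directory and only the 0400 file mode protects the private key; `mode => '0700',` fits better, since the puppet user is the only reader. Both parameters default to `''`, so a missing Hiera value writes an empty `private_key.pkcs7.pem` instead of failing the compile. Declaring `Sensitive[String[1]] $privatekey,` with no default (and `convert_to: 'Sensitive'` in `lookup_options`) would fail early and keep the value wrapped from lookup onward. The second `# manage the eyaml private key` comment sits above the public key resource and should read `# manage the eyaml public key`.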
-25
@@ -5,31 +5,6 @@
# The latest release of g10k is downloaded from GitHub and placed into '/opt/puppetlabs/bin'.
# Additionally, it creates a helper script to easily run g10k with the appropriate configuration.
# It also creates a systemd service and timer that runs the g10k script every minute.
#
# Parameters: None
#
# Actions:
# - Downloads the latest g10k release from GitHub.
# - Extracts the download and places the executable in '/opt/puppetlabs/bin'.
# - Creates a helper script '/opt/puppetlabs/bin/puppet-g10k' for easy usage of g10k.
# - Creates a systemd service and timer that runs the g10k script every minute.
#
# Usage:
# Directly including the class in your node definitions or classify your nodes
# using an ENC or Hiera.
# Example:
# node 'puppet.example.com' {
# include profiles::puppet::g10k
# }
#
# Requirements:
# - The 'puppet-archive' module should be installed in your puppetmaster.
# - The 'puppet-systemd' module should be installed on your puppetmaster.
# - '/opt/puppetlabs/bin/' directory must exist and be writable.
# - Puppet master must have access to the GitHub URL.
#
# Limitations:
# This is designed to work on Unix-like systems only.
class profiles::puppet::g10k (
String $bin_path,
String $cfg_path,
@@ -0,0 +1,56 @@
# Class: profiles::puppet::puppetca
#
# This class manages Puppet CA
class profiles::puppet::puppetca (
Boolean $allow_subject_alt_names = false,
Boolean $allow_authorization_extensions = false,
Boolean $enable_infra_crl = false,
Boolean $is_puppetca = false,
) {
# manage the ca.cfg file
file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0644',
content => template('profiles/puppet/puppet_ca.cfg.erb'),
notify => Service['puppetserver'],
}
# manage the crl file
if $is_puppetca {
# export the puppet crl.pem
@@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
ensure => file,
content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
tag => 'crl_pem_export',
}
}else{
# import the puppet crl.pem
File <<| tag == 'crl_pem_export' |>> {
require => Service['puppetserver'],
}
}
# register the PuppetCA service with consul
if $is_puppetca {
consul::service { 'puppetca':
service_name => 'puppetca',
tags => ['ca', 'puppet', 'ssl'],
address => $facts['networking']['ip'],
port => 8140,
checks => [
{
id => 'puppetca_https_check',
name => 'PuppetCA HTTPS Check',
http => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
method => 'GET',
tls_skip_verify => true,
interval => '10s',
timeout => '1s',
}
],
}
}
}
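Review bot: The exported `crl.pem` takes its content from `file('/etc/puppetlabs/puppet/ssl/crl.pem')`, and `file()` is evaluated on the server that compiles the catalog, not on the node the catalog is for. That is only the CA's live CRL if the CA node always compiles its own catalog; with `agent_server` and `ca_server` now separate settings, a different compiler would export its own, possibly stale, copy and revoked certificates would keep being accepted. A comment stating that assumption would help, e.g. `# file() reads the compiling server's copy; the CA node must compile against itself`. The collector also matches on the tag alone and the exported file sets no `owner`, `group` or `mode`, so two nodes with `is_puppetca => true` would collide and importers get default permissions. Separately, `tls_skip_verify => true` means the Consul check never validates the certificate on port 8140, and the comment `# manage the ca.cfg file` names a different file than the `ca.conf` resource below it.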
+28 -57
@@ -2,66 +2,37 @@
#
# This class manages the puppetmaster using the ghoneycutt-puppet module.
# It manages the server settings in the puppet.conf file.
#
# Parameters: None
#
# Actions:
# - Sets up the server, main, agent, and master sections in the puppet.conf file
#
# Usage:
# Directly include the class in your node definitions or classify your nodes
# using an ENC or Hiera.
# Example:
# node 'puppet.example.com' {
# include profiles::puppet::puppetmaster
# }
#
# Requirements:
# - The 'ghoneycutt/puppet' module should be installed in your Puppet master.
# - Puppet master must have access to the necessary directories.
#
# Limitations:
# This is designed to work on Unix-like systems.
class profiles::puppet::puppetmaster (
String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef),
) {
include profiles::puppet::r10k
include profiles::puppet::g10k
include profiles::puppet::enc
include profiles::puppet::cobbler_enc
include profiles::puppet::autosign
include profiles::puppet::gems
include profiles::helpers::certmanager
class { 'puppetdb::master::config':
puppetdb_server => $puppetdb_host,
manage_storeconfigs => false,
if $facts['enc_role'] == 'roles::infra::puppet::master' {
include profiles::puppet::r10k
include profiles::puppet::g10k
include profiles::puppet::enc
include profiles::puppet::cobbler_enc
include profiles::puppet::autosign
include profiles::puppet::gems
include profiles::helpers::certmanager
include profiles::puppet::server
include profiles::puppet::puppetca
include profiles::puppet::eyaml
class { 'puppetdb::master::config':
puppetdb_server => $puppetdb_host,
manage_storeconfigs => false,
}
Package['puppetserver']
-> Class['profiles::puppet::gems']
-> Class['profiles::puppet::r10k']
-> Class['profiles::puppet::g10k']
-> Class['profiles::puppet::enc']
-> Class['profiles::puppet::cobbler_enc']
-> Class['profiles::puppet::autosign']
-> Class['puppetdb::master::config']
-> Class['profiles::puppet::server']
}
class { 'profiles::puppet::server':
vardir => '/opt/puppetlabs/server/data/puppetserver',
logdir => '/var/log/puppetlabs/puppetserver',
rundir => '/var/run/puppetlabs/puppetserver',
pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
codedir => '/etc/puppetlabs/code',
dns_alt_names => [
'prodinf01n01.main.unkin.net',
'puppet.main.unkin.net',
'puppetca.main.unkin.net',
'puppetmaster.main.unkin.net',
'puppet',
'puppetca',
'puppetmaster',
],
server => 'prodinf01n01.main.unkin.net',
node_terminus => 'exec',
external_nodes => '/opt/cobbler-enc/cobbler-enc',
autosign => '/etc/puppetlabs/puppet/autosign.conf',
default_manifest => '/etc/puppetlabs/code/environments/develop/manifests',
default_environment => 'develop',
storeconfigs => true,
storeconfigs_backend => 'puppetdb',
reports => 'puppetdb',
usecacheonfailure => false,
}
}
-29
@@ -4,35 +4,6 @@
# systemd service and timer to keep the repository updated every minute.
# The Git package is installed if not present, and the repository at the given
# location will always reflect the state of the remote Git repository.
#
# Parameters:
# - r10k_repo: The URL of the Git repository to clone.
#
# Actions:
# - Ensures the Git package is installed.
# - Ensures the /etc/puppetlabs/r10k directory is a clone of the given Git repository.
# - Creates a helper script '/opt/puppetlabs/bin/puppet-r10k' for updating the Git repository.
# - Creates a systemd service and timer that runs the git update script every minute.
#
# Usage:
# Directly include the class in your node definitions or classify your nodes
# using an enc or Hiera.
# Example:
# node 'puppet.example.com' {
# class { 'profiles::puppet::r10k':
# r10k_repo => 'https://github.com/user/repo.git',
# }
# }
#
# Requirements:
# - The 'puppet-vcsrepo' module should be installed on your puppetmaster.
# - The 'puppet-systemd' module should be installed on your puppetmaster.
# - '/opt/puppetlabs/bin/' directory must exist and be writable.
# - Puppet master must have access to the specified Git URL.
#
# Limitations:
# This is designed to work on Unix-like systems only.
#
class profiles::puppet::r10k (
String $r10k_repo,
){
+35 -31
@@ -1,36 +1,33 @@
# Class: profiles::puppet::server
#
# This class manages Puppet server's configuration and service.
#
# Parameters:
# vardir - Directory path for variable data.
# logdir - Directory path for logs.
# rundir - Directory path for run-time data.
# pidfile - File path for the PID file.
# codedir - Directory path for code data.
# dns_alt_names - Array of alternate DNS names for the server.
# server - Server's name.
# node_terminus - Node terminus.
# external_nodes - Path to the external node classifier script.
# autosign - Path to the autosign script.
#
class profiles::puppet::server (
String $vardir,
String $logdir,
String $rundir,
String $pidfile,
String $codedir,
Array[String[1]] $dns_alt_names,
String $server,
String $node_terminus,
String $external_nodes,
String $autosign,
String $default_manifest,
String $default_environment,
Boolean $storeconfigs,
String $storeconfigs_backend,
String $reports,
Boolean $usecacheonfailure,
Stdlib::Absolutepath $vardir = '/opt/puppetlabs/server/data/puppetserver',
Stdlib::Absolutepath $logdir = '/var/log/puppetlabs/puppetserver',
Stdlib::Absolutepath $rundir = '/var/run/puppetlabs/puppetserver',
Stdlib::Absolutepath $pidfile = '/var/run/puppetlabs/puppetserver/puppetserver.pid',
Stdlib::Absolutepath $codedir = '/etc/puppetlabs/code',
Array[String] $dns_alt_names = [
$facts['networking']['fqdn'],
$facts['networking']['hostname'],
],
Stdlib::Fqdn $agent_server = 'puppetmaster',
Stdlib::Fqdn $report_server = $agent_server,
Stdlib::Fqdn $ca_server = 'puppetca',
String $node_terminus = 'exec',
String $external_nodes = '/opt/cobbler-enc/cobbler-enc',
String $default_environment = 'develop',
String $environment = 'develop',
Stdlib::Absolutepath $autosign = '/etc/puppetlabs/puppet/autosign.conf',
Stdlib::Absolutepath $default_manifest = "${codedir}/environments/${default_environment}/manifests",
String $reports = 'puppetdb',
Boolean $storeconfigs = true,
String $storeconfigs_backend = 'puppetdb',
Boolean $usecacheonfailure = false,
Boolean $report = true,
Integer $runinterval = 1800,
Integer $runtimeout = 3600,
Boolean $show_diff = true,
) {
file { '/etc/puppetlabs/puppet/puppet.conf':
@@ -44,8 +41,15 @@ class profiles::puppet::server (
'rundir' => $rundir,
'pidfile' => $pidfile,
'codedir' => $codedir,
'dns_alt_names' => join($dns_alt_names, ','),
'server' => $server,
'dns_alt_names' => join(sort($dns_alt_names), ','),
'server' => $agent_server,
'ca_server' => $ca_server,
'environment' => $environment,
'report' => $report,
'runinterval' => $runinterval,
'runtimeout' => $runtimeout,
'show_diff' => $show_diff,
'report_server' => $report_server,
'node_terminus' => $node_terminus,
'external_nodes' => $external_nodes,
'autosign' => $autosign,
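Review bot: `Boolean $show_diff = true,` in the first hunk turns on content diffs for every replaced file, and the second hunk passes it on as `'show_diff' => $show_diff` (apparently into the puppet.conf template) next to `'report' => $report`, with `reports` defaulting to `puppetdb`. Diffs of files whose content is not wrapped in `Sensitive` then pass through agent logs and reports, so anything secret in a plain `content =>` ends up stored with the reports. Consider `Boolean $show_diff = false,` as the default, enabling it through Hiera only where the report destination is trusted. The parameter list in the header comment was removed while several parameters were added (`agent_server`, `report_server`, `ca_server`, `runinterval`, ...), so a short `@param` block would help. The class body continues outside both hunks.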
@@ -0,0 +1,10 @@
certificate-authority: {
# allow CA to sign certificate requests that have subject alternative names.
allow-subject-alt-names: <%= @allow_subject_alt_names %>
# allow CA to sign certificate requests that have authorization extensions.
allow-authorization-extensions: <%= @allow_authorization_extensions %>
# enable the separate CRL for Puppet infrastructure nodes
enable-infra-crl: <%= @enable_infra_crl %>
}
@@ -10,9 +10,16 @@ dns_alt_names = <%= $dns_alt_names %>
[agent]
server = <%= $server %>
ca_server = <%= $ca_server %>
environment = <%= $environment %>
report = <%= $report %>
report_server = <%= $report_server %>
runinterval = <%= $runinterval %>
runtimeout = <%= $runtimeout %>
show_diff = <%= $show_diff %>
[master]
node_terminus = exec
node_terminus = <%= $node_terminus %>
external_nodes = <%= $external_nodes %>
autosign = <%= $autosign %>
default_manifest = <%= $default_manifest %>