Merge branch 'develop' into neoloc/consul_wan
Conflicts: hieradata/common.yaml
This commit is contained in:
@@ -4,35 +4,6 @@
|
||||
# based on specified subnet ranges and domain patterns.
|
||||
# It is useful in environments where nodes are dynamically provisioned and
|
||||
# require automatic certificate signing without manual intervention.
|
||||
#
|
||||
# Parameters:
|
||||
# - `subnet_ranges`: An array of IP subnet ranges in CIDR notation.
|
||||
# Nodes with IP addresses within these ranges will have their
|
||||
# certificates autosigned.
|
||||
# Default: []
|
||||
# Example: ['198.18.17.0/24']
|
||||
#
|
||||
# - `domains`: An array of domain patterns.
|
||||
# Nodes with hostnames matching these patterns will have their
|
||||
# certificates autosigned.
|
||||
# Default: []
|
||||
# Example: ['*.main.unkin.net', '*.secondary.unkin.net']
|
||||
#
|
||||
# - `nodes`: An array of specific node names.
|
||||
# Nodes with hostnames matching these will have their
|
||||
# certificates autosigned.
|
||||
# Default: []
|
||||
# Example: ['somenode.main.unkin.net', 'othernode.secondary.unkin.net']
|
||||
# Usage:
|
||||
#
|
||||
# To include this class with custom parameters:
|
||||
# class { 'profiles::puppet::autosign':
|
||||
# subnet_ranges => ['198.18.17.0/24', '198.18.18.0/24'],
|
||||
# domains => ['*.main.unkin.net', '*.dev.unkin.net'],
|
||||
# nodes => ['somenode.main.unkin.net', 'othernode.dev.unkin.net'],
|
||||
# }
|
||||
#
|
||||
# Alternatively, configure subnet ranges and domains through Hiera.
|
||||
class profiles::puppet::autosign (
|
||||
Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges = [],
|
||||
Array[String[1]] $domains = [],
|
||||
|
||||
@@ -14,14 +14,18 @@ class profiles::puppet::client (
|
||||
Boolean $usecacheonfailure = false,
|
||||
) {
|
||||
|
||||
# Assuming you want to manage puppet.conf with this profile
|
||||
file { '/etc/puppetlabs/puppet/puppet.conf':
|
||||
ensure => 'present',
|
||||
content => template('profiles/puppet/client/puppet.conf.erb'),
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
notify => Service['puppet'],
|
||||
# dont manage puppet.conf if this is a puppetmaster
|
||||
if $facts['enc_role'] != 'roles::infra::puppet::master' {
|
||||
|
||||
# Assuming you want to manage puppet.conf with this profile
|
||||
file { '/etc/puppetlabs/puppet/puppet.conf':
|
||||
ensure => 'present',
|
||||
content => template('profiles/puppet/client/puppet.conf.erb'),
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
notify => Service['puppet'],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -4,35 +4,6 @@
|
||||
# systemd service and timer to keep the repository updated every minute.
|
||||
# The Git package is installed if not present, and the repository at the given
|
||||
# location will always reflect the state of the remote Git repository.
|
||||
#
|
||||
# Parameters:
|
||||
# - enc_repo: The URL of the Git repository to clone.
|
||||
#
|
||||
# Actions:
|
||||
# - Ensures the Git package is installed.
|
||||
# - Ensures the /opt/puppetlabs/enc directory is a clone of the given Git repository.
|
||||
# - Creates a helper script '/opt/puppetlabs/bin/git_update' for updating the Git repository.
|
||||
# - Creates a systemd service and timer that runs the git update script every minute.
|
||||
#
|
||||
# Usage:
|
||||
# Directly include the class in your node definitions or classify your nodes
|
||||
# using an ENC or Hiera.
|
||||
# Example:
|
||||
# node 'puppet.example.com' {
|
||||
# class { 'profiles::puppet::enc':
|
||||
# enc_repo => 'https://github.com/user/repo.git',
|
||||
# }
|
||||
# }
|
||||
#
|
||||
# Requirements:
|
||||
# - The 'puppet-vcsrepo' module should be installed on your puppetmaster.
|
||||
# - The 'puppet-systemd' module should be installed on your puppetmaster.
|
||||
# - '/opt/puppetlabs/bin/' directory must exist and be writable.
|
||||
# - Puppet master must have access to the specified Git URL.
|
||||
#
|
||||
# Limitations:
|
||||
# This is designed to work on Unix-like systems only.
|
||||
#
|
||||
class profiles::puppet::enc (
|
||||
String $repo,
|
||||
String $release = 'master',
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
# profiles::puppet::eyaml
|
||||
class profiles::puppet::eyaml (
|
||||
String $privatekey = '',
|
||||
String $publickey = '',
|
||||
) {
|
||||
|
||||
# create the /var/lib/puppet/keys directory
|
||||
file { '/var/lib/puppet':
|
||||
ensure => 'directory',
|
||||
owner => 'puppet',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
file { '/var/lib/puppet/keys':
|
||||
ensure => 'directory',
|
||||
owner => 'puppet',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
require => File['/var/lib/puppet']
|
||||
}
|
||||
# manage the eyaml private key
|
||||
file { '/var/lib/puppet/keys/private_key.pkcs7.pem':
|
||||
ensure => 'file',
|
||||
owner => 'puppet',
|
||||
group => 'root',
|
||||
mode => '0400',
|
||||
content => Sensitive($privatekey),
|
||||
before => Service['puppetserver'],
|
||||
require => File['/var/lib/puppet/keys'],
|
||||
}
|
||||
# manage the eyaml private key
|
||||
file { '/var/lib/puppet/keys/public_key.pkcs7.pem':
|
||||
ensure => 'file',
|
||||
owner => 'puppet',
|
||||
group => 'root',
|
||||
mode => '0400',
|
||||
content => Sensitive($publickey),
|
||||
before => Service['puppetserver'],
|
||||
require => File['/var/lib/puppet/keys'],
|
||||
}
|
||||
}
|
||||
@@ -5,31 +5,6 @@
|
||||
# The latest release of g10k is downloaded from GitHub and placed into '/opt/puppetlabs/bin'.
|
||||
# Additionally, it creates a helper script to easily run g10k with the appropriate configuration.
|
||||
# It also creates a systemd service and timer that runs the g10k script every minute.
|
||||
#
|
||||
# Parameters: None
|
||||
#
|
||||
# Actions:
|
||||
# - Downloads the latest g10k release from GitHub.
|
||||
# - Extracts the download and places the executable in '/opt/puppetlabs/bin'.
|
||||
# - Creates a helper script '/opt/puppetlabs/bin/puppet-g10k' for easy usage of g10k.
|
||||
# - Creates a systemd service and timer that runs the g10k script every minute.
|
||||
#
|
||||
# Usage:
|
||||
# Directly including the class in your node definitions or classify your nodes
|
||||
# using an ENC or Hiera.
|
||||
# Example:
|
||||
# node 'puppet.example.com' {
|
||||
# include profiles::puppet::g10k
|
||||
# }
|
||||
#
|
||||
# Requirements:
|
||||
# - The 'puppet-archive' module should be installed in your puppetmaster.
|
||||
# - The 'puppet-systemd' module should be installed on your puppetmaster.
|
||||
# - '/opt/puppetlabs/bin/' directory must exist and be writable.
|
||||
# - Puppet master must have access to the GitHub URL.
|
||||
#
|
||||
# Limitations:
|
||||
# This is designed to work on Unix-like systems only.
|
||||
class profiles::puppet::g10k (
|
||||
String $bin_path,
|
||||
String $cfg_path,
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
# Class: profiles::puppet::puppetca
|
||||
#
|
||||
# This class manages Puppet CA
|
||||
class profiles::puppet::puppetca (
|
||||
Boolean $allow_subject_alt_names = false,
|
||||
Boolean $allow_authorization_extensions = false,
|
||||
Boolean $enable_infra_crl = false,
|
||||
Boolean $is_puppetca = false,
|
||||
) {
|
||||
|
||||
# manage the ca.cfg file
|
||||
file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf':
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => template('profiles/puppet/puppet_ca.cfg.erb'),
|
||||
notify => Service['puppetserver'],
|
||||
}
|
||||
|
||||
# manage the crl file
|
||||
if $is_puppetca {
|
||||
# export the puppet crl.pem
|
||||
@@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
|
||||
ensure => file,
|
||||
content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
|
||||
tag => 'crl_pem_export',
|
||||
}
|
||||
}else{
|
||||
# import the puppet crl.pem
|
||||
File <<| tag == 'crl_pem_export' |>> {
|
||||
require => Service['puppetserver'],
|
||||
}
|
||||
}
|
||||
|
||||
# register the PuppetCA service with consul
|
||||
if $is_puppetca {
|
||||
consul::service { 'puppetca':
|
||||
service_name => 'puppetca',
|
||||
tags => ['ca', 'puppet', 'ssl'],
|
||||
address => $facts['networking']['ip'],
|
||||
port => 8140,
|
||||
checks => [
|
||||
{
|
||||
id => 'puppetca_https_check',
|
||||
name => 'PuppetCA HTTPS Check',
|
||||
http => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
|
||||
method => 'GET',
|
||||
tls_skip_verify => true,
|
||||
interval => '10s',
|
||||
timeout => '1s',
|
||||
}
|
||||
],
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2,66 +2,37 @@
|
||||
#
|
||||
# This class manages the puppetmaster using the ghoneycutt-puppet module.
|
||||
# It manages the server settings in the puppet.conf file.
|
||||
#
|
||||
# Parameters: None
|
||||
#
|
||||
# Actions:
|
||||
# - Sets up the server, main, agent, and master sections in the puppet.conf file
|
||||
#
|
||||
# Usage:
|
||||
# Directly include the class in your node definitions or classify your nodes
|
||||
# using an ENC or Hiera.
|
||||
# Example:
|
||||
# node 'puppet.example.com' {
|
||||
# include profiles::puppet::puppetmaster
|
||||
# }
|
||||
#
|
||||
# Requirements:
|
||||
# - The 'ghoneycutt/puppet' module should be installed in your Puppet master.
|
||||
# - Puppet master must have access to the necessary directories.
|
||||
#
|
||||
# Limitations:
|
||||
# This is designed to work on Unix-like systems.
|
||||
class profiles::puppet::puppetmaster (
|
||||
String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
|
||||
Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef),
|
||||
) {
|
||||
include profiles::puppet::r10k
|
||||
include profiles::puppet::g10k
|
||||
include profiles::puppet::enc
|
||||
include profiles::puppet::cobbler_enc
|
||||
include profiles::puppet::autosign
|
||||
include profiles::puppet::gems
|
||||
include profiles::helpers::certmanager
|
||||
|
||||
class { 'puppetdb::master::config':
|
||||
puppetdb_server => $puppetdb_host,
|
||||
manage_storeconfigs => false,
|
||||
if $facts['enc_role'] == 'roles::infra::puppet::master' {
|
||||
|
||||
include profiles::puppet::r10k
|
||||
include profiles::puppet::g10k
|
||||
include profiles::puppet::enc
|
||||
include profiles::puppet::cobbler_enc
|
||||
include profiles::puppet::autosign
|
||||
include profiles::puppet::gems
|
||||
include profiles::helpers::certmanager
|
||||
include profiles::puppet::server
|
||||
include profiles::puppet::puppetca
|
||||
include profiles::puppet::eyaml
|
||||
|
||||
class { 'puppetdb::master::config':
|
||||
puppetdb_server => $puppetdb_host,
|
||||
manage_storeconfigs => false,
|
||||
}
|
||||
|
||||
Package['puppetserver']
|
||||
-> Class['profiles::puppet::gems']
|
||||
-> Class['profiles::puppet::r10k']
|
||||
-> Class['profiles::puppet::g10k']
|
||||
-> Class['profiles::puppet::enc']
|
||||
-> Class['profiles::puppet::cobbler_enc']
|
||||
-> Class['profiles::puppet::autosign']
|
||||
-> Class['puppetdb::master::config']
|
||||
-> Class['profiles::puppet::server']
|
||||
}
|
||||
|
||||
class { 'profiles::puppet::server':
|
||||
vardir => '/opt/puppetlabs/server/data/puppetserver',
|
||||
logdir => '/var/log/puppetlabs/puppetserver',
|
||||
rundir => '/var/run/puppetlabs/puppetserver',
|
||||
pidfile => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
|
||||
codedir => '/etc/puppetlabs/code',
|
||||
dns_alt_names => [
|
||||
'prodinf01n01.main.unkin.net',
|
||||
'puppet.main.unkin.net',
|
||||
'puppetca.main.unkin.net',
|
||||
'puppetmaster.main.unkin.net',
|
||||
'puppet',
|
||||
'puppetca',
|
||||
'puppetmaster',
|
||||
],
|
||||
server => 'prodinf01n01.main.unkin.net',
|
||||
node_terminus => 'exec',
|
||||
external_nodes => '/opt/cobbler-enc/cobbler-enc',
|
||||
autosign => '/etc/puppetlabs/puppet/autosign.conf',
|
||||
default_manifest => '/etc/puppetlabs/code/environments/develop/manifests',
|
||||
default_environment => 'develop',
|
||||
storeconfigs => true,
|
||||
storeconfigs_backend => 'puppetdb',
|
||||
reports => 'puppetdb',
|
||||
usecacheonfailure => false,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,35 +4,6 @@
|
||||
# systemd service and timer to keep the repository updated every minute.
|
||||
# The Git package is installed if not present, and the repository at the given
|
||||
# location will always reflect the state of the remote Git repository.
|
||||
#
|
||||
# Parameters:
|
||||
# - r10k_repo: The URL of the Git repository to clone.
|
||||
#
|
||||
# Actions:
|
||||
# - Ensures the Git package is installed.
|
||||
# - Ensures the /etc/puppetlabs/r10k directory is a clone of the given Git repository.
|
||||
# - Creates a helper script '/opt/puppetlabs/bin/puppet-r10k' for updating the Git repository.
|
||||
# - Creates a systemd service and timer that runs the git update script every minute.
|
||||
#
|
||||
# Usage:
|
||||
# Directly include the class in your node definitions or classify your nodes
|
||||
# using an enc or Hiera.
|
||||
# Example:
|
||||
# node 'puppet.example.com' {
|
||||
# class { 'profiles::puppet::r10k':
|
||||
# r10k_repo => 'https://github.com/user/repo.git',
|
||||
# }
|
||||
# }
|
||||
#
|
||||
# Requirements:
|
||||
# - The 'puppet-vcsrepo' module should be installed on your puppetmaster.
|
||||
# - The 'puppet-systemd' module should be installed on your puppetmaster.
|
||||
# - '/opt/puppetlabs/bin/' directory must exist and be writable.
|
||||
# - Puppet master must have access to the specified Git URL.
|
||||
#
|
||||
# Limitations:
|
||||
# This is designed to work on Unix-like systems only.
|
||||
#
|
||||
class profiles::puppet::r10k (
|
||||
String $r10k_repo,
|
||||
){
|
||||
|
||||
@@ -1,36 +1,33 @@
|
||||
# Class: profiles::puppet::server
|
||||
#
|
||||
# This class manages Puppet server's configuration and service.
|
||||
#
|
||||
# Parameters:
|
||||
# vardir - Directory path for variable data.
|
||||
# logdir - Directory path for logs.
|
||||
# rundir - Directory path for run-time data.
|
||||
# pidfile - File path for the PID file.
|
||||
# codedir - Directory path for code data.
|
||||
# dns_alt_names - Array of alternate DNS names for the server.
|
||||
# server - Server's name.
|
||||
# node_terminus - Node terminus.
|
||||
# external_nodes - Path to the external node classifier script.
|
||||
# autosign - Path to the autosign script.
|
||||
#
|
||||
class profiles::puppet::server (
|
||||
String $vardir,
|
||||
String $logdir,
|
||||
String $rundir,
|
||||
String $pidfile,
|
||||
String $codedir,
|
||||
Array[String[1]] $dns_alt_names,
|
||||
String $server,
|
||||
String $node_terminus,
|
||||
String $external_nodes,
|
||||
String $autosign,
|
||||
String $default_manifest,
|
||||
String $default_environment,
|
||||
Boolean $storeconfigs,
|
||||
String $storeconfigs_backend,
|
||||
String $reports,
|
||||
Boolean $usecacheonfailure,
|
||||
Stdlib::Absolutepath $vardir = '/opt/puppetlabs/server/data/puppetserver',
|
||||
Stdlib::Absolutepath $logdir = '/var/log/puppetlabs/puppetserver',
|
||||
Stdlib::Absolutepath $rundir = '/var/run/puppetlabs/puppetserver',
|
||||
Stdlib::Absolutepath $pidfile = '/var/run/puppetlabs/puppetserver/puppetserver.pid',
|
||||
Stdlib::Absolutepath $codedir = '/etc/puppetlabs/code',
|
||||
Array[String] $dns_alt_names = [
|
||||
$facts['networking']['fqdn'],
|
||||
$facts['networking']['hostname'],
|
||||
],
|
||||
Stdlib::Fqdn $agent_server = 'puppetmaster',
|
||||
Stdlib::Fqdn $report_server = $agent_server,
|
||||
Stdlib::Fqdn $ca_server = 'puppetca',
|
||||
String $node_terminus = 'exec',
|
||||
String $external_nodes = '/opt/cobbler-enc/cobbler-enc',
|
||||
String $default_environment = 'develop',
|
||||
String $environment = 'develop',
|
||||
Stdlib::Absolutepath $autosign = '/etc/puppetlabs/puppet/autosign.conf',
|
||||
Stdlib::Absolutepath $default_manifest = "${codedir}/environments/${default_environment}/manifests",
|
||||
String $reports = 'puppetdb',
|
||||
Boolean $storeconfigs = true,
|
||||
String $storeconfigs_backend = 'puppetdb',
|
||||
Boolean $usecacheonfailure = false,
|
||||
Boolean $report = true,
|
||||
Integer $runinterval = 1800,
|
||||
Integer $runtimeout = 3600,
|
||||
Boolean $show_diff = true,
|
||||
) {
|
||||
|
||||
file { '/etc/puppetlabs/puppet/puppet.conf':
|
||||
@@ -44,8 +41,15 @@ class profiles::puppet::server (
|
||||
'rundir' => $rundir,
|
||||
'pidfile' => $pidfile,
|
||||
'codedir' => $codedir,
|
||||
'dns_alt_names' => join($dns_alt_names, ','),
|
||||
'server' => $server,
|
||||
'dns_alt_names' => join(sort($dns_alt_names), ','),
|
||||
'server' => $agent_server,
|
||||
'ca_server' => $ca_server,
|
||||
'environment' => $environment,
|
||||
'report' => $report,
|
||||
'runinterval' => $runinterval,
|
||||
'runtimeout' => $runtimeout,
|
||||
'show_diff' => $show_diff,
|
||||
'report_server' => $report_server,
|
||||
'node_terminus' => $node_terminus,
|
||||
'external_nodes' => $external_nodes,
|
||||
'autosign' => $autosign,
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
certificate-authority: {
|
||||
# allow CA to sign certificate requests that have subject alternative names.
|
||||
allow-subject-alt-names: <%= @allow_subject_alt_names %>
|
||||
|
||||
# allow CA to sign certificate requests that have authorization extensions.
|
||||
allow-authorization-extensions: <%= @allow_authorization_extensions %>
|
||||
|
||||
# enable the separate CRL for Puppet infrastructure nodes
|
||||
enable-infra-crl: <%= @enable_infra_crl %>
|
||||
}
|
||||
@@ -10,9 +10,16 @@ dns_alt_names = <%= $dns_alt_names %>
|
||||
|
||||
[agent]
|
||||
server = <%= $server %>
|
||||
ca_server = <%= $ca_server %>
|
||||
environment = <%= $environment %>
|
||||
report = <%= $report %>
|
||||
report_server = <%= $report_server %>
|
||||
runinterval = <%= $runinterval %>
|
||||
runtimeout = <%= $runtimeout %>
|
||||
show_diff = <%= $show_diff %>
|
||||
|
||||
[master]
|
||||
node_terminus = exec
|
||||
node_terminus = <%= $node_terminus %>
|
||||
external_nodes = <%= $external_nodes %>
|
||||
autosign = <%= $autosign %>
|
||||
default_manifest = <%= $default_manifest %>
|
||||
|
||||
Reference in New Issue
Block a user