Merge pull request 'neoloc/syd1_puppet' (#195) from neoloc/syd1_puppet into develop

Reviewed-on: unkinben/puppet-prod#195

hieradata/common.yaml

@@ -87,6 +87,9 @@ lookup_options:
   profiles::consul::client::node_rules:
     merge:
       strategy: deep
+  profiles::puppet::server::dns_alt_names:
+    merge:
+      strategy: deep
 
 facts_path: '/opt/puppetlabs/facter/facts.d'
 
@@ -177,6 +180,8 @@ profiles::packages::remove:
 profiles::base::scripts::scripts:
   puppet: puppetwrapper.py
 
+profiles::puppet::client::server: 'puppet.query.consul'
+profiles::puppet::client::ca_server: 'puppetca.query.consul'
 profiles::puppet::client::environment: 'develop'
 profiles::puppet::client::runinterval: 1800
 profiles::puppet::client::runtimeout: 3600

hieradata/country/au/region/drw1/infra/puppet/master.yaml

@@ -0,0 +1,4 @@
+---
+profiles::puppet::server::dns_alt_names:
+  - puppetca.main.unkin.net
+  - puppetca

hieradata/country/au/region/syd1/infra/puppet/master.yaml

@@ -0,0 +1,4 @@
+---
+profiles::puppet::server::dns_alt_names:
+  - puppetca.main.unkin.net
+  - puppetca

hieradata/nodes/prodinf01n01.main.unkin.net.yaml

@@ -0,0 +1,9 @@
+---
+profiles::puppet::server::dns_alt_names:
+  - puppetca.main.unkin.net
+  - puppetca.service.consul
+  - puppetca.query.consul
+  - puppetca
+
+profiles::puppet::puppetca::is_puppetca: true
+profiles::puppet::puppetca::allow_subject_alt_names: true

hieradata/roles/infra/puppet.yaml

@@ -0,0 +1,3 @@
+---
+profiles::packages::install:
+  - puppetserver

hieradata/roles/infra/puppet/master.eyaml

@@ -1,3 +1,5 @@
 ---
 certmanager::vault_token: ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAWh7bsttz/JCBo/CPoCgA2doo3jO6jT6NsOoE3/06W2IW+Ij6KHKYILMkG3tS4NAegMI48QR9n++4Xa7u+97w1HO4ENpfLrkuKUcWUFCxxb2OdWhxucIlt3Ay/2+tofOSvqiRKeEISBtOK//Q1a4Iu5GwEP+lvDQ5rcoS0dryNie/okXaLratWOsmctJ6LFuUw5siCcFyUzfvr2ROsB14YoF989np+X1dJqBWxcLmbVNKx766GrRhb1WGeF0qxounCmWEKGt0zY4Zk27KNFlFu7XByDWZoSCVCMvkQaRKhvdNA39Y9vscZJGPGFhz+qKPoeqwUidz0IY51CaFSXewmzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQC+e2iOlFLlr9inVU8nEVWIBgqb0u/ICsLtxZqOpN9OIFWl+4hVrvTo24JzTc1jMSCONeL4Ab7jtTMbsweE9zUf6XlwhHLXfxfg7FL3WBsOWCUBXIAh338cZCXUGX7m0Qvtgg3VTEbTNDJhZle8Sjo6Gl]
 certmanager::role_id: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAQC5vU3lOdQOOqw/m42V9JK72TVoR7eGA6wNXz1VQeI5pIcOrDzXjWcfrtY1xbMI9EfvDEeJ5lpiSfSbvejLHJPkIi2efrkUMpB2lhxvxm8xxQVVU6UVEqHFAEIQynSDuq2I3UCPCD3KweGnAa73GuytugzswVvNSdXuBzLuMgt36ufNctmMLsqgY2YVAkUPfmud+a18L//ut6Z85TCcv74am9XBb4+Yd7g3QHLxvbtoNzlAStk9fUcbCurmsEGjuccV4VHe9C4Nxloai0wNXAu2XMRjsZWD77Swc5dDVhtXXs7MPO8DntTHpYIb3Q3UJLSVf2NyPwQQ5VQiGrs0Z5DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBuj+gOJRwlvgUBPHO7SOJegDC8dKDpyooSYlgoe07UYir5xSRxPynnR9c83s20F+H7K8ng4G5PALRJRQNNsf82EGQ=]
+profiles::puppet::eyaml::publickey: ENC[PKCS7,MIIFjQYJKoZIhvcNAQcDoIIFfjCCBXoCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAizhVN1svMJqLlkDWcm/qhMNajKL9G7GvBxG04dOdYLUu99wgmIlD1vetNIoJrQ6defmVuMMzT3IxzIDrRf8QEVL7hstIFoGlhv0ObBewjLJY34v3B7Sxj0nv8XPTLd8Q6LZQb+KSo0SLQxbjEw60qAl5DbDqXUNOx2OIV3yP1IaCzzi6llb1ZOWPcBESt6HEnLzqkwzEK+2/QGBOMqChP1EP7JHFrWQw5YYCLUcYCLVts1K57Q7ThFwckUA0v8Vh9HdlZqA0XPxKyVK7nfw/Y1CpwRTwZ8GYnry1/iLNYjFGkDU0V5pf+ZhlZfIChVccma9NCSlQtA+7DikNcpLTfTCCBE4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJQ4jJz/oSqW79tDOSv2pWCAggQgvi+p2P7tkIY4c0yNEIFjnXa3Imopg4bZ29TQJnPLAqVM7Bexh0XhxAjWk8YFvxQ0Yio+3JKlvqlsFVpecumV6NHwVPe521Hl7l88eRvgCHBC3tVm98+N2A0GdGbT+begqsj0nPTDScixJE79dGZK6/qgf3NuYPCj+drFwWrDuZXpIYMHJcOrVhqlg4RFW4ZYUxbsAC2eNFXUF0bYpKej3voCnlj/o6RxLEC/Gv2T66e9sFjeANo9W84uAfZ1t4cweVzYh1h6Yiw+0ewWA6ndg8thgr2Uk9JdpjXzS0QTtElGmNv+tZmCH45o0HUunPZs0gkn5unT0pzZosqgSeu0HdHcsImJpuJVRIVjAXypku7LtBKnP3VA5iXi2lld/suEOeeU18Aw3pxFQrKV3cexiWLa4mpKn8JR1HBxw4NcLj3/fes41fxW0zLyY8m4MksaIpc4BXz33uup5rHdVblbD1raZJPAg7k8KufStsRBmeokdysF+PJebrCfTH8goR3BWGfCVWQEoDjB2wAhVTQKuzAh3d51k+s4uvJchNBDgfGt/s9hdBFU/VQTZUyOoSEOwxB1857sOF3iPLM1233XEhZd2AOl4h5xy1z3+aSOG0jiihWt6QdosUig/IHxyO4gWaEO37iaLlF0ZVSJKjOV/IBCHJAaAG476uSNv+kTKgvu0PQtIfcKHpa1ppHi96fO8FKX76l26VoGKf/kMi6bWdTObYZnyiN7fz342ewMpwu70wQQWo33riK0hhF6bRu40J/KmgoUaUz3jSnErv+EeeREYww5SSNlMhpQNBNj+WfEDRC4Zx9VsF1cjtTY1um0kYdoyTHBLH6V1oAEiFIScHqkW1zKVAEiBh2v6C1U3fwAzOyAbnDlBrsuhnVxbJa8O1d5yw+U2py6xdC3Wq6FsAP9kdfDu+mjNDOwwJWZa8iTj3NHum1G6xklF2JHtmp2p1gY0e/JCETIk5Xh1okf404F9Xi+CWvlmlPXie9SdwgyJWpXOM60pJN2iMOFKPGn4chppMka38HakDKbdNNTELxNE+/yVECT0uQ8iBvETX1FU+y4LpGFghmwAIiKB1HZXx/0Gof0+txj/p9AgnpeVvDbq4iiZOulcu2BepsrFDg2zNLollfhAo+6QvElpk2MI1yHrg3OaTt7U8JV1dxHyIWjbtRvbiiS1E6mKGiOpkIQd/IHBjkujvEd7LVeE721HrLdGRaTR9QJfTR8jPZGHMlZa14a2pcxliyYd9RFSVOkVZH2LetuSWStQ1gPdBEeKDSWyFBA0Rxzlw2Sl25MJ4PAIpimyUYrnxTa2XgHyavMa0kjVAhX15+ywze2ypOVnB9/q3L3M5JCq+eaOBicJQiERX4h7Yj499S9Y/2nxk2DOUxi965BDIZGSG3/qOtl]
+profiles::puppet::eyaml::privatekey: ENC[PKCS7,MIIH/QYJKoZIhvcNAQcDoIIH7jCCB+oCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAkH2q64bYf5Es/YNK6c6d5t9PYcbc9NGzC6F2AzjWeLV9rdT+DBNmhPeyHN4jR6edzLRaNL+u3cuur3mTxwSJcEXdyHQSbXJLlGpd9CPEjuerqdsXkFvamP//nHjwvSosBUo4PKtllphX0XHP6JS0Mm+nukv0YyDk+63+cETuyP5M1FVsLSK8ZWblOn1uBgNhhjGZF5nNeayjJKloWdVY8+pS8L6/y0QprF05oLDvI0JgK9wud8NID+LCNtb2Z5/mq2ScpMB/r/ji/oPHs40zhANqOiAuy/sUWwIivdB2iKKvcLfJ8tbtCanXuQxboqnulL1+C87Y4m1rmk4cNtKU3DCCBr4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEELXUERpdYNf8m2IXbCw/MxiAggaQ187hqDCftN9RvnFRHnlHyPZijykRgs558tdh0yA8GscJ9vim8kxQXrxM6gqAGgmV7xYnpyK0pvEn0/6cEFkcBkpkQOtlyil+4WB9bcLJIF4LzPut0pz4Eq/6zMSM9PGWCRFe3ufkdoDq5M1SlHa/Aoi/LwNu5EFFlFZeeDiZyUMupLJUHbTQ+wt2JgQLfpBzeCGb5BRLvSPH0+Y7ShwHgp2ZCtxc/tT5cdQq5a3+tt9ZYSy5Hj+c8I2WBPm3wghA7QULCB1+42K4A8BJ7HQucaT1mRMc0QnCt68xQkhBulxGnADPaRAWICmuAF2KBv/eS74TdYj3z0OCSZW5k1wDBz8FCSIodn2a1LgBMrFRCAS2fwRn7Hc0yguCRl9ppERW+8K3pg7aAiBqJbeTwQN/VICNan92y+cbUndO9a/U16zKD4SxfW8PMwSu/qz6i45gUjQ83THjwNAE6el0lYFYivBsEEg66Sqo2cXtPQlAdB8lOsS34TQq21zipikgAAii0mGoH738t2CYL6tMUGthpcfXLioU0AhXjLVED1PIpmWxieFENWO8SUx3NjXyoefBVQrzc1PPAgeVGSaOBoJSN7xNx3/RQhWck0240DZmi+41z5CF1z91eZY+ZJYa/SaHVWWZ7GgQDEXGnWKQkMZce6RK0qw0/8B0x5O6aIlBrB7aSVQIkDLSUw8bq7N5dAeKXLu+2QHhG1yl+Bmn1xDMILFphJNT2ZNXkoSd0r1WUePWBEFCOBPsu3cHaK9DZiXSdfJ3dY+1NYuVZDQshQ1Fe4IKpHm/0mtz60DjrTTaJ3kAsPLCpeFGJ+1U/TdO+IgPAsiHUIaDRtv19ZeH7/Pa/kAceIe16F8CRNkzJ62D8CH4RYEXxTJ7oogYbhsw+5WQ3ZGzJHNvxcX4EVofjIsr2uIQEAVTu9VSDY2LyihJBEs0EBw25dai52u2g1Jjtteod9p6B+rwrcVGKAzdEo7nF9qK6+dS8VlfFbmbU1/ulIpM0hUr3ZFsUSv1qUGqUmYdgndvE0+gHop71fsnQRmT9wTdQlUs7RC0+BPWvf7eGljJT+omDwv+wSShikWku9ZSk58HqZ74f2RizxL7Ny8SWCkOf1u+Gi8kalMhr+1p8e39S6WTws8rJHxIQrzfY7aqZwYIZzLl4JMnqBvbkUlCEKNHmVAVt6AgPGfTmoEzSgulHEMCETuBQl4dS8mtFvWRKCy0jC2fAUfIAoihoh/2g3MTbKQCM3aSHrqyPTAduN2VkQwTM4JmgU6YYWy4kXjPWsgEm+FjqOKQqd5Q5bwIOoFLSVQgrTtoKVUXzK8VbTDNDhLj+LggB9MMncr5X44LkdtrktYWeQ1CbBGYUTNHyXxT2nbJm7DJos4zjSIqnkSiR2VyRAkxF9TSXjnZwtsziXC4gdonjA+ImV5aUvL5aTO2zbTYQOqgrauS/SWS4tXbZ4Thw86d2zbO32Kvuu4bfHVTN087eiRuiFmjtz43PwBRMxjABLDe/ZRUHLDomAVydTS98aIswUb33jHoPtEkz4bWEtZlhwrqguvPzLSJT1SNZnDhNsdzO96GDB2vtvXmIiQq+/8jh0LKIoOCFWKsFfB0GrkZZvLnF6oQQ/MiYNNY1TLnHMAg2uSF+ap/g8QRvfE5FX2UquYE1ATeD+8iRw0g2crNXGVRynBo6ESd5O+zwcMitO/Re9tQM4rfNj83VgWeSUNLxhOZmbYs0hDEbS0lXIWa1NbASuXWk/FBXzr8X/ZdlZPWAMWe3J9Bqh6e1FhgGD6ZZmSTYxHzlz5TNCf+aMqnJRb5eyN+UM5iWgW/VpAlKWMl98c1lsKwccAS/SH2zugKwBT8Bf/4wnbpHrZe817vVF7raVcaYvNnYTzdSQCcnvRK/D40sqleOhtfX/vdjOFWfoukbEJnXNytkTZeKrBm83z6tmYe4siQdfn4X9/lGNWEDyjYiJX8czH6yMlRW+FposOpE4Y9Dgs694iPHmYt1/1VbuW240uG6VT/d+OjSD5L6JfTT47pghoWTl0dQGbKd3kmoku7C7ll5etCdz5UIY2JOmS1gx6NgvsElJyflgQHgXLiSKpB0iSZ7zTRKlBmRG7uiU582nkbXHQ7BwZkP3nq95bgtCmk+0pvioYYg/jK8hvuiv+b8Ez2pHaTLabn/jYww8ewIZz0W5mWgcCDwdebtP2CCSnB2IPjyzAh2TW8JTljeoJAe9ai+iqiX4400R2hXZl6KMpC]

hieradata/roles/infra/puppet/master.yaml

@@ -36,3 +36,40 @@ profiles::helpers::certmanager::vault_config:
   role_name: 'servers_default'
   output_path: '/tmp/certmanager'
   role_id: "%{lookup('certmanager::role_id')}"
+
+profiles::puppet::server::agent_server: 'puppet.query.consul'
+profiles::puppet::server::report_server: 'puppet.query.consul'
+profiles::puppet::server::ca_server: 'puppetca.query.consul'
+profiles::puppet::server::dns_alt_names:
+  - "%{facts.networking.fqdn}"
+  - "%{facts.networking.hostname}"
+  - puppetmaster.main.unkin.net
+  - puppet.main.unkin.net
+  - puppet.service.consul
+  - puppet.query.consul
+  - puppetmaster
+  - puppet
+
+consul::services:
+  puppet:
+    service_name: 'puppet'
+    tags:
+      - 'puppet'
+      - 'master'
+    address: "%{facts.networking.ip}"
+    port: 8140
+    checks:
+      - id: 'puppet_https_check'
+        name: 'Puppet HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:8140/status/v1/simple"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: puppet
+    disposition: write
+  - resource: service
+    segment: puppetca
+    disposition: write

site/profiles/manifests/puppet/autosign.pp

@@ -4,35 +4,6 @@
 # based on specified subnet ranges and domain patterns. 
 # It is useful in environments where nodes are dynamically provisioned and 
 # require automatic certificate signing without manual intervention.
-#
-# Parameters:
-#   - `subnet_ranges`: An array of IP subnet ranges in CIDR notation.
-#       Nodes with IP addresses within these ranges will have their 
-#       certificates autosigned. 
-#       Default: []
-#       Example: ['198.18.17.0/24']
-#
-#   - `domains`: An array of domain patterns.
-#       Nodes with hostnames matching these patterns will have their
-#       certificates autosigned.
-#       Default: []
-#       Example: ['*.main.unkin.net', '*.secondary.unkin.net']
-#
-#   - `nodes`: An array of specific node names.
-#       Nodes with hostnames matching these will have their
-#       certificates autosigned.
-#       Default: []
-#       Example: ['somenode.main.unkin.net', 'othernode.secondary.unkin.net']
-# Usage:
-# 
-# To include this class with custom parameters:
-#   class { 'profiles::puppet::autosign':
-#     subnet_ranges => ['198.18.17.0/24', '198.18.18.0/24'],
-#     domains       => ['*.main.unkin.net', '*.dev.unkin.net'],
-#     nodes         => ['somenode.main.unkin.net', 'othernode.dev.unkin.net'],
-#   }
-#
-# Alternatively, configure subnet ranges and domains through Hiera.
 class profiles::puppet::autosign (
   Array[Stdlib::IP::Address::V4::CIDR] $subnet_ranges = [],
   Array[String[1]] $domains = [],

site/profiles/manifests/puppet/client.pp

@@ -14,14 +14,18 @@ class profiles::puppet::client (
   Boolean $usecacheonfailure  = false,
 ) {
 
-  # Assuming you want to manage puppet.conf with this profile
-  file { '/etc/puppetlabs/puppet/puppet.conf':
-    ensure  => 'present',
-    content => template('profiles/puppet/client/puppet.conf.erb'),
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    notify  => Service['puppet'],
+  # dont manage puppet.conf if this is a puppetmaster
+  if $facts['enc_role'] != 'roles::infra::puppet::master' {
+
+    # Assuming you want to manage puppet.conf with this profile
+    file { '/etc/puppetlabs/puppet/puppet.conf':
+      ensure  => 'present',
+      content => template('profiles/puppet/client/puppet.conf.erb'),
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      notify  => Service['puppet'],
+    }
   }
 }
 

site/profiles/manifests/puppet/enc.pp

@@ -4,35 +4,6 @@
 # systemd service and timer to keep the repository updated every minute.
 # The Git package is installed if not present, and the repository at the given 
 # location will always reflect the state of the remote Git repository.
-#
-# Parameters:
-# - enc_repo: The URL of the Git repository to clone.
-#
-# Actions:
-# - Ensures the Git package is installed.
-# - Ensures the /opt/puppetlabs/enc directory is a clone of the given Git repository.
-# - Creates a helper script '/opt/puppetlabs/bin/git_update' for updating the Git repository.
-# - Creates a systemd service and timer that runs the git update script every minute.
-#
-# Usage:
-#   Directly include the class in your node definitions or classify your nodes 
-#   using an ENC or Hiera.
-#   Example:
-#     node 'puppet.example.com' {
-#       class { 'profiles::puppet::enc':
-#         enc_repo => 'https://github.com/user/repo.git',
-#       }
-#     }
-#
-# Requirements:
-# - The 'puppet-vcsrepo' module should be installed on your puppetmaster.
-# - The 'puppet-systemd' module should be installed on your puppetmaster.
-# - '/opt/puppetlabs/bin/' directory must exist and be writable.
-# - Puppet master must have access to the specified Git URL.
-#
-# Limitations:
-# This is designed to work on Unix-like systems only.
-#
 class profiles::puppet::enc (
   String $repo,
   String $release = 'master',

site/profiles/manifests/puppet/eyaml.pp

@@ -0,0 +1,41 @@
+# profiles::puppet::eyaml
+class profiles::puppet::eyaml (
+  String $privatekey = '',
+  String $publickey = '',
+) {
+
+  # create the /var/lib/puppet/keys directory
+  file { '/var/lib/puppet':
+    ensure => 'directory',
+    owner  => 'puppet',
+    group  => 'root',
+    mode   => '0755',
+  }
+  file { '/var/lib/puppet/keys':
+    ensure  => 'directory',
+    owner   => 'puppet',
+    group   => 'root',
+    mode    => '0755',
+    require => File['/var/lib/puppet']
+  }
+  # manage the eyaml private key
+  file { '/var/lib/puppet/keys/private_key.pkcs7.pem':
+    ensure  => 'file',
+    owner   => 'puppet',
+    group   => 'root',
+    mode    => '0400',
+    content => Sensitive($privatekey),
+    before  => Service['puppetserver'],
+    require => File['/var/lib/puppet/keys'],
+  }
+  # manage the eyaml private key
+  file { '/var/lib/puppet/keys/public_key.pkcs7.pem':
+    ensure  => 'file',
+    owner   => 'puppet',
+    group   => 'root',
+    mode    => '0400',
+    content => Sensitive($publickey),
+    before  => Service['puppetserver'],
+    require => File['/var/lib/puppet/keys'],
+  }
+}

site/profiles/manifests/puppet/g10k.pp

@@ -5,31 +5,6 @@
 # The latest release of g10k is downloaded from GitHub and placed into '/opt/puppetlabs/bin'.
 # Additionally, it creates a helper script to easily run g10k with the appropriate configuration.
 # It also creates a systemd service and timer that runs the g10k script every minute.
-#
-# Parameters: None
-#
-# Actions:
-# - Downloads the latest g10k release from GitHub.
-# - Extracts the download and places the executable in '/opt/puppetlabs/bin'.
-# - Creates a helper script '/opt/puppetlabs/bin/puppet-g10k' for easy usage of g10k.
-# - Creates a systemd service and timer that runs the g10k script every minute.
-#
-# Usage:
-#   Directly including the class in your node definitions or classify your nodes 
-#   using an ENC or Hiera.
-#   Example:
-#     node 'puppet.example.com' {
-#       include profiles::puppet::g10k
-#     }
-#
-# Requirements:
-# - The 'puppet-archive' module should be installed in your puppetmaster.
-# - The 'puppet-systemd' module should be installed on your puppetmaster.
-# - '/opt/puppetlabs/bin/' directory must exist and be writable.
-# - Puppet master must have access to the GitHub URL.
-#
-# Limitations:
-# This is designed to work on Unix-like systems only.
 class profiles::puppet::g10k (
   String $bin_path,
   String $cfg_path,

site/profiles/manifests/puppet/puppetca.pp

@@ -0,0 +1,56 @@
+# Class: profiles::puppet::puppetca
+#
+# This class manages Puppet CA
+class profiles::puppet::puppetca (
+  Boolean $allow_subject_alt_names = false,
+  Boolean $allow_authorization_extensions = false,
+  Boolean $enable_infra_crl = false,
+  Boolean $is_puppetca      = false,
+) {
+
+  # manage the ca.cfg file
+  file { '/etc/puppetlabs/puppetserver/conf.d/ca.conf':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('profiles/puppet/puppet_ca.cfg.erb'),
+    notify  => Service['puppetserver'],
+  }
+
+  # manage the crl file
+  if $is_puppetca {
+    # export the puppet crl.pem
+    @@file { '/etc/puppetlabs/puppet/ssl/crl.pem':
+      ensure  => file,
+      content => file('/etc/puppetlabs/puppet/ssl/crl.pem'),
+      tag     => 'crl_pem_export',
+    }
+  }else{
+    # import the puppet crl.pem
+    File <<| tag == 'crl_pem_export' |>> {
+      require => Service['puppetserver'],
+    }
+  }
+
+  # register the PuppetCA service with consul
+  if $is_puppetca {
+    consul::service { 'puppetca':
+      service_name => 'puppetca',
+      tags         => ['ca', 'puppet', 'ssl'],
+      address      => $facts['networking']['ip'],
+      port         => 8140,
+      checks       => [
+        {
+          id              => 'puppetca_https_check',
+          name            => 'PuppetCA HTTPS Check',
+          http            => "https://${facts['networking']['fqdn']}:8140/status/v1/simple",
+          method          => 'GET',
+          tls_skip_verify => true,
+          interval        => '10s',
+          timeout         => '1s',
+        }
+      ],
+    }
+  }
+}

site/profiles/manifests/puppet/puppetmaster.pp

@@ -2,66 +2,37 @@
 #
 # This class manages the puppetmaster using the ghoneycutt-puppet module.
 # It manages the server settings in the puppet.conf file.
-#
-# Parameters: None
-#
-# Actions:
-# - Sets up the server, main, agent, and master sections in the puppet.conf file
-#
-# Usage:
-#   Directly include the class in your node definitions or classify your nodes 
-#   using an ENC or Hiera.
-#   Example:
-#     node 'puppet.example.com' {
-#       include profiles::puppet::puppetmaster
-#     }
-#
-# Requirements:
-# - The 'ghoneycutt/puppet' module should be installed in your Puppet master.
-# - Puppet master must have access to the necessary directories.
-#
-# Limitations:
-# This is designed to work on Unix-like systems.
 class profiles::puppet::puppetmaster (
-  String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'),
+  Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef),
 ) {
-  include profiles::puppet::r10k
-  include profiles::puppet::g10k
-  include profiles::puppet::enc
-  include profiles::puppet::cobbler_enc
-  include profiles::puppet::autosign
-  include profiles::puppet::gems
-  include profiles::helpers::certmanager
 
-  class { 'puppetdb::master::config':
-    puppetdb_server     => $puppetdb_host,
-    manage_storeconfigs => false,
+  if $facts['enc_role'] == 'roles::infra::puppet::master' {
+
+    include profiles::puppet::r10k
+    include profiles::puppet::g10k
+    include profiles::puppet::enc
+    include profiles::puppet::cobbler_enc
+    include profiles::puppet::autosign
+    include profiles::puppet::gems
+    include profiles::helpers::certmanager
+    include profiles::puppet::server
+    include profiles::puppet::puppetca
+    include profiles::puppet::eyaml
+
+    class { 'puppetdb::master::config':
+      puppetdb_server     => $puppetdb_host,
+      manage_storeconfigs => false,
+    }
+
+    Package['puppetserver']
+    -> Class['profiles::puppet::gems']
+    -> Class['profiles::puppet::r10k']
+    -> Class['profiles::puppet::g10k']
+    -> Class['profiles::puppet::enc']
+    -> Class['profiles::puppet::cobbler_enc']
+    -> Class['profiles::puppet::autosign']
+    -> Class['puppetdb::master::config']
+    -> Class['profiles::puppet::server']
   }
 
-  class { 'profiles::puppet::server':
-    vardir               => '/opt/puppetlabs/server/data/puppetserver',
-    logdir               => '/var/log/puppetlabs/puppetserver',
-    rundir               => '/var/run/puppetlabs/puppetserver',
-    pidfile              => '/var/run/puppetlabs/puppetserver/puppetserver.pid',
-    codedir              => '/etc/puppetlabs/code',
-    dns_alt_names        => [
-      'prodinf01n01.main.unkin.net',
-      'puppet.main.unkin.net',
-      'puppetca.main.unkin.net',
-      'puppetmaster.main.unkin.net',
-      'puppet',
-      'puppetca',
-      'puppetmaster',
-    ],
-    server               => 'prodinf01n01.main.unkin.net',
-    node_terminus        => 'exec',
-    external_nodes       => '/opt/cobbler-enc/cobbler-enc',
-    autosign             => '/etc/puppetlabs/puppet/autosign.conf',
-    default_manifest     => '/etc/puppetlabs/code/environments/develop/manifests',
-    default_environment  => 'develop',
-    storeconfigs         => true,
-    storeconfigs_backend => 'puppetdb',
-    reports              => 'puppetdb',
-    usecacheonfailure    => false,
-  }
 }

site/profiles/manifests/puppet/r10k.pp

@@ -4,35 +4,6 @@
 # systemd service and timer to keep the repository updated every minute.
 # The Git package is installed if not present, and the repository at the given 
 # location will always reflect the state of the remote Git repository.
-#
-# Parameters:
-# - r10k_repo: The URL of the Git repository to clone.
-#
-# Actions:
-# - Ensures the Git package is installed.
-# - Ensures the /etc/puppetlabs/r10k directory is a clone of the given Git repository.
-# - Creates a helper script '/opt/puppetlabs/bin/puppet-r10k' for updating the Git repository.
-# - Creates a systemd service and timer that runs the git update script every minute.
-#
-# Usage:
-#   Directly include the class in your node definitions or classify your nodes 
-#   using an enc or Hiera.
-#   Example:
-#     node 'puppet.example.com' {
-#       class { 'profiles::puppet::r10k':
-#         r10k_repo => 'https://github.com/user/repo.git',
-#       }
-#     }
-#
-# Requirements:
-# - The 'puppet-vcsrepo' module should be installed on your puppetmaster.
-# - The 'puppet-systemd' module should be installed on your puppetmaster.
-# - '/opt/puppetlabs/bin/' directory must exist and be writable.
-# - Puppet master must have access to the specified Git URL.
-#
-# Limitations:
-# This is designed to work on Unix-like systems only.
-#
 class profiles::puppet::r10k (
   String $r10k_repo,
 ){

site/profiles/manifests/puppet/server.pp

@@ -1,36 +1,33 @@
 # Class: profiles::puppet::server
 #
 # This class manages Puppet server's configuration and service.
-#
-# Parameters:
-#   vardir - Directory path for variable data.
-#   logdir - Directory path for logs.
-#   rundir - Directory path for run-time data.
-#   pidfile - File path for the PID file.
-#   codedir - Directory path for code data.
-#   dns_alt_names - Array of alternate DNS names for the server.
-#   server - Server's name.
-#   node_terminus - Node terminus.
-#   external_nodes - Path to the external node classifier script.
-#   autosign - Path to the autosign script.
-#
 class profiles::puppet::server (
-  String $vardir,
-  String $logdir,
-  String $rundir,
-  String $pidfile,
-  String $codedir,
-  Array[String[1]] $dns_alt_names,
-  String $server,
-  String $node_terminus,
-  String $external_nodes,
-  String $autosign,
-  String $default_manifest,
-  String $default_environment,
-  Boolean $storeconfigs,
-  String $storeconfigs_backend,
-  String $reports,
-  Boolean $usecacheonfailure,
+  Stdlib::Absolutepath $vardir    = '/opt/puppetlabs/server/data/puppetserver',
+  Stdlib::Absolutepath $logdir    = '/var/log/puppetlabs/puppetserver',
+  Stdlib::Absolutepath $rundir    = '/var/run/puppetlabs/puppetserver',
+  Stdlib::Absolutepath $pidfile   = '/var/run/puppetlabs/puppetserver/puppetserver.pid',
+  Stdlib::Absolutepath $codedir   = '/etc/puppetlabs/code',
+  Array[String] $dns_alt_names    = [
+    $facts['networking']['fqdn'],
+    $facts['networking']['hostname'],
+  ],
+  Stdlib::Fqdn $agent_server      = 'puppetmaster',
+  Stdlib::Fqdn $report_server     = $agent_server,
+  Stdlib::Fqdn $ca_server         = 'puppetca',
+  String  $node_terminus          = 'exec',
+  String  $external_nodes         = '/opt/cobbler-enc/cobbler-enc',
+  String  $default_environment    = 'develop',
+  String  $environment            = 'develop',
+  Stdlib::Absolutepath $autosign  = '/etc/puppetlabs/puppet/autosign.conf',
+  Stdlib::Absolutepath $default_manifest = "${codedir}/environments/${default_environment}/manifests",
+  String  $reports                = 'puppetdb',
+  Boolean $storeconfigs           = true,
+  String  $storeconfigs_backend   = 'puppetdb',
+  Boolean $usecacheonfailure      = false,
+  Boolean $report                 = true,
+  Integer $runinterval            = 1800,
+  Integer $runtimeout             = 3600,
+  Boolean $show_diff              = true,
 ) {
 
   file { '/etc/puppetlabs/puppet/puppet.conf':
@@ -44,8 +41,15 @@ class profiles::puppet::server (
       'rundir'               => $rundir,
       'pidfile'              => $pidfile,
       'codedir'              => $codedir,
-      'dns_alt_names'        => join($dns_alt_names, ','),
-      'server'               => $server,
+      'dns_alt_names'        => join(sort($dns_alt_names), ','),
+      'server'               => $agent_server,
+      'ca_server'            => $ca_server,
+      'environment'          => $environment,
+      'report'               => $report,
+      'runinterval'          => $runinterval,
+      'runtimeout'           => $runtimeout,
+      'show_diff'            => $show_diff,
+      'report_server'        => $report_server,
       'node_terminus'        => $node_terminus,
       'external_nodes'       => $external_nodes,
       'autosign'             => $autosign,

site/profiles/templates/puppet/puppet_ca.cfg.erb

@@ -0,0 +1,10 @@
+certificate-authority: {
+    # allow CA to sign certificate requests that have subject alternative names.
+    allow-subject-alt-names: <%= @allow_subject_alt_names %>
+
+    # allow CA to sign certificate requests that have authorization extensions.
+    allow-authorization-extensions: <%= @allow_authorization_extensions %>
+
+    # enable the separate CRL for Puppet infrastructure nodes
+    enable-infra-crl: <%= @enable_infra_crl %>
+}

site/profiles/templates/puppet/server/puppet.conf.epp

@@ -10,9 +10,16 @@ dns_alt_names = <%= $dns_alt_names %>
 
 [agent]
 server = <%= $server %>
+ca_server = <%= $ca_server %>
+environment = <%= $environment %>
+report = <%= $report %>
+report_server = <%= $report_server %>
+runinterval = <%= $runinterval %>
+runtimeout = <%= $runtimeout %>
+show_diff = <%= $show_diff %>
 
 [master]
-node_terminus = exec
+node_terminus = <%= $node_terminus %>
 external_nodes = <%= $external_nodes %>
 autosign = <%= $autosign %>
 default_manifest = <%= $default_manifest %>