Puppet Class: puppet::config

Inherits:
puppet::params
Defined in:
manifests/config.pp

Summary

Setup Puppet configuration file (puppet.conf)

Overview

puppet::config

Setup Puppet configuration file (puppet.conf)

Examples:

include puppet::config

Parameters:

  • puppet_server (Boolean) (defaults to: $puppet::master)

    Flag: if set to true, the host is set up as a Puppet server (the server section of puppet.conf and the CA service bootstrap file are rendered; see the source below).

  • server (String) (defaults to: $puppet::server)
  • ca_server (Optional[String]) (defaults to: $puppet::ca_server)
  • basemodulepath (Optional[Stdlib::Absolutepath]) (defaults to: $puppet::basemodulepath)

    The search path for global modules. Should be specified as a list of directories separated by the system path separator character. (The POSIX path separator is ‘:’, and the Windows path separator is ‘;’.) These are the modules that will be used by all environments. Note that the modules directory of the active environment will have priority over any global directories. For more info, see docs.puppet.com/puppet/latest/environments.html Default: $codedir/modules:/opt/puppetlabs/puppet/modules

  • common_envname (String) (defaults to: $puppet::common_envname)

    String. Default is 'common'. Name of the common environment, which holds the global Hiera config (data/global.yaml) and the global modules (see use_common_env and basemodulepath).

  • use_common_env (Boolean) (defaults to: $puppet::use_common_env)

    If set to true, and the basemodulepath parameter (see above) is not defined, basemodulepath is set to "$environmentpath/$common_envname/modules".

  • dns_alt_names (Optional[Array[String]]) (defaults to: $puppet::dns_alt_names)

    Array of String or undef. A comma-separated list of alternate DNS names for Puppet Server. These are extra hostnames (in addition to its certname) that the server is allowed to use when serving agents. Puppet checks this setting when automatically requesting a certificate for Puppet agent or Puppet Server, and when manually generating a certificate with puppet cert generate. In order to handle agent requests at a given hostname (like “puppet.example.com”), Puppet Server needs a certificate that proves it’s allowed to use that name; if a server shows a certificate that doesn’t include its hostname, Puppet agents will refuse to trust it. If you use a single hostname for Puppet traffic but load-balance it to multiple Puppet Servers, each of those servers needs to include the official hostname in its list of extra names. Note: The list of alternate names is locked in when the server’s certificate is signed. If you need to change the list later, you can’t just change this setting; you also need to:

    * On the server: Stop Puppet Server.
    * On the CA server: Revoke and clean the server's old certificate (puppet cert clean <NAME>).
    * On the server: Delete the old certificate (and any old certificate signing requests) from the ssldir.
    * On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to request a new certificate.
    * On the CA server: Sign the certificate request, explicitly allowing alternate names (puppet cert sign --allow-dns-alt-names <NAME>).
    * On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to retrieve the cert.
    * On the server: Start Puppet Server again.
    

    To see all the alternate names your servers are using, log into your CA server and run puppet cert list -a, then check the output for (alt names: …). Most agent nodes should NOT have alternate names; the only certs that should have them are Puppet Server nodes that you want other agents to trust. Note that the puppet cert subcommands above exist only on Puppet 5; on Puppet 6 and later the equivalent operations are puppetserver ca clean --certname <NAME>, puppetserver ca sign --certname <NAME> and puppetserver ca list --all, and a CSR carrying alternate names is only accepted for signing when allow-subject-alt-names is enabled in the CA's ca.conf.

  • strict (Puppet::Strictness) (defaults to: $puppet::strict)
  • strict_variables (Boolean) (defaults to: $puppet::strict_variables)
  • daemonize (Boolean) (defaults to: $puppet::daemonize)
  • onetime (Boolean) (defaults to: $puppet::onetime)
  • http_read_timeout (Puppet::TimeUnit) (defaults to: $puppet::http_read_timeout)
  • ordering (Puppet::Ordering) (defaults to: $puppet::ordering)
  • priority (Optional[Puppet::Priority]) (defaults to: $puppet::priority)
  • usecacheonfailure (Boolean) (defaults to: $puppet::usecacheonfailure)
  • environment_timeout (Puppet::TimeUnit) (defaults to: $puppet::environment_timeout)

    Puppet::TimeUnit. Default: 0. How long the Puppet server should cache data it loads from an environment. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y). A value of 0 will disable caching. This setting can also be set to unlimited, which will cache environments until the server is restarted or told to refresh the cache. You should change this setting once your Puppet deployment is doing non-trivial work. The default value of 0 lets new users update their code without any extra steps, but it lowers the performance of your Puppet server. The recommended setting is unlimited, with an explicit refresh of the Puppet server as part of your code deployment process.

    * With Puppet Server, you should refresh environments by calling the
      environment-cache API endpoint. See the docs for the Puppet Server
      administrative API.
    * With a Rack Puppet server, you should restart the web server or the
      application server. Passenger lets you touch a restart.txt file to refresh
      an application without restarting Apache; see the Passenger docs for
      details.
    

    We don’t recommend using any value other than 0 or unlimited, since most Puppet servers use a pool of Ruby interpreters which all have their own cache timers. When these timers drift out of sync, agents can be served inconsistent catalogs. Default: 0

  • sameca (Boolean) (defaults to: $puppet::sameca)

    Whether the server should function as a certificate authority. Default: true. Only Puppet 5 renders this as a ca directive in the master section; on Puppet 6 and later the directive is omitted (the class forces it to true) and the CA is enabled through services.d/ca.cfg instead, as the source below shows.

  • autosign (Optional[Puppet::Autosign]) (defaults to: $puppet::autosign)
  • allow_duplicate_certs (Boolean) (defaults to: $puppet::allow_duplicate_certs)

    Whether to allow a new certificate request to overwrite an existing certificate. Default: false

  • use_enc (Boolean) (defaults to: $puppet::use_enc)

    When enabled, Puppet will use the external node classifier script defined in the puppet::params::external_nodes variable.

  • use_puppetdb (Boolean) (defaults to: $puppet::use_puppetdb)
  • puppet_config (Stdlib::Absolutepath) (defaults to: $puppet::params::puppet_config)
  • environmentpath (Stdlib::Absolutepath) (defaults to: $puppet::params::environmentpath)
  • external_nodes (Stdlib::Absolutepath) (defaults to: $puppet::params::external_nodes)
  • node_environment (Optional[String]) (defaults to: undef)
  • runtimeout (Optional[Puppet::TimeUnit]) (defaults to: $puppet::runtimeout)
  • static_certname (Boolean) (defaults to: $puppet::static_certname)

    When enabled, the main section of puppet.conf will contain the certname directive.

  • certname (String) (defaults to: $puppet::certname)

    certname directive value (default: $facts['fqdn']) (www.puppet.com/docs/puppet/7/configuration.html#certname)

  • manage_webserver_conf (Boolean) (defaults to: $puppet::manage_webserver_conf)

    Whether to manage /etc/puppetlabs/puppetserver/conf.d/webserver.conf or not. This is basic management aimed at adding the SSL settings to webserver.conf.

  • manage_fileserver_config (Boolean) (defaults to: $puppet::manage_fileserver_config)

    Whether to manage /etc/puppetlabs/puppetserver/conf.d/fileserver.conf or not. It allows file server mount points to be added.

  • mount_points (Hash[String, Stdlib::Absolutepath]) (defaults to: $puppet::mount_points)

    Set of mount points in form of pairs <NAME OF MOUNT POINT> => <PATH TO DIRECTORY>
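
The descriptions of dns_alt_names, environment_timeout, autosign and allow_duplicate_certs above each carry a security caveat. The script below, added here as an example and not code from the puppet module, parses a rendered puppet.conf and flags those conditions, with a weak sample beside a corrected one. Both sample files are constructed for the example and only approximate what the module's puppet/puppet.conf.erb template renders (the template is not on this page); the [master]/[server] section split follows the platform_name logic in the class source.

```python
"""Audit the security-relevant directives of a rendered puppet.conf.

Added example for this page, not code from the puppet module. The sample
files are constructed to resemble what puppet::config renders; the real
template (puppet/puppet.conf.erb) is not shown on the page.
"""
import configparser
import io

# Constructed sample of a Puppet 6+ server with weak settings.
WEAK_PUPPET_CONF = """\
[main]
certname = puppet.example.com
server = puppet.example.com
environmentpath = /etc/puppetlabs/code/environments
basemodulepath = /etc/puppetlabs/code/environments/common/modules
dns_alt_names = puppet,puppet.example.com

[server]
environment_timeout = 30m
autosign = true
allow_duplicate_certs = true
"""

# Constructed sample of the same host with the settings corrected.
HARDENED_PUPPET_CONF = """\
[main]
certname = puppet.example.com
server = puppet.example.com
environmentpath = /etc/puppetlabs/code/environments
basemodulepath = /etc/puppetlabs/code/environments/common/modules
dns_alt_names = puppet,puppet.example.com

[server]
environment_timeout = unlimited
autosign = /etc/puppetlabs/puppet/autosign.conf
allow_duplicate_certs = false
"""


def parse_puppet_conf(text):
    """Parse puppet.conf (INI syntax) into {section: {directive: value}}.

    Interpolation is disabled so values such as $codedir/modules survive
    unchanged; directive names keep their case as written.
    """
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return {s: dict(cp.items(s)) for s in cp.sections()}


def audit_puppet_conf(text, is_server, platform_name="puppet7"):
    """Return a list of findings; an empty list means the file passed.

    platform_name mirrors $puppet::globals::platform_name in the class
    source: 'puppet5' uses [master], anything newer uses [server].
    """
    conf = parse_puppet_conf(text)
    main = conf.get("main", {})
    srv = conf.get("master" if platform_name == "puppet5" else "server", {})
    findings = []

    def setting(name):
        # Server-section value wins; fall back to [main] as Puppet does.
        return srv.get(name, main.get(name))

    # autosign = true signs every CSR the CA receives; a policy script or
    # an autosign.conf whitelist is the acceptable form.
    if (setting("autosign") or "").strip().lower() == "true":
        findings.append("autosign = true: every CSR is signed without review")

    # A re-sent CSR must not be able to replace an already issued cert.
    if (setting("allow_duplicate_certs") or "false").strip().lower() == "true":
        findings.append("allow_duplicate_certs = true: a new CSR can overwrite an issued certificate")

    # Only Puppet Server hosts should carry alternate names.
    if setting("dns_alt_names") and not is_server:
        findings.append("dns_alt_names set on an agent-only node")

    # Anything between 0 and unlimited lets the interpreter pool's cache
    # timers drift apart and serve inconsistent catalogs.
    if is_server:
        timeout = (setting("environment_timeout") or "0").strip().lower()
        if timeout not in ("0", "unlimited"):
            findings.append(f"environment_timeout = {timeout}: use 0 or unlimited")

    # Puppet 6+ has no 'ca' directive; the CA is enabled via services.d/ca.cfg.
    if platform_name != "puppet5" and "ca" in srv:
        findings.append("'ca' directive present on a Puppet 6+ server")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PUPPET_CONF), ("hardened", HARDENED_PUPPET_CONF)):
        print(label, audit_puppet_conf(text, is_server=True) or "OK")
```

Run it against the puppet.conf this class writes (the puppet_config path) after a Puppet run, passing is_server according to the puppet_server flag; the hardened sample reports no findings, the weak one reports the three caveats above.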

# File 'manifests/config.pp', line 143

class puppet::config (
  Boolean $puppet_server = $puppet::master,
  String $server = $puppet::server,
  Optional[String] $ca_server = $puppet::ca_server,
  Boolean $use_common_env = $puppet::use_common_env,
  String $common_envname = $puppet::common_envname,
  Optional[Stdlib::Absolutepath] $basemodulepath = $puppet::basemodulepath,
  Optional[Array[String]] $dns_alt_names = $puppet::dns_alt_names,
  Puppet::Strictness $strict = $puppet::strict,
  Boolean $strict_variables = $puppet::strict_variables,
  Boolean $daemonize = $puppet::daemonize,
  Boolean $onetime = $puppet::onetime,
  Puppet::TimeUnit $http_read_timeout = $puppet::http_read_timeout,
  Puppet::Ordering $ordering = $puppet::ordering,
  Optional[Puppet::Priority] $priority = $puppet::priority,
  Boolean $usecacheonfailure = $puppet::usecacheonfailure,
  Puppet::TimeUnit $environment_timeout = $puppet::environment_timeout,
  Boolean $sameca = $puppet::sameca,
  Optional[Puppet::Autosign] $autosign = $puppet::autosign,
  Boolean $allow_duplicate_certs = $puppet::allow_duplicate_certs,
  Boolean $use_enc = $puppet::use_enc,
  Boolean $use_puppetdb = $puppet::use_puppetdb,
  # predefined via params
  Stdlib::Absolutepath $puppet_config = $puppet::params::puppet_config,
  Stdlib::Absolutepath $environmentpath = $puppet::params::environmentpath,
  Stdlib::Absolutepath $external_nodes = $puppet::params::external_nodes,
  Optional[String] $node_environment = undef,
  Optional[Puppet::TimeUnit] $runtimeout = $puppet::runtimeout,
  Boolean $static_certname = $puppet::static_certname,
  String  $certname = $puppet::certname,
  Boolean $manage_webserver_conf = $puppet::manage_webserver_conf,
  Boolean $manage_fileserver_config = $puppet::manage_fileserver_config,
  Hash[String, Stdlib::Absolutepath] $mount_points = $puppet::mount_points,
) inherits puppet::params {
  include puppet::agent::install
  include puppet::globals

  $platform_name = $puppet::globals::platform_name

  if $platform_name == 'puppet5' {
    $server_section = 'master'
    $server_sameca  = $sameca
  }
  else {
    $server_section = 'server'
    # we do not want to have 'ca' directive in puppet.conf for Puppet 6+
    $server_sameca  = true
  }

  file { 'puppet-config':
    path    => $puppet_config,
    content => template('puppet/puppet.conf.erb'),
  }

  # https://www.puppet.com/docs/puppet/7/config_ssl_external_ca.html#config_puppet_server
  if $puppet_server {
    class { 'puppet::server::ca::allow':
      server    => $server,
      ca_server => $ca_server,
    }
    contain puppet::server::ca::allow

    # https://puppet.com/docs/puppet/7.5/server/configuration.html#service-bootstrapping
    file { '/etc/puppetlabs/puppetserver/services.d/ca.cfg':
      ensure  => file,
      content => template('puppet/services.ca.cfg.erb'),
    }

    if $manage_webserver_conf {
      include puppet::config::webserver
    }

    if $manage_fileserver_config {
      class { 'puppet::config::fileserver':
        mount_points => $mount_points,
      }
      contain puppet::config::fileserver
    }
  }

  Class['puppet::agent::install'] -> File['puppet-config']
}