Puppet Class: puppet_agent::osfamily::debian

Defined in:
manifests/osfamily/debian.pp

Summary

Determines the puppet-agent package location for Debian OSes.

Overview



# File 'manifests/osfamily/debian.pp', line 2

# Determines the puppet-agent package location for Debian OSes.
#
# Private class: assert_private() is its first statement. It declares no
# parameters and reads all settings from variables in the puppet_agent scope.
#
# - With $puppet_agent::absolute_source set, the value is handed to
#   puppet_agent::prepare::package as the package source and nothing else
#   is managed here.
# - Otherwise, and only when puppet_agent::manage_repo is true, it manages
#   the 'pc_repo' apt source, the GPG key files under /etc/pki/deb-gpg, and
#   (for PE without alternate sources) a host-specific apt TLS setting.
# - When manage_repo is not true, this class manages no resources.
class puppet_agent::osfamily::debian {
  assert_private()

  if $puppet_agent::absolute_source {
    # Absolute sources are expected to be actual packages (not repos)
    # so when absolute_source is set just download the package to the
    # system and finish with this class.
    # NOTE(review): no checksum or signature check on that package is visible
    # in this class, and the apt key handling below is skipped on this path.
    # Confirm what puppet_agent::prepare::package verifies.
    $source = $puppet_agent::absolute_source
    class { 'puppet_agent::prepare::package':
      source => $source,
    }
    contain puppet_agent::prepare::package
  } else {
    # Strict comparison: the repo is managed only when manage_repo is the
    # boolean true.
    if getvar('::puppet_agent::manage_repo') == true {
      include apt
      if ($puppet_agent::is_pe and (!$puppet_agent::use_alternate_sources)) {
        # Repo URL precedence: puppet_agent::source, then alternate_pe_source,
        # then the PE master itself on port 8140. Every form appends
        # /packages/<pe_build_version>/<platform_tag fact>.
        # NOTE(review): only the last fallback pins the https scheme. The scheme
        # of the first two forms comes from the configured value, so confirm
        # they are https as well.
        $pe_server_version = pe_build_version()
        if $puppet_agent::source {
          $source = "${puppet_agent::source}/packages/${pe_server_version}/${facts['platform_tag']}"
        } elsif $puppet_agent::alternate_pe_source {
          $source = "${puppet_agent::alternate_pe_source}/packages/${pe_server_version}/${facts['platform_tag']}"
        } else {
          $source = "https://${facts['puppet_master_server']}:8140/packages/${pe_server_version}/${facts['platform_tag']}"
        }
        # In Puppet Enterprise, agent packages are served by the same server
        # as the master, which can be using either a self signed CA, or an external CA.
        # In order for apt to authenticate to the repo on the PE Master, it will need
        # to be configured to pass in the agents certificates. By the time this code is called,
        # the module has already moved the certs to $ssl_dir/{certs,private_keys}, which
        # happen to be the default in PE already.
        # NOTE(review): $_sslclientcert_path and $_sslclientkey_path are assigned
        # below but not referenced again in this class. Only the CA path reaches
        # the apt configuration, so no client certificate or key is configured
        # for apt here. Confirm this is intended and whether the comment above is
        # still accurate.
        $_ssl_dir = $puppet_agent::params::ssldir
        $_sslcacert_path = "${_ssl_dir}/certs/ca.pem"
        $_sslclientcert_path = "${_ssl_dir}/certs/${facts['clientcert']}.pem"
        $_sslclientkey_path = "${_ssl_dir}/private_keys/${facts['clientcert']}.pem"

        # For debian based platforms, in order to add SSL verification, you need to add a
        # configuration file specific to just the sources host
        # The host name is embedded in the option path, so the CA file is set for
        # that one host rather than as a global Acquire::https setting.
        $source_host = uri_host_from_string($source)
        $_ca_cert_verification = [
          "Acquire::https::${source_host}::CaInfo \"${_sslcacert_path}\";",
        ]
        # Marks the repo host as DIRECT in the per-host proxy option.
        # NOTE(review): this line is under Acquire::http while the CA setting is
        # under Acquire::https. Confirm the installed apt applies it to the https
        # source.
        $_proxy_host = [
          "Acquire::http::proxy::${source_host} DIRECT;",
        ]

        $_apt_settings = concat(
          $_ca_cert_verification,
        $_proxy_host)

        # The statements are joined with an empty separator; each one already
        # ends with ';'.
        apt::setting { 'conf-pc_repo':
          content  => $_apt_settings.join(''),
          priority => 90,
        }

        # Due to the file paths changing on the PE Master, the 3.8 repository is no longer valid.
        # On upgrade, remove the repo file so that a dangling reference is not left behind returning
        # a 404 on subsequent runs.

        # Pass in an empty content string since apt requires it even though we are removing it
        apt::setting { 'list-puppet-enterprise-installer':
          ensure  => absent,
          content => '',
        }

        # NOTE(review): priority is the string '90' here but the integer 90 on
        # 'conf-pc_repo' above.
        apt::setting { 'conf-pe-repo':
          ensure   => absent,
          priority => '90',
          content  => '',
        }
      } else {
        # Non-PE, or PE with use_alternate_sources: take the repo URL as configured.
        $source = $puppet_agent::apt_source
      }
      # Two key files are installed: the legacy key and the current key. Both are
      # served from this module's own files (puppet:///modules/puppet_agent/...).
      $legacy_keyname = 'GPG-KEY-puppet'
      $legacy_gpg_path = "/etc/pki/deb-gpg/${legacy_keyname}"
      $keyname = 'GPG-KEY-puppet-20250406'
      $gpg_path = "/etc/pki/deb-gpg/${keyname}"

      # The key directories are created only when manage_pki_dir is the boolean
      # true. No owner, group or mode is set on them here.
      if getvar('::puppet_agent::manage_pki_dir') == true {
        file { ['/etc/pki', '/etc/pki/deb-gpg']:
          ensure => directory,
        }
      }

      # Key material is written with owner and group id 0 and mode 0644.
      file { $legacy_gpg_path:
        ensure => file,
        owner  => 0,
        group  => 0,
        mode   => '0644',
        source => "puppet:///modules/puppet_agent/${legacy_keyname}",
      }

      # The id is a full 40-hex-digit fingerprint, not a short key id.
      # NOTE(review): this resource keeps the legacy key registered with apt in
      # addition to the current one. Confirm the legacy key is still required.
      apt::key { 'legacy key':
        id     => '6F6B15509CF8E59E6E469F327F438280EF8D349F',
        source => $legacy_gpg_path,
      }

      file { $gpg_path:
        ensure => file,
        owner  => 0,
        group  => 0,
        mode   => '0644',
        source => "puppet:///modules/puppet_agent/${keyname}",
      }

      # The repository definition. Its key is given by full fingerprint and
      # loaded from the local file managed above. 'repos' is the configured
      # collection name.
      apt::source { 'pc_repo':
        location => $source,
        repos    => $puppet_agent::collection,
        key      => {
          'id'     => 'D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26',
          'source' => $gpg_path,
        },
        notify   => Exec['pc_repo_force'],
      }

      # apt_update doesn't inherit the future class dependency, so it
      # can wait until the end of the run to exec. Force it to happen now.
      # refreshonly: the echo runs only on a refresh event, which here comes
      # from Exec['apt_update'] (subscribe) or Apt::Source['pc_repo'] (notify).
      exec { 'pc_repo_force':
        command     => "/bin/echo 'forcing apt update for pc_repo ${puppet_agent::collection}'",
        refreshonly => true,
        logoutput   => true,
        subscribe   => Exec['apt_update'],
      }
    }
  }
}