module-puppetdb/manifests/server/jetty.pp

# PRIVATE CLASS - do not use directly
class puppetdb::server::jetty (
  $listen_address     = $puppetdb::params::listen_address,
  $listen_port        = $puppetdb::params::listen_port,
  $disable_cleartext  = $puppetdb::params::disable_cleartext,
  $ssl_listen_address = $puppetdb::params::ssl_listen_address,
  $ssl_listen_port    = $puppetdb::params::ssl_listen_port,
  $disable_ssl        = $puppetdb::params::disable_ssl,
  $ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths,
  $ssl_cert_path      = $puppetdb::params::ssl_cert_path,
  $ssl_key_path       = $puppetdb::params::ssl_key_path,
  $ssl_ca_cert_path   = $puppetdb::params::ssl_ca_cert_path,
  $ssl_protocols      = $puppetdb::params::ssl_protocols,
  $confdir            = $puppetdb::params::confdir,
  $max_threads        = $puppetdb::params::max_threads,
  $puppetdb_user      = $puppetdb::params::puppetdb_user,
  $puppetdb_group     = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params {

  $jetty_ini = "${confdir}/jetty.ini"

  file { $jetty_ini:
    ensure => file,
    owner  => $puppetdb_user,
    group  => $puppetdb_group,
    mode   => '0600',
  }

  # Set the defaults
  Ini_setting {
    path    => $jetty_ini,
    ensure  => present,
    section => 'jetty',
    require => File[$jetty_ini],
  }

  $cleartext_setting_ensure = $disable_cleartext ? {
    true    => 'absent',
    default => 'present',
  }

  ini_setting { 'puppetdb_host':
    ensure  => $cleartext_setting_ensure,
    setting => 'host',
    value   => $listen_address,
  }

  ini_setting { 'puppetdb_port':
    ensure  => $cleartext_setting_ensure,
    setting => 'port',
    value   => $listen_port,
  }

  $ssl_setting_ensure = $disable_ssl ? {
    true    => 'absent',
    default => 'present',
  }

  ini_setting { 'puppetdb_sslhost':
    ensure  => $ssl_setting_ensure,
    setting => 'ssl-host',
    value   => $ssl_listen_address,
  }

  ini_setting { 'puppetdb_sslport':
    ensure  => $ssl_setting_ensure,
    setting => 'ssl-port',
    value   => $ssl_listen_port,
  }

  if $ssl_protocols != undef {

    validate_string($ssl_protocols)

    ini_setting { 'puppetdb_sslprotocols':
      ensure  => $ssl_setting_ensure,
      setting => 'ssl-protocols',
      value   => $ssl_protocols,
    }
  }

  if str2bool($ssl_set_cert_paths) == true {
    # assume paths have been validated in calling class
    ini_setting { 'puppetdb_ssl_key':
      ensure  => present,
      setting => 'ssl-key',
      value   => $ssl_key_path,
    }
    ini_setting { 'puppetdb_ssl_cert':
      ensure  => present,
      setting => 'ssl-cert',
      value   => $ssl_cert_path,
    }
    ini_setting { 'puppetdb_ssl_ca_cert':
      ensure  => present,
      setting => 'ssl-ca-cert',
      value   => $ssl_ca_cert_path,
    }
  }

  if ($max_threads) {
    ini_setting { 'puppetdb_max_threads':
      setting => 'max-threads',
      value   => $max_threads,
    }
  } else {
    ini_setting { 'puppetdb_max_threads':
      ensure  => absent,
      setting => 'max-threads',
    }
  }
}
(GH-93) Switch to using puppetlabs-postgresql 3.x This updates the module to be able to use puppetlabs-postgresql. Since this change is a major change, it marks this patch as a breaking change. I have prepared a suitable amount of upgrade notes for upgrading to this later version of the module plus removed anything marked deprecated. As cleanup, I've removed the troublesome 'tests' directory in favour of good README.md documentation. I've also removed any puppet docs from each module until such times as puppet docs become automated through the forge. This is just to avoid contributors having to double their efforts - the README.md is the authority now. Signed-off-by: Ken Barber <ken@bob.sh> 2013-10-21 17:21:12 +02:00			`# PRIVATE CLASS - do not use directly`
(PDB-1913) manage vardir This updates the module to manage vardir, and also makes room for general management of the global ini section. 2015-09-16 00:21:33 +02:00			`class puppetdb::server::jetty (`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			`$listen_address = $puppetdb::params::listen_address,`
Style guideline fixes 2013-06-04 14:19:53 +02:00			`$listen_port = $puppetdb::params::listen_port,`
Add option to disable cleartext HTTP port 2015-10-13 19:39:15 +02:00			`$disable_cleartext = $puppetdb::params::disable_cleartext,`
complies with style guide 2012-09-20 23:46:26 +02:00			`$ssl_listen_address = $puppetdb::params::ssl_listen_address,`
			`$ssl_listen_port = $puppetdb::params::ssl_listen_port,`
(#51) Add option to disable SSL in Jetty This patch introduces the optional parameter $disable_ssl, which defaults to false. If set to true, the settings ssl-host and ssl-port are completely removed from the Jetty section of the PuppetDB config files. This disables serving of HTTPS requests by PuppetDB, which can be useful when SSL handling is offloaded to a reverse proxy server like Apache or Nginx, as suggested in the PuppetDB documentation (see http://docs.puppetlabs.com/puppetdb/1.2/connect_puppet_apply.html#option-a-set-up-an-ssl-proxy-for-puppetdb). 2013-04-09 00:39:04 +02:00			`$disable_ssl = $puppetdb::params::disable_ssl,`
Add the ability to a) deploy ssl keys, b) set paths to ssl keys in jetty.ini This also adds parameters for puppetdb user/group to support PE correctly. 2014-09-06 01:18:46 +02:00			`$ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths,`
			`$ssl_cert_path = $puppetdb::params::ssl_cert_path,`
			`$ssl_key_path = $puppetdb::params::ssl_key_path,`
			`$ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path,`
Add ability to specify SSL protocols. This is in response to CVE-2014-3566 - POODLE 2014-10-17 07:07:45 +02:00			`$ssl_protocols = $puppetdb::params::ssl_protocols,`
complies with style guide 2012-09-20 23:46:26 +02:00			`$confdir = $puppetdb::params::confdir,`
implement max_threads option for jetty 2014-06-26 17:15:34 +02:00			`$max_threads = $puppetdb::params::max_threads,`
(PDB-2571) Ensure all managed ini files have correct permissions Much like read-database.ini, we need to ensure the permissions for puppetdb.ini and others are set explicitly to ensure permissions are still correct after configuration. Without this users with different umask settings may find their files are no longer accessible after the module runs. This patch fixes the globally for all the ini files we currently manage (repl.ini is not managed fwiw). This also fixes a bug whereby we were missing puppetdb::server::global from the main server class, it adds this back and fixes the tests to ensure we don't lose it. Signed-off-by: Ken Barber <ken@bob.sh> 2016-04-28 13:39:54 +02:00			`$puppetdb_user = $puppetdb::params::puppetdb_user,`
			`$puppetdb_group = $puppetdb::params::puppetdb_group,`
Use ini_file to manage settings, and add validation This commit does the following: * Use the new inifile module to manage puppet.conf * More comprehensive management of config files * Validate database connectivity before applying puppetdb config changes * Validate puppetdb connectivity before applying puppet master config changes * Documentation 2012-09-18 00:26:32 +02:00			`) inherits puppetdb::params {`
complies with style guide 2012-09-20 23:46:26 +02:00
(PDB-2696) Remove the dependency cycle cause by typo This commit removes the dependency cycle caused by a typo in the config name for config.ini and properly threads through the vardir setting to the puppetdb::server::global class. 2016-05-13 21:23:49 +02:00			`$jetty_ini = "${confdir}/jetty.ini"`

			`file { $jetty_ini:`
(PDB-2571) Ensure all managed ini files have correct permissions Much like read-database.ini, we need to ensure the permissions for puppetdb.ini and others are set explicitly to ensure permissions are still correct after configuration. Without this users with different umask settings may find their files are no longer accessible after the module runs. This patch fixes the globally for all the ini files we currently manage (repl.ini is not managed fwiw). This also fixes a bug whereby we were missing puppetdb::server::global from the main server class, it adds this back and fixes the tests to ensure we don't lose it. Signed-off-by: Ken Barber <ken@bob.sh> 2016-04-28 13:39:54 +02:00			`ensure => file,`
(PDB-2696) Remove the dependency cycle cause by typo This commit removes the dependency cycle caused by a typo in the config name for config.ini and properly threads through the vardir setting to the puppetdb::server::global class. 2016-05-13 21:23:49 +02:00			`owner => $puppetdb_user,`
			`group => $puppetdb_group,`
			`mode => '0600',`
(PDB-2571) Ensure all managed ini files have correct permissions Much like read-database.ini, we need to ensure the permissions for puppetdb.ini and others are set explicitly to ensure permissions are still correct after configuration. Without this users with different umask settings may find their files are no longer accessible after the module runs. This patch fixes the globally for all the ini files we currently manage (repl.ini is not managed fwiw). This also fixes a bug whereby we were missing puppetdb::server::global from the main server class, it adds this back and fixes the tests to ensure we don't lose it. Signed-off-by: Ken Barber <ken@bob.sh> 2016-04-28 13:39:54 +02:00			`}`

Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`# Set the defaults`
Use ini_file to manage settings, and add validation This commit does the following: * Use the new inifile module to manage puppet.conf * More comprehensive management of config files * Validate database connectivity before applying puppetdb config changes * Validate puppetdb connectivity before applying puppet master config changes * Documentation 2012-09-18 00:26:32 +02:00			`Ini_setting {`
(PDB-2696) Remove the dependency cycle cause by typo This commit removes the dependency cycle caused by a typo in the config name for config.ini and properly threads through the vardir setting to the puppetdb::server::global class. 2016-05-13 21:23:49 +02:00			`path => $jetty_ini,`
complies with style guide 2012-09-20 23:46:26 +02:00			`ensure => present,`
			`section => 'jetty',`
(PDB-2696) Remove the dependency cycle cause by typo This commit removes the dependency cycle caused by a typo in the config name for config.ini and properly threads through the vardir setting to the puppetdb::server::global class. 2016-05-13 21:23:49 +02:00			`require => File[$jetty_ini],`
Use ini_file to manage settings, and add validation This commit does the following: * Use the new inifile module to manage puppet.conf * More comprehensive management of config files * Validate database connectivity before applying puppetdb config changes * Validate puppetdb connectivity before applying puppet master config changes * Documentation 2012-09-18 00:26:32 +02:00			`}`

Add option to disable cleartext HTTP port 2015-10-13 19:39:15 +02:00			`$cleartext_setting_ensure = $disable_cleartext ? {`
			`true => 'absent',`
			`default => 'present',`
			`}`

Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`ini_setting { 'puppetdb_host':`
Add option to disable cleartext HTTP port 2015-10-13 19:39:15 +02:00			`ensure => $cleartext_setting_ensure,`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			`setting => 'host',`
			`value => $listen_address,`
			`}`

Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`ini_setting { 'puppetdb_port':`
Add option to disable cleartext HTTP port 2015-10-13 19:39:15 +02:00			`ensure => $cleartext_setting_ensure,`
17594 - PuppetDB - Add ability to set standard host listen address and open firewall to standard port Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This commit allows users to not only bind to an address and port other than localhost and 8080, but it also opens the firewall if explicitly requested. 2012-11-13 21:38:38 +01:00			`setting => 'port',`
			`value => $listen_port,`
			`}`

(#51) Add option to disable SSL in Jetty This patch introduces the optional parameter $disable_ssl, which defaults to false. If set to true, the settings ssl-host and ssl-port are completely removed from the Jetty section of the PuppetDB config files. This disables serving of HTTPS requests by PuppetDB, which can be useful when SSL handling is offloaded to a reverse proxy server like Apache or Nginx, as suggested in the PuppetDB documentation (see http://docs.puppetlabs.com/puppetdb/1.2/connect_puppet_apply.html#option-a-set-up-an-ssl-proxy-for-puppetdb). 2013-04-09 00:39:04 +02:00			`$ssl_setting_ensure = $disable_ssl ? {`
			`true => 'absent',`
			`default => 'present',`
			`}`

Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`ini_setting { 'puppetdb_sslhost':`
			`ensure => $ssl_setting_ensure,`
			`setting => 'ssl-host',`
			`value => $ssl_listen_address,`
			`}`

			`ini_setting { 'puppetdb_sslport':`
			`ensure => $ssl_setting_ensure,`
			`setting => 'ssl-port',`
			`value => $ssl_listen_port,`
			`}`

Add ability to specify SSL protocols. This is in response to CVE-2014-3566 - POODLE 2014-10-17 07:07:45 +02:00			`if $ssl_protocols != undef {`

			`validate_string($ssl_protocols)`

			`ini_setting { 'puppetdb_sslprotocols':`
			`ensure => $ssl_setting_ensure,`
			`setting => 'ssl-protocols',`
			`value => $ssl_protocols,`
			`}`
			`}`

Add the ability to a) deploy ssl keys, b) set paths to ssl keys in jetty.ini This also adds parameters for puppetdb user/group to support PE correctly. 2014-09-06 01:18:46 +02:00			`if str2bool($ssl_set_cert_paths) == true {`
Remove invisible unicode character to prevent "invalid byte sequence in US-ASCII" 2014-10-16 13:36:23 +02:00			`# assume paths have been validated in calling class`
Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`ini_setting { 'puppetdb_ssl_key':`
Add the ability to a) deploy ssl keys, b) set paths to ssl keys in jetty.ini This also adds parameters for puppetdb user/group to support PE correctly. 2014-09-06 01:18:46 +02:00			`ensure => present,`
			`setting => 'ssl-key',`
			`value => $ssl_key_path,`
			`}`
Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`ini_setting { 'puppetdb_ssl_cert':`
Add the ability to a) deploy ssl keys, b) set paths to ssl keys in jetty.ini This also adds parameters for puppetdb user/group to support PE correctly. 2014-09-06 01:18:46 +02:00			`ensure => present,`
			`setting => 'ssl-cert',`
			`value => $ssl_cert_path,`
			`}`
Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`ini_setting { 'puppetdb_ssl_ca_cert':`
Add the ability to a) deploy ssl keys, b) set paths to ssl keys in jetty.ini This also adds parameters for puppetdb user/group to support PE correctly. 2014-09-06 01:18:46 +02:00			`ensure => present,`
			`setting => 'ssl-ca-cert',`
			`value => $ssl_ca_cert_path,`
			`}`
			`}`

implement max_threads option for jetty 2014-06-26 17:15:34 +02:00			`if ($max_threads) {`
Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`ini_setting { 'puppetdb_max_threads':`
implement max_threads option for jetty 2014-06-26 17:15:34 +02:00			`setting => 'max-threads',`
			`value => $max_threads,`
			`}`
			`} else {`
Cleanups, missing doc items and new test_url capability This provides a number of cleanups as the code has been unloved for a while. I've added the ssl-* parameters the robinbowes added in his last patch to the docs, and found some other cleanups as well where applicable. I've added the ability to override the test_url also, so that in the future if a user wishes to they can customize this. Signed-off-by: Ken Barber <ken@bob.sh> 2014-10-07 16:06:54 +02:00			`ini_setting { 'puppetdb_max_threads':`
implement max_threads option for jetty 2014-06-26 17:15:34 +02:00			`ensure => absent,`
			`setting => 'max-threads',`
			`}`
			`}`
Use ini_file to manage settings, and add validation This commit does the following: * Use the new inifile module to manage puppet.conf * More comprehensive management of config files * Validate database connectivity before applying puppetdb config changes * Validate puppetdb connectivity before applying puppet master config changes * Documentation 2012-09-18 00:26:32 +02:00			`}`