Add the ability to a) deploy ssl keys, b) set paths to ssl keys in jetty.ini

This also adds parameters for puppetdb user/group to support PE correctly.
This commit is contained in:
Robin Bowes 2014-09-06 00:18:46 +01:00 committed by Ken Barber
parent 422d40083f
commit 8c68fc1dd2
4 changed files with 101 additions and 14 deletions


@ -7,6 +7,15 @@ class puppetdb::params {
$ssl_listen_port = '8081' $ssl_listen_port = '8081'
$disable_ssl = false $disable_ssl = false
$open_ssl_listen_port = undef $open_ssl_listen_port = undef
$ssl_dir = '/etc/puppetdb/ssl'
$ssl_set_cert_paths = false
$ssl_cert_path = "${ssl_dir}/public.pem"
$ssl_key_path = "${ssl_dir}/private.pem"
$ssl_ca_cert_path = "${ssl_dir}/ca.pem"
$ssl_deploy_certs = false
$ssl_key = undef
$ssl_cert = undef
$ssl_ca_cert = undef
$postgres_listen_addresses = 'localhost' $postgres_listen_addresses = 'localhost'
$database = 'postgres' $database = 'postgres'
@ -68,6 +77,8 @@ class puppetdb::params {
if defined('$is_pe') and str2bool($::is_pe) == true { if defined('$is_pe') and str2bool($::is_pe) == true {
$puppetdb_package = 'pe-puppetdb' $puppetdb_package = 'pe-puppetdb'
$puppetdb_service = 'pe-puppetdb' $puppetdb_service = 'pe-puppetdb'
$puppetdb_user = 'pe-puppetdb'
$puppetdb_group = 'pe-puppetdb'
$confdir = '/etc/puppetlabs/puppetdb/conf.d' $confdir = '/etc/puppetlabs/puppetdb/conf.d'
$puppet_service_name = 'pe-httpd' $puppet_service_name = 'pe-httpd'
$puppet_confdir = '/etc/puppetlabs/puppet' $puppet_confdir = '/etc/puppetlabs/puppet'
@ -88,6 +99,8 @@ class puppetdb::params {
} else { } else {
$puppetdb_package = 'puppetdb' $puppetdb_package = 'puppetdb'
$puppetdb_service = 'puppetdb' $puppetdb_service = 'puppetdb'
$puppetdb_user = 'puppetdb'
$puppetdb_group = 'puppetdb'
$confdir = '/etc/puppetdb/conf.d' $confdir = '/etc/puppetdb/conf.d'
$puppet_confdir = '/etc/puppet' $puppet_confdir = '/etc/puppet'
$terminus_package = 'puppetdb-terminus' $terminus_package = 'puppetdb-terminus'
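Review bot: `$ssl_dir` is fixed to `/etc/puppetdb/ssl` at the top of the class, ahead of the `$::is_pe` branch that moves `$confdir` under `/etc/puppetlabs/`, so on PE the ssl directory does not follow the other PE-specific paths; if that is intentional a comment on that line saying so would save the next reader a question, otherwise the default belongs inside each branch the way `$confdir` is set. Because `$ssl_cert_path`, `$ssl_key_path` and `$ssl_ca_cert_path` interpolate `$ssl_dir` here in params, and server.pp takes each of the four values from params separately, overriding only `ssl_dir` on `puppetdb::server` does not move the three file paths; suggest the comment `# The *_path defaults are derived from the default ssl_dir here; overriding ssl_dir alone in puppetdb::server does not move them.` above the derived paths, or deriving them from the overridden value in the server class.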


@ -7,6 +7,15 @@ class puppetdb::server(
$ssl_listen_port = $puppetdb::params::ssl_listen_port, $ssl_listen_port = $puppetdb::params::ssl_listen_port,
$disable_ssl = $puppetdb::params::disable_ssl, $disable_ssl = $puppetdb::params::disable_ssl,
$open_ssl_listen_port = $puppetdb::params::open_ssl_listen_port, $open_ssl_listen_port = $puppetdb::params::open_ssl_listen_port,
$ssl_dir = $puppetdb::params::ssl_dir,
$ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths,
$ssl_cert_path = $puppetdb::params::ssl_cert_path,
$ssl_key_path = $puppetdb::params::ssl_key_path,
$ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path,
$ssl_deploy_certs = $puppetdb::params::ssl_deploy_certs,
$ssl_key = $puppetdb::params::ssl_key,
$ssl_cert = $puppetdb::params::ssl_cert,
$ssl_ca_cert = $puppetdb::params::ssl_ca_cert,
$database = $puppetdb::params::database, $database = $puppetdb::params::database,
$database_host = $puppetdb::params::database_host, $database_host = $puppetdb::params::database_host,
$database_port = $puppetdb::params::database_port, $database_port = $puppetdb::params::database_port,
@ -36,6 +45,8 @@ class puppetdb::server(
$puppetdb_package = $puppetdb::params::puppetdb_package, $puppetdb_package = $puppetdb::params::puppetdb_package,
$puppetdb_version = $puppetdb::params::puppetdb_version, $puppetdb_version = $puppetdb::params::puppetdb_version,
$puppetdb_service = $puppetdb::params::puppetdb_service, $puppetdb_service = $puppetdb::params::puppetdb_service,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
$puppetdb_service_status = $puppetdb::params::puppetdb_service_status, $puppetdb_service_status = $puppetdb::params::puppetdb_service_status,
$confdir = $puppetdb::params::confdir, $confdir = $puppetdb::params::confdir,
$manage_firewall = true, $manage_firewall = true,
@ -89,7 +100,6 @@ class puppetdb::server(
} }
if $manage_firewall { if $manage_firewall {
class { 'puppetdb::server::firewall': class { 'puppetdb::server::firewall':
http_port => $listen_port, http_port => $listen_port,
open_http_port => $open_listen_port, open_http_port => $open_listen_port,
@ -134,11 +144,50 @@ class puppetdb::server(
notify => Service[$puppetdb_service], notify => Service[$puppetdb_service],
} }
if str2bool($ssl_set_cert_paths) == true or str2bool($ssl_deploy_certs) == true {
validate_absolute_path($ssl_key_path)
validate_absolute_path($ssl_cert_path)
validate_absolute_path($ssl_ca_cert_path)
}
if str2bool($ssl_deploy_certs) == true {
validate_absolute_path($ssl_dir)
file{
$ssl_dir:
ensure => directory,
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0700';
$ssl_key_path:
ensure => file,
content => $ssl_key,
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0600';
$ssl_cert_path:
ensure => file,
content => $ssl_cert,
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0600';
$ssl_ca_cert_path:
ensure => file,
content => $ssl_ca_cert,
owner => $puppetdb_user,
group => $puppetdb_group,
mode => '0600';
}
}
class { 'puppetdb::server::jetty_ini': class { 'puppetdb::server::jetty_ini':
listen_address => $listen_address, listen_address => $listen_address,
listen_port => $listen_port, listen_port => $listen_port,
ssl_listen_address => $ssl_listen_address, ssl_listen_address => $ssl_listen_address,
ssl_listen_port => $ssl_listen_port, ssl_listen_port => $ssl_listen_port,
ssl_set_cert_paths => $ssl_set_cert_paths,
ssl_key_path => $ssl_key_path,
ssl_cert_path => $ssl_cert_path,
ssl_ca_cert_path => $ssl_ca_cert_path,
disable_ssl => $disable_ssl, disable_ssl => $disable_ssl,
confdir => $confdir, confdir => $confdir,
max_threads => $max_threads, max_threads => $max_threads,
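Review bot: The three file resources under `if str2bool($ssl_deploy_certs) == true` (key, cert and CA cert) carry no `notify => Service[$puppetdb_service]`, unlike the existing resource whose `notify => Service[$puppetdb_service],` line opens the hunk, so a rotated key or certificate is written to disk but PuppetDB keeps serving the old one until something else restarts it; add `notify => Service[$puppetdb_service],` to each of the three. The private key resource should also set `show_diff => false,` so the key material is not echoed into agent logs and reports when its content changes. Nothing checks that `$ssl_key`, `$ssl_cert` and `$ssl_ca_cert` are set when deploying: with the params defaults of undef the `content` attribute is presumably left unmanaged and an empty `private.pem` is created, so guard with `unless $ssl_key and $ssl_cert and $ssl_ca_cert { fail('puppetdb::server: ssl_deploy_certs requires ssl_key, ssl_cert and ssl_ca_cert') }` before the file block. Also, `ssl_deploy_certs` without `ssl_set_cert_paths` writes the files but does not point jetty.ini at them (only `ssl_set_cert_paths` is passed to `puppetdb::server::jetty_ini` at the end of the hunk), which deserves a comment at the `if` on the deploy branch. The class body continues outside the hunk.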


@ -5,6 +5,10 @@ class puppetdb::server::jetty_ini(
$ssl_listen_address = $puppetdb::params::ssl_listen_address, $ssl_listen_address = $puppetdb::params::ssl_listen_address,
$ssl_listen_port = $puppetdb::params::ssl_listen_port, $ssl_listen_port = $puppetdb::params::ssl_listen_port,
$disable_ssl = $puppetdb::params::disable_ssl, $disable_ssl = $puppetdb::params::disable_ssl,
$ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths,
$ssl_cert_path = $puppetdb::params::ssl_cert_path,
$ssl_key_path = $puppetdb::params::ssl_key_path,
$ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path,
$confdir = $puppetdb::params::confdir, $confdir = $puppetdb::params::confdir,
$max_threads = $puppetdb::params::max_threads, $max_threads = $puppetdb::params::max_threads,
) inherits puppetdb::params { ) inherits puppetdb::params {
@ -34,6 +38,25 @@ class puppetdb::server::jetty_ini(
default => 'present', default => 'present',
} }
if str2bool($ssl_set_cert_paths) == true {
# assume paths have been validated in calling class
ini_setting {'puppetdb_ssl_key':
ensure => present,
setting => 'ssl-key',
value => $ssl_key_path,
}
ini_setting {'puppetdb_ssl_cert':
ensure => present,
setting => 'ssl-cert',
value => $ssl_cert_path,
}
ini_setting {'puppetdb_ssl_ca_cert':
ensure => present,
setting => 'ssl-ca-cert',
value => $ssl_ca_cert_path,
}
}
ini_setting {'puppetdb_sslhost': ini_setting {'puppetdb_sslhost':
ensure => $ssl_setting_ensure, ensure => $ssl_setting_ensure,
setting => 'ssl-host', setting => 'ssl-host',
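Review bot: The new `ini_setting` resources for ssl-key, ssl-cert and ssl-ca-cert use `ensure => present` unconditionally, whereas the existing `puppetdb_sslhost` setting right below uses `$ssl_setting_ensure` (the selector closing at the top of the hunk, presumably 'absent' when `$disable_ssl` is set), so disabling ssl removes ssl-host but leaves the key paths in jetty.ini, and turning `ssl_set_cert_paths` back off never removes them either. Declaring the three settings unconditionally with an ensure derived from both flags keeps jetty.ini consistent with the other ssl-* settings. The comment `# assume paths have been validated in calling class` is fragile because this class has its own parameters and defaults and can be declared directly; repeating `validate_absolute_path` on the three paths here is cheap. The class body continues outside the hunk.
```puppet
  # ssl-key/ssl-cert/ssl-ca-cert follow the other ssl-* settings: absent when
  # ssl is disabled, and absent again once ssl_set_cert_paths is turned off,
  # so a previously written path does not linger in jetty.ini.
  $ssl_cert_paths_ensure = str2bool($ssl_set_cert_paths) ? {
    true    => $ssl_setting_ensure,
    default => 'absent',
  }
  ini_setting {'puppetdb_ssl_key':
    ensure  => $ssl_cert_paths_ensure,
    setting => 'ssl-key',
    value   => $ssl_key_path,
  }
  # … unchanged: puppetdb_ssl_cert and puppetdb_ssl_ca_cert, with the same ensure …
```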


@ -1,17 +1,19 @@
# PRIVATE CLASS - do not use directly # PRIVATE CLASS - do not use directly
class puppetdb::server::read_database_ini( class puppetdb::server::read_database_ini(
$database = $puppetdb::params::read_database, $database = $puppetdb::params::read_database,
$database_host = $puppetdb::params::read_database_host, $database_host = $puppetdb::params::read_database_host,
$database_port = $puppetdb::params::read_database_port, $database_port = $puppetdb::params::read_database_port,
$database_username = $puppetdb::params::read_database_username, $database_username = $puppetdb::params::read_database_username,
$database_password = $puppetdb::params::read_database_password, $database_password = $puppetdb::params::read_database_password,
$database_name = $puppetdb::params::read_database_name, $database_name = $puppetdb::params::read_database_name,
$database_ssl = $puppetdb::params::read_database_ssl, $database_ssl = $puppetdb::params::read_database_ssl,
$log_slow_statements = $puppetdb::params::read_log_slow_statements, $log_slow_statements = $puppetdb::params::read_log_slow_statements,
$conn_max_age = $puppetdb::params::read_conn_max_age, $conn_max_age = $puppetdb::params::read_conn_max_age,
$conn_keep_alive = $puppetdb::params::read_conn_keep_alive, $conn_keep_alive = $puppetdb::params::read_conn_keep_alive,
$conn_lifetime = $puppetdb::params::read_conn_lifetime, $conn_lifetime = $puppetdb::params::read_conn_lifetime,
$confdir = $puppetdb::params::confdir, $confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params { ) inherits puppetdb::params {
# Only add the read database configuration if database host is defined. # Only add the read database configuration if database host is defined.
@ -35,8 +37,8 @@ class puppetdb::server::read_database_ini(
file { "${confdir}/read_database.ini": file { "${confdir}/read_database.ini":
ensure => file, ensure => file,
owner => 'puppetdb', owner => $puppetdb_user,
group => 'puppetdb', group => $puppetdb_group,
mode => '0600'; mode => '0600';
} }