the param manage_firewall was added in an earlier release to puppetdb::server. The class isn't called directly but via the init.pp. the puppetdb class had already the param manage_firewall but this wasn't forwarded to puppetdb::server
puppetdb::server calls puppetdb::server:jetty_ini,
jetty_ini is able to set ssl_protocols, but this param isn't
present in the puppetdb::server class nor in the puppetdb class
For some reasons we switched this to use /usr/share/puppetdb/db, which has a
softlink to /var/lib/puppetdb/db. This is not aligned with the PuppetDB core
nor is it following FHS.
Signed-off-by: Ken Barber <ken@bob.sh>
Previously the defined check wasn't working as expected, this patches fixes
this by relying on the check for the `puppetdb` class instead.
Tests have been added, and the README has been updated to include the new
puppetdb_disable_ssl parameter for the `puppetdb::master::config` class.
This provides a number of cleanups as the code has been unloved for a while.
I've added the ssl-* parameters the robinbowes added in his last patch to the
docs, and found some other cleanups as well where applicable.
I've added the ability to override the test_url also, so that in the future
if a user wishes to they can customize this.
Signed-off-by: Ken Barber <ken@bob.sh>
is_pe being a fact, its smarter her to coerce the value of it too a boolean, in
case we still receive the value as a string. In the future structured facts
will become the norm.
I've also removed the patch against the values for puppetdb_service_status, matching
against a bareword boolean while it looks good, if the value is indeed a boolean the
in will fail in the current parser. This can be brought up again in the future.
Signed-off-by: Ken Barber <ken@bob.sh>
Ensure that for PostgreSQL backends, the database validation functions
are not run until the initial database creation and user role creation
has been completed.
Closes-Bug: #1298605
...rather than the custom logic that was used previously. Using a
uniform canon fact across all modules that need to differentiate between
PE and POSS makes unusual situations (such as having a missing
/opt/puppet/pe_version file) more, well, uniform.
The tests were failing on Ubuntu, and I noticed that the OOM killer
was killing java. This patch increases the memory size for each
image to avoid this.
Signed-off-by: Ken Barber <ken@bob.sh>
This updates the module to be able to use puppetlabs-postgresql.
Since this change is a major change, it marks this patch as a breaking change.
I have prepared a suitable amount of upgrade notes for upgrading to this later
version of the module plus removed anything marked deprecated.
As cleanup, I've removed the troublesome 'tests' directory in favour of good
README.md documentation. I've also removed any puppet docs from each module
until such times as puppet docs become automated through the forge. This is
just to avoid contributors having to double their efforts - the README.md
is the authority now.
Signed-off-by: Ken Barber <ken@bob.sh>
PostgreSQL supports secure connections through SSL. For PuppetDB
to connect with SSL, "?ssl=true" has to be specified on the
connection string.
This patch adds such a switch, by default PuppetDB will not use SSL
to connect to the database.
In some cases it may not be possible to securely specify a password for
PuppetDB. When that is true, it's impossible to use the module to manage
PuppetDB, because specifying undef for the password will cause database
validation to fail, or for the setting in database.ini to be overridden.
This change will simply check that database_password is set, and will
skip validation and changing database.ini in the case where it is not.
This patch adds all the missing parameters now defined in the 1.4.0 release.
This includes some new database parameters mainly, but also adds gc_interval
to the `puppetdb` and `puppetdb::server` classes, as previously this wasn't
configurable using this method.
To avoid documentation duplication the Puppet headers have been removed in
favour of documenting classes from the README.md. Until such times as the
forge can turn Puppet docs into HTML automatically, this is just duplicate
noise and prone to update slippage. The README.md is more authoritative in
this area and is pubicly displayed on the forge project page so it should be
used for now.
Signed-off-by: Ken Barber <ken@bob.sh>
Chris Barker reported that the default value of `$::clientcert`
was not the best choice for some things we were using it for
in the module; specifically, for the default value of
the jetty ssl listen address. He suggested using `$::fqdn` instead.
This commit makes that change; rspec-system tests pass, but I'm
not 100% sure that there aren't edge cases that would be
affected by this.
This adds a basic test to run the standard 1 node setup until it succeeds.
This also fixes a bug with the connection validation facilities. Before this
patch we would keep retrying the connection to PuppetDB until the timeout
expired, this patch fixes that bug making provisioning faster and well, more
reliable. I've also increased the timeout as some systems take longer than
15 seconds for PuppetDB to start.
Signed-off-by: Ken Barber <ken@bob.sh>
This patch introduces the optional parameter $disable_ssl, which
defaults to false. If set to true, the settings ssl-host and ssl-port
are completely removed from the Jetty section of the PuppetDB config
files.
This disables serving of HTTPS requests by PuppetDB, which can be useful
when SSL handling is offloaded to a reverse proxy server like Apache or
Nginx, as suggested in the PuppetDB documentation (see
http://docs.puppetlabs.com/puppetdb/1.2/connect_puppet_apply.html#option-a-set-up-an-ssl-proxy-for-puppetdb).
Prior to this commit, the deprecated `manage_redhat_firewall` param
was not actually backward compatible because there were several
cases where we couldn't tell the difference between the user
explicitly specifying `false` for that parameter as opposed to
not specifying it at all. This commit is a bit ugly because it
sets some defaults to `undef` in order to allow us to tell the
difference between the two cases, but it should resolve backwards
compatibility issues.
Prior to this commit the module did not provide a way to set a bind address for the HTTP port. This
commit allows users to not only bind to an address and port other than localhost and 8080, but it also
opens the firewall if explicitly requested.
Prior to this commit if you tried to use the classes
`puppetdb::master::routes` or `puppetdb::master::storeconfigs`
directly (rather than implicitly through
`puppetdb::master::config`), you would get a failure about
`puppetdb::params` not having been evaluated. This is because
the classes were missing an `inherits` statement; this commit
fixes both of them.
Prior to this commit if you tried to use the class
`puppetdb::master::puppetdb_conf` directly (rather than
implicitly through `puppetdb::master::config`), you would
get a failure about `puppetdb::params` not having been
evaluated. This is because the class was missing an
`inherits` statement; this commit fixes the bug.
The subname value in database.ini when using an embedded database varies
between the Puppet Enterprise package and the FOSS Puppet package.
Previously, the PuppetDB module could not successfully manage an
embedded database on a PE master. This commit adds an additional
parameter and utilization to account for this.
In some environments, puppetdb can take longer than 10 seconds
to start up. Prior to this commit, that value was hard coded
and the module would sometimes fail when it wouldn't have failed
with a slightly larger timeout. This commit makes the timeout
configurable, and also increases the default value to 15 seconds.
This is just a small add-on to Hunter's commits where he added
extra parameters to support PE. This commit just cleans up
some of my old comments that were made irrelevant or inaccurate
due to the work that he did, and adds a bit of documentation to
the new test manifest that he created.
Prior to this commit, the module always attempted
to restart the puppet master service whenever it
managed the master config files. This commit
disables that behavior since our acceptance nodes
don't have the service installed.
Prior to this commit, if you allowed the puppetdb module
to manage postgres for you, it would always try to manage
the firewall for the postgres port on redhat systems.
This commit exposes that as a parameter in a few more
spots, and passes it through to the postgres module.
Prior to this commit, users needed to be aware that the puppet
master service would need a restart if certain config files
were changed (routes.yaml, puppetdb.conf). This commit
adds a notification that will trigger a service restart if
those files are modified.
Prior to this commit, all of the puppetdb packages were being
installed with 'ensure=present'. This commit changes things
so that you can explicitly specify a version if you desire;
the default is still 'present'.
This commit does the following:
* Use the new inifile module to manage puppet.conf
* More comprehensive management of config files
* Validate database connectivity before applying puppetdb
config changes
* Validate puppetdb connectivity before applying puppet
master config changes
* Documentation
