module-puppetdb/manifests/server.pp
Ken Barber 59100fd6bc (PDB-2571) Ensure all managed ini files have correct permissions
Much like read-database.ini, we need to ensure the permissions for puppetdb.ini and others are set explicitly
to ensure permissions are still correct after configuration. Without this users with different umask
settings may find their files are no longer accessible after the module runs.

This patch fixes this globally for all the ini files we currently manage (repl.ini is not managed fwiw).

This also fixes a bug whereby we were missing puppetdb::server::global from the main server class, it adds this
back and fixes the tests to ensure we don't lose it.

Signed-off-by: Ken Barber <ken@bob.sh>
2016-05-12 18:31:50 +01:00


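# Class to configure a PuppetDB server. See README.md for more details.
#
# Every parameter defaults to the value of the same name in puppetdb::params
# (inherited below).  The class validates the TTL, service-status and
# database-type parameters, installs the package, declares one class per
# managed config file (global, command_processing, database, read_database,
# jetty, puppetdb), optionally deploys the SSL key/certs and firewall rules,
# and orders all of that between the package and the service.
class puppetdb::server (
  $listen_address                    = $puppetdb::params::listen_address,
  $listen_port                       = $puppetdb::params::listen_port,
  $disable_cleartext                 = $puppetdb::params::disable_cleartext,
  $open_listen_port                  = $puppetdb::params::open_listen_port,
  $ssl_listen_address                = $puppetdb::params::ssl_listen_address,
  $ssl_listen_port                   = $puppetdb::params::ssl_listen_port,
  $disable_ssl                       = $puppetdb::params::disable_ssl,
  $open_ssl_listen_port              = $puppetdb::params::open_ssl_listen_port,
  $ssl_dir                           = $puppetdb::params::ssl_dir,
  $ssl_set_cert_paths                = $puppetdb::params::ssl_set_cert_paths,
  $ssl_cert_path                     = $puppetdb::params::ssl_cert_path,
  $ssl_key_path                      = $puppetdb::params::ssl_key_path,
  $ssl_ca_cert_path                  = $puppetdb::params::ssl_ca_cert_path,
  $ssl_deploy_certs                  = $puppetdb::params::ssl_deploy_certs,
  $ssl_key                           = $puppetdb::params::ssl_key,
  $ssl_cert                          = $puppetdb::params::ssl_cert,
  $ssl_ca_cert                       = $puppetdb::params::ssl_ca_cert,
  $ssl_protocols                     = $puppetdb::params::ssl_protocols,
  $database                          = $puppetdb::params::database,
  $database_host                     = $puppetdb::params::database_host,
  $database_port                     = $puppetdb::params::database_port,
  $database_username                 = $puppetdb::params::database_username,
  $database_password                 = $puppetdb::params::database_password,
  $database_name                     = $puppetdb::params::database_name,
  $database_ssl                      = $puppetdb::params::database_ssl,
  $jdbc_ssl_properties               = $puppetdb::params::jdbc_ssl_properties,
  $database_validate                 = $puppetdb::params::database_validate,
  $database_embedded_path            = $puppetdb::params::database_embedded_path,
  $node_ttl                          = $puppetdb::params::node_ttl,
  $node_purge_ttl                    = $puppetdb::params::node_purge_ttl,
  $report_ttl                        = $puppetdb::params::report_ttl,
  $gc_interval                       = $puppetdb::params::gc_interval,
  $log_slow_statements               = $puppetdb::params::log_slow_statements,
  $conn_max_age                      = $puppetdb::params::conn_max_age,
  $conn_keep_alive                   = $puppetdb::params::conn_keep_alive,
  $conn_lifetime                     = $puppetdb::params::conn_lifetime,
  $puppetdb_package                  = $puppetdb::params::puppetdb_package,
  $puppetdb_service                  = $puppetdb::params::puppetdb_service,
  $puppetdb_service_status           = $puppetdb::params::puppetdb_service_status,
  $puppetdb_user                     = $puppetdb::params::puppetdb_user,
  $puppetdb_group                    = $puppetdb::params::puppetdb_group,
  $read_database                     = $puppetdb::params::read_database,
  $read_database_host                = $puppetdb::params::read_database_host,
  $read_database_port                = $puppetdb::params::read_database_port,
  $read_database_username            = $puppetdb::params::read_database_username,
  $read_database_password            = $puppetdb::params::read_database_password,
  $read_database_name                = $puppetdb::params::read_database_name,
  $read_database_ssl                 = $puppetdb::params::read_database_ssl,
  $read_database_jdbc_ssl_properties = $puppetdb::params::read_database_jdbc_ssl_properties,
  $read_database_validate            = $puppetdb::params::read_database_validate,
  $read_log_slow_statements          = $puppetdb::params::read_log_slow_statements,
  $read_conn_max_age                 = $puppetdb::params::read_conn_max_age,
  $read_conn_keep_alive              = $puppetdb::params::read_conn_keep_alive,
  $read_conn_lifetime                = $puppetdb::params::read_conn_lifetime,
  $confdir                           = $puppetdb::params::confdir,
  $manage_firewall                   = $puppetdb::params::manage_firewall,
  $java_args                         = $puppetdb::params::java_args,
  $merge_default_java_args           = $puppetdb::params::merge_default_java_args,
  $max_threads                       = $puppetdb::params::max_threads,
  $command_threads                   = $puppetdb::params::command_threads,
  $store_usage                       = $puppetdb::params::store_usage,
  $temp_usage                        = $puppetdb::params::temp_usage,
  $certificate_whitelist_file        = $puppetdb::params::certificate_whitelist_file,
  $certificate_whitelist             = $puppetdb::params::certificate_whitelist,
) inherits puppetdb::params {

  # Deprecation warnings: the *_ssl flags are superseded by the
  # *jdbc_ssl_properties parameters, which are passed through below.
  if $database_ssl != undef {
    warning('$database_ssl is deprecated and will be removed in the next major release. Please use $jdbc_ssl_properties = "?ssl=true" instead.')
  }
  if $read_database_ssl != undef {
    warning('$read_database_ssl is deprecated and will be removed in the next major release. Please use $read_database_jdbc_ssl_properties = "?ssl=true" instead.')
  }

  # TTL handling: a bare '0' gets the 's' suffix so it passes the regex below;
  # everything else is lowercased and must be <digits><d|h|m|s|ms>.
  if $node_ttl == '0' {
    $node_ttl_real = '0s'
  } else {
    $node_ttl_real = downcase($node_ttl)
  }
  validate_re ($node_ttl_real, ['^\d+(d|h|m|s|ms)$'], "node_ttl is <${node_ttl}> which does not match the regex validation")

  if $node_purge_ttl == '0' {
    $node_purge_ttl_real = '0s'
  } else {
    $node_purge_ttl_real = downcase($node_purge_ttl)
  }
  validate_re ($node_purge_ttl_real, ['^\d+(d|h|m|s|ms)$'], "node_purge_ttl is <${node_purge_ttl}> which does not match the regex validation")

  if $report_ttl == '0' {
    $report_ttl_real = '0s'
  } else {
    $report_ttl_real = downcase($report_ttl)
  }
  validate_re ($report_ttl_real, ['^\d+(d|h|m|s|ms)$'], "report_ttl is <${report_ttl}> which does not match the regex validation")

  # Validate puppetdb_service_status and derive the service 'enable' flag.
  # $puppetdb_service_status itself is passed through as the 'ensure' value.
  $service_enabled = $puppetdb_service_status ? {
    /(running|true)/  => true,
    /(stopped|false)/ => false,
    default           => fail("puppetdb_service_status valid values are 'true', 'running', 'false', and 'stopped'. You provided '${puppetdb_service_status}'"),
  }

  # Validate database type (currently only postgres and embedded are supported).
  if !($database in ['postgres', 'embedded']) {
    fail("database must be 'postgres' or 'embedded'. You provided '${database}'")
  }

  # Validate read-database type (currently only postgres is supported).
  if !($read_database in ['postgres']) {
    fail("read_database must be 'postgres'. You provided '${read_database}'")
  }

  package { $puppetdb_package:
    ensure => $puppetdb::params::puppetdb_version,
    notify => Service[$puppetdb_service],
  }

  if $manage_firewall {
    class { 'puppetdb::server::firewall':
      http_port      => $listen_port,
      open_http_port => $open_listen_port,
      ssl_port       => $ssl_listen_port,
      open_ssl_port  => $open_ssl_listen_port,
    }
  }

  # NOTE(review): $vardir is not a parameter of this class; it is presumably
  # resolved through the inherited puppetdb::params scope.
  class { 'puppetdb::server::global':
    vardir         => $vardir,
    confdir        => $confdir,
    puppetdb_user  => $puppetdb_user,
    puppetdb_group => $puppetdb_group,
    notify         => Service[$puppetdb_service],
  }

  class { 'puppetdb::server::command_processing':
    command_threads => $command_threads,
    store_usage     => $store_usage,
    temp_usage      => $temp_usage,
    confdir         => $confdir,
    notify          => Service[$puppetdb_service],
  }

  class { 'puppetdb::server::database':
    database               => $database,
    database_host          => $database_host,
    database_port          => $database_port,
    database_username      => $database_username,
    database_password      => $database_password,
    database_name          => $database_name,
    database_ssl           => $database_ssl,
    jdbc_ssl_properties    => $jdbc_ssl_properties,
    database_validate      => $database_validate,
    database_embedded_path => $database_embedded_path,
    node_ttl               => $node_ttl,
    node_purge_ttl         => $node_purge_ttl,
    report_ttl             => $report_ttl,
    gc_interval            => $gc_interval,
    log_slow_statements    => $log_slow_statements,
    conn_max_age           => $conn_max_age,
    conn_keep_alive        => $conn_keep_alive,
    conn_lifetime          => $conn_lifetime,
    confdir                => $confdir,
    puppetdb_user          => $puppetdb_user,
    puppetdb_group         => $puppetdb_group,
    notify                 => Service[$puppetdb_service],
  }

  class { 'puppetdb::server::read_database':
    database            => $read_database,
    database_host       => $read_database_host,
    database_port       => $read_database_port,
    database_username   => $read_database_username,
    database_password   => $read_database_password,
    database_name       => $read_database_name,
    database_ssl        => $read_database_ssl,
    jdbc_ssl_properties => $read_database_jdbc_ssl_properties,
    database_validate   => $read_database_validate,
    log_slow_statements => $read_log_slow_statements,
    conn_max_age        => $read_conn_max_age,
    conn_keep_alive     => $read_conn_keep_alive,
    conn_lifetime       => $read_conn_lifetime,
    confdir             => $confdir,
    puppetdb_user       => $puppetdb_user,
    puppetdb_group      => $puppetdb_group,
    notify              => Service[$puppetdb_service],
  }

  # The cert paths are handed to jetty whenever they are either written into
  # jetty.ini (ssl_set_cert_paths) or deployed by us (ssl_deploy_certs), so
  # they must be absolute in both cases.
  if str2bool($ssl_set_cert_paths) == true
    or str2bool($ssl_deploy_certs) == true {
    validate_absolute_path($ssl_key_path)
    validate_absolute_path($ssl_cert_path)
    validate_absolute_path($ssl_ca_cert_path)
  }

  # Deploy the key material supplied via $ssl_key/$ssl_cert/$ssl_ca_cert.
  # The directory and files are owned by the PuppetDB user and readable by
  # nobody else.
  if str2bool($ssl_deploy_certs) == true {
    validate_absolute_path($ssl_dir)
    file {
      $ssl_dir:
        ensure => directory,
        owner  => $puppetdb_user,
        group  => $puppetdb_group,
        mode   => '0700';
      $ssl_key_path:
        ensure    => file,
        content   => $ssl_key,
        owner     => $puppetdb_user,
        group     => $puppetdb_group,
        mode      => '0600',
        # Never emit the private key as a content diff in agent reports/logs,
        # even on agents that run with show_diff enabled globally.
        show_diff => false,
        notify    => Service[$puppetdb_service];
      $ssl_cert_path:
        ensure  => file,
        content => $ssl_cert,
        owner   => $puppetdb_user,
        group   => $puppetdb_group,
        mode    => '0600',
        notify  => Service[$puppetdb_service];
      $ssl_ca_cert_path:
        ensure  => file,
        content => $ssl_ca_cert,
        owner   => $puppetdb_user,
        group   => $puppetdb_group,
        mode    => '0600',
        notify  => Service[$puppetdb_service];
    }
  }

  class { 'puppetdb::server::jetty':
    listen_address     => $listen_address,
    listen_port        => $listen_port,
    disable_cleartext  => $disable_cleartext,
    ssl_listen_address => $ssl_listen_address,
    ssl_listen_port    => $ssl_listen_port,
    ssl_set_cert_paths => $ssl_set_cert_paths,
    ssl_key_path       => $ssl_key_path,
    ssl_cert_path      => $ssl_cert_path,
    ssl_ca_cert_path   => $ssl_ca_cert_path,
    ssl_protocols      => $ssl_protocols,
    disable_ssl        => $disable_ssl,
    confdir            => $confdir,
    max_threads        => $max_threads,
    notify             => Service[$puppetdb_service],
    puppetdb_user      => $puppetdb_user,
    puppetdb_group     => $puppetdb_group,
  }

  class { 'puppetdb::server::puppetdb':
    certificate_whitelist_file => $certificate_whitelist_file,
    certificate_whitelist      => $certificate_whitelist,
    confdir                    => $confdir,
    puppetdb_user              => $puppetdb_user,
    puppetdb_group             => $puppetdb_group,
    notify                     => Service[$puppetdb_service],
  }

  # JAVA_ARGS in the init config: either merge each entry into the existing
  # value (ini_subsetting per key) or overwrite the whole setting.
  if !empty($java_args) {
    if $merge_default_java_args {
      create_resources(
        'ini_subsetting',
        puppetdb_create_subsetting_resource_hash(
          $java_args, {
            ensure            => present,
            section           => '',
            key_val_separator => '=',
            path              => $puppetdb::params::puppetdb_initconf,
            setting           => 'JAVA_ARGS',
            require           => Package[$puppetdb_package],
            notify            => Service[$puppetdb_service],
          }))
    } else {
      ini_setting { 'java_args':
        ensure  => present,
        section => '',
        path    => $puppetdb::params::puppetdb_initconf,
        setting => 'JAVA_ARGS',
        require => Package[$puppetdb_package],
        notify  => Service[$puppetdb_service],
        value   => puppetdb_flatten_java_args($java_args),
      }
    }
  }

  service { $puppetdb_service:
    ensure => $puppetdb_service_status,
    enable => $service_enabled,
  }

  # Ordering: every config-writing class runs after the package and before
  # the service.  puppetdb::server::global is chained here like the other
  # config classes; its notify alone would only order it before the service,
  # not after the package.
  if $manage_firewall {
    Package[$puppetdb_package] ->
    Class['puppetdb::server::firewall'] ->
    Class['puppetdb::server::global'] ->
    Class['puppetdb::server::command_processing'] ->
    Class['puppetdb::server::database'] ->
    Class['puppetdb::server::read_database'] ->
    Class['puppetdb::server::jetty'] ->
    Class['puppetdb::server::puppetdb'] ->
    Service[$puppetdb_service]
  } else {
    Package[$puppetdb_package] ->
    Class['puppetdb::server::global'] ->
    Class['puppetdb::server::command_processing'] ->
    Class['puppetdb::server::database'] ->
    Class['puppetdb::server::read_database'] ->
    Class['puppetdb::server::jetty'] ->
    Class['puppetdb::server::puppetdb'] ->
    Service[$puppetdb_service]
  }
}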