Defined Type: profile::puppetdb::site

Defined in:
modules/profile/manifests/puppetdb/site.pp

Summary

Define to configure secondary proxies to the local puppetdb. This allows puppetservers with different CA infrastructure to submit to the same puppetdb. In order to use this you will need to generate additional private keys and certs for the puppetdb servers. This can be done from the puppetca server using the following command: `puppetserver ca generate $fqdn`. The command should output the locations of the certificate paths. You should copy these to the necessary location in puppet and the private repo.

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • port (Stdlib::Port)

    the port to listen on

  • cert_source (Stdlib::Filesource)

    the puppet source location to the cert file to use.

  • key_secret_path (Optional[String[1]]) (defaults to: undef)

    a path to be passed to the secret function to get the content of the private key

  • key_source (Optional[Stdlib::Filesource]) (defaults to: undef)

    if specified, will be used to 'source' the key instead of key_secret_path

  • ca_source (Stdlib::Filesource)

    The puppet source location of the ca cert to use for client auth. You can get this by running the following on the puppet ca server: `cat $(sudo facter -p puppet_config.hostpubkey.localcacert)`

  • jetty_port (Stdlib::Port) (defaults to: 8080)

    the port of the backend jetty server

  • allowed_hosts (Array[Stdlib::Host]) (defaults to: [])

    a list of hosts allowed to use this site



# File 'modules/profile/manifests/puppetdb/site.pp', line 19

define profile::puppetdb::site (
    Stdlib::Port                 $port,
    Stdlib::Filesource           $cert_source,
    Optional[String[1]]          $key_secret_path = undef,
    Optional[Stdlib::Filesource] $key_source = undef,
    Stdlib::Filesource           $ca_source,
    Stdlib::Port                 $jetty_port    = 8080,
    Array[Stdlib::Host]          $allowed_hosts = [],
) {
    # One extra nginx vhost per $title: it terminates TLS with its own
    # cert/key/CA and hands requests to the local puppetdb jetty port,
    # so puppetservers under a different CA can still submit here.
    include sslcert::dhparam  # lint:ignore:wmf_styleguide

    # Exactly one origin for the private key must be supplied. Checked
    # before any resource is declared so a bad call fails immediately.
    if $key_secret_path =~ NotUndef and $key_source =~ NotUndef {
        fail('Specify either $key_secret_path or $key_source, not both')
    }
    if $key_secret_path =~ Undef and $key_source =~ Undef {
        fail('One of $key_secret_path or $key_source must be defined')
    }

    # Per-site directory that holds the TLS material referenced below.
    $ssl_dir = "/etc/nginx/ssl/${title}"
    wmflib::dir::mkdir_p($ssl_dir)

    $cert_path = "${ssl_dir}/cert.pem"
    $key_path  = "${ssl_dir}/key.pem"
    $ca_path   = "${ssl_dir}/ca.pem"

    # Everything the secondary.epp template needs to render the vhost.
    $params = {
        'site_name'    => $title,
        'port'         => $port,
        'jetty_port'   => $jetty_port,
        'cert'         => $cert_path,
        'key'          => $key_path,
        'ca'           => $ca_path,
        'ssl_settings' => ssl_ciphersuite('nginx', 'mid'),
    }

    # The key is either rendered from the private repo via secret() or
    # fetched from a puppet file source; only the chosen attribute is
    # splatted onto the file resource below.
    $key_origin = $key_secret_path ? {
        undef   => { 'source'  => $key_source },
        default => { 'content' => secret($key_secret_path) },
    }

    # All three PEM files share owner/group/mode, and show_diff is off so
    # their contents are never echoed into agent logs or reports.
    # NOTE(review): the execute bits in 0550 serve no purpose for PEM
    # files; 0440 would be the least-privilege choice — confirm nothing
    # depends on the current mode before tightening it.
    file {
        default:
            ensure    => file,
            owner     => 'puppetdb',
            group     => 'puppetdb',
            show_diff => false,
            mode      => '0550';
        $key_path:
            * => $key_origin;
        $cert_path:
            source => $cert_source;
        $ca_path:
            source => $ca_source;
    }

    nginx::site { $title:
        ensure  => present,
        content => epp('profile/puppetdb/secondary.epp', $params),
    }

    # No firewall rule is created when the allow-list is empty, so the
    # listener stays unreachable until hosts are explicitly granted.
    if !$allowed_hosts.empty {
        ferm::service { "puppetdb_${title}":
            proto  => tcp,
            port   => $port,
            srange => $allowed_hosts,
        }
    }
}