Defined Type: profile::puppetdb::site
- Defined in:
- modules/profile/manifests/puppetdb/site.pp
Summary
Define to configure secondary proxies to the local puppetdb. This allows puppetservers with different CA infrastructure to submit to the same puppetdb. In order to use this you will need to generate additional private keys and certs for the puppetdb servers. This can be done from the puppetca server using the following command: `puppetserver ca generate $fqdn`. The command should output the paths of the generated certificates. You should copy these to the necessary locations in puppet and the private repo.
Overview
SPDX-License-Identifier: Apache-2.0
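# @summary Configure a secondary nginx proxy to the local puppetdb.
#
# Creates /etc/nginx/ssl/<title>/ holding the key, cert and CA for this
# site, renders the nginx site from profile/puppetdb/secondary.epp and,
# when $allowed_hosts is non-empty, opens $port in ferm for those hosts.
#
# @param port
#   TCP port the nginx site listens on; also the port opened in ferm.
# @param cert_source
#   File source for the site certificate, installed as cert.pem.
# @param key_secret_path
#   Path handed to secret() to fetch the private key content.  Mutually
#   exclusive with $key_source; exactly one of the two must be given.
# @param key_source
#   File source for the private key, installed as key.pem.  Mutually
#   exclusive with $key_secret_path.
# @param ca_source
#   File source for the CA bundle, installed as ca.pem.
# @param jetty_port
#   Passed to the template as `jetty_port`; presumably the local puppetdb
#   listener that nginx proxies to -- confirm against secondary.epp.
# @param allowed_hosts
#   Hosts granted access to $port via ferm.  An empty list means no ferm
#   rule is created at all.
define profile::puppetdb::site (
  Stdlib::Port                 $port,
  Stdlib::Filesource           $cert_source,
  Optional[String[1]]          $key_secret_path = undef,
  Optional[Stdlib::Filesource] $key_source      = undef,
  Stdlib::Filesource           $ca_source,
  Stdlib::Port                 $jetty_port      = 8080,
  Array[Stdlib::Host]          $allowed_hosts   = [],
) {
  include sslcert::dhparam # lint:ignore:wmf_styleguide

  # Exactly one way of supplying the key must be used; abort the catalog
  # compile before declaring any resources otherwise.
  if $key_secret_path != undef and $key_source != undef {
    fail('Specify either $key_secret_path or $key_source, not both')
  }
  if $key_secret_path == undef and $key_source == undef {
    fail('One of $key_secret_path or $key_source must be defined')
  }

  $ssl_dir = "/etc/nginx/ssl/${title}"
  wmflib::dir::mkdir_p($ssl_dir)

  # Everything the nginx template needs, plus the on-disk PEM locations.
  $params = {
    'site_name'    => $title,
    'port'         => $port,
    'jetty_port'   => $jetty_port,
    'cert'         => "${ssl_dir}/cert.pem",
    'key'          => "${ssl_dir}/key.pem",
    'ca'           => "${ssl_dir}/ca.pem",
    'ssl_settings' => ssl_ciphersuite('nginx', 'mid'),
  }

  # Resolve the key content up front so one file resource covers both
  # input styles: a resource attribute set to undef is treated as not
  # specified, so only one of content/source is ever in effect.
  $key_content = $key_secret_path ? {
    undef   => undef,
    default => secret($key_secret_path),
  }

  # All three PEM files share ownership and mode; show_diff is disabled so
  # the key material is not printed in diffs in agent logs or reports.
  # NOTE(review): 0550 sets the execute bit on key material; 0440 would be
  # sufficient for read access -- confirm nothing relies on it before changing.
  file {
    default:
      ensure    => file,
      owner     => 'puppetdb',
      group     => 'puppetdb',
      show_diff => false,
      mode      => '0550';
    $params['key']:
      content => $key_content,
      source  => $key_source;
    $params['cert']:
      source  => $cert_source;
    $params['ca']:
      source  => $ca_source;
  }

  nginx::site { $title:
    ensure  => present,
    content => epp('profile/puppetdb/secondary.epp', $params),
  }

  # Without an explicit allow list no firewall hole is opened for $port.
  unless $allowed_hosts.empty() {
    ferm::service { "puppetdb_${title}":
      proto  => tcp,
      port   => $port,
      srange => $allowed_hosts,
    }
  }
}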