diff --git a/manifests/config.pp b/manifests/config.pp
index 555459f69..5563e5129 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -90,6 +90,7 @@
 if $::foreman_proxy::puppetca_modular {
 foreman_proxy::settings_file { [
 'puppetca_hostname_whitelisting',
+ 'puppetca_token_whitelisting',
 ]:
 module => false,
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 728b5fc66..4c9cc2fdb 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -83,6 +83,8 @@
 #
 # $autosignfile:: Hostname-Whitelisting only: Location of puppets autosign.conf
 #
+# $puppetca_tokens_file:: Token-Whitelisting only: Location of the tokens.yaml
+#
 # $manage_puppet_group:: Whether to ensure the $puppet_group exists. Also ensures group owner of ssl keys and certs is $puppet_group
 # Not applicable when ssl is false.
 #
@@ -295,6 +297,8 @@
 #
 # $puppetca_provider:: Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
 #
+# $puppetca_sign_all:: Token-whitelisting only: Whether to sign all CSRs without checking their token
+#
 class foreman_proxy (
 String $repo = $::foreman_proxy::params::repo,
 Boolean $gpgcheck = $::foreman_proxy::params::gpgcheck,
@@ -335,6 +339,8 @@
 Boolean $puppetca_modular = $::foreman_proxy::params::puppetca_modular,
 String $puppetca_provider = $::foreman_proxy::params::puppetca_provider,
 Stdlib::Absolutepath $autosignfile = $::foreman_proxy::params::autosignfile,
+ Boolean $puppetca_sign_all = $::foreman_proxy::params::puppetca_sign_all,
+ Stdlib::Absolutepath $puppetca_tokens_file = $::foreman_proxy::params::puppetca_tokens_file,
 Boolean $manage_puppet_group = $::foreman_proxy::params::manage_puppet_group,
 Boolean $puppet = $::foreman_proxy::params::puppet,
 Foreman_proxy::ListenOn $puppet_listen_on = $::foreman_proxy::params::puppet_listen_on,
diff --git a/manifests/params.pp b/manifests/params.pp
index 33f1c6fce..fa2536029 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
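Review bot: The new `$puppetca_tokens_file` doc line in manifests/init.pp names the file `tokens.yaml`, while the default this same commit adds in manifests/params.pp is `/var/lib/foreman-proxy/tokens.yml`; the mismatch sends readers looking for the wrong file. Suggest `# $puppetca_tokens_file:: Token-Whitelisting only: Location of the tokens.yml file`. The parameter documentation block this line belongs to continues outside the hunk.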
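Review bot: The `$puppetca_sign_all` documentation in the -295 hunk of manifests/init.pp says the flag signs all CSRs without checking their token, but not what that means operationally or what the default is, and by its own description this is the one switch that removes the whitelist check entirely. Suggest expanding it to `# $puppetca_sign_all:: Token-whitelisting only: Whether to sign all CSRs without checking their token. When true the tokens file is not consulted and every CSR presented to the CA is signed; defaults to false.` The "tokens file is not consulted" reading follows from the existing wording and should be confirmed against the provider's behaviour. The `class foreman_proxy (` parameter list opens in this hunk and continues past it.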
@@ -244,6 +244,8 @@
 $puppetca_cmd = "${puppet_cmd} cert"
 $puppet_group = 'puppet'
 $autosignfile = "${puppetdir}/autosign.conf"
+ $puppetca_sign_all = false
+ $puppetca_tokens_file = '/var/lib/foreman-proxy/tokens.yml'
 
 # The puppet-agent package, (puppet 4 AIO) doesn't create a puppet group
 $manage_puppet_group = versioncmp($::puppetversion, '4.0') > 0
diff --git a/spec/classes/foreman_proxy__config__spec.rb b/spec/classes/foreman_proxy__config__spec.rb
index 9fb3286ae..fe0e766b6 100644
--- a/spec/classes/foreman_proxy__config__spec.rb
+++ b/spec/classes/foreman_proxy__config__spec.rb
@@ -83,7 +83,7 @@
 'settings.d/dns_libvirt.yml', 'settings.d/dhcp.yml', 'settings.d/dhcp_isc.yml', 'settings.d/dhcp_libvirt.yml', 'settings.d/logs.yml', 'settings.d/puppet.yml', 'settings.d/puppetca.yml', 'settings.d/puppetca_hostname_whitelisting.yml',
- 'settings.d/puppet_proxy_customrun.yml',
+ 'settings.d/puppetca_token_whitelisting.yml', 'settings.d/puppet_proxy_customrun.yml',
 'settings.d/puppet_proxy_legacy.yml', 'settings.d/puppet_proxy_mcollective.yml', 'settings.d/puppet_proxy_puppet_api.yml', 'settings.d/puppet_proxy_puppetrun.yml', 'settings.d/puppet_proxy_salt.yml', 'settings.d/puppet_proxy_ssh.yml',
@@ -265,6 +265,14 @@
 ])
 end
 
+ it 'should generate correct puppetca_token_whitelisting.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_token_whitelisting.yml", [
+ '---',
+ ':tokens_file: /var/lib/foreman-proxy/tokens.yml',
+ ':sign_all: false'
+ ])
+ end
+
 tftp_root = case facts[:osfamily]
 when 'Debian'
 case facts[:operatingsystem]
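Review bot: The default `$puppetca_tokens_file = '/var/lib/foreman-proxy/tokens.yml'` is only written into the provider's settings file; nothing in this change declares a `file` resource for the token store or its directory, so ownership and mode of a file that the provider treats as an authorization source are left to whatever first creates it. If the proxy does not create it itself with restrictive permissions (not visible in this diff), consider having the module manage it as owned by the proxy user with mode 0600, or state in the init.pp documentation that the operator is expected to. The params class continues outside the hunk.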
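Review bot: The expected lines in the new `puppetca_token_whitelisting.yml` example list `:tokens_file:` before `:sign_all:`, but the template added in this commit emits `:sign_all:` first and `:tokens_file:` second. If `verify_exact_contents` compares lines in order (its definition is not in this diff), this example and the matching one in the -803 hunk fail; either swap the two expected lines to `':sign_all: false',` followed by `':tokens_file: /var/lib/foreman-proxy/tokens.yml'`, or reorder the template to match. The enclosing `context` block starts outside the hunk.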
@@ -803,6 +811,45 @@
 it 'should not generate a puppetca_hostname_whitelisting' do
 should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_hostname_whitelisting")
 end
+
+ it 'should not generate a puppetca_hostname_whitelisting' do
+ should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_token_whitelisting")
+ end
+ end
+
+ context 'with custom puppetca params' do
+ let :pre_condition do
+ 'class { "foreman_proxy":
+ puppetca_provider => "puppetca_token_whitelisting",
+ puppetca_sign_all => true,
+ puppetca_tokens_file => "/foo/bar.yml",
+ autosignfile => "/bar/baz.conf",
+ }'
+ end
+
+ it 'should generate correct puppetca.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
+ '---',
+ ':enabled: https',
+ ':use_provider: puppetca_token_whitelisting',
+ ":ssldir: #{ssl_dir}",
+ ])
+ end
+
+ it 'should generate correct puppetca_hostname_whitelisting.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml", [
+ '---',
+ ":autosignfile: /bar/baz.conf",
+ ])
+ end
+
+ it 'should generate correct puppetca_token_whitelisting.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_token_whitelisting.yml", [
+ '---',
+ ':tokens_file: /foo/bar.yml',
+ ':sign_all: true'
+ ])
+ end
 end
 
 context 'when puppetrun_provider and puppetrun_cmd set' do
diff --git a/templates/puppetca_token_whitelisting.yml.erb b/templates/puppetca_token_whitelisting.yml.erb
new file mode 100644
index 000000000..17c199fb7
--- /dev/null
+++ b/templates/puppetca_token_whitelisting.yml.erb
@@ -0,0 +1,7 @@
+---
+#
+# Configuration of the PuppetCA token_whitelisting provider
+#
+
+:sign_all: <%= scope.lookupvar('foreman_proxy::puppetca_sign_all') %>
+:tokens_file: <%= scope.lookupvar('foreman_proxy::puppetca_tokens_file') %>
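Review bot: The new negative example asserts the absence of `#{etc_dir}/foreman-proxy/settings.d/puppet_token_whitelisting`, a path the module never produces (the settings file added elsewhere in this commit is `puppetca_token_whitelisting.yml`), so it passes regardless of what the catalogue contains; it copies the same name mismatch from the `puppet_hostname_whitelisting` example just above it. Change the assertion to `should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppetca_token_whitelisting.yml")` and the copied description `'should not generate a puppetca_hostname_whitelisting'` to name `puppetca_token_whitelisting`. The `context` these examples belong to starts outside the hunk, so I have not checked which puppetca settings it disables.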