Add puppet http api support

README.md

@@ -10,14 +10,17 @@ Part of the Foreman installer: <https://github.com/theforeman/foreman-installer>
 
 ## Compatibility
 
-| Module version | Proxy versions | Notes                                           |
-|----------------|----------------|-------------------------------------------------|
-| 10.x           | 1.19 and newer |                                                 |
-| 5.x - 9.x      | 1.16 - 1.20    | See compatibility notes here for 1.16-1.18      |
-| 4.x            | 1.12 - 1.17    | See compatibility notes in its README for 1.15+ |
-| 3.x            | 1.11           |                                                 |
-| 2.x            | 1.5 - 1.10     |                                                 |
-| 1.x            | 1.4 and older  |                                                 |
+| Module version | Proxy versions | Notes                                               |
+|----------------|----------------|-----------------------------------------------------|
+| 11.x           | 1.19 and newer | See compatibility notes in its README for 1.19-1.21 |
+| 10.x           | 1.19 - 1.21    |                                                     |
+| 5.x - 9.x      | 1.16 - 1.20    | See compatibility notes in its README for 1.16-1.18 |
+| 4.x            | 1.12 - 1.17    | See compatibility notes in its README for 1.15+     |
+| 3.x            | 1.11           |                                                     |
+| 2.x            | 1.5 - 1.10     |                                                     |
+| 1.x            | 1.4 and older  |                                                     |
+
+Starting version 1.22 the Puppet CA configuration is split depending on the provider. When using the module with 1.19 - 1.21, set `puppetca_split_configs` to `false`.
 
 ## Examples
 

manifests/config.pp

@@ -113,8 +113,17 @@
     listen_on => $::foreman_proxy::logs_listen_on,
   }
 
+  if $foreman_proxy::puppetca_split_configs {
+    foreman_proxy::settings_file { [
+        'puppetca_http_api',
+        'puppetca_puppet_cert',
+      ]:
+        module => false,
+    }
+  }
+
   if $foreman_proxy::puppetca or $foreman_proxy::puppet {
-    $puppetca_sudo = $foreman_proxy::puppetca
+    $puppetca_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0
     $puppetrun_sudo = $foreman_proxy::puppet and $foreman_proxy::puppetrun_provider == 'puppetrun'
     $uses_sudo = $puppetrun_sudo or $puppetca_sudo
 

manifests/init.pp

@@ -301,6 +301,9 @@
 #
 # $dhcp_manage_acls::           Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750.
 #
+# $puppetca_split_configs::     Whether to split the puppetca configs. This is only supported on 1.22+.
+#                               Set to false for older versions.
+#
 # $puppetca_provider::          Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
 #
 # $puppetca_sign_all::          Token-whitelisting only: Whether to sign all CSRs without checking their token
@@ -340,6 +343,7 @@
   Boolean $use_sudoersd = $::foreman_proxy::params::use_sudoersd,
   Boolean $use_sudoers = $::foreman_proxy::params::use_sudoers,
   Boolean $puppetca = $::foreman_proxy::params::puppetca,
+  Boolean $puppetca_split_configs = $::foreman_proxy::params::puppetca_split_configs,
   Foreman_proxy::ListenOn $puppetca_listen_on = $::foreman_proxy::params::puppetca_listen_on,
   Stdlib::Absolutepath $ssldir = $::foreman_proxy::params::ssldir,
   Stdlib::Absolutepath $puppetdir = $::foreman_proxy::params::puppetdir,

manifests/params.pp

@@ -202,6 +202,7 @@
 
   # puppetca settings
   $puppetca              = true
+  $puppetca_split_configs = true
   $puppetca_provider     = 'puppetca_hostname_whitelisting'
   $puppetca_listen_on    = 'https'
   $puppetca_cmd          = "${puppet_cmd} cert"

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "theforeman-foreman_proxy",
-  "version": "10.0.0",
+  "version": "11.0.0",
   "author": "theforeman",
   "summary": "Foreman Smart Proxy configuration",
   "license": "GPL-3.0+",

spec/classes/foreman_proxy__spec.rb

@@ -78,24 +78,30 @@
         end
 
         it 'should create configuration files' do
-          [ 'settings.yml', 'settings.d/bmc.yml', 'settings.d/dns.yml',
-            'settings.d/dns_nsupdate.yml', 'settings.d/dns_nsupdate_gss.yml',
-            'settings.d/dns_libvirt.yml', 'settings.d/dhcp.yml', 'settings.d/dhcp_isc.yml',
-            'settings.d/dhcp_libvirt.yml', 'settings.d/logs.yml', 'settings.d/puppet.yml',
-            'settings.d/puppetca.yml', 'settings.d/puppetca_hostname_whitelisting.yml',
-            'settings.d/puppetca_token_whitelisting.yml', 'settings.d/puppet_proxy_customrun.yml',
-            'settings.d/puppet_proxy_legacy.yml', 'settings.d/puppet_proxy_mcollective.yml',
-            'settings.d/puppet_proxy_puppet_api.yml', 'settings.d/puppet_proxy_puppetrun.yml',
-            'settings.d/puppet_proxy_salt.yml', 'settings.d/puppet_proxy_ssh.yml',
-            'settings.d/realm.yml', 'settings.d/templates.yml', 'settings.d/tftp.yml' ].each do |cfile|
-            should contain_file("#{etc_dir}/foreman-proxy/#{cfile}").
-              with({
-                :owner   => 'root',
-                :group   => "#{proxy_user_name}",
-                :mode    => '0640',
-                :require => 'Class[Foreman_proxy::Install]',
-                :notify  => 'Class[Foreman_proxy::Service]',
-              })
+          should contain_file("#{etc_dir}/foreman-proxy/settings.yml")
+            .with_owner('root')
+            .with_group(proxy_user_name)
+            .with_mode('0640')
+            .that_requires('Class[Foreman_proxy::Install]')
+            .that_notifies('Class[Foreman_proxy::Service]')
+
+          [
+            'bmc',
+            'dns', 'dns_libvirt', 'dns_nsupdate', 'dns_nsupdate_gss',
+            'dhcp', 'dhcp_isc', 'dhcp_libvirt',
+            'logs',
+            'puppet', 'puppet_proxy_legacy', 'puppet_proxy_puppet_api',
+            'puppet_proxy_customrun', 'puppet_proxy_mcollective', 'puppet_proxy_puppetrun', 'puppet_proxy_salt', 'puppet_proxy_ssh',
+            'puppetca', 'puppetca_http_api', 'puppetca_puppet_cert',
+            'puppetca_hostname_whitelisting', 'puppetca_token_whitelisting',
+            'realm', 'templates', 'tftp'
+          ].each do |cfile|
+            should contain_file("#{etc_dir}/foreman-proxy/settings.d/#{cfile}.yml")
+              .with_owner('root')
+              .with_group(proxy_user_name)
+              .with_mode('0640')
+              .that_requires('Class[Foreman_proxy::Install]')
+              .that_notifies('Class[Foreman_proxy::Service]')
           end
         end
 
@@ -290,6 +296,23 @@
             '---',
             ':enabled: https',
             ':use_provider: puppetca_hostname_whitelisting',
+            ":puppet_version: #{Puppet.version}",
+          ])
+        end
+
+        it 'should generate correct puppetca_http_api.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_http_api.yml", [
+            '---',
+            ":puppet_url: https://#{facts[:fqdn]}:8140",
+            ":puppet_ssl_ca: #{ssl_dir}/certs/ca.pem",
+            ":puppet_ssl_cert: #{ssl_dir}/certs/#{facts[:fqdn]}.pem",
+            ":puppet_ssl_key: #{ssl_dir}/private_keys/#{facts[:fqdn]}.pem",
+          ])
+        end
+
+        it 'should generate correct puppetca_puppet_cert.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_puppet_cert.yml", [
+            '---',
             ":ssldir: #{ssl_dir}",
           ])
         end
@@ -376,23 +399,8 @@
         end
 
         it 'should set up sudo rules' do
-          should contain_file("#{etc_dir}/sudoers.d").with_ensure('directory')
-
-          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with({
-            :ensure  => 'file',
-            :owner   => 'root',
-            :group   => 0,
-            :mode    => '0440',
-          })
-
-          verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
-            "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
-            "Defaults:#{proxy_user_name} !requiretty",
-          ])
-        end
-
-        it "should manage #{etc_dir}/sudoers.d" do
-          should contain_file("#{etc_dir}/sudoers.d").with_ensure('directory')
+          should_not contain_file("#{etc_dir}/sudoers.d")
+          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')
         end
 
         it "should not manage puppet group" do
@@ -764,7 +772,7 @@
         end
       end
 
-      context 'when puppetca_cmd set' do
+      context 'when puppetca_cmd set', if: Puppet.version < '6.0' do
         let(:params) { super().merge(puppetca_cmd: 'pup cert') }
 
         it "should set puppetca_cmd" do
@@ -792,7 +800,7 @@
             '---',
             ':enabled: https',
             ':use_provider: puppetca_token_whitelisting',
-            ":ssldir: #{ssl_dir}",
+            ":puppet_version: #{Puppet.version}",
           ])
         end
 
@@ -815,7 +823,7 @@
       end
 
       context 'when puppetrun_provider => puppetrun' do
-        let(:params) { super().merge(puppetrun_provider: 'puppetrun') }
+        let(:params) { super().merge(puppetrun_provider: 'puppetrun', puppetca: false) }
 
         context 'when puppetrun_provider and puppetrun_cmd set' do
           let(:params) do
@@ -829,7 +837,6 @@
           it "should set puppetrun_cmd" do
             should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('file')
             verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
-              "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
               "#{proxy_user_name} ALL = (root) NOPASSWD : mco puppet runonce *",
               "Defaults:#{proxy_user_name} !requiretty",
             ])
@@ -842,7 +849,6 @@
           it "should set puppetrun_cmd" do
             should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('file')
             verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
-              "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
               "#{proxy_user_name} ALL = (some_puppet_user) NOPASSWD : #{puppetrun_command}",
               "Defaults:#{proxy_user_name} !requiretty",
             ])
@@ -858,25 +864,33 @@
       context 'when puppet disabled' do
         let(:params) { super().merge(puppet: false) }
 
-        it "should not set puppetrun" do
+        it "should not set puppetrun", if: Puppet.version < '6.0' do
           should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('file')
           verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
             "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
             "Defaults:#{proxy_user_name} !requiretty",
           ])
         end
+
+        it "should remove sudoers.d", if: Puppet.version >= '6.0' do
+          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')
+        end
       end
 
       context 'when puppet enabled, but not provider puppetrun' do
         let(:params) { super().merge(puppetrun_provider: 'salt') }
 
-        it "should not set puppetrun" do
+        it "should not set puppetrun", if: Puppet.version < '6.0' do
           should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('file')
           verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
             "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
             "Defaults:#{proxy_user_name} !requiretty",
           ])
         end
+
+        it "should remove sudoers.d", if: Puppet.version >= '6.0' do
+          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')
+        end
       end
 
       context 'when puppetca and puppet disabled' do
@@ -902,7 +916,7 @@
           should_not contain_file("#{etc_dir}/sudoers.d/foreman-proxy")
         end
 
-        it "should modify #{etc_dir}/sudoers" do
+        it "should modify #{etc_dir}/sudoers", if: Puppet.version < '6.0' do
           should contain_augeas('sudo-foreman-proxy').with_context("/files#{etc_dir}/sudoers")
 
           changes = catalogue.resource('augeas', 'sudo-foreman-proxy').send(:parameters)[:changes]
@@ -919,6 +933,17 @@
           ])
         end
 
+        it "should modify #{etc_dir}/sudoers", if: Puppet.version >= '6.0' do
+          should contain_augeas('sudo-foreman-proxy').with_context("/files#{etc_dir}/sudoers")
+
+          changes = catalogue.resource('augeas', 'sudo-foreman-proxy').send(:parameters)[:changes]
+          expect(changes.split("\n")).to match_array([
+            "rm spec[user = '#{proxy_user_name}'][position() > 0]",
+            "set Defaults[type = ':#{proxy_user_name}']/type :#{proxy_user_name}",
+            "set Defaults[type = ':#{proxy_user_name}']/requiretty/negate ''",
+          ])
+        end
+
         context 'when use_sudoers => false' do
           let(:params) { super().merge(use_sudoers: false) }
 
@@ -943,7 +968,7 @@
         context 'when puppetrun_provider == puppetrun' do
           let(:params) { super().merge(puppetrun_provider: 'puppetrun') }
 
-          it "should modify #{etc_dir}/sudoers for puppetca and puppetrun" do
+          it "should modify #{etc_dir}/sudoers for puppetca and puppetrun", if: Puppet.version < '6.0' do
             changes = catalogue.resource('augeas', 'sudo-foreman-proxy').send(:parameters)[:changes]
             expect(changes.split("\n")).to match_array([
               "set spec[user = '#{proxy_user_name}'][1]/user #{proxy_user_name}",
@@ -963,6 +988,21 @@
               "set Defaults[type = ':#{proxy_user_name}']/requiretty/negate ''",
             ])
           end
+
+          it "should modify #{etc_dir}/sudoers for puppetrun", if: Puppet.version >= '6.0' do
+            changes = catalogue.resource('augeas', 'sudo-foreman-proxy').send(:parameters)[:changes]
+            expect(changes.split("\n")).to match_array([
+              "set spec[user = '#{proxy_user_name}'][1]/user #{proxy_user_name}",
+              "set spec[user = '#{proxy_user_name}'][1]/host_group/host ALL",
+              "set spec[user = '#{proxy_user_name}'][1]/host_group/command '#{puppetrun_command}'",
+              "set spec[user = '#{proxy_user_name}'][1]/host_group/command/runas_user root",
+              "set spec[user = '#{proxy_user_name}'][1]/host_group/command/tag NOPASSWD",
+              "rm spec[user = '#{proxy_user_name}'][1]/host_group/command[position() > 1]",
+              "rm spec[user = '#{proxy_user_name}'][position() > 1]",
+              "set Defaults[type = ':#{proxy_user_name}']/type :#{proxy_user_name}",
+              "set Defaults[type = ':#{proxy_user_name}']/requiretty/negate ''",
+            ])
+          end
         end
       end
 

templates/puppetca.yml.erb

@@ -1,5 +1,17 @@
 ---
 # PuppetCA management
+# Can be true, false, or http/https to enable just one of the protocols
 :enabled: <%= @module_enabled %>
+<% unless scope.lookupvar("foreman_proxy::puppetca_split_configs") -%>
 :ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+<% end -%>
+
+# valid providers:
+#   - puppetca_hostname_whitelisting (verify CSRs based on a hostname whitelist)
+#   - puppetca_token_whitelisting (verify CSRs based on a token whitelist)
 :use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
+<% if scope.lookupvar("foreman_proxy::puppetca_split_configs") -%>
+
+# Puppet version used
+:puppet_version: <%= @puppetversion %>
+<% end -%>

templates/puppetca_http_api.yml.erb

@@ -0,0 +1,8 @@
+---
+# URL of the puppet master itself for API requests.
+:puppet_url: <%= scope.lookupvar("foreman_proxy::puppet_url") %>
+#
+# SSL certificates used to access the CA API.
+:puppet_ssl_ca: <%= scope.lookupvar("foreman_proxy::puppet_ssl_ca") %>
+:puppet_ssl_cert: <%= scope.lookupvar("foreman_proxy::puppet_ssl_cert") %>
+:puppet_ssl_key: <%= scope.lookupvar("foreman_proxy::puppet_ssl_key") %>

templates/puppetca_puppet_cert.yml.erb

@@ -0,0 +1,4 @@
+---
+:ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+#:puppetca_use_sudo: true
+#:sudo_command: /usr/bin/sudo