[WIP] Add puppet http api support

manifests/config.pp

@@ -80,6 +80,8 @@
       'puppet_proxy_salt',
       'puppet_proxy_ssh',
       'puppetca_hostname_whitelisting',
+      'puppetca_http_api',
+      'puppetca_puppet_cert',
       'puppetca_token_whitelisting',
     ]:
       module => false,
@@ -113,14 +115,17 @@
     listen_on => $::foreman_proxy::logs_listen_on,
   }
 
-  if $foreman_proxy::puppetca or $foreman_proxy::puppet {
+  if $foreman_proxy::puppet or $foreman_proxy::puppetca {
+    $puppetca_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0
+    $puppetrun_sudo = $foreman_proxy::puppet and $foreman_proxy::puppetrun_provider == 'puppetrun'
+
     if $foreman_proxy::use_sudoersd {
       if $foreman_proxy::manage_sudoersd {
         ensure_resource('file', "${::foreman_proxy::sudoers}.d", {'ensure' => 'directory'})
       }
 
       file { "${::foreman_proxy::sudoers}.d/foreman-proxy":
-        ensure  => file,
+        ensure  => bool2str($puppetrun_sudo or $puppetca_sudo, 'file', 'absent'),
         owner   => 'root',
         group   => 0,
         mode    => '0440',

templates/puppetca.yml.erb

@@ -1,5 +1,11 @@
 ---
-# PuppetCA management
+# Can be true, false, or http/https to enable just one of the protocols
 :enabled: <%= @module_enabled %>
-:ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+
+# valid providers:
+#   - puppetca_hostname_whitelisting (verify CSRs based on a hostname whitelist)
+#   - puppetca_token_whitelisting (verify CSRs based on a token whitelist)
 :use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
+
+# Puppet version used
+:puppet_version: <%= @puppetversion %>

templates/puppetca_http_api.yml.erb

@@ -0,0 +1,8 @@
+---
+# URL of the puppet master itself for API requests.
+:puppet_url: <%= scope.lookupvar("foreman_proxy::puppet_url") %>
+#
+# SSL certificates used to access the CA API.
+:puppet_ssl_ca: <%= scope.lookupvar("foreman_proxy::puppet_ssl_ca") %>
+:puppet_ssl_cert: <%= scope.lookupvar("foreman_proxy::puppet_ssl_cert") %>
+:puppet_ssl_key: <%= scope.lookupvar("foreman_proxy::puppet_ssl_key") %>

templates/puppetca_puppet_cert.yml.erb

@@ -0,0 +1,4 @@
+---
+:ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+#:puppetca_use_sudo: true
+#:sudo_command: /usr/bin/sudo

templates/sudo.erb

@@ -1,7 +1,7 @@
-<% if scope.lookupvar("foreman_proxy::puppetca") -%>
+<% if @puppetca_sudo -%>
 <%= scope.lookupvar("foreman_proxy::user") %> ALL = (root) NOPASSWD : <%= scope.lookupvar("foreman_proxy::puppetca_cmd") %> *
 <% end -%>
-<% if scope.lookupvar("foreman_proxy::puppet") and scope.lookupvar("foreman_proxy::puppetrun_provider") == 'puppetrun' -%>
+<% if @puppetrun_sudo -%>
 <%= scope.lookupvar("foreman_proxy::user") %> ALL = (<%= scope.lookupvar("foreman_proxy::puppet_user") %>) NOPASSWD : <%= scope.lookupvar("foreman_proxy::puppetrun_cmd") %> *
 <% end -%>
 Defaults:<%= scope.lookupvar("foreman_proxy::user") %> !requiretty

templates/sudo_augeas.erb

@@ -2,7 +2,7 @@
   user = scope.lookupvar('foreman_proxy::user')
   index = 0
 -%>
-<% if scope.lookupvar('foreman_proxy::puppetca')
+<% if @puppetca_sudo
   index += 1
 -%>
 set spec[user = '<%= user %>'][<%=index%>]/user <%= user %>
@@ -12,7 +12,7 @@ set spec[user = '<%= user %>'][<%=index%>]/host_group/command/runas_user root
 set spec[user = '<%= user %>'][<%=index%>]/host_group/command/tag NOPASSWD
 rm spec[user = '<%= user %>'][<%=index%>]/host_group/command[position() > 1]<%# delete any other command in the rule %>
 <% end -%>
-<% if scope.lookupvar("foreman_proxy::puppet") and scope.lookupvar("foreman_proxy::puppetrun_provider") == 'puppetrun'
+<% if @puppetca_sudo
   index += 1
 -%>
 set spec[user = '<%= user %>'][<%=index%>]/user <%= user %>