theforeman · ekohl · Feb 25, 2019 · Feb 22, 2019 · Feb 22, 2019 · Feb 19, 2019
diff --git a/README.md b/README.md
@@ -10,14 +10,17 @@ Part of the Foreman installer: <https://github.com/theforeman/foreman-installer>
 
 ## Compatibility
 
-| Module version | Proxy versions | Notes                                           |
-|----------------|----------------|-------------------------------------------------|
-| 10.x           | 1.19 and newer |                                                 |
-| 5.x - 9.x      | 1.16 - 1.20    | See compatibility notes here for 1.16-1.18      |
-| 4.x            | 1.12 - 1.17    | See compatibility notes in its README for 1.15+ |
-| 3.x            | 1.11           |                                                 |
-| 2.x            | 1.5 - 1.10     |                                                 |
-| 1.x            | 1.4 and older  |                                                 |
+| Module version | Proxy versions | Notes                                               |
+|----------------|----------------|-----------------------------------------------------|
+| 11.x           | 1.19 and newer | See compatibility notes in its README for 1.19-1.21 |
+| 10.x           | 1.19 - 1.21    |                                                     |
+| 5.x - 9.x      | 1.16 - 1.20    | See compatibility notes in its README for 1.16-1.18 |
+| 4.x            | 1.12 - 1.17    | See compatibility notes in its README for 1.15+     |
+| 3.x            | 1.11           |                                                     |
+| 2.x            | 1.5 - 1.10     |                                                     |
+| 1.x            | 1.4 and older  |                                                     |
+
+Starting version 1.22 the Puppet CA configuration is split depending on the provider. When using the module with 1.19 - 1.21, set `puppetca_split_configs` to `false`.
 
 ## Examples
 

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -113,14 +113,27 @@
     listen_on => $::foreman_proxy::logs_listen_on,
   }
 
+  if $foreman_proxy::puppetca_split_configs {
+    foreman_proxy::settings_file { [
+        'puppetca_http_api',
+        'puppetca_puppet_cert',
+      ]:
+        module => false,
+    }
+  }
+
   if $foreman_proxy::puppetca or $foreman_proxy::puppet {
+    $puppetca_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0
+    $puppetrun_sudo = $foreman_proxy::puppet and $foreman_proxy::puppetrun_provider == 'puppetrun'
+    $uses_sudo = $puppetrun_sudo or $puppetca_sudo
+
     if $foreman_proxy::use_sudoersd {
-      if $foreman_proxy::manage_sudoersd {
+      if $uses_sudo and $foreman_proxy::manage_sudoersd {
         ensure_resource('file', "${::foreman_proxy::sudoers}.d", {'ensure' => 'directory'})
       }
 
       file { "${::foreman_proxy::sudoers}.d/foreman-proxy":
-        ensure  => file,
+        ensure  => bool2str($uses_sudo, 'file', 'absent'),
         owner   => 'root',
         group   => 0,
         mode    => '0440',

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -301,6 +301,9 @@
 #
 # $dhcp_manage_acls::           Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750.
 #
+# $puppetca_split_configs::     Whether to split the puppetca configs. This is only supported on 1.22+.
+#                               Set to false for older versions.
+#
 # $puppetca_provider::          Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
 #
 # $puppetca_sign_all::          Token-whitelisting only: Whether to sign all CSRs without checking their token
@@ -340,6 +343,7 @@
   Boolean $use_sudoersd = $::foreman_proxy::params::use_sudoersd,
   Boolean $use_sudoers = $::foreman_proxy::params::use_sudoers,
   Boolean $puppetca = $::foreman_proxy::params::puppetca,
+  Boolean $puppetca_split_configs = $::foreman_proxy::params::puppetca_split_configs,
   Foreman_proxy::ListenOn $puppetca_listen_on = $::foreman_proxy::params::puppetca_listen_on,
   Stdlib::Absolutepath $ssldir = $::foreman_proxy::params::ssldir,
   Stdlib::Absolutepath $puppetdir = $::foreman_proxy::params::puppetdir,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -202,6 +202,7 @@
 
   # puppetca settings
   $puppetca              = true
+  $puppetca_split_configs = true
   $puppetca_provider     = 'puppetca_hostname_whitelisting'
   $puppetca_listen_on    = 'https'
   $puppetca_cmd          = "${puppet_cmd} cert"

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "theforeman-foreman_proxy",
-  "version": "10.0.0",
+  "version": "11.0.0",
   "author": "theforeman",
   "summary": "Foreman Smart Proxy configuration",
   "license": "GPL-3.0+",
@@ -79,7 +79,6 @@
     {
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
-        "8",
         "9"
       ]
     },

diff --git a/spec/classes/foreman_proxy__plugin__ansible_spec.rb b/spec/classes/foreman_proxy__plugin__ansible_spec.rb
@@ -2,7 +2,7 @@
 
 describe 'foreman_proxy::plugin::ansible' do
 
-  ['redhat-7-x86_64', 'debian-8-x86_64'].each do |os|
+  ['redhat-7-x86_64', 'debian-9-x86_64'].each do |os|
     context "on #{os}" do
       let :facts do
         on_supported_os[os]

diff --git a/spec/classes/foreman_proxy__spec.rb b/spec/classes/foreman_proxy__spec.rb
@@ -78,24 +78,30 @@
         end
 
         it 'should create configuration files' do
-          [ 'settings.yml', 'settings.d/bmc.yml', 'settings.d/dns.yml',
-            'settings.d/dns_nsupdate.yml', 'settings.d/dns_nsupdate_gss.yml',
-            'settings.d/dns_libvirt.yml', 'settings.d/dhcp.yml', 'settings.d/dhcp_isc.yml',
-            'settings.d/dhcp_libvirt.yml', 'settings.d/logs.yml', 'settings.d/puppet.yml',
-            'settings.d/puppetca.yml', 'settings.d/puppetca_hostname_whitelisting.yml',
-            'settings.d/puppetca_token_whitelisting.yml', 'settings.d/puppet_proxy_customrun.yml',
-            'settings.d/puppet_proxy_legacy.yml', 'settings.d/puppet_proxy_mcollective.yml',
-            'settings.d/puppet_proxy_puppet_api.yml', 'settings.d/puppet_proxy_puppetrun.yml',
-            'settings.d/puppet_proxy_salt.yml', 'settings.d/puppet_proxy_ssh.yml',
-            'settings.d/realm.yml', 'settings.d/templates.yml', 'settings.d/tftp.yml' ].each do |cfile|
-            should contain_file("#{etc_dir}/foreman-proxy/#{cfile}").
-              with({
-                :owner   => 'root',
-                :group   => "#{proxy_user_name}",
-                :mode    => '0640',
-                :require => 'Class[Foreman_proxy::Install]',
-                :notify  => 'Class[Foreman_proxy::Service]',
-              })
+          should contain_file("#{etc_dir}/foreman-proxy/settings.yml")
+            .with_owner('root')
+            .with_group(proxy_user_name)
+            .with_mode('0640')
+            .that_requires('Class[Foreman_proxy::Install]')
+            .that_notifies('Class[Foreman_proxy::Service]')
+
+          [
+            'bmc',
+            'dns', 'dns_libvirt', 'dns_nsupdate', 'dns_nsupdate_gss',
+            'dhcp', 'dhcp_isc', 'dhcp_libvirt',
+            'logs',
+            'puppet', 'puppet_proxy_legacy', 'puppet_proxy_puppet_api',
+            'puppet_proxy_customrun', 'puppet_proxy_mcollective', 'puppet_proxy_puppetrun', 'puppet_proxy_salt', 'puppet_proxy_ssh',
+            'puppetca', 'puppetca_http_api', 'puppetca_puppet_cert',
+            'puppetca_hostname_whitelisting', 'puppetca_token_whitelisting',
+            'realm', 'templates', 'tftp'
+          ].each do |cfile|
+            should contain_file("#{etc_dir}/foreman-proxy/settings.d/#{cfile}.yml")
+              .with_owner('root')
+              .with_group(proxy_user_name)
+              .with_mode('0640')
+              .that_requires('Class[Foreman_proxy::Install]')
+              .that_notifies('Class[Foreman_proxy::Service]')
           end
         end
 
@@ -290,6 +296,23 @@
             '---',
             ':enabled: https',
             ':use_provider: puppetca_hostname_whitelisting',
+            ":puppet_version: #{Puppet.version}",
+          ])
+        end
+
+        it 'should generate correct puppetca_http_api.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_http_api.yml", [
+            '---',
+            ":puppet_url: https://#{facts[:fqdn]}:8140",
+            ":puppet_ssl_ca: #{ssl_dir}/certs/ca.pem",
+            ":puppet_ssl_cert: #{ssl_dir}/certs/#{facts[:fqdn]}.pem",
+            ":puppet_ssl_key: #{ssl_dir}/private_keys/#{facts[:fqdn]}.pem",
+          ])
+        end
+
+        it 'should generate correct puppetca_puppet_cert.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_puppet_cert.yml", [
+            '---',
             ":ssldir: #{ssl_dir}",
           ])
         end
@@ -375,7 +398,7 @@
           ])
         end
 
-        it 'should set up sudo rules' do
+        it 'should set up sudo rules', if: Puppet.version < '6.0' do
           should contain_file("#{etc_dir}/sudoers.d").with_ensure('directory')
 
           should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with({
@@ -391,8 +414,9 @@
           ])
         end
 
-        it "should manage #{etc_dir}/sudoers.d" do
-          should contain_file("#{etc_dir}/sudoers.d").with_ensure('directory')
+        it 'should not set up sudo rules', if: Puppet.version >= '6.0' do
+          should_not contain_file("#{etc_dir}/sudoers.d")
+          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')
         end
 
         it "should not manage puppet group" do
@@ -764,7 +788,7 @@
         end
       end
 
-      context 'when puppetca_cmd set' do
+      context 'when puppetca_cmd set', if: Puppet.version < '6.0' do
         let(:params) { super().merge(puppetca_cmd: 'pup cert') }
 
         it "should set puppetca_cmd" do
@@ -792,7 +816,7 @@
             '---',
             ':enabled: https',
             ':use_provider: puppetca_token_whitelisting',
-            ":ssldir: #{ssl_dir}",
+            ":puppet_version: #{Puppet.version}",
           ])
         end
 
@@ -815,7 +839,7 @@
       end
 
       context 'when puppetrun_provider => puppetrun' do
-        let(:params) { super().merge(puppetrun_provider: 'puppetrun') }
+        let(:params) { super().merge(puppetrun_provider: 'puppetrun', puppetca: false) }
 
         context 'when puppetrun_provider and puppetrun_cmd set' do
           let(:params) do
@@ -827,8 +851,8 @@
           end
 
           it "should set puppetrun_cmd" do
+            should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('file')
             verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
-              "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
               "#{proxy_user_name} ALL = (root) NOPASSWD : mco puppet runonce *",
               "Defaults:#{proxy_user_name} !requiretty",
             ])
@@ -839,8 +863,8 @@
           let(:params) { super().merge(puppet_user: 'some_puppet_user') }
 
           it "should set puppetrun_cmd" do
+            should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('file')
             verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
-              "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
               "#{proxy_user_name} ALL = (some_puppet_user) NOPASSWD : #{puppetrun_command}",
               "Defaults:#{proxy_user_name} !requiretty",
             ])
@@ -850,34 +874,39 @@
 
       context 'when puppetca disabled' do
         let(:params) { super().merge(puppetca: false) }
-
-        it "should not set puppetca" do
-          verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
-            "Defaults:#{proxy_user_name} !requiretty",
-          ])
-        end
+        it { should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent') }
       end
 
       context 'when puppet disabled' do
         let(:params) { super().merge(puppet: false) }
 
-        it "should not set puppetrun" do
+        it "should not set puppetrun", if: Puppet.version < '6.0' do
+          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('file')
           verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
             "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
             "Defaults:#{proxy_user_name} !requiretty",
           ])
         end
+
+        it "should remove sudoers.d", if: Puppet.version >= '6.0' do
+          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')
+        end
       end
 
       context 'when puppet enabled, but not provider puppetrun' do
         let(:params) { super().merge(puppetrun_provider: 'salt') }
 
-        it "should not set puppetrun" do
+        it "should not set puppetrun", if: Puppet.version < '6.0' do
+          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('file')
           verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
             "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
             "Defaults:#{proxy_user_name} !requiretty",
           ])
         end
+
+        it "should remove sudoers.d", if: Puppet.version >= '6.0' do
+          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')
+        end
       end
 
       context 'when puppetca and puppet disabled' do
@@ -903,7 +932,7 @@
           should_not contain_file("#{etc_dir}/sudoers.d/foreman-proxy")
         end
 
-        it "should modify #{etc_dir}/sudoers" do
+        it "should modify #{etc_dir}/sudoers", if: Puppet.version < '6.0' do
           should contain_augeas('sudo-foreman-proxy').with_context("/files#{etc_dir}/sudoers")
 
           changes = catalogue.resource('augeas', 'sudo-foreman-proxy').send(:parameters)[:changes]
@@ -920,6 +949,17 @@
           ])
         end
 
+        it "should modify #{etc_dir}/sudoers", if: Puppet.version >= '6.0' do
+          should contain_augeas('sudo-foreman-proxy').with_context("/files#{etc_dir}/sudoers")
+
+          changes = catalogue.resource('augeas', 'sudo-foreman-proxy').send(:parameters)[:changes]
+          expect(changes.split("\n")).to match_array([
+            "rm spec[user = '#{proxy_user_name}'][position() > 0]",
+            "set Defaults[type = ':#{proxy_user_name}']/type :#{proxy_user_name}",
+            "set Defaults[type = ':#{proxy_user_name}']/requiretty/negate ''",
+          ])
+        end
+
         context 'when use_sudoers => false' do
           let(:params) { super().merge(use_sudoers: false) }
 
@@ -944,7 +984,7 @@
         context 'when puppetrun_provider == puppetrun' do
           let(:params) { super().merge(puppetrun_provider: 'puppetrun') }
 
-          it "should modify #{etc_dir}/sudoers for puppetca and puppetrun" do
+          it "should modify #{etc_dir}/sudoers for puppetca and puppetrun", if: Puppet.version < '6.0' do
             changes = catalogue.resource('augeas', 'sudo-foreman-proxy').send(:parameters)[:changes]
             expect(changes.split("\n")).to match_array([
               "set spec[user = '#{proxy_user_name}'][1]/user #{proxy_user_name}",
@@ -964,6 +1004,21 @@
               "set Defaults[type = ':#{proxy_user_name}']/requiretty/negate ''",
             ])
           end
+
+          it "should modify #{etc_dir}/sudoers for puppetrun", if: Puppet.version >= '6.0' do
+            changes = catalogue.resource('augeas', 'sudo-foreman-proxy').send(:parameters)[:changes]
+            expect(changes.split("\n")).to match_array([
+              "set spec[user = '#{proxy_user_name}'][1]/user #{proxy_user_name}",
+              "set spec[user = '#{proxy_user_name}'][1]/host_group/host ALL",
+              "set spec[user = '#{proxy_user_name}'][1]/host_group/command '#{puppetrun_command}'",
+              "set spec[user = '#{proxy_user_name}'][1]/host_group/command/runas_user root",
+              "set spec[user = '#{proxy_user_name}'][1]/host_group/command/tag NOPASSWD",
+              "rm spec[user = '#{proxy_user_name}'][1]/host_group/command[position() > 1]",
+              "rm spec[user = '#{proxy_user_name}'][position() > 1]",
+              "set Defaults[type = ':#{proxy_user_name}']/type :#{proxy_user_name}",
+              "set Defaults[type = ':#{proxy_user_name}']/requiretty/negate ''",
+            ])
+          end
         end
       end
 

diff --git a/templates/puppetca.yml.erb b/templates/puppetca.yml.erb
@@ -1,5 +1,17 @@
 ---
 # PuppetCA management
+# Can be true, false, or http/https to enable just one of the protocols
 :enabled: <%= @module_enabled %>
+<% unless scope.lookupvar("foreman_proxy::puppetca_split_configs") -%>
 :ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+<% end -%>
+
+# valid providers:
+#   - puppetca_hostname_whitelisting (verify CSRs based on a hostname whitelist)
+#   - puppetca_token_whitelisting (verify CSRs based on a token whitelist)
 :use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
+<% if scope.lookupvar("foreman_proxy::puppetca_split_configs") -%>
+
+# Puppet version used
+:puppet_version: <%= @puppetversion %>
+<% end -%>
diff --git a/templates/puppetca_http_api.yml.erb b/templates/puppetca_http_api.yml.erb
@@ -0,0 +1,8 @@
+---
+# URL of the puppet master itself for API requests.
+:puppet_url: <%= scope.lookupvar("foreman_proxy::puppet_url") %>
+#
+# SSL certificates used to access the CA API.
+:puppet_ssl_ca: <%= scope.lookupvar("foreman_proxy::puppet_ssl_ca") %>
+:puppet_ssl_cert: <%= scope.lookupvar("foreman_proxy::puppet_ssl_cert") %>
+:puppet_ssl_key: <%= scope.lookupvar("foreman_proxy::puppet_ssl_key") %>
diff --git a/templates/puppetca_puppet_cert.yml.erb b/templates/puppetca_puppet_cert.yml.erb
@@ -0,0 +1,4 @@
+---
+:ssldir: <%= scope.lookupvar("foreman_proxy::ssldir") %>
+#:puppetca_use_sudo: true
+#:sudo_command: /usr/bin/sudo
diff --git a/templates/sudo.erb b/templates/sudo.erb
@@ -1,7 +1,7 @@
-<% if scope.lookupvar("foreman_proxy::puppetca") -%>
+<% if @puppetca_sudo -%>
 <%= scope.lookupvar("foreman_proxy::user") %> ALL = (root) NOPASSWD : <%= scope.lookupvar("foreman_proxy::puppetca_cmd") %> *
 <% end -%>
-<% if scope.lookupvar("foreman_proxy::puppet") and scope.lookupvar("foreman_proxy::puppetrun_provider") == 'puppetrun' -%>
+<% if @puppetrun_sudo -%>
 <%= scope.lookupvar("foreman_proxy::user") %> ALL = (<%= scope.lookupvar("foreman_proxy::puppet_user") %>) NOPASSWD : <%= scope.lookupvar("foreman_proxy::puppetrun_cmd") %> *
 <% end -%>
 Defaults:<%= scope.lookupvar("foreman_proxy::user") %> !requiretty