fixes #15132 - support services.d/ configuration in Puppet Server 2.5 (…

…theforeman#402)

PS 2.5 moves CA configuration from bootstrap.cfg to a services.d/ca.cfg
file, separating user config (CA) from app config (e.g. versioned code
service). This is now configured instead of bootstrap.cfg when the
server_puppetserver_version parameter is set to 2.5.

A special version value of 2.4.99 (now the default) configures both the
2.4 and 2.5 files simultaneously, creating both bootstrap.cfg and
services.d/ca.cfg so the module works across both versions, albeit with
logged warnings about duplicate CA definitions. This ensures the module
will still work on the release of 2.5, after which time the parameter
default can be changed to 2.5.0 to remove the duplicate configuration.

README.md

@@ -14,9 +14,10 @@ The Puppet master is configured under Apache and Passenger by default, unless
 to switch to the JVM-based Puppet Server.
 
 When using Puppet Server 2 (version 2.0 was the first version to support Puppet 4),
-the module supports and assumes you will be installing the latest version (currently 2.3.1).
-If you know you'll be installing an earlier version, you will need to override
-`server_puppetserver_version`.
+the module supports and assumes you will be installing the latest version.
+If you know you'll be installing an earlier or specific version, you will
+need to override `server_puppetserver_version`. More information in the Puppet
+Server section below.
 
 Many puppet.conf options for agents, masters and other are parameterized, with
 class documentation provided at the top of the manifests. In addition, there
@@ -161,6 +162,23 @@ host can access all client catalogues and client certificates. **
       server_http_allow    => ['10.20.30.1', 'puppetbalancer.my.corp'],
     }
 
+## Puppet Server configuration
+
+Puppet Server requires slightly different configuration between different
+versions, which this module supports. It's recommended that you set the
+`server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version
+you have installed. By default the module will configure for the latest
+version available.
+
+Currently supported values and configuration behaviours are:
+
+* `2.5.x` - configures the certificate authority in `ca.cfg`
+* `2.4.99` (default) - configures for both 2.4 and 2.5, with `bootstrap.cfg`
+  and `ca.cfg`
+* `2.3.x`, `2.4.x` - configures the certificate authority and
+  versioned-code-service in `bootstrap.cfg`
+* `2.2.x` or lower - configures the certificate authority in `bootstrap.cfg`
+
 # Contributing
 
 * Fork the project

manifests/params.pp

@@ -361,5 +361,5 @@
   $server_use_legacy_auth_conf     = false
 
   # For puppetserver 2, certain configuration parameters are version specific. We assume a particular version here.
-  $server_puppetserver_version     = '2.3.1'
+  $server_puppetserver_version     = '2.4.99'
 }

manifests/server.pp

@@ -510,7 +510,7 @@
     validate_bool($enable_ruby_profiler)
     validate_bool($ca_auth_required)
     validate_bool($use_legacy_auth_conf)
-    validate_re($puppetserver_version, '^[\d]\.[\d]\.[\d]$')
+    validate_re($puppetserver_version, '^[\d]\.[\d]+\.[\d]+$')
   } else {
     if $ip != $puppet::params::ip {
       notify {

manifests/server/puppetserver.pp

@@ -88,38 +88,82 @@
     ],
   }
 
-  $ca_enabled_ensure = $server_ca ? {
-    true    => present,
-    default => absent,
+  if versioncmp($server_puppetserver_version, '2.4.99') == 0 {
+    $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg,${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"
+  } elsif versioncmp($server_puppetserver_version, '2.5') >= 0 {
+    $bootstrap_paths = "${server_puppetserver_dir}/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"
+  } else {  # 2.4
+    $bootstrap_paths = "${server_puppetserver_dir}/bootstrap.cfg"
   }
-
-  $ca_disabled_ensure = $server_ca ? {
-    false   => present,
-    default => absent,
+  augeas { 'puppet::server::puppetserver::bootstrap':
+    lens    => 'Shellvars.lns',
+    incl    => $config,
+    context => "/files${config}",
+    changes => "set BOOTSTRAP_CONFIG '\"${bootstrap_paths}\"'",
   }
 
-  file_line { 'ca_enabled':
-    ensure => $ca_enabled_ensure,
-    path   => "${server_puppetserver_dir}/bootstrap.cfg",
-    line   => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service',
-  }
+  # 2.4.99 configures for both 2.4 and 2.5 making upgrades and new installations easier when the
+  # precise version available isn't known
+  if versioncmp($server_puppetserver_version, '2.4.99') >= 0 {
+    $servicesd = "${server_puppetserver_dir}/services.d"
+    file { $servicesd:
+      ensure => directory,
+    }
+    file { "${servicesd}/ca.cfg":
+      ensure  => file,
+      content => template('puppet/server/puppetserver/services.d/ca.cfg.erb'),
+    }
 
-  file_line { 'ca_disabled':
-    ensure => $ca_disabled_ensure,
-    path   => "${server_puppetserver_dir}/bootstrap.cfg",
-    line   => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service',
+    file { '/opt/puppetlabs/server/apps/puppetserver/config':
+      ensure => directory,
+    }
+    file { '/opt/puppetlabs/server/apps/puppetserver/config/services.d':
+      ensure => directory,
+    }
   }
 
-  if versioncmp($server_puppetserver_version, '2.3') >= 0 {
-    $versioned_code_service_ensure = present
-  } else {
-    $versioned_code_service_ensure = absent
-  }
+  if versioncmp($server_puppetserver_version, '2.5') < 0 {
+    $bootstrapcfg = "${server_puppetserver_dir}/bootstrap.cfg"
+    file { $bootstrapcfg:
+      ensure => file,
+    }
+
+    $ca_enabled_ensure = $server_ca ? {
+      true    => present,
+      default => absent,
+    }
+
+    $ca_disabled_ensure = $server_ca ? {
+      false   => present,
+      default => absent,
+    }
+
+    file_line { 'ca_enabled':
+      ensure  => $ca_enabled_ensure,
+      path    => $bootstrapcfg,
+      line    => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service',
+      require => File[$bootstrapcfg],
+    }
+
+    file_line { 'ca_disabled':
+      ensure  => $ca_disabled_ensure,
+      path    => $bootstrapcfg,
+      line    => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service',
+      require => File[$bootstrapcfg],
+    }
+
+    if versioncmp($server_puppetserver_version, '2.3') >= 0 {
+      $versioned_code_service_ensure = present
+    } else {
+      $versioned_code_service_ensure = absent
+    }
 
-  file_line { 'versioned_code_service':
-    ensure => $versioned_code_service_ensure,
-    path   => "${server_puppetserver_dir}/bootstrap.cfg",
-    line   => 'puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service',
+    file_line { 'versioned_code_service':
+      ensure  => $versioned_code_service_ensure,
+      path    => $bootstrapcfg,
+      line    => 'puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service',
+      require => File[$bootstrapcfg],
+    }
   }
 
   file { "${server_puppetserver_dir}/conf.d/ca.conf":

spec/classes/puppet_server_puppetserver_spec.rb

@@ -41,7 +41,7 @@
                                           'TLS_RSA_WITH_AES_128_CBC_SHA', ],
         :server_max_active_instances => 2,
         :server_ca                   => true,
-        :server_puppetserver_version => '2.3.1',
+        :server_puppetserver_version => '2.4.99',
         :server_use_legacy_auth_conf => false,
       } end
 
@@ -51,15 +51,15 @@
             :server_puppetserver_dir => '/etc/custom/puppetserver',
           })
         end
-        it {
-          should contain_file_line('ca_enabled').
-            with_ensure('present').
-            with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service')
-        }
-        it {
-          should contain_file_line('ca_disabled').
-            with_ensure('absent').
-            with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service')
+        it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
+        it { should contain_file_line('ca_enabled').with_ensure('present') }
+        it { should contain_file_line('ca_disabled'). with_ensure('absent') }
+        it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') }
+        it { should contain_file('/etc/custom/puppetserver/services.d/ca.cfg') }
+        it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') }
+        it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') }
+        it { should contain_augeas('puppet::server::puppetserver::bootstrap').
+                with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg,/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'')
         }
         it { should contain_augeas('puppet::server::puppetserver::jvm').
                 with_changes([
@@ -71,6 +71,7 @@
                 with_lens('Shellvars.lns').
                 with({})
         }
+
         it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf') }
         it { should contain_file('/etc/custom/puppetserver/conf.d/puppetserver.conf') }
         it { should contain_file('/etc/custom/puppetserver/conf.d/web-routes.conf') }
@@ -118,16 +119,29 @@
       end
 
       describe 'versioned-code-service' do
-        context 'when server_puppetserver_version >= 2.3' do
+        context 'when server_puppetserver_version >= 2.5' do
+          let(:params) do
+            default_params.merge({
+                                     :server_puppetserver_version => '2.5.0',
+                                     :server_puppetserver_dir => '/etc/custom/puppetserver',
+                                 })
+          end
+          it { should_not contain_file_line('versioned_code_service') }
+        end
+
+        context 'when server_puppetserver_version >= 2.3 and < 2.5' do
           let(:params) do
             default_params.merge({
+                                     :server_puppetserver_version => '2.3.1',
                                      :server_puppetserver_dir => '/etc/custom/puppetserver',
                                  })
           end
           it 'should have versioned-code-service in bootstrap.cfg' do
             should contain_file_line('versioned_code_service').
                 with_ensure('present').
-                with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service')
+                with_path('/etc/custom/puppetserver/bootstrap.cfg').
+                with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service').
+                that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
           end
         end
 
@@ -141,8 +155,109 @@
           it 'should not have versioned-code-service in bootstrap.cfg' do
             should contain_file_line('versioned_code_service').
                 with_ensure('absent').
-                with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service')
+                with_path('/etc/custom/puppetserver/bootstrap.cfg').
+                with_line('puppetlabs.services.versioned-code-service.versioned-code-service/versioned-code-service').
+                that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
+          end
+        end
+      end
+
+      describe 'bootstrap.cfg' do
+        context 'when server_puppetserver_version >= 2.5' do
+          let(:params) do
+            default_params.merge({
+                                     :server_puppetserver_version => '2.5.0',
+                                     :server_puppetserver_dir => '/etc/custom/puppetserver',
+                                 })
+          end
+          it { should_not contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
+          it { should_not contain_file_line('ca_enabled') }
+          it { should_not contain_file_line('ca_disabled') }
+        end
+
+        context 'when server_puppetserver_version < 2.4.99' do
+          let(:params) do
+            default_params.merge({
+                                     :server_puppetserver_version => '2.4.98',
+                                     :server_puppetserver_dir => '/etc/custom/puppetserver',
+                                 })
+          end
+          it { should contain_file('/etc/custom/puppetserver/bootstrap.cfg') }
+          it {
+            should contain_file_line('ca_enabled').
+              with_ensure('present').
+              with_path('/etc/custom/puppetserver/bootstrap.cfg').
+              with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service').
+              that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
+          }
+          it {
+            should contain_file_line('ca_disabled').
+              with_ensure('absent').
+              with_path('/etc/custom/puppetserver/bootstrap.cfg').
+              with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service').
+              that_requires('File[/etc/custom/puppetserver/bootstrap.cfg]')
+          }
+          it { should contain_augeas('puppet::server::puppetserver::bootstrap').
+                  with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/bootstrap.cfg"\'').
+                  with_context('/files/etc/default/puppetserver').
+                  with_incl('/etc/default/puppetserver').
+                  with_lens('Shellvars.lns').
+                  with({})
+          }
+        end
+      end
+
+      describe 'ca.cfg' do
+        context 'when server_puppetserver_version >= 2.5' do
+          let(:params) do
+            default_params.merge({
+                                     :server_puppetserver_version => '2.5.0',
+                                     :server_puppetserver_dir => '/etc/custom/puppetserver',
+                                 })
+          end
+          it { should contain_file('/etc/custom/puppetserver/services.d').with_ensure('directory') }
+          it {
+            should contain_file('/etc/custom/puppetserver/services.d/ca.cfg').
+              with_content(%r{^puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}).
+              with_content(%r{^#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service})
+          }
+          it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config').with_ensure('directory') }
+          it { should contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d').with_ensure('directory') }
+          it { should contain_augeas('puppet::server::puppetserver::bootstrap').
+                  with_changes('set BOOTSTRAP_CONFIG \'"/etc/custom/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/"\'').
+                  with_context('/files/etc/default/puppetserver').
+                  with_incl('/etc/default/puppetserver').
+                  with_lens('Shellvars.lns').
+                  with({})
+          }
+        end
+
+        context 'when server_puppetserver_version >= 2.5 and server_ca => false' do
+          let(:params) do
+            default_params.merge({
+                                     :server_puppetserver_version => '2.5.0',
+                                     :server_puppetserver_dir => '/etc/custom/puppetserver',
+                                     :server_ca => false,
+                                 })
+          end
+          it {
+            should contain_file('/etc/custom/puppetserver/services.d/ca.cfg').
+              with_content(%r{^#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service}).
+              with_content(%r{^puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service})
+          }
+        end
+
+        context 'when server_puppetserver_version < 2.4.99' do
+          let(:params) do
+            default_params.merge({
+                                     :server_puppetserver_version => '2.4.98',
+                                     :server_puppetserver_dir => '/etc/custom/puppetserver',
+                                 })
           end
+          it { should_not contain_file('/etc/custom/puppetserver/services.d') }
+          it { should_not contain_file('/etc/custom/puppetserver/services.d/ca.cfg') }
+          it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config') }
+          it { should_not contain_file('/opt/puppetlabs/server/apps/puppetserver/config/services.d') }
         end
       end
 

templates/server/puppetserver/services.d/ca.cfg.erb

@@ -0,0 +1,5 @@
+# To enable the CA service, leave the following line uncommented
+<%= '#' unless @server_ca -%>puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
+# To disable the CA service, comment out the above line and uncomment the line below
+<%= '#' if @server_ca -%>puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
+