diff --git a/.fixtures.yml b/.fixtures.yml index d4574a77..3e6b2e74 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,12 +1,8 @@ fixtures: repositories: - augeas_core: - repo: 'https://github.com/puppetlabs/puppetlabs-augeas_core' - puppet_version: '>= 6.0.0' + augeas_core: 'https://github.com/puppetlabs/puppetlabs-augeas_core' concat: 'https://github.com/puppetlabs/puppetlabs-concat.git' - cron_core: - repo: 'https://github.com/puppetlabs/puppetlabs-cron_core' - puppet_version: '>= 6.0.0' + cron_core: 'https://github.com/puppetlabs/puppetlabs-cron_core' extlib: 'https://github.com/voxpupuli/puppet-extlib.git' git: 'https://github.com/theforeman/puppet-git.git' inifile: 'https://github.com/puppetlabs/puppetlabs-inifile.git' diff --git a/README.md b/README.md index b79fae09..9b3137ef 100644 --- a/README.md +++ b/README.md 
@@ -7,26 +7,15 @@ Installs and configures the Puppet agent and optionally a Puppet server (when `server` is true). Part of the [Foreman installer](https://github.com/theforeman/foreman-installer) or to be used as a Puppet module. -When using Puppet Server (version 5.3.6 is the lowest version, this module supports), -the module supports and assumes you will be installing the latest version. -If you know you'll be installing an earlier or specific version, you will -need to override `server_puppetserver_version`. More information in the Puppet -Server section below. - Many puppet.conf options for agents, servers and other are parameterized, with class documentation provided at the top of the manifests. In addition, there are hash parameters for each configuration section that can be used to supply any options that are not explicitly supported. -## Upgrading from Puppetserver 6 to 7 - -Puppetserver 7 moves the CA files from ssldir to its own. To move the existing -files, `puppetserver ca migrate` can be used but this requires the puppetserver -to be stopped. The module does run this command if needed, but doesn't stop the -service so the application will fail. +## Compatibility -It is recommended to run this command directly after updating the packages. It -leaves a symlink so the old config should continue to work. +See the module metadata for supported operating systems and compatible Puppet +versions. The Puppetserver version should also match this. ## Environments support @@ -178,14 +167,6 @@ class { '::puppet': } ``` -## Puppet Server configuration - -Puppet Server requires slightly different configuration between different -versions, which this module supports. It's recommended that you set the -`server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version -you have installed. By default the module will configure for the latest -version available. - # Contributing * Fork the project 
diff --git a/manifests/config.pp b/manifests/config.pp index d86b459c..e10d1c20 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -4,7 +4,6 @@ # lint:ignore:parameter_types $allow_any_crl_auth = $puppet::allow_any_crl_auth, $auth_allowed = $puppet::auth_allowed, - $auth_template = $puppet::auth_template, $ca_server = $puppet::ca_server, $ca_port = $puppet::ca_port, $dns_alt_names = $puppet::dns_alt_names, @@ -101,15 +100,4 @@ } } } - - if versioncmp($facts['puppetversion'], '7.0.0') >= 0 { - file { "${puppet_dir}/auth.conf": - ensure => absent, - } - } else { - file { "${puppet_dir}/auth.conf": - ensure => file, - content => template($auth_template), - } - } } diff --git a/manifests/init.pp b/manifests/init.pp index b222cc59..40d09e10 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -152,8 +152,6 @@ # Windows and ['systemd.timer'] on other # systems. # -# $auth_template:: Use a custom template for /etc/puppetlabs/puppet/auth.conf -# # $pluginsource:: URL to retrieve Puppet plugins from during pluginsync # # $pluginfactsource:: URL to retrieve Puppet facts from during pluginsync @@ -406,7 +404,6 @@ # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $server_ruby_load_paths:: List of ruby paths -# Defaults based on $::puppetversion # # $server_ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint @@ -425,10 +422,6 @@ # $server_ca_client_self_delete:: Adds a rule to auth.conf, that allows a client to delete its own certificate # Defaults to false # -# $server_use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? -# Defaults to false (the puppetserver will use its own conf.d/auth.conf) -# Note that Puppetserver 7 has dropped this option. -# # $server_check_for_updates:: Should the puppetserver phone home to check for available updates? # Defaults to true # 
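Review bot: Dropping the `ensure => absent` branch in the second manifests/config.pp hunk means `${puppet_dir}/auth.conf` is no longer managed at all, so a host that this module configured under Puppet 6 keeps its old, now-meaningless file on disk after upgrading to this module version. Keeping `file { "${puppet_dir}/auth.conf": ensure => absent, }` without the `versioncmp` guard for at least one release would clean that up. The `$allow_any_crl_auth` and `$auth_allowed` parameters left as context in the first hunk were consumed by the deleted templates/auth.conf.erb (`<%= @auth_allowed.join(', ') %>`, `<% if @allow_any_crl_auth -%>`); if that was their only consumer they are now dead in this class, though uses outside the hunks cannot be ruled out from here. The enclosing class body continues outside both hunks.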
@@ -448,16 +441,13 @@ # Defaults to 30000, using the Jetty default of 30s # # $server_puppetserver_metrics:: Enable puppetserver http-client metrics -# Defaults to true, matching defaults in Puppetserver 5+. # # $server_puppetserver_profiler:: Enable JRuby profiling. -# Defaults to true, matching defaults in Puppetserver 5+. # If set to false, compiler and function metrics will not be available, (eg. when enabling graphite metrics) # # $server_puppetserver_telemetry:: Enable Dropsonde telemetry. # Undef means disabled while booleans are explicit opt-in or opt-out. # This is different from Puppetserver's default values. -# Only valid since Puppetserver 7. # # $server_metrics_jmx_enable:: Enable or disable JMX metrics reporter. Defaults to true # @@ -571,7 +561,7 @@ # # class {'puppet': # agent_noop => true, -# version => '6.15.0-1', +# version => '7.24.0-1', # } # class puppet ( @@ -630,7 +620,6 @@ String $classfile = $puppet::params::classfile, String $hiera_config = $puppet::params::hiera_config, String $localconfig = $puppet::params::localconfig, - String $auth_template = $puppet::params::auth_template, Boolean $allow_any_crl_auth = $puppet::params::allow_any_crl_auth, Array[String] $auth_allowed = $puppet::params::auth_allowed, Variant[String, Array[String]] $client_package = $puppet::params::client_package, @@ -723,7 +712,6 @@ Integer[0] $server_max_queued_requests = $puppet::params::server_max_queued_requests, Integer[0] $server_max_retry_delay = $puppet::params::server_max_retry_delay, Boolean $server_multithreaded = $puppet::params::server_multithreaded, - Boolean $server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf, Boolean $server_check_for_updates = $puppet::params::server_check_for_updates, Boolean $server_environment_class_cache_enabled = $puppet::params::server_environment_class_cache_enabled, Boolean $server_allow_header_cert_info = $puppet::params::server_allow_header_cert_info, 
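Review bot: The lines removed from the `$server_puppetserver_metrics` and `$server_puppetserver_profiler` entries in manifests/init.pp carried the parameter's default as well as the Puppetserver 5 reference, so those two entries are now the only ones in this block with no stated default (compare `$server_metrics_jmx_enable ... Defaults to true` a few lines below). If the values in params.pp are still true, keep a `#   Defaults to true` line under each so the doc block stays consistent with its siblings. The same hunk's `$server_puppetserver_telemetry` entry reads fine once the version line is gone. The doc comment block continues outside the hunk.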
diff --git a/manifests/params.pp b/manifests/params.pp index 99e13535..d3f06294 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -189,9 +189,6 @@ $package_source = undef $package_install_options = undef - # Need your own config templates? Specify here: - $auth_template = 'puppet/auth.conf.erb' - # Allow any to the CRL. Needed in case of puppet CA proxy $allow_any_crl_auth = false @@ -399,9 +396,6 @@ $server_puppetserver_version = undef - # Which auth.conf shall we use? - $server_use_legacy_auth_conf = false - # Puppetserver metrics shipping $server_metrics_jmx_enable = true $server_metrics_graphite_enable = false diff --git a/manifests/server.pp b/manifests/server.pp index a5eb0818..70c15332 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -229,7 +229,6 @@ # 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ] # # $ruby_load_paths:: List of ruby paths -# Defaults based on $::puppetversion # # $ca_client_whitelist:: The whitelist of client certificates that # can query the certificate-status endpoint @@ -248,10 +247,6 @@ # $ca_client_self_delete:: Adds a rule to auth.conf, that allows a client to self delete its own certificate # Defaults to false # -# $use_legacy_auth_conf:: Should the puppetserver use the legacy puppet auth.conf? -# Defaults to false (the puppetserver will use its own conf.d/auth.conf) -# Note that Puppetserver 7 has dropped support for this. -# # $check_for_updates:: Should the puppetserver phone home to check for available updates? # # $environment_class_cache_enabled:: Enable environment class cache in conjunction with the use of the 
@@ -430,7 +425,6 @@ Integer[0] $max_queued_requests = $puppet::server_max_queued_requests, Integer[0] $max_retry_delay = $puppet::server_max_retry_delay, Boolean $multithreaded = $puppet::server_multithreaded, - Boolean $use_legacy_auth_conf = $puppet::server_use_legacy_auth_conf, Boolean $check_for_updates = $puppet::server_check_for_updates, Boolean $environment_class_cache_enabled = $puppet::server_environment_class_cache_enabled, Boolean $allow_header_cert_info = $puppet::server_allow_header_cert_info, @@ -462,21 +456,7 @@ Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content, Array[String[1]] $jolokia_metrics_whitelist = $puppet::server_jolokia_metrics_whitelist, ) { - # For Puppetserver, certain configuration parameters are version specific. We - # assume a particular version here. - if $puppetserver_version { - $real_puppetserver_version = $puppetserver_version - } elsif versioncmp($facts['puppetversion'], '7.0.0') >= 0 { - $real_puppetserver_version = '7.0.0' - } else { - $real_puppetserver_version = '6.15.0' - } - - if versioncmp($real_puppetserver_version, '7.0.0') >= 0 { - $cadir = "${puppetserver_dir}/ca" - } else { - $cadir = "${ssl_dir}/ca" - } + $cadir = "${puppetserver_dir}/ca" if $ca { $ssl_ca_cert = "${cadir}/ca_crt.pem" @@ -493,12 +473,6 @@ $ssl_cert = "${ssl_dir}/certs/${certname}.pem" $ssl_cert_key = "${ssl_dir}/private_keys/${certname}.pem" - if versioncmp($real_puppetserver_version, '7.0.0') >= 0 { - if $use_legacy_auth_conf { - fail('The jruby-puppet.use-legacy-auth-conf setting is removed in Puppetserver 7') - } - } - if $jvm_extra_args { $real_jvm_extra_args = $jvm_extra_args } else { diff --git a/manifests/server/config.pp b/manifests/server/config.pp index a484ec83..ab9b335c 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
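Review bot: With the `$real_puppetserver_version` block removed from manifests/server.pp, `$puppetserver_version` has no remaining consumer visible in this diff, yet it stays a parameter of this class, `$server_puppetserver_version = undef` stays in params.pp (context line in the params.pp hunk above) and the init.pp hunks do not touch it either, so a user who sets it now gets a silently ignored value. Either remove the parameter from server.pp, init.pp and params.pp in this commit, or keep it and emit a deprecation warning so the no-op is visible. The unconditional `$cadir = "${puppetserver_dir}/ca"` also fixes `$ssl_ca_cert` and the other CA paths to the Puppetserver 7 location regardless of where the CA actually lives on an upgraded host, which matters because nothing in the module moves the old `${ssl_dir}/ca` directory any more. The class `puppet::server` starts and ends outside this hunk.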
@@ -164,19 +164,6 @@ Exec['puppet_server_config-create_ssl_dir'], ], } - - # In Puppet 7 the cadir was changed from $ssldir/ca to $puppetserver_dir/ca - # This migrates the directory if it was in the old location - # The migration command leaves a symlink in place - if versioncmp($puppet::server::real_puppetserver_version, '7.0') > 0 { - exec { 'migrate Puppetserver cadir': - command => "${puppet::puppetserver_cmd} ca migrate", - creates => $puppet::server::cadir, - onlyif => "test -d '${puppet::server::ssl_dir}/ca' && ! test -L '${puppet::server::ssl_dir}'", - path => $facts['path'], - before => Exec['puppet_server_config-generate_ca_cert'], - } - } } elsif $puppet::server::ca_crl_sync { # If not a ca AND sync the crl from the ca server if $server_facts['servername'] { diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index 3a63b920..3521c7f9 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp @@ -113,8 +113,6 @@ Boolean $server_ca_client_self_delete = $puppet::server::ca_client_self_delete, Array[String] $server_ca_client_whitelist = $puppet::server::ca_client_whitelist, Array[String] $server_admin_api_whitelist = $puppet::server::admin_api_whitelist, - String[1] $server_puppetserver_version = $puppet::server::real_puppetserver_version, - Boolean $server_use_legacy_auth_conf = $puppet::server::use_legacy_auth_conf, Boolean $server_check_for_updates = $puppet::server::check_for_updates, Boolean $server_environment_class_cache_enabled = $puppet::server::environment_class_cache_enabled, Optional[Boolean] $server_metrics = $puppet::server::puppetserver_metrics, @@ -149,10 +147,6 @@ ) { include puppet::server - if versioncmp($server_puppetserver_version, '6.15.0') < 0 { - fail('puppetserver <6.15.0 is not supported by this module version') - } - $puppetserver_package = pick($puppet::server::package, 'puppetserver') $jvm_heap_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}"] 
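Review bot: Removing the `migrate Puppetserver cadir` exec from manifests/server/config.pp leaves no path for a server whose CA still lives in `${puppet::server::ssl_dir}/ca`, i.e. any host that ran Puppetserver 6 under a previous module version and has not been migrated yet. The module now hard-codes `$cadir` to `${puppetserver_dir}/ca` and `puppet_server_config-generate_ca_cert` is keyed on `creates => "${cadir}/ca_crt.pem"` per the spec change, so on such a host that exec finds nothing at the new location and runs `puppetserver ca setup`; whether that command refuses to proceed while a CA exists in the old directory is not visible here, and if it does not, the server ends up with a fresh CA that no existing agent trusts. Keeping the exec (with only the `versioncmp` wrapper dropped) for at least one release, or failing the catalog when the old directory exists without the symlink, would make the upgrade safe. The README hunk also deletes the "Upgrading from Puppetserver 6 to 7" section that told operators to run `puppetserver ca migrate` by hand, so at minimum that guidance should survive somewhere. The enclosing `if $puppet::server::ca` branch starts outside the hunk.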
diff --git a/metadata.json b/metadata.json index d1a36063..92f35343 100644 --- a/metadata.json +++ b/metadata.json @@ -35,7 +35,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 6.15.0 < 8.0.0" + "version_requirement": ">= 7.0.0 < 8.0.0" } ], "operatingsystem_support": [ diff --git a/spec/acceptance/puppetserver_upgrade_spec.rb b/spec/acceptance/puppetserver_upgrade_spec.rb index 78cb10c8..d8d1e862 100644 --- a/spec/acceptance/puppetserver_upgrade_spec.rb +++ b/spec/acceptance/puppetserver_upgrade_spec.rb @@ -17,19 +17,12 @@ when 'puppet7' from_version = '7.0.0' to_version = '7.2.0' - when 'puppet6' - from_version = '6.7.0' - to_version = '6.7.2' else raise 'Unsupported Puppet collection' end case fact('osfamily') when 'Debian' - if ENV['BEAKER_PUPPET_COLLECTION'] == 'puppet6' - # Facter 3 needs lsb-release for the os.distro.codename fact - on default, puppet('resource package lsb-release ensure=installed') - end from_version_exact = "#{from_version}-1#{fact('os.distro.codename')}" to_version_exact = "#{to_version}-1#{fact('os.distro.codename')}" else diff --git a/spec/classes/puppet_config_spec.rb b/spec/classes/puppet_config_spec.rb index f3d3a0b4..d7f43ddc 100644 --- a/spec/classes/puppet_config_spec.rb +++ b/spec/classes/puppet_config_spec.rb 
@@ -59,33 +59,6 @@ it { is_expected.to contain_puppet__config__main('hostprivkey').with_value('$privatekeydir/$certname.pem { mode = 640 }') } it { is_expected.to contain_puppet__config__main('show_diff').with_value('false') } it { is_expected.to contain_puppet__config__main('server').with_value(facts[:networking]['fqdn']) } - - context 'puppet < 7', if: os_facts[:puppetversion].to_i < 7 do - it { is_expected.to contain_file("#{confdir}/auth.conf").with_ensure('file').with_content(%r{/puppet/v3/}) } - it { is_expected.not_to contain_file("#{confdir}/auth.conf").with_content(%r{^path /certificate_revocation_list/ca\nmethod find$}) } - end - - context 'puppet >= 7', if: os_facts[:puppetversion].to_i >= 7 do - it { is_expected.to contain_file("#{confdir}/auth.conf").with_ensure('absent') } - end - end - - context 'auth.conf parameters', if: os_facts[:puppetversion].to_i < 7 do - describe 'with allow_any_crl_auth' do - let :params do - super().merge(allow_any_crl_auth: true) - end - - it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(%r{^path /puppet-ca/v1/certificate_revocation_list/ca\nauth any$}) } - end - - describe 'with auth_allowed' do - let :params do - super().merge(auth_allowed: ['$1', 'puppetproxy']) - end - - it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(/^allow \$1, puppetproxy$/) } - end end describe "when dns_alt_names => ['foo','bar']" do diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb index f26deab4..916c0ea8 100644 --- a/spec/classes/puppet_server_puppetserver_spec.rb +++ b/spec/classes/puppet_server_puppetserver_spec.rb @@ -22,8 +22,6 @@ server_jvm_extra_args: '', server_max_active_instances: 2, server_puppetserver_dir: '/etc/custom/puppetserver', - # Keep this to the minimally supported version - server_puppetserver_version: '6.15.0', } end 
@@ -141,34 +139,6 @@ end end - describe 'use-legacy-auth-conf' do - context 'when server_puppetserver_version >= 6.15.0 and < 7.0.0' do - context 'with default parameters' do - it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: false$/) } - end - - context 'when use-legacy-auth-conf = true' do - let(:params) { super().merge(server_use_legacy_auth_conf: true) } - - it { should contain_file(puppetserver_conf).with_content(/^ use-legacy-auth-conf: true$/) } - end - end - - context 'when server_puppetserver_version == 7.0.0' do - let(:params) { super().merge(server_puppetserver_version: '7.0.0') } - - context 'with default parameters' do - it { should contain_file(puppetserver_conf).without_content(/use-legacy-auth-conf/) } - end - - context 'when use-legacy-auth-conf = true' do - let(:params) { super().merge(server_use_legacy_auth_conf: true) } - - it { should compile.and_raise_error(/jruby-puppet.use-legacy-auth-conf setting is removed/) } - end - end - end - describe 'environment-class-cache-enabled' do context 'with default parameters' do it { should contain_file(puppetserver_conf).with_content(/^ environment-class-cache-enabled: false$/) } 
@@ -305,34 +275,27 @@ end describe 'server_telemetry' do - context 'when server_puppetserver_version == 7.0.0' do - let(:params) { super().merge(server_puppetserver_version: '7.0.0') } - context 'with default parameters' do - it { - should contain_file(puppetserver_conf) - .with_content(/^dropsonde: \{\n # enable or disable telemetry\n enabled: false/) - } - end - - context 'when server_telemetry => true' do - let(:params) { super().merge(server_puppetserver_telemetry: true) } - it { - should contain_file(puppetserver_conf) - .with_content(/^dropsonde: \{\n # enable or disable telemetry\n enabled: true/) - } - end + context 'with default parameters' do + it { + should contain_file(puppetserver_conf) + .with_content(/^dropsonde: \{\n # enable or disable telemetry\n enabled: false/) + } + end - context 'when server_telemetry => false' do - let(:params) { super().merge(server_puppetserver_telemetry: false) } - it { - should contain_file(puppetserver_conf) - .with_content(/^dropsonde: \{\n # enable or disable telemetry\n enabled: false/) - } - end + context 'when server_telemetry => true' do + let(:params) { super().merge(server_puppetserver_telemetry: true) } + it { + should contain_file(puppetserver_conf) + .with_content(/^dropsonde: \{\n # enable or disable telemetry\n enabled: true/) + } end - context 'when server_puppetserver_version >= 6.15.0 and < 7.0.0' do - it { should contain_file(puppetserver_conf).without_content(/^dropsonde: \{/) } + context 'when server_telemetry => false' do + let(:params) { super().merge(server_puppetserver_telemetry: false) } + it { + should contain_file(puppetserver_conf) + .with_content(/^dropsonde: \{\n # enable or disable telemetry\n enabled: false/) + } end end 
@@ -559,11 +522,6 @@ end end - describe 'when server_puppetserver_version < 6.15.0' do - let(:params) { super().merge(server_puppetserver_version: '5.3.5') } - it { should compile.and_raise_error(/puppetserver <6\.15\.0 is not supported by this module version/) } - end - describe 'allow jetty specific server threads' do context 'with thread config' do let(:params) do diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb index eb8ed15f..e8193cb3 100644 --- a/spec/classes/puppet_server_spec.rb +++ b/spec/classes/puppet_server_spec.rb @@ -16,11 +16,7 @@ vardir = '/var/puppet' rubydir = %r{^/usr/local/lib/ruby/site_ruby/\d+\.\d+/puppet$} puppetserver_pkg = "puppetserver#{facts[:puppetversion].to_i}" - puppetcacmd = if facts[:puppetversion] >= '6.0' - '/usr/local/bin/puppetserver ca setup' - else - '/usr/local/bin/puppet cert --generate puppetserver.example.com --allow-dns-alt-names' - end + puppetcacmd = '/usr/local/bin/puppetserver ca setup' else codedir = '/etc/puppetlabs/code' confdir = '/etc/puppetlabs/puppet' @@ -34,21 +30,12 @@ vardir = '/opt/puppetlabs/puppet/cache' rubydir = '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet' puppetserver_pkg = 'puppetserver' - puppetcacmd = if facts[:puppetversion] >= '6.0' - '/opt/puppetlabs/bin/puppetserver ca setup' - else - '/opt/puppetlabs/bin/puppet cert --generate puppetserver.example.com --allow-dns-alt-names' - end + puppetcacmd = '/opt/puppetlabs/bin/puppetserver ca setup' end conf_file = "#{confdir}/puppet.conf" conf_d_dir = "#{puppetserver_etcdir}/conf.d" environments_dir = "#{codedir}/environments" - cadir = facts[:puppetversion] >= '7.0' ? "#{puppetserver_etcdir}/ca" : "#{ssldir}/ca" - if facts[:puppetversion] >= '6.0' - cert_to_create = "#{cadir}/ca_crt.pem" - else - cert_to_create = "#{ssldir}/certs/puppetserver.example.com.pem" - end + cadir = "#{puppetserver_etcdir}/ca" let(:facts) { facts } 
@@ -111,7 +98,7 @@ .with_umask('0022') should contain_exec('puppet_server_config-generate_ca_cert') \ - .with_creates(cert_to_create) \ + .with_creates("#{cadir}/ca_crt.pem") \ .with_command(puppetcacmd) \ .with_umask('0022') \ .that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]']) diff --git a/spec/support/acceptance/puppetserver.rb b/spec/support/acceptance/puppetserver.rb index 6d333d69..6bcf3b12 100644 --- a/spec/support/acceptance/puppetserver.rb +++ b/spec/support/acceptance/puppetserver.rb @@ -6,7 +6,5 @@ def unsupported_puppetserver true when 'Debian' host_inventory['facter']['os']['release']['major'] == '11' - when 'Ubuntu' - ENV['BEAKER_PUPPET_COLLECTION'] == 'puppet6' && host_inventory['facter']['os']['release']['major'] == '20.04' end end diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb deleted file mode 100644 index 9b29c964..00000000 --- a/templates/auth.conf.erb +++ /dev/null 
@@ -1,156 +0,0 @@ -# -# Managed by Puppet -# -# This is the default auth.conf file, which implements the default rules -# used by the puppet server. (That is, the rules below will still apply -# even if this file is deleted.) -# -# The ACLs are evaluated in top-down order. More specific stanzas should -# be towards the top of the file and more general ones at the bottom; -# otherwise, the general rules may "steal" requests that should be -# governed by the specific rules. -# -# See https://puppet.com/docs/puppet/latest/config_file_auth.html -# for a more complete description of auth.conf's behavior. -# -# Supported syntax: -# Each stanza in auth.conf starts with a path to match, followed -# by optional modifiers, and finally, a series of allow or deny -# directives. -# -# Example Stanza -# --------------------------------- -# path /path/to/resource # simple prefix match -# # path ~ regex # alternately, regex match -# [environment envlist] -# [method methodlist] -# [auth[enthicated] {yes|no|on|off|any}] -# allow [host|backreference|*|regex] -# deny [host|backreference|*|regex] -# allow_ip [ip|cidr|ip_wildcard|*] -# deny_ip [ip|cidr|ip_wildcard|*] -# -# The path match can either be a simple prefix match or a regular -# expression. `path /file` would match both `/file_metadata` and -# `/file_content`. Regex matches allow the use of backreferences -# in the allow/deny directives. -# -# The regex syntax is the same as for Ruby regex, and captures backreferences -# for use in the `allow` and `deny` lines of that stanza -# -# Examples: -# -# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. -# allow * # Allow all authenticated nodes (since auth -# # defaults to `yes`). -# -# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by -# allow $1 # certname), but not any other node's catalog. 
-# -# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to -# auth yes # access the "extra_files" -# allow /^(.+)\.example\.com$/ # mount point; note this must -# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, -# # since it is more specific. -# -# environment:: restrict an ACL to a comma-separated list of environments -# method:: restrict an ACL to a comma-separated list of HTTP methods -# auth:: restrict an ACL to an authenticated or unauthenticated request -# the default when unspecified is to restrict the ACL to authenticated requests -# (ie exactly as if auth yes was present). -# - -# CONTROLLING FILE ACCESS (previously in fileserver.conf) - -# In previous versions of Puppet, you controlled file access by adding -# rules to fileserver.conf. In Puppet 5 with Puppet Server, you can control -# file access in auth.conf by controlling the /file_metadata(s)/, -# /file_content(s)/, and /static_file_content/ paths. See the -# Puppet Server documentation at -# https://puppet.com/docs/puppetserver/latest/config_file_auth.html. -# -# If you are not using Puppet Server, or are using Puppet Server but with the -# "jruby-puppet.use-legacy-auth-conf" setting set to "true", you could set the -# desired file access in a new rule in this file. For example: -# -# path ~ ^/file_(metadata|content)s?/extra_files/ -# auth yes -# allow /^(.+)\.example\.com$/ -# allow_ip 192.168.100.0/24 -# -# If added to auth.conf BEFORE the default "path /file" rule, this rule -# will add stricter restrictions to the extra_files mount point. 
- -### Authenticated ACLs - these rules apply only when the client -### has a valid certificate and is thus authenticated - -path /puppet/v3/environments -method find -allow * - -# allow nodes to retrieve their own catalog -path ~ ^/puppet/v3/catalog/([^/]+)$ -method find -allow <%= @auth_allowed.join(', ') %> - -# allow nodes to retrieve their own node definition -path ~ ^/puppet/v3/node/([^/]+)$ -method find -allow <%= @auth_allowed.join(', ') %> - -# allow all nodes to store their own reports -path ~ ^/puppet/v3/report/([^/]+)$ -method save -allow <%= @auth_allowed.join(', ') %> - -# allow all nodes to update their own facts -path ~ ^/puppet/v3/facts/([^/]+)$ -method save -allow <%= @auth_allowed.join(', ') %> - -# Allow all nodes to access all file services; this is necessary for -# pluginsync, file serving from modules, and file serving from custom -# mount points (see fileserver.conf). Note that the `/file` prefix matches -# requests to both the file_metadata and file_content paths. See "Examples" -# above if you need more granular access control for custom mount points. -path /puppet/v3/file -allow * - -path /puppet/v3/status -method find -allow * - -# allow all nodes to access the certificates services -path /puppet-ca/v1/certificate_revocation_list/ca -<% if @allow_any_crl_auth -%> -auth any -<% end -%> -method find -allow * - -### Unauthenticated ACLs, for clients without valid certificates; authenticated -### clients can also access these paths, though they rarely need to. 
- -# allow access to the CA certificate; unauthenticated nodes need this -# in order to validate the puppet server's certificate -path /puppet-ca/v1/certificate/ca -auth any -method find -allow * - -# allow nodes to retrieve the certificate they requested earlier -path /puppet-ca/v1/certificate/ -auth any -method find -allow * - -# allow nodes to request a new certificate -path /puppet-ca/v1/certificate_request -auth any -method find, save -allow * - -# deny everything else; this ACL is not strictly necessary, but -# illustrates the default policy. -path / -auth any diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb index c1f03369..5138c8ef 100644 --- a/templates/server/puppetserver/conf.d/auth.conf.erb +++ b/templates/server/puppetserver/conf.d/auth.conf.erb @@ -315,16 +315,6 @@ authorization: { sort-order: 500 name: "puppetlabs facts" }, - { - match-request: { - path: "/puppet/v3/status" - type: path - method: get - } - allow-unauthenticated: true - sort-order: 500 - name: "puppetlabs status" - }, { match-request: { path: "/puppet/v3/static_file_content" diff --git a/templates/server/puppetserver/conf.d/puppetserver.conf.erb b/templates/server/puppetserver/conf.d/puppetserver.conf.erb index 78ed4da4..445f6534 100644 --- a/templates/server/puppetserver/conf.d/puppetserver.conf.erb +++ b/templates/server/puppetserver/conf.d/puppetserver.conf.erb 
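Review bot: Deleting the `puppetlabs status` rule from templates/server/puppetserver/conf.d/auth.conf.erb changes what an unauthenticated GET of `/puppet/v3/status` receives, and nothing in the diff records why. If the reason is that Puppetserver 7 no longer serves that endpoint, a one-line comment where the rule used to be, e.g. `# no rule for /puppet/v3/status: the endpoint was dropped in Puppetserver 7`, or a changelog entry would spare an upgrader the search; if the endpoint does still exist, the removal tightens access and any monitoring that probed it anonymously will start failing, which should be called out. The `authorization: { rules: [ ... ] }` block continues on both sides of the hunk.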
@@ -62,14 +62,6 @@ jruby-puppet: { # (optional) Sets the upper limit for the random sleep set as a Retry-After header on 503 responses returned when max-queued-requests is enabled. max-retry-delay: <%= @server_max_retry_delay %> -<%- if scope.function_versioncmp([@server_puppetserver_version, '7.0']) < 0 -%> - - # (optional) Authorize access to Puppet server endpoints via rules - # specified in the legacy Puppet auth.conf file (if true) or via rules - # specified in the Puppet Server HOCON-formatted auth.conf (if false or not - # specified). - use-legacy-auth-conf: <%= @server_use_legacy_auth_conf %> -<%- end -%> # (optional) enable or disable environment class cache environment-class-cache-enabled: <%= @server_environment_class_cache_enabled %> @@ -139,11 +131,9 @@ profiler: { # enable or disable profiling for the Ruby code; enabled: <%= @server_profiler %> } -<%- if scope.function_versioncmp([@server_puppetserver_version, '7.0']) >= 0 -%> # Settings related to telemetry dropsonde: { # enable or disable telemetry enabled: <%= @server_telemetry %> } -<%- end -%>