Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.4.x
- Puppet >= 4.9.0
Start using this module
Add this module to your Puppetfile:
mod 'choria-discovery_proxy', '0.1.0'
Choria Discovery Proxy
A basic module to install the Choria Discovery Proxy service and its CLI.
Overview
When configuring Choria to use PuppetDB as a discovery source, the PuppetDB query interface has to be exposed to every Choria user. Given the vast amount of data stored in PuppetDB, this is a potential source of leaked secrets.
This proxy sits in front of PuppetDB and exposes an HTTPS REST service that Choria uses for discovery. The service only ever returns certnames, which greatly reduces the chance of sensitive information leaking; only the proxy itself needs to be allowed to talk to PuppetDB directly.
Additionally it allows named sets to be created that can later be referenced by name in Choria discovery.
Usage
By default this module sets up the proxy to listen on 0.0.0.0:8085 for incoming HTTPS requests and requires clients to present HTTPS client certificates signed by the Puppet CA.

```puppet
class { "choria_discovery_proxy": }
```

This sets everything up against your PuppetDB on puppet:8081.
There are many customizations available; for example you can specify a custom listening port and PuppetDB location:

```puppet
class { "choria_discovery_proxy":
  tls_port      => 9292,
  puppetdb_host => "puppetdb.example.net",
}
```

See the module source for the other options available.
In the above cases the server process will be started. To install just the client, disable service management:

```puppet
class { "choria_discovery_proxy":
  manage_service => false,
}
```

Then look at the `discovery_proxy sets --help` output to see how sets are maintained.
MCollective
At present the MCollective integration is not yet released. Once it is, you will integrate with this service by adding SRV records like:

```
_mcollective-discovery._tcp IN SRV 10 0 8085 puppetdb1.example.net.
```

and then enabling use of the proxy by setting `plugin.choria.discovery_proxy` to `true`.
The host and port can also be set explicitly using `plugin.choria.discovery_host` and `plugin.choria.discovery_port`.
Further documentation will be written in the main choria docs about this integration.
A created set can be discovered using something like `mco package update foo -I set:bobs_machines`, where `bobs_machines` was created using `discovery_proxy sets create bobs_machines`.
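The following is an added illustration, not the proxy's own code or its REST API (which this page does not document), of the two behaviours described above: discovery that only ever returns certnames (Overview) and the `set:NAME` identity form (MCollective section). The inventory is constructed sample data, the `api_token` fact stands in for the kind of secret a direct PuppetDB query would expose, and the filter semantics (AND between filter kinds, OR between identities, `=`, `!=` and `=~` fact operators) are a simplified assumption about MCollective filters.

```python
import re
from typing import Iterable

# Constructed sample inventory (not real PuppetDB output): nodes with their facts
# and classes. "api_token" stands in for data that must never reach a Choria user.
INVENTORY = [
    {"certname": "web1.example.net",
     "facts": {"role": "web", "os": "Debian", "api_token": "s3cr3t-1"},
     "classes": ["Apache", "Base"]},
    {"certname": "web2.example.net",
     "facts": {"role": "web", "os": "Debian", "api_token": "s3cr3t-2"},
     "classes": ["Apache", "Base"]},
    {"certname": "db1.example.net",
     "facts": {"role": "db", "os": "Ubuntu", "api_token": "s3cr3t-3"},
     "classes": ["Postgresql", "Base"]},
]

# Named sets, in the spirit of `discovery_proxy sets create NAME`; kept in memory
# here as an assumption about how such sets are modelled.
SETS: dict[str, set[str]] = {}


def create_set(name: str, certnames: Iterable[str]) -> int:
    """Store a named set and return how many certnames it contains."""
    SETS[name] = set(certnames)
    return len(SETS[name])


def _fact_matches(facts: dict, name: str, op: str, value: str) -> bool:
    """Evaluate one fact filter (assumed operators: =, !=, =~)."""
    actual = str(facts.get(name, ""))
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported fact operator {op!r}")


def _identity_matches(certname: str, identities: list[str]) -> bool:
    """Identity filter: any listed identity matches; 'set:NAME' expands to the set.
    An unknown set name raises KeyError rather than silently matching nothing."""
    for ident in identities:
        if ident.startswith("set:"):
            if certname in SETS[ident[len("set:"):]]:
                return True
        elif ident == certname:
            return True
    return False


def discover(facts=None, classes=None, identities=None) -> list[str]:
    """Return the sorted certnames matching all supplied filters.

    Only certnames ever leave this function: facts and classes are used to
    decide membership but are never copied into the response.
    """
    matches = []
    for node in INVENTORY:
        if facts and not all(_fact_matches(node["facts"], n, o, v) for n, o, v in facts):
            continue
        if classes and not all(c in node["classes"] for c in classes):
            continue
        if identities and not _identity_matches(node["certname"], identities):
            continue
        matches.append(node["certname"])
    return sorted(matches)


def response_is_certnames_only(response: list) -> bool:
    """Check that a discovery response carries nothing but certname strings,
    in particular none of the fact values held in the inventory."""
    fact_values = {str(v) for node in INVENTORY for v in node["facts"].values()}
    return all(isinstance(x, str) and x not in fact_values for x in response)
```

The point of the check at the end is the property that makes the proxy worth deploying: whatever filter a client sends, the only data in the reply is the list of certnames, so a user who can discover nodes cannot use the discovery endpoint to read facts out of PuppetDB.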
Compatibility
This is an early release of the module and the proxy, so for now the module embeds the compiled proxy as a binary and only supports Linux distributions using systemd.
Dependencies
- puppetlabs/stdlib (>= 4.12.0 < 5.0.0)
- camptocamp/systemd (>= 0.3.0 < 1.0.0)