cfpuppetserver
Version information
This version is compatible with:
- Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >=4.0.0 <5.0.0
Start using this module
Add this module to your Puppetfile:
mod 'codingfuture-cfpuppetserver', '0.10.2'
cfpuppetserver
Description
This module performs the standard procedure of installing Puppet Server, PuppetDB, PostgreSQL, r10k and librarian-puppet, and makes them work together. It also coexists with the cfsystem and cfnetwork modules.
Environment configuration
The configuration expects you to provide a Hiera version 4 configuration in environments. An example can be taken from codingfuture/puppet-test.
NOTE1: there is a known (now closed) bug in puppet <=4.3.2: please make sure that all Hiera hierarchy files exist, and that otherwise-empty YAML and JSON files contain at least '{}'.
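As an added example (not part of the cfpuppetserver module), the following bash helpers check a Hiera data directory for the condition described in NOTE1: YAML/JSON files that are empty or whitespace-only, which puppet <=4.3.2 cannot load, and repair them by writing '{}'. The directory and file names used are placeholders; which files the hierarchy actually requires depends on your environment's hiera.yaml, so ensure_hiera_file takes the expected path as an argument.

```shell
#!/usr/bin/env bash
# Added example, not part of cfpuppetserver: find and repair Hiera v4 data
# files that are empty or whitespace-only (puppet <=4.3.2 fails on them).
set -u

# Print, one per line, every .yaml/.json file under $1 that has no
# non-whitespace content. Exit 1 if any were found, 0 otherwise.
find_empty_hiera_files() {
    local datadir="$1" found=0 f
    while IFS= read -r -d '' f; do
        # tr strips all whitespace; an empty result means the file is effectively empty
        if [ -z "$(tr -d '[:space:]' < "$f")" ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done < <(find "$datadir" -type f \( -name '*.yaml' -o -name '*.json' \) -print0)
    return "$found"
}

# Replace each effectively empty data file under $1 with '{}' so Hiera parses
# it as an empty hash. Prints the number of files fixed.
fix_empty_hiera_files() {
    local datadir="$1" n=0 f
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf '{}\n' > "$f"
        n=$((n + 1))
    done < <(find_empty_hiera_files "$datadir")
    echo "$n"
}

# Make sure one expected hierarchy file ($1) exists and is non-empty, creating
# it as an empty hash if needed. Prints "created", "fixed" or "ok".
ensure_hiera_file() {
    local f="$1"
    if [ ! -e "$f" ]; then
        mkdir -p "$(dirname "$f")"
        printf '{}\n' > "$f"
        echo created
    elif [ -z "$(tr -d '[:space:]' < "$f")" ]; then
        printf '{}\n' > "$f"
        echo fixed
    else
        echo ok
    fi
}
```

Run find_empty_hiera_files against an environment's hieradata directory before deploying it; a non-zero exit from the check is a good r10k/CI gate, and fix_empty_hiera_files makes the files loadable without changing any data that was actually there.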
VERY IMPORTANT!!!
The module now uses cfdb for out-of-the-box High Availability support. The consequence is that the setup process is quite tricky: some facts and resources must be populated into PuppetDB while PuppetDB is still malfunctioning, until the stack is fully configured. Most likely you will see errors during the conversion process, and both PuppetDB and Puppet Server will stop functioning.
In that case, keep re-applying the previously compiled catalog until Puppet Server is able to compile new catalogs again, using the following commands:
/opt/puppetlabs/bin/puppet apply --catalog /opt/puppetlabs/puppet/cache/client_data/catalog/$(/bin/hostname --fqdn).json
/opt/puppetlabs/bin/puppet agent --test
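The retry loop below is an added example, not a script shipped with the module: it wraps the two commands above so the cached catalog is re-applied after each failed agent run, bounded by a maximum number of attempts instead of being repeated by hand. It relies on `puppet agent --test` implying --detailed-exitcodes (0 or 2 means the run succeeded, 4 or 6 means resources failed); the PUPPET and CATALOG_DIR variables and the optional fqdn argument exist only so the paths can be overridden.

```shell
#!/usr/bin/env bash
# Added example, not part of cfpuppetserver: bounded recovery loop for the
# "re-apply the cached catalog until the agent works again" procedure.
set -u

PUPPET="${PUPPET:-/opt/puppetlabs/bin/puppet}"
CATALOG_DIR="${CATALOG_DIR:-/opt/puppetlabs/puppet/cache/client_data/catalog}"

# Path of the last catalog the agent compiled for this node ($1 overrides the fqdn).
cached_catalog_path() {
    local fqdn="${1:-$(hostname --fqdn)}"
    printf '%s/%s.json\n' "$CATALOG_DIR" "$fqdn"
}

# Run `puppet agent --test` up to $1 times (default 5), for node $2 (default:
# this host). --test implies --detailed-exitcodes: 0 = no changes, 2 = changes
# applied, 4/6 = failures. After each failed run the cached catalog is
# re-applied so the locally managed cfdb/PuppetDB resources keep converging.
# Exit 0 once an agent run succeeds, 1 otherwise.
recover_puppet_stack() {
    local max="${1:-5}" n=1 rc catalog
    catalog=$(cached_catalog_path "${2:-}")
    while [ "$n" -le "$max" ]; do
        rc=0
        "$PUPPET" agent --test || rc=$?
        case "$rc" in
            0|2) echo "agent run succeeded on attempt $n (exit $rc)"; return 0 ;;
        esac
        echo "agent run $n failed (exit $rc); re-applying cached catalog" >&2
        if [ ! -r "$catalog" ]; then
            echo "no cached catalog at $catalog" >&2
            return 1
        fi
        "$PUPPET" apply --catalog "$catalog" || echo "catalog apply failed (exit $?)" >&2
        n=$((n + 1))
    done
    echo "giving up after $max attempts" >&2
    return 1
}
```

The loop stops as soon as the server compiles a catalog again; if it gives up, the stack needs manual attention (check cfpuppetdb.service and cfpuppetserver.service) rather than more blind re-applies.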
Upgrade to puppetserver >= 2.5.0
As there is an incompatible change related to bootstrap.cfg, please use cfpuppetserver < v0.10 for puppetserver < 2.5.
Upgrade procedure:
- Update to cfpuppetserver >= v0.10
- Manually deploy to the current Puppet servers: puppet agent -t
- Puppet Server will fail to restart within 180 seconds
- Upgrade the puppetserver/puppetdb/puppet-agent packages to the latest versions
- Manually restart the services:
  - /bin/systemctl stop cfpuppetdb.service cfpuppetserver.service
  - /bin/systemctl start cfpuppetdb.service cfpuppetserver.service
- Wait for the services to start up, monitoring with netstat -pletn
- Try a Puppet deployment
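Rather than watching netstat -pletn by hand after the restart step, the following added helper (not module code) polls until the expected listeners are back. It assumes PuppetDB on 8081 (the module's $port default) and Puppet Server on 8140, the stock puppetserver port, which this page does not state; adjust PUPPET_PORTS if you changed either. The parsing functions take netstat/ss output on stdin so they can be exercised on captured output as well.

```shell
#!/usr/bin/env bash
# Added example, not part of cfpuppetserver: wait for the Puppet Server and
# PuppetDB TCP listeners after `systemctl start` instead of watching netstat.
set -u

# 8081 is the module's PuppetDB default; 8140 is the stock puppetserver port
# (an assumption, not stated on this page). Space-separated, overridable.
PUPPET_PORTS="${PUPPET_PORTS:-8140 8081}"

# Read `netstat -pletn` or `ss -ltn` output on stdin and print the listening
# TCP ports, one per line, sorted and de-duplicated. In both formats the
# local address is the 4th column (0.0.0.0:8140, :::8081, [::]:8140, *:8081),
# so the port is whatever follows the last ':'.
listening_ports() {
    awk '/LISTEN/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Read the listener list on stdin; print the ports from $1 that are missing
# and exit 1, or exit 0 silently when all of them are up.
missing_ports() {
    local wanted="$1" listening p missing=""
    listening=$(cat)
    for p in $wanted; do
        if ! printf '%s\n' "$listening" | grep -qx -- "$p"; then
            missing="${missing:+$missing }$p"
        fi
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Poll `ss -ltn` every 5 seconds for up to $1 seconds (default 300, longer
# than the 180 s restart timeout noted above). Exit 0 once all ports listen.
wait_for_puppet_ports() {
    local timeout="${1:-300}" waited=0 missing
    while :; do
        if missing=$(ss -ltn 2>/dev/null | listening_ports | missing_ports "$PUPPET_PORTS"); then
            echo "all of [$PUPPET_PORTS] listening after ${waited}s"
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s; still not listening: $missing" >&2
            return 1
        fi
        sleep 5
        waited=$((waited + 5))
    done
}
```

A listening socket only proves the JVM has bound the port; follow it with the "Try a Puppet deployment" step, since Puppet Server can accept connections before it is able to compile catalogs.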
Global Hiera config
Puppet 4 has its own implementation of lookup() which goes through:
- Global Hiera
- Per-environment Data Providers (Hiera, custom function)
- Per-module Data Providers (Hiera, custom function)
You should not use global Hiera any more. All configurations should be set in environments as mentioned above.
Global Hiera config is as follows:
---
:backends:
  - yaml
:hierarchy:
  - global
:yaml:
  # Make sure to use hiera.yaml in environments
  :datadir: "/etc/puppetlabs/code/hieradata"
Adding new Puppet clients
This module also provides a handy tool to initialize new Puppet client hosts:
~# /opt/codingfuture/bin/cf_gen_puppet_client_init
Usage: cf_gen_puppet_client_init <certname> [<cflocation> [<cflocationpool> [<http_proxy>]]
Manual (re-)deployment of Puppet environments
~# /opt/codingfuture/bin/cf_r10k_deploy
Automatic deployment via VCS (git) hook
~# ssh deploypuppet@puppet.example.com sudo /opt/codingfuture/bin/cf_r10k_deploy
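The hook and key options below are an added example, not part of cfpuppetserver. The post-receive script runs the deploy shown above once per push that touches a branch (r10k maps branches to environments), and restricted_authorized_key produces an authorized_keys entry that pins the deploypuppet key to that one command with no PTY or forwarding; the same options can be passed through deployuser_auth_keys. puppet.example.com, the key material and the DEPLOY_SSH override are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of cfpuppetserver: git post-receive hook that
# triggers cf_r10k_deploy over ssh, plus a restricted authorized_keys line
# so the deploy key cannot be used for anything else.
set -u

PUPPET_HOST="${PUPPET_HOST:-puppet.example.com}"   # placeholder
DEPLOY_USER="${DEPLOY_USER:-deploypuppet}"
DEPLOY_CMD="sudo /opt/codingfuture/bin/cf_r10k_deploy"
DEPLOY_SSH="${DEPLOY_SSH:-ssh}"                     # overridable for testing

# Emit an authorized_keys line for the public key in $1 ("type base64 [comment]")
# that forces the deploy command and disables PTY, port, agent and X11
# forwarding. With a forced command sshd ignores whatever the client asks to run.
restricted_authorized_key() {
    local pubkey="$1"
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$DEPLOY_CMD" "$pubkey"
}

# Only branch updates (refs/heads/*) trigger a deploy, since r10k maps
# branches to Puppet environments; tags and notes are ignored.
ref_triggers_deploy() {
    case "$1" in
        refs/heads/*) return 0 ;;
        *) return 1 ;;
    esac
}

# post-receive body: git feeds "<old-sha> <new-sha> <ref>" lines on stdin.
# Prints the environments that changed and runs the deploy once per push.
post_receive() {
    local old new ref deploy=0
    while read -r old new ref; do
        if ref_triggers_deploy "$ref"; then
            printf 'environment %s updated\n' "${ref#refs/heads/}"
            deploy=1
        fi
    done
    if [ "$deploy" -eq 1 ]; then
        "$DEPLOY_SSH" -o BatchMode=yes "${DEPLOY_USER}@${PUPPET_HOST}" "$DEPLOY_CMD"
    fi
}

# When installed as hooks/post-receive in the r10k repository, run the hook.
case "${0##*/}" in post-receive) post_receive ;; esac
```

Pair the forced command with a sudoers rule that lets deploypuppet run only /opt/codingfuture/bin/cf_r10k_deploy; the key restriction limits what the ssh session can do, the sudoers rule limits what it can do as root.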
Setup
Initial Puppet Server infrastructure
Either do it manually (preferred for self-education) or use the bundled setup script:
~# ./setup_puppetserver.sh
Usage: ./setup_puppetserver.sh <r10k_repo_url> [<certname=hostname> [<cflocation> [<cflocationpool> [<http_proxy=$http_proxy>] ] ] ]
Config for Puppet Server node
Please use librarian-puppet to deal with dependencies. If this module is used for the server setup, librarian-puppet is installed automatically.
There is a known r10k issue, RK-3, which prevents automatic installation of dependencies of dependencies.
Examples
Please check codingfuture/puppet-test for an example of a complete infrastructure configuration and Vagrant provisioning.
cfpuppetserver class
- deployuser = 'deploypuppet' - user name of the auto-deploy user for the VCS hook
- deployuser_auth_keys = undef - list of ssh_authorized_key configurations
- repo_url = undef - repository location in URI format (e.g. ssh://user@host/repo or file:///some/path)
- puppetserver = true - if true then assume Puppet Server lives on this host (affects firewall)
- puppetdb = true - if true then assume PuppetDB lives on this host (affects firewall)
- postgresql = true - if true then PostgreSQL is set up on this node
- iface = 'any' - cfnetwork::iface name to listen on for incoming client connections
- cluster = 'cfpuppet' - cfdb cluster to use
- database = 'puppetdb' - cfdb::database to use in the cluster
- is_cluster = false - goes directly to cfdb::instance
- is_secondary = false - goes directly to cfdb::instance
- allow_update_check = false - open the firewall to connect to updates.puppetlabs.com, if enabled
cfpuppetserver::postgresql class
NOTE: if PostgreSQL is set up through this module then you SHOULD NOT set up other cfdb instances on the same node.
- $settings_tune = {} - goes directly to cfdb::instance
- $port = 5432 - goes directly to cfdb::instance
- $node_id = undef - required if the node ID cannot be retrieved from the hostname in cluster mode
- $password = undef - force a specific password instead of a randomly generated one
- $memory_weight = 200 - goes directly to cfdb::instance
- $memory_max = undef - goes directly to cfdb::instance
- $cpu_weight = 200 - goes directly to cfdb::instance
- $io_weight = 200 - goes directly to cfdb::instance
cfpuppetserver::puppetdb class
- $use_proxy = 'secure' - by default a TLS channel is used for remote PostgreSQL connections. See cfdb::access.
- $port = 8081 - port to use for the PuppetDB instance
- $max_connections = 30 - maximum number of connections per pool (there are two pools)
- $memory_weight = 100 - relative weight for auto-distribution of memory resources
- $memory_max = 256 - max memory in MB
- $cpu_weight = 100 - relative weight for auto-distribution of CPU resources
- $io_weight = 100 - relative weight for auto-distribution of I/O resources
- $cert_whitelist = undef - the CNs from the Puppet PKI to be accepted. If not set:
  - if Puppet Server runs on the same node then [$fqdn]
  - otherwise, all nodes with Puppet Server configured
- $settings_tune = {} - a tree structure of PuppetDB INI settings for fine control
cfpuppetserver::puppetserver class
- $autosign = false - DO NOT use in production. Enables auto-signing of client certificates.
- $global_hiera_config = 'cfpuppetserver/hiera.yaml' - default global Hiera config
- $memory_weight = 100 - relative weight for auto-distribution of memory resources
- $memory_max = undef - max memory in MB
- $cpu_weight = 100 - relative weight for auto-distribution of CPU resources
- $io_weight = 100 - relative weight for auto-distribution of I/O resources
- $activesupport_ver = '4.2.7.1' - version of the activesupport gem to install
Change Log
All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
[0.10.2]
- Removed PuppetDB defaults for node-ttl and node-purge-ttl, as they led to "vanished" nodes in not-so-actively maintained deployments.
0.10.1
- Fixed to install activesupport <5.0
0.10.0
- Updated to the backward-incompatible setup of puppetserver 2.5.0
[0.9.7]
- Migrated to the cfdb module for PostgreSQL provisioning and High Availability setup
- Completely rewritten PuppetDB configuration
- Many parameters changed!
- Security enforcement for PuppetDB access authorization
0.9.6
- Disabled scheduled agent runs for safety purposes
- Added custom puppetserver.conf to mitigate memory leaks with JRuby tuning
0.9.5
- Updated to Puppet 4.5.0
- Enforced strict mode checking
- Minor fixes
- Added $allow_update_check option
- Fixed minor issues in puppet server bootstrap script
- Updated to latest deps
0.9.4
- Updated cfsystem to 0.9.9
- Changed to install all scripts under /opt/codingfuture/bin
- cf_r10k_deploy
- cf_gen_puppet_client_init
0.9.3
- Fixed issues in deploy.sh under some conditions
- Forcibly added Puppet bin folder to PATH
- Fixed deploy.sh created by setup_puppetserver.sh bootstrap script
0.9.2
- Fixed use_srv_records and ca_server puppet setting to depend on correct parameters
- Changed to use primary Puppet host for secondary Puppet servers
- Fixed dependency issues when installing Puppet Server from Puppet itself
0.9.1
- Implemented proper 3-level Global Hiera -> Environment Data Provider -> Module Data Provider configuration lookup instead of pure Hiera-based lookup
- Moved the main Puppet Server setup to the cfsystem module and added support for more parameters from there
- Added checks for minimal configured RAM of each service
- Added advanced PostgreSQL configuration with SSL support based on Puppet's PKI
- Fixed not to reload PuppetServer on configuration change as it leads to aborted deployment run
- Removed installation of deep_merge gem
- Fixed slave Puppet Server provisioning issues
- Added Puppet environments to etckeeper ignore
- Fixed to properly disable CA service on slave Puppet Server
- Updated bootstrap script to be more verbose and support autosigning configuration (for testing)
- Changed to deploy dependencies through librarian-puppet instead of the builtin in r10k
- Updated Puppet client configs to support ca_server
0.9.0
- Changed to use puppetlabs/postgresql and puppetlabs/puppetdb for installation
- Implemented full forceful setup of configuration
- Implemented librarian-puppet based dependency installation instead of the incomplete implementation in r10k. See RK-3.
- No more need to include dependencies of dependencies in the Puppetfile
- Puppetfile.lock is now supported
- Bugfixes for parameter handling
- Bugfix: opened HTTPS port for Puppet Forge
- Added automatic memory limit configuration for installed services
- Changed $puppet_git_host to $repo_url
- Added new configuration variables
0.1.2
- Added hiera.yaml version 4 support
- Added Puppet Server infrastructure initialization script
0.1.1
- No changes (missed merge)
0.1.0
Initial release
Dependencies
- puppetlabs-stdlib (>= 4.12.0)
- codingfuture-cfsystem (>= 0.9.17)
- codingfuture-cfdb (>= 0.9.5)
CodingFuture Infrastructure Automation Project
cfpuppetserver: alternative Puppet Server setup module
Copyright (c) 2016 Andrey Galkin
Contacts:
- support@codingfuture.net
- andvgal@gmail.com
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.