This version is compatible with:
- Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.4.x
- Puppet >= 4.9.0
Choria Discovery Proxy
A basic module to install the Choria Discovery Proxy service and it's cli.
When configuring Choria to use PuppetDB as a discovery source it's required to expose the PuppetDB query interface to all users. This can be a source of potential secrets leak due to the vast amount of data stored in PuppetDB.
This proxy sits in front of PuppetDB and exposes a HTTPS secure REST service that Choria uses to do discovery. This service will only return certnames thus greatly reducing the possibility of sensitive information leaking. You now only have to allow this proxy to communicate with PuppetDB directly.
Additionally it allows named sets to be created that can later be referenced by name in Choria discovery.
By default this module sets up the proxy to listen on
0.0.0.0:8085 for incoming HTTPS requests from clients using HTTPS client certificates signed by the Puppet CA.
This sets it all up working with your PuppetDB on
There are many customizations available, you can specify custom PuppetDB location and ports for example:
tls_port => 9292,
puppetdb_host => "puppetdb.example.net",
See the module source for other options available.
In the above cases the server process will be started, you can install just the client using this:
manage_service => false
Then look at the
discovery_proxy sets --help output to see about maintaining sets.
At present integration with MCollective is not yet released, but eventually to integrate with this service you'd add SRV records like:
_mcollective-discovery._tcp IN SRV 10 0 8085 puppetdb1.example.net.
And then enable use of the proxy by setting
The host and port can also be set using
Further documentation will be written in the main choria docs about this integration.
A created set can be discovered using something like
mco package update foo -I set:bobs_machines where
bobs_machines were made using
discovery_proxy sets create bobs_machines.
This is a early release of the module and the proxy so for now the module embeds the compiled proxy as a binary and will only support Linux distributions using SystemD.