onceover 3.21.0 → 3.22.0

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/nginx.pp

@@ -0,0 +1,24 @@
+# # Generic Nginx profile
+#
+# Installs nginx base as per the module. To use nging in other profiles just do
+# the following:
+#
+# ```puppet
+# include profile::nginx
+#
+# nginx::resource::server { 'my-server.com':
+#   listen_port => 80,
+#   www_root    => '/var/www',
+# }
+# ```
+#
+class profile::nginx {
+  include ::nginx
+
+  file { 'default_config_file':
+    ensure  => absent,
+    path    => "${nginx::conf_dir}/conf.d/default.conf",
+    require => Class['nginx::config'],
+    notify  => Class['nginx::service'],
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/polar_clock.pp

@@ -0,0 +1,55 @@
+# # Polar Clock
+#
+# Serves a polar clock webpage using nginx.
+#
+# This also exports a resource for the polar_clock listening service in haproxy
+#
+# @param install_dir Where to install the website
+# @param port Which port to run on
+class profile::polar_clock (
+  Stdlib::Absolutepath $install_dir = '/var/clock',
+  Integer              $port        = 8080,
+) {
+  file { $install_dir:
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  file { "${install_dir}/index.html":
+    ensure => file,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+    source => 'puppet:///modules/profile/polar_clock/index.html',
+  }
+
+  include profile::nginx
+
+  nginx::resource::server { $::fqdn:
+    listen_port => $port,
+    www_root    => $install_dir,
+  }
+
+  firewall { '100 allow http':
+    dport  => $port,
+    proto  => tcp,
+    action => accept,
+  }
+
+  # Detect the correct IP based on what virualisation we are using
+  $ip = $facts['virtual'] ? {
+    'virtualbox' => $facts['networking']['interfaces']['enp0s8']['ip'],
+    default      => $facts['networking']['ip'],
+  }
+
+  # Export balancer member in case this load balanced
+  @@haproxy::balancermember { "${facts['fqdn']}-polar_clock":
+    listening_service => 'polar_clock',
+    ports             => $port,
+    server_names      => $facts['fqdn'],
+    ipaddresses       => $ip,
+    options           => 'check',
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/puppetmaster/api_auth.pp

@@ -0,0 +1,82 @@
+#
+class profile::puppetmaster::api_auth {
+  hocon_setting { 'allow unauthenticated environment_classes':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppetserver/conf.d/auth.conf',
+    setting => 'authorization.rules',
+    type    => 'array_element',
+    value   => {
+      'allow-unauthenticated' => true,
+      'match-request'         => {
+        'method'       => 'get',
+        'path'         => '/puppet/v3/environment_classes',
+        'query-params' => {},
+        'type'         => 'path'
+      },
+      'name'                  => 'puppetlabs environment classes allow all',
+      'sort-order'            => 490
+    },
+    notify  => Service['pe-puppetserver'],
+  }
+
+  hocon_setting { 'allow unauthenticated environment-cache':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppetserver/conf.d/auth.conf',
+    setting => 'authorization.rules',
+    type    => 'array_element',
+    value   => {
+      'allow-unauthenticated' => true,
+      'match-request'         => {
+        'method'       => 'delete',
+        'path'         => '/puppet-admin-api/v1/environment-cache',
+        'query-params' => {},
+        'type'         => 'path'
+      },
+      'name'                  => 'puppetlabs environment cache allow all',
+      'sort-order'            => 490
+    },
+    notify  => Service['pe-puppetserver'],
+  }
+
+  hocon_setting { 'allow unauthenticated jruby-pool':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppetserver/conf.d/auth.conf',
+    setting => 'authorization.rules',
+    type    => 'array_element',
+    value   => {
+      'allow-unauthenticated' => true,
+      'match-request'         => {
+        'method'       => 'delete',
+        'path'         => '/puppet-admin-api/v1/jruby-pool',
+        'query-params' => {},
+        'type'         => 'path'
+      },
+      'name'                  => 'puppetlabs jruby pool allow all',
+      'sort-order'            => 490
+    },
+    notify  => Service['pe-puppetserver'],
+  }
+
+  hocon_setting { 'allow unauthenticated certificate_status':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppetserver/conf.d/auth.conf',
+    setting => 'authorization.rules',
+    type    => 'array_element',
+    value   => {
+      'allow-unauthenticated' => true,
+      'match-request'         => {
+        'method'       => [
+          'get',
+          'put',
+          'delete'
+        ],
+        'path'         => '/puppet-ca/v1/certificate_status',
+        'query-params' => {},
+        'type'         => 'path'
+      },
+      'name'                  => 'puppetlabs certificate status allow all',
+      'sort-order'            => 490
+    },
+    notify  => Service['pe-puppetserver'],
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/puppetmaster/autosign.pp

@@ -0,0 +1,33 @@
+class profile::puppetmaster::autosign (
+  String $logfile     = '/var/log/puppetlabs/puppetserver/autosign.log',
+  String $journalfile = '/etc/puppetlabs/puppetserver/autosign.journal',
+  String $confdir     = '/etc/puppetlabs/puppet',
+  String $password    = undef,
+) {
+  class { '::autosign':
+    ensure   => 'latest',
+    settings => {
+      'general'       => {
+        'loglevel' => 'INFO',
+        'logfile'  => $logfile,
+      },
+      'jwt_token'     => {
+        'secret'      => fqdn_rand_string(10),
+        'validity'    => '7200',
+        'journalfile' => $journalfile,
+      },
+      'password_list' => {
+        'password' => $password,
+      },
+    },
+  }
+
+  ini_setting {'policy-based autosigning':
+    setting => 'autosign',
+    path    => "${confdir}/puppet.conf",
+    section => 'master',
+    value   => '/opt/puppetlabs/puppet/bin/autosign-validator',
+    notify  => Service['pe-puppetserver'],
+    require => Class['::autosign'],
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/puppetmaster/aws.pp

@@ -0,0 +1,58 @@
+class profile::puppetmaster::aws (
+  String $confdir = '/etc/puppetlabs/puppet',
+) {
+  package { 'aws-sdk-core':
+    ensure   => present,
+    provider => 'puppetserver_gem',
+    notify   => Service['pe-puppetserver'],
+  }
+
+  if puppetdb_query('resources { type = "Class" and title = "autosign" }').count > 0 {
+    include profile::aws_nodes
+  }
+
+  # Set up the default config for the AWS module
+  # I will also need to do the following on the Puppet Master:
+  #
+  # export AWS_ACCESS_KEY_ID=your_access_key_id
+  # export AWS_SECRET_ACCESS_KEY=your_secret_access_key
+
+  ini_setting { 'aws region':
+    ensure  => present,
+    path    => "${confdir}/puppetlabs_aws_configuration.ini",
+    section => 'default',
+    setting => 'region',
+    value   => 'ap-southeast-2',
+  }
+
+  file { '/root/.aws':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0700',
+  }
+
+
+  # Add policy based autosigning using https://forge.puppet.com/danieldreier/autosign
+  class { 'autosign':
+    user     => 'pe-puppet',
+    group    => 'pe-puppet',
+    settings => {
+      'general'   => {
+        'loglevel' => 'DEBUG',
+      },
+      'jwt_token' => {
+        'secret' => 'DkCieMT9UyMvg(JDQeuJm%Qao>.p*GLxYg}kaw%ExAfRDvh7Mz'
+      },
+    },
+  }
+
+  ini_setting {'policy-based autosigning':
+    setting => 'autosign',
+    path    => "${confdir}/puppet.conf",
+    section => 'master',
+    value   => '/opt/puppetlabs/puppet/bin/autosign-validator',
+    require => Class['autosign'],
+    notify  => Service['pe-puppetserver'],
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/puppetmaster/tuning.pp

@@ -0,0 +1,139 @@
+# == Class: profile::puppetmaster::tuning
+#
+class profile::puppetmaster::tuning {
+  # Take the total system memory
+  $memory_mb = (($::memory['system']['total_bytes'] / 1024) / 1024)
+
+  # How much memory to leave for the system
+  $reserved_memory = $memory_mb / 8
+
+  # Subtract some memory to leave for the system
+  $available_memory = $memory_mb - $reserved_memory
+
+  # Calculate the subsystem memory split
+  $console_services_memory_proportion       = 0.2
+  $orchestration_services_memory_proportion = 0.2
+  $puppetdb_memory_proportion               = 0.2
+  $activemq_memory_proportion               = 0.4
+
+  # How much total memory should be allocated to the subsystems
+  $subsystem_base_memory = 1280
+
+  # Calculate how much the puppetserver and jrubies are going to need
+  $max_active_instances = $::processors['count']
+  $puppetserver_optimal_memory = (512 + ($max_active_instances * 512))
+
+  # Calculate how much memory we have to play with given:
+  #   - Puppetserver has optimal memory
+  #   - Everything else has base
+  $unallocated_memory_base = ($memory_mb - $reserved_memory
+                                    - $puppetserver_optimal_memory
+                                    - $subsystem_base_memory)
+
+  # Double the subsystem memory if possible
+  if ($unallocated_memory_base > $subsystem_base_memory) {
+    $subsystem_memory = $subsystem_base_memory * 2
+  } else {
+    $subsystem_memory = $subsystem_base_memory
+  }
+
+  # Finally: Set up all the variables
+  $console_services_memory       = Integer($subsystem_memory * $console_services_memory_proportion)
+  $orchestration_services_memory = Integer($subsystem_memory * $orchestration_services_memory_proportion)
+  $puppetdb_memory               = Integer($subsystem_memory * $puppetdb_memory_proportion)
+  $activemq_memory               = Integer($subsystem_memory * $activemq_memory_proportion)
+  $puppetserver_memory           = Integer($puppetserver_optimal_memory)
+
+  # TODO: Deal with overallocation
+
+  # Final config steps
+  $pe_master_group       = node_groups('PE Master')
+  $pe_console_group      = node_groups('PE Console')
+  $pe_orchestrator_group = node_groups('PE Orchestrator')
+  $pe_puppetdb_group     = node_groups('PE PuppetDB')
+  $pe_activemq_group     = node_groups('PE ActiveMQ Broker')
+
+  $pe_master_group_additions = {
+    'puppet_enterprise::profile::master' => {
+      'java_args' => {
+        'Xmx' => "${puppetserver_memory}m",
+        'Xms' => "${puppetserver_memory}m"
+      }
+    }
+  }
+
+  $pe_console_group_additions = {
+    'puppet_enterprise::profile::console' => {
+      'java_args' => {
+        'Xmx' => "${console_services_memory}m",
+        'Xms' => "${console_services_memory}m"
+      }
+    }
+  }
+
+  $pe_orchestrator_group_additions = {
+    'puppet_enterprise::profile::orchestrator' => {
+      'java_args' => {
+        'Xmx' => "${orchestration_services_memory}m",
+        'Xms' => "${orchestration_services_memory}m"
+      }
+    }
+  }
+
+  $pe_puppetdb_group_additions = {
+    'puppet_enterprise::profile::puppetdb' => {
+      'java_args' => {
+        'Xmx' => "${puppetdb_memory}m",
+        'Xms' => "${puppetdb_memory}m"
+      }
+    }
+  }
+
+  # lint:ignore:only_variable_string
+  $pe_activemq_group_additions = {
+    'puppet_enterprise::profile::amq::broker' => {
+      'heap_mb' => "${activemq_memory}"
+    }
+  }
+  # lint:endignore
+
+  node_group { 'PE Master':
+    ensure  => present,
+    classes => deep_merge($pe_master_group['PE Master']['classes'],$pe_master_group_additions),
+    parent  => 'PE Infrastructure',
+    require => Package['puppetclassify_server'],
+  }
+
+  node_group { 'PE Console':
+    ensure  => present,
+    classes => deep_merge($pe_console_group['PE Console']['classes'],$pe_console_group_additions),
+    parent  => 'PE Infrastructure',
+    require => Package['puppetclassify_server'],
+  }
+
+  node_group { 'PE Orchestrator':
+    ensure  => present,
+    classes => deep_merge($pe_orchestrator_group['PE Orchestrator']['classes'],$pe_orchestrator_group_additions),
+    parent  => 'PE Infrastructure',
+    require => Package['puppetclassify_server'],
+  }
+
+  node_group { 'PE PuppetDB':
+    ensure  => present,
+    classes => deep_merge($pe_puppetdb_group['PE PuppetDB']['classes'],$pe_puppetdb_group_additions),
+    parent  => 'PE Infrastructure',
+    require => Package['puppetclassify_server'],
+  }
+
+  node_group { 'PE ActiveMQ Broker':
+    ensure  => present,
+    classes => deep_merge($pe_activemq_group['PE ActiveMQ Broker']['classes'],$pe_activemq_group_additions),
+    parent  => 'PE Infrastructure',
+    require => Package['puppetclassify_server'],
+  }
+
+  Pe_hocon_setting <| title == 'jruby-puppet.max-active-instances' |> {
+    ensure => present,
+    value  => $max_active_instances,
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/puppetmaster.pp

@@ -0,0 +1,139 @@
+# Deals with the Puppet Master
+class profile::puppetmaster {
+  include pe_databases
+  # Wait until we have installed the stuff first before including this class
+  # if puppetdb_query('resources { type = "Package" and title = "puppetclassify_agent" }').count > 0 {
+  #   include profile::puppetmaster::tuning
+  # }
+
+  $server_gems = [
+    'puppetclassify',
+    'retries',
+  ]
+
+  # Create basic firewall rules
+  firewall { '100 allow https access':
+    dport  => 443,
+    proto  => tcp,
+    action => accept,
+  }
+
+  firewall { '101 allow mco access':
+    dport  => 61613,
+    proto  => tcp,
+    action => accept,
+  }
+
+  firewall { '102 allow puppet access':
+    dport  => 8140,
+    proto  => tcp,
+    action => accept,
+  }
+
+  $server_gems.each |$gem| {
+    package { "${gem}_server":
+      ensure   => present,
+      name     => $gem,
+      provider => 'puppetserver_gem',
+      notify   => Service['pe-puppetserver'],
+    }
+
+    package { "${gem}_agent":
+      ensure   => present,
+      name     => $gem,
+      provider => 'puppet_gem',
+      notify   => Service['pe-puppetserver'],
+    }
+  }
+
+  # Make sure that a user exists for me
+  rbac_user { 'dylan':
+    ensure       => 'present',
+    display_name => 'Dylan Ratcliffe',
+    email        => 'dylan.ratcliffe@puppet.com',
+    password     => 'puppetlabs',
+    roles        => [ 'Administrators' ],
+  }
+
+  # Create a Developers role
+  rbac_role { 'Developers':
+    ensure      => 'present',
+    name        => 'Developers',
+    description => 'Can run Puppet, deploy code and use PuppetDB',
+    permissions => [
+      {
+        'action'      => 'run',
+        'instance'    => '*',
+        'object_type' => 'puppet_agent'
+      }, {
+        'action'      => 'modify_children',
+        'instance'    => '*',
+        'object_type' => 'node_groups'
+      }, {
+        'action'      => 'edit_child_rules',
+        'instance'    => '*',
+        'object_type' => 'node_groups'
+      }, {
+        'action'      => 'deploy_code',
+        'instance'    => '*',
+        'object_type' => 'environment'
+      }, {
+        'action'      => 'accept_reject',
+        'instance'    => '*',
+        'object_type' => 'cert_requests'
+      }, {
+        'action'      => 'edit_params_and_vars',
+        'instance'    => '*',
+        'object_type' => 'node_groups'
+      }, {
+        'action'      => 'edit_classification',
+        'instance'    => '*',
+        'object_type' => 'node_groups'
+      }, {
+        'action'      => 'view',
+        'instance'    => '*',
+        'object_type' => 'node_groups'
+      }, {
+        'action'      => 'view_data',
+        'instance'    => '*',
+        'object_type' => 'nodes'
+      }, {
+        'action'      => 'view',
+        'instance'    => '*',
+        'object_type' => 'console_page'
+      }, {
+        'action'      => 'set_environment',
+        'instance'    => '*',
+        'object_type' => 'node_groups'
+      },
+    ],
+  }
+
+  # Import all exported console users
+  Console::User <<| |>>
+
+  # Configure default color scheme for puppetmaster logs
+  file_line { 'log4j_color_puppetlogs':
+    ensure  => present,
+    path    => '/etc/multitail.conf',
+    line    => 'scheme:log4j:/var/log/puppetlabs/',
+    after   => 'default colorschemes',
+    require => Package['multitail'],
+  }
+
+  class { 'deployment_signature':
+    signing_secret => Sensitive('hunter2'),
+    validators     => [
+      '/etc/puppetlabs/puppet/validate.sh',
+    ],
+  }
+
+  # Create a validator tah always passes
+  file { '/etc/puppetlabs/puppet/validate.sh':
+    ensure  => 'file',
+    owner   => 'pe-puppet',
+    group   => 'pe-puppet',
+    mode    => '0700',
+    content => "#!/bin/bash\nexit 0",
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/rvm.pp

@@ -0,0 +1,13 @@
+class profile::rvm {
+  include ::rvm
+
+  rvm_system_ruby { 'ruby-2.3.3':
+    ensure      => 'present',
+    default_use => true,
+  }
+
+  rvm_gem { 'ruby-2.3.3/bundler':
+      ensure  => latest,
+      require => Rvm_system_ruby['ruby-2.3.3'],
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/sumologic.pp

@@ -0,0 +1,11 @@
+#
+class profile::sumologic {
+  $sumologic_key = hiera('profile::sumologic::sumologic_key','NOT_FOUND')
+
+  # This data is completely made up, it will not work
+  class { '::sumologic::report_handler':
+    report_url => "https://collectors.au.sumologic.com/receiver/v1/http/${sumologic_key}",
+    mode       => 'json',
+    notify     => Service['pe-puppetserver'],
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/sunburst/windows.pp

@@ -0,0 +1,104 @@
+# == Class: profile::sunburst::windows
+#
+class profile::sunburst::windows (
+  String $install_dir = 'C:/inetpub/sunburst',
+  String $user        = 'sunburst',
+  String $group       = 'sunburst-admins',
+  String $password    = 'change3me',
+) {
+  require ::profile::windows::webserver
+
+  user { $user:
+    ensure   => present,
+    comment  => 'Sunburst Application Service Account',
+    groups   => ['Users',$group],
+    password => $password,
+    require  => Group[$group],
+  }
+
+  group { $group:
+    ensure => present,
+  }
+
+  exec { 'grant_SeBatchLogonRight':
+    command     => "Grant-Privilege -Identity ${user} -Privilege SeBatchLogonRight",
+    provider    => 'powershell',
+    refreshonly => true,
+    subscribe   => User[$user],
+    require     => Package['carbon'],
+  }
+
+  iis_application_pool { 'sunburst':
+    ensure        => present,
+    state         => 'started',
+    identity_type => 'SpecificUser',
+    user_name     => $user,
+    password      => $password,
+  }
+
+  # Create a new website
+  iis_site { 'sunburst':
+    ensure          => 'started',
+    physicalpath    => 'C:\\inetpub\\sunburst',
+    applicationpool => 'sunburst',
+    defaultpage     => 'index.html',
+    require         => [Iis_application_pool['sunburst'], Dsc_windowsfeature['IIS','AspNet45']],
+  }
+
+  iis_virtual_directory { 'sunburst_vdir':
+    ensure       => 'present',
+    sitename     => 'sunburst',
+    physicalpath => 'C:\\inetpub\\sunburst',
+    require      => File[$install_dir],
+  }
+
+  file { $install_dir:
+    ensure => directory,
+  }
+
+  acl { $install_dir:
+    inherit_parent_permissions => false,
+    purge                      => true,
+    owner                      => $user,
+    group                      => $group,
+    permissions                => [
+      {
+        'affects'  => 'all',
+        'identity' => 'NT AUTHORITY\SYSTEM',
+        'rights'   => ['full'],
+      },
+      {
+        'affects'  => 'all',
+        'identity' => 'BUILTIN\Administrators',
+        'rights'   => ['full'],
+      },
+      {
+        'affects'  => 'all',
+        'identity' => "${facts['hostname'].upcase}\\${user}",
+        'rights'   => ['full'],
+      },
+      {
+        'affects'  => 'all',
+        'identity' => "${facts['hostname'].upcase}\\${group}",
+        'rights'   => ['read', 'execute'],
+      },
+    ],
+    require                    => [User[$user],File[$install_dir]],
+  }
+
+  file { "${install_dir}/index.html":
+    ensure => file,
+    mode   => '0644',
+    owner  => $user,
+    group  => $group,
+    source => 'puppet:///modules/profile/sunburst/index.html',
+  }
+
+  file { "${install_dir}/flare.json":
+    ensure => file,
+    mode   => '0644',
+    owner  => $user,
+    group  => $group,
+    source => 'puppet:///modules/profile/sunburst/flare.json',
+  }
+}

data/spec/fixtures/controlrepos/puppet_controlrepo/site-modules/profile/manifests/vagrant.pp

@@ -0,0 +1,25 @@
+# NOTE: This is old and failing tests
+class profile::vagrant {
+  $version = '1.7.4'
+
+  file { ['/opt/vagrant','/opt/vagrant/packages']:
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+  }
+
+  archive::download { "vagrant_${version}_x86_64.rpm":
+    url        => "https://releases.hashicorp.com/vagrant/1.7.4/vagrant_${version}_x86_64.rpm",
+    src_target => '/opt/vagrant/packages',
+    checksum   => false,
+    require    => File['/opt/vagrant/packages'],
+  }
+
+  class { '::vagrant':
+    ensure  => 'present',
+    version => $version,
+    source  => "/opt/vagrant/packages/vagrant_${version}_x86_64.rpm",
+    require => Archive::Download["vagrant_${version}_x86_64.rpm"],
+  }
+}