ghoneycutt · ghoneycutt · Jul 8, 2017 · Jul 10, 2017 · Jul 10, 2017 · Phil-Friderici
diff --git a/README.md b/README.md
@@ -143,6 +143,12 @@ Value of the graph option in puppet.conf.
 
 - *Default*: false
 
+---
+#### dns_alt_names (type: Optional[String])
+Value of the dns_alt_names option in puppet.conf.
+
+- *Default*: undef
+
 ---
 #### agent_sysconfig_path (type: String)
 The absolute path to the puppet agent sysconfig file.
@@ -187,9 +193,3 @@ external_nodes option in puppet.conf and the node_terminus option will
 be set to 'exec'.
 
 - *Default*: undef
-
----
-#### dns_alt_names (type: Optional[String])
-Value of the dns_alt_names option in puppet.conf.
-
-- *Default*: undef
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -12,6 +12,7 @@
   String                                  $server = 'puppet',
   String                                  $ca_server = 'puppet',
   String                                  $env = $environment,
+  Optional[String]                        $dns_alt_names = undef,
   Variant[Enum['true', 'false'], Boolean] $graph = false, #lint:ignore:quoted_booleans
   String                                  $agent_sysconfig_path = '/etc/sysconfig/puppet',
 ) {
@@ -87,15 +88,23 @@
   }
 
   $ini_settings = {
-    'server'              => { setting => 'server', value => $server,},
-    'ca_server'           => { setting => 'ca_server', value => $ca_server,},
-    'certname'            => { setting => 'certname', value => $certname,},
-    'environment'         => { setting => 'environment', value => $env,},
-    'trusted_node_data'   => { setting => 'trusted_node_data', value => true,},
-    'graph'               => { setting => 'graph', value => $graph,},
+    'server'            => { setting => 'server', value => $server,},
+    'ca_server'         => { setting => 'ca_server', value => $ca_server,},
+    'certname'          => { setting => 'certname', value => $certname,},
+    'environment'       => { setting => 'environment', value => $env,},
+    'trusted_node_data' => { setting => 'trusted_node_data', value => true,},
+    'graph'             => { setting => 'graph', value => $graph,},
   }
   create_resources('ini_setting', $ini_settings, $ini_defaults)
 
+  if $dns_alt_names != undef {
+    ini_setting { 'dns_alt_names':
+      setting => 'dns_alt_names',
+      value   => $dns_alt_names,
+      *       => $ini_defaults,
+    }
+  }
+
   file { 'puppet_config':
     ensure => 'file',
     path   => $config_path,

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -2,17 +2,18 @@
 #
 # Manages puppetserver
 #
-class puppet::server(
+class puppet::server (
   Variant[Enum['true', 'false'], Boolean] $ca = false, #lint:ignore:quoted_booleans
   Variant[Array[String, 1], Undef]        $autosign_entries = undef,
   String                                  $sysconfig_path = '/etc/sysconfig/puppetserver',
   String                                  $memory_size = '2g', # only m and g are appropriate for unit
   Optional[String]                        $enc = undef,
-  Optional[String]                        $dns_alt_names = undef,
 ) {
 
   include ::puppet
 
+  $_ca = str2bool($ca)
+
   if $sysconfig_path != undef {
     validate_absolute_path($sysconfig_path)
   }
@@ -34,7 +35,7 @@
     'rundir'  => { setting => 'rundir', value => '/var/run/puppetlabs/puppetserver',},
     'pidfile' => { setting => 'pidfile', value => '/var/run/puppetlabs/puppetserver/puppetserver.pid',},
     'codedir' => { setting => 'codedir', value =>'/etc/puppetlabs/code',},
-    'ca'      => { setting => 'ca', value => $ca,},
+    'ca'      => { setting => 'ca', value => $_ca,},
   }
 
   if $enc != undef {
@@ -47,15 +48,7 @@
     $ini_enc_settings = {}
   }
 
-  if $dns_alt_names != undef {
-    $ini_dns_alt_names_settings = {
-      'dns_alt_names' => { setting => 'dns_alt_names', value => $dns_alt_names },
-    }
-  } else {
-    $ini_dns_alt_names_settings = {}
-  }
-
-  $ini_settings_merged = $non_conditional_ini_settings + $ini_enc_settings + $ini_dns_alt_names_settings
+  $ini_settings_merged = $non_conditional_ini_settings + $ini_enc_settings
   create_resources('ini_setting', $ini_settings_merged, $ini_defaults)
 
   # Ensure that puppet.conf settings in [main] also trigger a restart of
@@ -81,6 +74,16 @@
     notify  => Service['puppetserver'],
   }
 
+  file { 'puppetserver_ca_cfg':
+    ensure  => 'file',
+    path    => '/etc/puppetlabs/puppetserver/services.d/ca.cfg',
+    content => template('puppet/ca.cfg.erb'),
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    notify  => Service['puppetserver'],
+  }
+
   service { 'puppetserver':
     ensure    => 'running',
     enable    => true,

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -61,6 +61,8 @@
         end
       end
 
+      it { should_not contain_ini_setting('dns_alt_names') }
+
       it do
         should contain_file('puppet_config').with({
           :ensure  => 'file',
@@ -187,7 +189,7 @@
   end
 
   describe 'with puppet.conf ini setting' do
-    %w(server ca_server certname graph).each do |setting|
+    %w(server ca_server certname graph dns_alt_names).each do |setting|
       context "#{setting} set to a valid entry" do
         # 'true' is used because it is acceptable to all of the above
         # parameters. Some of the settings are strings and some are boolean and
@@ -266,7 +268,7 @@
         :message => 'Error while evaluating a Resource Statement',
       },
       'strings' => {
-        :name    => %w(certname cron_command server ca_server env),
+        :name    => %w(certname cron_command server ca_server dns_alt_names env),
         :valid   => ['string'],
         :invalid => [true, %w(array), { 'ha' => 'sh' }, 3, 2.42],
         :message => 'Error while evaluating a Resource Statement',

diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
@@ -1,5 +1,26 @@
 require 'spec_helper'
 describe 'puppet::server' do
+
+  ca_config_if_true = <<-END.gsub(/^\s+\|/, '')
+    |# This file is being maintained by Puppet.
+    |# DO NOT EDIT
+    |
+    |# To enable the CA service, leave the following line uncommented
+    |puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
+    |# To disable the CA service, comment out the above line and uncomment the line below
+    |#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
+  END
+
+  ca_config_if_false = <<-END.gsub(/^\s+\|/, '')
+    |# This file is being maintained by Puppet.
+    |# DO NOT EDIT
+    |
+    |# To enable the CA service, leave the following line uncommented
+    |#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
+    |# To disable the CA service, comment out the above line and uncomment the line below
+    |puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
+  END
+
   # Filter out duplicate platforms
   platforms = on_supported_os.select { |k, _v| !k.to_s.match(/^(RedHat|Scientific|OracleLinux)/i) }
 
@@ -36,7 +57,7 @@
         end
       end
 
-      %w(node_terminus external_nodes dns_alt_names).each do |setting|
+      %w(node_terminus external_nodes).each do |setting|
         it { should_not contain_ini_setting(setting) }
       end
 
@@ -57,6 +78,18 @@
         })
       end
 
+      it do
+        should contain_file('puppetserver_ca_cfg').with({
+          :ensure  => 'file',
+          :path    => '/etc/puppetlabs/puppetserver/services.d/ca.cfg',
+          :content => ca_config_if_false,
+          :owner   => 'root',
+          :group   => 'root',
+          :mode    => '0644',
+          :notify  => 'Service[puppetserver]',
+        })
+      end
+
       puppetserver_sysconfig = File.read(fixtures('puppetserver_sysconfig'))
       it do
         should contain_file('puppetserver_sysconfig').with({
@@ -83,19 +116,39 @@
   end
 
   describe 'with ca' do
-    [true, 'true', false, 'false'].each do |value|
+    [true, 'true'].each do |value|
       context "set to #{value} (as #{value.class})" do
         let(:params) { { :ca => value } }
 
+        it do
+          should contain_file('puppetserver_ca_cfg').with({
+            :content => ca_config_if_true,
+          })
+        end
+
         it do
           should contain_ini_setting('ca').with({
-            :ensure  => 'present',
             :setting => 'ca',
-            :value   => value,
-            :path    => '/etc/puppetlabs/puppet/puppet.conf',
-            :section => 'master',
-            :require => 'File[puppet_config]',
-            :notify  => 'Service[puppetserver]',
+            :value   => true,
+          })
+        end
+      end
+    end
+
+    [false, 'false'].each do |value|
+      context "set to #{value} (as #{value.class})" do
+        let(:params) { { :ca => value } }
+
+        it do
+          should contain_file('puppetserver_ca_cfg').with({
+            :content => ca_config_if_false,
+          })
+        end
+
+        it do
+          should contain_ini_setting('ca').with({
+            :setting => 'ca',
+            :value   => false,
           })
         end
       end
@@ -132,24 +185,6 @@
     end
   end
 
-  describe 'with dns_alt_names' do
-    context 'set to a valid path' do
-      let(:params) { { :dns_alt_names => 'foo,foo1,foo1.example.com,foo.example.com' } }
-
-      it do
-        should contain_ini_setting('dns_alt_names').with({
-          :ensure  => 'present',
-          :setting => 'dns_alt_names',
-          :value   => 'foo,foo1,foo1.example.com,foo.example.com',
-          :path    => '/etc/puppetlabs/puppet/puppet.conf',
-          :section => 'master',
-          :require => 'File[puppet_config]',
-          :notify  => 'Service[puppetserver]',
-        })
-      end
-    end
-  end
-
   describe 'with autosign_entries' do
     context 'set to a valid array of strings' do
       let(:params) { { :autosign_entries => ['*.example.org', '*.dev.example.org'] } }
@@ -179,12 +214,6 @@
         :invalid => ['string', %w(array), { 'ha' => 'sh' }, 3, 2.42],
         :message => 'Error while evaluating a Resource Statement',
       },
-      'strings' => {
-        :name    => %w(dns_alt_names),
-        :valid   => ['string'],
-        :invalid => [true, %w(array), { 'ha' => 'sh' }, 3, 2.42],
-        :message => 'Error while evaluating a Resource Statement',
-      },
       'non-empty array of strings' => {
         :name    => %w(autosign_entries),
         :valid   => [['array with one string'], %w(array with many strings)],

diff --git a/spec/fixtures/puppetserver_sysconfig b/spec/fixtures/puppetserver_sysconfig
@@ -9,7 +9,7 @@
 JAVA_BIN="/usr/bin/java"
 
 # Modify this if you'd like to change the memory allocation, enable JMX, etc
-JAVA_ARGS="-Xms2g -Xmx2g -XX:MaxPermSize=256m"
+JAVA_ARGS="-Xms2g -Xmx2g"
 
 # These normally shouldn't need to be edited if using OS packages
 USER="puppet"

diff --git a/templates/ca.cfg.erb b/templates/ca.cfg.erb
@@ -0,0 +1,15 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# To enable the CA service, leave the following line uncommented
+<% if @_ca == true -%>
+puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
+<% else -%>
+#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
+<% end -%>
+# To disable the CA service, comment out the above line and uncomment the line below
+<% if @_ca == true -%>
+#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
+<% else -%>
+puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
+<% end -%>
diff --git a/templates/puppetserver_sysconfig.erb b/templates/puppetserver_sysconfig.erb
@@ -9,7 +9,7 @@
 JAVA_BIN="/usr/bin/java"
 
 # Modify this if you'd like to change the memory allocation, enable JMX, etc
-JAVA_ARGS="-Xms<%= @memory_size -%> -Xmx<%= @memory_size -%> -XX:MaxPermSize=256m"
+JAVA_ARGS="-Xms<%= @memory_size -%> -Xmx<%= @memory_size -%>"
 
 # These normally shouldn't need to be edited if using OS packages
 USER="puppet"