Merge pull request #22 from bke-drewb/17594

cprice404 · cprice404 · commit a3138329df81 · 2012-12-04T14:32:20.000-08:00
This is great, thank you!
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -15,15 +15,50 @@
 # puppetdb.  You can use the `puppetdb::master::config` class to accomplish this.
 #
 # Parameters:
-#   ['database'] - Which database backend to use; legal values are
-#                  `postgres` (default) or `embedded`.  (The `embedded`
-#                  db can be used for very small installations or for
-#                  testing, but is not recommended for use in production
-#                  environments.  For more info, see the puppetdb docs.)
+#   ['listen_address']     - The address that the web server should bind to
+#                            for HTTP requests.  (defaults to `localhost`.
+#                            '0.0.0.0' = all)
+#   ['listen_port']        - The port on which the puppetdb web server should
+#                            accept HTTP requests (defaults to 8080).
+#   ['open_listen_port']   - If true, open the http listen port on the firewall. 
+#                            (defaults to false).
+#   ['ssl_listen_address'] - The address that the web server should bind to
+#                            for HTTPS requests.  (defaults to `$::clientcert`.)
+#                            Set to '0.0.0.0' to listen on all addresses.
+#   ['ssl_listen_port']    - The port on which the puppetdb web server should
+#                            accept HTTPS requests (defaults to 8081).
+#   ['open_ssl_listen_port'] - If true, open the ssl listen port on the firewall. 
+#                            (defaults to true).
+#   ['database']           - Which database backend to use; legal values are
+#                            `postgres` (default) or `embedded`.  (The `embedded`
+#                            db can be used for very small installations or for
+#                            testing, but is not recommended for use in production
+#                            environments.  For more info, see the puppetdb docs.)
+#   ['database_port']      - The port that the database server listens on.
+#                            (defaults to `5432`; ignored for `embedded` db)
+#   ['database_username']  - The name of the database user to connect as.
+#                            (defaults to `puppetdb`; ignored for `embedded` db)
+#   ['database_password']  - The password for the database user.
+#                            (defaults to `puppetdb`; ignored for `embedded` db)
+#   ['database_name']      - The name of the database instance to connect to.
+#                            (defaults to `puppetdb`; ignored for `embedded` db)
+#   ['database_package']   - The puppetdb package name in the package manager
 #   ['puppetdb_version']   - The version of the `puppetdb` package that should
-#                  be installed.  You may specify an explicit version
-#                  number, 'present', or 'latest'.  Defaults to
-#                  'present'.
+#                            be installed.  You may specify an explicit version
+#                            number, 'present', or 'latest'.  (defaults to
+#                            'present')
+#   ['puppetdb_service']   - The name of the puppetdb service.
+#   ['manage_redhat_firewall'] - DEPRECATED: Use open_ssl_listen_port instead.
+#                            boolean indicating whether or not the module
+#                            should open a port in the firewall on redhat-based
+#                            systems.  Defaults to `false`.  This parameter is
+#                            likely to change in future versions.  Possible
+#                            changes include support for non-RedHat systems and
+#                            finer-grained control over the firewall rule
+#                            (currently, it simply opens up the postgres port to
+#                            all TCP connections).
+#   ['confdir']            - The puppetdb configuration directory; defaults to
+#                            `/etc/puppetdb/conf.d`.
 #
 # Actions:
 # - Creates and manages a puppetdb server and its database server/instance.
@@ -34,30 +69,56 @@
 # Sample Usage:
 #   include puppetdb
 #
-#
-# TODO: expose more parameters
-#
 class puppetdb(
-  $database               = $puppetdb::params::database,
-  $puppetdb_package       = $puppetdb::params::puppetdb_package,
-  $puppetdb_version       = $puppetdb::params::puppetdb_version,
-  $puppetdb_service       = $puppetdb::params::puppetdb_service,
-  $confdir                = $puppetdb::params::confdir,
-  $manage_redhat_firewall = $puppetdb::params::manage_redhat_firewall,
+  $listen_address            = $puppetdb::params::listen_address,
+  $listen_port               = $puppetdb::params::listen_port,
+  $open_listen_port          = $puppetdb::params::open_listen_port,
+  $ssl_listen_address        = $puppetdb::params::ssl_listen_address,
+  $ssl_listen_port           = $puppetdb::params::ssl_listen_port,
+  $open_ssl_listen_port      = $puppetdb::params::open_ssl_listen_port,
+  $database                  = $puppetdb::params::database,
+  $database_port             = $puppetdb::params::database_port,
+  $database_username         = $puppetdb::params::database_username,
+  $database_password         = $puppetdb::params::database_password,
+  $database_name             = $puppetdb::params::database_name,
+  $puppetdb_package          = $puppetdb::params::puppetdb_package,
+  $puppetdb_version          = $puppetdb::params::puppetdb_version,
+  $puppetdb_service          = $puppetdb::params::puppetdb_service,
+  $open_postgres_port        = $puppetdb::params::open_postgres_port,
+  $manage_redhat_firewall    = $puppetdb::params::manage_redhat_firewall,
+  $confdir                   = $puppetdb::params::confdir
 ) inherits puppetdb::params {
 
+  if ($manage_redhat_firewall) {
+    notify {'Deprecation notice: `$manage_redhat_firewall` has been deprecated in `puppetdb` class and will be removed in a future versions. Use $open_ssl_listen_port and $open_postgres_port instead.':}
+  }
+
   class { 'puppetdb::server':
-    database               => $database,
-    puppetdb_package       => $puppetdb_package,
-    puppetdb_version       => $puppetdb_version,
-    puppetdb_service       => $puppetdb_service,
-    confdir                => $confdir,
-    manage_redhat_firewall => $manage_redhat_firewall,
+    listen_address          => $listen_address,
+    listen_port             => $listen_port,
+    open_listen_port        => $open_listen_port,
+    ssl_listen_address      => $ssl_listen_address,
+    ssl_listen_port         => $ssl_listen_port,
+    open_ssl_listen_port    => $open_ssl_listen_port,
+    database                => $database,
+    database_port           => $database_port,
+    database_username       => $database_username,
+    database_password       => $database_password,
+    database_name           => $database_name,
+    puppetdb_package        => $puppetdb_package,
+    puppetdb_version        => $puppetdb_version,
+    puppetdb_service        => $puppetdb_service,
+    manage_redhat_firewall  => $manage_redhat_firewall,
+    confdir                 => $confdir
   }
 
   if ($database == 'postgres') {
     class { 'puppetdb::database::postgresql':
-      manage_redhat_firewall => $manage_redhat_firewall,
+      manage_redhat_firewall => $manage_redhat_firewall ? {
+        true                 => $manage_redhat_firewall,
+        false                => $open_postgres_port,
+      },
+      listen_addresses       => $postgres_listen_addresses,
       before                 => Class['puppetdb::server']
     }
   }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -11,10 +11,16 @@
 # Sample Usage:
 #
 class puppetdb::params {
-  $ssl_listen_address    = $::clientcert
-  $ssl_listen_port       = '8081'
+  $listen_address            = 'localhost'
+  $listen_port               = '8080'
+  $open_listen_port          = false
+  $ssl_listen_address        = $::clientcert
+  $ssl_listen_port           = '8081'
+  $open_ssl_listen_port      = true
+  $postgres_listen_addresses = 'localhost'
+  $open_postgres_port        = true
 
-  $database          = 'postgres'
+  $database                  = 'postgres'
 
   # The remaining database settings are not used for an embedded database
   $database_host          = 'localhost'
@@ -26,7 +32,7 @@
   $puppetdb_version       = 'present'
 
   # TODO: figure out a way to make this not platform-specific
-  $manage_redhat_firewall = true
+  $manage_redhat_firewall = false
 
   $gc_interval            = '60'
 
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -22,10 +22,20 @@
 # use the `puppetdb::master::config` class to accomplish this.
 #
 # Parameters:
+#   ['listen_address']     - The address that the web server should bind to
+#                            for HTTP requests.  (defaults to `localhost`.)
+#                            Set to '0.0.0.0' to listen on all addresses.
+#   ['listen_port']        - The port on which the puppetdb web server should
+#                            accept HTTP requests (defaults to 8080).
+#   ['open_listen_port']   - If true, open the http listen port on the firewall. 
+#                            (defaults to false).
 #   ['ssl_listen_address'] - The address that the web server should bind to
 #                            for HTTPS requests.  (defaults to `$::clientcert`.)
+#                            Set to '0.0.0.0' to listen on all addresses.
 #   ['ssl_listen_port']    - The port on which the puppetdb web server should
-#                            accept HTTPS requests.
+#                            accept HTTPS requests (defaults to 8081).
+#   ['open_ssl_listen_port'] - If true, open the ssl listen port on the firewall. 
+#                            (defaults to true).
 #   ['database']           - Which database backend to use; legal values are
 #                            `postgres` (default) or `embedded`.  (The `embedded`
 #                            db can be used for very small installations or for
@@ -35,17 +45,20 @@
 #                            (defaults to `localhost`; ignored for `embedded` db)
 #   ['database_port']      - The port that the database server listens on.
 #                            (defaults to `5432`; ignored for `embedded` db)
-#   ['database_user']      - The name of the database user to connect as.
+#   ['database_username']  - The name of the database user to connect as.
 #                            (defaults to `puppetdb`; ignored for `embedded` db)
 #   ['database_password']  - The password for the database user.
 #                            (defaults to `puppetdb`; ignored for `embedded` db)
 #   ['database_name']      - The name of the database instance to connect to.
 #                            (defaults to `puppetdb`; ignored for `embedded` db)
+#   ['database_package']   - The puppetdb package name in the package manager
 #   ['puppetdb_version']   - The version of the `puppetdb` package that should
 #                            be installed.  You may specify an explicit version
 #                            number, 'present', or 'latest'.  Defaults to
 #                            'present'.
-#   ['manage_redhat_firewall'] - boolean indicating whether or not the module
+#   ['puppetdb_service']   - The name of the puppetdb service.
+#   ['manage_redhat_firewall'] - DEPRECATED: Use open_ssl_listen_port instead.
+#                            boolean indicating whether or not the module
 #                            should open a port in the firewall on redhat-based
 #                            systems.  Defaults to `true`.  This parameter is
 #                            likely to change in future versions.  Possible
@@ -68,8 +81,12 @@
 #     }
 #
 class puppetdb::server(
+  $listen_address          = $puppetdb::params::listen_address,
+  $listen_port             = $puppetdb::params::listen_port,
+  $open_listen_port        = $puppetdb::params::open_listen_port,
   $ssl_listen_address      = $puppetdb::params::ssl_listen_address,
   $ssl_listen_port         = $puppetdb::params::ssl_listen_port,
+  $open_ssl_listen_port    = $puppetdb::params::open_ssl_listen_port,
   $database                = $puppetdb::params::database,
   $database_host           = $puppetdb::params::database_host,
   $database_port           = $puppetdb::params::database_port,
@@ -81,7 +98,6 @@
   $puppetdb_service        = $puppetdb::params::puppetdb_service,
   $manage_redhat_firewall  = $puppetdb::params::manage_redhat_firewall,
   $confdir                 = $puppetdb::params::confdir,
-  $gc_interval             = $puppetdb::params::gc_interval,
 ) inherits puppetdb::params {
 
   package { $puppetdb_package:
@@ -90,8 +106,11 @@
   }
 
   class { 'puppetdb::server::firewall':
-    port                   => $ssl_listen_port,
-    manage_redhat_firewall => $manage_redhat_firewall,
+    http_port              => $listen_port,
+    open_http_port         => $open_listen_port,
+    ssl_port               => $ssl_listen_port,
+    open_ssl_port          => $open_ssl_listen_port,
+    manage_redhat_firewall => $manage_redhat_firewall
   }
 
   class { 'puppetdb::server::database_ini':
@@ -106,6 +125,8 @@
   }
 
   class { 'puppetdb::server::jetty_ini':
+    listen_address      => $listen_address,
+    listen_port         => $listen_port,
     ssl_listen_address  => $ssl_listen_address,
     ssl_listen_port     => $ssl_listen_port,
     confdir             => $confdir,
diff --git a/manifests/server/firewall.pp b/manifests/server/firewall.pp
@@ -1,11 +1,23 @@
 class puppetdb::server::firewall(
-    $port                   = $puppetdb::params::ssl_listen_port,
+    $port                   = '',
+    $http_port              = $puppetdb::params::listen_port,             
+    $open_http_port         = $puppetdb::params::open_listen_port,
+    $ssl_port               = $puppetdb::params::ssl_listen_port,
+    $open_ssl_port          = $puppetdb::params::open_ssl_listen_port,
     $manage_redhat_firewall = $puppetdb::params::manage_redhat_firewall,
 ) inherits puppetdb::params {
   # TODO: figure out a way to make this not platform-specific; debian and ubuntu
   # have an out-of-the-box firewall configuration that seems trickier to manage.
   # TODO: the firewall module should be able to handle this itself
-  if ($manage_redhat_firewall and $puppetdb::params::firewall_supported) {
+  if ($puppetdb::params::firewall_supported) {
+
+    if ($manage_redhat_firewall) {
+      notify {'Deprecation notice: `$manage_redhat_firewall` is deprecated in the `puppetdb::service::firewall` class and will be removed in a future version. Use `open_http_port` and `open_ssl_port` instead.':}
+
+      if ($open_ssl_port) {
+        fail('`$manage_redhat_firewall` and `$open_ssl_port` cannot both be specified.')
+      }
+    }
 
     exec { 'puppetdb-persist-firewall':
       command     => $puppetdb::params::persist_firewall_command,
@@ -15,11 +27,34 @@
     Firewall {
       notify => Exec['puppetdb-persist-firewall']
     }
+    
+    if ($port) {
+      notify { 'Deprecation notice: `port` parameter will be removed in future versions of the puppetdb module. Please use ssl_port instead.': }
+    }
+
+    if ($port and $ssl_port) {
+      fail('`port` and `ssl_port` cannot both be defined. `port` is deprecated in favor of `ssl_port`')
+    }
+    
+    if ($open_http_port) {
+      firewall { "${http_port} accept - puppetdb":
+        port   => $http_port,
+        proto  => 'tcp',
+        action => 'accept',
+      }
+    } 
 
-    firewall { "${port} accept - puppetdb":
-      port   => $port,
-      proto  => 'tcp',
-      action => 'accept',
+    if ($open_ssl_port or $manage_redhat_firewall) {
+      if ($ssl_port) {
+        $final_ssl_port = $ssl_port
+      } else {
+        $final_ssl_port = $port
+      }
+      firewall { "${final_ssl_port} accept - puppetdb":
+        port   => $final_ssl_port,
+        proto  => 'tcp',
+        action => 'accept',
+      }
     }
   }
 }
diff --git a/manifests/server/jetty_ini.pp b/manifests/server/jetty_ini.pp
@@ -4,6 +4,10 @@
 # for puppetdb's embedded web server.
 #
 # Parameters:
+#   ['listen_address']     - The address that the web server should bind to
+#                            for HTTP requests.  (defaults to `localhost`.)
+#   ['listen_port']        - The port on which the puppetdb web server should
+#                            accept HTTP requests (defaults to 8080).
 #   ['ssl_listen_address'] - The address that the web server should bind to
 #                            for HTTPS requests.  (defaults to `$::clientcert`.)
 #   ['ssl_listen_port']    - The port on which the puppetdb web server should
@@ -25,9 +29,9 @@
 #       ssl_listen_port         => 8081,
 #   }
 #
-#TODO add support for non-ssl config
-#
 class puppetdb::server::jetty_ini(
+  $listen_address     = $puppetdb::params::listen_address,
+  $listen_port        = $puppetdb::params::listen_port,  
   $ssl_listen_address = $puppetdb::params::ssl_listen_address,
   $ssl_listen_port    = $puppetdb::params::ssl_listen_port,
   $confdir            = $puppetdb::params::confdir,
@@ -43,6 +47,16 @@
   # TODO: figure out some way to make sure that the ini_file module is installed,
   #  because otherwise these will silently fail to do anything.
 
+  ini_setting {'puppetdb_host':
+    setting => 'host',
+    value   => $listen_address,
+  }
+
+  ini_setting {'puppetdb_port':
+    setting => 'port',
+    value   => $listen_port,
+  }
+
   ini_setting {'puppetdb_sslhost':
     setting => 'ssl-host',
     value   => $ssl_listen_address,
diff --git a/tests/puppetdb-postgres-distributed.pp b/tests/puppetdb-postgres-distributed.pp
@@ -11,16 +11,24 @@
 # This node is our postgres server
 node puppetdb-postgres {
     # Here we install and configure postgres and the puppetdb database instance
+    # Optionally, open the firewall port for postgres so puppetdb server can 
+    # gain access.
     class { 'puppetdb::database::postgresql':
-        listen_addresses => 'puppetdb-postgres',
+        listen_addresses       => 'puppetdb-postgres',
+        manage_redhat_firewall => true,
     }
 }
 
 # This node is our main puppetdb server
 node puppetdb {
     # Here we install and configure the puppetdb server, and tell it where to
     # find the postgres database.
+    # Set open_ssl_listen_port to allow the puppet master to gain access to 
+    # puppetdb.  Optionally, set open_listen_port to open the HTTP port so 
+    # you can access the PuppetDB dashboard.
     class { 'puppetdb::server':
-        database_host      => 'puppetdb-postgres',
+        database_host        => 'puppetdb-postgres',
+        open_ssl_listen_port => true,
+        open_listen_port     => true,
     }
 }
