Puppet
From GarrettHoneycutt
Cheat Sheet
http://docs.puppetlabs.com/puppet_core_types_cheatsheet.pdf
Removing certs during provisioning process
When provisioning a system, it is generally advantageous to remove any existing cert with that system's name. Otherwise, when you reinstall a system with the same name, you have to remove the old cert manually. This involves the query itself and configuring auth.conf to allow the HTTP request.
query to remove cert
PUPPETCA=puppetca.example.com
curl -k -X DELETE -H "Accept: pson" "https://${PUPPETCA}:8140/production/certificate_status/$(hostname -f)"
auth.conf
The important part is lines 51 - 57.
1 # THIS FILE IS MANAGED BY PUPPET
2 # ANY CHANGES WILL BE OVERWRITTEN
3 #
4 #
5 # The ACL are checked in order of appearance in this file.
6 # #
7 # # For details on auth.conf syntax see:
8 # # http://docs.puppetlabs.com/guides/rest_auth_conf.html
9 # #
10 # ### Authenticated ACL - those applies only when the client
11 # ### has a valid certificate and is thus authenticated
12 path ~ ^/catalog/([^/]+)$
13 method find
14 auth yes
15 allow $1
16
17 path ~ ^/node/([^/]+)$
18 method find
19 auth yes
20 allow $1
21
22 path /certificate_revocation_list/ca
23 method find
24 auth yes
25 allow *
26
27 path /report
28 method save
29 auth yes
30 allow *
31
32 path /file
33 auth yes
34 allow *
35
36 path /certificate/ca
37 method find
38 auth any
39 allow *
40
41 path /certificate/
42 method find
43 auth any
44 allow *
45
46 path /certificate_request
47 method find, save
48 auth any
49 allow *
50
51 # Allows nodes to clean up certificates of any node. This is being triggered
52 # at provisioning time in kickstart to remove the old certificate, since a new
53 # one is generated when the system is provisioned.
54 path /certificate_status/
55 auth any
56 method find, save, destroy
57 allow *.example.com,pe-internal-dashboard
58
59 path /facts
60 method find, search
61 auth any
62 allow *
63
64 # allow all puppet systems to save facts
65 path /facts
66 method save
67 auth yes
68 allow puppetmaster.example.com,puppet1.example.com,puppet2.example.com,puppet3.example.com,puppetdb.example.com
69
70 # allow anyone to see if a puppet master is alive.
71 # used for load balancer health checks
72 path /status/no_key
73 method find
74 auth any
75 allow *
76
77
78 path /
79 auth any
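Lines 51 - 57 pair `auth any` with `save` and `destroy`, so that rule can be matched without a client certificate. The following audit script is an added example, not part of the original page or of Puppet itself; it lists every stanza of this shape so each one can be reviewed. Its function names are hypothetical, and it assumes that a stanza without `auth` defaults to `yes`, one without `method` permits all methods, and one without `allow` permits nobody.

```ruby
# Added example (not from the page); SAMPLE is built from stanzas listed above.
SAMPLE = <<~'CONF'
  path /report
  method save
  auth yes
  allow *

  path /certificate_status/
  auth any
  method find, save, destroy
  allow *.example.com,pe-internal-dashboard

  path /facts
  method find, search
  auth any
  allow *

  path /
  auth any
CONF
WRITE_METHODS = %w[save destroy].freeze

# Split the file into stanzas; each one starts at a "path" line.
def parse_auth_conf(text)
  stanzas = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    if key == 'path'
      stanzas << { 'path' => value, 'method' => [], 'auth' => 'yes', 'allow' => [] }
    elsif stanzas.any? && %w[method allow].include?(key)
      stanzas.last[key].concat(value.to_s.split(/\s*,\s*/))
    elsif stanzas.any? && key == 'auth'
      stanzas.last['auth'] = value.to_s
    end
  end
  stanzas
end

# Stanzas that admit clients without a certificate and permit writes (assumptions in lead-in).
def risky_stanzas(text)
  parse_auth_conf(text).select do |s|
    next false if s['allow'].empty?
    methods = s['method'].empty? ? WRITE_METHODS : s['method']
    %w[any no off].include?(s['auth']) && (methods & WRITE_METHODS).any?
  end
end

risky_stanzas(SAMPLE).each { |s| puts "#{s['path']}: auth #{s['auth']}, allow #{s['allow'].join(',')}" }
```

Pass the contents of a real auth.conf to `risky_stanzas` to get the same report for a deployed file.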
Spec tests
Spec tests are unit tests that allow you to test what should be present in the catalog.
Tim's tutorial - http://rspec-puppet.com/
Setup
Install Puppet
Install some other tools
sudo gem install -V puppet-lint puppetlabs_spec_helper rake rspec-puppet bundler librarian-puppet-simple --no-ri --no-rdoc
Testing
You must be in the directory of the module you are testing.
rake spec
SPEC_OPTS="--format documentation" bundle exec rake spec
This actually runs the equivalent of
rake spec_prep; rake spec_standalone; rake spec_clean
You can see these commands by typing
rake -T
If your tests need to download dependencies, you might want to use
rake spec_prep
once and then type
SPEC_OPTS="--format documentation" bundle exec rake spec_standalone
so you do not incur the cost of re-downloading stuff every time you want to run a test.
Dependencies / Fixtures
These should all be noted in your Modulefile and must be listed in .fixtures.yml. example
Examples
puppet-module-common has many different types of spec tests.
Example site manifest - site.pp
# Define filebucket 'main':
filebucket { 'main':
  server => 'puppet.example.com',
  path   => false,
}

# Ignoring version control artifacts
File {
  backup => 'main',
  ignore => [ '.svn', '.git', 'CVS', '.bzr' ],
}

if $::osfamily == 'Suse' and $::lsbmajdistrelease == '11' {
  Package {
    provider => 'zypper',
  }
}

# include classes from hiera
hiera_include('classes')

node default {
  # look in fqdn level of hiera
}