Config file updates and FreeBSD refactorings

manifests/init.pp

@@ -506,6 +506,10 @@
 #                                           Defaults to false
 #
 # $server_ca_allow_auth_extensions::        Allow CA to sign certificate requests that have authorization extensions
+#                                           Defaults to false
+#
+# $server_ca_enable_infra_crl::             Enable the separate CRL for Puppet infrastructure nodes
+#                                           Defaults to false
 #
 # === Usage:
 #
@@ -698,6 +702,7 @@
   Optional[Integer[1]] $server_max_threads = undef,
   Boolean $server_ca_allow_sans = $puppet::params::server_ca_allow_sans,
   Boolean $server_ca_allow_auth_extensions = $puppet::params::server_ca_allow_auth_extensions,
+  Boolean $server_ca_enable_infra_crl = $puppet::params::server_ca_enable_infra_crl,
 ) inherits puppet::params {
   contain puppet::config
 

manifests/params.pp

@@ -272,9 +272,16 @@
   # - puppetdb for puppetdb
   $server_storeconfigs_backend = undef
 
-  $server_ssl_dir  = $ssldir
-  $server_package     = undef
-  $server_version     = undef
+  $puppet_major = regsubst($::puppetversion, '^(\d+)\..*$', '\1')
+
+  if ($::osfamily =~ /(FreeBSD|DragonFly)/ and versioncmp($puppet_major, '5') >= 0) {
+    $server_package = "puppetserver${puppet_major}"
+  } else {
+    $server_package = undef
+  }
+
+  $server_ssl_dir = $ssldir
+  $server_version = undef
 
   if $aio_package {
     $client_package = ['puppet-agent']
@@ -284,11 +291,7 @@
       default => ['puppet-common', 'puppet']
     }
   } elsif ($::osfamily =~ /(FreeBSD|DragonFly)/) {
-    if (versioncmp($::puppetversion, '5.0') > 0) {
-      $client_package = ['puppet5']
-    } else {
-      $client_package = ['puppet4']
-    }
+    $client_package = ["puppet${puppet_major}"]
   } else {
     $client_package = ['puppet']
   }
@@ -419,12 +422,15 @@
   $server_allow_header_cert_info          = false
   $server_ca_allow_sans                   = false
   $server_ca_allow_auth_extensions        = false
+  $server_ca_enable_infra_crl             = false
 
   # Puppetserver >= 2.2 Which auth.conf shall we use?
   $server_use_legacy_auth_conf      = false
 
   # For Puppetserver, certain configuration parameters are version specific. We assume a particular version here.
-  if versioncmp($::puppetversion, '5.5.7') >= 0 {
+  if versioncmp($::puppetversion, '6.0.0') >= 0 {
+    $server_puppetserver_version = '6.0.0'
+  } elsif versioncmp($::puppetversion, '5.5.7') >= 0 {
     $server_puppetserver_version = '5.3.6'
   } elsif versioncmp($::puppetversion, '5.5.0') >= 0 {
     $server_puppetserver_version = '5.3.0'

manifests/server.pp

@@ -280,6 +280,9 @@
 # $ca_allow_auth_extensions::          Allow CA to sign certificate requests that have authorization extensions
 #                                      Defaults to false
 #
+# $ca_enable_infra_crl::               Enable the separate CRL for Puppet infrastructure nodes
+#                                      Defaults to false
+#
 class puppet::server(
   Variant[Boolean, Stdlib::Absolutepath] $autosign = $::puppet::autosign,
   Array[String] $autosign_entries = $::puppet::autosign_entries,
@@ -394,6 +397,7 @@
   Optional[Integer[1]] $max_threads = $::puppet::server_max_threads,
   Boolean $ca_allow_sans = $::puppet::server_ca_allow_sans,
   Boolean $ca_allow_auth_extensions = $::puppet::server_ca_allow_auth_extensions,
+  Boolean $ca_enable_infra_crl = $::puppet::server_ca_enable_infra_crl,
 ) {
   if $ca {
     $ssl_ca_cert     = "${ssl_dir}/ca/ca_crt.pem"

manifests/server/puppetserver.pp

@@ -129,6 +129,7 @@
   $max_threads                            = $::puppet::server::max_threads,
   $ca_allow_sans                          = $::puppet::server::ca_allow_sans,
   $ca_allow_auth_extensions               = $::puppet::server::ca_allow_auth_extensions,
+  $ca_enable_infra_crl                    = $::puppet::server::ca_enable_infra_crl,
 ) {
   include ::puppet::server
 

metadata.json

@@ -81,7 +81,8 @@
       "operatingsystem": "FreeBSD",
       "operatingsystemrelease": [
         "10",
-        "11"
+        "11",
+        "12"
       ]
     },
     {

spec/classes/puppet_agent_spec.rb

@@ -6,8 +6,10 @@
     context "on #{os}" do
       case facts[:osfamily]
       when 'FreeBSD'
+        puppet_major = facts[:puppetversion].to_i
+
         bindir = '/usr/local/bin'
-        client_package = Puppet.version < '5.0' ? 'puppet4' : 'puppet5'
+        client_package = "puppet#{puppet_major}"
         confdir = '/usr/local/etc/puppet'
         package_provider = nil
       when 'windows'

spec/classes/puppet_init_spec.rb

@@ -5,9 +5,11 @@
     context "on #{os}" do
       case facts[:osfamily]
       when 'FreeBSD'
+        puppet_major = facts[:puppetversion].to_i
+
         puppet_concat    = '/usr/local/etc/puppet/puppet.conf'
         puppet_directory = '/usr/local/etc/puppet'
-        puppet_package   = Puppet.version < '5.0' ? 'puppet4' : 'puppet5'
+        puppet_package   = "puppet#{puppet_major}"
       when 'windows'
         puppet_concat    = 'C:/ProgramData/PuppetLabs/puppet/etc/puppet.conf'
         puppet_directory = 'C:/ProgramData/PuppetLabs/puppet/etc'

spec/classes/puppet_server_puppetserver_spec.rb

@@ -489,13 +489,14 @@
           end
         end
 
-        context 'when server_puppetserver_version >= 5.3.6' do
+        context 'when server_puppetserver_version >= 5.3.6 and < 6.0.0' do
           let(:params) { super().merge(server_puppetserver_version: '5.3.6') }
           context 'with default parameters' do
             it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf')
                           .with_ensure('present')
                           .with_content(/^( *)allow-subject-alt-names: false$/)
                           .with_content(/^( *)allow-authorization-extensions: false$/)
+                          .without_content(/^( *)enable-infra-crl: false$/)
             }
             it { should contain_file(auth_conf).with_content(/^( *)pp_cli_auth: "true"$/) }
           end
@@ -513,6 +514,34 @@
             }
           end
         end
+
+        context 'when server_puppetserver_version >= 6.0.0' do
+          let(:params) { super().merge(server_puppetserver_version: '6.0.0') }
+          context 'with default parameters' do
+            it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf')
+                          .with_ensure('present')
+                          .with_content(/^( *)allow-subject-alt-names: false$/)
+                          .with_content(/^( *)allow-authorization-extensions: false$/)
+                          .with_content(/^( *)enable-infra-crl: false$/)
+            }
+            it { should contain_file(auth_conf).with_content(/^( *)pp_cli_auth: "true"$/) }
+          end
+
+          context 'with ca parameters set' do
+            let(:params) { super().merge(
+              server_ca_allow_sans: true,
+              server_ca_allow_auth_extensions: true,
+              server_ca_enable_infra_crl: true,
+              )
+            }
+            it { should contain_file('/etc/custom/puppetserver/conf.d/ca.conf')
+                          .with_ensure('present')
+                          .with_content(/^( *)allow-subject-alt-names: true$/)
+                          .with_content(/^( *)allow-authorization-extensions: true$/)
+                          .with_content(/^( *)enable-infra-crl: true$/)
+            }
+          end
+        end
       end
 
       describe 'when server_puppetserver_version < 2.7' do

spec/classes/puppet_server_spec.rb

@@ -4,6 +4,8 @@
   on_os_under_test.each do |os, facts|
     context "on #{os}", unless: unsupported_puppetmaster_osfamily(facts[:osfamily]) do
       if facts[:osfamily] == 'FreeBSD'
+        puppet_major = facts[:puppetversion].to_i
+
         codedir             = '/usr/local/etc/puppet'
         conf_d_dir          = '/usr/local/etc/puppetserver/conf.d'
         conf_file           = '/usr/local/etc/puppet/puppet.conf'
@@ -22,6 +24,7 @@
         ssldir              = '/var/puppet/ssl'
         vardir              = '/var/puppet'
         rubydir             = %r{^/usr/local/lib/ruby/site_ruby/\d+\.\d+/puppet$}
+        puppetserver_pkg    = puppet_major > 4 ? "puppetserver#{puppet_major}" : 'puppetserver'
       else
         codedir             = '/etc/puppetlabs/code'
         conf_d_dir          = '/etc/puppetlabs/puppetserver/conf.d'
@@ -41,6 +44,7 @@
         ssldir              = '/etc/puppetlabs/puppet/ssl'
         vardir              = '/opt/puppetlabs/puppet/cache'
         rubydir             = '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet'
+        puppetserver_pkg    = 'puppetserver'
       end
 
       let(:facts) { facts }
@@ -58,7 +62,7 @@
         # install
         it { should contain_class('puppet::server::install') }
         it { should contain_user('puppet') }
-        it { should contain_package('puppetserver') }
+        it { should contain_package(puppetserver_pkg) }
 
         # config
         it { should contain_class('puppet::server::config') }
@@ -205,9 +209,9 @@
 
             it { should compile.with_all_deps }
             if expected
-              it { should contain_package('puppetserver') }
+              it { should contain_package(puppetserver_pkg) }
             else
-              it { should_not contain_package('puppetserver') }
+              it { should_not contain_package(puppetserver_pkg) }
             end
           end
         end

templates/auth.conf.erb

@@ -105,6 +105,13 @@ allow <%= @auth_allowed.join(', ') %>
 path ~ ^/puppet/v3/report/([^/]+)$
 method save
 allow <%= @auth_allowed.join(', ') %>
+<% if @puppetversion.to_f >= 5.5 -%>
+
+# allow all nodes to update their own facts
+path ~ ^/puppet/v3/facts/([^/]+)$
+method save
+allow <%= @auth_allowed.join(', ') %>
+<% end -%>
 
 # Allow all nodes to access all file services; this is necessary for
 # pluginsync, file serving from modules, and file serving from custom

templates/server/puppetserver/conf.d/ca.conf.erb

@@ -4,4 +4,9 @@ certificate-authority: {
 
     # allow CA to sign certificate requests that have authorization extensions.
     allow-authorization-extensions: <%= @ca_allow_auth_extensions %>
+<%- if scope.function_versioncmp([@server_puppetserver_version, '6.0.0']) >= 0 -%>
+
+    # enable the separate CRL for Puppet infrastructure nodes
+    enable-infra-crl: <%= @ca_enable_infra_crl %>
+<%- end -%>
 }