update nginx vhost template

now it is possible to specify an endless amount of remote puppet masters and to disable the local one (so it only acts as a master)

Author: Tim Meusel

manifests/master.pp

@@ -39,6 +39,8 @@
 #  ['unicorn_package']          - package name of a unicorn rpm. if provided we install it, otherwise we built it via gem/gcc
 #  ['unicorn_path']             - custom path to the unicorn binary
 #  ['generate_ssl_certs']       - Generate ssl certs (false to disable)
+#  ['disable_master']           - this disables the normal master, the server will only act as a CA, currently only supported by nginx
+#  ['upstream']                 - define additional masters reachable via tcp as an array, currently only supported by nginx
 #
 # Requires:
 #
@@ -99,6 +101,8 @@
   $unicorn_package            = $::puppet::params::unicorn_package,
   $generate_ssl_certs         = true,
   $puppetdb_version           = 'present',
+  $disable_master             = $::puppet::params::disable_master,
+  $upstream                   = $::puppet::params::upstream,
 ) inherits puppet::params {
 
   anchor { 'puppet::master::begin': }
@@ -148,6 +152,8 @@
         backup_upstream   => $backup_upstream,
         unicorn_package   => $unicorn_package,
         unicorn_path      => $unicorn_path,
+        disable_master    => $disable_master,
+        upstream          => $upstream,
       } ->
       Anchor['puppet::master::end']
     }

manifests/params.pp

@@ -37,6 +37,8 @@
   $backup_upstream                  = []
   $unicorn_package                  = undef
   $unicorn_path                     = '/usr/local/bin/unicorn'
+  $disable_master                   = false
+  $upstream                         = []
 
   # Only used when environments == directory
   $environmentpath                  = "${confdir}/environments"

manifests/passenger.pp

@@ -3,14 +3,14 @@
 # This class installs and configures the puppetdb terminus pacakge
 #
 # Parameters:
-#   ['puppet_proxy_port']    - The port for the virtual host
-#   ['generate_ssl_certs']       - Generate ssl certs (false to disable)
-#   ['puppet_docroot']           - Apache documnet root
-#   ['apache_serveradmin']       - The apache server admin
-#   ['puppet_conf']              - The puppet config dir
-#   ['puppet_ssldir']            - The pupet ssl dir
-#   ['certname']                 - The puppet certname
-#   [conf_dir]                   - The configuration directory of the puppet install
+#   ['puppet_proxy_port']   - The port for the virtual host
+#   ['generate_ssl_certs']  - Generate ssl certs (false to disable)
+#   ['puppet_docroot']      - Apache documnet root
+#   ['apache_serveradmin']  - The apache server admin
+#   ['puppet_conf']         - The puppet config dir
+#   ['puppet_ssldir']       - The pupet ssl dir
+#   ['certname']            - The puppet certname
+#   [conf_dir]              - The configuration directory of the puppet install
 #
 # Actions:
 # - Configures apache and passenger for puppet master use.
@@ -45,7 +45,7 @@
 ){
   include apache
   include puppet::params
-  class { 'apache::mod::passenger': passenger_max_pool_size => 12, }
+  class { '::apache::mod::passenger': passenger_max_pool_size => 12, }
   include apache::mod::ssl
 
   if $::osfamily == 'redhat' {

manifests/unicorn.pp

@@ -1,15 +1,22 @@
 # Class: puppet::unicorn
 #
 # Parameters:
-#  ['listen_address']     - IP for binding the webserver, defaults to *
-#  ['puppet_proxy_port']  - The port for the virtual host
-#  ['disable_ssl']        - Disables SSL on the webserver. usefull if you use this master behind a loadbalancer. currently only supported by nginx, defaults to undef
-#  ['backup_upstream']    - specify another puppet master as fallback. currently only supported by nginx
-#  ['unicorn_package']    - package name of a unicorn rpm. if provided we install it, otherwise we built it via gem/gcc
-#  ['unicorn_path']       - custom path to the unicorn binary
+# ['certname']          -
+# ['puppet_conf']       -
+# ['puppet_ssldir']     -
+# ['dns_alt_names']     -
+# ['listen_address']    - IP for binding the webserver, defaults to *
+# ['puppet_proxy_port'] - The port for the virtual host
+# ['disable_ssl']       - Disables SSL on the webserver. usefull if you use this master behind a loadbalancer. currently only supported by nginx, defaults to undef
+# ['backup_upstream']   - specify several puppet master as fallback. currently only supported by nginx
+# ['unicorn_package']   - package name of a unicorn rpm. if provided we install it, otherwise we built it via gem/gcc
+# ['unicorn_path']      - custom path to the unicorn binary
+# ['disable_master']    - this disables the normal master, the server will only act as a CA
+# ['upstream']          - define additional masters reachable via tcp as an array
 #
 # Actions:
 # - Configures nginx and unicorn for puppet master use. Tested only on CentOS 7
+# - server can act as a simple LB with multiple puppet master backends and backups
 #
 # Requires:
 # - nginx
@@ -34,6 +41,8 @@
   $backup_upstream,
   $unicorn_package,
   $unicorn_path,
+  $disable_master,
+  $upstream,
 ){
   class { '::nginx':
     worker_processes  => $::processorcount,
@@ -96,10 +105,10 @@
   }
 
   # first we need to generate the cert
-  # Clean the installed certs out ifrst
+  # Clean the installed certs out first
   $crt_clean_cmd  = "puppet cert clean ${certname}"
   # I would have preferred to use puppet cert generate, but it does not
-  # return the corret exit code on some versions of puppet
+  # return the correct exit code on some versions of puppet
   $crt_gen_cmd   = "puppet certificate --ca-location=local --dns_alt_names=$dns_alt_names generate ${certname}"
   # I am using the sign command here b/c AFAICT, the sign command for certificate
   # does not work
@@ -116,9 +125,6 @@
     require   => File[$puppet_conf]
   }
 
-
-
-
   # hacky vhost
   file {'puppetmaster-vhost':
     path    => '/etc/nginx/sites-available/puppetmaster',

templates/puppetmaster

@@ -1,11 +1,20 @@
 # define the new unicorn backend
 upstream puppetmaster_unicorn {
+  <% unless @disable_master -%>
   server unix:/var/run/puppet/puppetmaster_unicorn.sock fail_timeout=5;
+  <% else -%>
+  <% @upstream.each do |server| -%>
+  server <%= server %>;
+  <% end -%>
   <% @backup_upstream.each do |server| -%>
   server <%= server %> backup;
   <% end -%>
 }
 
+# define our CA server
+upstream puppetca {
+  server unix:/var/run/puppet/puppetmaster_unicorn.sock;
+}
 # define our proxy for breaking up SSL
 server {
   <% unless @disable_ssl -%>
@@ -33,6 +42,10 @@ server {
     proxy_pass http://puppetmaster_unicorn;
     proxy_redirect off;
   }
+  location ~ ^/([^/]+/certificate.*)$ {
+    proxy_pass http://puppetca;
+    proxy_redirect off;
+  }
   access_log /var/log/nginx/puppetmaster-access.log;
   error_log  /var/log/nginx/puppetmaster-error.log;
 }