Step 1: Configure SSL:
PuppetDB requires client certificate authentication for its SSL connections, and the PuppetDB termini require SSL to talk to PuppetDB. You must configure Puppet and PuppetDB to work around this.
Set up an SSL proxy for PuppetDB
- Edit the jetty section of the PuppetDB config files to remove all SSL-related settings.
- Install a general-purpose web server (like Apache or NGINX) on the PuppetDB server.
- Configure the web server to listen on port 8081 with SSL enabled and proxy all traffic to localhost:8080 (or whatever unencrypted hostname and port were set in jetty.ini). The proxy server can use any certificate: as long as Puppet has never downloaded a CA certificate from a Puppet master, it will not verify the proxy server’s certificate. If your nodes have downloaded CA certificates, you must either make sure the proxy server’s certificate was signed by the same CA, or delete the CA certificate.
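A minimal NGINX server block for the proxy described in the steps above, as an added example that is not part of the original documentation. The hostname, certificate paths and allowed network are placeholders, and jetty.ini is assumed to keep PuppetDB's cleartext listener on localhost:8080.

```nginx
# Added example, not from the PuppetDB documentation.
# Assumes jetty.ini has no ssl-* settings and binds the cleartext
# listener to loopback only (host = localhost, port = 8080), so the
# unencrypted port is never reachable from the network.
server {
    listen 8081 ssl;
    server_name puppetdb.example.com;                       # placeholder hostname

    ssl_certificate     /etc/nginx/ssl/puppetdb-proxy.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/puppetdb-proxy.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # This proxy performs no client-certificate check, so PuppetDB no
    # longer authenticates callers. Limit who can reach it by network.
    allow 192.0.2.0/24;                                     # placeholder: your node network
    deny  all;

    location / {
        # Forward everything to PuppetDB's cleartext listener on loopback.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

If the nodes already hold a CA certificate, the file given to ssl_certificate must be signed by that CA, as the last step notes.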
Step 2: Install terminus plugins on every Puppet node:
Currently, Puppet needs extra Ruby plugins in order to use PuppetDB. Unlike custom facts or functions, these cannot be loaded from a module and must be installed in Puppet’s main source directory.
- First, ensure that the appropriate Puppet collection repository is enabled. You can use a package resource to do this or the apt::source (from the puppetlabs- module) and yumrepo types.
- Next, use Puppet to ensure that the puppetdb-termini package is installed:

    package { 'puppetdb-termini':
      ensure => installed,
    }
On platforms without packages
- If your Puppet master isn’t running Puppet from a supported package, you will need to install the plugins using file resources.
- Download the PuppetDB source code; unzip it, locate the puppet/lib/puppet directory, and put it in the files directory of the Puppet module you are using to enable PuppetDB integration.
- Identify the install location of Puppet on your nodes.
- Create a file resource in your manifest(s) for each of the plugin files, to move them into place on each node.

    # <modulepath>/puppetdb/manifests/terminus.pp
    class puppetdb::terminus {
      # rubysitedir is a Facter fact: Ruby's site library directory on the node
      $puppetdir = "${::rubysitedir}/puppet"

      file { $puppetdir:
        ensure  => directory,
        recurse => remote, # Copy these files without deleting the existing files
        source  => 'puppet:///modules/puppetdb/puppet',
        owner   => 'root',
        group   => 'root',
        mode    => '0644', # Quoted: Puppet 4 and later require file modes to be strings
      }
    }

Step 3: Manage configuration files on every Puppet node:
All of the config files you need to manage will be in Puppet’s config directory (confdir). When managing these files with puppet apply, you can use the $settings::confdir variable to automatically discover the location of this directory.
Manage puppetdb.conf, puppet.conf, and routes.yaml.
For details on how to manage these files, see https://puppet.com/docs/puppetdb/5.2/connect_puppet_apply.html