Docker compose setup of the Puppet server stack

Most of this setup works out of the box, but there are some limitations/issues to get PuppetDB automatically up and running.

Start by copying the environment-template to .env and set the versions you want to use/build, postgres password, puppetserver hostname (should be set to what agents will be using), etc.

Further, edit docker-compose.yaml and ensure that the ssl folder volume mount for the puppetdb service is commented out

vim docker-compose.yaml
[...]
#    - ./data/puppetdb/ssl:/etc/puppetlabs/puppetdb/ssl
[...]

Then, optionally (otherwise, comment it out in docker-compose.yaml), build the Puppetboard application:

cd ..
git clone https://github.com/voxpupuli/puppetboard
cd puppetboard
docker build -t puppetboard .

Back in the folder where you checked out puppet, start the stack with:

docker-compose up -d

This will create and start postgres, puppet, puppetdb and puppetboard. Puppetdb will create certificates and act as though it were a puppet agent, and wait for the puppetserver to sign its CSR. So, while the containers is running, exec into the puppetserver and sign the puppetdb cert.

docker exec -it puppet bash
puppetserver ca sign --certname puppetdb

If you're tailing the logs, you'll see that puppetdb (eventually) continues its setup and starts the puppetdb service. At this point, the stack works, but the certificates for puppetdb isn't persistent, so copy out puppetdb's certs with:

docker cp puppetdb:/etc/puppetlabs/puppetdb/ssl data/puppetdb/ssl
chown -R 999:999 data/puppetdb/ssl

Now, edit docker-compose.yaml again and comment in the ssl cert volume mount for puppetdb:

vim docker-compose.yaml
[...]
    - ./data/puppetdb/ssl:/etc/puppetlabs/puppetdb/ssl
[...]

And, finally, reboot the whole stack to ensure that it's working as expected:

docker-compose down && docker-compose up -d && docker-compose logs -f

Setup according to https://github.com/voxpupuli/hiera-eyaml It basically boils down to:

• install the eyaml package (included in the Dockerfile)
• Create the keys with eyaml createkeys
• Start encrypting secrets described in https://github.com/voxpupuli/hiera-eyaml#basic-usage

First, install the latest Puppet yum repo (here Puppet6 on CentOS/RedHat7):

rpm -Uvh https://yum.puppet.com/puppet6/puppet6-release-el-7.noarch.rpm

Install the Puppet agent package

yum install puppet-agent

Tell the client where to find the Puppet Server and which environment it should join

vim /etc/puppetlabs/puppet/puppet.conf
[agent]
server=puppet.example.com
environment=production

Before you do a "puppet-run", ensure that you have a hostname --fqdn following the DNS name scheme used for your organization. You can change hostname with e.g.

hostnamectl set-hostname postgres01.prod.oslo.example.com

You can also specify a certname equal to or different from $(hostname --fqdn) in puppet.conf with certname=

Do the first puppet run, creating the certificates for this server:

/opt/puppetlabs/bin/puppet agent -t

At this stage, the certificates created is up for signing at the Puppet server. Log into the Puppet server and sign this certificate, e.g:

ssh puppet.example.com                                            # Log into the puppet server
docker exec -it puppet bash                                       # Exec into the container running puppet
puppetserver ca list --all                                        # Optional step, listing all certificates signed and unsigned
puppetserver ca sign --certname postgres01.prod.oslo.example.com  # Actuall signing of certificate
puppetserver ca list --all                                        # Optional step, listing all certificates (for verification)
exit                                                              # Exit out of container and server

At this stage, the relationship between the Puppet server and the agent is established. Back on the Puppet agent (postgres01.prod.oslo.example.com), do another puppet run

/opt/puppetlabs/bin/puppet agent -t

You should now see text flying across the screen with a bunch of Puppet-specific config but also the configuration you have defined for this host in your environment.

With policy based autosigning, incomming CSRs can be signed based on logic in an executable, e.g. bash For the puppetserver, set the $AUTOSIGN environment variable to the path to the script and volume mount this script in docker-compose. The script could look something like:

#!/usr/bin/env bash

re="^([a-z][a-z][a-z][a-z][a-z][a-z])\.(example)\.(com)$"

if [[ $1 =~ $re ]]; then
  # Autosign approved
  exit 0
else
  # Autosign denied
  exit 1
fi

Reference: policy based autosigning