The Puppet Enterprise Configuration Manager

The Puppet Enterprise configuration manager integrates CloudBolt with your Puppet Enterprise master, enabling the association of Puppet node groups with servers and potentially the display of a server’s facts and reports.

This page describes how to create a Puppet Enterprise configuration manager in CloudBolt and configure your Puppet Enterprise master to enable communication between the two systems. It also discusses how to customize the implementation of your Puppet Enterprise configuration manager if necessary.

Puppet Enterprise Version Support Matrix

Functionality             PE 3.X    PE 2015+
Bootstrap agent           YES       YES
Sign agent cert           YES       YES
Set groups during prov    NO        YES
Remove node from PE       YES       YES
Import groups             YES       YES
Sync servers              YES       YES
Node facts                YES       YES
Reports                   YES       NO
Un/Install applications   YES       NO

Note that in many cases a functionality or version not supported out of the box can be implemented using actions, as described below in the Configuration Manager Customization section.

Puppet Enterprise 2015+

Prerequisites

For integration to work correctly, your Puppet Enterprise 2015+ environment must meet these prerequisites:

  • Agents have a run interval of 30 minutes or less
  • Templates/images do not have the Puppet agent in them (CloudBolt will automatically install the Puppet agent on newly provisioned servers in environments with Puppet Enterprise)
  • The Puppet Console ‘admin’ user is restricted for use with APIs

Configuring Puppet Enterprise

In the Puppet Enterprise Console, set up a CB API user:

  1. Navigate to Access Control and select Users
  2. Enter the following information and select Add local user
     [Screenshot: PE RBAC User]
  3. Navigate to Access Control and select User Roles
  4. Enter the following information and select Add role
     [Screenshot: PE RBAC User Role]
  5. Navigate to the new user role and select the Member Users tab
  6. Enter the following information and select Add user
     [Screenshot: PE RBAC User Add]
  7. Select the Permissions tab
  8. Enter the following information and select Add permission
     [Screenshot: PE RBAC User Role Permissions]

Configuring CloudBolt

Create a Puppet Enterprise configuration manager:

  1. Navigate to the Configuration Managers admin page.
  2. Click the Add a configuration manager button, then click Puppet Enterprise in the resulting dialog.
  3. Fill out the form, then click the Create button to create your configuration manager and show its detail page.
  4. Use the pencil next to PE Master SSH Connection to provide the information necessary to run remote scripts on the Puppet Master. Note that the credentials need to be OS-level credentials with escalated privileges that can be used with SSH.
  5. Use the pencil button next to PE Master API Connection to provide the information necessary to interact with the Puppet Master API.
  6. If your PE is a split installation with the console and/or DB components residing on different systems from the master, you may also need to edit the PE Console API Connection and PE DB API Connection to provide the information for interacting with those APIs. If you do not, the actions that would use those APIs will default to the PE Master API Connection.

CloudBolt can now connect to and interact with your Puppet Enterprise master.

In order to be able to assign applications to servers using CloudBolt, you will need to use the Import Groups button on the Groups tab of the Configuration Manager details page to import groups from Puppet Enterprise and associate them with CB applications.

Puppet Enterprise 3.X

Prerequisites

For integration to work correctly, your Puppet Enterprise 3.X environment must meet these prerequisites:

  • the Puppet Enterprise master…
    • is version 3.3+
    • autosigns CSRs [1]
  • agents have a run interval of 30 minutes or less
  • templates/images do not have the Puppet agent in them (CloudBolt will automatically install the Puppet agent on newly provisioned servers in environments with Puppet Enterprise)

[1] Future versions of CloudBolt will not require this configuration.

Configuring CloudBolt

Create a Puppet Enterprise configuration manager:

  1. Navigate to the Configuration Managers admin page.
  2. Click the Add a configuration manager button, then click Puppet Enterprise in the resulting dialog.
  3. Fill out the form, then click the Create button to create your configuration manager and show its detail page.
  4. CloudBolt will automatically submit a CSR to the Puppet Enterprise master (just like your agents do!) so that CloudBolt and Puppet Enterprise can communicate with each other. Sign the request on the Puppet Enterprise master. Return to your configuration manager’s detail page and click the Fetch signed certificate button to finish that process.

CloudBolt can now connect with your Puppet Enterprise master, but the Puppet Enterprise master does not know to grant the appropriate permissions to CloudBolt. Make your configuration manager fully operational by continuing to the next section.

Configuring Puppet Enterprise

Edit rbac-certificate-whitelist

Edit /etc/puppetlabs/console-services/rbac-certificate-whitelist and add the name of the certificate on a line of its own.

Note

The certificate name can be found in the CB UI, on the details page for your Puppet Enterprise configuration manager

Edit puppet.conf

Edit /etc/puppetlabs/puppet/puppet.conf so that the following settings are in effect:

[master]
    autosign = true
    reports = http,console,puppetdb
    reporturl = http://{CLOUDBOLT-DOMAIN}/providers/puppet_ent/{PUPPET_CONF_ID}/reports/

[agent]
    report = true

Replace {CLOUDBOLT-DOMAIN} with the domain used to access your CloudBolt web interface and replace {PUPPET_CONF_ID} with the ID of the Puppet Enterprise configuration manager you created. The numeric ID is visible in the URL of your configuration manager’s detail page (e.g. the ID ‘1’ in /providers/1).

Note

The reports and reporturl properties make the Puppet Enterprise master forward agents’ reports to CloudBolt. Puppet Enterprise’s built-in http report processor only supports a single destination. If you want another service to receive reports over HTTP in addition to CloudBolt, you can use the third-party Puppet plugin ianunruh-multi_http, which provides a multi_http report processor that can send reports to multiple destinations.

To submit reports over HTTPS, install a CA on the Puppet Enterprise master that validates the SSL cert that has been installed on your CloudBolt instance and then update the reporturl to use the https protocol.
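The following check is an added example, not part of CloudBolt or Puppet Enterprise. It reads a puppet.conf and reports settings from this section that deserve a second look before the master is restarted: placeholders left unreplaced, a reporturl that does not match the path layout shown above, reports sent over plain http, and autosign = true, which signs every CSR without review. The host name cloudbolt.example.com, the ID 1 and the note names are assumptions made for the example.

```python
import configparser
import re
from urllib.parse import urlsplit

# Path layout taken from the reporturl shown on this page.
REPORT_PATH = re.compile(r"^/providers/puppet_ent/\d+/reports/$")

# Constructed sample: the page's settings with example values filled in.
SAMPLE = """\
[master]
    autosign = true
    reports = http,console,puppetdb
    reporturl = http://cloudbolt.example.com/providers/puppet_ent/1/reports/

[agent]
    report = true
"""

def audit_puppet_conf(text):
    """Return a list of note names for the settings this page asks for."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)

    def get(section, key):
        return cp.get(section, key, fallback="").strip()

    notes = []
    if get("master", "autosign").lower() == "true":
        notes.append("autosign-all-csrs")  # every CSR is signed unreviewed
    if "http" not in [r.strip() for r in get("master", "reports").split(",")]:
        notes.append("http-report-processor-missing")
    url = get("master", "reporturl")
    if "{" in url or "}" in url:
        notes.append("reporturl-placeholder-left")
    else:
        parts = urlsplit(url)
        if not REPORT_PATH.match(parts.path):
            notes.append("reporturl-path-unexpected")
        if parts.scheme != "https":
            notes.append("reporturl-not-https")  # reports cross the network in clear text
    if get("agent", "report").lower() != "true":
        notes.append("agent-report-off")
    return notes

if __name__ == "__main__":
    for note in audit_puppet_conf(SAMPLE):
        print(note)
```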

Edit auth.conf

Edit /etc/puppetlabs/puppet/auth.conf to have these sections (note that these sections may already exist in your auth.conf file, in which case you will need to combine the rules):

# let CloudBolt manage certificates
path /certificate_
auth any
method find, search, save, destroy
allow {your-CloudBolt-cert-name}

# let CloudBolt discover node facts
path /facts
auth any
method find, search, save
allow {your-CloudBolt-cert-name}

Replace {your-CloudBolt-cert-name} with the certificate name your CloudBolt server uses to connect to this configuration manager.

Be mindful of Puppet Enterprise’s ACL matching behavior and interleave or combine the above rules with existing rules so that the paths are ordered from most to least specific.
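The ordering requirement can be checked mechanically. The script below is an added example, not CloudBolt or Puppet code. It assumes the legacy auth.conf model in which the first ACL whose path and method match decides the request, compares only literal path prefixes and methods (so it can over-report where auth or environment differ), and uses a constructed existing rule and the placeholder name cloudbolt.example.com.

```python
ALL_METHODS = {"find", "search", "save", "destroy"}

def parse_auth_conf(text):
    """Return the ACL stanzas of a legacy auth.conf in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            rules.append({"path": value, "regex": value.startswith("~"),
                          "method": set(ALL_METHODS), "allow": []})
        elif not rules:
            continue  # directive before any path stanza: ignore
        elif key == "method":
            rules[-1]["method"] = {m.strip() for m in value.split(",")}
        elif key == "allow":
            rules[-1]["allow"] += [a.strip() for a in value.split(",")]
    return rules

def find_shadowed(rules):
    """List (earlier, later, methods) where the earlier prefix path wins."""
    hits = []
    for i, early in enumerate(rules):
        for late in rules[i + 1:]:
            if early["regex"] or late["regex"]:
                continue  # regex paths need manual review
            shared = early["method"] & late["method"]
            if late["path"].startswith(early["path"]) and shared:
                hits.append((early["path"], late["path"], sorted(shared)))
    return hits

# The page's certificate rule, with a placeholder certificate name.
CB_RULE = """# let CloudBolt manage certificates
path /certificate_
auth any
method find, search, save, destroy
allow cloudbolt.example.com
"""
# Constructed existing rule that lets any agent submit a CSR.
AGENT_RULE = "path /certificate_request\nauth any\nmethod find, save\nallow *\n"

BAD_ORDER = CB_RULE + "\n" + AGENT_RULE    # broad prefix first
GOOD_ORDER = AGENT_RULE + "\n" + CB_RULE   # most specific first

if __name__ == "__main__":
    for early, late, methods in find_shadowed(parse_auth_conf(BAD_ORDER)):
        print(f"{early} shadows {late} for {', '.join(methods)}")
```

In the bad order, agents' find and save requests to /certificate_request are decided by the CloudBolt-only rule, so the later rule never applies to them.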

Add CloudBolt to the client_whitelist in the Puppet Enterprise console

  1. Within the Puppet Enterprise console, click Classification > PE Certificate Authority > Classes.
  2. Find the parameter called “client_whitelist” (or add it, if it does not exist) and click the Edit link in that row.
  3. Add your cert name to that JSON-formatted list. For example, if there are no other certificates in that list, the value would be ["{your-CloudBolt-cert-name}"]
  4. To make this change take effect, ssh to the Puppet master as root and run the command puppet agent -t

Restart Puppet Enterprise

To make the above configuration changes take effect, reboot the Puppet Enterprise server.

Configuration Manager Customization

Many pieces of functionality in the Puppet Enterprise configuration manager have been implemented using actions, which means that you can see and modify them, and add new ones for different versions. The pattern is that the action name should be “puppet_ent_<version>_<feature>”. For example, the action for bootstrapping the agent for PE 2015+ is named “puppet_ent_2015.3_auto_install_agent”. During each process, CloudBolt selects the action whose feature matches the process and whose version matches the one set on the configuration manager.

Currently, the 5 pieces of functionality where this is possible are agent bootstrap during provisioning, removing the node from PE at decommission time, cleaning the node’s cert out of PE (typically used as part of decommissioning), discovering groups, and getting node facts for a server during synchronization. Their feature name components are “auto_install_agent”, “delete_server_from_connector”, “clean_cert”, “discover_groups”, and “get_node_facts”, respectively.

The actions are stored in /opt/cloudbolt/cbhooks/hookmodules/puppet, if you need to modify them. If you wish to make a new action for a new version of PE, you will need to add that version as an option on the configuration manager. Note that /opt/cloudbolt is the product directory and will be overwritten on upgrade, so back up any modified files and/or store them in /var/opt/cloudbolt instead.