From 1538593eb9137351e2c35a4e224f693c78483c19 Mon Sep 17 00:00:00 2001 From: Nick Date: Mon, 20 Nov 2023 22:41:31 -0500 Subject: [PATCH 1/8] Add the ability to modify metrics.conf with a jolokia metrics policy location file --- manifests/init.pp | 3 +++ manifests/server.pp | 1 + manifests/server/puppetserver.pp | 1 + 3 files changed, 5 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 48a157cf..90bc9f50 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -552,6 +552,8 @@ # $server_jolokia_metrics_allowlist:: The allowlist of clients that # can query the jolokia /metrics/v2 endpoint # +# $server_jolokia_metrics_policy_location:: The path to the jolokia policy allowlist file +# # === Usage: # # * Simple usage: @@ -753,6 +755,7 @@ Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef, Array[String[1]] $server_jolokia_metrics_allowlist = [], Stdlib::Filemode $puppetconf_mode = $puppet::params::puppetconf_mode, + Optional[Stdlib::Absolutepath] $server_jolokia_metrics_policy_location = undef, ) inherits puppet::params { contain puppet::config diff --git a/manifests/server.pp b/manifests/server.pp index 551a8c38..5050aff6 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -458,6 +458,7 @@ Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id, Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content, Array[String[1]] $jolokia_metrics_allowlist = $puppet::server_jolokia_metrics_allowlist, + Optional[Stdlib::Absolutepath] $jolokia_metrics_allowlist = $puppet::server_jolokia_metrics_policy_location, ) { $cadir = "${puppetserver_dir}/ca" diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index d2b6d2a1..88974fe5 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp 
@@ -144,6 +144,7 @@ Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server::versioned_code_content, Boolean $disable_fips = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8', Array[String[1]] $jolokia_metrics_allowlist = $puppet::server::jolokia_metrics_allowlist, + Optional[Stdlib::Unixpath] $jolokia_metrics_policy_location = $puppet::server::jolokia_metrics_policy_location, ) { include puppet::server From 7198bc784eb28a4a153a7c0abd28fa426f70c310 Mon Sep 17 00:00:00 2001 From: Nick Date: Mon, 20 Nov 2023 22:45:11 -0500 Subject: [PATCH 2/8] fix dupe param --- manifests/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server.pp b/manifests/server.pp index 5050aff6..d1a36628 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -458,7 +458,7 @@ Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id, Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content, Array[String[1]] $jolokia_metrics_allowlist = $puppet::server_jolokia_metrics_allowlist, - Optional[Stdlib::Absolutepath] $jolokia_metrics_allowlist = $puppet::server_jolokia_metrics_policy_location, + Optional[Stdlib::Absolutepath] $jolokia_metrics_policy_location = $puppet::server_jolokia_metrics_policy_location, ) { $cadir = "${puppetserver_dir}/ca" From 08ac329f11444926800be3aa635e5e79a0753a4c Mon Sep 17 00:00:00 2001 From: Nick Date: Mon, 20 Nov 2023 22:45:32 -0500 Subject: [PATCH 3/8] Aboslutepath instead of Unixpath --- manifests/server/puppetserver.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index 88974fe5..89e1699d 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp 
@@ -144,7 +144,7 @@ Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server::versioned_code_content, Boolean $disable_fips = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8', Array[String[1]] $jolokia_metrics_allowlist = $puppet::server::jolokia_metrics_allowlist, - Optional[Stdlib::Unixpath] $jolokia_metrics_policy_location = $puppet::server::jolokia_metrics_policy_location, + Optional[Stdlib::Absolutepath] $jolokia_metrics_policy_location = $puppet::server::jolokia_metrics_policy_location, ) { include puppet::server From 5a9c6f55652a0044dbf4ef4430966587c1940beb Mon Sep 17 00:00:00 2001 From: Nick Date: Mon, 20 Nov 2023 22:47:39 -0500 Subject: [PATCH 4/8] add class doc --- manifests/server.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/server.pp b/manifests/server.pp index d1a36628..bd7cebf3 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -337,6 +337,8 @@ # # $jolokia_metrics_allowlist:: The allowlist of clients that # can query the jolokia /metrics/v2 endpoint +# +# $jolokia_metrics_policy_location:: The path to a allowlist file for the jolokia metrics endpoint class puppet::server ( Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::autosign, Array[String] $autosign_entries = $puppet::autosign_entries, From 5b6d133db190044d0a89a26734a49e810387351d Mon Sep 17 00:00:00 2001 From: Nick Date: Tue, 21 Nov 2023 19:37:32 -0500 Subject: [PATCH 5/8] Enable jolokia metrics --- manifests/init.pp | 2 +- manifests/server.pp | 3 ++- manifests/server/puppetserver.pp | 1 + templates/server/puppetserver/conf.d/metrics.conf.erb | 4 ++++ 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 90bc9f50..fcf40d14 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -755,7 +755,7 @@ Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef, Array[String[1]] $server_jolokia_metrics_allowlist = [], Stdlib::Filemode $puppetconf_mode = $puppet::params::puppetconf_mode, - Optional[Stdlib::Absolutepath] $server_jolokia_metrics_policy_location = undef, + Optional[String] $server_jolokia_metrics_policy = undef, ) inherits puppet::params { contain puppet::config diff --git a/manifests/server.pp b/manifests/server.pp index bd7cebf3..6d4bda79 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -338,7 +338,7 @@ # $jolokia_metrics_allowlist:: The allowlist of clients that # can query the jolokia /metrics/v2 endpoint # -# $jolokia_metrics_policy_location:: The path to a allowlist file for the jolokia metrics endpoint +# $jolokia_metrics_policy:: The content of the jolokia-access.xml file for the jolokia metrics endpoint class puppet::server ( Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::autosign, Array[String] $autosign_entries = $puppet::autosign_entries, @@ -461,6 +461,7 @@ Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content, Array[String[1]] $jolokia_metrics_allowlist = $puppet::server_jolokia_metrics_allowlist, Optional[Stdlib::Absolutepath] $jolokia_metrics_policy_location = $puppet::server_jolokia_metrics_policy_location, + Optional[String] $jolokia_metrics_policy = $puppet::server_jolokia_metrics_policy, ) { $cadir = "${puppetserver_dir}/ca" diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index 89e1699d..7f7c7336 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp 
@@ -144,6 +144,7 @@ Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server::versioned_code_content, Boolean $disable_fips = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8', Array[String[1]] $jolokia_metrics_allowlist = $puppet::server::jolokia_metrics_allowlist, + Optional[String] $jolokia_metrics_policy = $puppet::server::jolokia_metrics_policy, Optional[Stdlib::Absolutepath] $jolokia_metrics_policy_location = $puppet::server::jolokia_metrics_policy_location, ) { include puppet::server diff --git a/templates/server/puppetserver/conf.d/metrics.conf.erb b/templates/server/puppetserver/conf.d/metrics.conf.erb index e1f33085..725c960a 100644 --- a/templates/server/puppetserver/conf.d/metrics.conf.erb +++ b/templates/server/puppetserver/conf.d/metrics.conf.erb @@ -56,7 +56,11 @@ metrics: { servlet-init-params: { # Specify a custom security policy: # https://jolokia.org/reference/html/security.html +<% if @jolokia_metrics_policy -%> + policyLocation: "file:///etc/puppetlabs/puppetserver/jolokia-access.xml" +<%- else -%> # policyLocation: "file:///etc/puppetlabs/puppetserver/jolokia-access.xml" +<% end -%> } } } From 7b7b4088ad04702116b56d573989d55e90563b60 Mon Sep 17 00:00:00 2001 From: Nick Date: Tue, 21 Nov 2023 20:36:43 -0500 Subject: [PATCH 6/8] remove bad param --- manifests/server.pp | 1 - manifests/server/puppetserver.pp | 8 +++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/manifests/server.pp b/manifests/server.pp index 6d4bda79..8e728c59 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
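Review bot: The guard `<% if @jolokia_metrics_policy -%>` in metrics.conf.erb is a Ruby truthiness test, and an empty string is truthy, so a value of `''` (which `Optional[String]` accepts) still activates `policyLocation`. Typing the parameter as `Optional[String[1]]` in the three manifests would rule that out at compile time. The policy path is also a string literal in the template and must stay identical to wherever the file is written, so an ERB comment such as `<%# path must match the resource that manages jolokia-access.xml -%>` would help keep the two in step. It is worth confirming how the bundled Jolokia behaves when the referenced policy file is missing or unparsable, since a fallback to unrestricted access would turn a failed file deployment into an open endpoint.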
@@ -460,7 +460,6 @@ Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id, Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content, Array[String[1]] $jolokia_metrics_allowlist = $puppet::server_jolokia_metrics_allowlist, - Optional[Stdlib::Absolutepath] $jolokia_metrics_policy_location = $puppet::server_jolokia_metrics_policy_location, Optional[String] $jolokia_metrics_policy = $puppet::server_jolokia_metrics_policy, ) { $cadir = "${puppetserver_dir}/ca" diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index 7f7c7336..1cadfeb7 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp @@ -145,7 +145,6 @@ Boolean $disable_fips = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8', Array[String[1]] $jolokia_metrics_allowlist = $puppet::server::jolokia_metrics_allowlist, Optional[String] $jolokia_metrics_policy = $puppet::server::jolokia_metrics_policy, - Optional[Stdlib::Absolutepath] $jolokia_metrics_policy_location = $puppet::server::jolokia_metrics_policy_location, ) { include puppet::server @@ -273,4 +272,11 @@ ensure => 'file', content => template('puppet/server/puppetserver/conf.d/metrics.conf.erb'), } + + if $jolokia_metrics_policy != undef { + file { '/etc/puppetlabs/puppetserver/jolokia-access.xml' : + ensure => file, + content => $jolokia_metrics_policy, + } + } } From 52ccec14ead6e08a41228383d87ba8c4d814e6da Mon Sep 17 00:00:00 2001 From: Nick Date: Tue, 21 Nov 2023 20:38:18 -0500 Subject: [PATCH 7/8] get all params in order --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index fcf40d14..5bc5b423 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
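Review bot: The new `file { '/etc/puppetlabs/puppetserver/jolokia-access.xml' : }` resource in manifests/server/puppetserver.pp sets only `ensure` and `content`, so the owner, group and mode of the file that governs access to the Jolokia endpoint are left to defaults. Adding explicit attributes, for example `owner => 'root',` and `mode => '0644',` (adjusted to the module's conventions; the puppetserver user must still be able to read it), keeps the policy from being writable by anyone but root. No `notify` or ordering is visible in the hunk, so unless class-level relationships already cover it, the service may keep running with the old policy after a change. When the parameter returns to undef the file is left on disk; the template stops referencing it, but an `else` branch with `ensure => absent` would avoid a stale policy. The enclosing class begins outside the hunk.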
@@ -552,7 +552,7 @@ # $server_jolokia_metrics_allowlist:: The allowlist of clients that # can query the jolokia /metrics/v2 endpoint # -# $server_jolokia_metrics_policy_location:: The path to the jolokia policy allowlist file +# $server_jolokia_metrics_policy:: The content of the jolokia-access.xml file for the jolokia metrics endpoint # # === Usage: # From 0a7b1f2a364e4bdfabddb760123d20956f7dd212 Mon Sep 17 00:00:00 2001 From: Nick Date: Wed, 22 Nov 2023 13:36:09 -0500 Subject: [PATCH 8/8] Need to use source, not content for jolokia-access.xml --- manifests/server/puppetserver.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp index 1cadfeb7..8463b015 100644 --- a/manifests/server/puppetserver.pp +++ b/manifests/server/puppetserver.pp @@ -275,8 +275,8 @@ if $jolokia_metrics_policy != undef { file { '/etc/puppetlabs/puppetserver/jolokia-access.xml' : - ensure => file, - content => $jolokia_metrics_policy, + ensure => file, + source => $jolokia_metrics_policy, } } }
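Review bot: Switching to `source => $jolokia_metrics_policy` in manifests/server/puppetserver.pp makes the value a file source rather than XML text, but the parameter is still `Optional[String]` and the docs in init.pp and server.pp still read "The content of the jolokia-access.xml file". A matching type would be `Optional[Stdlib::Filesource] $jolokia_metrics_policy = $puppet::server::jolokia_metrics_policy,` with the doc line changed to `# $jolokia_metrics_policy:: Source (puppet:/// URI or absolute path) of the jolokia-access.xml policy file`. Because the `source` attribute also accepts plain `http://` URLs, an access policy fetched that way has no integrity protection in transit; restricting the type to absolute paths and `puppet:///` URIs would avoid that. The enclosing class begins outside the hunk.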