There is no reason to have Kafo's debugging turned on by default. If there are issues, it can be turned on as needed.

When the installer is uninstalled with apt/dpkg, the following thing happens:

Removing puppetmaster-installer (1.1.2-1) ...
dpkg: warning: while removing puppetmaster-installer, directory '/usr/share/puppetmaster-installer' not empty so not removed

See if the directory could be configured to be elsewhere.

This happens because Puppet defaults to using standard location (/etc/puppetlabs) for Hiera. This can and should be overridden in installer configuration.

By default firewalld is enabled on CentOS 7. This means that Puppetboard won't be accessible until firewalld is disabled and iptables rules purged on CentOS 7 unless $manage_packetfilter = true.

Running the installer makes many changes to the installer. These changes often end up in commits for no reason. Fix.

The installer puts the "storeconfigs" settings into [master] section, which seems wrong nowadays as the setting does not have any effect according to "puppet config print storeconfigs".

In Puppet 5.x the correct section seems to "main":
puppet config set --section main storeconfigs true

This is probably resolvable by update of Foreman's puppet modules.

In certain so far unknown conditions an empty $host_entries manages to slip into the hosts template, causing a ERB error. This is possibly related to answer files.

It's again a separate scenario. Originally for selinux. If we don't need it, then let's get rid of it.

Right now many parameters have XXX in the description. Fill them in.

We don't librarian-puppet to fetch the latest version of the modules but a particular version of a module. Upgrades should be done in controlled fashion, and the results of the librarian-puppet run should be predictable and repeatable.

Hello,
Please add in documentation / README how to generate new Hiera eyaml keys for new Puppet installation. It may seems as unnessecary, but it will save time to beginers (who deploy Puppet first time) and doesn't know how to do it.

$ sudo mkdir /etc/puppetlabs/puppet/eyaml
$ sudo /opt/puppetlabs/puppet/bin/eyaml createkeys \
   --pkcs7-private-key /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem \
   --pkcs7-public-key /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem

$ sudo chown -R puppet:puppet
$ sudo chmod 500 /etc/puppetlabs/puppet/eyaml
$ sudo chmod 400 /etc/puppetlabs/puppet/eyaml/*.pem

This can probably be worked around by tagging the answer files as config files. If not, there are certainly other ways to resolve this.

There's really no need for a user to change the private key path. Simplify things by hardcoding it.

The Kafo installer has to be launched with --skip-puppet-version-check because one of the modules claims not to support anything above Puppet 3, even though it works just fine on Puppet 5.

This is useful for example when doing automated installer testing.

Currently the packetfilter class is turned off by default in Foreman and Smart Proxy scenarios. This is because the standard Puppetserver packetfilter configuration is insufficient. Write the proper support and enable packetfilter in these scenarios by default.

This is because the Apache2 configuration fragment directory is wrong. I have a PR open about that here.

If the "virtualenv" executable is not available the Puppetboard scenario will fail. Ensure that this does not happen, as some cloud images do not have the package. In Ubuntu the package name is "virtualenv".

It seems that some (yaml) files in the installer are not read at all and as such are completely useless and confusing. For example config/kafo.yaml seems to be one of these. Remove such files and ensure that nothing breaks because of that.

Do we want to set up the control-repo alongside puppet master? Do most people want this? If not, we should remove it. It's really a separate scenario anyway.

It fails because the Puppetboard module makes faulty assumptions in its params.pp:

 case $facts['os']['family'] {
    'Debian': {
      if ($facts['os']['name'] == 'ubuntu') {
        $apache_confd = '/etc/apache2/conf-enabled'
      } else {
        $apache_confd   = '/etc/apache2/conf.d'
      }
      $apache_service = 'apache2'
}

In Debian 9 the correct directory is /etc/apache2/conf-enabled.

Right now it is not possible to pass proper hash entries in Kafo wizard if the key is an IP address. In that case Kafo mangles the key by taking the first substring ending to an ".". For example, '10.10.50.1' becomes '10'. This can prevents adding host entries using the Kafo installer as a hash. The workaround might be to take an array of array of strings and convert that to a hash in a Ruby function.

The host entries are needed for two-way TLS communication when DNS entries are not present. This is in particular related to Foreman and Smart Proxy scenarios.

Puppet-lint reports a couple of problems:

./puppetboard.pp - WARNING: top-scope variable being used without an explicit namespace on line 42
./puppetboard.pp - WARNING: top-scope variable being used without an explicit namespace on line 44

The lines in question are:

$puppetboard_puppetdb_key  = "${::settings::ssldir}/private_keys/${puppetboard_certname}.pem"
$puppetboard_puppetdb_cert = "${::settings::ssldir}/certs/${puppetboard_certname}.pem"

The variable $puppetboard_certname is not defined.

Give user some useful information about what to do next etc.

Introduction

Currently the installer installs r10k but does not configure it. This can be fixed, but there is some effort.

Add the config file

This is what the config file, /etc/puppetlabs/r10k/r10k.yaml, looks like:

---
:cachedir: /opt/puppetlabs/puppet/cache/r10k
:sources:
  control:
    basedir: /etc/puppetlabs/code/environments
    prefix: false
    remote: <remote-git-url>

Install deployment key

Most control repositories are not public and a SSH deployment key is usually required. We don't have the key, so the user has to place it in the correct location. We have traditionally used /etc/puppetlabs/r10k/ssh/id_rsa.

Add SSH host entry

If a non-default SSH key is used then an SSH host entry is needed in /root/.ssh/config:

Host bitbucket.org
StrictHostKeyChecking no
RSAAuthentication yes
IdentityFile /etc/puppetlabs/r10k/ssh/id_rsa
User git

Add known_hosts entry

r10k will fail miserably if there is no known_host entry for the Git repository server hosting the control repository. We can add them for most of the common hosted ones (GitHub, GitLab, Bitbucket), but for others the user has to provide entries for.

Fetch the control repository

Control repository should be fetched automatically.

Deploy production environment

The production environment should be deployed automatically.

The Foreman scenarios (foreman_proxy and lcm) depended heavily on sane defaults stored in answer files. Now the answer files are empty, so the default values are missing. Add sane defaults which can be used reasonably in any environment.

A related problem is defaults for Vagrant, which can be considered a special environment with additional sane defaults. My proposed solution is this:

• Add generic, sane defaults to foreman_proxy.pp and lcm.pp
• Create an answer file suitable for the Vagrant environment
• Store and version the answer file
• Ensure that the default (almost empty) answer file is overwritten during Vagrant provisioning with the answer file tailored for Vagrant

This way Vagrant-specifisms don't accidentally end up in production environments.

Latest r10k does not seem to work properly in our context:

root@puppet:~# r10k deploy environment production -vp -c /etc/puppetlabs/r10k/r10k.yaml

r10k: Runtime error: #<NoMethodError: undefined method `[]=' for nil:NilClass> 

This is with r10k version 3.2.0. I suspect that the new version cannot parse the old-format config file, r10k.yaml, and hence fails with this very unhelpful error message.

The workaround is to downgrade to r10k 2.6.5:

/opt/puppetlabs/puppet/bin/gem uninstall r10k
/opt/puppetlabs/puppet/bin/gem install r10k -v 2.6.5

It does not require pressing return after typing "y" or "n", unlike when navigating in the installer menus. Check if Kafo could be modified to make the behavior consistent across the whole UI.

When launching the installer the following error is displayed:

2018-07-17 15:09:44.434737 WARN puppetlabs.facter - locale environment variables were bad; continuing with LANG=C LC_ALL=C

This only occurs with box version 1804.02 which we need to update to to fix other issues.

More details in this PR that fixes the problem in Kafo.

Currently the installer creates eyaml keys, but does not configure eyaml. Fix.

This makes the parameter list dauntingly long for no particular reason. Fix in the same way as in the lcm scenario.

Foreman's puppet modules are being ported to Puppet 6. Make sure that our installer works with it.

Let's finish them.

Recently the installer has started failing with these errors:

[ERROR 2019-03-20T05:45:35 main] Errors encountered during run:
[ERROR 2019-03-20T05:45:35 main]  Evaluation Error: Error while evaluating a Function Call, Lookup of key 'lookup_options' failed:  The Lookup Configuration a
t '/tmp/kafo_hiera20190320-5670-iw2i8y/hiera.conf' has wrong type, unrecognized key 'backends'

The offending hiera.conf looks like this:

---
:backends:
- yaml
:hierarchy:
- "%{::osfamily}"
- common
:yaml:
  :datadir: "/usr/share/puppetmaster-installer/config/data"
version: 5
defaults:
  datadir: "/tmp/kafo_hiera20190320-6062-di2vrb/data"
  data_hash: yaml_data
hierarchy:
- name: Kafo Answers
  path: kafo_answers.yaml
  datadir: "/tmp/kafo_hiera20190320-6062-di2vrb/data"
  data_hash: yaml_data

The package.sh script does not "git checkout" the answer files. So, if the answer files have been modified, for example during Vagrant testing, these modified files end up in the package. This should be prevented to ensure consistency of the packages.

As we have no immediate need for CentOS 7 Puppetmaster with Puppetboard I will just note down the issues encountered with it.

The httpd service does not start because /etc/httpd/conf.modules.d/00-mpm.conf tries to load a conflicting MPM module:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

This is probably the reason why we originally set the MPM to "prefork" across all platforms. But now, as we don't purge_configs with puppetlabs-apache this causes a issue. Simply commenting out or removing that line makes httpd start correctly.

Another issue is that the Python module attempts to install python3-virtualenv package which is not present on CentOS 7. This would have to be fixed.

We don't want to support Foreman scenarios on Debian and Ubuntu, at least not initially. Create a mechanism for disabling scenarios, for example during packaging phase.