Ask Your Question

Customizing Puppet Code Manager

asked 2018-01-17 03:26:28 -0600

Romiko gravatar image

updated 2018-01-17 03:31:51 -0600


I am trying to replace the certificates in the /etc/puppetlabs/puppetserver/webserver.conf for CodeManager so that the certificate is valid for Git to hit.

So I have this in my common.yaml file.

puppet_enterprise::master::code_manager::certname: "/opt/puppetlabs/server/data/certs/public-console.cert.pem"

puppet_enterprise::master::code_manager::localcacert: "/opt/puppetlabs/server/data/certs/COMODORSAOrganizationValidationSecureServerCA.pem" puppet_enterprise::master::code_manager::private_key: "/opt/puppetlabs/server/data/certs/public-console.private_key.pem"

However only localcacert is being applied. When I do a puppet agent -t, the other two settings are not being written, I think there is a bug.

Notice below ssl-cert and ssl-key are not being updated only ssl-ca-cert. Any idea? I cannot believe I am the only person trying to get CodeManager endpoint working with a CA signed cert?

e.g. https://customdomain:8170/code-manage... Should show a valid cert.

If I edit the webserver.conf file manually it works, but when the agent runs, it will overwrite my settings. If you look below ssl-ca-cert was applied from the common.yaml, but not ssl-key and ssl-cert..

 code-manager: {
client-auth: "want"
ssl-host: ""
ssl-port: 8170
ssl-ca-cert: "/opt/puppetlabs/server/data/certs/COMODORSAOrganizationValidationSecureServerCA.pem"
ssl-cert: "/etc/puppetlabs/puppet/ssl/certs/"
ssl-key: "/etc/puppetlabs/puppet/ssl/private_keys/"
ssl-crl-path: "/etc/puppetlabs/puppet/ssl/crl.pem"
access-log-config: "/etc/puppetlabs/puppetserver/code-manager-request-logging.xml"
ssl-protocols: [


edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2018-01-17 13:59:15 -0600

Romiko gravatar image

updated 2018-01-18 08:19:22 -0600

DarylW gravatar image


Much appreciated for the answer to this. We using Visual Studio Online Services (GIT), which does not have the option to disable SSL verification.

What I have done is this to get around the problem.

cron { 'codedeploy':
    command => '/root/',
    user    => 'root',
    hour    => "*/1",
    minute  => "0",

  file { '/root/':
    mode     => '0770',
    owner    => 'root',
    group    => 'root',
    content   => '/opt/puppetlabs/bin/puppet-code deploy --all --wait',
    before => Cron['codedeploy']

Is this method ok?

edit flag offensive delete link more


Looks fine to me. This can also be supplemented by adopting a development workflow that includes running the `puppet code deploy [env] -w` command whenever you need code deployed.

reidmv gravatar imagereidmv ( 2018-01-18 16:34:30 -0600 )edit

answered 2018-01-17 11:31:18 -0600

reidmv gravatar image

updated 2018-01-17 11:31:56 -0600

Assuming you're enabling Code Manager in the documented, supported manner by setting puppet_enterprise::profile::master::code_manager_auto_configure = true, it's not possible to configure Code Manager's certname independently of the Puppet master node's certname.

The reason it's not possible is because of how the puppet_enterprise code turns Code Manager on.

In Puppet Enterprise, the Puppet master node is classified with the puppet_enterprise::profile::master class. This class in turn declares the puppet_enterprise::master::code_manager::certname class if code_manager_auto_configure is true, passing the code manager class several parameters. These parameters include remote, proxy, private_key, git_provider, puppet_master_port ...and certname. None of the parameters that are declared directly in code are possible to set or override with a Hiera data key.

Recommended solution

I would recommend disabling SSL verification in your webhook. This feature doesn't really grant you anything in the Puppet scenario, and configuring Code Manager with its own certificate is not worth the hassle.

Github example:

image description


If you really need to configure a separate certificate, you would need to leave puppet_enterprise::profile::master::code_manager_auto_configure = false, and manually classify your Puppet master node with the puppet_enterprise::master::code_manager class. This would let you play with setting any of the parameters, including certname. That said, there's no guarantee the parameters would let you do what you're trying to.

You'd also need to enable file-sync separately, and possibly a few other odds and ends if you did this. Even assuming you were able to get it working this way, it might break the next time you upgrade since it wouldn't really be a supported way of doing it.

If you have a strong need to do it and disabling ssl verification in the Git webhook isn't an option your best bet is to open a support ticket with Puppet to ask for the feature you need.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2018-01-17 03:26:28 -0600

Seen: 184 times

Last updated: Jan 18