pupperware's Introduction

pupperware

Run a container-based deployment of Puppet Infrastructure.

To get started, you will need an installation of Docker Compose on the host on which you will run your Puppet Infrastructure.

Running Puppet Infrastructure in Kubernetes is also a very viable option. To get started with that, you will need a running K8s cluster with Helm deployed.

We've been developing our own Helm chart which can get you up & running fast. You can find it here. It's hosted as a Helm chart here and published in the fantastic Helm Hub and Artifact Hub. The latter will allow you to make use of it by just adding the repo in your configured Helm repos.

Generally, containers included here follow Dockerfile best practices.

Required versions

  • Docker Compose - must support version: '3' of the compose file format, which requires Docker Engine 1.13.0+. Full compatibility matrix
    • Linux is tested with docker-compose 1.28.6
    • Windows requires a minimum of Windows 10, Build 2004 and WSL2 as described in README-windows.md, but is no longer tested
    • OSX is tested with docker-compose version 1.28.5, build c4eb3a1f
  • Docker Engine support is only tested on versions newer than 17.09.0-ce
    • Linux is tested with (client and server) 20.10.5-ce
    • OSX is tested during development with Docker Engine - Community edition
      • Client 20.10.5 using API version 1.41 (Git commit: 55c4c88)
      • Server 20.10.5 using API version 1.41 (minimum version 1.12) (Git commit: 363e9a8)

Provisioning

Once you have Docker Compose installed, you can start the stack on Linux or OSX with:

    export ADDITIONAL_COMPOSE_SERVICES_PATH=${PWD}/gem/lib/pupperware/compose-services
    export COMPOSE_FILE=${ADDITIONAL_COMPOSE_SERVICES_PATH}/postgres.yml:${ADDITIONAL_COMPOSE_SERVICES_PATH}/puppetdb.yml:${ADDITIONAL_COMPOSE_SERVICES_PATH}/puppet.yml
    DNS_ALT_NAMES=host.example.com docker-compose up -d

With the environment variables exported, the stack can be torn down with:

    docker-compose down --volumes

The value of DNS_ALT_NAMES must list all the names, as a comma-separated list, under which the Puppet server in the stack can be reached from agents. It will have puppet prepended to it as that name is used by PuppetDB to communicate with the Puppet server. The value of DNS_ALT_NAMES only has an effect the first time you start the stack, as it is placed into the server's SSL certificate. If you need to change it after that, you will need to properly revoke the server's certificate and restart the stack with the changed DNS_ALT_NAMES value.
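Because the value is written into the server certificate only on first start, it pays to check it beforehand. The following is an added example, not part of pupperware: the helper names are hypothetical, and it assumes every entry is a plain DNS hostname. It prepends puppet, drops empty and duplicate items, and rejects malformed names.

```shell
#!/bin/sh
# Added example, not pupperware code. Function names are hypothetical.
# Assumption: every DNS_ALT_NAMES entry is a plain DNS hostname.

# valid_dns_name NAME: succeeds if NAME is a syntactically valid hostname
# (labels of 1-63 letters, digits or hyphens, no leading or trailing hyphen).
valid_dns_name() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# normalize_dns_alt_names "a, B,,a": prints the name list the server
# certificate should end up with ("puppet,a,b"), or fails on a bad entry.
normalize_dns_alt_names() {
    dan_out=puppet    # the stack prepends "puppet" for PuppetDB's use
    while IFS= read -r dan_entry; do
        # strip whitespace and fold case: DNS names are case-insensitive
        dan_entry=$(printf '%s' "$dan_entry" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        [ -n "$dan_entry" ] || continue            # empty item, e.g. a trailing comma
        if ! valid_dns_name "$dan_entry"; then
            echo "invalid DNS_ALT_NAMES entry: $dan_entry" >&2
            return 1
        fi
        case ",$dan_out," in
            *",$dan_entry,"*) continue ;;          # duplicate, e.g. a second "puppet"
        esac
        dan_out="$dan_out,$dan_entry"
    done <<EOF
$(printf '%s' "$1" | tr ',' '\n')
EOF
    printf '%s\n' "$dan_out"
}

# Constructed sample input: mixed case, an empty item and a duplicate.
normalize_dns_alt_names 'host.example.com, Puppet.Example.com,,host.example.com'
```
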

When you first start the Puppet Infrastructure, the stack will create a number of Docker volumes to store the persistent data that should survive the restart of your infrastructure. The actual location on disk of these volumes may be examined with the docker inspect command. The stack creates the following volumes:

  • puppetserver-code: the Puppet code directory.
  • puppetserver-config: Puppet configuration files, including ssl/ containing the local agent's certificate and key. This volume is populated with default configuration files if they are not present when the stack starts.
  • puppetserver-ca: Puppetserver CA files, including all signed certs.
  • puppetdb-ssl: certificates in use by the PuppetDB instance in the stack.
  • puppetdb-postgres: the data files for the PostgreSQL instance used by PuppetDB.
  • puppetserver-data: persistent data for Puppet Server.

Container Versions

By default, the puppetserver and puppetdb containers will use the latest tag. The compose file reads the PUPPETSERVER_IMAGE and PUPPETDB_IMAGE environment variables, so you can select a different image repository or pin a version by setting them on the command line or in a .env file.
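A preflight check for this setting, as an added example that is not part of pupperware: it reads a .env file and reports whether each of the two image variables resolves to a digest, a version tag, or a floating reference (untagged or latest). The function names are hypothetical and the sample .env content is constructed.

```shell
#!/bin/sh
# Added example, not pupperware code. Function names are hypothetical.

# image_pin_status REF: prints "digest", "tag:<tag>" or "floating".
# Returns 1 for "floating" (no tag, or the mutable "latest" tag).
image_pin_status() {
    case $1 in
        *@sha256:*) echo digest; return 0 ;;   # content-addressed, immutable
    esac
    ips_last=${1##*/}      # drop registry/repo path so "host:5000/" is not read as a tag
    case $ips_last in
        *:*) ips_tag=${ips_last##*:} ;;
        *)   ips_tag= ;;
    esac
    if [ -z "$ips_tag" ] || [ "$ips_tag" = latest ]; then
        echo floating
        return 1
    fi
    echo "tag:$ips_tag"    # a version tag; the registry can still re-point it
}

# env_value FILE VAR: prints the last assignment of VAR in a .env file,
# with trailing whitespace and one pair of surrounding quotes removed.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_compose_env FILE: reports both image variables and returns the
# number that would resolve to a floating image (0 means both are pinned).
check_compose_env() {
    cce_floating=0
    for cce_var in PUPPETSERVER_IMAGE PUPPETDB_IMAGE; do
        cce_value=$(env_value "$1" "$cce_var")
        if [ -z "$cce_value" ]; then
            echo "$cce_var: unset, the compose default (latest) applies"
            cce_floating=$((cce_floating + 1))
        elif cce_status=$(image_pin_status "$cce_value"); then
            echo "$cce_var: $cce_value ($cce_status)"
        else
            echo "$cce_var: $cce_value ($cce_status)"
            cce_floating=$((cce_floating + 1))
        fi
    done
    return "$cce_floating"
}

# Constructed sample .env: one image pinned to a version, one left on the default.
demo_env=$(mktemp)
printf '%s\n' '# constructed sample' 'PUPPETSERVER_IMAGE=puppet/puppetserver:6.10.0' > "$demo_env"
check_compose_env "$demo_env" || echo "floating images: $?"
rm -f "$demo_env"
```
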

Pupperware on Windows with WSL2 (Unsupported)

Complete instructions for provisioning a server with WSL2 support are in README-windows.md.

Creating the stack from PowerShell is nearly identical to other platforms, aside from how environment variables are declared:

PS> $ENV:DNS_ALT_NAMES = 'host.example.com'
PS> $ENV:ADDITIONAL_COMPOSE_SERVICES_PATH="${PWD}/gem/lib/pupperware/compose-services"
PS> $ENV:COMPOSE_FILE="${ENV:ADDITIONAL_COMPOSE_SERVICES_PATH}\postgres.yml;${ENV:ADDITIONAL_COMPOSE_SERVICES_PATH}\puppetdb.yml;${ENV:ADDITIONAL_COMPOSE_SERVICES_PATH}\puppet.yml"

PS> docker-compose up
Creating network "pupperware_default" with the default driver
Creating volume "pupperware_puppetserver-code" with default driver
Creating volume "pupperware_puppetserver-config" with default driver
Creating volume "pupperware_puppetserver-data" with default driver
Creating volume "pupperware_puppetdb-ssl" with default driver
Creating volume "pupperware_puppetdb-postgres" with default driver
Creating pupperware_postgres_1 ...
Creating pupperware_puppet_1   ...
Creating pupperware_puppet_1   ... done
Creating pupperware_postgres_1 ... done
Creating pupperware_puppetdb_1 ...
Creating pupperware_puppetdb_1 ... done

...

To delete the stack:

PS> docker-compose down
Removing network pupperware_default
...

Managing the stack

The script bin/puppet (or bin\puppet.ps1 on Windows) makes it easy to run puppet commands on the puppet master. For example, ./bin/puppet config print autosign --section master prints the current setting for autosigning, which is true by default. In a similar manner, any other task that you would perform on a puppet master by running puppet x y z ... can be achieved against the stack by running ./bin/puppet x y z ....

There is also a similar script providing easy access to puppetserver commands. This is particularly useful for CA and cert management via the ca subcommand.

Changing postgresql password

The postgresql instance uses password authentication for communication with the puppetdb instance. If you need to change the postgresql password, you'll need to do the following:

  • update the password in postgresql: docker-compose exec postgres /bin/bash -c "psql -U \$POSTGRES_USER -c \"ALTER USER \$POSTGRES_USER PASSWORD '$dbpassword'\";"
  • update values for PUPPETDB_PASSWORD and POSTGRES_PASSWORD in docker-compose.yml
  • rebuild and restart containers affected by these changes: docker-compose up --detach --build

Running tests

Running tests locally

This repo contains some simple tests that can be run with RSpec. To run these tests you need to have Ruby, Docker, and Docker Compose installed on the machine where you're running the tests. The tests depend on the 'rspec' and 'json' rubygems. The tests are known to run on at least ruby 1.9.3-p551 and as new as ruby 2.4.3p205.

NOTE: These tests will start and stop the cluster running from the current checkout of Pupperware, so be careful where you run them from.

To run the tests:

  1. bundle install --with test
  2. bundle exec rspec spec

Containers

The containers used in pupperware are generated based on dockerfiles in the repos for puppetserver and puppetdb. Published containers can be found on dockerhub.

Analytics Data Collection

The Puppet-owned containers that run in the pupperware stack collect usage data. You can opt out of providing this data.

What data is collected?

  • Version of the puppetserver container.
  • Version of the puppetdb container.
  • Anonymized IP address is used by Google Analytics for Geolocation data, but the IP address is not collected.

Why does pupperware collect data?

We collect data to help us understand how the containers are used and make decisions about upcoming changes.

How can I opt out of pupperware container data collection?

Create a .env file in this directory with the contents:

PUPPERWARE_ANALYTICS_ENABLED=false

This file is in the .gitignore file and will not be managed or changed by pupperware.

License

See LICENSE file.

Issue Tracking

Please report any issues as GitHub issues in this repo.

Contact us!

If you have questions or comments about pupperware, feel free to send a message to the puppet-users mailing list or reach out in the #puppet channel in the puppet community slack.

pupperware's People

Contributors

abottchen, glennsarti, highb, iristyle, jpartlow, justinstoller, kris-bosland, lutter, magisus, nwolfe, ragnarkon, scottcressi, slconley, stahnma, xtigyro

pupperware's Issues

Version 6.11.1 PuppetServer container has a bug, consider pinning

When running pupperware/docker-compose.yml, I discovered that the container for puppet/puppetserver created yesterday (5.7/2020) about 13 hours ago (6.11.1) has a bug with the DNS_ALT_NAMES resulting in puppetserver not able to complete start up. Using docker logs, could see it was due to malformed dns_alt_names line in the puppet.conf.

Expected Behavior

Expect a running puppetserver when done

Steps to Reproduce

Run the latest yaml, using the 6.11.1 as the version:
PUPPETSERVER_VERSION=6.11.1 docker-compose up

Environment

CentOS 7.6

Additional Context

Though the bug is not in this tool, I saw other Bug Reports where it was referenced to pin the version due to bug in the container.
Container 6.10.0 does not have the bug

unable to start with example docker-compose: google analytics connection refused

Describe the Bug

upon starting of the example compose file:

puppetdb_1  | Running /docker-entrypoint.d/00-analytics.sh
puppetdb_1  | (/docker-entrypoint.d/00-analytics.sh) Sending metrics http://www.google-analytics.com/collect?v=1&t=event&tid=UA-132486246-1&an=puppetdb&av=6.9.1&cid=959c630d-4ab1-425b-a12b-8c39969b9b10&ec=production&ea=start&aip=1
puppetdb_1  | curl: (7) Failed to connect to www.google-analytics.com port 80: Connection refused

puppet_1    | Running /docker-entrypoint.d/10-analytics.sh
puppet_1    | (/docker-entrypoint.d/10-analytics.sh) Sending metrics http://www.google-analytics.com/collect?v=1&t=event&tid=UA-132486246-4&an=puppetserver&av=6.10.0&cid=738ddf10-14ec-41a8-a23f-97ccf103edc3&ec=production&ea=start&aip=1
puppet_1    | curl: (7) Failed to connect to www.google-analytics.com port 80: Connection refused

Expected Behavior

An example docker-compose stack that starts

Steps to Reproduce

from: https://puppet.com/try-puppet/open-source-puppet/download :

The fastest and easiest way to get started with Puppet is with PUPPERWARE, our Docker Compose-based stack. If you've got Docker and want to get started, just

  1. clone the repo https://github.com/puppetlabs/pupperware
  2. run docker-compose up

Environment

  • Version puppet -> latest (as of 2020/04/24)
  • Platform Manjaro(gnome) 20.0
  • Docker: 19.03.8-ce, build afacb8b7f0
  • Docker-compose: version 1.25.5

Additional Context

/

k8s, code/hiera deployment isn't working because of ReadWriteOnce volume

Describe the Bug

The k8s Helm Chart uses a PersistentVolume (puppet-code-claim) for the Puppet code (/etc/puppetlabs/code/) storage. This gets initialized by a PersistentVolumeClaim as ReadWriteOnce.

The PVC (puppet-code-claim) then gets used by the Puppetserver Deployment and both r10k Cronjobs (code/hiera). Due to the volume being ReadWriteOnce, this doesn't work.

This effectively leads to broken setup as the code will never be deployed.

Expected Behavior

Quick and dirty: s,ReadWriteOnce,ReadWriteMany,g

But because ReadWriteMany isn't supported by many cloud providers, I would prefer a solution which doesn't depend on the cloud provider offering a ReadWriteMany.

My current approach would be a webhook based version instead of cronjobs:

  • Use emptyDir volumes instead of a PVC for code/hiera
  • Every Puppetserver pod gets a sidecar which runs a webhook which can trigger a local r10k redeployment of code/hiera
  • Create a central webhook receiver pod which can be used to push Github/Gitlab/... webhook to it. This receiver should forward the redeploy request to all currently running Puppetserver pods.

Steps to Reproduce

Deploy the helm chart on a multi node cluster (not multi az/dc! ;))

Environment

Additional Context

Add any other context about the problem here.

Enable modifications of auth.conf to persist

Use Case

I wanted to tell Puppet to re-read the files on disk for an environment, but to do that I have to modify auth.conf. First, I think oh, here's auth.conf right in /var/lib/docker/volumes/pupperware_puppetserver-config/_data/, but after some chatting with Charlie and Morgan, seems like that file isn't actually used (so maybe it should go away) and that we need the auth.conf that would mount into puppetserver's conf.d directory.

Describe the Solution You Would Like

Have a way to modify auth.conf rules (the one that is used) that persists across container restarts. This could be a volume mounted, it could be ENV vars set and read in or something.

Describe Alternatives You've Considered

  • Not using puppet?
  • Trying to use the older (easier to use) auth.conf.
  • Lie down, try not to cry, cry a lot

Additional Context

Probably should make the files either expose via volumes or values available in ENV vars.

unknown field "selector" in io.k8s.api.batch.v1beta1.CronJobSpec

Describe the Bug

running the helm command to install the chart gives an error and fails with the following error:

Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(CronJob.spec): unknown field "selector" in io.k8s.api.batch.v1beta1.CronJobSpec

Expected Behavior

The helm chart is installed without errors

Steps to Reproduce

Steps to reproduce the behavior:

  1. Go to 'k8s/'
  2. Run 'helm install --namespace puppetserver puppetserver ./ --set puppetserver.puppeturl='git_url_here'

Environment

n/a

Additional Context

I suspect it's something wrong/missing in templates/r10k-cronjob.yaml

[puppet/puppetdb:6.6.0] `/docker-entrypoint.d/30-configure-ssl.sh` Errors Out

Describe the Bug

The changes introduced 8 hours ago in puppet/puppetdb:6.6.0 lead to an error in the third step of the post-init scripts.

Logs:

Running /docker-entrypoint.d/30-configure-ssl.sh
(/ssl.sh) Using configuration values:
(/ssl.sh) * CERTNAME: 'puppetdb' (/CN=puppetdb)
(/ssl.sh) * DNS_ALT_NAMES: 'puppetdb,'
(/ssl.sh) * CA: 'https://puppet:8140/puppet-ca/v1'
(/ssl.sh) * SSLDIR: '/opt/puppetlabs/server/data/puppetdb/certs'
(/ssl.sh) * WAITFORCERT: '120' seconds
subject=CN = Puppet CA: puppet
issuer=CN = Puppet CA: puppet
Generating RSA private key, 4096 bit long modulus (2 primes)
...........................................................++++
.....................................................................++++
e is 65537 (0x010001)
writing RSA key
(/ssl.sh) Error: unsigned CSR for 'puppetdb' already exists on CA

Expected Behavior

In puppet/puppetdb:6.5.0 - logs:

Running /docker-entrypoint.d/30-configure-ssl.sh
(/ssl.sh) Using configuration values:
(/ssl.sh) * CERTNAME: 'puppetdb' (/CN=puppetdb)
(/ssl.sh) * DNS_ALT_NAMES: ''
(/ssl.sh) * CA: 'https://puppet:8140/puppet-ca/v1'
(/ssl.sh) * SSLDIR: '/etc/puppetlabs/puppet/ssl'
(/ssl.sh) * WAITFORCERT: '120' seconds
subject=CN = Puppet CA: puppet
issuer=CN = Puppet CA: puppet
Generating RSA private key, 4096 bit long modulus (2 primes)
...............................................................................................................++++
.....................++++
e is 65537 (0x010001)
writing RSA key
subject=CN = puppetdb
issuer=CN = Puppet CA: puppet
(/ssl.sh) Successfully signed certificate '/etc/puppetlabs/puppet/ssl/certs/puppetdb.pem'
PEM files in /etc/puppetlabs/puppetdb/ssl are missing, we will move them into place for you
Copying files: /etc/puppetlabs/puppet/ssl/certs/ca.pem, /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.pem and /etc/puppetlabs/puppet/ssl/certs/puppetdb.pem to /etc/puppetlabs/puppetdb/ssl
Updated default settings from package installation for ssl-host in /etc/puppetlabs/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for ssl-port in /etc/puppetlabs/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for ssl-key in /etc/puppetlabs/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for ssl-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for ssl-ca-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini.

Steps to Reproduce

Steps to reproduce the behavior:

  1. helm install --namespace puppetserver --name puppetserver . --set puppetserver.puppeturl='https://github.com/puppetlabs/control-repo.git',puppetboard.enabled='true' --debug

Environment

Using the Helm chart.

Execution error (IllegalArgumentException) at java.net.URI/toURL (URI.java:1088).

Describe the Bug

puppetserver creation fails on initial docker-compose up command with error:

puppet-puppet-1    | Execution error (IllegalArgumentException) at java.net.URI/toURL (URI.java:1088).
puppet-puppet-1    | URI is not absolute

Expected Behavior

docker-compose command should start puppetserver

Steps to Reproduce

Steps to reproduce the behavior:

  1. git clone repository
  2. set environment variables
  3. execute 'docker-compose up'

Environment

  • Main branch of pupperware as of 2021-11-22
  • 'latest' puppetserver as defined in puppet.yml
  • Platform Ubuntu 20.04

The docker-compose up command succeeds in creating puppetdb and postgres containers, but the puppet server never succeeds. It exits with code 0 but generates the error below.

puppet-puppet-1    | Running /docker-entrypoint.d/55-set-masterport.sh
puppet-puppet-1    | /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.3.1/lib/hocon/cli.rb:179:in `read': No such file or directory @ rb_sysopen - webserver.conf (Errno::ENOENT)
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.3.1/lib/hocon/cli.rb:179:in `get_hocon_file'
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.3.1/lib/hocon/cli.rb:111:in `main'
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.3.1/bin/hocon:4:in `<top (required)>'
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon:23:in `load'
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon:23:in `<main>'
puppet-puppet-1    | Running /docker-entrypoint.d/60-setup-autosign.sh
puppet-puppet-1    | Running /docker-entrypoint.d/70-set-dns-alt-names.sh
puppet-puppet-1    | Running /docker-entrypoint.d/80-ca.sh
puppet-puppet-1    | /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.3.1/lib/hocon/cli.rb:179:in `read': No such file or directory @ rb_sysopen - /etc/puppetlabs/puppetserver/conf.d/ca.conf (Errno::ENOENT)
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.3.1/lib/hocon/cli.rb:179:in `get_hocon_file'
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.3.1/lib/hocon/cli.rb:111:in `main'
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.3.1/bin/hocon:4:in `<top (required)>'
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon:23:in `load'
puppet-puppet-1    |    from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon:23:in `<main>'
puppet-puppet-1    | Running /docker-entrypoint.d/85-setup-storeconfigs.sh
puppet-puppet-1    | Running /docker-entrypoint.d/90-log-config.sh
puppet-puppet-1    | System configuration values:
puppet-puppet-1    | * HOSTNAME: 'puppet.pumahost'
puppet-puppet-1    | * hostname -f: 'puppet.pumahost'
puppet-puppet-1    | * PUPPETSERVER_HOSTNAME: 'puppet'
puppet-puppet-1    | * PUPPET_MASTERPORT: '8140'
puppet-puppet-1    | * Certname: 'puppet.pem'
puppet-puppet-1    | * DNS_ALT_NAMES: 'puppet,puppet.pumahost'
puppet-puppet-1    | * SSLDIR: '/etc/puppetlabs/puppet/ssl'
puppet-puppet-1    | CA Certificate:
puppet-puppet-1    | subject=CN = "Puppet Enterprise CA generated on puppet.pumahost at 2021-11-22 22:58:14 +0000"
puppet-puppet-1    | issuer=CN = Puppet Root CA: 8fafb38ce0dc60
puppet-puppet-1    |         X509v3 extensions:
puppet-puppet-1    |             X509v3 Basic Constraints: critical
puppet-puppet-1    |                 CA:TRUE
puppet-puppet-1    |             X509v3 Key Usage: critical
puppet-puppet-1    |                 Certificate Sign, CRL Sign
puppet-puppet-1    |             X509v3 Subject Key Identifier: 
puppet-puppet-1    |                 D8:BA:BD:56:EC:36:AF:61:17:C6:F5:83:D9:22:64:EE:6C:98:27:86
puppet-puppet-1    |             Netscape Comment: 
puppet-puppet-1    |                 Puppet Server Internal Certificate
puppet-puppet-1    |             X509v3 Authority Key Identifier: 
puppet-puppet-1    |                 keyid:26:2A:A3:60:D7:BA:99:79:5C:5C:18:C3:8A:2B:77:A4:7E:09:58:EB
puppet-puppet-1    | 
puppet-puppet-1    | Certificate puppet.pem:
puppet-puppet-1    | subject=CN = puppet
puppet-puppet-1    | issuer=CN = "Puppet Enterprise CA generated on puppet.pumahost at 2021-11-22 22:58:14 +0000"
puppet-puppet-1    |         X509v3 extensions:
puppet-puppet-1    |             X509v3 Basic Constraints: critical
puppet-puppet-1    |                 CA:FALSE
puppet-puppet-1    |             Netscape Comment: 
puppet-puppet-1    |                 Puppet Server Internal Certificate
puppet-puppet-1    |             X509v3 Authority Key Identifier: 
puppet-puppet-1    |                 keyid:D8:BA:BD:56:EC:36:AF:61:17:C6:F5:83:D9:22:64:EE:6C:98:27:86
puppet-puppet-1    | 
puppet-puppet-1    |             X509v3 Extended Key Usage: critical
puppet-puppet-1    |                 TLS Web Server Authentication, TLS Web Client Authentication
puppet-puppet-1    |             X509v3 Key Usage: critical
puppet-puppet-1    |                 Digital Signature, Key Encipherment
puppet-puppet-1    |             X509v3 Subject Key Identifier: 
puppet-puppet-1    |                 8F:58:E9:F8:B5:C3:DE:32:86:7E:98:52:9B:81:10:C7:E1:70:FC:9D
puppet-puppet-1    |             1.3.6.1.4.1.34380.1.3.39: 
puppet-puppet-1    |                 ..true
puppet-puppet-1    |             X509v3 Subject Alternative Name: 
puppet-puppet-1    |                 DNS:puppet, DNS:puppet, DNS:puppet.pumahost
puppet-puppet-1    | Execution error (IllegalArgumentException) at java.net.URI/toURL (URI.java:1088).
puppet-puppet-1    | URI is not absolute
puppet-puppet-1    | 
puppet-puppet-1    | Full report at:
puppet-puppet-1    | /tmp/clojure-4346921919719610333.edn
puppet-puppet-1 exited with code 0

Could turn off puppet update check inside container

Describe the Bug

Container still checking if version of puppet server is latest or has an update available. Probably could check for a container, vs the puppet server? Just an idea. (A lot of other software does this now).

2020-04-21 22:19:20,432 INFO [p.s.a.analytics-service] Puppet Server Update Service has successfully started and will run in the background

Expected Behavior

Either tell me a new container is available or tell me nothing.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Start pupperware.
  2. Look at logs

Environment

Additional Context

Add any other context about the problem here.

ssl during docker-compose startup (puppet 6.x)

Describe the Bug

puppetdb instance does not start during startup fails with the following error.

puppetdb_1  | Running /docker-entrypoint.d/30-configure-ssl.sh
puppetdb_1  | (/ssl.sh) Using configuration values:
puppetdb_1  | (/ssl.sh) * CERTNAME: 'puppetdb.internal' (/CN=puppetdb.internal)
puppetdb_1  | (/ssl.sh) * DNS_ALT_NAMES: ''
puppetdb_1  | (/ssl.sh) * CA: 'https://puppet.internal:8140/puppet-ca/v1'
puppetdb_1  | (/ssl.sh) * SSLDIR: '/etc/puppetlabs/puppet/ssl'
puppetdb_1  | (/ssl.sh) * WAITFORCERT: '120' seconds
puppetdb_1  | subject=CN = Puppet CA: puppet.internal
puppetdb_1  | issuer=CN = Puppet CA: puppet.internal
puppetdb_1  | Generating RSA private key, 4096 bit long modulus (2 primes)
puppetdb_1  | ..............................++++
puppetdb_1  | ......................++++
puppetdb_1  | e is 65537 (0x010001)
puppetdb_1  | writing RSA key
puppetdb_1  | subject=CN = puppetdb.internal
puppetdb_1  | issuer=CN = Puppet CA: puppet.internal
puppetdb_1  | (/ssl.sh) Successfully signed certificate '/etc/puppetlabs/puppet/ssl/certs/puppetdb.internal.pem'
puppetdb_1  | /ssl-setup.sh: 21: /ssl-setup.sh: Syntax error: "(" unexpected

It looks like ssl-setup.sh was last touched back in January.

Expected Behavior

Startup of puppetdb without error

Steps to Reproduce

git clone https://github.com/puppetlabs/pupperware.git
cd pupperware
docker-compose up -d

I was able to "fix" it by modifying docker-compose.yml file to revert back to older versions of puppet (5.2.0), but it appears the change in 6.x of puppet the change to ssl-setup.sh appears to break things.

...
services:
  puppet:
    hostname: puppet.${DOMAIN:-internal}
    image: puppet/puppetserver:${PUPPERWARE_VERSION:-latest}
...
  puppetdb:
    hostname: puppetdb.${DOMAIN:-internal}
    image: puppet/puppetdb:${PUPPERWARE_VERSION:-latest}
...

and creating a .env

PUPPERWARE_VERSION=5.2.0

Environment

  • Linux
    Docker version 1.13.1, build 7f2769b/1.13.1

  • MacOS
    Docker version 19.03.1, build 74b1e89

  • docker-compose
    docker-compose version 1.24.1, build 4667896b

k8s, Doesn't work with Helm 3

Describe the Bug

If I want to install the k8s pupperware Helm chart with Helm 3, the following error occurs:

$ helm upgrade --install --namespace puppetserver puppetserver ./ --set puppetserver.puppeturl='https://github.com/puppetlabs/control-repo.git'
Release "puppetserver" does not exist. Installing it now.
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(CronJob.spec): unknown field "selector" in io.k8s.api.batch.v1beta1.CronJobSpec

Expected Behavior

Runs with Helm 3

Steps to Reproduce

helm upgrade --install --namespace puppetserver puppetserver ./ --set puppetserver.puppeturl='https://github.com/puppetlabs/control-repo.git'

Environment

$ helm version
version.BuildInfo{Version:"v3.0.2", GitCommit:"19e47ee3283ae98139d98460de796c1be1e3975f", GitTreeState:"clean", GoVersion:"go1.13.5"}

Additional Context

Add any other context about the problem here.

K8S: Inconsistent R10K module deployment

Describe the Bug

In K8S deployment, R10K does not retrieve modules for any environments if the responsible cronjob is not triggered quickly enough after initial deployment.

Expected Behavior

The /etc/puppetlabs/code/environments/production/modules should be populated with modules listed in the Puppetfile.

Steps to Reproduce

Steps to reproduce the behavior:

  1. In values.yaml, configure puppetserver.puppeturl to valid puppet-control repo, which should contain a Puppetfile on at least one branch. That Puppetfile should list a number of modules to be downloaded for the environment.
  2. Also in values.yaml, set r10k.cronJob.schedule so that it would run less frequently, i.e. every 5 minutes.
  3. Run "helm install -n puppetserver ." with at least 2 minutes time before the cronJob would be triggered.
  4. Wait for the cronJob to run, and exec into the main puppetserver container. Examine the /etc/puppetlabs/code/environments/production to see that there is no "modules" sub-directory.

Environment

  • Version: Kubernetes 1.14.8
  • Platform: Docker-for-Desktop w/k8s enabled. Will be testing on other systems soon.

Additional Context

If the cronJob is triggered within roughly 30 seconds of the initial deployment, then the modules do get populated as expected.

In case this is relevant, I have been testing with private git repos via ssh for puppet-control, hiera, and most of the modules. All of that gets fetched properly except for this timing issue, so it seems the repo/transport types are not factors.

Allow management of puppet UID and GID values and names?

Use Case

While we are currently using the stock puppet uid and gid for our puppet installs we are moving towards normalizing a lot of service accounts, user uids, and groups with our parent organization it would be good to be able to set the internal ids in the containers to mirror the on system ones used for access control to environment folders and the like.

Describe the Solution You Would Like

I suspect this isn't going to be quite as trivial as it sounds but just having ENVVAR overrides for username/groupname/uid/gid would be great.

Describe Alternatives You've Considered

Configuring in with a RUN command for user add and the USER setting seems like it wouldn't work just because the servers seem to expect to launch as root then pick the specific user they are running on from the config file. Otherwise this approach might work as well letting you just make a derived image with the settings required (actually you might be able to do this anyway and just use usermod and groupmod to set the values?)

Can't start Puppet server on latest version

Describe the Bug

Upon a fresh clone (ref 094db0c) of the repository, the puppet server fails to start with the error:

(LoadError) no such file to load -- concurrent

Expected Behavior

The Puppet server runs correctly

Steps to Reproduce

  1. Clone the repository
  2. Run docker-compose up

Environment

  • Windows 10
  • Docker 19.03.2
  • Docker API: 1.40
  • Repository version: 094db0c

Additional Context

The compose file was modified to use an internal docker volume for the pgdata, rather than using a filesystem mount.

clojure-6866681218821049896.edn.txt

ERROR: relation "resource_events_status_for_corrective_change_idx" already exists

git clone and running docker-compose up, without any changes.

error returned on deployment,
at 'Applying database migration version 65':

2019-06-24 12:08:12,991 INFO [p.p.s.migrate] Applying database migration version 64
2019-06-24 12:08:12,992 INFO [p.p.s.migrate] [1/8] Cleaning up unreferenced facts...
2019-06-24 12:08:12,993 INFO [p.p.s.migrate] [2/8] Creating new fact storage tables...
2019-06-24 12:08:13,001 INFO [p.p.s.migrate] [3/8] Copying unique fact values into fact_values
2019-06-24 12:08:13,002 INFO [p.p.s.migrate] [4/8] Reconstructing facts to refer to fact_values...
2019-06-24 12:08:13,004 INFO [p.p.s.migrate] [5/8] Cleaning up duplicate null values...
2019-06-24 12:08:13,006 INFO [p.p.s.migrate] [6/8] Computing fact value hashes...
2019-06-24 12:08:13,007 INFO [p.p.s.migrate] [7/8] Indexing fact_values table...
2019-06-24 12:08:13,017 INFO [p.p.s.migrate] [8/8] Indexing facts table...
2019-06-24 12:08:13,028 INFO [p.p.s.migrate] Applied database migration version 64 in 37 ms
2019-06-24 12:08:13,028 INFO [p.p.s.migrate] Applying database migration version 65
2019-06-24 12:08:13,046 ERROR [p.p.s.migrate] Caught SQLException during migration
java.sql.BatchUpdateException: Batch entry 1 alter table resource_events alter column status type text, alter column property type text, alter column containing_class type text, alter column file type text was aborted: ERROR: relation "resource_events_status_for_corrective_change_idx" already exists Call getNextException to see other errors in the batch.
    at org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHandler.java:148)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2179)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:479)
    at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:835)
    at com.zaxxer.hikari.pool.ProxyStatement.executeBatch(ProxyStatement.java:128)
    at com.zaxxer.hikari.pool.HikariProxyStatement.executeBatch(HikariProxyStatement.java)
    at clojure.java.jdbc$execute_batch.invokeStatic(jdbc.clj:563)
    at clojure.java.jdbc$execute_batch.invoke(jdbc.clj:556)
    at clojure.java.jdbc$db_do_commands$fn__21283.invoke(jdbc.clj:906)
    at clojure.java.jdbc$db_transaction_STAR_.invokeStatic(jdbc.clj:814)
    at clojure.java.jdbc$db_transaction_STAR_.invoke(jdbc.clj:741)
    at clojure.java.jdbc$db_transaction_STAR_.invokeStatic(jdbc.clj:754)
    at clojure.java.jdbc$db_transaction_STAR_.invoke(jdbc.clj:741)
    at clojure.java.jdbc$db_do_commands.invokeStatic(jdbc.clj:905)
    at clojure.java.jdbc$db_do_commands.invoke(jdbc.clj:890)
    at puppetlabs.puppetdb.jdbc$do_commands.invokeStatic(jdbc.clj:38)
    at puppetlabs.puppetdb.jdbc$do_commands.doInvoke(jdbc.clj:33)
    at clojure.lang.RestFn.invoke(RestFn.java:421)
    at puppetlabs.puppetdb.scf.migrate$varchar_columns_to_text.invokeStatic(migrate.clj:1467)
    at puppetlabs.puppetdb.scf.migrate$varchar_columns_to_text.invoke(migrate.clj:1466)
    at puppetlabs.puppetdb.scf.migrate$migrate_BANG_$fn__34737$fn__34739$fn__34743.invoke(migrate.clj:1793)
    at puppetlabs.puppetdb.scf.migrate$sql_or_die.invokeStatic(migrate.clj:1735)
    at puppetlabs.puppetdb.scf.migrate$sql_or_die.invoke(migrate.clj:1726)
    at puppetlabs.puppetdb.scf.migrate$migrate_BANG_$fn__34737$fn__34739.invoke(migrate.clj:1793)
    at clojure.core$map$fn__5851.invoke(core.clj:2755)
    at clojure.lang.LazySeq.sval(LazySeq.java:42)
    at clojure.lang.LazySeq.seq(LazySeq.java:51)
    at clojure.lang.RT.seq(RT.java:531)
    at clojure.core$seq__5387.invokeStatic(core.clj:137)
    at clojure.core$filter$fn__5878.invoke(core.clj:2809)
    at clojure.lang.LazySeq.sval(LazySeq.java:42)
    at clojure.lang.LazySeq.seq(LazySeq.java:58)
    at clojure.lang.RT.seq(RT.java:531)
    at clojure.core$seq__5387.invokeStatic(core.clj:137)
    at clojure.core$map$fn__5851.invoke(core.clj:2746)
    at clojure.lang.LazySeq.sval(LazySeq.java:42)
    at clojure.lang.LazySeq.seq(LazySeq.java:51)
    at clojure.lang.Cons.next(Cons.java:39)
    at clojure.lang.RT.boundedLength(RT.java:1788)
    at clojure.lang.RestFn.applyTo(RestFn.java:130)
    at clojure.core$apply.invokeStatic(core.clj:667)
    at clojure.core$apply.invoke(core.clj:660)
    at puppetlabs.puppetdb.scf.migrate$migrate_BANG_$fn__34737.invoke(migrate.clj:1800)
    at clojure.java.jdbc$db_transaction_STAR_.invokeStatic(jdbc.clj:771)
    at clojure.java.jdbc$db_transaction_STAR_.invoke(jdbc.clj:741)
    at puppetlabs.puppetdb.scf.migrate$migrate_BANG_.invokeStatic(migrate.clj:1788)
    at puppetlabs.puppetdb.scf.migrate$migrate_BANG_.invoke(migrate.clj:1759)
    at puppetlabs.puppetdb.cli.services$initialize_schema.invokeStatic(services.clj:331)
    at puppetlabs.puppetdb.cli.services$initialize_schema.invoke(services.clj:316)
    at puppetlabs.puppetdb.cli.services$init_with_db$fn__34979.invoke(services.clj:363)
    at puppetlabs.puppetdb.cli.services$init_with_db.invokeStatic(services.clj:362)
    at puppetlabs.puppetdb.cli.services$init_with_db.invoke(services.clj:335)
    at puppetlabs.puppetdb.cli.services$start_puppetdb.invokeStatic(services.clj:458)
    at puppetlabs.puppetdb.cli.services$start_puppetdb.invoke(services.clj:432)
    at puppetlabs.puppetdb.cli.services$reify__35099$service_fnk__18770__auto___positional$reify__35110.start(services.clj:568)
    at puppetlabs.trapperkeeper.services$fn__18607$G__18588__18610.invoke(services.clj:9)
    at puppetlabs.trapperkeeper.services$fn__18607$G__18587__18614.invoke(services.clj:9)
    at puppetlabs.trapperkeeper.internal$fn__19102$run_lifecycle_fn_BANG___19109$fn__19110.invoke(internal.clj:198)
    at puppetlabs.trapperkeeper.internal$fn__19102$run_lifecycle_fn_BANG___19109.invoke(internal.clj:181)
    at puppetlabs.trapperkeeper.internal$fn__19131$run_lifecycle_fns__19136$fn__19137.invoke(internal.clj:231)
    at puppetlabs.trapperkeeper.internal$fn__19131$run_lifecycle_fns__19136.invoke(internal.clj:208)
    at puppetlabs.trapperkeeper.internal$fn__19704$build_app_STAR___19713$fn$reify__19725.start(internal.clj:586)
    at puppetlabs.trapperkeeper.internal$fn__19752$boot_services_for_app_STAR__STAR___19759$fn__19760$fn__19762.invoke(internal.clj:612)
    at puppetlabs.trapperkeeper.internal$fn__19752$boot_services_for_app_STAR__STAR___19759$fn__19760.invoke(internal.clj:610)
    at puppetlabs.trapperkeeper.internal$fn__19752$boot_services_for_app_STAR__STAR___19759.invoke(internal.clj:604)
    at clojure.core$partial$fn__5826.invoke(core.clj:2630)
    at puppetlabs.trapperkeeper.internal$fn__19176$initialize_lifecycle_worker__19187$fn__19188$fn__19338$state_machine__12279__auto____19363$fn__19366.invoke(internal.clj:251)
    at puppetlabs.trapperkeeper.internal$fn__19176$initialize_lifecycle_worker__19187$fn__19188$fn__19338$state_machine__12279__auto____19363.invoke(internal.clj:251)
    at clojure.core.async.impl.ioc_macros$run_state_machine.invokeStatic(ioc_macros.clj:973)
    at clojure.core.async.impl.ioc_macros$run_state_machine.invoke(ioc_macros.clj:972)
    at clojure.core.async.impl.ioc_macros$run_state_machine_wrapped.invokeStatic(ioc_macros.clj:977)
    at clojure.core.async.impl.ioc_macros$run_state_machine_wrapped.invoke(ioc_macros.clj:975)
    at clojure.core.async$ioc_alts_BANG_$fn__12494.invoke(async.clj:384)
    at clojure.core.async$do_alts$fn__12434$fn__12437.invoke(async.clj:253)
    at clojure.core.async.impl.channels.ManyToManyChannel$fn__7098$fn__7099.invoke(channels.clj:95)
    at clojure.lang.AFn.run(AFn.java:22)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.postgresql.util.PSQLException: ERROR: relation "resource_events_status_for_corrective_change_idx" already exists
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2433)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2178)
    ... 77 common frames omitted

running provided RSpec as described also returns failures:

Failures:

  1. The docker-compose file works the cluster starts should start puppetdb
    Failure/Error: expect(wait_on_puppetdb_status()).to eq('running')

    Timeout::Error:
    puppetdb never entered running state

Amir.

PuppetDB CLI?

Trying to follow the documentation results in the following error:

puppet resource package puppet-client-tools ensure=latest
Error: Could not run: undefined method `first' for nil:NilClass

This was easily resolved by manually installing it:

docker-compose exec puppet /bin/bash
apt update && apt install -y puppet-client-tools

However, I had issues actually running the commands:

puppet query 'nodes [ certname ]{ limit 1 }'
Failed to connect to server: connection refused

puppet db status
{
  "http://127.0.0.1:8080": {
    "error": "Connection refused (os error 111)"
  }
}

Update

Had to create a client-tools configuration file, e.g., /etc/puppetlabs/client-tools/puppetdb.conf, via docker-compose exec.

cat /etc/puppetlabs/client-tools/puppetdb.conf
{
  "puppetdb": {
    "server_urls": "https://puppetdb:8081",
    "cacert": "/etc/puppetlabs/puppet/ssl/certs/ca.pem",
    "cert": "/etc/puppetlabs/puppet/ssl/certs/puppet.localdomain.pem",
    "key": "/etc/puppetlabs/puppet/ssl/private_keys/puppet.localdomain.pem"
  }
}

It works!

 puppet db status
{
  "https://puppetdb:8081": {
    "puppetdb-status": {
      "active_alerts": [],
      "detail_level": "info",
      "service_status_version": 1,
      "service_version": "6.3.1-SNAPSHOT",
      "state": "running",
      "status": {
        "maintenance_mode?": false,
        "queue_depth": 0,
        "read_db_up?": true,
        "write_db_up?": true
      }
    },
    "status-service": {
      "active_alerts": [],
      "detail_level": "info",
      "service_status_version": 1,
      "service_version": "1.1.0",
      "state": "running",
      "status": {}
    }
  }
}

PuppetDB connection tuning

Use Case

The number of connections to the postgres database has an impact on performance. For some sites, the defaults are too low, for others they waste resources.

Describe the Solution You Would Like

An option to tweak the number of connections held open in the pool

Describe Alternatives You've Considered

A script in the init section to tweak the config

Additional Context

Config Setting

Make it possible to run pupperware in Openshift

Use Case

I would like to run pupperware in k8s, especially in Openshift.
I love the possibility to scale compile masters, which is not available in docker-compose.yml.
But Openshift is by default restricted to non-privileged containers, and
as far as I can see the puppet-docker images assume they are privileged (startup scripts are trying to chmod and mkdir in non-volume directories,...)

Describe the Solution You Would Like

I would like to see docker images for pupperware that run as non-privileged containers.

Describe Alternatives You've Considered

The alternative right now is to let it run as a privileged container, which means lowering the security inside my Openshift cluster namespace.

Additional Context

There are already other projects building puppetserver and other components images for Openshift. But they are slightly different I think to the official ones, but maybe a good starting point.
for example: https://github.com/cegeka/docker-puppetserver or https://github.com/itsbcit/openshift-puppetserver

k8s: modules do not get deployed per updated Puppetfile

Describe the Bug

When a Puppetfile in any branch of the puppet-control repo is updated to add modules, those modules do not get deployed when r10k-deploy cronjob is run.

Expected Behavior

Modules added to any environment Puppetfile should be deployed to environment directory (i.e. /etc/puppetlabs/code/environments/production/modules).

Steps to Reproduce

Steps to reproduce the behavior:

  1. Deploy app as normal, with at least one branch/environment in a puppet-control repo, and that repo having a Puppetfile with some modules listed.
  2. Wait for the cronjob to complete the initial r10k deploy, and verify that the modules were deployed for the environment.
  3. Add some modules to the Puppetfile for that environment and commit/push to the puppet-control repo.
  4. Wait for next run of r10k-deploy cronjob. Verify that no new modules were added to puppetserver container.

Environment

  • Version: Kubernetes 1.14.8
  • Platform: Docker-for-Desktop w/k8s enabled. Will be testing on other systems soon.

Additional Context

As with another issue I opened... I have been testing with private git repos via ssh for puppet-control, hiera, and most of the modules. Since all of this works on the initial deploy, it seems the repo/transport types are not factors.

How to run local puppet parser on local files

Perhaps I am missing something obvious? I cannot seem to get Puppet parser to run on local files

osboxes@puppetself:~/dev/pupperware$ ./bin/puppet parser validate ./demouser.pp
Error: One or more file(s) specified did not exist:
[" ./demouser.pp\n"]
Error: Try 'puppet help parser validate' for usage

Thanks in advance!

How to run on macOS

The readme has sections for running on Linux and on Windows but not one for macOS... is it the same as the Linux section or something else?

CA is not persisted to a volume

Describe the Bug

Perhaps I'm overlooking something here, but the ca data is stored outside of the puppetserver-config volume and is lost when stopping the stack. The ca is stored in /etc/puppetlabs/puppet/ssl/ca which is a symlink to /etc/puppetlabs/puppetserver/ca which is not defined as a volume.

Expected Behavior

The ca is persisted to the puppetserver-config volume with the rest of the ssl data.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Provision the stack
  2. docker compose down
  3. docker compose up -d
  4. bye bye ca

Environment

  • Ubuntu 20.04

Additional Context

I'm going to work around this issue by mapping a volume to /etc/puppetlabs/puppetserver.
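
The gap described in this report can be checked mechanically: resolve the path's symlinks first, then compare the result with the container's volume destinations. The shell sketch below is an added example, not part of the original issue or the pupperware project; it runs against a constructed directory tree, and the function names covering_mount and make_layout are hypothetical.

```shell
#!/bin/sh
# Added example: does a path survive "docker compose down"? Only if the
# location it resolves to (after following symlinks) lies inside a volume.

# covering_mount PATH MOUNT...
# Prints the mount destination that holds PATH once symlinks are resolved.
# Returns 1 when none of the listed mounts covers it, 2 if PATH cannot be
# resolved. Mount destinations are assumed to be canonical absolute paths.
covering_mount() {
    target=$(readlink -f "$1") || return 2
    shift
    for m in "$@"; do
        m=${m%/}
        # Compare whole path components: ".../puppet" must not be taken as a
        # parent of ".../puppetserver" just because it is a string prefix.
        case "$target/" in
            "$m"/*) printf '%s\n' "$m"; return 0 ;;
        esac
    done
    return 1
}

# make_layout ROOT
# Constructed stand-in for the container filesystem in the report:
# ssl/ca under the puppet confdir is a symlink into puppetserver/ca.
make_layout() {
    mkdir -p "$1/etc/puppetlabs/puppet/ssl/certs" \
             "$1/etc/puppetlabs/puppetserver/ca" &&
    ln -s "$1/etc/puppetlabs/puppetserver/ca" "$1/etc/puppetlabs/puppet/ssl/ca"
}

demo() {
    root=$(cd "$(mktemp -d)" && pwd -P) || return 0
    make_layout "$root"
    # Assumption for the demo: the only volume is mounted at the puppet confdir.
    vol="$root/etc/puppetlabs/puppet"
    for p in ssl/certs ssl/ca; do
        if covering_mount "$vol/$p" "$vol" >/dev/null; then
            echo "$p: persisted"
        else
            echo "$p: NOT persisted, resolves to $(readlink -f "$vol/$p")"
        fi
    done
    rm -rf "$root"
}

demo
```

Against a real container the path has to be resolved inside it (readlink -f through docker exec), with the destinations taken from the Mounts list that docker inspect reports.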

Invalid interpolation format for "environment"

When using the default docker-compose.yml file, the error below is received. I was able to get around this by removing the ":-" at the end of the environment variable. Is this the correct resolution? Let me know if this serves another purpose I missed.

DNS_ALT_NAMES=host.example.com docker-compose up -d

ERROR: Invalid interpolation format for "environment" option in service "puppet": "DNS_ALT_NAMES=puppet,${DNS_ALT_NAMES:-}"

is this chart hosted anywhere?

Hi,

it seems like this chart is meant to be self-hosted? Or did I miss something?
I couldn't find any mentions of where this chart is hosted.
Just wanted to double check my assumption.
And if it is indeed not hosted, any reason why it cannot be added to say https://hub.helm.sh/ ?

Thank you!

r10k Container GID - "ping" instead of "puppet"

The r10k container should run with UID puppet and GID puppet.
The r10k home directory /home/puppet should be owned by puppet username and puppet group.

Current Situation

/home $ ls -ltrah
total 16
drwxr-xr-x    1 root     root        4.0K Nov 26 22:42 .
drwxr-xr-x    1 root     root        4.0K Dec 22 12:21 ..
drwxr-sr-x    1 puppet   ping        4.0K Dec 22 12:22 puppet

Additional Context

At present that's not the case and it appears something has changed in the r10k container with version tag 3.3.3 - which leads to r10k Helm chart's jobs crashing.

volume puppetdb-ssl doesn't exist.

Describe the Bug

Volume puppetdb-ssl is referenced in the documentation but not created when stack is started.

Expected Behavior

A volume should exist for the puppetdb-ssl for container puppetdb instance based on the README documentation.

Steps to Reproduce

docker-compose up -d
docker volume ls <- Notice no volume for puppetdb-ssl

Environment

Docker 20.10.3
Ubuntu 20.04

Unable to start containers due to volume permission issue

Describe the Bug

After cloning the repository and running docker-compose up, the puppet_1 and postgres_1 containers print the following permission errors, then exit

postgres_1 | chown: cannot read directory '/var/lib/postgresql/data': Permission denied
puppet_1 | chown: cannot read directory '/etc/puppetlabs/puppet/': Permission denied
puppet_1 | chown: cannot read directory '/opt/puppetlabs/server/data/puppetserver/': Permission denied

Expected Behavior

Containers to start successfully.

Steps to Reproduce

$ git clone https://github.com/puppetlabs/pupperware.git
$ cd pupperware/
$ sudo docker-compose up

Environment

docker-compose version 1.22.0, build f46880f
Docker version 1.13.1, build 47e2230/1.13.1
Fedora release 30 (Thirty)
Linux 5.2.11-200.fc30.x86_64 #1 SMP Thu Aug 29 12:43:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Additional Context

Apologies if this is something trivial, this is my first play with containers.

build linuxkit error

I tried to follow the guide to install the latest docker/compose/linuxkit versions, yet the linuxkit-lcow step fails?

w:\GitHub\lcow>linuxkit build lcow.yml
Extract kernel image: linuxkit/kernel:4.19.34
WARN[0001] error with delegation targets/releases key ID %!d(string=b6f9f8e1aab0676c4a7fd04eae5621a59fe15f97591eeb1a9ef7438ab6b0b0dc): certificate with CN Justin Cormack is expired
WARN[0001] error with delegation targets/releases key ID %!d(string=82a66673242c9c12078ebea9cae303f3ac52610d9299477ed82de0454f4e285f): certificate with CN  is expired
WARN[0001] error with delegation targets/releases key ID %!d(string=47caae5b3e61702d354c67706eccc40b90ec3e7c81f4c84522e2dee830e3df06): certificate with CN  is expired
WARN[0001] error with delegation targets/releases key ID %!d(string=a85aab9d20a412c0eda2e134d38f2cc609bf67fdeab117e27005931d53604481): certificate with CN [email protected] is expired
WARN[0001] error with delegation targets/releases key ID %!d(string=034370bcbd779e9aeb71f2deb87fe4dddb72d05d3c162c005a0e680dbe467567): certificate with CN Ian Campbell is expired
WARN[0001] error with delegation targets/justin key ID %!d(string=b6f9f8e1aab0676c4a7fd04eae5621a59fe15f97591eeb1a9ef7438ab6b0b0dc): certificate with CN Justin Cormack is expired
Pull image: docker.io/linuxkit/kernel:4.19.34@sha256:77b07a1863eed1dd22bc45a6718c5e63937078e6bf9e4c79f1c7ba72e01c5786
FATA[0001] Failed to extract kernel image and tarball: Could not pull image docker.io/linuxkit/kernel:4.19.34@sha256:77b07a1863eed1dd22bc45a6718c5e63937078e6bf9e4c79f1c7ba72e01c5786: Error response from daemon: client version 1.23 is too old. Minimum supported API version is 1.24, please upgrade your client to a newer version
docker version
Client:
 Version:           master-dockerproject-2019-05-22
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        57aa7731
 Built:             Wed May 22 23:47:38 2019
 OS/Arch:           windows/amd64
 Experimental:      false

Server:
 Engine:
  Version:          master-dockerproject-2019-05-22
  API version:      1.41 (minimum version 1.24)
  Go version:       go1.12.5
  Git commit:       0805242
  Built:            Wed May 22 23:58:19 2019
  OS/Arch:          windows/amd64
  Experimental:     true
docker-compose.exe version
docker-compose version 1.24.0, build 0aa59064
docker-py version: 3.7.2
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.0.2q  20 Nov 2018

I tested building under Linux with an older docker version and this works, so it seems it's a Windows docker problem, aka
Windows

Version:          master-dockerproject-2019-05-22
API version:      1.41 (minimum version 1.24)

vs

Version:          18.06.3
  API version:      1.38 (minimum version 1.12)

CI options?

Hey, while I am having tons of fun with this (thank you), I was wondering if there are any CI options that can be used with the helm chart, like jenkins or gitlab-ci, to hook the r10k deployments through once they pass?

openssl s_client "unable to verify the first certificate"

Describe the Bug

The certificate chain looks faulty on pupperware both via openssl s_client or a browser.

Browser: Secure Connection Failed

openssl:

openssl s_client -showcerts -connect puppetdb.internal:32782
CONNECTED(00000003)
depth=0 CN = puppetdb.internal
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = puppetdb.internal
verify error:num=21:unable to verify the first certificate
verify return:1
139832684724288:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1407:SSL alert number 42
---
Certificate chain
 0 s:/CN=puppetdb.internal
   i:/CN=Puppet CA: puppet.internal
---
Server certificate
subject=/CN=puppetdb.internal
issuer=/CN=Puppet CA: puppet.internal
---
Acceptable client certificate CA names
/CN=Puppet CA: puppet.internal
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2372 bytes and written 378 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
    Session-ID: 5D7E9AFF8D38DD433FBA8484D43314BB49BC830C4D88D96603BCF15267F628D4
    Session-ID-ctx: 
    Master-Key: 2601C7F198C4698B3BD551EB3B8EE2DC7466E1FC193C653668FA4071F80CD627900CDD9192B3480AB024AEA91704F683
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1568578303
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---

Expected Behavior

Login page to load.

Steps to Reproduce

git clone https://github.com/puppetlabs/pupperware
cd pupperware
DNS_ALT_NAMES=puppet docker-compose up -d

Environment

git branch -vvv
* master ab5b6d9 [origin/master] (maint) Use named volumes in compose where possible (#129)
docker-compose version 1.24.1, build 4667896
docker version
Client: Docker Engine - Community
 Version:           19.03.2
 API version:       1.40
 Go version:        go1.12.8
 Git commit:        6a30dfc
 Built:             Thu Aug 29 05:28:55 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.2
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.8
  Git commit:       6a30dfc
  Built:            Thu Aug 29 05:27:34 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
CONTAINER ID        IMAGE                       COMMAND                  CREATED             STATUS                    PORTS                                              NAMES
e19d4f6df666        puppet/puppetdb             "/usr/bin/tini -g --…"   25 minutes ago      Up 16 minutes (healthy)   0.0.0.0:32783->8080/tcp, 0.0.0.0:32782->8081/tcp   pupperware_puppetdb_1
483dfb48709d        puppet/puppetserver:6.4.0   "dumb-init /docker-e…"   25 minutes ago      Up 16 minutes (healthy)   0.0.0.0:8140->8140/tcp                             pupperware_puppet_1
d45a0d140fbc        postgres:9.6                "docker-entrypoint.s…"   25 minutes ago      Up 16 minutes (healthy)   5432/tcp                                           pupperware_postgres_1
docker exec -it e19d4f6df666 /bin/bash
root@puppetdb:/# hostname
puppetdb.internal
root@puppetdb:/# host puppet
puppet has address 172.20.0.3

docker exec -it 483dfb48709d /bin/bash
root@puppet:/# hostname
puppet.internal

docker inspect e19d4f6df666 | grep 172
                    "Gateway": "172.20.0.1",
                    "IPAddress": "172.20.0.2",

docker inspect 483dfb48709d | grep 172
            "SandboxID": "58172b70e551993d9126c238b914398713e4e1c3773ac9867c82ce68b66932e5",
            "SandboxKey": "/var/run/docker/netns/58172b70e551",
                    "Gateway": "172.20.0.1",
                    "IPAddress": "172.20.0.3",

Additional Context

Add any other context about the problem here.
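
Errors 20 and 21 in the output above are what OpenSSL reports when the issuing CA is not in the trust store the client consults, which is the normal situation for a private CA such as the Puppet CA unless its certificate is passed explicitly. The following added example (not from the original report or the project) reproduces both outcomes offline with a constructed CA and leaf certificate; make_test_pki and verify_leaf are hypothetical helper names.

```shell
#!/bin/sh
# Added example: a certificate issued by a private CA fails verification
# until the CA certificate is supplied as a trust anchor.

# make_test_pki DIR
# Creates a throwaway CA (ca.pem) and a leaf certificate (leaf.pem) signed by
# it. Subject names mirror the report; all keys and certificates are
# constructed here and have nothing to do with a real deployment.
make_test_pki() {
    d=$1
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # Self-signed CA certificate (the config marks it as a CA).
    openssl req -x509 -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Puppet CA: puppet.internal" -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    # Key and signing request for the server certificate.
    openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=puppetdb.internal" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    # The CA signs the request.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf DIR [openssl verify options...]
# Prints openssl's verdict for DIR/leaf.pem and returns its exit status.
verify_leaf() {
    d=$1
    shift
    openssl verify "$@" "$d/leaf.pem" 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 0
    if ! make_test_pki "$tmp"; then
        echo "could not build the test PKI"
        rm -rf "$tmp"
        return 0
    fi
    echo "== no trust anchor supplied =="
    verify_leaf "$tmp" || echo "(verification failed)"
    echo "== CA certificate supplied with -CAfile =="
    verify_leaf "$tmp" -CAfile "$tmp/ca.pem" || echo "(verification failed)"
    rm -rf "$tmp"
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

openssl s_client accepts the same -CAfile option; the client-tools configuration shown earlier on this page gives the CA certificate's location in this stack as /etc/puppetlabs/puppet/ssl/certs/ca.pem.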

"Puppetserver ca migrate" error

I want to solve this issue: "The cadir is currently configured to be inside the /etc/puppetlabs/puppet/ssl directory. This config setting and the directory location will not be used in a future version of puppet. Please run the puppetserver ca tool to migrate out from the puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. Use puppetserver ca migrate --help for more info."

The first step is:
puppetserver ca migrate --config

After this, I got this message: "Puppetserver service is running. Please stop it before attempting to run this command"

If I stop it, I couldn't execute the command of the first step.

Is it possible to manually update the ca path in a Dockerfile?

Use Docker Content Trust (DCT) to sign Docker Containers

Use Case

Our security team is uneasy that the docker containers used for pupperware hosted at https://hub.docker.com/u/puppet are not signed with a Docker Content Trust key, which makes verifying the software supply chain difficult for security vetting purposes.

Describe the Solution You Would Like

Would you be able to start using keys to sign containers published on docker.com?

Additional Context

Info about Docker Content Trust can be found here: https://docs.docker.com/engine/security/trust/

javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)

Describe the Bug

I get the following errors every time I add a node to my setup

puppet_1       | 2020-10-08 03:33:34,668 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:503)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:34,680 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/query/v4/nodes/dvv.hosted.example.com/facts, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:34,690 ERROR [puppetserver] Puppet Cached facts for dvv.hosted.example.com failed: Failed to find facts from PuppetDB at puppet.example.com:8140: Failed to execute '/pdb/query/v4/nodes/dvv.hosted.example.com/facts' on at least 1 of the following 'server_urls': https://puppetdb:8081
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/puppetdb.rb:86:in `block in find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/puppetdb.rb:99:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/puppetdb.rb:57:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/store_configs.rb:16:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:265:in `find_in_cache'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:215:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/node.rb:138:in `fact_merge'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/node/plain.rb:18:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:223:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:138:in `do_find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:54:in `block in call'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:53:in `call'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:82:in `block in process'
puppet_1       | org/jruby/RubyArray.java:1809:in `each'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:81:in `process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:88:in `process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:88:in `process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:87:in `block in process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:70:in `block in with_request_profiling'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:66:in `with_request_profiling'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:86:in `block in process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:93:in `respond_to_errors'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:85:in `process'
puppet_1       | uri:classloader:/puppetserver-lib/puppet/server/master.rb:65:in `block in handleRequest'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'
puppet_1       | uri:classloader:/puppetserver-lib/puppet/server/master.rb:64:in `handleRequest'
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:34 +0000 "GET /puppet/v3/node/dvv.hosted.example.com?environment=production&transaction_uuid=225932bd-8d54-49ba-804b-13231679fd15&fail_on_404=true HTTP/1.1" 200 57 172.26.0.1 172.26.0.1 8140 573
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:34 +0000 "GET /puppet/v3/file_metadatas/pluginfacts?environment=production&links=follow&recurse=true&source_permissions=use&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&checksum_type=md5 HTTP/1.1" 200 220 172.26.0.1 172.26.0.1 8140 62
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:34 +0000 "GET /puppet/v3/file_metadatas/plugins?environment=production&links=follow&recurse=true&source_permissions=ignore&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&checksum_type=md5 HTTP/1.1" 200 224 172.26.0.1 172.26.0.1 8140 37
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:34 +0000 "GET /puppet/v3/file_metadatas/locales?environment=production&links=follow&recurse=true&source_permissions=ignore&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&ignore=%2A.pot&ignore=config.yaml&checksum_type=md5 HTTP/1.1" 200 224 172.26.0.1 172.26.0.1 8140 34
puppet_1       | 2020-10-08 03:33:36,707 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:544)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:188)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:36,713 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/cmd/v1?checksum=1e998fa1e2ba8461985087c1696d9b716a3f018b&version=5&certname=dvv.hosted.example.com&command=replace_facts&producer-timestamp=2020-10-08T03:33:35.589Z, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:36,716 ERROR [puppetserver] Puppet Failed to execute '/pdb/cmd/v1?checksum=1e998fa1e2ba8461985087c1696d9b716a3f018b&version=5&certname=dvv.hosted.example.com&command=replace_facts&producer-timestamp=2020-10-08T03:33:35.589Z' on at least 1 of the following 'server_urls': https://puppetdb:8081
puppet_1       | 2020-10-08 03:33:36,967 INFO  [puppetserver] Puppet Compiled catalog for dvv.hosted.example.com in environment production in 0.21 seconds
puppet_1       | 2020-10-08 03:33:36,974 INFO  [puppetserver] Puppet Caching catalog for dvv.hosted.example.com
puppet_1       | 2020-10-08 03:33:37,033 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:544)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:188)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:37,045 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/cmd/v1?checksum=468c9a2c4e250da55bec631b5a3de587c3b60309&version=9&certname=dvv.hosted.example.com&command=replace_catalog&producer-timestamp=2020-10-08T03:33:36.975Z, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:37,056 ERROR [puppetserver] Puppet Failed to execute '/pdb/cmd/v1?checksum=468c9a2c4e250da55bec631b5a3de587c3b60309&version=9&certname=dvv.hosted.example.com&command=replace_catalog&producer-timestamp=2020-10-08T03:33:36.975Z' on at least 1 of the following 'server_urls': https://puppetdb:8081
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:37 +0000 "POST /puppet/v3/catalog/dvv.hosted.example.com?environment=production HTTP/1.1" 200 604 172.26.0.1 172.26.0.1 8140 1932
puppet_1       | 2020-10-08 03:33:37,292 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:544)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:188)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:37,299 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/cmd/v1?checksum=148962ad7d608fe5409fe68076e66880618a9e7c&version=8&certname=dvv.hosted.example.com&command=store_report&producer-timestamp=2020-10-08T03:33:37.255Z, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:37,301 ERROR [puppetserver] Puppet Failed to execute '/pdb/cmd/v1?checksum=148962ad7d608fe5409fe68076e66880618a9e7c&version=8&certname=dvv.hosted.example.com&command=store_report&producer-timestamp=2020-10-08T03:33:37.255Z' on at least 1 of the following 'server_urls': https://puppetdb:8081
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:37 +0000 "PUT /puppet/v3/report/dvv.hosted.example.com?environment=production& HTTP/1.1" 200 12 172.26.0.1 172.26.0.1 8140 113
puppet_1       | 2020-10-08 03:33:38,971 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:544)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:188)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:38,978 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/query/v4/nodes/dvv.hosted.example.com/facts, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:38,990 ERROR [puppetserver] Puppet Cached facts for dvv.hosted.example.com failed: Failed to find facts from PuppetDB at puppet.example.com:8140: Failed to execute '/pdb/query/v4/nodes/dvv.hosted.example.com/facts' on at least 1 of the following 'server_urls': https://puppetdb:8081
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/puppetdb.rb:86:in `block in find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/puppetdb.rb:99:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/puppetdb.rb:57:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/store_configs.rb:16:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:265:in `find_in_cache'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:215:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/node.rb:138:in `fact_merge'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/node/plain.rb:18:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:223:in `find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:138:in `do_find'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:54:in `block in call'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:53:in `call'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:82:in `block in process'
puppet_1       | org/jruby/RubyArray.java:1809:in `each'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:81:in `process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:88:in `process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:88:in `process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:87:in `block in process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:70:in `block in with_request_profiling'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:66:in `with_request_profiling'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:86:in `block in process'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:93:in `respond_to_errors'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:85:in `process'
puppet_1       | uri:classloader:/puppetserver-lib/puppet/server/master.rb:65:in `block in handleRequest'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
puppet_1       | /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'
puppet_1       | uri:classloader:/puppetserver-lib/puppet/server/master.rb:64:in `handleRequest'
puppet_1       | 2020-10-08 03:33:39,138 INFO  [puppetserver] Puppet Caching facts for dvv.hosted.example.com
puppet_1       | 2020-10-08 03:33:40,178 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:544)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:188)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:40,183 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/cmd/v1?checksum=c1c863b023296a9b3b4f192b51f387f54ac164f6&version=5&certname=dvv.hosted.example.com&command=replace_facts&producer-timestamp=2020-10-08T03:33:39.147Z, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:40,185 ERROR [puppetserver] Puppet Failed to execute '/pdb/cmd/v1?checksum=c1c863b023296a9b3b4f192b51f387f54ac164f6&version=5&certname=dvv.hosted.example.com&command=replace_facts&producer-timestamp=2020-10-08T03:33:39.147Z' on at least 1 of the following 'server_urls': https://puppetdb:8081
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:40 +0000 "GET /puppet/v3/node/dvv.hosted.example.com?environment=production&transaction_uuid=408eb3ed-a987-4409-b9e3-2e4a7b791736&fail_on_404=true HTTP/1.1" 200 17063 172.26.0.1 172.26.0.1 8140 1295
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:40 +0000 "GET /puppet/v3/file_metadatas/pluginfacts?environment=production&links=follow&recurse=true&source_permissions=use&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&checksum_type=md5 HTTP/1.1" 200 220 172.26.0.1 172.26.0.1 8140 53
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:40 +0000 "GET /puppet/v3/file_metadatas/plugins?environment=production&links=follow&recurse=true&source_permissions=ignore&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&checksum_type=md5 HTTP/1.1" 200 224 172.26.0.1 172.26.0.1 8140 82
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:40 +0000 "GET /puppet/v3/file_metadatas/locales?environment=production&links=follow&recurse=true&source_permissions=ignore&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&ignore=%2A.pot&ignore=config.yaml&checksum_type=md5 HTTP/1.1" 200 224 172.26.0.1 172.26.0.1 8140 36
puppet_1       | 2020-10-08 03:33:41,855 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:544)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:188)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:41,861 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/cmd/v1?checksum=379e6018fb8ab801829787908b2a9c3d0afadc76&version=5&certname=dvv.hosted.example.com&command=replace_facts&producer-timestamp=2020-10-08T03:33:40.829Z, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:41,863 ERROR [puppetserver] Puppet Failed to execute '/pdb/cmd/v1?checksum=379e6018fb8ab801829787908b2a9c3d0afadc76&version=5&certname=dvv.hosted.example.com&command=replace_facts&producer-timestamp=2020-10-08T03:33:40.829Z' on at least 1 of the following 'server_urls': https://puppetdb:8081
puppet_1       | 2020-10-08 03:33:41,951 INFO  [puppetserver] Puppet Compiled catalog for dvv.hosted.example.com in environment production in 0.07 seconds
puppet_1       | 2020-10-08 03:33:41,953 INFO  [puppetserver] Puppet Caching catalog for dvv.hosted.example.com
puppet_1       | 2020-10-08 03:33:41,990 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:544)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:188)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:41,999 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/cmd/v1?checksum=fbade8f3f7d11492bf53ef29ae5b689e83d16480&version=9&certname=dvv.hosted.example.com&command=replace_catalog&producer-timestamp=2020-10-08T03:33:41.957Z, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:42,007 ERROR [puppetserver] Puppet Failed to execute '/pdb/cmd/v1?checksum=fbade8f3f7d11492bf53ef29ae5b689e83d16480&version=9&certname=dvv.hosted.example.com&command=replace_catalog&producer-timestamp=2020-10-08T03:33:41.957Z' on at least 1 of the following 'server_urls': https://puppetdb:8081
puppet_1       | 172.26.0.1 - - - 08/Oct/2020:03:33:42 +0000 "POST /puppet/v3/catalog/dvv.hosted.example.com?environment=production HTTP/1.1" 200 604 172.26.0.1 172.26.0.1 8140 1293
puppet_1       | 2020-10-08 03:33:42,253 WARN  [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
puppet_1       | javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
puppet_1       | 	at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
puppet_1       | 	at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:544)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:188)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
puppet_1       | 	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
puppet_1       | 	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
puppet_1       | 	at java.lang.Thread.run(Thread.java:748)
puppet_1       | 2020-10-08 03:33:42,260 WARN  [puppetserver] Puppet Error connecting to puppetdb on 8081 at route /pdb/cmd/v1?checksum=b0711887be75cb9b33e5b862c1d0000db77a41a6&version=8&certname=dvv.hosted.example.com&command=store_report&producer-timestamp=2020-10-08T03:33:42.165Z, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
puppet_1       | 2020-10-08 03:33:42,263 ERROR [puppetserver] Puppet Failed to execute '/pdb/cmd/v1?checksum=b0711887be75cb9b33e5b862c1d0000db77a41a6&version=8&certname=dvv.hosted.example.com&command=store_report&producer-timestamp=2020-10-08T03:33:42.165Z' on at least 1 of the following 'server_urls': https://puppetdb:8081

Expected Behavior

I expected to not get the following error when I added nodes to Puppet Server

javax.net.ssl.SSLPeerUnverifiedException: Host name 'puppetdb' does not match the certificate subject provided by the peer (CN=puppetdb)

Steps to Reproduce

Steps to reproduce the behavior:

  1. Git clone the repo
  2. cd pupperware
  3. Run docker-compose up -d
  4. Run docker-compose logs -f
  5. Add a puppet node and you should see the error

Environment

  • puppetserver version: 6.13.0 (running in docker of course 😉 )
  • Platform Ubuntu 18.04 (Docker v19.03.6)

Additional Context

I figured out that if I make the variable PUPPETDB_SERVER_URLS contain a full domain (see docker-compose.yml)
I don't get the errors.

For example, if I change

    PUPPETDB_SERVER_URLS=https://puppetdb:8081

to

    PUPPETDB_SERVER_URLS=https://puppetdb.${DOMAIN}:8081

and add an aliases: entry to the puppetdb service (see docker-compose.yml)

    services:
    ...
      puppetdb:
      ...
        networks:
          default:
            aliases:
              - puppetdb.${DOMAIN}

Are there others who have had this problem?

Two bugs with DNS_ALT_NAMES variable

README.md says:
"The value of DNS_ALT_NAMES must list all the names, as a comma-separated list, under which the Puppet server in the stack can be reached from agents. It will have puppet prepended to it as that name is used by PuppetDB to communicate with the Puppet server."

Two bugs:

Bug 1)
The variable DNS_ALT_NAMES is not actually used in the code!
The variables PUPPET_DNS_ALT_NAMES and PUPPETDB_DNS_ALT_NAMES are used to set DNS_ALT_NAMES.

    gem/lib/pupperware/compose-services/puppet.yml: - DNS_ALT_NAMES=${PUPPET_DNS_ALT_NAMES:-puppet}
    gem/lib/pupperware/compose-services/puppetdb.yml: - DNS_ALT_NAMES=${PUPPETDB_DNS_ALT_NAMES:-puppetdb}

I run the given command from README.md:

    DNS_ALT_NAMES=host.example.com docker-compose up -d

...but since I have set neither PUPPET_DNS_ALT_NAMES nor PUPPETDB_DNS_ALT_NAMES, DNS_ALT_NAMES is set to its defaults.

You can see this in:

/var/lib/docker/volumes/compose-services_puppetserver-config/_data/puppet.conf:

    dns_alt_names = puppet

This should read:

    dns_alt_names = puppet,host.example.com

Bug 2)
README.md says the hostname "puppet" will be prepended to whatever I type. It is not!

If I manually work around Bug 1 above by:

    export PUPPET_DNS_ALT_NAMES=host.example.com
    export PUPPETDB_DNS_ALT_NAMES=host.example.com
    docker-compose up -d

/var/lib/docker/volumes/compose-services_puppetserver-config/_data/puppet.conf:

    dns_alt_names = host.example.com

See that the hostname "puppet" has not been prepended.

This should read:

    dns_alt_names = puppet,host.example.com

Current workaround for both bugs:

    export PUPPET_DNS_ALT_NAMES=puppet,host.example.com
    export PUPPETDB_DNS_ALT_NAMES=puppetdb,host.example.com
    docker-compose up -d

Fix:
Either fix the bugs or change the documentation.
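
The substitution behind both bugs in the report above, modelled in plain shell as an added example (not the project's code). The function names are hypothetical; only the variable names and their `:-` defaults come from the two compose files quoted in the report.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the variable names and the
# ":-" defaults are the ones quoted from puppet.yml and puppetdb.yml above.

# puppet.yml:   DNS_ALT_NAMES=${PUPPET_DNS_ALT_NAMES:-puppet}
effective_puppet_alt_names() {
    printf '%s\n' "${PUPPET_DNS_ALT_NAMES:-puppet}"
}

# puppetdb.yml: DNS_ALT_NAMES=${PUPPETDB_DNS_ALT_NAMES:-puppetdb}
effective_puppetdb_alt_names() {
    printf '%s\n' "${PUPPETDB_DNS_ALT_NAMES:-puppetdb}"
}

# Return "<service>,<names...>" with the service name first and no duplicates,
# which is the value the README describes.
# Usage: with_service_name puppet "host.example.com,other.example.com"
with_service_name() {
    wsn_result=$1
    wsn_old_ifs=$IFS
    IFS=,
    set -f                      # no globbing while splitting on commas
    for wsn_name in $2; do
        wsn_name=$(printf '%s' "$wsn_name" | tr -d ' ')
        if [ -z "$wsn_name" ]; then continue; fi
        case ",$wsn_result," in
            *",$wsn_name,"*) ;;                       # already listed
            *) wsn_result="$wsn_result,$wsn_name" ;;
        esac
    done
    set +f
    IFS=$wsn_old_ifs
    printf '%s\n' "$wsn_result"
}

# README command: DNS_ALT_NAMES is set on the host, but neither compose file
# reads it, so the default wins.
scenario_readme() (
    unset PUPPET_DNS_ALT_NAMES PUPPETDB_DNS_ALT_NAMES
    DNS_ALT_NAMES=host.example.com; export DNS_ALT_NAMES
    effective_puppet_alt_names
)

# Workaround for bug 1 only: the default is replaced, so "puppet" disappears.
scenario_bug2() (
    PUPPET_DNS_ALT_NAMES=host.example.com; export PUPPET_DNS_ALT_NAMES
    effective_puppet_alt_names
)

# Workaround for both bugs, built with the helper instead of typed by hand.
scenario_workaround() (
    PUPPET_DNS_ALT_NAMES=$(with_service_name puppet host.example.com)
    PUPPETDB_DNS_ALT_NAMES=$(with_service_name puppetdb host.example.com)
    export PUPPET_DNS_ALT_NAMES PUPPETDB_DNS_ALT_NAMES
    printf '%s %s\n' "$(effective_puppet_alt_names)" "$(effective_puppetdb_alt_names)"
)

echo "README command      : $(scenario_readme)"
echo "bug 1 workaround    : $(scenario_bug2)"
echo "both bugs worked out: $(scenario_workaround)"
```

After starting the stack, compare these values with the `dns_alt_names` line in the `puppet.conf` path given in the report.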

Why?

Describe the Change You Would Like

Could the documentation please explain the advantage of building and installing a gem file that does nothing other than make it more difficult to use docker-compose?
