SVCPLAN-5723 Primary KDC firewall changes

Moved firewall data to control repo in yaml file

Workflow updates

PDK update

pdk update from 2.5.0 to 2.7.1

update actions/checkout to @v4

.devcontainer/README.md

@@ -0,0 +1,38 @@
+# devcontainer
+
+
+For format details, see https://aka.ms/devcontainer.json. 
+
+For config options, see the README at:
+https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet
+
+``` json
+{
+	"name": "Puppet Development Kit (Community)",
+	"dockerFile": "Dockerfile",
+
+	// Set *default* container specific settings.json values on container create.
+	"settings": {
+		"terminal.integrated.profiles.linux": {
+			"bash": {
+				"path": "bash",
+			}
+		}
+	},
+
+	// Add the IDs of extensions you want installed when the container is created.
+	"extensions": [
+		"puppet.puppet-vscode",
+		"rebornix.Ruby"
+	],
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	"forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	"postCreateCommand": "pdk --version",
+}
+```
+
+
+

.devcontainer/devcontainer.json

@@ -1,23 +1,17 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
-// https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet
 {
 	"name": "Puppet Development Kit (Community)",
 	"dockerFile": "Dockerfile",
 
-	// Set *default* container specific settings.json values on container create.
 	"settings": {
-		"terminal.integrated.shell.linux": "/bin/bash"
+		"terminal.integrated.profiles.linux": {
+			"bash": {
+				"path": "bash",
+			}
+		}
 	},
 
-	// Add the IDs of extensions you want installed when the container is created.
 	"extensions": [
 		"puppet.puppet-vscode",
 		"rebornix.Ruby"
 	]
-
-	// Use 'forwardPorts' to make a list of ports inside the container available locally.
-	// "forwardPorts": [],
-
-	// Use 'postCreateCommand' to run commands after the container is created.
-	// "postCreateCommand": "pdk --version",
 }

.github/workflows/pdk-validate.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name: "Clone repository"
-        uses: "actions/checkout@v2"
+        uses: "actions/checkout@v4"
       - name: "Run pdk validate"
         uses: "puppets-epic-show-theatre/action-pdk-validate@v1"
         with:

.github/workflows/yamllint.yml

@@ -7,7 +7,7 @@ jobs:
   lintAllTheThings:
     runs-on: "ubuntu-latest"
     steps:
-      - uses: "actions/checkout@v1"
+      - uses: "actions/checkout@v4"
       - name: "yaml-lint"
         uses: "ibiqlik/action-yamllint@v3"
         with:

.rubocop.yml

@@ -4,7 +4,7 @@ require:
 - rubocop-rspec
 AllCops:
   DisplayCopNames: true
-  TargetRubyVersion: '2.4'
+  TargetRubyVersion: '2.5'
   Include:
   - "**/*.rb"
   Exclude:

Gemfile

@@ -13,21 +13,31 @@ def location_for(place_or_version, fake_version = nil)
   end
 end
 
-ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
-minor_version = ruby_version_segments[0..1].join('.')
-
 group :development do
-  gem "json", '= 2.0.4',                                         require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "json", '= 2.1.0',                                         require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "json", '= 2.3.0',                                         require: false if Gem::Requirement.create(['>= 2.7.0', '< 2.8.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "puppet-module-posix-default-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
-  gem "puppet-module-posix-dev-r#{minor_version}", '~> 1.0',     require: false, platforms: [:ruby]
-  gem "puppet-module-win-default-r#{minor_version}", '~> 1.0',   require: false, platforms: [:mswin, :mingw, :x64_mingw]
-  gem "puppet-module-win-dev-r#{minor_version}", '~> 1.0',       require: false, platforms: [:mswin, :mingw, :x64_mingw]
+  gem "json", '= 2.1.0',                               require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "json", '= 2.3.0',                               require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "json", '= 2.5.1',                               require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "json", '= 2.6.1',                               require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "json", '= 2.6.3',                               require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "voxpupuli-puppet-lint-plugins", '~> 3.1',       require: false
+  gem "facterdb", '~> 1.18',                           require: false
+  gem "metadata-json-lint", '>= 2.0.2', '< 4.0.0',     require: false
+  gem "puppetlabs_spec_helper", '>= 3.0.0', '< 5.0.0', require: false
+  gem "rspec-puppet-facts", '~> 2.0',                  require: false
+  gem "codecov", '~> 0.2',                             require: false
+  gem "dependency_checker", '~> 0.2',                  require: false
+  gem "parallel_tests", '~> 3.4',                      require: false
+  gem "pry", '~> 0.10',                                require: false
+  gem "simplecov-console", '~> 0.5',                   require: false
+  gem "puppet-debugger", '~> 1.0',                     require: false
+  gem "rubocop", '= 1.6.1',                            require: false
+  gem "rubocop-performance", '= 1.9.1',                require: false
+  gem "rubocop-rspec", '= 2.0.1',                      require: false
+  gem "rb-readline", '= 0.5.5',                        require: false, platforms: [:mswin, :mingw, :x64_mingw]
 end
 group :system_tests do
-  gem "puppet-module-posix-system-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
-  gem "puppet-module-win-system-r#{minor_version}", '~> 1.0',   require: false, platforms: [:mswin, :mingw, :x64_mingw]
+  gem "puppet_litmus", '< 1.0.0', require: false, platforms: [:ruby]
+  gem "serverspec", '~> 2.41',    require: false
 end
 
 puppet_version = ENV['PUPPET_GEM_VERSION']

Rakefile

@@ -43,6 +43,7 @@ end
 
 PuppetLint.configuration.send('disable_relative')
 
+
 if Bundler.rubygems.find_name('github_changelog_generator').any?
   GitHubChangelogGenerator::RakeTask.new :changelog do |config|
     raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil?

manifests/common.pp

@@ -4,11 +4,9 @@
 #   include profile_kerberos_server::common
 #
 class profile_kerberos_server::common {
-
   include profile_kerberos_server::common::firewall
   include profile_kerberos_server::common::scripts
   include profile_kerberos_server::common::cron
   include profile_kerberos_server::common::config
   include profile_kerberos_server::common::services
-
 }

manifests/common/config.pp

@@ -4,7 +4,6 @@
 #   include profile_kerberos_server::common::config
 #
 class profile_kerberos_server::common::config {
-
   ## Copy over the kerberos server configuration files (NOT .k5.NCSA.EDU, it must be hand copied)
   file { '/var/kerberos/krb5kdc/':
     ensure => 'directory',
@@ -30,5 +29,4 @@
       Service['krb5kdc'],
     ],
   }
-
 }

manifests/common/cron.pp

@@ -4,7 +4,6 @@
 #   include profile_kerberos_server::common::cron
 #
 class profile_kerberos_server::common::cron {
-
 # Make daily backup of propagated database on local disk
 # 03 04 * * * /root/cron_scripts/krb5_ss_backup.pl
   cron { 'ss_backup':
@@ -37,5 +36,4 @@
     environment => ['SHELL=/bin/sh', 'MAILTO=kerberos-admin@ncsa.uiuc.edu'],
     #description => 'Roll the syslogs to AFS'
   }
-
 }

manifests/common/firewall.pp

@@ -4,7 +4,6 @@
 #   include profile_kerberos_server::common::firewall
 #
 class profile_kerberos_server::common::firewall {
-
   # this should be port 88
   ['tcp','udp'].each |$protocol| {
     firewall { "210 Kerberos via ${protocol}":
@@ -15,5 +14,4 @@
       action => 'accept',
     }
   }
-
 }

manifests/common/scripts.pp

@@ -4,7 +4,6 @@
 #   include profile_kerberos_server::common::scripts
 #
 class profile_kerberos_server::common::scripts {
-
   file { '/root/cron_scripts/krb5_passwd_check':
     source => "puppet:///modules/${module_name}/root/cron_scripts/krb5_passwd_check",
     mode   => '0755',
@@ -39,5 +38,4 @@
     source => "puppet:///modules/${module_name}/root/cron_scripts/watchlogins.pl",
     mode   => '0700',
   }
-
 }

manifests/common/services.pp

@@ -13,9 +13,8 @@
   Array[String] $packages_absent,
   Array[String] $packages_present,
 ) {
-
-  ensure_packages($packages_present, {'ensure' => 'present'})
-  ensure_packages($packages_absent, {'ensure' => 'absent'})
+  ensure_packages($packages_present, { 'ensure' => 'present' })
+  ensure_packages($packages_absent, { 'ensure' => 'absent' })
 
   service { 'krb5kdc':
     ensure => running,
@@ -31,6 +30,4 @@
 #      Service['rsyslog'],
 #    ],
 #  }
-
-
 }

manifests/init.pp

@@ -8,7 +8,6 @@
 #   include profile_kerberos_server::secondary
 #
 class profile_kerberos_server {
-
   $notify_text = @("EOT"/)
     The top level profile_backup class should not be used.
     Instead use one of the following classes:
@@ -31,5 +30,4 @@
   # is the 'crontab' file in root up-to-date
   # do we want /var/kerberos/krb5kdc/mysql/insert.pl
   # create a service for watchlogins.pl
-
 }

manifests/primary.pp

@@ -4,12 +4,10 @@
 #   include profile_kerberos_server::primary
 #
 class profile_kerberos_server::primary {
-
   include profile_kerberos_server::common
   include profile_kerberos_server::primary::firewall
   include profile_kerberos_server::primary::scripts
   include profile_kerberos_server::primary::cron
   include profile_kerberos_server::primary::config
   include profile_kerberos_server::primary::services
-
 }

manifests/primary/config.pp

@@ -6,7 +6,6 @@
 class profile_kerberos_server::primary::config (
   String $kadm_acl_contents,
 ) {
-
   file { '/var/kerberos/krb5kdc/kadm5.acl':
     content => $kadm_acl_contents,
     mode    => '0600',
@@ -19,5 +18,4 @@
     ensure => 'absent',
     path   => '/var/kerberos/krb5kdc/kpropd.acl',
   }
-
 }

manifests/primary/cron.pp

@@ -4,7 +4,6 @@
 #   include profile_kerberos_server::primary::cron
 #
 class profile_kerberos_server::primary::cron {
-
   # Propagate the database to secondary KDCs every five minutes
   # */5 * * * * /var/kerberos/krb5kdc/propagate
   cron { 'propagate':
@@ -39,5 +38,4 @@
     environment => ['SHELL=/bin/sh', 'MAILTO=kerberos-admin@ncsa.uiuc.edu'],
     #description => 'Put principal information into MySQL database'
   }
-
 }

manifests/primary/firewall.pp

@@ -3,8 +3,9 @@
 # @example
 #   include profile_kerberos_server::primary::firewall
 #
-class profile_kerberos_server::primary::firewall {
-
+class profile_kerberos_server::primary::firewall (
+  Array[String, 1] $kadmin_allow_cidr,
+) {
   # kpasswd
   ['tcp','udp'].each |$protocol| {
     firewall { "212 kpasswd ${protocol}":
@@ -15,18 +16,12 @@
   }
 
   # kadmin
-  [
-    '141.142.0.0/16',
-    '10.142.0.0/16',
-    '172.24.0.0/13',
-    '172.16.0.0/13'
-  ].each |$range| {
-    firewall { "213 kerberos-adm tcp ${range}":
-      source => $range,
+  $kadmin_allow_cidr.each |$cidr| {
+    firewall { "213 kerberos-adm tcp ${cidr}":
+      source => $cidr,
       proto  => 'tcp',
       dport  => '749',
       action => 'accept',
     }
   }
-
 }

manifests/primary/scripts.pp

@@ -4,10 +4,8 @@
 #   include profile_kerberos_server::primary::scripts
 #
 class profile_kerberos_server::primary::scripts {
-
   file { '/var/kerberos/krb5kdc/propagate':
     source => "puppet:///modules/${module_name}/var/kerberos/krb5kdc/propagate",
     mode   => '0700',
   }
-
 }

manifests/primary/services.pp

@@ -4,10 +4,8 @@
 #   include profile_kerberos_server::primary::services
 #
 class profile_kerberos_server::primary::services {
-
   service { 'kadmin':
     ensure => running,
     enable => true,
   }
-
 }

manifests/secondary.pp

@@ -4,11 +4,9 @@
 #   include profile_kerberos_server::secondary
 #
 class profile_kerberos_server::secondary {
-
   include profile_kerberos_server::common
   include profile_kerberos_server::secondary::firewall
   include profile_kerberos_server::secondary::scripts
   include profile_kerberos_server::secondary::config
   include profile_kerberos_server::secondary::services
-
 }

manifests/secondary/config.pp

@@ -4,7 +4,6 @@
 #   include profile_kerberos_server::secondary::config
 #
 class profile_kerberos_server::secondary::config {
-
   # make sure kadm5.acl doesn't exist so we don't accidentally write to a secondary KDC database
   file { 'secondary-/var/kerberos/krb5kdc/kadm5.acl':
     ensure => 'absent',
@@ -20,5 +19,4 @@
       Service['krb5kdc'],
     ],
   }
-
 }

manifests/secondary/firewall.pp

@@ -4,7 +4,6 @@
 #   include profile_kerberos_server::secondary::firewall
 #
 class profile_kerberos_server::secondary::firewall {
-
   $primary_server = lookup('profile_kerberos_server::primary_server')
 
   # this should be port 754
@@ -14,5 +13,4 @@
     source => $primary_server,
     action => 'accept',
   }
-
 }

manifests/secondary/scripts.pp

@@ -4,9 +4,7 @@
 #   include profile_kerberos_server::secondary::scripts
 #
 class profile_kerberos_server::secondary::scripts {
-
   file { '/var/kerberos/krb5kdc/propagate':
-    ensure => 'absent'
+    ensure => 'absent',
   }
-
 }