Deploy your #Puppet Enterprise license key with Puppet

Since I manage my Puppet infrastructure with Puppet itself, I am for full automation. For Puppet Enterprise, that includes deploying the license key file from the puppet fileserver (profile/files/master/license.key served as puppet:///modules/profile/master/license.key). When upgrading to the latest Puppet Enterprise version, 2016.2.0, I encountered a change that was tricky to resolve – the puppet_enterprise::license class accepted a license_key parameter, which was marked as deprecated:

Warning: puppet_enterprise::license::license_key is deprecated and will be removed in the next
    PE version. Please use puppet_enterprise::license_key_path. If using the Node Manager, the class
    is located in the PE Infrastructure node group.

Easy, I’ll just use the parameter license_key_path instead! Except, it wants a location for a file on the master, and I’m trying to deploy a file to the master!

  # Support using the deprecated parameter for now so things don't break
  $_license_key = pe_pick($license_key, $puppet_enterprise::license_key_path)       # Results in $_license_key = 'puppet:///modules/profile/master/license.key'

  # We only want to manage the license file if it actually exists. If it
  # doesn't, the file() function will fail, so we still have to pass /dev/null
  # as a default. So we check whether we have any content before making the
  # resource.
  $license_content = file($_license_key, '/dev/null')                               # But the file function won't accept a puppet:// URL!

  if !pe_empty($license_content) {
    file { $puppet_enterprise::params::dest_license_key_path:
      ensure  => present,
      content => $license_content,
      mode    => '0644',

On top of that, I can’t deploy the file from the puppet fileserver to the target location, because that file resource is already managed. The solution took me a while to puzzle out, but is clear in hindsight: deploy to an alternative location and adjust the license_key_path to point to that location instead. Keep in mind that the PE Console Service’s nginx process needs to be able to read the file. I choose to stick the key next to the default location of /etc/puppetlabs/license.key, /etc/puppetlabs/pe-license.key, to avoid the duplicate resource and ensure it’s visible to the process.

In hiera, add the parameter:

puppet_enterprise::license_key_path: '/etc/puppetlabs/pe-license.key'

Create a new profile that deploys the license key:

class profile::license (
  $source = 'puppet:///modules/profile/master/license.key',
) {
  file{ '/etc/puppetlabs/pe-license.key':
    ensure => present,
    source => $source,
    notify => Service['pe-console-services'],

Be sure to add that profile to your puppet master’s role, of course!

class role::puppet {
  include profile::base
  include profile::puppet_master
  include profile::license

Don’t forget the rspec test for profile::license, which you obviously were going to do anyway because testing is important, right? 😉

Now, when you renew your license at the end of the year, one update to profile/files/master/license.key is all you need for the new license to take effect!

4 thoughts on “Deploy your #Puppet Enterprise license key with Puppet

  1. Pingback: Newsletter: August 6, 2016 | Notes from MWhite
    • I do believe I tried this and it would not work for me, but it has been a while. Have you tried a setting like that yourself to confirm that it works?

      • Yep! Tried it at a customer’s site. They had PE 2017.1 for what its worth. I haven’t had a chance to try it anywhere else on any other version yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s