Deploy your #Puppet Enterprise license key with Puppet

Since I manage my Puppet infrastructure with Puppet itself, I am for full automation. For Puppet Enterprise, that includes deploying the license key file from the puppet fileserver (profile/files/master/license.key served as puppet:///modules/profile/master/license.key). When upgrading to the latest Puppet Enterprise version, 2016.2.0, I encountered a change that was tricky to resolve – the puppet_enterprise::license class accepted a license_key parameter, which was marked as deprecated:

Warning: puppet_enterprise::license::license_key is deprecated and will be removed in the next
    PE version. Please use puppet_enterprise::license_key_path. If using the Node Manager, the class
    is located in the PE Infrastructure node group.

Easy, I’ll just use the parameter license_key_path instead! Except, it wants a location for a file on the master, and I’m trying to deploy a file to the master!

  # Support using the deprecated parameter for now so things don't break
  $_license_key = pe_pick($license_key, $puppet_enterprise::license_key_path)       # Results in $_license_key = 'puppet:///modules/profile/master/license.key'

  # We only want to manage the license file if it actually exists. If it
  # doesn't, the file() function will fail, so we still have to pass /dev/null
  # as a default. So we check whether we have any content before making the
  # resource.
  $license_content = file($_license_key, '/dev/null')                               # But the file function won't accept a puppet:// URL!

  if !pe_empty($license_content) {
    file { $puppet_enterprise::params::dest_license_key_path:
      ensure  => present,
      content => $license_content,
      mode    => '0644',

On top of that, I can’t deploy the file from the puppet fileserver to the target location, because that file resource is already managed. The solution took me a while to puzzle out, but is clear in hindsight: deploy to an alternative location and adjust the license_key_path to point to that location instead. Keep in mind that the PE Console Service’s nginx process needs to be able to read the file. I chose to put the key at /etc/puppetlabs/pe-license.key, next to the default location of /etc/puppetlabs/license.key, to avoid the duplicate resource and ensure it’s visible to the process.

In hiera, add the parameter:

puppet_enterprise::license_key_path: '/etc/puppetlabs/pe-license.key'

Create a new profile that deploys the license key:

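class profile::license (
  $source = 'puppet:///modules/profile/master/license.key',
) {
  # Deploy to an alternative path so this does not collide with the
  # license file resource that puppet_enterprise::license already manages.
  file { '/etc/puppetlabs/pe-license.key':
    ensure => present,
    source => $source,
    notify => Service['pe-console-services'],
  }
}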

Be sure to add that profile to your puppet master’s role, of course!

class role::puppet {
  include profile::base
  include profile::puppet_master
  include profile::license
}

Don’t forget the rspec test for profile::license, which you obviously were going to do anyway because testing is important, right? 😉

Now, when you renew your license at the end of the year, one update to profile/files/master/license.key is all you need for the new license to take effect!
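A post-deploy check for the setup above, as an added example that is not part of the original post or of Puppet Enterprise: it rejects a fileserver URL as a license_key_path value and confirms the deployed key exists, is non-empty, and has sane permissions. The function name check_license_key_path and its return codes are hypothetical, and testing the "other" read bit is an assumption taken from the 0644 mode in the license class excerpt.

```shell
#!/bin/sh
# Added example (not from the post or from PE): check a value meant for
# puppet_enterprise::license_key_path on the master.
# check_license_key_path and its return codes are hypothetical names.
check_license_key_path() {
    path=$1
    case $path in
        puppet://*)
            # file() reads from the master's disk, not the fileserver
            echo "FAIL: '$path' is a fileserver URL, not a path on the master"
            return 2 ;;
        /*) ;;
        *)
            echo "FAIL: '$path' is not an absolute path"
            return 2 ;;
    esac
    if [ ! -f "$path" ]; then
        echo "FAIL: '$path' is missing (has profile::license been applied?)"
        return 3
    fi
    if [ ! -s "$path" ]; then
        # empty content makes the license class skip the file (pe_empty check)
        echo "FAIL: '$path' is empty"
        return 4
    fi
    # First ten characters of the ls output, e.g. -rw-r--r--
    perms=$(ls -lLd "$path" | cut -c1-10)
    case $perms in
        ?????w????|????????w?)
            echo "FAIL: '$path' is writable by group or other ($perms)"
            return 5 ;;
    esac
    case $perms in
        ???????r??) ;;
        *)
            # Assumption: the console service reads the key via the "other"
            # bits, as with the 0644 mode in the license class excerpt.
            echo "FAIL: '$path' is not world-readable ($perms)"
            return 6 ;;
    esac
    echo "OK: '$path' ($perms)"
}

# Run against a path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_license_key_path "$1"
fi
```

Run it on the master with the value from hiera, for example `sh check_license.sh /etc/puppetlabs/pe-license.key`.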

6 thoughts on “Deploy your #Puppet Enterprise license key with Puppet”

    • I do believe I tried this and it would not work for me, but it has been a while. Have you tried a setting like that yourself to confirm that it works?

      • Yep! Tried it at a customer’s site. They had PE 2017.1 for what it’s worth. I haven’t had a chance to try it anywhere else on any other version yet.

      • For what it’s worth…
        I just experienced the issue where the PE Console gets the incorrect license key path, and thus reports as unlicensed. The “puppet license” command does report the correct license status. Puppet Console is receiving the source path (profile/puppetmaster/license.key) for the license instead of the destination path (/etc/puppetlabs/license.key). This was on PE 2016.4.x. We found a problem in `/opt/puppetlabs/puppet/modules/puppet_enterprise/trapperkeeper/console_services.pp` line 32, and changed it to:

        $license_key_path = $puppet_enterprise::params::dest_license_key_path

        I am guessing this has been fixed somewhere between 2016.4 and 2017.1. Just thought I would follow up on my original “success” statement.

      • So I noticed today (nearly a year later) that it still breaks on 2017.3.5. I am not sure how I ever thought it worked. 🙂 Console is set to use the source path instead of the destination file. I also noticed that I messed up the name of the file previously.

        File: /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/trapperkeeper/console_services.pp
        … also appears to be

        Line: 44 (in PE 2017.3.5)
        Change: $license_key_path = $puppet_enterprise::license_key_path
        To: $license_key_path = $puppet_enterprise::params::dest_license_key_path

        NOTE: I had to `systemctl restart pe-puppetserver` to get it to “see” the updated module.

        For what it’s worth, I filed last June to report this issue…
