Deploy your #Puppet Enterprise license key with Puppet

Since I manage my Puppet infrastructure with Puppet itself, I am for full automation. For Puppet Enterprise, that includes deploying the license key file from the puppet fileserver (profile/files/master/license.key served as puppet:///modules/profile/master/license.key). When upgrading to the latest Puppet Enterprise version, 2016.2.0, I encountered a change that was tricky to resolve – the puppet_enterprise::license class accepted a license_key parameter, which was marked as deprecated:

Warning: puppet_enterprise::license::license_key is deprecated and will be removed in the next
    PE version. Please use puppet_enterprise::license_key_path. If using the Node Manager, the class
    is located in the PE Infrastructure node group.

Easy, I’ll just use the parameter license_key_path instead! Except, it wants a location for a file on the master, and I’m trying to deploy a file to the master!

  # Support using the deprecated parameter for now so things don't break
  $_license_key = pe_pick($license_key, $puppet_enterprise::license_key_path)       # Results in $_license_key = 'puppet:///modules/profile/master/license.key'

  # We only want to manage the license file if it actually exists. If it
  # doesn't, the file() function will fail, so we still have to pass /dev/null
  # as a default. So we check whether we have any content before making the
  # resource.
  $license_content = file($_license_key, '/dev/null')                               # But the file function won't accept a puppet:// URL!

  if !pe_empty($license_content) {
    file { $puppet_enterprise::params::dest_license_key_path:
      ensure  => present,
      content => $license_content,
      mode    => '0644',
    }
  }

On top of that, I can’t deploy the file from the puppet fileserver to the target location, because that file resource is already managed. The solution took me a while to puzzle out, but is clear in hindsight: deploy to an alternative location and adjust the license_key_path to point to that location instead. Keep in mind that the PE Console Service’s nginx process needs to be able to read the file. I choose to stick the key next to the default location of /etc/puppetlabs/license.key, /etc/puppetlabs/pe-license.key, to avoid the duplicate resource and ensure it’s visible to the process.

In hiera, add the parameter:

puppet_enterprise::license_key_path: '/etc/puppetlabs/pe-license.key'

Create a new profile that deploys the license key:

class profile::license (
  $source = 'puppet:///modules/profile/master/license.key',
) {
  file{ '/etc/puppetlabs/pe-license.key':
    ensure => present,
    source => $source,
    notify => Service['pe-console-services'],
  }
}

Be sure to add that profile to your puppet master’s role, of course!

class role::puppet {
  include profile::base
  include profile::puppet_master
  include profile::license
}

Don’t forget the rspec test for profile::license, which you obviously were going to do anyway because testing is important, right? 😉

Now, when you renew your license at the end of the year, one update to profile/files/master/license.key is all you need for the new license to take effect!

5 thoughts on “Deploy your #Puppet Enterprise license key with Puppet

  1. Pingback: Newsletter: August 6, 2016 | Notes from MWhite
    • I do believe I tried this and it would not work for me, but it has been a while. Have you tried a setting like that yourself to confirm that it works?

      • Yep! Tried it at a customer’s site. They had PE 2017.1 for what its worth. I haven’t had a chance to try it anywhere else on any other version yet.

      • For what its worth…
        I just experienced the issue where the PE Console get the incorrect license key path, and thus reports as unlicensed. The “puppet license” command does report the correct license status. Puppet Console is receiving the source path (profile/puppetmaster/license.key) for the license instead of the destination path (/etc/puppetlabs/license.key). This was on PE 2016.4.x. We found a problem in `/opt/puppetlabs/puppet/modules/puppet_enterprise/trapperkeeper/console_services.pp` line 32, and changed it to:

        “`
        $license_key_path = $puppet_enterprise::params::dest_license_key_path
        “`

        I am guessing this has been fixed somewhere between 2016.4 and 2017.1. Just thought I would followup on my original “success” statement.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s