OpenVoxProject · dotconfig404 · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025
@@ -1,3 +1,7 @@
+ARG OPENVOXSERVER_VERSION=8.10.0
+ARG OPENVOXDB_VERSION=8.10.0
+ARG R10K_VERSION=5.0.0
+
 FROM alpine:3.22 AS base
 
 # Install JDK
@@ -9,8 +13,8 @@
 
 FROM base AS build
 
-ARG OPENVOXSERVER_VERSION=8.10.0
-ARG OPENVOXDB_VERSION=8.10.0
+ARG OPENVOXSERVER_VERSION
+ARG OPENVOXDB_VERSION
 
 ADD https://artifacts.voxpupuli.org/openvox-server/${OPENVOXSERVER_VERSION}/openvox-server-${OPENVOXSERVER_VERSION}.tar.gz /
 ADD https://artifacts.voxpupuli.org/openvoxdb/${OPENVOXDB_VERSION}/openvoxdb-${OPENVOXDB_VERSION}.tar.gz /
@@ -84,7 +88,9 @@
 
 ARG vcs_ref
 ARG build_date
-ARG R10K_VERSION=5.0.0
+ARG build_type
+ARG R10K_VERSION
+ARG OPENVOXSERVER_VERSION
 
 LABEL org.label-schema.maintainer="Voxpupuli Team <[email protected]>" \
       org.label-schema.vendor="OpenVoxProject" \
@@ -97,7 +103,7 @@
      org.label-schema.vcs-ref="$vcs_ref" \
      org.label-schema.build-date="$build_date"

 ENV AUTOSIGN=true \
    CA_ALLOW_SUBJECT_ALT_NAMES=false \
    CA_ENABLED=true \
    CA_TTL=157680000 \
@@ -105,7 +111,6 @@
     CA_PORT=8140 \
     CERTNAME="" \
     CSR_ATTRIBUTES='{}' \
-    DEBIAN_FRONTEND=noninteractive \
     DNS_ALT_NAMES="" \
     ENVIRONMENTPATH=/etc/puppetlabs/code/environments \
     HIERACONFIG='$confdir/hiera.yaml' \
@@ -129,7 +134,6 @@
     OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
     OPENVOXSERVER_PORT=8140 \
     PATH=$PATH:/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin \
-    SSLDIR=/etc/puppetlabs/puppet/ssl \
     USE_OPENVOXDB=true \
     ### build variables
     apps_dir=/opt/puppetlabs/server/apps \
@@ -192,6 +196,15 @@
 # install puppet gem as library into jruby loadpath
 && puppetserver gem install --no-document openvox
 
+RUN chown -R puppet:puppet /var/log/puppetlabs/puppetserver/ \
+&& chown -R puppet:puppet /etc/puppetlabs/puppet/ \
+&& chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/ \
+&& chown -R puppet:puppet /etc/puppetlabs/puppetserver/
+
+USER puppet
+RUN install -d -m 0755 ~/.puppetlabs/etc/puppet \
+&& install -d -m 0755 ~/.puppetlabs/etc/puppetserver/ca
+
 # k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
 HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
 

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+if [ "$(id -u)" -ne 0 ]; then
+    # jruby-puppet's master-conf-dir/server-conf-dir and master-code-dir/server-code-dir 
+    # need to be the same as confdir and codedir from puppet.conf in order to sync `puppetserver` 
+    # and `puppet` defaults.
+    # See "Overriding Puppet settings in Puppet Server" in:
+    # https://help.puppet.com/core//8/Content/PuppetCore/server/puppet_conf_setting_diffs.htm
+    #
+    # "Any changes made to the master-conf-dir and master-code-dir settings absolutely MUST be made 
+    # to the corresponding Puppet settings (confdir and codedir) as well to ensure that Puppet Server 
+    # and the Puppet CLI tools (such as `puppetserver ca` and `puppet module`) use the same directories."
+    hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-conf-dir $(puppet config print confdir)
+    hocon -f /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf set jruby-puppet.master-code-dir $(puppet config print codedir)  
+
+
+    # Despite setting the above, `puppet` and `puppetserver ca` still resolve to different CA directories when run as nonroot:
+    # - `puppetserver ca`: defaults to ~/.puppetlabs/etc/puppetserver/ca if run as nonroot and cadir is not set in puppet.conf
+    # - `puppet`: defaults to /etc/puppetlabs/puppetserver/ca by default
+    #
+    # To unify this, explicitly set cadir for nonroot users:
+    puppet config set cadir ~/.puppetlabs/etc/puppetserver/ca
+fi
@@ -7,7 +7,7 @@ set -e
 # default
 TEMPLATES=/var/tmp/puppet
 
-cd /etc/puppetlabs/puppet
+cd "$(puppet config print confdir)"
 for f in auth.conf hiera.yaml puppet.conf puppetdb.conf; do
   [ -f "$TEMPLATES/$f" ] && [ ! -f "$f" ] && {
     echo "Copying template $f from $TEMPLATES"

@@ -3,5 +3,5 @@
 set -e
 
 if test -n "${OPENVOXDB_SERVER_URLS}" ; then
-  sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" /etc/puppetlabs/puppet/puppetdb.conf
+  sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(puppet config print confdir)/puppetdb.conf
 fi
@@ -7,9 +7,10 @@ config_section=main
 # Allow setting dns_alt_names for the compilers certificate. This
 # setting will only have an effect when the container is started without
 # an existing certificate on the /etc/puppetlabs/puppet volume
+
 if [ -n "${DNS_ALT_NAMES}" ]; then
     certname=$(puppet config print certname)
-    if test ! -f "${SSLDIR}/certs/$certname.pem" ; then
+    if test ! -f "$(puppet config print ssldir)/certs/$certname.pem" ; then
         puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section "${config_section}"
     else
         actual=$(puppet config print dns_alt_names --section "${config_section}")

@@ -3,9 +3,10 @@
 require 'json'
 require 'yaml'
 
+target_path = ARGV[0] || '/etc/puppetlabs/puppet/csr_attributes.yaml'
 begin
   csr_yaml = YAML.dump(JSON.load(ENV['CSR_ATTRIBUTES']))
-  File.write('/etc/puppetlabs/puppet/csr_attributes.yaml', csr_yaml)
+  File.write(target_path, csr_yaml)
 rescue => error
   puts "Error on reading JSON env. Terminating"
   puts "Malformed JSON: #{ENV['CSR_ATTRIBUTES']}"

@@ -5,8 +5,9 @@ set -e
 # determine script location
 readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}")
 readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME")
+readonly CSR_PATH=$(puppet config print csr_attributes)
 
 if [ -n "${CSR_ATTRIBUTES}" ]; then
     echo "CSR Attributes: ${CSR_ATTRIBUTES}"
-    /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb"
+    /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH"
 fi
@@ -20,7 +20,6 @@ EOF
   ssl_ca_cert=$(puppet config print localcacert)
   ssl_crl_path=$(puppet config print hostcrl)
 
-
   cd /etc/puppetlabs/puppetserver/conf.d/
   hocon -f webserver.conf set webserver.ssl-cert $ssl_cert
   hocon -f webserver.conf set webserver.ssl-key $ssl_key
@@ -59,7 +58,8 @@ else
       exit 99
     fi
 
-    if [[ -f /etc/puppetlabs/puppetserver/ca/ca_crt.pem ]]; then
+    ca_cert=$(puppet config print cacert)
+    if [[ -f "$ca_cert" ]]; then
       echo "CA already imported."
     else
       puppetserver ca import \
@@ -68,9 +68,10 @@ else
         --private-key $INTERMEDIATE_CA_KEY
     fi
   else
-    new_cadir=/etc/puppetlabs/puppetserver/ca
+    new_cadir=$(puppet config print cadir)
+    ssl_dir=$(puppet config print ssldir)
 
-    if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
+    if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then
         # There is no existing CA
 
         # Append user-supplied DNS Alt Names
@@ -87,13 +88,11 @@ else
 
         # See puppet.conf file for relevant settings
         puppetserver ca setup \
-            --ca-name "$ca_name" \
-            --config /etc/puppetlabs/puppet/puppet.conf
+            --ca-name "$ca_name" 
 
-    elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
+    elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then
         # Legacy CA upgrade
-        puppetserver ca migrate \
-            --config /etc/puppetlabs/puppet/puppet.conf
-    fi
+        puppetserver ca migrate     
+        fi
   fi
-fi
+fi
@@ -8,41 +8,43 @@ echo "System configuration values:"
 echo "* HOSTNAME: '${HOSTNAME}'"
 echo "* hostname -f: '$(hostname -f)'"
 
+ssl_dir=$(puppet config print ssldir)
+
 if [ -n "${CERTNAME}" ]; then
   echo "* CERTNAME: '${CERTNAME}'"
   certname=${CERTNAME}.pem
 else
   echo "* CERTNAME: unset, try to use the oldest certificate in the certs directory, because this might be the one that was used initially."
-  if [ ! -d "${SSLDIR}/certs" ]; then
+  if [ ! -d "${ssl_dir}/certs" ]; then
     certname="Not-Found"
-    echo "WARNING: No certificates directory found in ${SSLDIR}!"
+    echo "WARNING: No certificates directory found in ${ssl_dir}!"
   else
-    certname=$(cd "${SSLDIR}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
+    certname=$(cd "${ssl_dir}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
     if [ -z "${certname}" ]; then
-      echo "WARNING: No certificates found in ${SSLDIR}/certs! Please set CERTNAME!"
+      echo "WARNING: No certificates found in ${ssl_dir}/certs! Please set CERTNAME!"
     fi
   fi
 fi
 
 echo "* OPENVOXSERVER_PORT: '${OPENVOXSERVER_PORT:-8140}'"
 echo "* Certname: '${certname}'"
 echo "* DNS_ALT_NAMES: '${DNS_ALT_NAMES}'"
-echo "* SSLDIR: '${SSLDIR}'"
+echo "* SSLDIR: '${ssl_dir}'"
 
 altnames="-certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux"
 
-if [ -f "${SSLDIR}/certs/ca.pem" ]; then
+if [ -f "${ssl_dir}/certs/ca.pem" ]; then
   echo "CA Certificate:"
   # shellcheck disable=SC2086 # $altnames shouldn't be quoted
-  openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/ca.pem" $altnames
+  openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/ca.pem" $altnames
 fi
 
 if [ -n "${certname}" ]; then
-  if [ -f "${SSLDIR}/certs/${certname}" ]; then
+  if [ -f "${ssl_dir}/certs/${certname}" ]; then
     echo "Certificate ${certname}:"
     # shellcheck disable=SC2086 # $altnames shouldn't be quoted
-    openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/${certname}" $altnames
+    openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/${certname}" $altnames
   else
-    echo "WARNING: Certificate ${certname} not found in ${SSLDIR}/certs!"
+    echo "WARNING: Certificate ${certname} not found in ${ssl_dir}/certs!"
   fi
 fi