From d94fdfe45ab38f13b05a14d74022e327185f18b3 Mon Sep 17 00:00:00 2001
From: Nick Maludy <nmaludy@gmail.com>
Date: Fri, 20 Mar 2020 08:25:29 -0400
Subject: [PATCH 1/2] Fixing wsgi.py for python 3. Added documentation on
 running Puppetboard under python3 on RHEL 7

---
 README.md             | 83 +++++++++++++++++++++++++++++++++++++++++++
 templates/wsgi.py.erb |  2 +-
 2 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e292c0be..b2ec0173 100644
--- a/README.md
+++ b/README.md
@@ -264,6 +264,57 @@ class { 'puppetboard::apache::vhost':
 }
 ```
 
+### RedHat/CentOS 7 with Python 3
+
+If you want to use the latest version of Puppet Board you'll need to run Python 3.6+.
+
+By default RHEL 7 has Python 2.7 installed, so you'll need to install a Python 3 and
+the compatible version of `mod_wsgi` (the `mod_wsgi` module must be compiled to support
+the specific version of Python you're running).
+
+
+``` puppet
+$mod_wsgi_package_name = 'rh-python36-mod_wsgi'
+
+package { ['python36', 'python36-pip', 'python36-virtualenv']:
+  ensure => present,
+}
+
+# configure apache
+class { 'apache':
+  purge_configs => false,
+  mpm_module    => 'prefork',
+  default_vhost => false,
+  default_mods  => false,
+}
+
+# configure mod_wsgi for python3
+class { 'apache::mod::wsgi':
+  mod_path           => 'modules/mod_rh-python36-wsgi.so',
+  package_name       => $mod_wsgi_package_name,
+  wsgi_socket_prefix => '/var/run/wsgi',
+}
+
+# create symlinks from the isolated Red Hat directory into the
+# standard Apache paths so that it can pick up the module and config
+file { '/etc/httpd/conf.modules.d/10-rh-python36-wsgi.conf':
+  ensure  => 'link',
+  target  => '/opt/rh/httpd24/root/etc/httpd/conf.modules.d/10-rh-python36-wsgi.conf',
+  require => Package[$mod_wsgi_package_name],
+}
+file { '/usr/lib64/httpd/modules/mod_rh-python36-wsgi.so':
+  ensure  => 'link',
+  target  => '/opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_rh-python36-wsgi.so ',
+  require => Package[$mod_wsgi_package_name],
+}
+
+class { 'puppetboard':
+  # use python3 when setting up the virtualenv for puppetboard
+  virtualenv_python => '3',
+  # specify other parameters here
+}
+```
+
 ### Using SSL to the PuppetDB host
 
 
@@ -328,6 +379,38 @@ class { 'puppetboard':
 }
 ```
 
+### Using SSL to PuppetDB >= 6.9.1
+
+As of PuppetDB `6.9.1` the `/metrics/v2` API is only accessible on the loopback/localhost
+interface of the PuppetDB server. This requires you to run `puppetboard` locally on
+that host and configure `puppetdb_host` to `127.0.0.1`:
+
+``` puppet
+
+$ssl_dir = $::settings::ssldir
+$puppetboard_certname = $::certname
+class { 'puppetboard':
+  groups              => 'puppet',
+  manage_virtualenv   => true,
+  puppetdb_host       => '127.0.0.1',
+  puppetdb_port       => 8081,
+  puppetdb_key        => "${ssl_dir}/private_keys/${puppetboard_certname}.pem",
+  puppetdb_ssl_verify => "${ssl_dir}/certs/ca.pem",
+  puppetdb_cert       => "${ssl_dir}/certs/${puppetboard_certname}.pem",
+}
+```
+
+**NOTE** In order for SSL to verify properly in this setup, you'll need your
+         Puppet SSL certificate to have an IP Subject Alternative Name setup
+         for `127.0.0.1`, otherwise the certificate verification will fail.
+         You can set this up in your `puppet.conf` with the `dns_alt_names`
+         configuration option, documented [here](https://puppet.com/docs/puppet/latest/configuration.html#dnsaltnames):
+
+``` ini
+[main]
+    dns_alt_names = puppetdb,puppetdb.domain.tld,puppetboard,puppetboard.domain.tld,IP:127.0.0.1
+```
+
 ## Development
 
 This module is maintained by [Vox Pupuli](https://voxpupuli.org/). Voxpupuli
diff --git a/templates/wsgi.py.erb b/templates/wsgi.py.erb
index bb55740e..8a2731f9 100644
--- a/templates/wsgi.py.erb
+++ b/templates/wsgi.py.erb
@@ -5,7 +5,7 @@ import sys
 
 os.environ['PUPPETBOARD_SETTINGS'] = '<%= @basedir %>/puppetboard/settings.py'
 activate_this = '<%= @basedir %>/virtenv-puppetboard/bin/activate_this.py'
-execfile(activate_this, dict(__file__=activate_this))
+exec(compile(open(activate_this).read(), activate_this, 'exec'), dict(__file__=activate_this))
 
 me = os.path.dirname(os.path.abspath(__file__))
 # Add us to the PYTHONPATH/sys.path if we're not on it

From b27a2c35a3efadf823cb7f405f3fcdaea857932a Mon Sep 17 00:00:00 2001
From: Nick Maludy <nmaludy@gmail.com>
Date: Fri, 20 Mar 2020 09:58:07 -0400
Subject: [PATCH 2/2] Added table of repos needed for the python3 packages

---
 README.md | 44 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index b2ec0173..231bea88 100644
--- a/README.md
+++ b/README.md
@@ -276,7 +276,7 @@ the specific version of Python you're running).
 ``` puppet
 $mod_wsgi_package_name = 'rh-python36-mod_wsgi'
 
-package { ['python36', 'python36-pip', 'python36-virtualenv']:
+package { ['python3', 'python3-pip', 'python3-devel', 'python36-virtualenv']:
   ensure => present,
 }
 
@@ -315,6 +315,23 @@ class { 'puppetboard':
 }
 ```
 
+**NOTE** Below are the Yum repos needed for the various packages above.
+         On CentOS you'll need to package `centos-release-scl-rh` or manage
+         the SCL repos with the [bodgit/scl](https://github.com/bodgit/puppet-scl) module.
+
+| OS       | package                | repo                          |
+|----------|------------------------|-------------------------------|
+| RHEL 7   | `python3`              | `rhel-7-server-rpms`          |
+| RHEL 7   | `python3-pip`          | `rhel-7-server-rpms`          |
+| RHEL 7   | `python3-devel`        | `rhel-7-server-optional-rpms` |
+| RHEL 7   | `python36-virtualenv`  | `EPEL`                        |
+| RHEL 7   | `rh-python36-mod_wsgi` | `rhel-server-rhscl-7-rpms`    |
+| CentOS 7 | `python3`              | `base/7`                      |
+| CentOS 7 | `python3-pip`          | `base/7`                      |
+| CentOS 7 | `python3-devel`        | `base/7`                      |
+| CentOS 7 | `python36-virtualenv`  | `EPEL`                        |
+| CentOS 7 | `rh-python36-mod_wsgi` | `centos-sclo-rh`              |
+
 ### Using SSL to the PuppetDB host
 
 
@@ -404,13 +421,36 @@ class { 'puppetboard':
          Puppet SSL certificate to have an IP Subject Alternative Name setup
          for `127.0.0.1`, otherwise the certificate verification will fail.
          You can set this up in your `puppet.conf` with the `dns_alt_names`
-         configuration option, documented [here](https://puppet.com/docs/puppet/latest/configuration.html#dnsaltnames):
+         configuration option, documented [here](https://puppet.com/docs/puppet/latest/configuration.html#dnsaltnames).
 
 ``` ini
 [main]
     dns_alt_names = puppetdb,puppetdb.domain.tld,puppetboard,puppetboard.domain.tld,IP:127.0.0.1
 ```
 
+**NOTE** If you need to regenerate your existing cert to add DNS Alt Names
+follow the documentation [here](https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html#regenerate_agent_certs_and_add_dns_alt_names):
+
+``` shell
+# remove the existing agent certs
+puppetserver ca clean --certname <CERTNAME_OF_YOUR_PUPPETDB>
+puppet ssl clean
+
+# stop our services
+puppet resource service puppetserver ensure=stopped
+puppet resource service puppetdb ensure=stopped
+
+# regenerate our cert
+puppetserver ca generate --certname <CERTNAME> --subject-alt-names puppetdb,puppetdb.domain.tld,puppetboard,puppetboard.domain.tld,IP:127.0.0.1 --ca-client
+# copy the cert into the PuppetDB directory
+cp /etc/puppetlabs/puppet/ssl/certs/<CERTNAME>.pem /etc/puppetlabs/puppetdb/ssl/public.pem 
+cp /etc/puppetlabs/puppet/ssl/private_keys/<CERTNAME>.pem /etc/puppetlabs/puppetdb/ssl/private.pem 
+
+# restart our services
+puppet resource service puppetdb ensure=running
+puppet resource service puppetserver ensure=running
+```
+
 ## Development
 
 This module is maintained by [Vox Pupuli](https://voxpupuli.org/). Voxpupuli