When applied together with a role that enables base::firewall, role::puppetmaster::standalone's puppetmaster is unreachable because no firewall rule allows access to it (port 8140).
Two obstacles mean that a simple rule such as ferm::service { 'puppetmaster-frontend': proto => 'tcp', port => 8140, srange => '$DOMAIN_NETWORKS', } is not enough:
- role::labs::puppetmaster includes role::puppetmaster::standalone with the (Apache) restriction $allow_from => flatten([$labs_instance_range, '208.80.154.14', '208.80.155.119', '208.80.153.74', $horizon_host_ip, $labs_metal]) (and in general $allow_from can contain wildcard domain names as well), so an srange narrower than $allow_from is not an option, and $allow_from cannot be converted to an srange automatically.
- role::labs::puppetmaster has its own ferm rules (saddr (${labs_vms} ${labs_metal} ${monitoring} ${horizon_host_ip}) proto tcp dport 8140 ACCEPT; and saddr (${labs_vms} ${labs_metal} ${monitoring} ${horizon_host_ip}) proto tcp dport 8100 ACCEPT;), so an srange broader than those rules is not an option either.
Probably the manifests need to be reorganized so that the roles do not depend on each other, i.e. move the $use_enc bits to the class puppetmaster and then instantiate puppetmaster rather than role::puppetmaster::standalone in role::puppetmaster::labs, or truly combine role::puppetmaster::standalone and role::puppetmaster::labs into one role.
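As an added sketch of the first option (this is not code from operations/puppet or from this task), the class puppetmaster would own both the ENC bits and a single ferm::service rule whose srange is chosen by the role that instantiates it, so each role keeps its own source list and nothing tries to derive an srange from $allow_from. The parameter names ferm_srange and allow_from, the hiera keys, the `include base::firewall` lines and the placement of the Apache vhost are assumptions made for illustration; only $use_enc, the ferm::service call, the port numbers and the address lists come from the description above.

```puppet
# Sketch only: class, parameter and hiera key names (other than $use_enc,
# ferm::service and the addresses quoted in the task) are assumptions.

class puppetmaster (
  $use_enc     = false,               # ENC bits moved here from role::puppetmaster::standalone
  $allow_from  = [],                  # Apache-level allow list; may contain wildcard domain names
  $ferm_srange = '$DOMAIN_NETWORKS',  # ferm-level source range; the role decides how wide
) {
  # ... ENC configuration controlled by $use_enc goes here ...
  # ... Apache vhost using $allow_from goes here, unchanged; it is never
  #     turned into a ferm range because wildcard names cannot be expressed
  #     as a ferm saddr ...

  # One firewall rule per instantiation. Single quotes keep ferm's own
  # $DOMAIN_NETWORKS variable intact when that default is used.
  ferm::service { 'puppetmaster-frontend':
    proto  => 'tcp',
    port   => 8140,
    srange => $ferm_srange,
  }
}

# Standalone role: gains the rule that is missing today (port 8140 open to
# $DOMAIN_NETWORKS when base::firewall is enabled alongside it).
class role::puppetmaster::standalone {
  include base::firewall   # assumed; whichever role enables the firewall

  class { 'puppetmaster':
    use_enc     => true,
    ferm_srange => '$DOMAIN_NETWORKS',
  }
}

# Labs role: instantiates the class directly instead of the standalone role,
# so its narrow source list and Apache allow list are not widened.
class role::puppetmaster::labs {
  include base::firewall   # assumed

  # Assumed hiera keys standing in for wherever these values really live.
  $labs_instance_range = lookup('labs_instance_range')
  $labs_vms            = lookup('labs_vms')
  $labs_metal          = lookup('labs_metal')
  $monitoring          = lookup('monitoring')
  $horizon_host_ip     = lookup('horizon_host_ip')

  class { 'puppetmaster':
    use_enc     => true,
    allow_from  => flatten([
      $labs_instance_range,
      '208.80.154.14',
      '208.80.155.119',
      '208.80.153.74',
      $horizon_host_ip,
      $labs_metal,
    ]),
    # Double quotes: Puppet interpolates, producing the same
    # "(<vms> <metal> <monitoring> <horizon>)" list the role uses today.
    ferm_srange => "(${labs_vms} ${labs_metal} ${monitoring} ${horizon_host_ip})",
  }

  # The labs-only 8100 rule stays with the labs role, same source list.
  ferm::service { 'puppetmaster-labs-8100':
    proto  => 'tcp',
    port   => 8100,
    srange => "(${labs_vms} ${labs_metal} ${monitoring} ${horizon_host_ip})",
  }
}
```

With this split, the standalone role opens 8140 to $DOMAIN_NETWORKS without affecting labs, and the labs role's ferm rules stay exactly as narrow as before, since the only rule the shared class adds uses the srange the role passed in.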